Freeradius 3.0.4 authentication to FreeIPA 4.1.2
Adam Bishop
Adam.Bishop at jisc.ac.uk
Tue Feb 10 23:27:50 CET 2015
On 10 Feb 2015, at 18:24, Charles Jennings <jennings.charles.e at gmail.com> wrote:
> As a side note, I am authenticating successfully against my IPA
> infrastructure - I just can't seem to find the information I need to tie
> freeradius to freeipa.
I did this with Kerberos - no LDAP policy checks though. For my environment (CentOS 7) the rough steps were:
Enrol your RADIUS server in IPA, then SSH into your FreeIPA server, and run:
# kinit <<adminuser>>@YOUR.KERBEROS.REALM
Then to generate a service principal (you could do this in the GUI too):
# ipa service-add radius/radius.server.yourdomain.com@YOUR.KERBEROS.REALM
Then on your radius server get the key tab:
# ipa-getkeytab -s radius.server.yourdomain.com. -p radius/radius.server.yourdomain.com -k /var/lib/radiusd/krb5.keytab
Make sure that the radius user can see that key tab, and edit mods-enabled/krb5
...
keytab = /var/lib/radiusd/krb5.keytab
service_principal = radius/radius.server.yourdomain.com
...
Add a handler into the AuthZ section of your virtual servers:
...
Auth-Type Kerberos {
    krb5
}
...
You can (and should) verify the contents of the key tab with:
# ktutil -k /var/lib/radiusd/krb5.keytab
ktutil: rkt /var/lib/radiusd/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
...
And:
# kinit -k -t /var/lib/radiusd/krb5.keytab radius/radius.server.yourdomain.com
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: radius/radius.server.yourdomain.com
...
LDAP queries against FreeIPA would be configured exactly like any other LDAP server. I don't know which mechanisms FreeRADIUS supports when binding to a directory for queries; someone else on the list may be able to confirm.
Thanks,
Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.
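As an added example (not from the post above or from the FreeRADIUS/FreeIPA projects), a preflight script that checks the keytab the way the post recommends: it reads keytab and service_principal from mods-enabled/krb5, confirms the keytab is owned by the radiusd user and not readable by others, and confirms the principal is actually in it. It assumes the daemon user is named "radius" and that the module config uses plain "key = value" lines with spaces around the "=".

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the rlm_krb5
# setup above, meant to be run as root on the RADIUS server before (re)starting
# radiusd. Assumptions: the daemon runs as user "radius", and mods-enabled/krb5
# holds plain "key = value" lines with spaces around the "=".

# Read one setting from the krb5 module config ($1 = file, $2 = key).
krb5_setting() {
    awk -v key="$2" '$1 == key && $2 == "=" { print $3; exit }' "$1"
}

# The keytab must exist, belong to the radiusd user ($2, default "radius") and
# be readable by nobody else. Prints "ok" or the reason; non-zero on failure.
check_keytab_perms() {
    keytab=$1 want_owner=${2:-radius}
    [ -f "$keytab" ] || { echo "missing: $keytab"; return 1; }
    owner=$(stat -c %U "$keytab" 2>/dev/null || stat -f %Su "$keytab")
    mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
    [ "$owner" = "$want_owner" ] || { echo "owned by $owner, not $want_owner"; return 1; }
    case $mode in
        600|400) echo ok ;;
        *) echo "mode $mode is readable by others"; return 1 ;;
    esac
}

# Read "klist -k <keytab>" output on stdin and succeed only if the configured
# service principal ($1) is listed, with or without an explicit realm.
principal_in_klist() {
    awk -v p="$1" '$2 == p || index($2, p "@") == 1 { found = 1 } END { exit !found }'
}

# Tie the checks together against a module config such as mods-enabled/krb5.
preflight() {
    conf=$1
    keytab=$(krb5_setting "$conf" keytab)
    princ=$(krb5_setting "$conf" service_principal)
    [ -n "$keytab" ] && [ -n "$princ" ] || { echo "keytab or service_principal not set in $conf"; return 1; }
    check_keytab_perms "$keytab" || return 1
    klist -k "$keytab" | principal_in_klist "$princ" || { echo "$princ not in $keytab"; return 1; }
    # Same test the post suggests: can the service obtain a TGT with this key?
    kinit -k -t "$keytab" "$princ" || { echo "kinit as $princ failed"; return 1; }
    kdestroy
    echo "keytab $keytab ok for $princ"
}

# Usage: sh preflight.sh /etc/raddb/mods-enabled/krb5
if [ $# -gt 0 ]; then preflight "$1"; fi
```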