Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
Hi list, A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process. There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2. You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf Good luck! Regards, Charles Schwartz
charles schwartz <charles.schwartz@umail.univ-metz.fr> wrote:
There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2.
Very nice. My only real comment is that it's not necessary to edit /etc/nsswitch.conf. Alan DeKok.
On Tue, 22 Nov 2005, charles schwartz wrote:
A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process.
There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2.
You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf
This is a god-send. I have one debian specific error rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory radiusd.conf[9]: eap: Module instantiation failed. it seems that the shared object is not shipped when I did apt-get install freeradius
On Tue, 2005-11-22 at 14:10 -0500, Robin Mordasiewicz wrote:
it seems that the shared object is not shipped when I did apt-get install freeradius
Grab the latest CVS, install build-deps and use dpkg-buildpackage. It should work out-of-the-box. -- Luca Corti PGP Key ID 1F38C091
Hi Charles, thank you for that howto. A typo, that you might want to correct: On page 9 it should be --request-nt-key -instead of –-nt-request-key and --username instead of -username. Norbert Wegener charles schwartz wrote:
Hi list,
A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process.
There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2.
You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf
Good luck!
Regards, Charles Schwartz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 22 Nov 2005, charles schwartz wrote:
Hi list,
A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process.
There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2.
You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf
thanks for this. I change to use the /dev/random as per your tutorial but radiusd hangs. When I change the random_file back to the original then it works random_file = ${raddbdir}/certs/random In my tls section of eap.conf I have tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/random } But when I run radiusd -X it just hangs there after getting to the following. rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem" tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem" tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/freeradius/certs/dh" tls: random_file = "/dev/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" And Strace shows 13519 open("/etc/freeradius/certs/demoCA/cacert.pem", O_RDONLY|O_LARGEFILE) = 6 13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=1350, ...}) = 0 13519 open("/etc/freeradius/certs/cert-srv.pem", O_RDONLY|O_LARGEFILE) = 6 13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=2429, ...}) = 0 13519 open("/etc/freeradius/certs/cert-srv.pem", O_RDONLY|O_LARGEFILE) = 6 13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=2429, ...}) = 0 13519 stat64("/dev/random", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8), ...}) = 0 13519 open("/dev/random", O_RDONLY) = 6 [root@smtcorms02 /usr/lib/ssl ]# ls -la /dev/random crw-rw-rw- 1 root root 1, 8 Nov 2 12:02 /dev/random [root@smtcorms02 /usr/lib/ssl ]# ls -la /dev/urandom cr--r--r-- 1 root root 1, 9 Nov 2 12:02 /dev/urandom
Robin Mordasiewicz <rmordasiewicz@samuelmanutech.com> wrote:
thanks for this. I change to use the /dev/random as per your tutorial but radiusd hangs. When I change the random_file back to the original then it works
Yes. The "random_file" needed by the TLS module is a *pool* of random numbers. /dev/random and /dev/urandom are infinite streams of random numbers. So the TLS module thinks that the "pool" is infinite in size, and takes forever to read it. The default config of the server for "random_file" is correct, and should be used. Alan DeKok.
Actually, that's not completely true. Using /dev/random as the file argument for RAND_load_file when seeding the PRNG is recommended practice on systems that have it. The RAND_load_file call in the eap_tls code will only read at max 1048567 (1024 * 1024) bytes from the file, so it won't read infinitely. The problem here is that /dev/random is blocking. To keep that from happening, use /dev/urandom, if your system has it, or some other entropy source (such as egd). --Mike Alan DeKok wrote:
Robin Mordasiewicz <rmordasiewicz@samuelmanutech.com> wrote:
thanks for this. I change to use the /dev/random as per your tutorial but radiusd hangs. When I change the random_file back to the original then it works
Yes. The "random_file" needed by the TLS module is a *pool* of random numbers. /dev/random and /dev/urandom are infinite streams of random numbers. So the TLS module thinks that the "pool" is infinite in size, and takes forever to read it.
The default config of the server for "random_file" is correct, and should be used.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 22 Nov 2005, charles schwartz wrote:
Hi list,
A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process.
There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2.
You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf
I think everything is very close, but all I have to test with is NTRadPing. Would it be possible if someone can comment on the fields that I need to fill in for NTRadPing in order to test my AD account properly. I have already gotten NTRadPing to work against a hard coded user, as well as a unix account, but I have no idea which options I need to set to test the AD account.
participants (6)
-
Alan DeKok -
charles schwartz -
Luca Corti -
Michael Griego -
Norbert Wegener -
Robin Mordasiewicz