Freeradius 3.0.4 authentication to FreeIPA 4.1.2
Environment: Fedora release 21 (Twenty One) {Linux ipa.socnet.demonet.net 3.18.5-201.fc21.x86_64 #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux} radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 19 2015 at 19:42:17 ipa: VERSION: 4.1.2, API_VERSION: 2.109 I am a freeradius noob. I figure if I can get to the point where I can do a test with radtest locally, I can get from there. I cannot find any documentation on the internet that is coherent for me to give me a step-by-step configuration for authenticating radius against FreeIPA. I would prefer (I think) to use the Kerberos portion of FreeIPA as opposed to the OpenLDAP portion - however, I can go either way. I just need a nudge in the configuration of freeradius to freeipa. Any help would be very much appreciated. As a side note, I am authenticating successfully against my IPA infrastructure - I just can't seem to find the information I need to tie freeradius to freeipa. Thanks.
On Tue, 2015-02-10 at 12:24 -0600, Charles Jennings wrote:
Environment:
Fedora release 21 (Twenty One) {Linux ipa.socnet.demonet.net 3.18.5-201.fc21.x86_64 #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux} radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 19 2015 at 19:42:17 ipa: VERSION: 4.1.2, API_VERSION: 2.109
I am a freeradius noob. I figure if I can get to the point where I can do a test with radtest locally, I can get from there. I cannot find any documentation on the internet that is coherent for me to give me a step-by-step configuration for authenticating radius against FreeIPA. I would prefer (I think) to use the Kerberos portion of FreeIPA as opposed to the OpenLDAP portion - however, I can go either way. I just need a nudge in the configuration of freeradius to freeipa. Any help would be very much appreciated.
As a side note, I am authenticating successfully against my IPA infrastructure - I just can't seem to find the information I need to tie freeradius to freeipa.
Thanks.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
its not for FreeIPA, but it does work against Fedora 20, OpenLDAP and MIT Kerberos...
FreeIPA is just a packaged-up GUI'ed-up frontend to MIT Kerberos, 389 Directory Server, Dogtag CA/RA, and SSSD. The internals are there - I just can't seem to get it to work.... -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jennings.charles.e=gmail.com@lists.freeradius.org] On Behalf Of Brendan Kearney Sent: Tuesday, February 10, 2015 1:16 PM To: FreeRadius users mailing list Subject: Re: Freeradius 3.0.4 authentication to FreeIPA 4.1.2 On Tue, 2015-02-10 at 12:24 -0600, Charles Jennings wrote:
Environment:
Fedora release 21 (Twenty One) {Linux ipa.socnet.demonet.net 3.18.5-201.fc21.x86_64 #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux} radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 19 2015 at 19:42:17 ipa: VERSION: 4.1.2, API_VERSION: 2.109
I am a freeradius noob. I figure if I can get to the point where I can do a test with radtest locally, I can get from there. I cannot find any documentation on the internet that is coherent for me to give me a step-by-step configuration for authenticating radius against FreeIPA. I would prefer (I think) to use the Kerberos portion of FreeIPA as opposed to the OpenLDAP portion - however, I can go either way. I just need a nudge in the configuration of freeradius to freeipa. Any help would be very much appreciated.
As a side note, I am authenticating successfully against my IPA infrastructure - I just can't seem to find the information I need to tie freeradius to freeipa.
Thanks.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
its not for FreeIPA, but it does work against Fedora 20, OpenLDAP and MIT Kerberos... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10 Feb 2015, at 18:24, Charles Jennings <jennings.charles.e@gmail.com> wrote:
As a side note, I am authenticating successfully against my IPA infrastructure - I just can't seem to find the information I need to tie freeradius to freeipa.
I did this with Kerberos - no LDAP policy checks though. For my environment (CentOS 7) the rough steps were: Enrol your RADIUS server in IPA, then SSH into your FreeIPA server, and run: # kinit <<adminuser>>@YOUR.KERBEROS.REALM Then to generate a service principal (you could do this in the GUI too): # ipa-addservice radius/radius.server.yourdomain.com@YOUR.KERBEROS.REALM Then on your radius server get the key tab: # ipa-getkeytab -s radius.server.yourdomain.com. -p radius/radius.server.yourdomain.com -k /var/lib/radiusd/krb5.keytab Make sure that the radius user can see that key tab, and edit mods-enabled/krb5 ... keytab = /var/lib/radiusd/krb5.keytab service_principal = radius/radius.server.yourdomain.com ... Add a handler into the AuthZ section of your virtual servers: ... Auth-Type Kerberos { krb5 } ... You can (and should) verify the contents of the key tab with: # ktutil -k /var/lib/radiusd/krb5.keytab ktutil: rkt /var/lib/radiusd/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- ... And: # kinit -k -t /var/lib/radiusd/krb5.keytab radius/radius.server.yourdomain.com # klist Ticket cache: KEYRING:persistent:0:0 Default principal: radius/radius.server.yourdomain.com ... LDAP queries would be configured exactly FreeIPA like any other LDAP server. I don't know which mechanisms FreeRADIUS supports when binding to a directory for queries, someone else on the list may be able to confirm. Thanks, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Thanks. This pointed me in the right direction and was exactly what I needed. Ended up that I needed to add the following to the "authorize" section of /etc/raddb/sites-enabled/default : -ldap If ((ok || updated)) { update { control:Auth-Type := Kerberos } } And as you stated, add the following to the "authenticate" section of same file: Auth-Type Kerberos { Krb5 } After that, radtest worked. Now it is just normal stuff to get everything else working. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jennings.charles.e=gmail.com@lists.freeradius.org] On Behalf Of Adam Bishop Sent: Tuesday, February 10, 2015 4:28 PM To: FreeRadius users mailing list Subject: Re: Freeradius 3.0.4 authentication to FreeIPA 4.1.2 On 10 Feb 2015, at 18:24, Charles Jennings <jennings.charles.e@gmail.com> wrote:
As a side note, I am authenticating successfully against my IPA infrastructure - I just can't seem to find the information I need to tie freeradius to freeipa.
I did this with Kerberos - no LDAP policy checks though. For my environment (CentOS 7) the rough steps were: Enrol your RADIUS server in IPA, then SSH into your FreeIPA server, and run: # kinit <<adminuser>>@YOUR.KERBEROS.REALM Then to generate a service principal (you could do this in the GUI too): # ipa-addservice radius/radius.server.yourdomain.com@YOUR.KERBEROS.REALM Then on your radius server get the key tab: # ipa-getkeytab -s radius.server.yourdomain.com. -p radius/radius.server.yourdomain.com -k /var/lib/radiusd/krb5.keytab Make sure that the radius user can see that key tab, and edit mods-enabled/krb5 ... keytab = /var/lib/radiusd/krb5.keytab service_principal = radius/radius.server.yourdomain.com ... Add a handler into the AuthZ section of your virtual servers: ... Auth-Type Kerberos { krb5 } ... You can (and should) verify the contents of the key tab with: # ktutil -k /var/lib/radiusd/krb5.keytab ktutil: rkt /var/lib/radiusd/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- ... And: # kinit -k -t /var/lib/radiusd/krb5.keytab radius/radius.server.yourdomain.com # klist Ticket cache: KEYRING:persistent:0:0 Default principal: radius/radius.server.yourdomain.com ... LDAP queries would be configured exactly FreeIPA like any other LDAP server. I don't know which mechanisms FreeRADIUS supports when binding to a directory for queries, someone else on the list may be able to confirm. Thanks, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Adam Bishop -
Brendan Kearney -
Charles Jennings