windows 2003 AD authentication with freeradius (for 802.1X)

Stieven.Struyf at komatsu.eu Stieven.Struyf at komatsu.eu
Thu Nov 16 12:10:20 CET 2006


All,
I've been struggling to get AD authentication working the way I want it. I 
wanted users to automatically log in to the wireless network with their 
Windows (AD) account without needing to enter their passwords.
I created this procedure with bits and pieces I found on the internet, 
hints I got on this list and some things I found out myself. 
I hope this saves some time for others (as this was a popular question on the 
list/Google, but I didn't find the complete solution that worked for me). 
If there are better options than the ones I used, let me know. I changed 
IP addresses and realm names for privacy reasons, but if there's something 
not clear anymore let me know.

1. General config needed for 802.1X
I added the AP to the clients.conf file.
I configured the AP to use WPA2/AES (also had to add WPA/TKIP).
I entered the RADIUS server I used below as RADIUS server (enabled 802.1X on 
the AP) and used the secret I configured in the clients.conf file.


2. freeradius + AD (Windows 2003)
Install Samba (packages samba, samba-common and samba-client).

configure /etc/samba/smb.conf:
[root at radsv samba]# cat smb.conf
realm = DIVISION.DOMAIN.NET
workgroup = division.domain.net
security = ADS
encrypt passwords = yes
password server = 192.168.100.3
# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[test]
comment = Samba functionality test directory
path = /home/sambatest
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @DIVISION.DOMAIN.NET\"Domain Users"
[root at radsv samba]#


configure /etc/krb5.conf
[root at radsv samba]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DIVISION.DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc

[realms]
DIVISION.DOMAIN.NET = {
kdc = 192.168.100.3:88
admin_server = 192.168.100.3:749
default_domain = division.domain.net
}

[domain_realm]
.division.domain.net = DIVISION.DOMAIN.NET
division.domain.net = DIVISION.DOMAIN.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root at radsv samba]#

Configure nsswitch.conf:
Change the following entries in nsswitch.conf:

passwd:files -> passwd:files winbind
group:files -> group:files winbind

Join the RADIUS server to the domain (the account wireless-account needs to be 
created and should have enough rights in AD):
#net ads join -S 192.168.100.3 -U wireless-account


Configure freeradius:

Add the user to the /etc/raddb/users file (if you use it for 802.1X you probably also 
want to add VLAN assignment entries):
[root at radsv raddb]# cat users|grep -i user123
user123 
[root at radsv raddb]#

Add realm(s) to the /etc/raddb/proxy.conf file (add all aliases of your 
domain here):
realm DIVISION.DOMAIN.NET {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}
realm DIVISION {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

Configure /etc/raddb/radiusd.conf (change/activate the mschap part; the 
ntlm_auth value is one line):
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_strong = yes
        with_ntdomain_hack = yes
        require_encryption = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}


Configure eap.conf: 

Uncomment the tls keys (for production you should create your own!!).
tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
}


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf at komatsu.eu
Tel. +32 (0)2 2552551