Freeradius 3.0.4 authentication to FreeIPA 4.1.2
Charles Jennings
jennings.charles.e at gmail.com
Wed Feb 18 22:25:38 CET 2015
Thanks.
This pointed me in the right direction and was exactly what I needed. Ended up that I needed to add the following to the "authorize" section of /etc/raddb/sites-enabled/default:
    -ldap
    # run the LDAP lookup (the leading "-" means "do not fail if the module is absent"),
    # then force Kerberos authentication for any user it found or updated
    if ((ok || updated)) {
        update {
            control:Auth-Type := Kerberos
        }
    }
And as you stated, add the following to the "authenticate" section of same file:
    Auth-Type Kerberos {
        krb5
    }
After that, radtest worked. Now it is just normal stuff to get everything else working.
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jennings.charles.e=gmail.com at lists.freeradius.org] On Behalf Of Adam Bishop
Sent: Tuesday, February 10, 2015 4:28 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius 3.0.4 authentication to FreeIPA 4.1.2
On 10 Feb 2015, at 18:24, Charles Jennings <jennings.charles.e at gmail.com> wrote:
> As a side note, I am authenticating successfully against my IPA
> infrastructure - I just can't seem to find the information I need to
> tie freeradius to freeipa.
I did this with Kerberos - no LDAP policy checks though. For my environment (CentOS 7) the rough steps were:
Enrol your RADIUS server in IPA, then SSH into your FreeIPA server, and run:
# kinit <<adminuser>>@YOUR.KERBEROS.REALM
Then to generate a service principal (you could do this in the GUI too):
# ipa service-add radius/radius.server.yourdomain.com@YOUR.KERBEROS.REALM
Then on your radius server get the key tab:
# ipa-getkeytab -s radius.server.yourdomain.com. -p radius/radius.server.yourdomain.com -k /var/lib/radiusd/krb5.keytab
Make sure that the radius user can see that key tab, and edit mods-enabled/krb5
...
keytab = /var/lib/radiusd/krb5.keytab
service_principal = radius/radius.server.yourdomain.com
...
Add a handler into the AuthZ section of your virtual servers:
...
Auth-Type Kerberos {
    krb5
}
...
You can (and should) verify the contents of the key tab with:
# ktutil -k /var/lib/radiusd/krb5.keytab
ktutil: rkt /var/lib/radiusd/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
...
And:
# kinit -k -t /var/lib/radiusd/krb5.keytab radius/radius.server.yourdomain.com
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: radius/radius.server.yourdomain.com
...
LDAP queries would be configured for FreeIPA exactly like any other LDAP server. I don't know which mechanisms FreeRADIUS supports when binding to a directory for queries, someone else on the list may be able to confirm.
Thanks,
Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.
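The two keytab checks in the steps above (that the daemon user can read it, and that it actually contains the radius/ service principal) as an added shell script; this is an example written for this page, not code from the thread or from FreeRADIUS/FreeIPA. The keytab path and principal are taken from the thread, and the "radiusd" account name is an assumption about a CentOS 7 FreeRADIUS install.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the RADIUS keytab before
# pointing mods-enabled/krb5 at it. Defaults are assumptions taken from the
# thread (CentOS 7 runs FreeRADIUS as "radiusd"); override them via environment.
KEYTAB="${KEYTAB:-/var/lib/radiusd/krb5.keytab}"
RADIUS_USER="${RADIUS_USER:-radiusd}"
PRINCIPAL="${PRINCIPAL:-radius/radius.server.yourdomain.com}"

# check_keytab_perms FILE OWNER -> 0 if FILE is a regular file owned by OWNER
# with no group/other permission bits. The keytab holds the service's long-term
# key, so it gets private-key treatment: readable by the daemon user only.
# (If you deliberately deploy it as root:radiusd 0640, adjust the pattern.)
check_keytab_perms() {
    f="$1"; want_owner="$2"
    [ -f "$f" ] || { echo "$f: missing or not a regular file" >&2; return 1; }
    set -- $(ls -ld "$f")            # fields: mode links owner group ...
    mode="$1"; owner="$3"
    case "$mode" in
        -r??------*) ;;              # 0400/0600/0700, optional ACL/SELinux suffix
        *) echo "$f: mode $mode grants access beyond the owner" >&2; return 1 ;;
    esac
    [ "$owner" = "$want_owner" ] ||
        { echo "$f: owned by $owner, expected $want_owner" >&2; return 1; }
}

# check_keytab_principal FILE PRINCIPAL -> 0 if klist lists PRINCIPAL in FILE,
# 1 if it does not (wrong principal, or an unreadable/corrupt keytab),
# 2 if klist is not installed, so "unknown" is distinguishable from "wrong".
check_keytab_principal() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$1" 2>/dev/null | grep -q " $2@"
}

# main [KEYTAB [USER [PRINCIPAL]]] -> 0 only when every check passes
main() {
    kt="${1:-$KEYTAB}"; user="${2:-$RADIUS_USER}"; princ="${3:-$PRINCIPAL}"
    check_keytab_perms "$kt" "$user" || return 1
    rc=0; check_keytab_principal "$kt" "$princ" || rc=$?
    case "$rc" in
        0) echo "ok: $kt is owner-only, owned by $user and lists $princ" ;;
        2) echo "warning: klist not found, principal not verified" >&2 ;;
        *) echo "$kt does not list $princ (inspect it with: klist -k $kt)" >&2; return 1 ;;
    esac
}

# Run the checks only when invoked with arguments, so the file can also be
# sourced for its functions; e.g.:  sh check_keytab.sh /var/lib/radiusd/krb5.keytab
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root (or as the radiusd user) on the RADIUS server after ipa-getkeytab; a non-zero exit means the krb5 module will not be able to use the keytab as deployed.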