-
-
Save abbra/a74e171d791cf90113b0272b78919987 to your computer and use it in GitHub Desktop.
| # Assuming that HOSTNAME is enrolled to IPA realm already, | |
| # run the following on HOSTNAME where RADIUS server will be deployed | |
| # In FreeIPA 4.6+ host principal has permissions to create own services | |
| kinit -k | |
| ipa service-add 'radius/HOSTNAME' | |
| # create keytab for radius user | |
| ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab | |
| chown root:radiusd /etc/raddb/radius.keytab | |
| chmod 640 /etc/raddb/radius.keytab | |
| # make radius use the keytab for SASL GSSAPI | |
| mkdir -p /etc/systemd/system/radiusd.service.d | |
| cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF | |
| [Service] | |
| Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab | |
| ExecStartPre=-/usr/bin/kdestroy -A | |
| ExecStopPost=-/usr/bin/kdestroy -A | |
| EOF | |
| systemctl daemon-reload | |
| edit /etc/raddb/mods-enabled/ldap | |
| ldap server = 'LDAP HOSTNAME' | |
| ldap base_dn = 'cn=accounts,dc=example,dc=org' | |
| ldpa sasl mech = 'GSSAPI' | |
| ldpa sasl realm = 'YOUR REALM' | |
| ldap sasl update control:NT-Password := 'ipaNTHash' | |
| # How to request certificates from IPA server for RADIUS | |
| mv /etc/raddb/certs /etc/raddb/certs.bak | |
| mkdir /etc/raddb/certs | |
| openssl dhparam 2048 -out /etc/raddb/certs/dh | |
| ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME |
BTW. I'm running the test as follows:
KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X
If I test the radius daemon with the keytab it finds the user but it cannot see the user password.
(0) ldap: User object found at DN "uid=kees,cn=users,cn=accounts,dc=ijtest,dc=nl" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)Is that expected, or is there a way for the service to see the password?
same issue with me. have you found any workaround?
FreeIPA does not provide any access to password attributes, that's intended. With FreeIPA 4.8+ we also do not generate NT hashes anymore as they are too fragile and can be easily cracked.
As result, none of the authentication method that relies on NT hashes will work against FreeIPA.
The problem here is that FreeRADIUS is not able to compare the Hash used in FreeIPA by default (PBKDF2_SHA256). They implemented it in the 3.0.22 version but it does not seem to work for me anyway...
Alexander
if NT hashes will not work against FreeIPA, what should I use in place of:
ldap sasl update control:NT-Password := 'ipaNTHash'
in the /etc/raddb/mods-enabled/ldap file?
freeradius-3.0.20-12 + ipa-server-4.9.10-6
Nothing. You would need to switch to a better RADIUS authentication method. Microsoft also started to phase out RC4.
I've never run radius before and it has a lot of documentation because it can be configured to do so many things.
what authentication method would be recommended? I am only seeking simple authentication for network switches and such.
We had to switch to another hashing algorithm in FreeIPA because of this. So every user had to change their passwords. Sadly, there is not another solution for this.
The config snippet isn't complete, or out of date.
Authentication should/could be handled by krb5 and Authorization by ldap.
Ldap module not finding a 'good password' is expected, and should be ignored. (krb5 module will do a kinit with user credentials for authentication)
There isn't any need for alternative hashing algos or any configuration related to nt/ipa/hash/password.
@bagassy This whole setup is not supported anymore. The original approach was to show how to integrate with FreeIPA if you need NTLM stuff to work. As I said previously in https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987?permalink_comment_id=3443169#gistcomment-3443169, this is not supported anymore.
if it's not supported anymore, is there any way to integrate freeradius into freeipa for mschap requests? this is my specific scenario: we have devices that authenticate against our freeradius v3.0.21, and our freeradius authenticates against freeipa's ldap (freeipa v4.11.0, 389ds v2.4.5). if radius request is pap, auth works perfectly. but i can't find a way to make it work when radius request is mschap/mschapv2.
If I test the radius daemon with the keytab it finds the user but it cannot see the user password.
Is that expected, or is there a way for the service to see the password?