Just finished several months of work converting the wireless network at work over to 802.1x; halfway through, the authentication backend switched from Novell eDirectory to Active Directory, much to my dissatisfaction. However, I got there in the end.
This tutorial is for configuring FreeRadius to authenticate against a Windows Active Directory via NTLM (so that PEAP can be used from the client side). It is assumed you have already configured FreeRadius to allow authentication from the wireless APs, and that you've taken care of the shared keys etc. between devices. You will also need to have your APs configured to use PEAP for the authentication and MSCHAPv2 for the Phase 2 authentication (inner tunnel). My preferred wireless encryption is AES, if you're interested.
We are doing this on a Debian Linux server, talking to Active Directory on a Windows 2008 server. Make sure you have all your firewall rules in place. Clear-text passwords are unavailable through Active Directory, so we have to use Samba and the ntlm_auth helper program. In this configuration, we are using Active Directory as an authentication oracle, not as an LDAP database. We will also need to have Kerberos installed on the same box as FreeRadius and Samba.
As carried out on myserver.mysite.ie:
AD domain: mysite.local
WinAD server: ad-server.mysite.ie
On myserver:
aptitude install samba
aptitude install winbind
aptitude install krb5-kdc
Now vi /etc/krb5.conf, content is as follows:
[libdefaults]
default_realm = MYSITE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYSITE.LOCAL = {
kdc = ad-server.mysite.ie
admin_server = ad-server.mysite.ie
default_domain = MYSITE.LOCAL
}
[domain_realm]
.mysite.local = MYSITE.LOCAL
mysite.local = MYSITE.LOCAL
Add the following to /etc/hosts (where "ad-server" is the NETBIOS name of the AD server, and x.x.x.x is its IP address):
x.x.x.x ad-server.mysite.ie ad-server
Create the database for the new realm (it will be created in /etc/krb5kdc by default):
kdb5_util create MYSITE.LOCAL
...when prompted for the KDC database master key, just hit return (or set a password if you prefer).
Restart services:
/etc/init.d/krb5-kdc restart
Test joining the domain (use the NETBIOS name for ad-server here, and a user with administrator privileges):
net ads join -S ad-server -U username
...sample output showing a successful join:
root@myserver:/# net ads join -S ad-server.mysite.ie -U username
Enter username's password:
Using short domain name -- MYSITE
Joined 'MYSERVER' to realm 'mysite.local'
No DNS domain configured for myserver. Unable to perform DNS Update.
DNS update failed!
root@myserver:/#
vi /etc/samba/smb.conf, content is as follows:
[global]
workgroup = MYSITE
realm = MYSITE.LOCAL
server string = %h server (Samba, Ubuntu)
security = ADS
map to guest = Bad User
password server = ad-server
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
Test the syntax of your edits via 'testparm'.
Restart services:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
Test with 'wbinfo -t':
root@myserver:/# wbinfo -t
checking the trust secret via RPC calls succeeded
root@myserver:/#
Verify that a user in the domain can be authenticated, with 'wbinfo -a USER%PASSWORD':
root@myserver:/# wbinfo -a username%blahblah
plaintext password authentication failed
Could not authenticate user username%blahblah with plaintext password
challenge/response password authentication succeeded
root@myserver:/#
Test using the method that FreeRadius will use, with the command:
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=USERNAME --password=PASSWORD
...e.g.:
root@myserver:/# ntlm_auth --request-nt-key --domain=MYSITE.LOCAL --username=username --password=blahblah
NT_STATUS_OK: Success (0x0)
root@myserver:/#
-----> Should return: NT_STATUS_OK: Success (0x0)
Configuring FreeRadius
The FreeRadius user, 'radius', will need access to /var/run/samba/winbindd_privileged, otherwise FreeRadius will fail to run, so add the user to the relevant group:
usermod -a -G winbindd_priv radius
In proxy.conf:
realm myserver.mysite.ie {
strip
}
In modules/mschap (note the use of "Stripped-User-Name"!):
mschap {
# Stripped-User-Name is the realm-stripped login; fall back to User-Name if no realm was stripped.
# The domain falls back to MYSITE.LOCAL when the client did not supply a DOMAIN\user name.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-MYSITE.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
That's it - you should now be able to authenticate via your wireless clients. Adding certs and stuff is a whole other tutorial!
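To see which username and domain the mschap module actually hands to ntlm_auth for a given request, here is an added example (not code from the original post or from FreeRadius) that models the "%{%{A}:-%{B:-default}}" fallback expansion and the proxy.conf realm strip. Module expansions such as %{mschap:Challenge} are modelled as plain keys in the attribute dict, and all request values below are constructed; both are assumptions of the example.

```python
import shlex
from typing import Dict, List, Optional

# Same ntlm_auth line as in modules/mschap above (MYSITE.LOCAL is the page's domain).
NTLM_AUTH = ("/usr/bin/ntlm_auth --request-nt-key"
             " --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}"
             " --domain=%{%{mschap:NT-Domain}:-MYSITE.LOCAL}"
             " --challenge=%{mschap:Challenge:-00}"
             " --nt-response=%{mschap:NT-Response:-00}")

def _matching_brace(s: str, start: int) -> int:
    """Index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in xlat string")

def _split_default(body: str):
    """Split 'X:-Y' at the top-level ':-' only (not one inside a nested %{...})."""
    depth = 0
    for i in range(len(body) - 1):
        depth += {"{": 1, "}": -1}.get(body[i], 0)
        if depth == 0 and body[i:i + 2] == ":-":
            return body[:i], body[i + 2:]
    return body, None

def expand(s: str, attrs: Dict[str, str]) -> str:
    """Expand every %{...}; an empty result falls through to its ':-default'."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("%{", i):
            end = _matching_brace(s, i + 1)
            ref, default = _split_default(s[i + 2:end])
            # A nested %{...} is expanded; a bare name is an attribute lookup (model).
            value = expand(ref, attrs) if ref.startswith("%{") else attrs.get(ref, "")
            if value == "" and default is not None:
                value = expand(default, attrs)
            out.append(value)
            i = end + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def strip_realm(user_name: str, realm: str) -> Optional[str]:
    """Model 'realm <name> { strip }': the Stripped-User-Name, or None if no match."""
    user, sep, suffix = user_name.rpartition("@")
    return user if sep and suffix.lower() == realm.lower() else None

def ntlm_auth_argv(attrs: Dict[str, str]) -> List[str]:
    """The argv FreeRadius would run for this request (model of the xlat result)."""
    return shlex.split(expand(NTLM_AUTH, attrs))
```

Without the realm strip, the full "user@myserver.mysite.ie" string would be passed as --username, which is why the page's proxy.conf entry matters.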