Nothing complicated really… @robb
To begin:
yum install freeradius freeradius-ldap freeradius-utils
Be sure that the nethserver-freeradius module isn't installed, just pure freeradius, so we can edit the files at /etc/raddb directly and they don't get overwritten. I switched to NethServer recently and am not very familiar with developing NethServer modules yet.
Initial configuration files will be created at /etc/raddb and the ldap module at /etc/raddb/mods-available.
Then you need to modify the radiusd.conf file in the security section:
user = root
group = root
We have to run radiusd as root instead of default radiusd user, because accessing systemd container is otherwise not possible.
In the log section I set it to log failed and successful login attempts to the radius.log file. By default nothing like that is logged.
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = yes
auth_goodpass = yes
At clients.conf file, just add your clients, IPs and shared secrets to the bottom. For example:
client testpc {
ipaddr = 10.43.0.6
secret = 123
}
client cap {
ipaddr = 10.30.0.50
secret = secret
}
Then move to the modules: the ldap module should be symlinked from mods-available to mods-enabled using the ln -s command (if it isn't already). After it's done, here is my modified ldap file
https://pastebin.com/CZH2QM8S
There isn't really much modified, just set the server IP, identity and password from NethServer GUI->Configuration->Accounts Provider. Also set base_dn from NethServer GUI->Domain Accounts.
Then follows mschap module for NTLM MSCHAP authentication.
First edit /var/lib/machines/nsdc/etc/samba/samba.conf and add ntlm auth = mschapv2-and-ntlmv2-only to the global section, so it looks something like this:
# Global parameters
[global]
dns forwarder = 127.0.0.1
netbios name = NSDC-SERVER
realm = AD.TESTSERVER.LOCAL
server role = active directory domain controller
workgroup = TESTSERVER
include = /etc/samba/smb.conf.include
ntlm auth = mschapv2-and-ntlmv2-only
[netlogon]
path = /var/lib/samba/sysvol/ad.testserver.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Execute
systemctl restart nsdc
to apply changes.
Here is my modified mschap module file
https://pastebin.com/ukmRq7wP
Again not much modified, only the ntlm_auth line to
ntlm_auth = "/usr/bin/nsdc-run -e /usr/bin/ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
Then create a bash script at /var/lib/machines/nsdc/usr/bin/ntlm_auth_nsdc. Remember to chmod +x /var/lib/machines/nsdc/usr/bin/ntlm_auth_nsdc
#!/bin/bash
# Wrapper run inside the nsdc container: hands the MS-CHAP challenge/response
# from FreeRADIUS to ntlm_auth and returns its result.
# $1 = username, $2 = challenge, $3 = NT response
OUTPUT=$(/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username="$1" --challenge="$2" --nt-response="$3")
DATETIME=$(date "+%Y%m%d-%H:%M:%S")
# Append "<timestamp> <user> <ntlm_auth output>" to the log file
echo "$DATETIME $1 $OUTPUT" >> /var/log/ntlm_auth_nsdc
# FreeRADIUS reads the NT_KEY line from stdout
echo "$OUTPUT"
# ntlm_auth prints "NT_KEY: ..." only on success, so map that to exit code 0
if [[ ${OUTPUT:0:6} == "NT_KEY" ]]; then exit 0; else exit 1; fi
A little trick which executes the ntlm_auth command inside the nsdc container machine and helps to pass the logon information and the exit code of the command, as well as writing a log file at /var/log/ntlm_auth_nsdc. You can then ln -s /var/lib/machines/nsdc/var/log/ntlm_auth_nsdc /var/log/ntlm_auth_nsdc
For testing purposes you can run radiusd with -X parameter to get full debug output.
If you need to give radius access to a specific group, you need to edit /etc/raddb/mods-config/files/authorize and add the following lines to the beginning of the file:
DEFAULT LDAP-Group != "radius_group", Auth-Type := Reject
	Service-Type := Login-User
Both pap and mschap requests will be filtered.
I made this writeup quickly, so if there are any questions feel free to ask.
For testing there is radtest utility included in freeradius-utils package.
radtest -t pap username password server:port 1 testing123
radtest -t mschap username password server:port 1 testing123
In the clients.conf file a test client on localhost with secret "testing123" is enabled by default, so you can send radius auth requests from the server's shell. Both above-mentioned commands should authenticate fine.
The ldap and mschap module files are taken from a working environment. So far it all works; the only issue I faced is that after a reboot radiusd starts before nsdc, so it fails to connect to the ldap server; after systemctl restart radiusd it's fine. Have to fix that.
edit:
modify /etc/raddb/mods-available/ldap and edit the pool section:
pool {
start = 0
...
Now radiusd will start even with no LDAP available at startup.
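The wrapper script above appends one line per MS-CHAP attempt to /var/log/ntlm_auth_nsdc, which makes that file a handy place to spot repeated logon failures against the RADIUS server. The following is an added example, not part of the original post or of FreeRADIUS/NethServer: two shell functions that read a log in the wrapper's format (timestamp, username, ntlm_auth output, where a successful output begins with "NT_KEY:") and report users whose failure count reaches a threshold, plus the number of successful logons. The sample log lines are constructed for the example; they are not real data. Note that because the wrapper logs ntlm_auth's full output, the file also contains the NT_KEY returned for successful logons, so keep its permissions tight.

```shell
#!/bin/bash
# Added example: summarise a log written by the ntlm_auth_nsdc wrapper.
# Assumed line format (what the wrapper above writes):
#   YYYYmmdd-HH:MM:SS <username> <ntlm_auth output>
# ntlm_auth prints "NT_KEY: <hex>" on success and an error text otherwise.

# Constructed sample log (not real data) so the example runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
20240105-10:01:12 alice NT_KEY: 0123456789ABCDEF0123456789ABCDEF
20240105-10:01:40 bob Logon failure (0xc000006d)
20240105-10:01:41 bob Logon failure (0xc000006d)
20240105-10:01:43 bob Logon failure (0xc000006d)
20240105-10:02:05 carol NT_KEY: FEDCBA9876543210FEDCBA9876543210
20240105-10:02:30 bob Logon failure (0xc000006d)
20240105-10:03:00 dave Logon failure (0xc000006d)
EOF

# failed_logons LOGFILE [THRESHOLD]
# Prints "<user> <failures>" for each user whose failed attempts reach
# THRESHOLD (default 3). A line is a failure when field 3 is not "NT_KEY:",
# which also covers empty ntlm_auth output (the wrapper exits 1 for it too).
failed_logons() {
    local log="$1" threshold="${2:-3}"
    awk -v thr="$threshold" '
        $3 != "NT_KEY:" { fail[$2]++ }
        END { for (u in fail) if (fail[u] >= thr) print u, fail[u] }
    ' "$log" | sort
}

# successful_logons LOGFILE
# Prints the number of lines whose ntlm_auth output begins with "NT_KEY:".
successful_logons() {
    awk '$3 == "NT_KEY:" { n++ } END { print n + 0 }' "$1"
}

# Usage on the real log once the symlink from the post is in place:
#   failed_logons /var/log/ntlm_auth_nsdc 5
echo "users at or above 3 failures:"
failed_logons "$SAMPLE_LOG" 3
echo "successful logons: $(successful_logons "$SAMPLE_LOG")"
```

Run against the constructed log it lists bob with 4 failures and reports 2 successful logons; pointed at /var/log/ntlm_auth_nsdc it gives a quick per-user view of what the NAS clients in clients.conf have been sending.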