```sh
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed.
# In FreeIPA 4.6+ host principal has permissions to create own services
kinit -k
ipa service-add 'radius/HOSTNAME'
# create keytab for the radius service; it is a long-term key, so restrict it
# to root and the radiusd group
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI: libkrb5 reads the client keytab
# from KRB5_CLIENT_KTNAME and acquires credentials on demand, so no kinit is
# needed; the kdestroy hooks drop any stale credential cache around start/stop
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
# edit /etc/raddb/mods-enabled/ldap and set, inside the ldap { } section:
#   server = 'LDAP HOSTNAME'
#   base_dn = 'cn=accounts,dc=example,dc=org'
#   sasl {
#       mech = 'GSSAPI'
#       realm = 'YOUR REALM'
#   }
#   update {
#       control:NT-Password := 'ipaNTHash'
#   }
# How to request certificates from IPA server for RADIUS
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# options must precede the bit size; 'openssl dhparam 2048 -out ...' is rejected by OpenSSL 3
openssl dhparam -out /etc/raddb/certs/dh 2048
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
```
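The following is an added example, not part of the gist and not FreeRADIUS or FreeIPA project code. It turns the manual steps above into functions: it renders the systemd drop-in and the rlm_ldap (FreeRADIUS 3 syntax) settings from variables, and runs the pre-flight checks a practitioner wants before starting radiusd (keytab permissions, and that the `radius/HOST@REALM` key is actually in the keytab). The hostname, realm, server and base DN defaults are hypothetical. The `control:NT-Password := 'ipaNTHash'` update is emitted only on request, because it exists solely for MS-CHAP and depends on `ipaNTHash` being populated; plain PAP (or EAP-TTLS/PAP) authentication does not need it.

```sh
#!/bin/sh
# Added example (not from the gist): render radiusd/FreeIPA GSSAPI config and
# run pre-flight checks. All host/realm/DN values are hypothetical defaults.
set -eu

RADIUS_HOST="${RADIUS_HOST:-radius.example.org}"      # assumed RADIUS host
IPA_REALM="${IPA_REALM:-EXAMPLE.ORG}"                 # assumed Kerberos realm
LDAP_SERVER="${LDAP_SERVER:-ipa.example.org}"         # assumed IPA server
BASE_DN="${BASE_DN:-cn=accounts,dc=example,dc=org}"   # assumed IPA accounts tree
KEYTAB="${KEYTAB:-/etc/raddb/radius.keytab}"

# systemd drop-in: KRB5_CLIENT_KTNAME lets libkrb5 obtain credentials from the
# service keytab on demand; kdestroy drops stale caches on start/stop.
render_dropin() {
  printf '[Service]\n'
  printf 'Environment=KRB5_CLIENT_KTNAME=%s\n' "$1"
  printf 'ExecStartPre=-/usr/bin/kdestroy -A\n'
  printf 'ExecStopPost=-/usr/bin/kdestroy -A\n'
}

# rlm_ldap settings for a SASL GSSAPI bind. Args: server base_dn realm [nthash]
# The NT-Password update is only needed for MS-CHAP and is skipped by default.
render_ldap_mod() {
  server="$1"; base_dn="$2"; realm="$3"; want_nthash="${4:-}"
  cat <<EOF
ldap {
    server = '$server'
    base_dn = '$base_dn'
    sasl {
        mech = 'GSSAPI'
        realm = '$realm'
    }
EOF
  if [ "$want_nthash" = nthash ]; then
    cat <<'EOF'
    update {
        control:NT-Password := 'ipaNTHash'
    }
EOF
  fi
  cat <<'EOF'
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
EOF
}

# Keytab hygiene: the keytab is equivalent to the service's password, so it
# must not be group-writable or readable by others (matches 'chmod 640').
# Uses 'ls -l' columns for portability: col 6 = group write, cols 8-10 = other.
check_keytab_mode() {
  perms=$(ls -ld "$1" | cut -c1-10)
  group_w=$(printf '%s' "$perms" | cut -c6)
  other=$(printf '%s' "$perms" | cut -c8-10)
  [ "$group_w" = "-" ] && [ "$other" = "---" ]
}

# Keytab content: radius/<host>@<REALM> must be present (needs krb5 klist,
# so this check only runs live, not in the offline self-test).
check_keytab_principal() {
  klist -k "$1" | grep -qF "radius/$2@$3"
}

main() {
  check_keytab_mode "$KEYTAB" || { echo "bad permissions on $KEYTAB" >&2; exit 1; }
  check_keytab_principal "$KEYTAB" "$RADIUS_HOST" "$IPA_REALM" \
    || { echo "radius/$RADIUS_HOST@$IPA_REALM not found in $KEYTAB" >&2; exit 1; }
  echo "# --- /etc/systemd/system/radiusd.service.d/krb5_keytab.conf ---"
  render_dropin "$KEYTAB"
  echo "# --- ldap { } section for /etc/raddb/mods-enabled/ldap ---"
  render_ldap_mod "$LDAP_SERVER" "$BASE_DN" "$IPA_REALM" "${WANT_NTHASH:-}"
}

# Live run only when asked (RADIUS_PREFLIGHT=1), so the functions can be sourced.
if [ "${RADIUS_PREFLIGHT:-0}" = 1 ]; then main; fi
```

Run it as `RADIUS_PREFLIGHT=1 RADIUS_HOST=... IPA_REALM=... sh preflight.sh` on the RADIUS host after the `ipa-getkeytab` step; set `WANT_NTHASH=nthash` only if you really need the MS-CHAP path. The rendered ldap section is printed rather than written, since the stock `mods-available/ldap` contains other settings you will want to keep.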
I've never run RADIUS before, and it has a lot of documentation because it can be configured to do so many things.
What authentication method would be recommended? I am only seeking simple authentication for network switches and such.
We had to switch to another hashing algorithm in FreeIPA because of this. So every user had to change their passwords. Sadly, there is not another solution for this.
The config snippet isn't complete, or is out of date.
Authentication should/could be handled by krb5 and authorization by LDAP.
The LDAP module not finding a 'good password' is expected and should be ignored (the krb5 module will do a kinit with the user's credentials for authentication).
There isn't any need for alternative hashing algorithms or any configuration related to nt/ipa/hash/password.
@bagassy This whole setup is not supported anymore. The original approach was to show how to integrate with FreeIPA if you need NTLM stuff to work. As I said previously in https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987?permalink_comment_id=3443169#gistcomment-3443169, this is not supported anymore.
If it's not supported anymore, is there any way to integrate FreeRADIUS with FreeIPA for MSCHAP requests? This is my specific scenario: we have devices that authenticate against our FreeRADIUS v3.0.21, and our FreeRADIUS authenticates against FreeIPA's LDAP (FreeIPA v4.11.0, 389ds v2.4.5). If the RADIUS request is PAP, auth works perfectly, but I can't find a way to make it work when the RADIUS request is MSCHAP/MSCHAPv2.
Nothing. You would need to switch to a better RADIUS authentication method. Microsoft also started to phase out RC4.