-
-
Save abbra/a74e171d791cf90113b0272b78919987 to your computer and use it in GitHub Desktop.
| # Assuming that HOSTNAME is enrolled to IPA realm already, | |
| # run the following on HOSTNAME where RADIUS server will be deployed | |
| # In FreeIPA 4.6+ host principal has permissions to create own services | |
| kinit -k | |
| ipa service-add 'radius/HOSTNAME' | |
| # create keytab for radius user | |
| ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab | |
| chown root:radiusd /etc/raddb/radius.keytab | |
| chmod 640 /etc/raddb/radius.keytab | |
| # make radius use the keytab for SASL GSSAPI | |
| mkdir -p /etc/systemd/system/radiusd.service.d | |
| cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF | |
| [Service] | |
| Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab | |
| ExecStartPre=-/usr/bin/kdestroy -A | |
| ExecStopPost=-/usr/bin/kdestroy -A | |
| EOF | |
| systemctl daemon-reload | |
| edit /etc/raddb/mods-enabled/ldap | |
| ldap server = 'LDAP HOSTNAME' | |
| ldap base_dn = 'cn=accounts,dc=example,dc=org' | |
| ldpa sasl mech = 'GSSAPI' | |
| ldpa sasl realm = 'YOUR REALM' | |
| ldap sasl update control:NT-Password := 'ipaNTHash' | |
| # How to request certificates from IPA server for RADIUS | |
| mv /etc/raddb/certs /etc/raddb/certs.bak | |
| mkdir /etc/raddb/certs | |
| openssl dhparam 2048 -out /etc/raddb/certs/dh | |
| ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME |
The config snippet isn't complete, or out of date.
Authentication should/could be handled by krb5 and Authorization by ldap.
Ldap module not finding a 'good password' is expected, and should be ignored. (krb5 module will do a kinit with user credentials for authentication)
There isn't any need for alternative hashing algos or any configuration related to nt/ipa/hash/password.
@bagassy This whole setup is not supported anymore. The original approach was to show how to integrate with FreeIPA if you need NTLM stuff to work. As I said previously in https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987?permalink_comment_id=3443169#gistcomment-3443169, this is not supported anymore.
if it's not supported anymore, is there any way to integrate freeradius into freeipa for mschap requests? this is my specific scenario: we have devices that authenticate against our freeradius v3.0.21, and our freeradius authenticates against freeipa's ldap (freeipa v4.11.0, 389ds v2.4.5). if radius request is pap, auth works perfectly. but i can't find a way to make it work when radius request is mschap/mschapv2.
We had to switch to another hashing algorithm in FreeIPA because of this. So every user had to change their passwords. Sadly, there is not another solution for this.