Skip to content

Instantly share code, notes, and snippets.

@abbra

abbra/FreeRadius + FreeIPA

Forked from tiran/FreeRadius + FreeIPA
Last active June 6, 2024 10:00
Show Gist options
  • Save abbra/a74e171d791cf90113b0272b78919987 to your computer and use it in GitHub Desktop.
Save abbra/a74e171d791cf90113b0272b78919987 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
FreeRadius + FreeIPA
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ host principal has permissions to create own services
kinit -k
ipa service-add 'radius/HOSTNAME'
# create keytab for radius user
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
edit /etc/raddb/mods-enabled/ldap
ldap server = 'LDAP HOSTNAME'
ldap base_dn = 'cn=accounts,dc=example,dc=org'
ldpa sasl mech = 'GSSAPI'
ldpa sasl realm = 'YOUR REALM'
ldap sasl update control:NT-Password := 'ipaNTHash'
# How to request certificates from IPA server for RADIUS
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
openssl dhparam 2048 -out /etc/raddb/certs/dh
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
@bagassy
Copy link

bagassy commented Apr 7, 2023

The config snippet isn't complete, or out of date.
Authentication should/could be handled by krb5 and Authorization by ldap.
Ldap module not finding a 'good password' is expected, and should be ignored. (krb5 module will do a kinit with user credentials for authentication)
There isn't any need for alternative hashing algos or any configuration related to nt/ipa/hash/password.

@abbra
Copy link
Author

abbra commented Apr 13, 2023

@bagassy This whole setup is not supported anymore. The original approach was to show how to integrate with FreeIPA if you need NTLM stuff to work. As I said previously in https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987?permalink_comment_id=3443169#gistcomment-3443169, this is not supported anymore.

@vvilaplana
Copy link

if it's not supported anymore, is there any way to integrate freeradius into freeipa for mschap requests? this is my specific scenario: we have devices that authenticate against our freeradius v3.0.21, and our freeradius authenticates against freeipa's ldap (freeipa v4.11.0, 389ds v2.4.5). if radius request is pap, auth works perfectly. but i can't find a way to make it work when radius request is mschap/mschapv2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment