Setup freeRADIUS Active Directory Authentication Integration

This guide explains how to setup freeRADIUS Active Directory authentication / integration.  I should point out when freeRADIUS uses Active Directory as a user database, there are some limitations. Active Directory will not give FreeRADIUS the “known good” password for FreeRADIUS to use. Instead, FreeRADIUS retrieves the user authentication data (PAP, MS-CHAP, etc.) and passes them to Active Directory. It will check the users AD credentials, and returns success or fail to FreeRADIUS.

FreeRADIUS connects to Active Directory using Samba.  Samba allows Linux servers to connect to Active Directory domain.  It can function both as a domain controller or as a regular domain member.

 

FreeRADIUS AD authentication also uses ntlm_auth helper program which uses winbind for evaluating NTLM (NT Lan Manager) requests. ntlm_auth allows verifying user credentials on the domain controller and returns either a success or an error message.  

Note that in this configuration, we’re using Active Directory as an authentication oracle, and not as an LDAP database.  An authentication oracle is a system where the RADIUS server does not perform the authentication itself, but instead passes the users authentication credentials to Active Directory. Those credentials are normally the domain user name and password of the user trying to connect, i.e. for PAP or MS-CHAP authentication.

freeRADIUS Active Directory Authentication

Image Source: freeRADIUS

FreeRADIUS Active Directory Authentication Process

The authentication process flow of steps to authenticate radius clients is as follows:

 

  1. FreeRADIUS receives a user name and a password with an MS-CHAP data wrapper
  2. FreeRADIUS passes this information to Samba and asks for verification
  3. Samba passes this information to Active Directory and asks for verification
  4. Active Directory retrieves the stored password (in NT hash format) for that user
  5. Active Directory applies MS-CHAP to the stored password
  6. Active Directory compares the MS-CHAP data of the stored password against the submitted password and decides on access
  7. Active Directory provides access information to Samba
  8. Samba passes that access information to FreeRADIUS
  9. FreeRADIUS provides access to the user (or not)

The table below lists the compatibility between the common identity systems used for authentication, and the authentication protocols.

PAM LDAP "bind as user" ntlm_auth

PAP

CHAP

Digest

MS-CHAP

PEAP

EAP-MSCHAPv2

EAP-GTC

EAP-MD5

EAP-PWD

Getting Started Setting up FreeRADIUS Active Directory Authentication

In the following steps we need to do the following to integrate Active Directory with freeRADIUS.  This tutorial assumes you already have FreeRADIUS installed on Linux / Ubuntu:

 

  1. Install Samba
  2. Configure Samba and freeRADIUS
  3. Join your Linux FreeRADIUS server to your domain
  4. Test RADIUS Authentication

1.) Configure localhost DNS

A fully qualified domain name (FQDN) must be defined. Open “/etc/hosts” file in your preferred text editor and add localhost IP address, FQDN and hostname respectively as below.

				
					sudo nano /etc/hosts
				
			

Below you can see my local hosts file using the local IP and my FQDN of my hostname.Active Directory domain hostname

To test the localhost has updated correctly run the following commands:

				
					hostname
hostname -f
				
			

2.) Install Samba and Configure Active Directory on Ubuntu 20.04

First step is to install the following packages with the following command:

				
					sudo apt-get install -y samba winbind libnss-winbind krb5-user
				
			

Ignore any error messages you may get, as we still need to make some configuration changes.  Run the following command to open the samba smb conf file

				
					sudo nano /etc/samba/smb.conf
				
			

Scroll down to the [global] settings section.

Then add your Active Directory domain information, similar to how i’ve done below, save and exit:

				
					workgroup = DOMAIN 
security = ads 
winbind use default domain = yes 
realm = Domain.COM 
password server = mydc1.domain.com
ntlm auth = mschapv2-and-ntlmv2-only
				
			

For Samba 4, you also have to set the ntlm auth configuration variable. It should be set to either yes, or to mschapv2-and-ntlmv2-only. This configuration needs to be set all participating Samba members, and also on (Samba4) AD-DC servers.

Here’s my domain configuration:

3.) Setup Kerberos Authentication for Active Directory

The next step is to configure kerberos and add your AD domain information and domain controller hostnames.  Open /etc/krb5.conf with the following command:

				
					sudo nano /etc/krb5.conf
				
			

Update your krb5.conf as i’ve updated mine below.  You can delete any of the default domain entries that come pre configured.  Once completed, save and exit.

4.) Join Linux Server to Active Directory Domain

The next step is to now add our RADIUS server to Active Directory.  First make sure your using your root account:

				
					sudo -i
				
			

In order to add a Linux server to Active Directory, you will need to use a domain administrator account.  The domain administrator account has the permissions to add devices to a domain.  Exactly the same as you would a Windows desktop or server.  Once you have the domain admin account, run the following command:

				
					kinit Administrator
				
			

When prompted, add the password.  Next, run the following command which adds our RADIUS server to Active Directory.

				
					net ads -k join
				
			

If successful, you should see a message to say your RADIUS server has been added to your DNS Domain.  You can also confirm this by looking in your Active Directory Users and Computers and seeing your server in the Computers container.

Next, is to restart the following services:

				
					service smbd restart
service nmbd restart
service winbind restart
				
			

Test if NTLM Authentication Works

Now your server has been joined to your domain we can test if New Technology LAN Manager (NTLM) authentication works.  FreeRADIUS uses “ntlm_auth” tool to allow external access to Winbind’s NTLM authentication function. Run the command to confirm if NTLM authentication works on your RADIUS server.

				
					ntlm_auth --request-nt-key --domain=mydomain.com --username=administrator --password=mypassword
				
			

If successful, you should get the following message:

NT_STATUS_OK: The operation completed successfully. (0x0)

5) Configure FreeRADIUS to use ntlm_auth

Once Samba is working correctly and authentication works, we now need to configure FreeRADIUS to use ntlm_auth.  Open your ntlm_auth module configuration file. Its normally located under /etc/freeradius/mods-enabled/ntlm_auth

				
					sudo nano /etc/freeradius/mods-enabled/ntlm_auth
				
			

Default config should look like this:

				
					exec ntlm_auth {
    wait = yes
    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
				
			

Edit the field for the path to your ntlm_auth file and your domain.  Here is how my config looks:

This configuration tells the server to run the ntlm_auth program with the user name and password obtained from the Access-Request. You will also have to list ntlm_auth in the authenticate sections of each the Apache /sites-enabled/default file, and of the /sites-enabled/inner-tunnel file:

Within both files under authenticate add ntlm_auth as in my screenshot below:

authenticate {
    ...
    ntlm_auth
    ...
}

Open your default site with the following command and under authenticate add ntlm_auth

				
					sudo nano /etc/freeradius/sites-enabled/default
				
			

Open your inner-tunnel site with the following command and under authenticate add ntlm_auth

				
					sudo nano /etc/freeradius/sites-enabled/inner-tunnel
				
			

Configure RADIUS Auth and Account Ports

FreeRADIUS uses the following ports:

 

RADIUS Authentication and Authorization

UDP: 1812 

 

RADIUS Accounting

UDP: 1813 

Avatar for Andrew Fitzgerald
Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.

2 6 votes
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x