Setup freeRADIUS Active Directory Authentication Integration

This guide explains how to set up FreeRADIUS Active Directory authentication and integration. I should point out that when FreeRADIUS uses Active Directory as a user database, there are some limitations. Active Directory will not give FreeRADIUS the “known good” password for FreeRADIUS to use. Instead, FreeRADIUS takes the user's authentication data (PAP, MS-CHAP, etc.) from the request and passes it to Active Directory, which checks the user's AD credentials and returns success or failure to FreeRADIUS.

FreeRADIUS connects to Active Directory using Samba. Samba allows Linux servers to connect to an Active Directory domain, and it can function either as a domain controller or as a regular domain member.

FreeRADIUS AD authentication also uses the ntlm_auth helper program, which relies on winbind to evaluate NTLM (NT LAN Manager) requests. ntlm_auth verifies user credentials against the domain controller and returns either success or an error message.

Note that in this configuration we're using Active Directory as an authentication oracle, not as an LDAP database. An authentication oracle is a system where the RADIUS server does not perform the authentication itself, but instead passes the user's authentication credentials to Active Directory. Those credentials are normally the domain user name and password of the user trying to connect, i.e. for PAP or MS-CHAP authentication.

[Image: freeRADIUS Active Directory Authentication. Image source: freeRADIUS]

FreeRADIUS Active Directory Authentication Process

The steps FreeRADIUS goes through to authenticate a RADIUS client against Active Directory are as follows:

  1. FreeRADIUS receives a user name and a password with an MS-CHAP data wrapper
  2. FreeRADIUS passes this information to Samba and asks for verification
  3. Samba passes this information to Active Directory and asks for verification
  4. Active Directory retrieves the stored password (in NT hash format) for that user
  5. Active Directory applies MS-CHAP to the stored password
  6. Active Directory compares the MS-CHAP data of the stored password against the submitted password and decides on access
  7. Active Directory provides access information to Samba
  8. Samba passes that access information to FreeRADIUS
  9. FreeRADIUS provides access to the user (or not)

The table below lists the compatibility between the common identity systems used for authentication, and the authentication protocols.

Protocol       | PAM | LDAP "bind as user" | ntlm_auth
---------------+-----+---------------------+----------
PAP            |     |                     |
CHAP           |     |                     |
Digest         |     |                     |
MS-CHAP        |     |                     |
PEAP           |     |                     |
EAP-MSCHAPv2   |     |                     |
EAP-GTC        |     |                     |
EAP-MD5        |     |                     |
EAP-PWD        |     |                     |

Getting Started Setting up FreeRADIUS Active Directory Authentication

The following steps integrate Active Directory with FreeRADIUS. This tutorial assumes you already have FreeRADIUS installed on Linux (Ubuntu):

  1. Install Samba
  2. Configure Samba and freeRADIUS
  3. Join your Linux FreeRADIUS server to your domain
  4. Test RADIUS Authentication

1.) Configure localhost DNS

A fully qualified domain name (FQDN) must be defined. Open the /etc/hosts file in your preferred text editor and add a line with the server's local IP address, its FQDN and its short hostname, in that order, as below.

    sudo nano /etc/hosts

Below you can see my local hosts file using the local IP and the FQDN of my hostname.

[Image: Active Directory domain hostname]

To test that the hostname has been updated correctly, run the following commands:

    hostname
    hostname -f

2.) Install Samba and Configure Active Directory on Ubuntu 20.04

The first step is to install the following packages with this command:

    sudo apt-get install -y samba winbind libnss-winbind krb5-user

Ignore any error messages you may get, as we still need to make some configuration changes. Run the following command to open the Samba smb.conf file:

    sudo nano /etc/samba/smb.conf

Scroll down to the [global] settings section.

Then add your Active Directory domain information, similar to how I've done below, save and exit:

    # NetBIOS name of the AD domain
    workgroup = DOMAIN
    # authenticate as an AD domain member
    security = ads
    # let a bare "user" mean "DOMAIN\user", so no domain prefix is needed
    winbind use default domain = yes
    # Kerberos realm: the AD DNS domain, conventionally in upper case
    realm = DOMAIN.COM
    # domain controller to authenticate against
    password server = mydc1.domain.com
    # Samba 4: permit NTLMv2 and MS-CHAPv2 only (see below)
    ntlm auth = mschapv2-and-ntlmv2-only

For Samba 4, you also have to set the ntlm auth configuration variable. It should be set either to yes or to mschapv2-and-ntlmv2-only. This setting needs to be applied on all participating Samba members, and also on (Samba 4) AD DC servers.

Here’s my domain configuration:

3.) Setup Kerberos Authentication for Active Directory

The next step is to configure Kerberos and add your AD domain information and domain controller hostnames. Open /etc/krb5.conf with the following command:

    sudo nano /etc/krb5.conf

Update your krb5.conf as I've updated mine below. You can delete any of the default domain entries that come preconfigured. Once completed, save and exit.

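As an added example that is not part of the original guide, the script below generates a krb5.conf of the shape this step needs from just the realm and a domain controller name, and verifies it by requesting a ticket with kinit. The REALM and DC defaults are placeholders matching the guide's smb.conf, and the AD_USER variable is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide: generate /etc/krb5.conf for an
# AD realm from two values and verify it with kinit. REALM and DC are
# placeholders that mirror the guide's smb.conf (DOMAIN.COM / mydc1.domain.com).

REALM="${REALM:-DOMAIN.COM}"          # Kerberos realm = AD DNS domain, upper case
DC="${DC:-mydc1.domain.com}"          # a domain controller (KDC) hostname

# Print a krb5.conf for realm $1 with KDC $2. The realm is forced to upper
# case because Kerberos realm names are case-sensitive and AD realms are
# upper case; the DNS domain under [domain_realm] is the same name in lower
# case. rdns = false stops the client canonicalising the KDC name through
# reverse DNS, which fails when PTR records do not match.
krb5_conf() {
  realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  dns_domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
    rdns = false

[realms]
    $realm = {
        kdc = $2
        admin_server = $2
    }

[domain_realm]
    .$dns_domain = $realm
    $dns_domain = $realm
EOF
}

# Live steps (need root and network access to the DC); run with --apply.
apply_and_test() {
  krb5_conf "$REALM" "$DC" > /etc/krb5.conf
  # A ticket for a domain user proves the realm and KDC settings are right;
  # kinit prompts for the password. AD_USER is an assumed variable name.
  kinit "${AD_USER:-Administrator}@$REALM" && klist
}

if [ "${1:-}" = "--apply" ]; then
  apply_and_test
fi
```

Run it as `sh krb5-setup.sh --apply` as root; without the flag it only defines the functions, so `krb5_conf DOMAIN.COM mydc1.domain.com` can be used to preview the file before writing it.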
4.) Join Linux Server to Active Directory Domain

The next step is to add our RADIUS server to Active Directory. First make sure you're using your root account:

    sudo -i

In order to add a Linux server to Active Directory, you will need to use a domain administrator account, which has the permissions to add devices to a domain, exactly as you would for a Windows desktop or server. Once you have the domain admin account, run the following command:

    kinit Administrator

When prompted, enter the password. Next, run the following command, which adds our RADIUS server to Active Directory:

    net ads -k join

If successful, you should see a message to say your RADIUS server has been added to your DNS Domain.  You can also confirm this by looking in your Active Directory Users and Computers and seeing your server in the Computers container.

Next, restart the following services:

    service smbd restart
    service nmbd restart
    service winbind restart

Test if NTLM Authentication Works

Now that your server has been joined to your domain, we can test whether New Technology LAN Manager (NTLM) authentication works. FreeRADIUS uses the ntlm_auth tool to get external access to winbind's NTLM authentication function. Run the following command to confirm that NTLM authentication works on your RADIUS server:

    ntlm_auth --request-nt-key --domain=mydomain.com --username=administrator --password=mypassword

If successful, you should get the following message:

NT_STATUS_OK: The operation completed successfully. (0x0)
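Added example, not from the original guide: a small shell script that checks winbind and ntlm_auth in the order FreeRADIUS depends on them and parses the NT_STATUS line rather than eyeballing it. It omits --password so that ntlm_auth prompts for the password instead of it appearing in the process list and shell history. AD_DOMAIN and AD_USER are placeholders, and the failure status line mentioned in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the winbind / ntlm_auth
# chain the way FreeRADIUS will use it. AD_DOMAIN and AD_USER are placeholders;
# ntlm_auth and wbinfo are assumed to be on PATH.

AD_DOMAIN="${AD_DOMAIN:-MYDOMAIN}"
AD_USER="${AD_USER:-testuser}"

# Parse ntlm_auth's result line: it prints "NT_STATUS_OK: ..." on success and
# another NT_STATUS_* code on failure (constructed sample:
# "NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)").
# Returns 0 only for the success status.
ntlm_status_ok() {
  case "$1" in
    NT_STATUS_OK:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract just the NT_STATUS_* code from a result line (empty if none).
ntlm_status_code() {
  printf '%s\n' "$1" | sed -n 's/^\(NT_STATUS_[A-Z0-9_]*\):.*/\1/p'
}

# Live checks (only run with --run, since they need a joined domain member).
run_checks() {
  # winbindd must be answering before ntlm_auth can work at all
  wbinfo -p >/dev/null || { echo "winbindd not responding"; return 1; }
  # the machine account trust secret must be valid (net ads join succeeded)
  wbinfo -t >/dev/null || { echo "domain trust secret check failed"; return 1; }

  # --password is deliberately omitted: ntlm_auth then prompts for it, so the
  # password never lands in the process list or the shell history.
  result=$(ntlm_auth --request-nt-key --domain="$AD_DOMAIN" --username="$AD_USER")
  code=$(ntlm_status_code "$result")
  if ntlm_status_ok "$result"; then
    echo "ntlm_auth OK for $AD_DOMAIN\\$AD_USER"
  else
    echo "ntlm_auth failed for $AD_DOMAIN\\$AD_USER: ${code:-no status line}"
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Run it as `sh ntlm-check.sh --run` on the joined server; a non-zero exit with the extracted NT_STATUS code is what you would wire into a monitoring check, since FreeRADIUS will fail the same way once winbind or the trust relationship breaks.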

5.) Configure FreeRADIUS to use ntlm_auth

Once Samba is working correctly and authentication works, we now need to configure FreeRADIUS to use ntlm_auth. Open your ntlm_auth module configuration file. It's normally located under /etc/freeradius/mods-enabled/ntlm_auth:

    sudo nano /etc/freeradius/mods-enabled/ntlm_auth

The default config should look like this:

    exec ntlm_auth {
        wait = yes
        program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
    }

Edit the field for the path to your ntlm_auth file and your domain.  Here is how my config looks:

This configuration tells the server to run the ntlm_auth program with the user name and password obtained from the Access-Request. You will also have to list ntlm_auth in the authenticate sections of both FreeRADIUS virtual-server files, /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel:

Within both files under authenticate add ntlm_auth as in my screenshot below:

authenticate {
    ...
    ntlm_auth
    ...
}

Open your default site with the following command and add ntlm_auth under authenticate:

    sudo nano /etc/freeradius/sites-enabled/default

Open your inner-tunnel site with the following command and add ntlm_auth under authenticate:

    sudo nano /etc/freeradius/sites-enabled/inner-tunnel

Configure RADIUS Auth and Account Ports

FreeRADIUS uses the following UDP ports:

  RADIUS Authentication and Authorization: UDP 1812
  RADIUS Accounting: UDP 1813

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
