Wednesday, October 12, 2005

FreeRADIUS PEAP against Active Directory

*Note*
This is very old, and very outdated.  I was going to remove it, but according to google, it's still searched very often.  So it stays.
*Note*

Ok, this is a work in progress. I defiantly have to clean this up, and reorder my thoughts, as well as test my installation. I know there are a few steps I did that I didn't write down This is a Paste from my initial notes. I'll work on it here live.
Debian 802.1x PEAP authenticating against Active Directory, using FreeRADIUS

First, get OpenSSL

Then get libssl

Ignore the freeRADIUS package.As of this writing, it’s freeRADIUS 1.0.1-2.Due to license restrictions, it cannot contain the binaries for OpenSSL. We have to use the source.

Download the latest release of freeRADIUS.Hopefully when you read this, it will be freeRADIUS 1.1.x, and the rest of the document will be redundant, because these problems will be fixed. As of this writing, the current stable version is 1.0.2

Unzip freeRADIUS

Tar –zxvf freeradius-1.0.2.tar.gz

then

./configure --disable-shared

make

make install

The –disable-shared is the special sauce here.Debian doesn’t seem to play exactly well without it.

2. Produce Certificates Server and client certificates are needed for TLS and PEAP. To produce the required certificates, I recommend that you use CA.all that is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf.This will get you up and running.Later you can replace this with certificates from your local CA, or from a paid CA. a. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at: /usr/local/openssl/sslA portion of the information from my openssl.cnf is given below. (The company information is does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password. When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates. If you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass through this information produces the client certificates. You only need to change the commonName to the client name. In my case, I changed the commonName to jbibe. The third pass through this information produces the server certificates. You only need to change the commonName to the server name. In my case, I changed the commonName to micron. ----- Example -------------------------------------------

... # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Tennessee localityName = Locality Name (eg, city) localityName_default = Brentwood 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Helava organizationalUnitName = Organizational Unit Name organizationalUnitName_default = Engineering commonName = Common Name (eg, YOUR name) commonName_max = 64 commonName_default = HAI emailAddress = Email Address emailAddress_max = 40 emailAddress_default = ohb@cmcast.net # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 challengePassword_default = whatever unstructuredName = An optional company name

--------------------------------------------------------- b. CA.all -- Update the CA.all script for your requirements. The file is located at: /usr/src/802/radius/freeradius-snapshot-20040203/scripts If you use the default password "whatever", you only need to verify that the path in the script points to the installed openssl information. No changes should be necessary, but there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed. echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca When CA.all executes, it produces nine certificates: root.pem, root.p12, root.der cert-clt.pem, cert-clt.p12, cert-clt.der cert-srv.pem, cert-srv.p12, cert-srv.der For TLS and PEAP, the server needs root.pem and cert-srv.pem. For TLS, the Windows XP client needs root.der and cert-clt.p12. For PEAP, the Windows XP client needs root.der.

Move them all to /usr/local/etc/raddb/certs/(Don’t forget demoCA directory) Ok, we have TLS working

Next.Moving to PEAP.

Skiiping stuff.

Kerberos version 5

we need at least rev 1.3 to work with Windows 2003

Make sure /etc/hosts has the FQDN of this system in place



SAMBA SetupAt least 3.0.13

Now to build Samba from source to take advantage of the newest Kerberos

Configure Samba to work with Kerberos

Set up smb.conf and krb5.conf.

(The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.)

(Extracted from the email Chris Cinnamo from Secure Computing sent.)

Edit /usr/local/samba/lib/smb.conf

----------------------------------



smb.conf

realm = ex. support.com

workgroup = ex. support

security = ADS

encrypt passwords = yes

password server = 192.168.100.12

# idmap uid and idmap gid are aliases for

# winbind uid and winbid gid, respectively

idmap uid = 10000-20000

idmap gid = 10000-20000

winbind enum users = yes

winbind enum groups = yes







[test]

comment = Samba functionality test directory

path = /home/ryan/

read only = no

browsable = yes

writable = yes

guest ok = yes

valid users = @SUPPORT\"Domain Users"



------------------------------------



/etc/krb5.conf should look like this:

(Note that Kerberos uses realms named the same as the AD domain name.

BUt --IMPORTANT--the realm name must be in all UPPER CASE.So

infrasupportetc.com becomes INFRASUPPORTETC.COM)





[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

ticket_lifetime = 24000

default_realm = INFRASUPPORTETC.COM

dns_lookup_realm = false

dns_lookup_kdc = false

[realms]

INFRASUPPORTETC.COM = {

kdc = 10.10.10.100:88

admin_server = 10.10.10.100:749

default_domain = INFRASUPPORTETC.COM

}

[domain_realm]

.infrasupportetc.com = INFRASUPPORTETC.COM

infrasupportetc.com = INFRASUPPORTETC.COM

[kdc]

profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]

pam = {

debug = false

ticket_lifetime = 36000

renew_lifetime = 36000

forwardable = true

krb4_convert = false

}







Add following entries in nssswitch.conf:



passwd:files winbind

group:files winbind



Samba uses a daemon called winbindd that handles the authentication between Windows and Linux. When a Windows system tries to look at a share on the Samba server, it

passes credentials.The Samba server needs to know where to look to validate the

credentials.The above entries tell the Samba server to first check the local passwd file and if not there, then have Winbindd look back in the Windows AD.

Join Computer to Domain

Save this script someplace convenient, perhaps /firewall-scripts.

Now join this system to the Win2003 domain.Here is an extract:

[EMAIL PROTECTED] gregs]# /usr/local/samba/bin/net ads join -S 10.10.10.100

-U administrator

administrator's password:

Using short domain name -- INFRASUPPORTETC

Joined 'SQUIDTEST' to realm 'INFRASUPPORTETC.COM'

Ok, make FreeRADISU authenticate for PEAP

ntlm_auth = "/path/to/ntlm_auth --request-nt-key

--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}

--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Is the ntlm_auth statement you’ll need.Remember to change the /path/to/ntlm_auth string.

At this point, I just rebooted the box to make sure all the right processes were running,

Then I ran radiusd –A –X from the command line to see the debugging output.

References:

http://www.mail-archive.com/samba@lists.samba.org/msg20262.html

http://www.dslreports.com/forum/remark,9286052~mode=flat

http://www.freeradius.org

http://howtos.linux.com/howtos/8021X-HOWTO/faq.shtml

http://lists.freeradius.org/archives/freeradius-users/2004/10/frm00299.html

Samba

http://www.netadmintools.com/art172.html

http://lists.freeradius.org/archives/freeradius-users/2004/10/msg00123.html

http://www.mail-archive.com/squid-users@squid-cache.org/msg27678.html

. So In an email conversation with he wrote the following > I don't recommend this method to the Debian users, because it confuses > dpkg about the files installed on the system and it's not possible to > uninstall the files later. I think it's a lot better to build
> FreeRADIUS from sources using dpkg-buildpackage. > >
$­­­ tar zxf freeradius-1.0.5.tar.gz
$­­­ cd freeradius-1.0.5
$­­­ fakeroot dpkg-buildpackage -b -uc
$­­­ sudo dpkg -i ../freeradius_1.0.5-0_i386.deb


He right of course. I'm going to re-write this entire page. Especially since 1.1.1 is coming out, which Fixes A WHOLE LOT of the stuff on this page.. Then I'm going to submit it to the FreeRADIUS WIKI, so it's more helpful.

smbclient winbind krb5-doc krb5-user krb5-config

join it to the domain.

test with net ads testjoin

edit the config files

eap.conf
enable PEAP/TTLS/TLS (YOU NEED TLS For PEAP and TTLS to work)
Make sure you create the Certs.

Edit radius.conf