FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 1 chanakan@cclk.lk
FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION
CONFIGURING FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION
The conclusion is that having a single Wi-Fi password for a growing startup just isn't a viable solution. Shared passwords in general are not a very good idea, and the very large number of connected devices makes changing the wireless password a cumbersome task. Therefore, the best practice is to implement WPA2 Enterprise.
WPA2 Enterprise is a protocol for wireless authentication. It passes authentication requests to a RADIUS server. RADIUS is a very large open-ended protocol for authentication. The end goal from this is to have individual usernames and passwords for each user of the Wi-Fi network.
INSTALLATION
Install FreeRADIUS and easy-rsa. We'll borrow the OpenVPN project's easy-rsa scripts to make the OpenSSL configuration easier.
apt-get install freeradius easy-rsa samba winbind
The server starts automatically, so we'll stop it for now.
service freeradius stop
The first thing we'll do is configure the server certificates. Copy the easy-rsa scripts into your certificate directory.
cp -R /usr/share/easy-rsa /etc/freeradius/certs/
Now generate the certificate authority.
cd /etc/freeradius/certs/easy-rsa
source vars
./clean-all
./build-ca
The build-ca command will ask you for some information. I highly recommend you enter a password for your CA. Make
sure you keep this password as you will need it for creating certificates. Note: do not make the common name of the CA
your server's fully qualified domain name or FQDN. Common names should be unique and you will use your server's FQDN
for its certificate, which we will generate next.
./build-key-server server
You'll have to enter your information again. This time put the server's FQDN as the common name, e.g. freerad.practichem.com. Answer yes to sign the certificate with the CA.
Now we will copy the needed files for FreeRADIUS.
cp -r keys/ca.crt /etc/freeradius/certs/
I will leave a copy of the CA in the easy-rsa directory so we can generate client keys with it later.
mv keys/server* /etc/freeradius/certs/
Now we need to change the owner of the server certificates to the freerad user.
chown -R freerad:freerad /etc/freeradius/certs/server*
At this point you should have a working RADIUS server setup. You can test it by adding this line to the users file. Just remember to remove it when you are finished testing.
testuser Cleartext-Password := "testpassword"
Now, start your radius server in debugging mode, and in another terminal run the radtest command.
freeradius -X
radtest testuser testpassword localhost 0 testing123
You should see an Access-Accept response. If you see Access-Reject, something on your server has been incorrectly set up. The output of the freeradius -X command should have more information.
ACTIVE DIRECTORY INTEGRATION
This Active Directory integration method uses MSCHAP and MSCHAPv2. The two main authentication methods that will work with this are PEAP with MSCHAP or TTLS with MSCHAP. Both are equally secure, but PEAP works on a wider range of devices, so I decided to have users use PEAP.
First you will want to edit your smb.conf.
vim /etc/samba/smb.conf
Make sure the following parameters are set. Workgroup was the only one that was in my smb.conf by default.
workgroup = ADDomain
security = ads
password server = domain-controller.domain.tld
realm = domain.tld
The realm will generally be just the domain.
Now edit your Kerberos configuration.
vim /etc/krb5.conf
Under the [realms] heading add the following. Again, the default in Active Directory is to set the realm to the domain.
domain.tld = {
    kdc = **domain-controller.domain.tld**
}
Start Samba.
service samba start
Now join the Active Directory domain. You will need a domain admin's credentials to do this.
net ads join -U Administrator
Verify that the domain is connected. Note that you can add a space before a command to prevent it from being added to the shell history. This is useful when dealing with cleartext passwords.
ntlm_auth --request-nt-key --domain=ADDomain --username=user --password=password
You should see an NT_STATUS_OK message.
Before FreeRADIUS can connect to winbind, it will need access to its socket. While the socket itself has 777 permissions, the surrounding directory is root:root 750. The freerad user needs read and execute access. There are a couple of ways to do this; I added the freerad user to the winbindd_priv group, and gave that group access to the socket directory.
usermod -a -G winbindd_priv freerad
chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
Now we will configure FreeRADIUS to use ntlm_auth for MSCHAP. Edit /etc/freeradius/modules/ntlm_auth. Replace /path/to/ntlm_auth with /usr/bin/ntlm_auth. Replace MYDOMAIN with your Active Directory domain.
Open /etc/freeradius/modules/mschap. Replace /path/to/ntlm_auth with /usr/bin/ntlm_auth. Replace MYDOMAIN with your Active Directory domain.
Edit /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel. Under the authenticate section add ntlm_auth.
authenticate {
    ...
    ntlm_auth
    ...
}
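A small shell helper, added here and not part of the original slides, that performs the two placeholder substitutions described above on a module file and fails if either placeholder survives (a leftover placeholder is the usual reason ntlm_auth is "configured" but never actually called). The file paths follow the slides' FreeRADIUS 2.x layout; the domain is a parameter.

```shell
#!/bin/sh
# Added example (not from the original slides): apply the ntlm_auth substitutions
# to a FreeRADIUS 2.x module file and verify the result.

# $1 = module file, $2 = Active Directory domain (the smb.conf workgroup name).
configure_ntlm_module() {
    file="$1"; domain="$2"
    if [ ! -f "$file" ]; then
        echo "module file $file not found" >&2
        return 1
    fi
    # Keep a backup (.bak), then swap the ntlm_auth path and the MYDOMAIN placeholder.
    sed -i.bak \
        -e 's#/path/to/ntlm_auth#/usr/bin/ntlm_auth#g' \
        -e "s#MYDOMAIN#${domain}#g" "$file"
    # A leftover placeholder means the edit silently did nothing useful.
    if grep -q -e '/path/to/ntlm_auth' -e 'MYDOMAIN' "$file"; then
        echo "placeholder still present in $file" >&2
        return 1
    fi
    # The binary the config now points at must exist, or every MSCHAP login will fail.
    [ -x /usr/bin/ntlm_auth ] || echo "warning: /usr/bin/ntlm_auth is not executable" >&2
    return 0
}

# Apply the same edit to both module files the slides name. $1 = AD domain.
configure_ad_modules() {
    configure_ntlm_module /etc/freeradius/modules/ntlm_auth "$1" &&
    configure_ntlm_module /etc/freeradius/modules/mschap "$1"
}
```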
Now you can test the MSCHAP authentication with radtest.
radtest -t mschap **aduser** **adpassword** localhost 0 testing123
If you see an Access-Accept message, Active Directory is integrated with FreeRADIUS.
CONFIGURE CLIENTS
Now we will configure FreeRADIUS to allow an AP to connect. Edit /etc/freeradius/clients.conf and add a client config.
client **client IP** {
    secret = **client-shared-secret**
    shortname = wirelessAP
    nastype = other
}
Finally start freeradius in service mode.
service freeradius start
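An added helper, not from the original slides, that generates the shared secret rather than leaving the **client-shared-secret** placeholder in place, and appends a client block in the form shown above while refusing to register the same AP address twice. The AP address, shortname and clients.conf path are parameters; it assumes /dev/urandom is available.

```shell
#!/bin/sh
# Added example (not from the original slides): register one access point in clients.conf
# with a random shared secret. Keep the client address specific to the AP: any host that
# can reach the RADIUS port from an allowed address and knows the secret can send requests.

# Print a random alphanumeric shared secret of $1 characters (default 32).
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# Print a clients.conf block for one NAS: $1 = AP IP, $2 = secret, $3 = shortname.
client_block() {
    printf 'client %s {\n\tsecret = %s\n\tshortname = %s\n\tnastype = other\n}\n' "$1" "$2" "$3"
}

# Append the block to clients.conf ($4, default /etc/freeradius/clients.conf),
# returning 1 if that AP address already has an entry.
add_ap_client() {
    conf="${4:-/etc/freeradius/clients.conf}"
    if grep -q "^client $1 " "$conf" 2>/dev/null; then
        echo "client $1 already present in $conf" >&2
        return 1
    fi
    client_block "$1" "$2" "$3" >> "$conf"
}
```

After adding a client, restart the service (or re-run freeradius -X) so the new entry is loaded.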
You should now be able to connect your wireless access point to your FreeRADIUS server. Clients will be able to authenticate with their AD credentials using PEAP MSCHAP or TTLS MSCHAP. This will get you support on pretty much every single platform. If you have clients that you want to just authenticate with certificates.