Hi,

while working on the integration of a few Debian Edu workstations into a Windows network with a Samba 3 PDC, I came across Winbind. As tjener's LDAP database contains NT password hashes for all users except the first one by default, it is possible to provide freeradius EAP-PEAP with MS-CHAPv2 authentication using Samba and Winbind on the machine running the freeradius service. This makes it possible to avoid installing SecureW2 (or other software) on the Windows clients.

Debian Edu: WPA2 Enterprise with both EAP-TTLS/PAP and EAP-PEAP/MSCHAPv2 support.
=================================================================================

It is assumed that the freeradius service will be running on tjener and that the test user account (hh) was created using GOsa² with a Samba account added. (This is the default; only the 'first user' lacks a Samba account.)

If you already have freeradius up and running with EAP-TTLS/PAP, go back to the default freeradius configuration with 'apt-get purge freeradius' before step 1 -- and skip step 2. Make sure to back up your previous configuration.

(1) Install Freeradius and Winbind.
-----------------------------------

root@tjener:~# apt-get update && apt-get install freeradius-krb5 winbind

(2) Create Freeradius Kerberos principal.
-----------------------------------------

root@tjener:~# kadmin -p root/admin@INTERN
Authenticating as principal root/admin@INTERN with password.
Password for root/admin@INTERN:
kadmin:  ank -randkey radius/tjener@INTERN
WARNING: no policy specified for radius/tjener@INTERN; defaulting to no policy
Principal "radius/tjener@INTERN" created.
kadmin:  ktadd -k /etc/krb5.keytab.radius radius/tjener@INTERN
Entry for principal radius/tjener@INTERN with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.radius.
Entry for principal radius/tjener@INTERN with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.radius.
Entry for principal radius/tjener@INTERN with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.radius.
Entry for principal radius/tjener@INTERN with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.radius.
kadmin:  q
root@tjener:~#

(3) Enable Samba administrator account temporarily and join tjener to the Samba domain.
---------------------------------------------------------------------------------------

root@tjener:~# smbpasswd -e Administrator
Enabled user Administrator.
root@tjener:~# net join -U Administrator -S tjener.intern
Enter Administrator's password:
Joined domain SKOLELINUX.
root@tjener:~#
root@tjener:~# smbpasswd -d Administrator
Disabled user Administrator.
root@tjener:~# service samba stop && service winbind stop
root@tjener:~# service samba start && service winbind start

(4) Test if Kerberos and Samba-Winbind authentication (test user hh) are working.
---------------------------------------------------------------------------------

root@tjener:~# wbinfo -a hh
Enter hh's password:
plaintext password authentication succeeded
Enter hh's password:
challenge/response password authentication succeeded
root@tjener:~#

(5) Allow Freeradius to read the Winbind reply.
-----------------------------------------------

root@tjener:~# usermod -a -G winbindd_priv freerad
root@tjener:~#

(6) Test if NTLM authentication (will be used with freeradius) is working.
--------------------------------------------------------------------------

root@tjener:~# ntlm_auth --request-nt-key --domain=SKOLELINUX --username=hh
password:
NT_STATUS_OK: Success (0x0)
root@tjener:~#

(7) Configure Freeradius EAP-TTLS/PAP and PEAP/MS-CHAPv2 authentication.
------------------------------------------------------------------------

Run a script to edit some freeradius configuration files. (Script attached.)

#!/bin/bash
# change-freeradius-config
# Edit Freeradius configuration files and restart the service.
#
# Users without another Auth-Type (the PAP inner tunnel) are checked against Kerberos.
echo "DEFAULT Auth-Type = Kerberos" >> /etc/freeradius/users
# eap.conf: copy outer request attributes into the tunnel, hand the inner reply back out.
sed -i '/copy_request/ s/no/yes/' /etc/freeradius/eap.conf
sed -i '/use_tunneled/ s/no/yes/' /etc/freeradius/eap.conf
# krb5 module: keytab and principal from step 2.
sed -i '/keytab/ s/\/path\/to\/keytab/\/etc\/krb5.keytab.radius/' /etc/freeradius/modules/krb5
sed -i '/service/ s/name_of_principle/radius\/tjener/' /etc/freeradius/modules/krb5
# mschap module: point the ntlm_auth line at the binary tested in step 6 and uncomment it.
sed -i '/request-nt-key/ s/\/path\/to\/ntlm_auth/\/usr\/bin\/ntlm_auth/' /etc/freeradius/modules/mschap
sed -i '/request-nt-key/ s/#/ /' /etc/freeradius/modules/mschap
# Add an Auth-Type Kerberos section after the pam entry in both virtual servers.
sed -i '/pam/ a\
\
	#\
	# Kerberos Authentication\
	Auth-Type Kerberos {\
		krb5\
	}' /etc/freeradius/sites-available/default
sed -i '/pam/ a\
\
	#\
	# Kerberos Authentication\
	Auth-Type Kerberos {\
		krb5\
	}' /etc/freeradius/sites-available/inner-tunnel
service freeradius restart
#

root@tjener:~# ./change-freeradius-config
root@tjener:~#

(8) Test PAP and MS-CHAP auth in the inner-tunnel (test user hh, pw secret).
----------------------------------------------------------------------------

root@tjener:~# radtest hh secret localhost 10 testing123
Sending Access-Request of id 149 to 127.0.0.1 port 1812
	User-Name = "hh"
	User-Password = "secret"
	NAS-IP-Address = 10.0.2.2
	NAS-Port = 10
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=20
root@tjener:~#
root@tjener:~# radtest -t mschap hh secret localhost 10 testing123
Sending Access-Request of id 102 to 127.0.0.1 port 1812
	User-Name = "hh"
	NAS-IP-Address = 10.0.2.2
	NAS-Port = 10
	Message-Authenticator = 0x00000000000000000000000000000000
	MS-CHAP-Challenge = 0xdc448c80b13fbfea
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004663c17ce2d27ea69f120b4f828bc2daea97334fbac4e82d
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=102, length=84
	MS-CHAP-MPPE-Keys = 0x0000000000000000b1b4c13cb0ea0a44479a867e6458ec6b0000000000000000
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006
root@tjener:~#

(9) Make sure to edit /etc/freeradius/clients.conf to match your network setup.
-------------------------------------------------------------------------------

Both Freeradius WPA2 Enterprise services have been tested with a client running Debian Wheezy. Not tested with Windows clients, because I don't use any.

This setup should also work with Debian Edu Squeeze if the squeeze-backports samba package (3.6.x; squeeze: 3.5.x) is installed. As an alternative, use a different machine to run the freeradius service.

Please note that the (default) server certificate is unchanged (and unused here). So the freeradius server can't be verified by the connecting clients (see /etc/freeradius/eap.conf). If this is an issue in your specific environment, generate your own certificate and install the server certificate on each client.

Wolfgang