
WPA2 Enterprise (802.1X) for pre Win8 w/o additional client software



Hi,

while working on the integration of a few Debian Edu workstations into a 
Windows network with a Samba 3 PDC, I came across Winbind. As tjener's 
LDAP database contains NT password hashes for all users except the first 
one by default, it is possible to provide freeradius EAP-PEAP with 
MS-CHAPv2 authentication using Samba and Winbind on the machine running 
the freeradius service. This makes it possible to avoid installing SecureW2 
(or other software) on the Windows clients.

Debian Edu: WPA2 Enterprise with both EAP-TTLS/PAP and EAP-PEAP/MSCHAPv2 support.
=================================================================================

It is assumed that the freeradius service will be running on tjener and 
that the test user account (hh) was created using GOsa² with Samba 
account added. (This is the default; only the 'first user' lacks a Samba 
account.)

If you have freeradius already up and running with EAP-TTLS/PAP go back 
to the default freeradius configuration with 'apt-get purge freeradius' 
before step 1 -- and skip step 2. Make sure to backup your previous 
configuration.


(1) Install Freeradius and Winbind.
-----------------------------------
root@tjener:~# apt-get update && apt-get install freeradius-krb5 winbind

(2) Create Freeradius Kerberos principal.
-----------------------------------------
root@tjener:~# kadmin -p root/admin@INTERN
Authenticating as principal root/admin@INTERN with password.
Password for root/admin@INTERN: 
kadmin:  ank -randkey radius/tjener@INTERN
WARNING: no policy specified for radius/tjener@INTERN; defaulting to no policy
Principal "radius/tjener@INTERN" created.
kadmin:  ktadd -k /etc/krb5.keytab.radius radius/tjener@INTERN
Entry for principal radius/tjener@INTERN with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.radius.
Entry for principal radius/tjener@INTERN with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.radius.
Entry for principal radius/tjener@INTERN with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.radius.
Entry for principal radius/tjener@INTERN with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.radius.
kadmin:  q
root@tjener:~# 

(3) Enable Samba administrator account temporarily and join tjener to the Samba domain.
---------------------------------------------------------------------------------------
root@tjener:~# smbpasswd -e Administrator
Enabled user Administrator.
root@tjener:~# net join -U Administrator -S tjener.intern
Enter Administrator's password:
Joined domain SKOLELINUX.
root@tjener:~#
root@tjener:~# smbpasswd -d Administrator
Disabled user Administrator.
root@tjener:~# service samba stop && service winbind stop
root@tjener:~# service samba start && service winbind start

(4) Test if Kerberos and Samba-Winbind authentication (test user hh) are working.
---------------------------------------------------------------------------------
root@tjener:~# wbinfo -a hh
Enter hh's password:
plaintext password authentication succeeded
Enter hh's password:
challenge/response password authentication succeeded
root@tjener:~#

(5) Allow Freeradius to read the Winbind reply.
-----------------------------------------------
root@tjener:~# usermod -a -G winbindd_priv freerad
root@tjener:~#

(6) Test if NTLM authentication (will be used with freeradius) is working.
--------------------------------------------------------------------------
root@tjener:~# ntlm_auth --request-nt-key --domain=SKOLELINUX --username=hh
password:
NT_STATUS_OK: Success (0x0)
root@tjener:~#

(7) Configure Freeradius EAP-TTLS/PAP and PEAP/MS-CHAPv2 authentication.
------------------------------------------------------------------------
Run a script to edit some freeradius configuration files. (Script attached.)

#!/bin/bash
# change-freeradius-config
# Edit Freeradius configuration files and restart the service.
#
# Not idempotent: it appends to /etc/freeradius/users and to the site files
# on every run, so run it once, on a fresh (purged) freeradius configuration.
set -e
# Users with no other Auth-Type are authenticated via the krb5 module.
echo "DEFAULT Auth-Type = Kerberos" >> /etc/freeradius/users
# ttls and peap: copy outer request attributes into the tunnel and use the
# inner (tunneled) reply for the outer reply.
sed -i '/copy_request/ s/no/yes/' /etc/freeradius/eap.conf
sed -i '/use_tunneled/ s/no/yes/' /etc/freeradius/eap.conf
# Point the krb5 module at the keytab and principal created in step 2.
sed -i '/keytab/ s/\/path\/to\/keytab/\/etc\/krb5.keytab.radius/' /etc/freeradius/modules/krb5
sed -i '/service/ s/name_of_principle/radius\/tjener/' /etc/freeradius/modules/krb5
# Enable ntlm_auth (Winbind) for MS-CHAPv2 in the mschap module.
sed -i '/request-nt-key/ s/\/path\/to\/ntlm_auth/\/usr\/bin\/ntlm_auth/' /etc/freeradius/modules/mschap
sed -i '/request-nt-key/ s/#/ /' /etc/freeradius/modules/mschap
# Add an Auth-Type Kerberos section to the authenticate block of both
# virtual servers (appended after the commented-out 'pam' line).
sed -i '/pam/  a\
        \
        #\
        # Kerberos Authentication\
        Auth-Type Kerberos {\
                    krb5\
        }' /etc/freeradius/sites-available/default
sed -i '/pam/  a\
        \
        #\
        # Kerberos Authentication\
        Auth-Type Kerberos {\
                    krb5\
        }' /etc/freeradius/sites-available/inner-tunnel

service freeradius restart
#

root@tjener:~# ./change-freeradius-config
root@tjener:~#
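Because the script above rewrites files under /etc/freeradius in place, it is worth rehearsing its sed edits on a scratch copy and checking that each intended change landed exactly once (the '/pam/ a' append, in particular, fires on every line that mentions pam, and the echo into users is repeated on every run). The following is an added example, not the script from the post: it applies the same edits to a temporary directory and verifies them. The fixture files are constructed stand-ins containing only the default lines the post's sed patterns look for, not copies of the real Debian freeradius configuration.

```shell
#!/bin/bash
# Dry run of the change-freeradius-config edits against a scratch copy,
# followed by a check that every intended change is present exactly once.
# Added example, not part of the original post. The fixture is constructed
# from the default lines the post's sed patterns match; it is not a copy of
# the real files under /etc/freeradius.
set -e

# make_fixture DIR: write stand-in config files into DIR (constructed input).
make_fixture() {
    local d="$1"
    mkdir -p "$d/modules" "$d/sites-available"
    : > "$d/users"
    printf '\tttls {\n\t\tuse_tunneled_reply = no\n\t\tcopy_request_to_tunnel = no\n\t}\n' > "$d/eap.conf"
    printf '\tpeap {\n\t\tuse_tunneled_reply = no\n\t\tcopy_request_to_tunnel = no\n\t}\n' >> "$d/eap.conf"
    printf 'krb5 {\n\tkeytab = /path/to/keytab\n\tservice = name_of_principle\n}\n' > "$d/modules/krb5"
    # Shortened stand-in for the commented-out ntlm_auth line of modules/mschap.
    printf 'mschap {\n#\tntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%%{User-Name}"\n}\n' > "$d/modules/mschap"
    printf 'authenticate {\n\tAuth-Type PAP {\n\t\tpap\n\t}\n#\tpam\n\tunix\n\teap\n}\n' > "$d/sites-available/default"
    cp "$d/sites-available/default" "$d/sites-available/inner-tunnel"
}

# apply_edits DIR: the post's edits, with DIR in place of /etc/freeradius.
apply_edits() {
    local d="$1" site
    echo "DEFAULT Auth-Type = Kerberos" >> "$d/users"
    sed -i '/copy_request/ s/no/yes/' "$d/eap.conf"
    sed -i '/use_tunneled/ s/no/yes/' "$d/eap.conf"
    sed -i '/keytab/ s/\/path\/to\/keytab/\/etc\/krb5.keytab.radius/' "$d/modules/krb5"
    sed -i '/service/ s/name_of_principle/radius\/tjener/' "$d/modules/krb5"
    sed -i '/request-nt-key/ s/\/path\/to\/ntlm_auth/\/usr\/bin\/ntlm_auth/' "$d/modules/mschap"
    sed -i '/request-nt-key/ s/#/ /' "$d/modules/mschap"
    for site in default inner-tunnel; do
        sed -i '/pam/  a\
        \
        #\
        # Kerberos Authentication\
        Auth-Type Kerberos {\
                    krb5\
        }' "$d/sites-available/$site"
    done
}

# count PATTERN FILE: number of matching lines, never aborting under set -e.
count() { grep -c -- "$1" "$2" || true; }

# verify_edits DIR: return 0 only if every edit is present exactly as intended.
verify_edits() {
    local d="$1" rc=0 site
    [ "$(count '^DEFAULT Auth-Type = Kerberos$' "$d/users")" = 1 ] \
        || { echo "users: DEFAULT Auth-Type entry missing or duplicated"; rc=1; }
    [ "$(count '= no$' "$d/eap.conf")" = 0 ] \
        || { echo "eap.conf: a copy_request/use_tunneled setting is still 'no'"; rc=1; }
    [ "$(count '^[[:space:]]*keytab = /etc/krb5.keytab.radius$' "$d/modules/krb5")" = 1 ] \
        || { echo "modules/krb5: keytab path not set"; rc=1; }
    [ "$(count '^[[:space:]]*service = radius/tjener$' "$d/modules/krb5")" = 1 ] \
        || { echo "modules/krb5: service principal not set"; rc=1; }
    [ "$(count '^[[:space:]]*ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key' "$d/modules/mschap")" = 1 ] \
        || { echo "modules/mschap: ntlm_auth line not enabled"; rc=1; }
    for site in default inner-tunnel; do
        # The append fires on every line matching /pam/; insist on one block.
        [ "$(count 'Auth-Type Kerberos {' "$d/sites-available/$site")" = 1 ] \
            || { echo "sites-available/$site: expected exactly one Auth-Type Kerberos block"; rc=1; }
    done
    return $rc
}

# dry_run: build the fixture in a temporary directory, apply the edits there
# and report; exit status 0 means the edits behave as intended.
dry_run() {
    local tmp rc=0
    tmp="$(mktemp -d)"
    make_fixture "$tmp"
    apply_edits "$tmp"
    if verify_edits "$tmp"; then
        echo "dry run OK: all edits present exactly once"
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

dry_run
```

Running the same verify_edits against the real /etc/freeradius after step 7 (pass that directory instead of the temporary one) gives a quick post-check; if it reports a duplicated DEFAULT entry or a second Kerberos block, the script was run more than once and the configuration should be purged and rebuilt as described above.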

(8) Test PAP and MS-CHAP auth in the inner-tunnel (test user hh, pw secret).
----------------------------------------------------------------------------
root@tjener:~# radtest hh secret localhost 10 testing123
Sending Access-Request of id 149 to 127.0.0.1 port 1812
        User-Name = "hh"
        User-Password = "secret"
        NAS-IP-Address = 10.0.2.2
        NAS-Port = 10
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=20
root@tjener:~#

root@tjener:~# radtest -t mschap hh secret localhost 10 testing123
Sending Access-Request of id 102 to 127.0.0.1 port 1812
        User-Name = "hh"
        NAS-IP-Address = 10.0.2.2
        NAS-Port = 10
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0xdc448c80b13fbfea
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004663c17ce2d27ea69f120b4f828bc2daea97334fbac4e82d
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=102, length=84
        MS-CHAP-MPPE-Keys = 0x0000000000000000b1b4c13cb0ea0a44479a867e6458ec6b0000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
root@tjener:~#

(9) Make sure to edit /etc/freeradius/clients.conf to match your network setup.
-------------------------------------------------------------------------------


Both Freeradius WPA2 Enterprise services have been tested with a client 
running Debian Wheezy. Not tested with Windows clients, because I don't 
use any.

This setup should also work with Debian Edu Squeeze if the 
squeeze-backports samba package (3.6.x, squeeze: 3.5.x) is installed. As 
an alternative use a different machine to run the freeradius service.

Please note that the (default) server certificate is unchanged (and 
unused here). So the connecting clients can't verify the identity of the 
freeradius server (see /etc/freeradius/eap.conf). If this is an issue 
in your specific environment, generate your own certificate and install 
the server certificate on each client.


Wolfgang
