FreeRADIUS 3.0.3 on Ubuntu 14.04 LTS

Upload: gary-murray

Post on 09-Oct-2015


  • Jisc Regional Support Centre for [email protected]

    FreeRADIUS 3.0.3 on Ubuntu 14.04 LTS

    with Active Directory for eduroam

    (document is in progress...!)

  • FreeRADIUS on Ubuntu 14.04 LTS with AD for eduroam

    The following is based on installing FreeRADIUS on Ubuntu Server 14.04 (Trusty) with Active Directory support for deployment of eduroam. In this instance we use a pre-compiled FreeRADIUS package from a Personal Package Archive (PPA). This documentation should also work with Ubuntu 12.04 Precise and 10.04 Lucid. No prebuilt packages are available for non-LTS Ubuntu releases.

    Hardware Requirements

    Physical: generally any hardware that you are comfortable with using and managing on an ongoing basis for this service; as the basic VM requirements below show, the demands are modest.

    VM (absolute minimum, you may need to scale up as usage increases):

        1 x vCPU, 512MB RAM, 8GB Storage

    Networking and remote access:

        Ensure that the server has a static IP address
        Ensure that you have remote access to the server via SSH

    Update/Upgrade

    Samba and Authentication with Active Directory

    sudo aptitude install snmp samba krb5-user winbind

  • Configure Kerberos and Samba

    In this example:

        RSC-WALES.LOCAL (or rsc-wales.local) = the FQDN of our AD domain
        RSC-WALES = the NetBIOS name of our AD domain
        dc0.rsc-wales.local = one of our Domain Controllers

    /etc/krb5.conf

        [libdefaults]
            # Kerberos realm names are case-sensitive and by convention upper case;
            # the [realms] entry below must use exactly the same name.
            default_realm = RSC-WALES.LOCAL
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
            v4_instance_resolve = false
            v4_name_convert = {
                host = {
                    rcmd = host
                    ftp = ftp
                }
                plain = {
                    something = something-else
                }
            }
            fcc-mit-ticketflags = true

        [realms]
            RSC-WALES.LOCAL = {
                kdc = dc0.rsc-wales.local
                admin_server = dc0.rsc-wales.local
                # default_domain is the DNS domain of the realm, not a host name
                default_domain = rsc-wales.local
            }

  • /etc/samba/smb.conf

        # Global parameters
        [global]
            workgroup = rsc-wales
            #winbind use default domain = no
            realm = rsc-wales.local
            preferred master = no
            local master = no
            domain master = no
            server string = rsc-wales freeradius
            security = ADS
            encrypt passwords = yes
            winbind separator = +
            idmap uid = 1000-60000
            idmap gid = 1000-60000
            password server = *

    Check that the services are started:

        sudo service winbind restart
        sudo service smbd restart
        sudo service nmbd restart

    http://wiki.samba.org/index.php/Join_a_domain_as_a_DC

    Adding the server to the domain

    sudo net ads join -U administrator

        Using short domain name -- RSC-WALES
        Joined 'RADIUS1' to realm 'rsc-wales.local'

    If the above fails, try adding -S dc0.rsc-wales.local to the command:

    sudo net ads join -U administrator -S dc0.rsc-wales.local

    Confirming authentication requests using ntlm_auth

  • ntlm_auth --request-nt-key --domain=rsc-wales.local --username=Administrator

        NT_STATUS_OK: Success (0x0)

    If you get the following output;

        could not obtain winbind separator!
        Reading winbind reply failed! (0x01): (0x0)

    then check that the service winbind is running

    ps -A | grep winbind

        2952 ?        00:00:00 winbindd
        2953 ?        00:00:00 winbindd

    If required start the winbind service;

    sudo service winbind start

    winbind start/running, process 2954

  • FreeRADIUS install

        sudo add-apt-repository ppa:freeradius/stable-3.0
        sudo aptitude update
        sudo aptitude upgrade
        sudo aptitude install freeradius

    The FreeRADIUS configuration files need some changes, as FreeRADIUS currently won't start or allow additional packages to be installed.

    /etc/freeradius/radiusd.conf

        name = freeradius

        security {
            # FreeRADIUS refuses to start if it thinks OpenSSL is vulnerable to
            # this CVE (Heartbleed). It checks only the version string; Ubuntu's
            # OpenSSL 1.0.1f package carries the backported fix, so the check is a
            # false positive on an up-to-date 14.04 system.
            allow_vulnerable_openssl = CVE-2014-0160
        }

    Install the following packages: two are FreeRADIUS plugins, the third is used to build the SSL certificate authority.

    sudo aptitude install freeradius-ldap freeradius-krb5 make

  • sudo chown -R :adm /etc/freeradius/ /var/log/freeradius/

        cd /etc/freeradius/certs
        sudo rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
        sudo make ca.pem
        sudo make server.pem

    FreeRADIUS will create a certificate authority and server certificate on first installation. You can re-configure this as described below to your own requirements or utilise your own CA. If you introduce a secondary FreeRADIUS server, then you shouldn't create a new CA, but should get a certificate signed by the CA on the primary FreeRADIUS server.

    Changes to OpenSSL config files

    All the information below could be made available to users, either by clients showing it when connecting or by you providing the public CA certificate to them.

    In both /etc/freeradius/certs/ca.cnf and /etc/freeradius/certs/server.cnf, set the certificate lifetime:

        days = 3650
        default_days = 3650

    For ca.cnf only, in [ CA_default ] and [ v3_ca ], set the CRL distribution point (our value first, then what you should use):

        crlDistributionPoints = URI:http://eduroam.rsc-wales.ac.uk/ca.crl
        crlDistributionPoints = URI:http://yourdomain/ca.crl

    Then set the distinguished-name fields, in [certificate_authority] for ca.cnf and in [server] for server.cnf:

        Field                   Our value (Jisc RSC Wales)            Your value
        countryName             GB                                    GB
        stateOrProvinceName     Wales                                 County (or nation if you're Welsh!)
        localityName            Swansea                               Town/City
        organizationalUnitName  Jisc Regional Support Centre Wales    Organisation name
        emailAddress            [email protected]                     IT service helpdesk?
        commonName              Jisc RSC Wales - eduroam              This should be a sensible name as it will be displayed to users, e.g. "College XX - eduroam"

    Note: update input_password and output_password and make a note of the value, as you will also need to configure it in eap.conf later.

    Now regenerate the certificates that were created when the Ubuntu package was installed:

        sudo make ca.pem
        sudo make server.pem

  • Config with eduroam(UK)

    Copy the config from the UK eduroam Support site into clients.conf and proxy.conf. In clients.conf replace nastype with nas_type.

    In /etc/freeradius/proxy.conf, replace

        realm LOCAL

    with

        realm ~.*

    In order to enable sufficient logging to comply with the eduroam specification, uncomment the following lines in the virtual servers /etc/freeradius/sites-available/default and /etc/freeradius/sites-available/inner-tunnel:

        auth_log
        reply_log
        attr_filter.pre-proxy
        pre_proxy_log
        post_proxy_log
        attr_filter.post-proxy

    Create an eduroam virtual router

    To create an eduroam virtual router (a FreeRADIUS virtual server), simply copy the default router and modify the copy:

    sudo cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/eduroam

    sites-available contains all the virtual routers; sites-enabled is simply symbolic links to the files in sites-available, therefore we need to create a link using the ln command:

    sudo ln -s /etc/freeradius/sites-available/eduroam /etc/freeradius/sites-enabled/eduroam

  • Make the following changes to /etc/freeradius/sites-enabled/eduroam, starting at the top of the file (comments are omitted here; with comments this is approximately 160 lines).

    sites-available/eduroam

    The copied file begins with the default server's name and its listen sections:

        server default {
            listen {
                type = auth
                ipaddr = *
                port = 0
                limit {
                    max_connections = 16
                    lifetime = 0
                    idle_timeout = 30
                }
            }
            listen {
                ipaddr = *
                port = 0
                type = acct
                limit {
                }
            }

    Rename the server and remove the listen sections (the default virtual server already binds those ports, so a second copy would conflict with it), so the file now begins:

        server eduroam {

    Add the following to the authorize section of sites-available/default after suffix (approximately line 300). It sends all requests that aren't for your realms to the NRPS:

    sites-available/default

        if ("%{Realm}" !~ /(.*\\.)?(rsc-wales\\.ac\\.uk|rsc-cymru\\.ac\\.uk)$/) {
            update control {
                Proxy-To-Realm := 'eduroam'
            }
        }

    In the pre-proxy section of sites-available/default, uncomment operator-name:

    sites-available/default

        #operator-name

    becomes

        operator-name

    But we don't want to send certain invalid realms, so modify policy.d/filter. The two checks below go inside the filter_username policy: the first rejects usernames that are not all lower case, the second rejects usernames with no realm.

  • /etc/freeradius/policy.d/filter

        filter_username {
            if (User-Name != "%{tolower:%{User-Name}}") {
                reject
            }
            if (User-Name !~ /@/) {
                update reply {
                    Reply-Message += "Rejected: Username has no realm"
                }
                reject
            }
        }
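    The following is an added example, not part of the original document: a small Python model of the authorize decisions described above (the two filter_username checks, the realm split performed by the suffix realm module, and the Proxy-To-Realm regex), run over constructed usernames. The realm split at the last '@' is a simplification of the realm module. One thing the model makes visible: the page's regex has no leading anchor, and unlang's !~ is a search, so a realm that merely ends in one of your domains (for example notrsc-wales.ac.uk) is treated as local rather than proxied; the anchored variant in the code is a suggestion, not something on the page.

```python
import re

# The unlang condition on the page: realms that do NOT match are proxied to
# the 'eduroam' realm (the NRPS). Written with single backslashes, as re expects.
LOCAL_REALM_RE = re.compile(r"(.*\.)?(rsc-wales\.ac\.uk|rsc-cymru\.ac\.uk)$")

# Suggested variant (not on the page): a leading ^ so the realm must BE one of
# the local domains or a subdomain of them, not merely end in them.
LOCAL_REALM_RE_ANCHORED = re.compile(r"^(.*\.)?(rsc-wales\.ac\.uk|rsc-cymru\.ac\.uk)$")


def filter_username(user_name):
    """Model of the two filter_username checks from policy.d/filter.

    Returns None when the name passes, otherwise the rejection reason."""
    if user_name != user_name.lower():
        # The page's check rejects silently; a reason is returned here only so
        # the caller can see which check fired.
        return "Rejected: Username is not lower case"
    if "@" not in user_name:
        return "Rejected: Username has no realm"
    return None


def split_realm(user_name):
    """Simplified model of the 'suffix' realm module with 'realm ~.*':
    split at the last '@' into Stripped-User-Name and Realm."""
    stripped, _, realm = user_name.rpartition("@")
    return stripped, realm


def authorize(user_name, anchored=False):
    """Return the decision the authorize section would reach for a User-Name."""
    reason = filter_username(user_name)
    if reason is not None:
        return {"action": "reject", "reason": reason}
    stripped, realm = split_realm(user_name)
    pattern = LOCAL_REALM_RE_ANCHORED if anchored else LOCAL_REALM_RE
    # unlang's =~ / !~ is a search, not a full-string match, so search() here too.
    if pattern.search(realm):
        return {"action": "authenticate", "stripped_user_name": stripped, "realm": realm}
    return {"action": "proxy", "proxy_to_realm": "eduroam", "realm": realm}


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real log.
    for name in ("alice@rsc-wales.ac.uk", "bob@student.rsc-cymru.ac.uk",
                 "carol@example.edu", "Dave@rsc-wales.ac.uk", "erin",
                 "frank@notrsc-wales.ac.uk"):
        print(f"{name:30} {authorize(name)['action']:13} "
              f"anchored: {authorize(name, anchored=True)['action']}")
```

    Run it as-is to see the table; the last row shows the difference the anchor makes. If you adopt the anchored form in unlang, keep the doubled backslashes the page uses and add the ^ at the start of the pattern.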

  • mods-enabled/eap

    Ensure that the password matches the input_password / output_password in certs/ca.cnf and certs/server.cnf.

    Change all instances of copy_request_to_tunnel = no to copy_request_to_tunnel = yes.

    Change default_eap_type = md5 to default_eap_type = peap.

    The following is a sample eap.conf file with all comments removed:

    /etc/freeradius/mods-enabled/eap

        eap {
            default_eap_type = peap
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
            max_sessions = 4096
            md5 {
            }
            leap {
            }
            gtc {
                auth_type = PAP
            }
            tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                # "whatever" is the package default; replace it with the
                # input_password / output_password you set in certs/*.cnf
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                CA_path = ${cadir}
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
                ecdh_curve = "prime256v1"
                cache {
                    enable = no
                    max_entries = 255
                }
                verify {
                }
                ocsp {
                    enable = no
                    override_cert_url = yes
                    url = "http://127.0.0.1/ocsp/"
                }
            }
            ttls {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
            }
            peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
            }
            mschapv2 {
            }
        }

  • The following is a sample mods-enabled/mschap file with all comments removed:

    /etc/freeradius/mods-enabled/mschap

        mschap {
            authtype = MS-CHAP
            use_mppe = yes
            require_encryption = yes
            require_strong = yes
            # --username uses Stripped-User-Name (set by the realm/ldap modules), falling
            # back to User-Name; --domain uses the NT-Domain supplied by the client when
            # the user logs in as DOMAIN\user, otherwise rsc-wales.local
            ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-rsc-wales.local} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

  • LDAP details

    Enable the ldap module, then update mods-enabled/ldap with your LDAP details. The key items are listed below.

        sudo ln -s /etc/freeradius/mods-available/ldap /etc/freeradius/mods-enabled

    /etc/freeradius/mods-enabled/ldap

    server = dc0.rsc-wales.local
        This refers to one domain controller; within most AD environments there will be a number of DCs. Consider using domaindnszones.rsc-wales.local, or read the following article on FreeRADIUS and multiple LDAP servers: http://www.novell.com/support/kb/doc.php?id=3807164

    identity = cn=ldap,cn=Users,dc=rsc-wales,dc=local
        This will be an account that you have created within your AD environment. It may be shared with other systems, but it shouldn't be an account used by users. You should ensure that it doesn't become disabled or removed: set Password Never Expires and User Cannot Change Password.

    password
        This will be the password for the identity above.

    basedn = cn=Users,dc=rsc-wales,dc=local
        You will need to search an ou (Organisational Unit) or cn (Container) within AD; you cannot search from the dc (domain) level. If you require multiple bases then this is handled in the same way as multiple servers, see http://www.novell.com/support/kb/doc.php?id=3807164

    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        This is an important bit that you will need to test for your environment. The example given should largely work in most AD environments, but you may not want to use sAMAccountName and may prefer to use mail or userPrincipalName. For the inner-tunnel authentication based on mschap, you will need to map to sAMAccountName.

  • Attribute files

    When working with attribute filter files (attr_filter) remember to add a comma to the last entry when adding more to the file. The comma is used as a separator and therefore isn't needed after the last entry.

    Change the DEFAULT sections of the following attr_filter files to the lists below; the other attributes in the DEFAULT section are not required as part of the eduroam spec, therefore we drop them all and only allow the ones that should be there.

    /etc/freeradius/mods-config/attr_filter/pre-proxy

        DEFAULT
            User-Name =* ANY,
            EAP-Message =* ANY,
            Message-Authenticator =* ANY,
            State =* ANY,
            Proxy-State =* ANY,
            Operator-Name =* ANY,
            Class =* ANY,
            Calling-Station-Id =* ANY,
            Chargeable-User-Identity =* ANY

    /etc/freeradius/mods-config/attr_filter/post-proxy

        DEFAULT
            Reply-Message =* ANY,
            Proxy-State =* ANY,
            EAP-Message =* ANY,
            Message-Authenticator =* ANY,
            MS-MPPE-Recv-Key =* ANY,
            MS-MPPE-Send-Key =* ANY,
            State =* ANY,
            Calling-Station-Id =* ANY,
            Operator-Name =* ANY,
            User-Name =* ANY,
            Class =* ANY,
            Chargeable-User-Identity =* ANY
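    The following is an added example, not part of the original document: a Python model of what the two DEFAULT allow-lists above do to a request on its way out to the NRPS and to a reply coming back from a visitor's home server. The packets are constructed for the example, not captured traffic. The point it makes visible is that post-proxy filtering is what stops a remote home server's reply from carrying attributes such as a VLAN assignment into your network, and that anything you do want to pass (Session-Timeout, for instance) has to be added to the list explicitly.

```python
# Allow-lists transcribed from the DEFAULT entries above. 'attribute =* ANY'
# keeps every instance of that attribute whatever its value; everything else
# in the packet is removed.
PRE_PROXY_ALLOWED = frozenset([
    "User-Name", "EAP-Message", "Message-Authenticator", "State", "Proxy-State",
    "Operator-Name", "Class", "Calling-Station-Id", "Chargeable-User-Identity",
])
POST_PROXY_ALLOWED = frozenset([
    "Reply-Message", "Proxy-State", "EAP-Message", "Message-Authenticator",
    "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "State", "Calling-Station-Id",
    "Operator-Name", "User-Name", "Class", "Chargeable-User-Identity",
])


def attr_filter(attrs, allowed):
    """Apply a DEFAULT '=* ANY' allow-list to a list of (attribute, value) pairs.

    RADIUS attributes can repeat (Proxy-State, EAP-Message), so a packet is
    modelled as an ordered list, not a dict. Returns (kept, dropped)."""
    kept = [(name, value) for name, value in attrs if name in allowed]
    dropped = [(name, value) for name, value in attrs if name not in allowed]
    return kept, dropped


def pre_proxy(request):
    """Filter applied before a request leaves for the NRPS."""
    return attr_filter(request, PRE_PROXY_ALLOWED)


def post_proxy(reply):
    """Filter applied to the reply received from the remote home server."""
    return attr_filter(reply, POST_PROXY_ALLOWED)


# Constructed example: an Access-Request for a visitor as our NAS sent it.
OUTGOING_REQUEST = [
    ("User-Name", "visitor@example.edu"),
    ("NAS-IP-Address", "192.168.1.10"),        # internal addressing, stays home
    ("NAS-Identifier", "ap-library-3"),
    ("Called-Station-Id", "00-11-22-33-44-55:eduroam"),
    ("Calling-Station-Id", "aa-bb-cc-dd-ee-ff"),
    ("Operator-Name", "1rsc-wales.ac.uk"),
    ("EAP-Message", "0x0201000a01"),
    ("Message-Authenticator", "0x00"),
    ("Proxy-State", "0x01"),
]

# Constructed example: the Access-Accept the visitor's home server returned,
# including a VLAN assignment that is meaningful only on their network.
INCOMING_REPLY = [
    ("User-Name", "visitor@example.edu"),
    ("EAP-Message", "0x03010004"),
    ("Message-Authenticator", "0x00"),
    ("MS-MPPE-Recv-Key", "0x11"),
    ("MS-MPPE-Send-Key", "0x22"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "99"),
    ("Session-Timeout", "3600"),
    ("Proxy-State", "0x01"),
]


if __name__ == "__main__":
    for label, (kept, dropped) in (("pre-proxy", pre_proxy(OUTGOING_REQUEST)),
                                   ("post-proxy", post_proxy(INCOMING_REPLY))):
        print(label, "kept:", [n for n, _ in kept])
        print(label, "dropped:", [n for n, _ in dropped])
```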

  • FreeRADIUS Virtual Servers (sites-enabled)

    eduroam
        Provides the virtual router for all external authentication requests, i.e. your users when roaming elsewhere. Mostly default config.

    default
        Provides a virtual router for all authentication at your site. This provides the default EAP (outer tunnel) as used by College clients locally and by users that are roaming locally. Mostly default configuration, with changes to allow LDAP. Sets the proxy to eduroam for all realms that are not local, i.e. the non-ystrad-mynach realms.

    inner-tunnel
        This provides the MSCHAP authentication for our local users, and redirects visiting users to the eduroam virtual router. The majority of the configuration work has been in this file. Redirects to eduroam for the non-ystrad-mynach realm.

    Other FreeRADIUS configuration files

    eap.conf
        This provides the default EAP configuration, defining the inner tunnels to use and the SSL certificate information. Minor changes to enable EAP and for the certificate password.

    certs/ca.cnf, certs/server.cnf
        These provide the configuration used by FreeRADIUS (and its certs/bootstrap script) to create a certificate and certificate authority when first running RADIUS. These are customised to each organisation to provide sensible information for users in the certificate and certificate authority. Under no circumstances should a production server be put on-line with these files left in their default state.

    clients.conf
        This provides the IP address and shared secret of clients, including other RADIUS servers. We configure all clients here; this includes any full wireless APs, or where using thin wireless APs just the controller. In addition, we also configure the JANET RADIUS servers; the configuration items for this are provided on the JRS support site.

    modules/mschap
        MS-CHAP configuration. Changes to the ntlm_auth command only.

    modules/ldap
        LDAP configuration. Significant configuration in this file with the usual LDAP details: username, password, base DN, server name, attribute.

  • Clients

    You will need to add clients for all wireless access points, wireless access-point controllers, network switches or other RADIUS servers that need to communicate with this RADIUS server. In addition the JANET NRPS (National RADIUS Proxy Servers) will need to be configured here; the eduroam(UK) support page provides the relevant configuration snippet.

    You may wish to define these as IP subnets if the majority of your APs are in a single IP subnet. Be careful about using broader subnets which may contain client machines or servers, since every host in the range can then talk to the RADIUS server with that shared secret.

    The following is an example entry for clients.conf. This defines a client for all hosts in 192.168.1.0/24 (or 192.168.1.*):

    clients.conf

        client 192.168.1.0/24 {
            secret = mysecret
        }
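    The following is an added example, not part of the original document: a short Python audit of subnet-style client definitions, using constructed clients.conf entries and a constructed host inventory. It resolves which client block a given source address falls under (longest prefix wins when definitions overlap, which is how I understand FreeRADIUS resolves overlapping clients) and lists the hosts inside a client subnet that are not NAS devices, which is exactly the concern raised above about broad subnets.

```python
import ipaddress

# Constructed clients.conf entries: (network, shared secret). The /8 is
# deliberately broad to show what the audit reports.
CLIENTS = [
    ("192.168.1.0/24", "mysecret"),
    ("10.0.0.0/8", "mysecret"),
    ("192.168.1.5/32", "ap5secret"),
]

# Constructed inventory of what actually lives in those ranges.
INVENTORY = {
    "192.168.1.5": "access-point",
    "192.168.1.6": "access-point",
    "10.1.2.3": "staff-workstation",
    "10.5.0.10": "file-server",
    "10.9.9.9": "wlan-controller",
}

# Roles that legitimately speak RADIUS to this server.
NAS_ROLES = frozenset({"access-point", "wlan-controller", "switch", "radius-proxy"})


def parse_clients(clients):
    """Turn (cidr, secret) strings into (ip_network, secret) pairs."""
    return [(ipaddress.ip_network(net), secret) for net, secret in clients]


def client_for(source_ip, clients):
    """Return the (network, secret) block that applies to a source address,
    choosing the most specific prefix when several overlap; None if no match."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(net, secret) for net, secret in parse_clients(clients) if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def non_nas_hosts(clients, inventory, nas_roles=NAS_ROLES):
    """Hosts covered by a client block whose role is not a NAS. Each of these can
    reach the RADIUS server with that block's shared secret, so the finding is
    a prompt to narrow the subnet or use per-host client entries."""
    findings = []
    for host, role in inventory.items():
        match = client_for(host, clients)
        if match is not None and role not in nas_roles:
            findings.append((host, role, str(match[0])))
    return sorted(findings)


if __name__ == "__main__":
    for host, role, net in non_nas_hosts(CLIENTS, INVENTORY):
        print(f"{host} ({role}) is covered by client {net}")
```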

    Testing

    If you would like to test on the command line, then use the following instructions to build rad_eap_test and eapol_test programs.

    https://docs.google.com/a/jiscadvance.ac.uk/document/d/1NfB8JbUs-EhlHX-wLIsquoc7E8l4-FAqFyXOwvKGbE8/edit#heading=h.b5fil0xvkowd

  • Enable login with userPrincipalName and/or sAMAccountName

    In mods-enabled/ldap, in the user section, change filter to:

        filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(userPrincipalName=%{User-Name}))"

    (This means that you can log in as either sAMAccountName@realm or userPrincipalName.)

    Alternatively, set this to:

        filter = "(userPrincipalName=%{User-Name})"

    if you don't want to allow login as sAMAccountName, i.e. only allow userPrincipalName.

    In the update section add:

        request:Stripped-User-Name := 'sAMAccountName'

    (We need to use the sAMAccountName for the inner tunnel, where you use the mschap module and the ntlm_auth command.)
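    The following is an added example, not part of the original document: a Python model of how the two filters above expand for a given request, what a directory search on them would find, and why the update line is needed. It also covers the earlier filter in the LDAP details section (the sAMAccountName-only form is the first half of the combined one). The directory entries are constructed, and the lookup is a simulation of the search rather than a real LDAP bind. FreeRADIUS's ldap module applies its own LDAP escaping to expanded values; the RFC 4515 escaping here is the example's own, so the rendered filters have the same shape and a username containing a wildcard cannot widen the search.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def stripped_or_user_name(request):
    """Expansion of %{%{Stripped-User-Name}:-%{User-Name}}: the stripped name
    if the realm module set one, otherwise the full User-Name."""
    return request.get("Stripped-User-Name") or request["User-Name"]


def build_filter(request, allow_sam_account_name=True):
    """Render the page's two filter variants for a request."""
    upn = ldap_escape(request["User-Name"])
    if not allow_sam_account_name:
        return f"(userPrincipalName={upn})"
    sam = ldap_escape(stripped_or_user_name(request))
    return f"(|(sAMAccountName={sam})(userPrincipalName={upn}))"


def ldap_lookup(request, directory, allow_sam_account_name=True):
    """Simulate the search the filter performs and the update section after it.

    Returns (filter_string, matched_entry_or_None, request_updates)."""
    flt = build_filter(request, allow_sam_account_name)
    upn = request["User-Name"]
    sam = stripped_or_user_name(request)
    for entry in directory:
        hit = entry["userPrincipalName"] == upn
        if allow_sam_account_name and entry["sAMAccountName"] == sam:
            hit = True
        if hit:
            # request:Stripped-User-Name := 'sAMAccountName'
            # This is the value ntlm_auth in the mschap module receives as
            # --username, so a UPN login still maps to the AD account name.
            return flt, entry, {"Stripped-User-Name": entry["sAMAccountName"]}
    return flt, None, {}


def make_request(user_name):
    """Build the request as it looks after the realm module: split at the last '@'."""
    stripped, _, _ = user_name.rpartition("@")
    return {"User-Name": user_name, "Stripped-User-Name": stripped or None}


# Constructed directory entries (not a real AD export). Note that Alice's UPN
# prefix differs from her sAMAccountName, which is the case the update handles.
DIRECTORY = [
    {"sAMAccountName": "asmith", "userPrincipalName": "alice.smith@rsc-wales.ac.uk"},
    {"sAMAccountName": "bjones", "userPrincipalName": "bjones@rsc-wales.ac.uk"},
]


if __name__ == "__main__":
    for name in ("asmith@rsc-wales.ac.uk", "alice.smith@rsc-wales.ac.uk", "*@rsc-wales.ac.uk"):
        flt, entry, updates = ldap_lookup(make_request(name), DIRECTORY)
        print(name, "->", flt, "->", entry and entry["sAMAccountName"], updates)
```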