Skip to content

Instantly share code, notes, and snippets.

@abbra

abbra/FreeRadius + FreeIPA

Forked from tiran/FreeRadius + FreeIPA
Last active June 6, 2024 10:00
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save abbra/a74e171d791cf90113b0272b78919987 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save abbra/a74e171d791cf90113b0272b78919987 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
FreeRadius + FreeIPA
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ host principal has permissions to create own services
kinit -k
ipa service-add 'radius/HOSTNAME'
# create keytab for radius user
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
edit /etc/raddb/mods-enabled/ldap
ldap server = 'LDAP HOSTNAME'
ldap base_dn = 'cn=accounts,dc=example,dc=org'
ldpa sasl mech = 'GSSAPI'
ldpa sasl realm = 'YOUR REALM'
ldap sasl update control:NT-Password := 'ipaNTHash'
# How to request certificates from IPA server for RADIUS
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
openssl dhparam 2048 -out /etc/raddb/certs/dh
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
@flymia
Copy link

flymia commented Dec 8, 2022
edited
Loading

We had to switch to another hashing algorithm in FreeIPA because of this. So every user had to change their passwords. Sadly, there is not another solution for this.

@bagassy
Copy link

bagassy commented Apr 7, 2023

The config snippet isn't complete, or out of date.
Authentication should/could be handled by krb5 and Authorization by ldap.
Ldap module not finding a 'good password' is expected, and should be ignored. (krb5 module will do a kinit with user credentials for authentication)
There isn't any need for alternative hashing algos or any configuration related to nt/ipa/hash/password.

@abbra
Copy link
Author

abbra commented Apr 13, 2023

@bagassy This whole setup is not supported anymore. The original approach was to show how to integrate with FreeIPA if you need NTLM stuff to work. As I said previously in https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987?permalink_comment_id=3443169#gistcomment-3443169, this is not supported anymore.

@vvilaplana
Copy link

vvilaplana commented Jun 6, 2024

if it's not supported anymore, is there any way to integrate freeradius into freeipa for mschap requests? this is my specific scenario: we have devices that authenticate against our freeradius v3.0.21, and our freeradius authenticates against freeipa's ldap (freeipa v4.11.0, 389ds v2.4.5). if radius request is pap, auth works perfectly. but i can't find a way to make it work when radius request is mschap/mschapv2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment