Versão avaliada: Fedora 42
Criar um ponto central de autenticação.
O FreeRADIUS está sendo instalado no mesmo servidor em que está configurado o serviço do FreeIPA. Observação: nesse arranjo o serviço RADIUS, exposto à rede dos pontos de acesso, roda no próprio servidor de identidade; restrinja no firewall as portas 1812/1813 (UDP) aos endereços dos NAS/APs cadastrados em clients.conf.
Para instalar o serviço execute:
$ sudo su
# dnf install freeradius freeradius-utils freeradius-ldap freeradius-krb5 -y
Inicie o serviço.
# systemctl enable radiusd.service && systemctl start radiusd.service
Nota: Ao iniciar o serviço foi apresentada falha; para corrigi-la foi necessário gerar (atualizar) os certificados do serviço com o script bootstrap, executado dentro de /etc/raddb/certs.
# ./bootstrap
Os parâmetros abaixo são opcionais: basta executar o comando ./bootstrap sem as alterações informadas para criar os certificados necessários ao funcionamento do FreeRADIUS. Lembre-se de que esses são certificados de teste autoassinados, com validade padrão de 60 dias, portanto será necessário renová-los com frequência; para produção, prefira certificados emitidos pela CA do FreeIPA (ver ipa-getcert ao final desta página).
Criar o arquivo "Diffie-Hellman"
# openssl dhparam -check -text -5 -out /etc/raddb/certs/dh 4096
Para personalizar o certificado com as configurações de seu ambiente, altere os arquivos abaixo; os principais parâmetros são os mostrados (a formatação em negrito foi perdida na extração). Troque todas as senhas 'whatever' — são os valores padrão de teste do FreeRADIUS — e lembre-se de que a senha do servidor (PASSWORD_SERVER / output_password em server.cnf) protege a chave privada e deve ser a mesma informada em private_key_password no módulo eap. Mantenha default_days coerente entre os arquivos (abaixo aparecem 3650 e 3560, provavelmente erro de digitação).
# vi passwords.mk
PASSWORD_SERVER = 'whatever'
PASSWORD_INNER = 'whatever'
PASSWORD_CA = 'whatever'
PASSWORD_CLIENT = 'whatever'
USER_NAME = 'user@example.org'
CA_DEFAULT_DAYS = '3560'
Acesse o arquivo CA.
# cd /etc/raddb/certs
# vi ca.cnf
[ CA_default ]
....
default_days = 3650
....
[ req ]
....
input_password = whatever
output_password = whatever
....
[certificate_authority]
countryName = BR
....
Acesse o arquivo Client.
# vi client.cnf
[ CA_default ]
....
default_days = 3560
....
[ req ]
....
input_password = whatever
output_password = whatever
....
[client]
countryName = BR
....
Acesse o arquivo Server. Observação: o Makefile do FreeRADIUS assina o certificado do servidor com as extensões de xpextensions (seção xpserver_ext), portanto mantenha o mesmo alt_names nos dois lugares — abaixo o NAIRealm usa *.example.com aqui e *.local.domain em xpextensions, o que é inconsistente.
# vi server.cnf
[ CA_default ]
....
default_days = 3560
....
[ req ]
....
input_password = whatever
output_password = whatever
....
[server]
countryName = BR
....
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
....
[alt_names]
DNS.1 = hl251.local.domain
# NAIRealm from RFC 7585
otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com
Acesse o arquivo Inner-Server (inner-server.cnf, certificado usado pelo servidor interno configurado em mods-available/inner-eap).
# vi inner-server.cnf
[ CA_default ]
....
default_days = 3560
....
[ req ]
....
input_password = whatever
output_password = whatever
....
[server]
countryName = BR
....
# /etc/raddb/sites-available/tls
listen {
....
tls {
....
private_key_password = whatever
....
home_server tls {
....
tls {
....
private_key_password = whatever
....
# vi /etc/raddb/mods-available/inner-eap
....
tls {
private_key_password = whatever
....
# vi /etc/raddb/mods-available/eap
....
eap {
....
tls-config tls-common {
....
private_key_password = whatever
....
# vi /etc/raddb/certs/xpextensions
[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
crlDistributionPoints = URI:http://www.example.com/example_ca.crl
subjectAltName = @alt_names
[alt_names]
DNS.1 = hl251.local.domain
# NAIRealm from RFC 7585
otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.local.domain
Execute o script bootstrap para criar os certificados com os novos parâmetros. Atenção: o bootstrap verifica se cada arquivo já existe em /etc/raddb/certs e só gera os que faltam; se houver certificados de uma execução anterior, remova-os antes (ver make destroycerts abaixo), senão os novos parâmetros não terão efeito.
# ./bootstrap
# systemctl restart radiusd.service
Para renovar o certificado siga os passos abaixo. Atenção: este procedimento (make destroycerts + ./bootstrap) recria também a CA, não apenas o certificado do servidor, e todo suplicante que confia/fixa a CA antiga precisará ser reprovisionado. Para renovar só o servidor, remova apenas server.* e use os alvos do Makefile (por exemplo make server.pem), preservando ca.*, index.txt e serial.
Mova o certificado velho para um local diferente.
# cd /etc/raddb/certs
# mkdir OLDCerts && mv *.pem *.key OLDCerts/
O comando abaixo auxilia na remoção dos arquivos não mais necessários (repare que ele apaga também dh, ca.*, index.txt e serial, ou seja, toda a CA de teste).
# make destroycerts
rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
serial* *\.0 *\.1 ca-crl.pem ca.crl
Criar o arquivo "Diffie-Hellman"
# openssl dhparam -check -text -5 -out /etc/raddb/certs/dh 4096
Execute o script bootstrap para realizar a criação do certificado com os novos parâmetros.
# ./bootstrap
# systemctl restart radiusd
Com o comando abaixo é possível testar se o serviço responde. Observe que a resposta mostrada é Access-Reject: isso só confirma que o radiusd está ouvindo em 1812 e validou o segredo do cliente localhost (testing123, o padrão de clients.conf — troque-o); para obter Access-Accept é preciso um usuário conhecido, por exemplo steve em /etc/raddb/users (ver adiante), que deve ser removido após o teste.
# radtest steve testing 127.0.0.1 1812 testing123
Sent Access-Request Id 53 from 0.0.0.0:40621 to 127.0.0.1:1812 length 75
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 10.1.10.251
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "testing"
Received Access-Reject Id 53 from 127.0.0.1:1812 to 127.0.0.1:40621 length 38
Message-Authenticator = 0x37e3eaf9bfd95c5cdbb290d038b29ad5
(0) -: Expected Access-Accept got Access-Reject
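# Run as root (the page shows these lines with a '#' prompt).
# Enable the LDAP module and replace the heavily commented upstream file with a
# stripped copy; the original is kept as ldap.Default for reference. The symlink
# is created first, so it resolves to the regenerated file below.
cd /etc/raddb/mods-available
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
mv ldap ldap.Default
# grep -E replaces egrep, which GNU grep 3.8+ flags as obsolescent on every run.
grep -E -v '^\s*(#|$)' ldap.Default > ldap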
# vi mods-enabled/ldap
ldap {
server = 'localhost'
base_dn = 'dc=local,dc=domain'
port = 636
start_tls = yes
identity = "uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
#identity = "krbprincipalname=radius/hl251.local.domain@LOCAL.DOMAIN,uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
password = Senha2025
set_auth_type = yes
....
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
....
# vi ldap
ldap {
server = 'localhost'
port = 636
identity = "uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
password = Senha2025
base_dn = 'dc=local,dc=domain'
....
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
....
tls {
# start_tls = yes
....
# systemctl restart radiusd.service
# radtest <UserLDAP> <SenhaLDAP> localhost 1812 testing123
Sent Access-Request Id 17 from 0.0.0.0:48678 to 127.0.0.1:1812 length 78
User-Name = "UserLDAP"
User-Password = "SenhaLDAP"
NAS-IP-Address = 10.1.10.251
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "SenhaLDAP"
Received Access-Reject Id 17 from 127.0.0.1:1812 to 127.0.0.1:48678 length 38
Message-Authenticator = 0xcfb3bc91a8fa54b7536d0c8d33f8d11e
(0) -: Expected Access-Accept got Access-Reject
Nota: Valide se o link simbólico está criado no diretório mods-enabled para o módulo LDAP. Em caso de Access-Reject, execute radiusd -X para ver o motivo. Observe ainda que start_tls = yes combinado com port = 636 é contraditório (STARTTLS usa a porta 389; 636 é LDAPS) e que a senha do bind fica em texto claro em mods-available/ldap — mantenha o arquivo com permissão restrita (root:radiusd, 640), não use senhas triviais como a do exemplo e prefira o bind via GSSAPI com keytab, descrito adiante.
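# Run as root (the page shows these lines with a '#' prompt).
# Same pattern as for ldap: keep the documented upstream file as eap.Default and
# enable a stripped copy.
cd /etc/raddb/mods-available
mv eap eap.Default
# grep -E replaces egrep, which GNU grep 3.8+ flags as obsolescent on every run.
grep -E -v '^\s*(#|$)' eap.Default > eap
ln -s /etc/raddb/mods-available/eap /etc/raddb/mods-enabled/eap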
Edite o arquivo EAP (caminho abaixo). Observação sobre o trecho mostrado: há duas linhas cipher_list e apenas a última tem efeito, e ela ainda inclui suítes CBC/SHA-1 e Camellia; verifique se a sua versão ainda aceita random_file (diretiva legada) antes de mantê-la.
# vi eap
/etc/raddb/mods-enabled/eap
default_eap_type = tls
private_key_password = <Password you set output_password in server.cnf>
private_key_file = ${certdir}/server.pem
ca_file = ${cadir}/cacrl.pem
random_file = /dev/random
check_crl = yes
cipher_list = "HIGH"
cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
ecdh_curve = "secp384r1"
name = "EAP-TLS"
persist_dir = "${logdir}/tlscache"
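# EAP instance selected for the "client" outer identity (see sites-available/default).
eap eap-client {
	tls-config tls-common {
		# Key/certificate pair for this instance. The original listing had the
		# typo `fisrt.key`, which points at a file that does not exist.
		# Add private_key_password here if first.key is passphrase-protected.
		private_key_file = ${certdir}/first.key
		certificate_file = ${certdir}/first.crt
		dh_file = ${certdir}/dh
		# OpenSSL expects ca_path to be a hashed directory (openssl rehash).
		ca_path = ${cadir}
		cipher_list = "HIGH"
		cipher_server_preference = no
		ecdh_curve = "prime256v1"
		check_crl = no
	}
	ttls {
		tls = tls-common
		# Inner EAP method, used only when the supplicant negotiates an EAP
		# method inside the tunnel. EAP-MD5 needs a cleartext password on the
		# server and offers no mutual authentication; with LDAP-bind
		# authentication against FreeIPA it cannot succeed.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
}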
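# EAP instance selected for the "guest" outer identity and for any identity
# that is neither "guest" nor "client" (see sites-available/default).
eap eap-guest {
	default_eap_type = ttls
	tls-config tls-common {
		# Passphrase of server.key. The original listing spelled the keyword
		# `private_key_passwotd`, so the passphrase was never applied and an
		# encrypted key could not be loaded.
		private_key_password = whatever
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.crt
		dh_file = ${certdir}/dh
		# OpenSSL expects ca_path to be a hashed directory (openssl rehash).
		ca_path = ${cadir}
		cipher_list = "HIGH"
		cipher_server_preference = no
		ecdh_curve = "prime256v1"
		check_crl = no
	}
	ttls {
		tls = tls-common
		# Inner EAP method, used only when the supplicant negotiates an EAP
		# method inside the tunnel; EAP-MD5 requires a cleartext password on
		# the server, which LDAP-bind authentication does not provide.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
}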
# systemctl restart radiusd.service
Nota: Valide se o link simbólico está criado no diretório mods-enabled para o módulo EAP. Observação: default_eap_type = md5 dentro de ttls seleciona EAP-MD5 como método interno, que exige senha em texto claro no servidor e não oferece autenticação mútua; com autenticação por bind LDAP no FreeIPA, use PAP dentro do túnel (TTLS/PAP) ou mschapv2 com ipaNTHash (ver adiante).
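# Run as root (the page shows these lines with a '#' prompt).
# The directory is sites-available (the original had `site-available`, which
# does not exist). sites-enabled/default is normally a symlink to this file, so
# regenerating it in place keeps the enabled site pointing at the new copy.
cd /etc/raddb/sites-available
mv default default.Default
# grep -E replaces egrep, which GNU grep 3.8+ flags as obsolescent on every run.
grep -E -v '^\s*(#|$)' default.Default > default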
server default {
....
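authorize {
	filter_username
	preprocess
	# Dispatch EAP by outer identity to a dedicated eap instance
	# (mods-enabled/eap). The stock default site returns on both `ok` and
	# `updated` for the eap module; with only `ok = return` an EAP round
	# trip fell through to the LDAP lookup below, which it does not need.
	if (&User-Name == "guest") {
		eap-guest {
			ok = return
			updated = return
		}
	}
	elsif (&User-Name == "client") {
		eap-client {
			ok = return
			updated = return
		}
	}
	else {
		# Any other outer identity is handled by the guest instance.
		eap-guest {
			ok = return
			updated = return
		}
	}
	ldap
	# Non-EAP request carrying a cleartext password: authenticate by LDAP bind.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	expiration
	logintime
	pap
}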
authenticate {
	# Chosen when authorize set control:Auth-Type := ldap (bind as the user).
	Auth-Type LDAP {
		ldap
	}
	# EAP conversations continue in the eap instance that started them.
	Auth-Type eap-guest {
		eap-guest
	}
	Auth-Type eap-client {
		eap-client
	}
	# NOTE(review): bare module name in authenticate — FreeRADIUS treats it as
	# the section for an Auth-Type of the same name, as the stock site does
	# with `eap`; confirm with radiusd -X.
	pap
}
....
}
Nota: Valide se o link simbólico está criado no diretório sites-enabled para o site default.
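# Run as root (the page shows these lines with a '#' prompt).
# The directory is sites-available (the original had `site-available`).
cd /etc/raddb/sites-available
mv inner-tunnel inner-tunnel.Default
# grep -E replaces egrep, which GNU grep 3.8+ flags as obsolescent on every run.
grep -E -v '^\s*(#|$)' inner-tunnel.Default > inner-tunnel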
# cat inner-tunnel
server inner-tunnel {
....
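authorize {
	filter_username
	# Enforce the inner/outer identity policy from policy.d/filter.
	filter_inner_identity
	# The inner request is always authenticated locally, never proxied.
	update control {
		&Proxy-To-Realm := LOCAL
	}
	# Look the user up in FreeIPA. The original listing wrapped the rest of
	# this section inside `ldap { ... }`; unlang only allows return-code
	# overrides inside a module's braces, so that block does not load.
	ldap
	# Cleartext password inside the tunnel: authenticate by LDAP bind.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	expiration
	digest
	logintime
	pap
}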
authenticate {
	# Set by the pap module in authorize when a known-good password exists.
	Auth-Type PAP {
		pap
	}
	# Inner EAP conversations continue in the instance that started them.
	Auth-Type eap-guest {
		eap-guest
	}
	Auth-Type eap-client {
		eap-client
	}
	# NOTE(review): bare module name — handles control:Auth-Type := ldap set in
	# authorize (FreeRADIUS maps a bare module to an Auth-Type of the same
	# name); confirm with radiusd -X.
	ldap
}
....
} # inner-tunnel server block
# vi policy.d/filter
....
if (&outer.request:User-Name !~ /^(anon|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
}
elsif (&outer.request:User-Name !~ /^(guest|client|@)/) {
update request {
Module-Failure-Message = "User-Name is not anonymized"
}
reject
}
....
Nota: Valide se o link simbólico está criado no diretório sites-enabled para o site inner-tunnel.
# cat clients.conf
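# RADIUS clients (the NAS/APs allowed to talk to this server).
client APs {
	# A /24 admits every host on the subnet with one shared secret (the host
	# bits of the original 10.2.25.10/24 are masked off anyway). Prefer one
	# client block per AP, each with its own secret, where possible.
	ipaddr = 10.2.25.0/24
	# `secret` is the shared secret requests are validated with. The original
	# used `password =`, which is the unrelated checkrad login password, so
	# this client had no secret at all.
	secret = <PASSWORD>
	# Blast-RADIUS (CVE-2024-3596) mitigation: require Message-Authenticator
	# on Access-Requests from this client.
	require_message_authenticator = yes
}
client home {
	ipaddr = 192.168.1.10
	# Accept both UDP and TCP from this client.
	proto = *
	secret = <PASSWORD USED BY YOUR AP TO AUTHENTICATE WITH THIS RADIUS SERVER>
	shortname = <YOUR_SSID>
	# Was `no`. Setting it to `yes` rejects forged Access-Requests
	# (Blast-RADIUS, CVE-2024-3596); modern APs send the attribute. Only
	# relax this if the AP verifiably cannot, and then isolate it.
	require_message_authenticator = yes
	nas_type = other
	# Connection limits; they apply to the TCP transport enabled by proto = *.
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}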
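# Run as root (the page shows these lines with a '#' prompt).
# This repeats the earlier default-site step. Without the guard a second run
# would overwrite the preserved original (default.Default) with the already
# stripped copy, losing the upstream comments for good.
cd /etc/raddb/sites-available
[ -e default.Default ] || mv default default.Default
# grep -E replaces egrep, which GNU grep 3.8+ flags as obsolescent on every run.
grep -E -v '^\s*(#|$)' default.Default > default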
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ host principal has permissions to create own services
# Replace HOSTNAME with this server's FQDN throughout.
# `kinit -k` with no principal uses the host keytab (/etc/krb5.keytab), so
# this has to run as root.
kinit -k
ipa service-add 'radius/HOSTNAME'
# create keytab for radius user
# NOTE(review): the keytab holds the service's long-term key. Until the
# chown/chmod below it has whatever mode ipa-getkeytab created it with —
# consider `umask 077` first if that window matters.
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
# Readable by root and the radiusd group only; radiusd runs unprivileged.
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI
# Drop-in unit: KRB5_CLIENT_KTNAME lets the GSSAPI client acquire its own
# credentials from the keytab; the `-` prefix on kdestroy tells systemd to
# ignore a failure (e.g. no cache to destroy) so it never blocks start/stop.
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
edit /etc/raddb/mods-enabled/ldap
ldap server = 'LDAP HOSTNAME'
ldap base_dn = 'cn=accounts,dc=example,dc=org'
ldpa sasl mech = 'GSSAPI'
ldpa sasl realm = 'YOUR REALM'
ldap sasl update control:NT-Password := 'ipaNTHash'
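# How to request certificates from IPA server for RADIUS
# Set the self-signed bootstrap material aside and start with an empty dir.
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# The bit length must be the last argument: openssl dhparam stops option
# parsing at the first non-option word, so `dhparam 2048 -out ...` is
# rejected as extra arguments.
openssl dhparam -out /etc/raddb/certs/dh 2048
# Ask certmonger/IPA for a certificate on the radius/HOSTNAME principal and
# restart radiusd on every (re)issue. Replace HOSTNAME with this server's FQDN.
# NOTE(review): the key is written to /etc/pki/tls/private, which is
# root-only by default, while radiusd drops to the radiusd user (see the
# keytab chown above). Grant it read access — via the ownership options of
# `ipa-getcert request --help` or in the -C post-save command — and point
# private_key_file/certificate_file in mods-enabled/eap at these paths.
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME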
If NT hashes do not work against FreeIPA, what should be used instead of `ldap sasl update control:NT-Password := 'ipaNTHash'` in /etc/raddb/mods-enabled/ldap? Answer (verify in your environment): ipaNTHash is only populated when the IPA domain has AD-trust support enabled (ipa-adtrust-install) and the user has changed their password since then; without it MS-CHAPv2 cannot work. Use EAP-TTLS with PAP in the inner tunnel instead — the cleartext password travels only inside the TLS tunnel and is checked by the LDAP bind — and drop the NT-Password mapping.
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>
$ sudo vi /etc/raddb/users
steve Cleartext-Password := "testing"
$ sudo radiusd -X
And make a test connection from localhost
$ sudo radtest steve testing 127.0.0.1 1812 testing123
$ sudo vi /etc/raddb/radiusd.conf
Uncomment the line that starts with '$INCLUDE clients.conf' only if it has been disabled — in the stock radiusd.conf it is already active. In the clients.conf entry below, put each directive on its own line (`client 192.168.1.100 {`, `secret = ...`, `shortname = ...`, `}`), since the single-line form is not reliably parsed, and replace mysecretkey with a long random shared secret.
$ sudo nano /etc/raddb/clients.conf
client 192.168.1.100 { secret = mysecretkey shortname = myhostname }
$ sudo systemctl restart radiusd
$ sudo radtest test password 192.168.1.100 0 mysecretkey
$ sudo radacct -f /var/log/radius/radacct/192.168.1.100/detail-$(date +%Y%m%d)