How to Integrate FreeRADIUS with Active Directory [Step-by-Step]

FreeRADIUS: Active Directory Integration and PEAP-MschapV2 with Dynamic Vlan Assignment

We will setup authentication and authorization for a wireless network that can be used for a large organization, ensuring network users are able to securely authenticate to the network. Here's what you'll need:

• A FreeRADIUS Server
• A Domain Controller
• A Wireless Controller
• An Access Point (AP)
• Some Clients with Different Operating System

The clients will be classified depend on device type (Android, iPhone, Windows) and assigned to different vlans after being authenticated. We will use Protected Extensible Authentication Protocol (PEAP) with Mschapv2. My network topology will look like below.

 

Following table shows the device type and the vlans they will be assigned.

 

Integrate FreeRADIUS with Active Directory

Mschapv2 is a challenge-response based authentication protocol. Since it does not support sending client credentials in complete clear text, we will not be able to use LDAP database in Active Directory for authentication. There can be a workaround but, we will not cover that scenario in this article. Instead, we will use Active Directory integration which supports Mschapv2 authentication. We will use Samba server ant it’s utilities to join the Active Directory.

Followings steps show Samba installation and the other required tools.

Step-1: A fully qualified domain name (FQDN) must be defined. Open "/etc/hosts" file in your preferred text editor and add localhost IP address, FQDN and hostname respectively as below.

root@freeradius:/home/celal# nano /etc/hosts

My configuration is below.

 

Step-2: Verify the hostname and FQDN with the commands below.

root@freeradius:/home/celal# hostname
freeradius

root@freeradius:/home/celal# hostname -f
freeradius.mydomain.com

 

Step-3: Update package information from all the configured sources.

root@freeradius:/home/celal# apt-get update

 

Step-4: Install the required packages with the command below.

root@freeradius:/home/celal# apt-get install samba winbind libnss-winbind krb5-user

During the installation, the window below will appear. Enter your domain name and click "OK".

 

Enter your Domain Controllers FQDN. If you have more than one, then separate them with a space.

 

Enter the administrative server FQDN and click "OK".

 

Step-5: After the installation, we need to configure Samba server. Open "/etc/samba/smb.conf" file with your preferred text editor and modify it the way it suits you. Mine is below.

root@freeradius:/home/celal# nano /etc/samba/smb.conf
[global]
    workgroup = MYDOMAIN
    security = ads
    winbind use default domain = yes
    realm = MYDOMAIN.COM
    password server = mydc1.mydomain.com

 

Step-6: Although we configured Kerberos in step 4, we need to add more config. Open "/etc/krb5.conf" and modify it as below.

root@freeradius:/home/celal# nano  /etc/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.COM

[realms]
        MYDOMAIN.COM = {
                kdc = mydc1.mydomain.com
                kdc = mydc2.mydomain.com
                admin_server = mydc1.mydomain.com
        }

[domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

 

Step-7: Now that we have installed and configured Samba server and Kerberos authentication, we need to join the Active Directory. Remember that when you join a windows client to an Active Directory, you must have an administrator account. Before joining the Active Directory, you provide your credentials. For Ubuntu, we will use "kinit" tool to obtain and cache Kerberos ticket-granting ticket then join the AD.

root@freeradius:/home/celal# kinit Administrator
Password for Administrator@MYDOMAIN.COM:

Following output shows Kerberos obtaining ticket-granting ticket in packet level.

Join the Active Directory with command below.

root@freeradius:/home/celal# net ads -k join

Following figure shows joining the Active Directory in the packet level.

 

Step-8: Restart the services as below.

root@freeradius:/home/celal# service smbd restart
root@freeradius:/home/celal# service nmbd restart
root@freeradius:/home/celal# service winbind restart

 

Step-9: At this point, we have joined the Active Directory and will confirm if New Technology LAN Manager (NTLM) authentication works. FreeRADIUS uses "ntlm_auth" tool to allow external access to Winbind's NTLM authentication function. Apply the command below to confirm if NTLM authentication works.

root@freeradius:/home/celal# ntlm_auth --request-nt-key --domain=mydomain.com --username=administrator --password=mypassword
NT_STATUS_OK: The operation completed successfully. (0x0)

root@freeradius:/home/celal#

When the authentication is successful, it returns 0 (zero). Following screenshot shows that the ntlm authentication has made over Remote Procedure Call (RPC), which is a Microsoft proprietary protocol.

 

Configure FreeRADIUS

I assume that you have already installed FreeRADIUS. If not, please visit here (FreeRADIUS Installing and Configuring (Part 1)).

Step-1: The "default" virtual server contains too much settings. Thus, I will remove it and create my own simple server.

root@freeradius:/home/celal# rm /etc/freeradius/3.0/sites-enabled/default

 

Step-2: My Aruba testing wireless controller are able to classify a client based on its Operating System. It sends device type in an "Access-Request" packet, using "Aruba-Device-Type" vendor specific attribute. After authenticating the user, I use this attribute to distinguish the clients from each other, then I assign them the vlan accordingly with "post-auth" block. FreeRADIUS comes with many vendor specific dictionaries. They are stored in "/usr/share/freeradius/" directory. If there is currently no dictionary for your vendor, you can create a new one in the directory. Change the configuration below to suit your needs.

root@freeradius:/home/celal# nano /etc/freeradius/3.0/sites-enabled/my_server

server my_server {

        listen {
        ipaddr = *
        port = 1812
        type = auth
        }

        authorize {
        preprocess
        mschap
        suffix
        eap
        files
        }

        authenticate {
        Auth-Type MS-CHAP {
        mschap
        }

        eap
}

post-auth {
if (Aruba-Device-Type == "Android") {
        update reply {
                Reply-Message := "you are an Android"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "100"
    }
}
if (Aruba-Device-Type == "iPhone") {
        update reply {
                Reply-Message := "you are an iPhone"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "101"
    }
}
if (Aruba-Device-Type == "Win 10") {
        update reply {
                Reply-Message := "you are a windows"
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = "102"
    }
}
}
}

Step-3: Define a RADIUS client in "/etc/freeradius/3.0/clients.conf" file.

client Wireless_Controller {
                ipaddr = 192.168.1.13
                secret = celaldogan
}

 

Step-4: Change "default_eap_type" to "peap". Some legacy clients may not support TLS version 1.2, so make the changes as you need. I commented out (disabled) some settings, and modified the TLS min and max values. Open "eap" module and follow below.

root@freeradius:/home/celal# nano /etc/freeradius/3.0/mods-available/eap
eap {
default_eap_type = peap
---
---
---
tls-config tls-common {
	#               disable_tlsv1_1 = yes
	#               disable_tlsv1 = yes
 
	tls_min_version = "1.0"
                tls_max_version = "1.2"
				}
 }

Step-5: Open "mschap" module and configure it as below. FreeRADIUS will use an external program called "ntlm_auth" to authenticate the users.

nano /etc/freeradius/3.0/mods-available/mschap
mschap {

use_mppe = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

Step-6: Add "freerad" user to "winbindd_priv" group which will be able to reach "winbind" program.

root@freeradius:/home/celal#  usermod -a -G winbindd_priv freerad
root@freeradius:/home/celal#  chown root:winbindd_priv /var/lib/samba/winbindd_privileged/

 

Testing PEAP-MschapV2 with an Android device

I will connect my Service Set Identifier (SSID) using an Android device. During the authentication, I captured RADIUS packets between the wireless controller and FreeRADIUS. Because of most of packets are encrypted with TLS, I will omit them. Here is below the "Access-Request" packet.

 

As you see in the screenshot above, the wireless controller sends "Aruba-Device-Type" vendor specific attribute with value of "Android". After authentication, this attribute will be used in the policy to decide to which vlan a user will be assigned. Following shows the last RADIUS packet (Access-Accept).

 

The FreeRADIUS server insert vlan information (in this case vlan 100), Wi-Fi Protected Access (WPA) encryption and decryption keys into the "Access-Accept" packet. The wireless controller receives the packet and apply the policy accordingly, then it conveys the encryption and decryption keys to the Access Point (AP).

 

Final thoughts

FreeRADIUS can be integrated into many systems. Active Directory is just one of them. With a simple configuration, you can have a RADIUS integrated into Active Directory.