[RADIATOR] Need your help on setting up NTLM for Radiator

Jhonny Freire de Oliveira joliveira at reitoria.ul.pt
Fri Feb 12 06:42:03 CST 2010


Now I see why I should document every configuration I make :-)

Here it goes:

HOWTO setup Radiator to authenticate in Active Directory top level domain (using NTLM/MSCHAPv2) and domain childs

Assuming your (AD) domain is mydomain.pt (top level domain), netbios MYDOMAIN, your radius server is radius01.mydomain.pt and your AD servers are mydomain-dc01.mydomain.pt and mydomain-dc02.mydomain.pt

1- Configure network and host/fqdn properly

2- install winbind (you don't need to install samba)

3- configure kerberos
# cat /etc/krb5.conf 
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 ticket_lifetime = 24000
 dns_lookup_realm = true
 dns_lookup_kdc = true

  kdc = mydomain.pt:88
  admin_server = mydomain.pt:749
  default_domain = MYDOMAIN.PT

 .mydomain.pt = MYDOMAIN.PT
  mydomain.pt = MYDOMAIN.PT

 profile = /var/kerberos/krb5kdc/kdc.conf

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

4- Configure winbind (same file as samba)

# cat /etc/samba/smb.conf
workgroup = MYDOMAIN
netbios name = RADIUS01

security = ADS
;password server = *
password server = mydomain-dc01.mydomain.pt mydomain-dc02.mydomain.pt
encrypt passwords = yes

idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes


winbind use default domain = no
winbind trusted domains only = no
allow trusted domains = yes
client schannel = no

log level = 3
;log file = /var/log/samba/%m
;max log size = 50

5- Join radius01.mydomain.pt to mydomain.pt AD domain, you can use any user that has enough privileges to join a domain. After joining you should see a new computer in your AD computer default container

net ads join -U administrator

6- If it works, start winbind (don't forget to activate automatic startup, unless you want to start it by yourself every time you start your system)

7- Teste it (note: everytime I run this tests after having winbind running for a while, winbind crashes, and I have to restart it :-(, old version in a very old OS):

#list of trusted domains
wbinfo -m
#list of available group...
wbinfo -g

8- Configure radiator
# cat /etc/radiator/radius.cfg

<AuthBy NTLM>
        Identifier Auth4Tunneled
        UsernameFormat %U
        DomainFormat %R
        EAPType MSCHAP-V2

<Handler  TunnelledByPEAP=1, Client-Identifier=wism >
        AuthBy Auth4Tunneled

<Handler  TunnelledByTTLS=1, Client-Identifier=wism >
        AuthBy Auth4Tunneled

<Handler Realm = /mydomain\.pt$/i>
#       MaxSessions 2
        <AuthBy NTLM>
                EAPType PEAP, TTLS

                EAPTLS_CAFile /etc/radiator/certs/GS-sureserverEDU.pem
                EAPTLS_CertificateFile /etc/radiator/certs/mycert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certs/mycert.key
                EAPTLS_MaxFragmentSize 1000

                SSLeayTrace 2

                EAPTLS_PEAPVersion 0
                EAPAnonymous %0
        AcctLogFileName %L/%R-%m-%Y.detail

9- Restart radiator

10- Login in whatever your radius client is with: myusername at mydomain.pt or myusername at mydomainchild.mydomain.pt, ....

Final notes:

In Kerberos and winbind configuration there a few variables that are optional (local machine authentication is also done through Kerberos), some that are redundant and some that where always there, but it works! :-)

Feel free to make a fancy HOWTO and share it with the community :-)

Let me know if you need further assistance.

Jhonny Freire Oliveira    Núcleo de Informática e Comunicações da UL
joliveira at reitoria.ul.pt  Reitoria da UL,  Alameda  da  Universidade
Tel: +351 210170194       Campo Grande - 1649-004 Lisboa,   Portugal

-----Original Message-----
From: Kam Ng [mailto:kng at mtroyal.ca] 
Sent: quinta-feira, 11 de Fevereiro de 2010 23:03
To: Jhonny Freire de Oliveira
Subject: Need your help on setting up NTLM for Radiator

Hi Jhonny,

Let me introduce myself first. I worked as the IT security analyst in a Canadian University, Mount Royal University located in Calgary Alberta.

I am working on a project to authenticate wireless user using Radiator.
Decision has been made to use PEAP-MSCHAPv2. Therefore NTLM is needed for Radiator to authenticate the user against our Active Directory.

I just started the process and found in the Radiator email thread archive that you have successfully done this.

I just wonder if you could share your experience to shorten my learning cycle.  In particular, I would like to know what extra software (samba, winbind, kerberos?...) are needed and their configurations. We are using linux to host Radiator.

Thanks in advance and hope to hear from you.


Kam Ng

IT Security Analyst
Information Technology Services

(Embedded image moved to file: pic28489.jpg)

4825 Mount Royal Gate SW
Calgary, Alberta, T3E 6K6
Phone: 403-440-8682
Email: kng at mtroyal.ca


This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact the sender immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed.

More information about the radiator mailing list