[RADIATOR] Need your help on setting up NTLM for Radiator
Jhonny Freire de Oliveira
joliveira at reitoria.ul.pt
Fri Feb 12 06:42:03 CST 2010
Hi,
Now I see why I should document every configuration I make :-)
Here it goes:
HOWTO: set up Radiator to authenticate against an Active Directory top-level domain and its child domains (using NTLM/MSCHAPv2)
Assuming your AD domain is mydomain.pt (top-level domain), its NetBIOS name is MYDOMAIN, your RADIUS server is radius01.mydomain.pt and your AD servers are mydomain-dc01.mydomain.pt and mydomain-dc02.mydomain.pt:
1- Configure the network and the host name/FQDN properly
2- Install winbind (you don't need to install Samba)
3- Configure Kerberos
Sample:
# cat /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    # locate the realm and its KDCs through the SRV records AD publishes in DNS
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    # realm names are the AD DNS domain in upper case
    MYDOMAIN.PT = {
        kdc = mydomain.pt:88
        admin_server = mydomain.pt:749
        default_domain = MYDOMAIN.PT
    }

[domain_realm]
    # map the DNS domain and all hosts under it to the realm
    .mydomain.pt = MYDOMAIN.PT
    mydomain.pt = MYDOMAIN.PT

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
4- Configure winbind (same file as Samba)
Sample:
# cat /etc/samba/smb.conf
[global]
    workgroup = MYDOMAIN
    netbios name = RADIUS01
    ; ADS: this host is a member of the AD domain and uses Kerberos against the DCs
    security = ADS
    ;password server = *
    password server = mydomain-dc01.mydomain.pt mydomain-dc02.mydomain.pt
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    realm = MYDOMAIN.PT
    ;Optional
    ;;;
    ; keep the domain in user names; needed so that child domains are not all mapped to MYDOMAIN
    winbind use default domain = no
    winbind trusted domains only = no
    ; lets users from trusted (child) domains authenticate through this host
    allow trusted domains = yes
    ; disables client-side NETLOGON secure-channel (schannel) protection; leave at the default unless the DCs require it
    client schannel = no
    ;;;
    log level = 3
    ;log file = /var/log/samba/%m
    ;max log size = 50
5- Join radius01.mydomain.pt to the mydomain.pt AD domain; you can use any user that has enough privileges to join a domain. After joining you should see a new computer in the default Computers container of your AD:
net ads join -U administrator
6- If it works, start winbind (don't forget to activate automatic startup, unless you want to start it yourself every time you boot your system)
7- Test it (note: every time I run these tests after winbind has been running for a while, winbind crashes and I have to restart it :-( ; old version on a very old OS):
# list of trusted domains
wbinfo -m
# list of available groups...
wbinfo -g
...
8- Configure Radiator
# cat /etc/radiator/radius.cfg
#(...)
# Inner (tunnelled) authentication: MSCHAPv2 checked against AD through winbind/ntlm_auth
<AuthBy NTLM>
    Identifier Auth4Tunneled
    # hand ntlm_auth the bare user name (%U) and the realm part (%R) of the User-Name
    UsernameFormat %U
    DomainFormat %R
    EAPType MSCHAP-V2
</AuthBy>

# Inner requests that arrive through a PEAP or TTLS tunnel from the client "wism"
<Handler TunnelledByPEAP=1, Client-Identifier=wism >
    AuthBy Auth4Tunneled
</Handler>
<Handler TunnelledByTTLS=1, Client-Identifier=wism >
    AuthBy Auth4Tunneled
</Handler>

# Outer requests: the regex is anchored only at the end, so mydomain.pt and every child domain match
<Handler Realm = /mydomain\.pt$/i>
    # MaxSessions 2
    <AuthBy NTLM>
        EAPType PEAP, TTLS
        EAPTLS_CAFile /etc/radiator/certs/GS-sureserverEDU.pem
        EAPTLS_CertificateFile /etc/radiator/certs/mycert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certs/mycert.key
        EAPTLS_MaxFragmentSize 1000
        # derive the MS-MPPE keys for the wireless controller from the NT key
        AutoMPPEKeys
        # SSL debug trace; lower this once the setup works
        SSLeayTrace 2
        EAPTLS_PEAPVersion 0
        EAPAnonymous %0
    </AuthBy>
    AcctLogFileName %L/%R-%m-%Y.detail
</Handler>
#(...)
9- Restart Radiator
10- Log in on whatever your RADIUS client is with: myusername at mydomain.pt or myusername at mydomainchild.mydomain.pt, ....
Final notes:
In the Kerberos and winbind configuration there are a few variables that are optional (local machine authentication is also done through Kerberos), some that are redundant and some that were always there, but it works! :-)
Feel free to make a fancy HOWTO and share it with the community :-)
Let me know if you need further assistance.
Regards,
____________________________________________________________________
Jhonny Freire Oliveira
Núcleo de Informática e Comunicações da UL
joliveira at reitoria.ul.pt
Reitoria da UL, Alameda da Universidade
Tel: +351 210170194
Campo Grande - 1649-004 Lisboa, Portugal
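The request flow the posted radius.cfg sets up, as an added example that is not part of this mail or of Radiator's own code: how the Realm handler selects a request, how UsernameFormat %U / DomainFormat %R split the User-Name, and the ntlm-server-1 request that is assumed here to be what AuthBy NTLM hands to ntlm_auth, with the MSCHAPv2 challenge hash checked against the RFC 2759 test vector. Accepting DOMAIN\user as well as user@realm, and the helper-protocol detail, are assumptions of the example.

```python
import hashlib
import re

# Realm handler from the posted radius.cfg: <Handler Realm = /mydomain\.pt$/i>
REALM_HANDLER = re.compile(r"mydomain\.pt$", re.IGNORECASE)


def split_user_name(user_name):
    """Split User-Name into (%U, %R): bare user and realm, as UsernameFormat %U
    and DomainFormat %R do for user@realm. Accepting DOMAIN\\user as well is an
    assumption of this example; the mail only logs in as user@realm."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return user, domain
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    return user_name, ""


def handler_matches(user_name):
    r"""Would <Handler Realm = /mydomain\.pt$/i> select this request? The regex
    is anchored only at the end, so child realms such as
    mydomainchild.mydomain.pt match too, case-insensitively."""
    return bool(REALM_HANDLER.search(split_user_name(user_name)[1]))


def challenge_hash(peer_challenge, auth_challenge, user):
    """RFC 2759 section 8.2 ChallengeHash: SHA1(peer || authenticator || user)[:8].
    'user' must be the bare account name the supplicant hashed, which is the
    point of UsernameFormat %U stripping the realm before ntlm_auth sees it."""
    data = peer_challenge + auth_challenge + user.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_request(user_name, peer_challenge, auth_challenge, nt_response):
    """Compose an ntlm_auth --helper-protocol=ntlm-server-1 request for one
    MSCHAPv2 round (assumed to be the helper protocol AuthBy NTLM drives; the
    mail does not describe Radiator's internals). Binary values are hex-encoded."""
    user, domain = split_user_name(user_name)
    challenge = challenge_hash(peer_challenge, auth_challenge, user)
    return "\n".join([
        f"Username: {user}",
        f"NT-Domain: {domain}",            # DomainFormat %R: realm passed as written
        "Request-User-Session-Key: Yes",   # the session key feeds the MPPE keys (AutoMPPEKeys)
        f"LANMAN-Challenge: {challenge.hex()}",
        f"NT-Response: {nt_response.hex()}",
        ".",                               # a lone dot terminates the request
    ])
```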
-----Original Message-----
From: Kam Ng [mailto:kng at mtroyal.ca]
Sent: Thursday, 11 February 2010 23:03
To: Jhonny Freire de Oliveira
Subject: Need your help on setting up NTLM for Radiator
Hi Jhonny,
Let me introduce myself first. I work as the IT security analyst at a Canadian university, Mount Royal University, located in Calgary, Alberta.
I am working on a project to authenticate wireless users using Radiator.
The decision has been made to use PEAP-MSCHAPv2. Therefore NTLM is needed for Radiator to authenticate users against our Active Directory.
I just started the process and found in the Radiator email thread archive that you have successfully done this.
I just wonder if you could share your experience to shorten my learning cycle. In particular, I would like to know what extra software (Samba, winbind, Kerberos? ...) is needed and how it is configured. We are using Linux to host Radiator.
Thanks in advance and hope to hear from you.
Kam
=========================================
Kam Ng
IT Security Analyst
Information Technology Services
4825 Mount Royal Gate SW
Calgary, Alberta, T3E 6K6
Canada
Phone: 403-440-8682
Email: kng at mtroyal.ca