MacOS Server Replacement #4 – Moving (Free)Radius to FreeIPA

After migrating OpenDirectory (LDAP) to FreeIPA, the next step in my MacOS Server replacement is to migrate the (Free)Radius service as well so that FreeIPA becomes the single authentication source within my network like the MacOS Server has been for years. There are several online guides available describing how to setup FreeRadius on FreeIPA, also on the FreeIPA HowTo list, though as I ended up using fragments of multiple guides to install and configure FreeRadius on FreeIPA with LDAP and MSCHAPv2 support (needed for EAP and other mechanisms) I wrote this post as a single step by step guide.

In my setup I decided to host radius (FreeRadius) on the FreeIPA server. This is not strictly necessary but makes sense in my setup. For load balancing (if needed) I would rather have multiple FreeIPA servers than a separate machine for the radius service. The steps below assume that FreeRadius will be installed on the FreeIPA machine though it is not necessary and most of the steps can also be used to install FreeRadius on a separate host (which does not even have to be integrated with FreeIPA as all that used for the integration is an LDAP connection).

The first thing to do is to install FreeRadius and its LDAP plugin (used to integrate with FreeIPA) by running:

sudo dnf install freeradius freeradius-ldap
cd /etc/raddb/

Integrating FreeRadius with FreeIPA as user store for authentication is straightforward as for FreeIPA this is just another LDAP client. Although it is quite straightforward to setup a host and service account in FreeIPA, giving it a simple password allowing it to do a simple (i.e. non-Kerberos) bind requires a direct change to the LDAP database. As also mentioned in an earlier post the script freeipa-service-password.sh (available from my GitLab repository) can be used to set this up. After downloading the script on you FreeIPA server, make sure you have a valid admin ticket with:

kinit admin

Which will prompt you you for the admin password. Next create a radius service account with:

./freeipa-service-password.sh `hostname -f` radius

The script will output the bind DN and bind password for the service account, which are needed in the next step so store these somewhere safely and/or capture them on your clipboard. Next open up the FreeRadius LDAP module’s configruation with:

sudo vi mods-available/ldap

To configure the LDAP module, a number of settings have to be updated within the ldap { ... } block. Update the following settings to setup the connection parameters (replacing them with your values):

server = 'localhost'
identity = 'krbprincipalname=radius/auth.mydomain.tld@MYDOMAIN.TLD,cn=services,cn=accounts,dc=mydomain,dc=tld'
password = BIND_PASSWORD
base_dn = 'dc=mydomain,dc=tld'

If you would like to support MSCHAPv2 (which you probably do), make sure that in the control { .. } subsection the following is present and not commented out:

update {
        control:Password-With-Header    += 'userPassword'
        control:NT-Password             := 'ipaNTHash'
}

Configure the user and group lookups in the corresponding sections and make sure they contain the following settings:

user {
        base_dn = "cn=users,cn=accounts,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

group {
        base_dn = "cn=groups,cn=accounts,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
}

The other settings can be left commented out or as they are in the example. There is a lot more to configure as FreeRadius and its LDAP plugin are very flexible though I recommend to get the basics working first with this configuration and start tweaking afterwards.

To support MSCHAPv4 authentication, the radius service account needs access to the ‘ipaNTHash’ attribute. This can be configured manually in the FreeIPA web GUI and also with the script freeipa-service-ntlm.sh (available from my GitLab repository – please make sure you got the today’s updated version) by running:

./freeipa-service-ntlm.sh `hostname -f` radius

Which will make sure that a permission and role exist and then grant this role to the radius service user.

Next enable the ldap module by running (still in /etc/raddb):

sudo ln -s ../mods-available/ldap mods-enabled

If you configured MSCHAPv2 and need that for EAP authentication (which is recommended and often needed for WPA2-Enterprise) then also edit mods-available/eap and modify the eap { .. } block to set the default eap type to MSCHAPv2 with:

default_eap_type = mschapv2

The default FreeRadius configuration has LDAP authentication optional though you may want to check to ensure that sites-enabled/default virtual host’s authorize section contains:

authorize {
      -ldap
}

(the – in front of the ldap module’s name makes it optional / non-fatal in case the LDAP module is not configured). Perhaps good to check the other modules enabled to ensure nothing is activated that should not be used to authenticate users though the default configuration is pretty sane.

Before restarting the FreeRadius server to pick up the configuration, copy-over any customizations made to your MacOS Server’s radius configuration (in my setup most were in the users file) to retain the MacOS Server’s functionality (you can do this later as well if you first want to test the authentication). Restart the service with:

sudo service radiusd restart

Next test your setup with radtest using the default client (which is only authorized to connect on localhost):

radtest -t mschap $(read -p user:\  u; echo $u) $(read -sp password: p; echo $p) 127.0.0.1:1812 0 testing123

The above will ask for a userid and password and then invoke the radtest command so that this won’t be in the command history. Please note that while the command is running the password (and userID) will be visible in the process list so be careful!


This post is part of a series on moving functionality removed as of Fall 2018 from MacOS Server:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.