Debian/Ubuntu
tar zxf freeradius-server-2.X.Y.tar.gz
cd freeradius-server-2.X.Y
fakeroot dpkg-buildpackage -b -uc
dpkg -i ../*freeradius*_2.X.Y-*_*.deb
add-apt-repository ppa:freeradius/stable-3.0
or
deb http://ppa.launchpad.net/freeradius/stable-3.0/ubuntu UBUNTU_VERSION_HERE main
deb-src http://ppa.launchpad.net/freeradius/stable-3.0/ubuntu UBUNTU_VERSION_HERE main
apt-get install dpkg-dev
apt-get build-dep freeradius
Dependencies
For OpenCSW, install GCC:
pkg-util -i -y gcc4-core
FreeRadius on Solaris
./configure
make
make install
export PATH='/usr/sbin:/usr/bin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/ccs/bin:/opt/SUNWspro/bin'
export CFLAGS='-I/usr/local/openldap/include/ -I/usr/local/mysql/include/mysql/ -I/opt/csw/include/'
export LDFLAGS='-L/usr/local/openldap/lib/ -R/usr/local/openldap/lib -L/usr/local/mysql/lib -R/usr/local/mysql/lib -L/opt/csw/lib -R/opt/csw/lib'
export LD_OPTIONS='-L/usr/local/openldap/lib/ -R/usr/local/openldap/lib -L/usr/local/mysql/lib -R/usr/local/mysql/lib -L/opt/csw/lib -R/opt/csw/lib'
./configure --prefix=/usr/local/freeradius-1.1.2-mysql-ldap --with-ldap --with-mysql-dir=/usr/local/mysql-5.0.21
gmake
gmake install
vim /usr/local/lib/gcc-lib/sparc-sun-solaris2.10/3.3.2/install-tools/mkheaders.conf
SHELL=/bin/sh
SYSTEM_HEADER_DIR="/usr/include"
OTHER_FIXINCLUDES_DIRS=""
FIXPROTO_DEFINES=""
STMP_FIXPROTO="stmp-fixproto"
STMP_FIXINC="stmp-fixinc"
Rebuild the headers.
./mkheaders
On mac
curl -LO http://www.samba.org/ftp/talloc/talloc-2.1.0.tar.gz
tar zxvf talloc-2.1.0.tar.gz
cd talloc-2.1.0
./configure --without-gettext
make
make install
cd ../
curl -LO ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.0.tar.gz
tar zxvf freeradius-server-3.0.0.tar.gz
cd freeradius-server-3.0.0
./configure --enable-developer
make
make install
Centos
yum install freeradius
yum upgrade freeradius
yum install freeradius-mysql
yum --enablerepo=updates-testing update freeradius
yum info freeradius\*
rpm -qa freeradius\*
rpm -qf /usr/lib/freeradius/rlm_sql_mysql.so
yum whatprovides /usr/lib/freeradius/rlm_sql_mysql\*.so
service radiusd start
chkconfig radiusd on
chkconfig --list radiusd
chkconfig radiusd off
rpm -ql freeradius-mysql
rpm -qlp /usr/src/redhat/RPMS/i386/freeradius-mysql-2.1.1-7.fc10.i386.rpm
rpm -qf /usr/lib/freeradius/rlm_sql_mysql-2.1.1.so
yum install rpm-build
yum install yum-utils
yum install freeradius freeradius-libs freeradius-utils freeradius-ldap freeradius-python freeradius-mysql
For manual installation of dependency packages:
rpm -Uhv /usr/src/redhat/RPMS/pkgName.x86_64.rpm
For CentOS 6, run the following as root:
cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/home:freeradius:3.0.x:centos/CentOS_CentOS-6/home:freeradius:3.0.x:centos.repo
yum install freeradius
vim smb.conf
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
# the name of your domain
workgroup = XYZDOM
# Security mode. Most people will want user level
# security. See security_level.txt for details.
security = ads
======== Share Definitions ========
...
winbind use default domain = no
# your AD server
password server = XYZSRV.XYZ-COMPANY.COM
# your realm
realm = XYZ-COMPANY.COM
[homes]
comment = Home Directories
browseable = no
writable = yes
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
XYZ-COMPANY.COM = {
kdc = XYZSRV.XYZ-COMPANY.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
vim /etc/nsswitch.conf
# and add winbind at the end of each line shown below
passwd: files winbind
shadow: files winbind
group: files winbind
protocols: files winbind
services: files winbind
netgroup: files winbind
automount: files winbind
reboot
ps -ef | grep nmbd
ps -ef | grep smbd
net join -U Administrator
Administrator is the name of the domain administrator account used for the join. Enter its password when prompted. If everything works, the Linux server has been registered in the Windows domain.
Now verify that the winbindd daemon is running:
ps -ef | grep winbindd
Next, test whether a domain user can authenticate. Note that the password is passed on the command line, so it ends up in the shell history and is visible to other local users in the process list; use a test account for this step:
wbinfo -a user%password
The plaintext-authentication error is normal in this case: the domain controller (Active Directory) holds no cleartext credentials for this user, so only the challenge/response check is expected to succeed, as shown below:
challenge/response password authentication succeeded
Type the following line:
ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>
For example:
ntlm_auth --request-nt-key --domain=XYZDOM --username=example_user
You will be prompted for your password.
The command returns
NT_STATUS_OK : Success (0x0)
if the username and password match those stored in Active Directory.
The radiusd.conf file sets the uid and gid the radiusd process runs as (via the user and group directives, respectively). The ntlm_auth process runs with the same identity. If the filesystem containing the winbindd_privileged directory supports POSIX ACLs, you can safely grant ntlm_auth the necessary permissions in case your distribution's default settings are insufficient. If radiusd runs as the user radiusd, for example, use setfacl as follows:
setfacl -m u:radiusd:rx winbindd_privileged
man setfacl
for more information on POSIX ACLs.
In order to get FreeRADIUS working, the following files must be configured:
clients.conf
mods-available/mschap
mods-available/eap
users
vim clients.conf
client 192.168.2.44 {
secret = 2!34r&dp0t
shortname = 192.168.2.44
nastype = cisco
}
# Shared secret for every client in this network; prefer a distinct, strong secret per client where you can
client 192.168.2.0/24 {
secret = 2!34r&dp0t
shortname = network1
}
mods-available/mschap
with_ntdomain_hack = yes
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
--domain=%{mschap:NT-Domain}
mods-available/eap
default_eap_type = peap
tls-config tls-common {
random_file = /dev/urandom
vim raddb/users
username1 Cleartext-Password := "user-password1", MS-CHAP-Use-NTLM-Auth := 0
username2 Cleartext-Password := "user-password2", MS-CHAP-Use-NTLM-Auth := 0
username3 Cleartext-Password := "user-password3", MS-CHAP-Use-NTLM-Auth := 0
authorize {
...
# Read the 'users' file
files # <--- This one!
...
}
Activate AAA (Authentication, Authorization, Accounting)
enable aaa new-model
Create an authentication method list that uses the RADIUS server group by default.
aaa authentication dot1x default group radius
Enable network authorization so that RADIUS can assign VLANs dynamically.
aaa authorization network default group radius
Configure the RADIUS server parameters. Here we use IP 192.168.2.16 with the default ports 1812 (authentication) and 1813 (accounting):
radius-server host 192.168.2.16 auth-port 1812 acct-port 1813 timeout 3
Configure the maximum number of times a request is retransmitted to the server:
radius server retransmit 3
Configure the shared secret between switch and Radius server.
radius server key <mysharedsecret>
Please use the secret that you have specified in the clients.conf file.
Next, configure each interface (port) to operate in 802.1X mode.
Repeat this procedure for every port that should enforce access control:
configure terminal
(config)#interface FastEthernet1/0/12
(config-if)# switchport mode access
(config-if)# dot1x port-control auto
(config-if)# end
The command `show dot1x` lets you check the 802.1X settings.
Do not forget to save the configuration of your switch.
copy running-config startup-config
vim /usr/local/openssl/ssl/openssl.cnf
# req_extensions = v3_req
# The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = LU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Luxembourg
localityName = Locality Name (eg, city)
localityName_default = Luxembourg-city
0.organizationName = Organization Name (eg, company)
0.organizationName_default = XYZ
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = administrator
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = operations@xyz.com
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
challengePassword_default = whatever
unstructuredName = An optional company name
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca
find / -name CA.all
Move all the files to /etc/raddb/certs/