(i) Overview
This document describes how to set up a FreeRADIUS server that transparently authenticates Windows client users on the network against Active Directory.
1.1. Principle
FreeRADIUS provides authentication through port-based access control: a user can connect to the network only after the authentication server has validated that user's credentials, and the credentials are verified with the authentication protocols that belong to the 802.1X standard. (Official documentation: "FreeRADIUS offers authentication via port based access control. A user can connect to the network only if its credentials have been validated by the authentication server. User credentials are verified by using special authentication protocols which belong to the 802.1X standard.")
In this setup, the workstation is granted network access only once the FreeRADIUS server has authenticated the user's credentials. Otherwise the switch port stays closed to all network traffic. Even with the port closed, the workstation can still talk to the RADIUS server over the authentication protocol, and the RADIUS server contacts the domain controller to check whether the user exists and the password is correct. If so, the RADIUS server tells the switch to open the port and the user gets access to the network.
1.2. Required environment
- CentOS 7.4
- FreeRADIUS 3.0.17 (https://freeradius.org/releases/)
- Samba 3.0.x
- OpenSSL
- Cisco switch
- Windows 7 SP1
(ii) Installing and configuring the Linux server
1. Turn off the firewall and SELinux
[[email protected] ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source
2. Compile and install FreeRADIUS
[[email protected] ~]# sudo tar xf freeradius-server-3.0.17.tar.gz
[[email protected] ~]# cd freeradius-server-3.0.17
[[email protected] freeradius-server-3.0.17]# sudo yum install libtalloc-devel -y
[[email protected] freeradius-server-3.0.17]# yum install openssl openssl-devel
[[email protected] freeradius-server-3.0.17]# sudo ./configure
[[email protected] freeradius-server-3.0.17]# sudo make && make install
[[email protected] raddb]# cp /usr/local/sbin/rc.radiusd /etc/init.d/radiused
[[email protected] raddb]# /etc/init.d/radiused start
[[email protected] raddb]# ps -ef | grep radiusd
root      5529     1  0 17:04 ?        00:00:00 /usr/local/sbin/radiusd
root      5537 26619  0 17:04 pts/2    00:00:00 grep --color=auto radiusd
[[email protected] raddb]# /etc/init.d/radiused stop
Stopping FreeRADIUS: radiusd.
[[email protected] raddb]# ps -ef | grep radiusd
3. Install Samba
[[email protected] ~]$ sudo yum install samba samba-client samba-winbind krb5-server
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-19.el7 will be installed
Installed:
  krb5-server.x86_64 0:1.15.1-19.el7    samba.x86_64 0:4.7.1-6.el7
  samba-client.x86_64 0:4.7.1-6.el7     samba-winbind.x86_64 0:4.7.1-6.el7
Dependency Installed:
  avahi-libs.x86_64 0:0.6.31-19.el7          cups-libs.x86_64 1:1.6.3-35.el7
  libarchive.x86_64 0:3.1.2-10.el7_2         libevent.x86_64 0:2.0.21-4.el7
  libldb.x86_64 0:1.2.2-1.el7                libsmbclient.x86_64 0:4.7.1-6.el7
  libtalloc.x86_64 0:2.1.10-1.el7            libtdb.x86_64 0:1.3.15-1.el7
  libtevent.x86_64 0:0.9.33-2.el7            libverto-libevent.x86_64 0:0.2.5-4.el7
  libwbclient.x86_64 0:4.7.1-6.el7           pytalloc.x86_64 0:2.1.10-1.el7
  samba-client-libs.x86_64 0:4.7.1-6.el7     samba-common.noarch 0:4.7.1-6.el7
  samba-common-libs.x86_64 0:4.7.1-6.el7     samba-common-tools.x86_64 0:4.7.1-6.el7
  samba-libs.x86_64 0:4.7.1-6.el7            samba-winbind-modules.x86_64 0:4.7.1-6.el7
  words.noarch 0:3.0-22.el7
Dependency Updated:
  dbus.x86_64 1:1.10.24-7.el7        dbus-libs.x86_64 1:1.10.24-7.el7
  krb5-devel.x86_64 0:1.15.1-19.el7  krb5-libs.x86_64 0:1.15.1-19.el7
  libkadm5.x86_64 0:1.15.1-19.el7
Complete!
3. Configure the Samba server and restart the Samba service.
Once the PAP authentication test succeeds, the next step at a site that uses Active Directory is to configure the system to authenticate users against Active Directory. Plaintext passwords are not available through Active Directory, so Samba and the ntlm_auth program must be used. In this configuration Active Directory acts as the authentication oracle, not as an LDAP database. Once Samba is installed, edit smb.conf and configure the [global] section to point at the NT server, including its host name and NT domain. This article only configures the [global] section of the Samba configuration file.
[[email protected] raddb]# vim /etc/samba/smb.conf
[global]
    workgroup = CORP                  # NetBIOS name of the domain
    security = ads                    # Samba working mode: ADS, integrated with the domain through winbind
    winbind use default domain = no
    password server = x.x.x.x         # the authentication server is the domain controller
    realm = CORP.BAIDU.COM            # the AD domain name
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @printadmin root
    force group = @printadmin
    create mask = 0664
    directory mask = 0775
[[email protected] raddb]# systemctl start smb
[[email protected] raddb]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-31 17:16:05 CST; 4s ago
 Main PID: 5587 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           ├─5587 /usr/sbin/smbd --foreground --no-process-group
           ├─5589 /usr/sbin/smbd --foreground --no-process-group
           ├─5590 /usr/sbin/smbd --foreground --no-process-group
           └─5591 /usr/sbin/smbd --foreground --no-process-group
4. Configure /etc/krb5.conf
[[email protected] ~]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CORP.BAIDU.COM      # the domain name
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 CORP.PPDAI.COM = {
  kdc = 10.128.105.170:88            # the domain controller as KDC server, with its port
  admin_server = 10.128.105.170:749  # the domain controller's admin port
  default_domain = corp.baidu.com
 }

[domain_realm]
 .corp.ppdai.com = CORP.BAIDU.COM
 corp.ppdai.com = CORP.BAIDU.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
5. Edit /etc/nsswitch.conf and append winbind to the following lines, leaving everything else unchanged
[[email protected] ~]# cat /etc/nsswitch.conf
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
protocols:  files sss winbind
services:   files sss winbind
netgroup:   files sss winbind
automount:  files sss winbind
6. Join the server to the domain. If the server has not joined the domain, the winbind service will not start and reports an error.
[[email protected] radiusd]# net join -U liqingbiao
Enter liqingbiao's password:
Using short domain name -- CORP
Joined 'FREERADIUS2' to dns domain 'corp.baidu.com'
No DNS domain configured for freeradius2. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
7. Start the Samba and winbind services.
[[email protected] radiusd]# systemctl enable winbind
[[email protected] radiusd]# systemctl enable smb
[[email protected] radiusd]# systemctl start winbind
[[email protected] radiusd]# systemctl start smb
[[email protected] radiusd]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-31 17:26:30 CST; 1min 5s ago
 Main PID: 5651 (winbindd)
   Status: "winbindd: ready to serve connections..."
   CGroup: /system.slice/winbind.service
           ├─5651 /usr/sbin/winbindd --foreground --no-process-group
           └─5653 /usr/sbin/winbindd --foreground --no-process-group
8. Test account authentication through wbinfo: wbinfo -a user%password
[[email protected] appuser]# wbinfo -a it001%123456
plaintext password authentication failed
Could not authenticate user it004%Aa123456 with plaintext password
challenge/response password authentication succeeded   ### succeeded
[[email protected] appuser]# ntlm_auth --request-nt-key --domain=CORP --username=it001   ### NTLM is the authentication method used in a Windows domain environment
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
9. Change the permissions on /var/lib/samba/winbindd_privileged
[[email protected] appuser]# usermod -a -G wbpriv radiusd   ### -a appends wbpriv instead of replacing the existing supplementary groups
[[email protected] appuser]# chown -R root.radiusd /var/lib/samba/winbindd_privileged
(iii) Configuring FreeRADIUS
The FreeRADIUS configuration files involved are:
- clients.conf
- mods-available/mschap
- mods-available/eap
- users
1. Configure the clients.conf file to add the communicating clients (the switches).
[[email protected] ~]# vim /usr/local/etc/raddb/clients.conf
client 172.20.19.0/24 {
    secret    = test
    shortname = CE-SW
}
client 172.20.66.0/24 {
    secret    = [email protected]@123456
    shortname = CE-SW
}
client 172.20.94.0/24 {
    secret    = [email protected]@123456
    shortname = CE-SW
}
2. Configure the mods-available/mschap file: edit /usr/local/etc/raddb/mods-available/mschap
[[email protected] ~]# vim /usr/local/etc/raddb/mods-available/mschap
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-CORP.BAIDU.COM}"
3. Configure the mods-available/eap file: edit /usr/local/etc/raddb/mods-available/eap
[[email protected] ~]# vim /usr/local/etc/raddb/mods-available/eap
    default_eap_type = peap
    random_file = /dev/urandom
4. Configure the /usr/local/etc/raddb/mods-enabled/ntlm_auth file
[[email protected] ~]# vim /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=CORP.PPDAI.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}
5. Edit the /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel files
authenticate {
    ...
    ntlm_auth
    ...
}
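An added verification script (not from the original post, and not part of FreeRADIUS or Samba) that walks the chain built above in the order a request travels, and lints clients.conf for weak shared secrets such as the "secret = test" entry shown earlier. RADDB, DOMAIN, the SECRET used for the localhost client, and the eapol_test tool from wpa_supplicant are assumptions; the default localhost secret "testing123" is FreeRADIUS's stock value.

```shell
# Added example, not code from the original post: checks for the
# FreeRADIUS + Samba/winbind chain this page sets up. RADDB, DOMAIN and the
# localhost client secret are assumptions; adjust them for your site.
RADDB="${RADDB:-/usr/local/etc/raddb}"   # source-install path used on this page
DOMAIN="${DOMAIN:-CORP}"                  # short NT domain name from smb.conf

# lint_clients_conf FILE: flag client blocks whose shared secret is a
# well-known default or shorter than 16 characters. Returns 1 if any are found.
lint_clients_conf() {
    awk '
        /^[ \t]*client[ \t]/ { name = $2; sub(/[ \t]*\{.*/, "", name) }
        /^[ \t]*secret[ \t]*=/ {
            s = $0; sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", s); sub(/[ \t]*#.*/, "", s)
            if (s == "test" || s == "testing123" || length(s) < 16) {
                printf "WEAK secret for client %s (%d chars)\n", name, length(s); bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# eapol_cfg USER PASS: write an eapol_test (wpa_supplicant) profile for the
# PEAP/MSCHAPv2 exchange a Windows 7 supplicant performs; prints the file name.
eapol_cfg() {
    f=$(mktemp)
    cat > "$f" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$1"
    password="$2"
    phase2="auth=MSCHAPV2"
}
EOF
    echo "$f"
}

# preflight USER PASS: the live checks from the page, in the order a request
# travels: winbind up, machine trust valid, NTLM via winbind, raddb parses,
# then a full PEAP/MSCHAPv2 round trip through FreeRADIUS on localhost.
preflight() {
    systemctl is-active --quiet winbind || { echo "winbind is not running"; return 1; }
    wbinfo -t || { echo "trust secret check failed; re-run net join"; return 1; }
    ntlm_auth --request-nt-key --domain="$DOMAIN" --username="$1" --password="$2" ||
        { echo "ntlm_auth failed; check winbindd_privileged permissions"; return 1; }
    radiusd -C -d "$RADDB" || { echo "raddb configuration does not parse"; return 1; }
    lint_clients_conf "$RADDB/clients.conf" || echo "replace weak secrets before go-live"
    eapol_test -c "$(eapol_cfg "$1" "$2")" -a 127.0.0.1 -s "${SECRET:-testing123}" | grep -q SUCCESS
}
case "${1:-}" in preflight) preflight "$2" "$3" ;; esac
```

Run it as `sh check.sh preflight it001 'password'` on the RADIUS server itself; the password is passed on the command line only for this interactive test, so use a test account.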
FreeRADIUS + Cisco switch + Windows AD for 802.1X authentication