Setting up FreeRadius with Samba
This is the third post in my series about setting up Samba AD and FreeRADIUS on Debian.
Previous step: Setting up Samba AD DC on Debian
Getting Started
Step 1: Install Freeradius
To install FreeRADIUS and the tools needed below, run the following. The ntlm_auth helper used in Step 4 is shipped by the winbind package, so make sure that is installed alongside Samba:
sudo apt update
sudo apt install freeradius openssl -y
Step 2: Setup certificates
Start by creating a self-signed certificate for the RADIUS server (-noenc is the OpenSSL 3 spelling of -nodes). With no CA behind it, every supplicant has to have this certificate installed as trusted; validating the server certificate is what keeps a rogue access point from collecting the MS-CHAPv2 exchange inside PEAP:
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -sha256 -days 730 -noenc -out server.crt -keyout server.key -subj '/C=US/ST=Colorado/L=Colorado Springs/O=UCCS/CN=Radius test server' -addext extendedKeyUsage=1.3.6.1.5.5.7.3.1 -addext "subjectAltName=DNS:debiandc.uccslab.lan"
Check the certificate details (the subjectAltName should be the name the supplicants are configured to expect, and the extendedKeyUsage must contain serverAuth, which is the OID 1.3.6.1.5.5.7.3.1 given above), then copy the key and certificate into the FreeRADIUS certs directory:
openssl x509 -in server.crt -noout -text
sudo cp server.* /etc/freeradius/3.0/certs
The default eap module (mods-available/eap) refers to ${certdir}/server.pem for both certificate_file and private_key_file, so point those two settings at server.crt and server.key, and make the key readable by the freerad group only (mode 640, owner root, group freerad) so the daemon can open it and nobody else can.
Step 3: Allow MS-CHAPv2 in Samba
Edit smb.conf and add the following under [global]. Samba's default, ntlm auth = ntlmv2-only, refuses the NTLMv1-style response that MS-CHAPv2 produces; this value keeps NTLMv1 blocked but accepts MS-CHAPv2 when ntlm_auth asks for it with --allow-mschapv2 (Step 4):
nano /etc/samba/smb.conf
...
[global]
...
ntlm auth = mschapv2-and-ntlmv2-only
Then restart samba-ad-dc. The setting is enforced by the DC that checks the password, so if FreeRADIUS runs on a domain member rather than on the DC, the line still goes into the DC's smb.conf (winbind on the member forwards the MS-CHAPv2 check to the DC).
sudo systemctl restart samba-ad-dc
Step 4: Configure FreeRadius
First, edit the mschap module so that MS-CHAPv2 responses are verified by Samba's ntlm_auth instead of a locally known password. The eap module's peap and mschapv2 sections call this same module for the inner authentication, so nothing in the eap configuration needs to change for this:
sudo nano /etc/freeradius/3.0/mods-available/mschap
...
mschap {
...
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
The %{mschap:...} expansions hand ntlm_auth the 8-byte challenge and the 24-byte NT-Response exactly as FreeRADIUS derived them from the request, and --allow-mschapv2 marks the check as MS-CHAPv2 so that the Step 3 setting lets it through. If the domain to check against is not this host's workgroup, also pass a --domain= argument, usually the mschap:NT-Domain expansion with your NetBIOS domain as the fallback. --request-nt-key asks winbind for the NT session key, which FreeRADIUS turns into the MS-MPPE keys for the session, and winbind only returns it over its privileged pipe, so next give the freerad user access to that pipe:
sudo usermod -a -G winbindd_priv freerad
sudo chown root:winbindd_priv /var/lib/samba/winbindd_privileged
Finally, restart freeradius
sudo systemctl restart freeradius
Step 5: Testing
To test, create a test user. I'm using the username testuser and the password asdfghjkl11. (the trailing dot is part of the password; Samba's default complexity policy wants three character classes, and the dot supplies the third). samba-tool prompts for the password:
sudo samba-tool user add testuser
Next, test RADIUS with radtest. Port 18120 is the inner-tunnel virtual server's test listener on 127.0.0.1, which is where the inner MS-CHAPv2 of a PEAP login ends up, and testing123 is the secret of the default localhost client in clients.conf (change it once testing is finished). A working setup answers with Access-Accept. On Access-Reject, stop the service and run the daemon in debug mode (-X) to see the ntlm_auth command it executed and what ntlm_auth printed; no reply at all means the request came from an address with no client entry, which the server drops silently:
radtest -t mschap testuser asdfghjkl11. localhost:18120 0 testing123
Once testing is done, disable the test user:
sudo samba-tool user disable testuser
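As an added example (not code from the original post), here is a shell script that walks the FreeRADIUS -> ntlm_auth -> winbind -> Samba AD chain in the order a request travels, so that a failing radtest can be pinned to the step that broke. It assumes the Debian paths used above, the default testing123 localhost secret and the test user just created; the optional NetBIOS domain argument is this script's own addition.

```sh
#!/bin/sh
# Added example, not code from the original post: check each link of the
# FreeRADIUS -> ntlm_auth -> winbind -> Samba AD chain in the order a request
# travels, so a failing radtest can be pinned to the right step. Assumes the
# Debian paths from the post, the default localhost client secret
# "testing123", and a test user created with samba-tool; the domain
# argument (NetBIOS name) is optional and is this script's own addition.
set -u

PRIV_DIR=/var/lib/samba/winbindd_privileged
RADIUS_USER=freerad

# Classify a radtest transcript: "accept", "reject" or "none". No reply at
# all usually means the request came from an address with no client entry,
# which FreeRADIUS drops silently.
classify_reply() {
    case "$1" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo none ;;
    esac
}

# True if user $1 is in group $2 (what the Step 4 usermod should give freerad).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# True if the privileged pipe directory is root:winbindd_priv and not
# world-accessible; ntlm_auth --request-nt-key needs to open the socket in it.
privdir_ok() {
    perms=$(stat -c '%U:%G:%a' "$1" 2>/dev/null) || return 1
    case "$perms" in
        root:winbindd_priv:750|root:winbindd_priv:770) return 0 ;;
        *) return 1 ;;
    esac
}

check_chain() {
    user=$1 pass=$2 dom=${3:-}
    in_group "$RADIUS_USER" winbindd_priv \
        || echo "FAIL: $RADIUS_USER is not in winbindd_priv (Step 4 usermod)"
    privdir_ok "$PRIV_DIR" \
        || echo "FAIL: $PRIV_DIR is not root:winbindd_priv 0750 (Step 4 chown)"

    # 1. winbind and the account, as the same Unix user FreeRADIUS runs as.
    #    Success prints "NT_STATUS_OK: Success (0x0)". A failure here is a
    #    Samba problem (Step 3 or the password), not a FreeRADIUS one.
    if [ -n "$dom" ]; then set -- --domain="$dom"; else set --; fi
    if sudo -u "$RADIUS_USER" /usr/bin/ntlm_auth --request-nt-key "$@" \
            --username="$user" --password="$pass"; then
        echo "ok: ntlm_auth as $RADIUS_USER"
    else
        echo "FAIL: ntlm_auth as $RADIUS_USER"
    fi

    # 2. The inner-tunnel listener (where PEAP/EAP-MSCHAPv2 ends up) and
    # 3. the default virtual server on 1812, both with MS-CHAP.
    for target in localhost:18120 localhost; do
        out=$(radtest -t mschap "$user" "$pass" "$target" 0 testing123 2>&1)
        echo "radtest $target: $(classify_reply "$out")"
    done
}

# Usage: sh check-chain.sh testuser 'asdfghjkl11.' [NETBIOSDOMAIN]
if [ "$#" -ge 2 ]; then check_chain "$@"; fi
```

Run it before disabling the test user. If the ntlm_auth step passes but the radtest on 18120 is rejected, the problem is inside FreeRADIUS: stop the service and run the daemon with -X to see the exact ntlm_auth command line it built from the mschap module and what ntlm_auth printed back.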
Step 6: Adding a client (such as a network switch)
To let a NAS (a switch, access point or controller) talk to the server, add a block like the following to clients.conf:
sudo nano /etc/freeradius/3.0/clients.conf
...
client router {
ipaddr = <IP address, hostname or CIDR range>
secret = <shared_secret>
require_message_authenticator = yes
}
“router” is the name of the client in the configuration; it can be anything without whitespace and is what appears in the logs.
“ipaddr” is the address the client may send from: one IP, a hostname or a CIDR range. Requests from any other address are dropped without a reply, so a wrong entry looks like a timeout on the device.
“secret” is the shared secret that the server and the device both hold. It authenticates the device, keys the Message-Authenticator HMAC and hides PAP passwords, so it has to be long and random. To generate one:
openssl rand -base64 30
“require_message_authenticator = yes” rejects any Access-Request from this client that lacks a Message-Authenticator attribute (an HMAC-MD5 over the packet keyed by the secret). That stops requests forged or altered by someone who only knows the device's address, and is the client-side half of the mitigation for the 2024 Blast-RADIUS attack. Confirm that the device sends the attribute for every request type you use (it is mandatory for EAP, but not every device includes it for PAP), or its logins will be rejected.
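As an added example (not code from the original post), this script turns Step 6 into a repeatable procedure: it generates the secret, refuses client names containing whitespace and secrets that are short or contain characters that would break the quoted value, appends the stanza, and checks that the configuration still parses before restarting. The paths are the Debian ones used above; the minimum secret length, the quoted secret form and the config check with freeradius -C are this script's own choices.

```sh
#!/bin/sh
# Added example, not code from the original post: add a RADIUS client to
# clients.conf with a generated secret and basic input checks. Assumes the
# Debian path from the post; the secret policy is this script's own choice.
set -u

CLIENTS_CONF=/etc/freeradius/3.0/clients.conf
MIN_SECRET_LEN=20

# 30 random bytes, base64-encoded: 40 characters from a CSPRNG.
gen_secret() { openssl rand -base64 30; }

# A clients.conf section name is a bare word: empty or whitespace is out.
valid_client_name() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The shared secret keys the Response Authenticator and Message-Authenticator
# and hides PAP passwords; a short one can be brute-forced offline from a
# single captured exchange. Also refuse whitespace, quotes and backslashes,
# which would break the quoted value written below.
valid_secret() {
    [ "${#1}" -ge "$MIN_SECRET_LEN" ] || return 1
    case "$1" in
        *[[:space:]]*|*'"'*|*'\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the stanza for clients.conf; exit non-zero and print nothing if
# either input is rejected.
client_block() {
    name=$1 ipaddr=$2 secret=$3
    valid_client_name "$name" || { echo "invalid client name: '$name'" >&2; return 1; }
    valid_secret "$secret" || { echo "secret rejected (>= $MIN_SECRET_LEN chars, no spaces/quotes)" >&2; return 1; }
    printf 'client %s {\n' "$name"
    printf '\tipaddr = %s\n' "$ipaddr"
    printf '\tsecret = "%s"\n' "$secret"
    printf '\trequire_message_authenticator = yes\n'
    printf '}\n'
}

# Append the stanza, check that the whole configuration still parses
# (freeradius -C exits non-zero on a parse error), then restart.
add_client() {
    secret=$(gen_secret) || return 1
    block=$(client_block "$1" "$2" "$secret") || return 1
    printf '%s\n' "$block" | sudo tee -a "$CLIENTS_CONF" >/dev/null
    if ! sudo freeradius -C; then
        echo "configuration check failed; fix $CLIENTS_CONF before restarting" >&2
        return 1
    fi
    sudo systemctl restart freeradius
    echo "client $1 added; configure the device with this secret:"
    echo "$secret"
}

# Usage: sh add-client.sh <name> <ip|hostname|cidr>
if [ "$#" -eq 2 ]; then add_client "$1" "$2"; fi
```

The secret is printed once so it can be pasted into the device; it is not logged anywhere else. After the device is configured, repeat the radtest from Step 5 from the device's own address (radtest against the server's real IP with the new secret) rather than from localhost, since the localhost client entry never exercises the new stanza.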