Setting up Freeradius and Samba AD for WPA2 WiFi Auth

There are several steps to make this work. This is not a pure Samba article, but I think it's good to have it here in my notebook for my reference. Radius is quite a complex system; it took me a while to make things work. Most of this has been possible with the help of Kees Van Vloten and his Freeradius Enterprise WiFi notes. They are presented here in a different fashion.

Steps to follow:

Configure Samba to allow ntlm_auth to use mschapv2 and ntlmv2

This one is pretty straightforward. Add the following line to `/etc/samba/smb.conf` in *all* your DCs:

ntlm auth = mschapv2-and-ntlmv2-only

Save and restart Samba AD DC:

/etc/init.d/samba-ad-dc restart

Install EasyRSA to manage your PKI

EasyRSA is part of the OpenVPN group and allows you to very easily manage a simple (internal only) Public Key Infrastructure. See EasyRSA.

You do not need root privileges to run EasyRSA. This is a very simple collection of programs; it can be run on any machine or server, and it has no dependencies on Samba or Freeradius.

git clone https://github.com/OpenVPN/easy-rsa
cd ~/easy-rsa/easyrsa3
cp vars.example vars

Edit `./vars` file and have:

set_var EASYRSA_REQ_COUNTRY     "ES"
set_var EASYRSA_REQ_PROVINCE    "Madrid"
set_var EASYRSA_REQ_CITY        "Madrid"
set_var EASYRSA_REQ_ORG         "Caponato Enterprises"
set_var EASYRSA_REQ_EMAIL       "capo@caponato.es"
set_var EASYRSA_REQ_OU          "ITS"

In order to have a location for a CDP — Certificate Revocation List Distribution Point — for your internal Certification Authority, edit `./x509-types/COMMON` and:

authorityInfoAccess = caIssuers;URI:http://pki.caponato.es/pki/ca.crt
crlDistributionPoints = URI:http://pki.caponato.es/cdp/crl.pem

You need to set up a basic webserver, create a virtual host (in our example `pki`), and upload those files (`ca.crt` and `crl.pem`) when they are issued. Setting up the webserver is beyond the scope of this article.

See for better and longer explanations.

I named my Radius server `radius-1`:

cd ~/easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req radius-1 nopass
./easyrsa sign-req server radius-1
./easyrsa gen-crl

Upload your CA and CRL to your PKI webserver. Note that the destination directories on your webserver will differ from the ones below.

Note that whenever you revoke a certificate, you must generate a new CRL (Certificate Revocation List) with `./easyrsa gen-crl`, upload it to your PKI webserver again, and rebuild the combined CA / CRL file on the Radius server (created further below), since that combined file is what Freeradius reads.

cd ~/easy-rsa/easyrsa3
rsync ./pki/ca.crt pki:/var/www/html/pki/
rsync ./pki/crl.pem  pki:/var/www/html/cdp/

Copy the newly generated files to your Radius server: the server's private key, the server certificate, the CA certificate, and the CRL:

cd ~/easy-rsa/easyrsa3
rsync -av ./pki/private/radius-1.key radius-1:/etc/ssl/private/
rsync -av ./pki/issued/radius-1.crt radius-1:/etc/ssl/certs/
rsync -av ./pki/ca.crt radius-1:/etc/ssl/certs/ca-caponato.pem
rsync -av ./pki/crl.pem radius-1:/etc/ssl/certs/crl-caponato.pem
# Please note CA and CRL certificates have been renamed for clarity.
# Please note CA cert extension has been changed to pem — equivalent to crt.

Log on to your `radius-1` server and set up permissions for certificates correctly:

chmod 640 /etc/ssl/private/radius-1.key
chgrp ssl-cert /etc/ssl/private/radius-1.key
chmod 644 /etc/ssl/certs/radius-1.crt
chmod 644 /etc/ssl/certs/ca-caponato.pem
chmod 644 /etc/ssl/certs/crl-caponato.pem

Your certificates are all set and ready for Freeradius!

Install and configure Freeradius on a member server

Install Freeradius, and add the `freerad` user to Winbind and SSL groups:

apt-get install freeradius freeradius-common freeradius-utils makepasswd
usermod -a -G winbindd_priv,ssl-cert freerad

Configuration steps:

Create a combined CA and CRL certificate:

cat /etc/ssl/certs/ca-caponato.pem /etc/ssl/certs/crl-caponato.pem > /etc/freeradius/3.0/ca_and_crl.pem
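The copy, chmod and cat steps above are easy to get subtly wrong: a key left world-readable, a file renamed in one place but not the other, or a bundle whose second block is invisible to Freeradius because the first file lacked a trailing newline. The following Python script is an added example, not part of this notebook; it checks the file modes the steps set and splits the combined `ca_and_crl.pem` into its PEM blocks. The `/etc/ssl` paths and the `ssl-cert` group are the article's; the sample tree and PEM bodies it builds are constructed placeholders, not real key material.

```python
"""Sanity checks for the certificate files copied to radius-1.

Added example, not part of the notebook: verifies the file modes the
article sets and that the combined ca_and_crl.pem really contains both a
CERTIFICATE and an X509 CRL block. Paths are the article's; PEM bodies and
the sample tree below are constructed placeholders.
"""
import grp
import os
import re
import stat
import tempfile

# Files the article rsyncs to radius-1 (relative to /etc/ssl) and the mode
# it gives each. Only the key is group-restricted: 0640, group ssl-cert,
# which is why freerad is added to ssl-cert later in the article.
EXPECTED = {
    "private/radius-1.key":   0o640,
    "certs/radius-1.crt":     0o644,
    "certs/ca-caponato.pem":  0o644,
    "certs/crl-caponato.pem": 0o644,
}
KEY_FILE = "private/radius-1.key"

# One PEM block: BEGIN and END labels must match and BEGIN must start a line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----",
    re.MULTILINE | re.DOTALL,
)

# Constructed placeholder bodies (not real certificates); only the markers
# matter to check_bundle.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedCA\n-----END CERTIFICATE-----\n"
CRL_PEM = "-----BEGIN X509 CRL-----\nMIIBconstructedCRL\n-----END X509 CRL-----\n"


def pem_block_types(text):
    """Labels of the PEM blocks found in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Problems with a combined CA+CRL bundle; an empty list means it is usable."""
    problems = []
    types = pem_block_types(text)
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block: CA cert missing from bundle")
    if "X509 CRL" not in types:
        problems.append("no X509 CRL block: CRL missing from bundle")
    # `cat a b` fuses '-----END ...----------BEGIN ...' when a lacks a
    # trailing newline; the second block is then invisible to PEM parsers.
    if re.search(r"-----END [A-Z0-9 ]+-----\S", text):
        problems.append("fused PEM markers: an input file had no trailing newline")
    return problems


def group_name(gid):
    """Group name for gid, or the numeric gid when the system has no entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def current_group():
    """Group that files created by this process get (used when trying the checks)."""
    return group_name(os.getegid())


def check_radius_files(ssl_dir="/etc/ssl", key_group="ssl-cert"):
    """Problems with mode/group of the copied files; an empty list means all good."""
    problems = []
    for rel, want in EXPECTED.items():
        path = os.path.join(ssl_dir, rel)
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            problems.append(f"{path}: mode {mode:o}, expected {want:o}")
        if rel == KEY_FILE and group_name(st.st_gid) != key_group:
            problems.append(f"{path}: group {group_name(st.st_gid)}, expected {key_group}")
    return problems


def build_sample_tree(key_mode=0o640):
    """Constructed stand-in for /etc/ssl on radius-1, for trying the checks offline."""
    root = tempfile.mkdtemp(prefix="radius-ssl-")
    for rel, want in EXPECTED.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(CRL_PEM if rel.startswith("certs/crl") else CA_PEM)
        os.chmod(path, key_mode if rel == KEY_FILE else want)
    return root


if __name__ == "__main__":
    print(check_bundle(CA_PEM + CRL_PEM))               # []
    print(check_bundle(CA_PEM.rstrip("\n") + CRL_PEM))  # two problems reported
    # A key left at 0644 is the mistake the chmod step above guards against.
    print(check_radius_files(build_sample_tree(0o644), key_group=current_group()))
```

On the real server, run `check_radius_files()` with its defaults after the chmod/chgrp step and `check_bundle(open("/etc/freeradius/3.0/ca_and_crl.pem").read())` after the cat step; both must return an empty list before Freeradius is started.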

Add this line to the top of `/etc/freeradius/3.0/users`:

DEFAULT Auth-Type = ntlm_auth

Add this to `/etc/freeradius/3.0/clients.conf`:

# For each access-point add:
client <AP_HOSTNAME> {
    ipaddr = <AP_IPADDRESS>
    netmask = 32
    secret = <AP_SECRET>
    shortname = <AP_HOSTNAME>
}

Or, if you have a subnet with all APs in it — like my setup — you can do:

# For all access-points add:
client unifi-ap {
    ipaddr = 192.168.254.0/24
    secret = radius-24
    shortname = unifi-ap
}

Remove default configurations:

rm /etc/freeradius/3.0/sites-enabled/default
rm /etc/freeradius/3.0/sites-enabled/inner-tunnel

Replace `/etc/freeradius/3.0/proxy.conf` with the following (update your domain name at the end):

proxy server {
    default_fallback = no
}
home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = testing123
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    max_outstanding = 65536
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
    }
}
home_server_pool samba_auth_failover {
    type = fail-over
    home_server = localhost
}
realm mad.caponato.es {
    auth_pool = samba_auth_failover
}
realm LOCAL {
}
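Two things in the clients.conf and proxy.conf fragments above deserve a second look before the server goes live: the single secret shared by a whole /24 of access points, and the stock `testing123` secret on the `localhost` home server (it has to match the `localhost` entry in clients.conf, so change both together). The shared secret authenticates each access point's requests and encrypts the session keys Freeradius hands back to it, so a guessable or widely shared one weakens every Wi-Fi session. The Python linter below is an added example, not part of this notebook or of Freeradius: it parses `client` and `home_server` blocks with a small brace-aware parser and flags default, short, or widely shared secrets. The 16-character minimum is an assumed policy, and the hardened sample config is constructed.

```python
"""Lint FreeRADIUS client and home_server secrets before going live.

Added example, not part of the notebook or of FreeRADIUS. The parser handles
the nested coa { } / limit { } blocks of proxy.conf and ignores comments.
MIN_SECRET_LEN is an assumed policy; SAMPLE_CONF reproduces the article's
fragments and HARDENED_CONF is a constructed corrected version.
"""
import ipaddress

# testing123 is the secret that ships in the stock proxy.conf/clients.conf.
KNOWN_DEFAULT_SECRETS = {"testing123"}
MIN_SECRET_LEN = 16  # assumed policy


def parse_blocks(text):
    """Return [(kind, name, {key: value})] for top-level client/home_server blocks."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                parts = line[:-1].split()
                kind = parts[0] if parts else ""
                name = parts[1] if len(parts) > 1 else ""
                current = (kind, name, {}) if kind in ("client", "home_server") else None
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0 and current:
                blocks.append(current)
                current = None
            continue
        if depth == 1 and current and "=" in line:   # only direct key = value lines
            key, value = (s.strip() for s in line.split("=", 1))
            current[2][key] = value
    return blocks


def lint(text):
    """Findings about weak or over-shared secrets; an empty list means clean."""
    findings = []
    for kind, name, attrs in parse_blocks(text):
        secret = attrs.get("secret")
        if secret is None:
            findings.append(f"{kind} {name}: no secret set")
        else:
            if secret in KNOWN_DEFAULT_SECRETS:
                findings.append(f"{kind} {name}: secret is a FreeRADIUS example default")
            if len(secret) < MIN_SECRET_LEN:
                findings.append(f"{kind} {name}: secret shorter than {MIN_SECRET_LEN} chars")
        if kind == "client" and "ipaddr" in attrs:
            addr = attrs["ipaddr"]
            if "/" not in addr and "netmask" in attrs:   # legacy netmask key
                addr = f"{addr}/{attrs['netmask']}"
            net = ipaddress.ip_network(addr, strict=False)
            if net.num_addresses > 1:
                findings.append(
                    f"{kind} {name}: one secret shared by {net.num_addresses} addresses in {net}")
    return findings


# Constructed sample combining the article's clients.conf and proxy.conf
# fragments, secrets as the article shows them.
SAMPLE_CONF = """\
# For all access-points add:
client unifi-ap {
    ipaddr = 192.168.254.0/24
    secret = radius-24
    shortname = unifi-ap
}
proxy server {
    default_fallback = no
}
home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = testing123
    coa {
        irt = 2
    }
}
"""

# Constructed hardened variant: one client per AP (netmask 32) and 32-character
# random secrets; the localhost secret must be changed in clients.conf too.
HARDENED_CONF = """\
client ap-lobby {
    ipaddr = 192.168.254.11
    netmask = 32
    secret = Fq8sLk2pXw7vNz4cTb9rHm6dJy3gVe1a
    shortname = ap-lobby
}
home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = Uo5nRt8kWz2qPx7cLs4mVb9dHg6jYe3f
}
"""

if __name__ == "__main__":
    import sys
    # Lint the files named on the command line, or the samples when none given.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CONF, HARDENED_CONF]
    for text in texts:
        for finding in lint(text):
            print(finding)
```

Run it as `python3 lint_radius_secrets.py /etc/freeradius/3.0/clients.conf /etc/freeradius/3.0/proxy.conf` (the file name is arbitrary) and expect no output; the article's own fragments produce four findings.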

Enable sites and modules

ln -s /etc/freeradius/3.0/sites-available/samba_default /etc/freeradius/3.0/sites-enabled/samba_default
ln -s /etc/freeradius/3.0/sites-available/samba_inner-tunnel /etc/freeradius/3.0/sites-enabled/samba_inner-tunnel
ln -s /etc/freeradius/3.0/mods-available/eap /etc/freeradius/3.0/mods-enabled/eap
ln -s /etc/freeradius/3.0/mods-available/mschap /etc/freeradius/3.0/mods-enabled/mschap
ln -s /etc/freeradius/3.0/mods-available/ntlm_auth /etc/freeradius/3.0/mods-enabled/ntlm_auth

Enable and start Freeradius:

systemctl enable freeradius
systemctl start freeradius

Preparing for client onboarding to the enterprise network

We are now ready to onboard our first client to the enterprise network. As per the configuration established earlier, the authorized group for network access is identified as `wifi`. Every user who needs access to the enterprise Wi-Fi network, as well as every workstation that requires joining the network, must be a member of the Active Directory group named `wifi`.

To ensure smooth and secure access, it is essential that this group remains up-to-date with the correct membership. Please implement regular audits and updates of this group to ensure that only authorized users and devices are granted access. This will help maintain the security and integrity of the network while minimizing unauthorized access.

If you require every computer to be able to join the network, the easiest way is to add the `Domain Computers` group as a member of the `wifi` group.

Moving forward, please make sure that all new employees or devices requiring network access are promptly added to the `wifi` group, and that any users or devices that no longer need access are removed in a timely manner.

If any automation is in place to manage this group, it should also be reviewed and updated regularly to reflect the most current user and device access needs.


Caponato's Samba notebook.