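#!/usr/bin/env bash
# Runbook: make FreeRADIUS on HOSTNAME a Kerberos service of the FreeIPA realm,
# give it a keytab for SASL/GSSAPI binds to the IPA LDAP server, and issue its
# EAP TLS certificate from the IPA CA.
#
# Replace the placeholders HOSTNAME, 'LDAP HOSTNAME', 'YOUR REALM' and the base
# DN (dc=example,dc=org) before use. Steps are meant to be pasted one at a time
# as root on HOSTNAME (the `radiusd -X` step is interactive), so no `set -e`.
#
# Assumes HOSTNAME is already enrolled in the IPA realm.
# In FreeIPA 4.6+ the host principal may create its own services, so the host
# keytab obtained with `kinit -k` is sufficient — no admin credentials needed.
kinit -k
ipa service-add 'radius/HOSTNAME'

# Fetch a keytab for the radius service. ipa-getkeytab generates a new key by
# default, which invalidates any keytab previously issued for this principal.
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
# radiusd drops privileges to the radiusd user, so the keytab must be readable
# by that group; 640 keeps it from everyone else. A keytab is a long-lived
# credential — treat it like a private key.
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab

# Smoke-test the daemon with the new keytab. -X runs radiusd in the foreground
# in debug mode; stop it with Ctrl-C once the ldap module reports a successful
# bind. Do not leave a production server running in this mode.
KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X

# Make the systemd unit use the keytab for SASL GSSAPI. The leading '-' on the
# Exec*= lines tells systemd to ignore a failing kdestroy (e.g. no cache yet).
# Quoted delimiter: nothing in the drop-in should be shell-expanded.
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf <<'EOF'
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload

# Edit /etc/raddb/mods-enabled/ldap so the ldap module binds with GSSAPI and
# copies the user's NT hash into control:NT-Password (needed for MSCHAP):
#   ldap {
#     server  = 'LDAP HOSTNAME'
#     base_dn = 'cn=accounts,dc=example,dc=org'
#     sasl {
#       mech  = 'GSSAPI'
#       realm = 'YOUR REALM'
#     }
#     update {
#       control:NT-Password := 'ipaNTHash'
#     }
#   }
# ipaNTHash is only returned if the radius/HOSTNAME identity is permitted to
# read it on the IPA side — confirm that permission is granted, otherwise the
# attribute is simply absent and no password is available to the module.

# Request the EAP server certificate from the IPA CA via certmonger instead of
# the self-signed test certificates FreeRADIUS ships with.
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# numbits is a positional argument and must come last; older OpenSSL
# tolerated `dhparam 2048 -out ...`, OpenSSL 3 does not.
openssl dhparam -out /etc/raddb/certs/dh 2048
# -w: wait for issuance; -T: IPA certificate profile; -C: command certmonger
# runs after every (re)issue so radiusd picks up the renewed certificate;
# -N/-D: subject and DNS SAN; -K: Kerberos principal bound to the cert.
ipa-getcert request -w \
  -k /etc/pki/tls/private/radius.key \
  -f /etc/pki/tls/certs/radius.pem \
  -T caIPAserviceCert \
  -C 'systemctl restart radiusd.service' \
  -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME

# Edit /etc/raddb/mods-enabled/eap and point the shared TLS config at the
# IPA-issued key and certificate, trusting the IPA CA for client certs:
#   tls-config tls-common {
#     private_key_file = /etc/pki/tls/private/radius.key
#     certificate_file = /etc/pki/tls/certs/radius.pem
#     ca_file          = /etc/ipa/ca.crt
#   }

# Make the files readable for radiusd: the certificate is public, the private
# key is group-readable only (same owner/mode pattern as the keytab above).
chmod 644 /etc/pki/tls/certs/radius.pem
chown root:radiusd /etc/pki/tls/private/radius.key
chmod 640 /etc/pki/tls/private/radius.key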
Hmm. Apparently not. userPassword is not an allowed attribute.
Just adding a note for myself. The Radius server still can't see the user passwords. Don't we need the following?