@keestux
Forked from abbra/FreeRadius + FreeIPA
Last active April 13, 2019 20:12
# Assuming that HOSTNAME is enrolled to the IPA realm already,
# run the following on HOSTNAME, where the RADIUS server will be deployed.
# In FreeIPA 4.6+ the host principal has permission to create its own services.
kinit -k
ipa service-add 'radius/HOSTNAME'
# Create a keytab for the radius service; only root and the radiusd group may read it
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# Test the daemon with the new keytab (foreground debug mode)
KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X
# Make radiusd use the keytab for SASL GSSAPI through a systemd drop-in;
# kdestroy -A discards any cached credentials on start and stop
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload

# Edit /etc/raddb/mods-enabled/ldap and set the following inside the ldap { } section
# (GSSAPI bind with the keytab; ipaNTHash is mapped to NT-Password for MSCHAP):
ldap {
    server = 'LDAP HOSTNAME'
    base_dn = 'cn=accounts,dc=example,dc=org'
    sasl {
        mech = 'GSSAPI'
        realm = 'YOUR REALM'
    }
    update {
        control:NT-Password := 'ipaNTHash'
    }
}

# How to request certificates from the IPA server for RADIUS
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# openssl expects options before the key size
openssl dhparam -out /etc/raddb/certs/dh 2048
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME

# Edit /etc/raddb/mods-enabled/eap and point the tls-common section at the new files:
tls-config tls-common {
    private_key_file = /etc/pki/tls/private/radius.key
    certificate_file = /etc/pki/tls/certs/radius.pem
    ca_file = /etc/ipa/ca.crt
}

# Make the files readable for radiusd (certificate public, key restricted to the radiusd group)
chmod 644 /etc/pki/tls/certs/radius.pem
chown root:radiusd /etc/pki/tls/private/radius.key
chmod 640 /etc/pki/tls/private/radius.key
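A pre-flight check for the steps above, added here as an example and not part of the gist: it verifies that the keytab and TLS key carry the permissions set above, that the keytab actually holds the radius/HOSTNAME principal, that the certificate's SAN matches the host, and that the systemd drop-in exports the keytab path. It assumes the gist's file paths, MIT Kerberos `klist`, GNU `stat` and `openssl`; run it as `sh preflight.sh HOSTNAME` before starting radiusd.

```shell
#!/bin/sh
# Pre-flight check for the FreeRADIUS + FreeIPA setup (added example, not from the gist).
# Every check prints PASS or FAIL; preflight returns non-zero if any check failed.

# check_perms FILE MODE OWNER GROUP -> 0 when FILE exists with exactly that mode/owner/group
check_perms() {
    [ -e "$1" ] || return 1
    [ "$(stat -c '%a %U %G' "$1")" = "$2 $3 $4" ]
}

# check_keytab FILE PRINCIPAL -> 0 when klist can read FILE and it lists PRINCIPAL
check_keytab() {
    klist -kt "$1" 2>/dev/null | grep -qF "$2"
}

# check_cert FILE HOSTNAME -> 0 when the certificate carries DNS:HOSTNAME in its SAN
check_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# report NAME STATUS -> prints PASS/FAIL and records any failure in $fail
report() {
    if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; fail=1; fi
}

# preflight HOSTNAME -> runs all checks against the gist's paths
preflight() {
    host="$1"; fail=0
    check_perms /etc/raddb/radius.keytab 640 root radiusd
    report "keytab is 0640 root:radiusd" $?
    check_keytab /etc/raddb/radius.keytab "radius/$host"
    report "keytab holds radius/$host" $?
    check_perms /etc/pki/tls/private/radius.key 640 root radiusd
    report "TLS private key is 0640 root:radiusd" $?
    check_cert /etc/pki/tls/certs/radius.pem "$host"
    report "certificate SAN matches $host" $?
    grep -qF 'KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab' \
        /etc/systemd/system/radiusd.service.d/krb5_keytab.conf 2>/dev/null
    report "systemd drop-in exports KRB5_CLIENT_KTNAME" $?
    return $fail
}

# Only run when a hostname is given, so the functions can also be sourced
if [ $# -eq 1 ]; then preflight "$1"; fi
```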

keestux commented Apr 13, 2019

Just adding a note for myself. The Radius server still can't see the user passwords. Don't we need the following?

ipa permission-add "FreeRADIUS server can read user passwords" \
   --attrs=userPassword \
   --type=user --right={read,search,compare} --bindtype=permission
ipa privilege-add "FreeRADIUS server privilege"
ipa privilege-add-permission "FreeRADIUS server privilege" \
   --permission="FreeRADIUS server can read user passwords"
ipa role-add "FreeRADIUS server"
ipa role-add-privilege "FreeRADIUS server" --privilege="FreeRADIUS server privilege"
ipa role-add-member "FreeRADIUS server" --services=radius/host2.vm.example.com


keestux commented Apr 13, 2019

Hmm. Apparently not. userPassword is not an allowed attribute.
