Configuring Authentication against Active Directory
Once the PAP authentication test has succeeded, the next step for sites using Active Directory is to configure the server to authenticate users against Active Directory. Active Directory does not expose clear-text passwords (or the NT hashes derived from them) over LDAP, so FreeRADIUS cannot read them; instead it has to use Samba and the ntlm_auth helper program, which hand the credentials to a domain controller for verification. In this configuration, Active Directory is used as an authentication oracle, not as an LDAP database.
Once Samba has been installed on your system, edit the smb.conf file and configure the [global] section to point at your Active Directory domain: the short (NetBIOS) domain name goes in workgroup, the Kerberos realm in realm, and, optionally, the hostname of a domain controller in password server.

        workgroup = MYDOMAIN
        ...
        # Security mode. For Active Directory use "ads", so that Samba joins
        # the domain and authenticates against the domain controllers with
        # Kerberos, rather than acting as a stand-alone server.
        security = ads
        # password server is optional with security = ads: Samba locates the
        # domain controllers through DNS. Set it only if you need to pin a
        # particular domain controller.
        password server = nt-server-hostname.company.com
        ...
        # The Kerberos realm, conventionally the DNS domain name in upper case.
        # Realm names are case-sensitive and must match /etc/krb5.conf.
        realm = REALM.COMPANY.COM
You will also have to edit the /etc/krb5.conf file, adding an entry in the [realms] section that points to the Active Directory server (the domain controller is the KDC). The realm name must match the one in smb.conf, including case:

        ...
        [realms]
                REALM.COMPANY.COM = {
                        kdc = nt-server-hostname.company.com
                }
        ...
Start the Samba daemons (winbindd is the one ntlm_auth talks to; there is no local Kerberos server to start, since the domain controller is the KDC and the krb5.conf entry only configures the client library), and as root join the machine to the domain. Enter the domain administrator password at the prompt.
Next, verify that a user in the domain can be authenticated through winbind. You should see a number of lines of text, ending with authentication succeeded. The next step is to try the same login with the ntlm_auth program, which is what FreeRADIUS will be using.
If all goes well, you should see authentication succeed (NT_STATUS_OK). You should also see an NT_KEY line; the NT key is what FreeRADIUS needs in order to perform MS-CHAP authentication. Note that both checks put the password on the command line, where other users of the machine can read it with ps, so use a throwaway test account rather than a privileged one.
Configuring FreeRADIUS to use ntlm_auth
Once you have verified that Samba is installed and working correctly, and that the ntlm_auth program works, you can proceed with configuring FreeRADIUS to use ntlm_auth. For initial testing, we will be using the exec module, and will run the exact command line used above. In the radiusd.conf file, add the following text to the modules section:

        exec ntlm_auth {
                # Wait for ntlm_auth to exit: its exit status is what decides
                # accept or reject. With wait = no the exec module does not
                # check the result and returns "ok", so every request would
                # be accepted.
                wait = yes
                program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
        }

This configuration tells the server to run the ntlm_auth program with the user name and password taken from the Access-Request. The %{mschap:User-Name} expansion strips any DOMAIN\ prefix from the User-Name, and %{User-Password} is the clear-text password, which is only present in PAP requests; that is why this exec-based configuration is a test step and not the final MS-CHAP configuration.
You will also have to list ntlm_auth in the authenticate section of the radiusd.conf file, which makes ntlm_auth available as an Auth-Type:

        authenticate {
                ...
                ntlm_auth
                ...
        }
and, for testing purposes only, add an entry to the top of the users file that sets Auth-Type to ntlm_auth for every user. This forces all requests through the exec module, so it has to be removed again once the test has passed.
Start the server using radiusd -X, and wait for the debugging output to stop scrolling by. If all goes well, the last line reports that the server is ready to process requests.
In another terminal window on the same machine, send a PAP test request with radtest, using the test user's credentials and the shared secret configured for the localhost client.
If all goes well, the server returns an Access-Accept message, and the radtest window prints the received Access-Accept packet.
This means that authentication succeeded. A few lines above this text, the debug output also shows the exact command line used to run ntlm_auth, including the expanded clear-text password, which is one more reason to test with a throwaway account.
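The exec-module smoke test as an added example for this page (not from the FreeRADIUS documentation): the users-file testing entry the text refers to, and a wrapper around radtest that treats anything other than an Access-Accept as failure. It assumes the stock clients.conf entry for localhost with the shared secret testing123, and that the test account's PAP credentials are known; the radtest output lines in the comments are constructed.

```sh
#!/bin/sh
# Added example for this page, not FreeRADIUS's own code. Assumes the stock
# localhost client in clients.conf (secret "testing123").

# The testing-only users entry: a DEFAULT entry that forces Auth-Type to
# ntlm_auth for every request, so everything goes through the exec module.
# Prepend it to the users file for the test and delete it afterwards.
users_test_entry() {
    printf 'DEFAULT\tAuth-Type := ntlm_auth\n'
}

# Classify a captured radtest reply as accept, reject or none (no answer).
# Works for both the older "rad_recv: Access-Accept packet from host ..."
# and the newer "Received Access-Accept Id ..." output formats.
radius_reply_kind() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Access-Accept'; then
        echo accept
    elif printf '%s\n' "$out" | grep -q 'Access-Reject'; then
        echo reject
    else
        echo none
    fi
}

# Send one PAP Access-Request to the local radiusd -X and succeed only on
# Access-Accept. radtest arguments: user password server nas-port secret.
test_pap_login() {
    user="$1"; pass="$2"; secret="${3:-testing123}"
    out=$(radtest "$user" "$pass" localhost 0 "$secret" 2>&1)
    printf '%s\n' "$out"
    [ "$(radius_reply_kind "$out")" = accept ]
}
```

In the raddb directory, prepend the entry with users_test_entry | cat - users > users.new and move users.new over users; then, with radiusd -X running, call test_pap_login with the test account's user name and password. A "reject" or "none" classification points at the exec module or the network path, and the radiusd -X output shows which.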
Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Once you have the previous steps working, configuring FreeRADIUS to use ntlm_auth for MS-CHAP is simple. First, delete the testing entry used above from the users file; leaving it in forces every request to Auth-Type ntlm_auth and so breaks other authentication types, MS-CHAP included. Then find the mschap entry in the modules section of the radiusd.conf file, and look for the line containing ntlm_auth = . It is commented out by default, and should be uncommented and edited so that ntlm_auth is given the MS-CHAP challenge and the client's NT-Response (there is no clear-text password in an MS-CHAP request) and is asked for the NT key. As before, update the domain name and the path to ntlm_auth to match your local configuration.
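An added example of the edited ntlm_auth line (this is not text from the original page; it follows the shape of the ntlm_auth line shipped commented out in FreeRADIUS's default mschap module configuration, with MYDOMAIN and /path/to/ntlm_auth as placeholders you replace). Unlike the exec test, no password is passed: the MS-CHAP challenge and the client's NT-Response go to ntlm_auth, which asks the domain controller to verify them, and --request-nt-key returns the NT key that FreeRADIUS needs to build the MS-CHAPv2 authenticator response and the MPPE keys.

```text
mschap {
        ...
        # Added example: verify MS-CHAP responses through ntlm_auth.
        # %{mschap:User-Name} is the user part of the MS-CHAP User-Name and
        # %{mschap:NT-Domain} the DOMAIN\ prefix if the client sent one
        # (MYDOMAIN otherwise). Replace /path/to/ntlm_auth and MYDOMAIN.
        ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

The :-00 and :-None defaults keep the command line well-formed when an attribute is absent, so ntlm_auth fails cleanly instead of the module running a truncated command.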
Start the server and use a test client to send an MS-CHAP authentication request. Older versions of radclient cannot generate MS-CHAP requests, which makes testing a little difficult; recent versions of radtest can, via the -t mschap option. If everything goes well, you should see the server returning an Access-Accept message, as above, and the debug output should show ntlm_auth returning NT_STATUS_OK and an NT_KEY line rather than a password being passed.
