freeradius active directory integration howto.htm

802.1x认证的认证服务器freeradius的howto文档

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
<title>FreeRADIUS Active Directory Integration HOWTO - FreeRADIUS Wiki</title>
<meta http-equiv="Content-type" content="text/html; charset=UTF-8" />
<meta name="keywords" content="FreeRADIUS Active Directory Integration HOWTO,802.1X,Cisco,FreeRADIUS,Supplicant,PEAP,Access Point" />
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="search" type="application/opensearchdescription+xml" href="/opensearch_desc.php" title="FreeRADIUS Wiki (English)" />
<link rel='stylesheet' type='text/css' media='print' href='/skins/common/wikiprintable.css' />
<script type= "text/javascript">
			var skin = "cologneblue";
			var stylepath = "/skins";

			var wgArticlePath = "/$1";
			var wgScriptPath = "";
			var wgServer = "http://wiki.freeradius.org";
                        
			var wgCanonicalNamespace = "";
			var wgNamespaceNumber = 0;
			var wgPageName = "FreeRADIUS_Active_Directory_Integration_HOWTO";
			var wgTitle = "FreeRADIUS Active Directory Integration HOWTO";
			var wgArticleId = 1625;
			var wgIsArticle = true;
                        
			var wgUserName = null;
			var wgUserLanguage = "en";
			var wgContentLanguage = "en";
		</script>
		<script type="text/javascript" src="/skins/common/wikibits.js"></script>
<style type='text/css'>
/*/*/ /*<![CDATA[*/
@import "/skins/common/cologneblue.css?2";
@import "/index.php?title=MediaWiki:Common.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
@import "/index.php?title=MediaWiki:Cologneblue.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
a.new, #quickbar a.new { color: #CC2200; }
#quickbar { position: absolute; left: 4px; }
#article { margin-left: 148px; margin-right: 4px; }

/*]]>*/ /* */
</style>
</head>

<body bgcolor='#FFFFFF' onload='' class='ns-0 ltr'>

<div id='content'>
<div id='topbar'><table width='100%' border='0' cellspacing='0' cellpadding='8'><tr><td class='top' align='left' valign='middle' nowrap='nowrap'><a href="/Main_Page"><span id='sitetitle'>FreeRADIUS Wiki</span></a></td><td class='top' align='right' valign='bottom' width='100%'><a href="/Main_Page" title="Main Page">Main Page</a> | <a href="/FreeRADIUS_Wiki:About" title="FreeRADIUS Wiki:About">About</a> | <a href="/Help:Contents" title="Help:Contents">Help</a> | <a href="/FreeRADIUS_Wiki:FAQ" title="FreeRADIUS Wiki:FAQ">FAQ</a> | <a href="/Special:Specialpages" title="Special:Specialpages">Special pages</a> | <a href="/index.php?title=Special:Userlogin&amp;returnto=FreeRADIUS_Active_Directory_Integration_HOWTO" title="Special:Userlogin">Log in</a></td></tr><tr><td valign='top'><font size='-1'><span id='sitesub'></span></font></td><td align='right'><font size='-1'><span id='langlinks'><br /><a href="/index.php?title=FreeRADIUS_Active_Directory_Integration_HOWTO&amp;printable=yes">Printable version</a> | <a href="/FreeRADIUS_Wiki:General_disclaimer" title="FreeRADIUS Wiki:General disclaimer">Disclaimers</a> | <a href="/FreeRADIUS_Wiki:Privacy_policy" title="FreeRADIUS Wiki:Privacy policy">Privacy policy</a></span></font></td></tr></table>

</div>
<div id='article'><h1 class="pagetitle">FreeRADIUS Active Directory Integration HOWTO</h1><p class='subtitle'>From FreeRADIUS Wiki</p>

<dl><dt>Charles Schwartz
</dt><dd>Network Security Engineer
</dd></dl>
<table id="toc" class="toc" summary="Contents"><tr><td><div id="toctitle"><h2>Contents</h2></div>
<ul>
<li class="toclevel-1"><a href="#Introduction"><span class="tocnumber">1</span> <span class="toctext">Introduction</span></a></li>
<li class="toclevel-1"><a href="#Principles"><span class="tocnumber">2</span> <span class="toctext">Principles</span></a></li>
<li class="toclevel-1"><a href="#Prerequisites"><span class="tocnumber">3</span> <span class="toctext">Prerequisites</span></a></li>
<li class="toclevel-1"><a href="#Set_up_the_Linux_server"><span class="tocnumber">4</span> <span class="toctext">Set up the Linux server</span></a></li>
<li class="toclevel-1"><a href="#Installation_of_FreeRADIUS"><span class="tocnumber">5</span> <span class="toctext">Installation of FreeRADIUS</span></a>
<ul>
<li class="toclevel-2"><a href="#Configuration_of_clients.conf"><span class="tocnumber">5.1</span> <span class="toctext">Configuration of clients.conf</span></a></li>
<li class="toclevel-2"><a href="#Configuration_of_radiusd.conf"><span class="tocnumber">5.2</span> <span class="toctext">Configuration of radiusd.conf</span></a></li>
<li class="toclevel-2"><a href="#Configuration_of_eap.conf"><span class="tocnumber">5.3</span> <span class="toctext">Configuration of eap.conf</span></a></li>
<li class="toclevel-2"><a href="#Configuration_of_users"><span class="tocnumber">5.4</span> <span class="toctext">Configuration of users</span></a></li>
</ul>
</li>
<li class="toclevel-1"><a href="#Configuration_of_the_switch"><span class="tocnumber">6</span> <span class="toctext">Configuration of the switch</span></a></li>
<li class="toclevel-1"><a href="#Configuration_of_the_supplicant"><span class="tocnumber">7</span> <span class="toctext">Configuration of the supplicant</span></a></li>
</ul>
</td></tr></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=FreeRADIUS_Active_Directory_Integration_HOWTO&amp;action=edit&amp;section=1" title="Edit section: Introduction">edit</a>]</div><a name="Introduction"></a><h2>Introduction</h2>
<p>This document describes how to set up <a href="/FreeRADIUS" title="FreeRADIUS">FreeRADIUS</a> server in order to authenticate Windows XP network users transparently against Active Directory.
</p><p>It is a step by step 'quick &amp; dirty' guide to configure FreeRADIUS server, network <a href="/index.php?title=Access_Point&amp;action=edit" class="new" title="Access Point">Access Points</a> and WindowsXP <a href="/Supplicant" title="Supplicant">supplicants</a>.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=FreeRADIUS_Active_Directory_Integration_HOWTO&amp;action=edit&amp;section=2" title="Edit section: Principles">edit</a>]</div><a name="Principles"></a><h2>Principles</h2>
<p><a href="/FreeRADIUS" title="FreeRADIUS">FreeRADIUS</a> offers authentication via port based access control. A user can connect to the network only if its credentials have been validated by the authentication server. User credentials are verified by using special authentication protocols which belong to the 802.1X standard. 
</p><p><a href="/Image:10000000000001E30000017DC650BE65.png" class="image" title="Image:10000000000001E30000017DC650BE65.png"><img src="/images/a/a2/10000000000001E30000017DC650BE65.png" alt="Image:10000000000001E30000017DC650BE65.png" width="483" height="381" longdesc="/Image:10000000000001E30000017DC650BE65.png" /></a>
</p><p>Refer to the graphic. Network access is only granted to the workstation if the user credentials have been authenticated by the <a href="/FreeRADIUS" title="FreeRADIUS">FreeRADIUS</a> server. Otherwise the switch port will be down for any network traffic. 
The RADIUS server is allowed to contact the domain controller for user authentication. 
Although the switch port is down, the workstation can communicate with the RADIUS server via an authentication protocol.
The RADIUS server is able to check on the domain controller if the user exists and if its password is correct. If this is the case, the RADIUS server tells the switch to open the port and the user will get access to the network.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=FreeRADIUS_Active_Directory_Integration_HOWTO&amp;action=edit&amp;section=3" title="Edit section: Prerequisites">edit</a>]</div><a name="Prerequisites"></a><h2>Prerequisites</h2>
<p>The following components are required to install the access control solution:
</p>
<ul><li> A Linux server
</li><li> FREERADIUS 1.0.x
</li><li> Samba 3.0.x
</li><li> Openssl
</li><li> Cisco Catalyst Switch
</li><li> Windows XP clients (Win2k is not supported!)
</li></ul>
<p>The Linux distribution used is this context was Fedora Core 3.
</p><p><br />
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=FreeRADIUS_Active_Directory_Integration_HOWTO&amp;action=edit&amp;section=4" title="Edit section: Set up the Linux server">edit</a>]</div><a name="Set_up_the_Linux_server"></a><h2>Set up the Linux server</h2>
<p>Linux must be configured in order to belong to a Windows domain.
This is done by using the Samba file server which offers several interesting tools.
The goal is not to create a Samba file server but only to use some tools which come with this server.
</p><p>Samba server contains among others the following components:
</p>
<ul><li> Winbind, a daemon which permits connectivity to Windows 鈥揘T environment.
</li></ul>
<ul><li> Ntlm_auth, a tool which uses winbind for evaluating NTLM (NT Lan Manager) requests. This tool allows verifying user credentials on the domain controller and returns either a success or an error message. 
</li></ul>
<p>Please have a look at your Linux box and check if Samba is already installed.
</p>
<pre>[root@radiussrv1]# rpm 鈥搎a | grep samba 
</pre>
<p>Find the file smb.conf and open it with your preferred editor.
</p><p>The file must contain the following lines:
</p><p>In the [global] section
</p>
<pre>
# workgroup = NT-Domain-Name or Workgroup-Name
  workgroup = XYZDOM  //the name of your domain

# Security mode. Most people will want user level
# security. See security_level.txt for details.
  security = ads


#==================== Share Definitions =====================
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no
   password server = XYZSRV.XYZ-COMPANY.COM //your AD-server
   realm = XYZ-COMPANY.COM	//your realm


Verify the following lines in the [homes] section
   comment = Home Directories
   browseable = no
   writable = yes
</pre>
<p><br />
Next, find the file krb5.conf.
Normally it should be found in /etc/krb5.conf.
</p><p>Edit this file with the following information: (Watch out for case sensitivity)
</p>
<pre>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 XYZ-COMPANY.COM = {
  kdc = XYZSRV.XYZ-COMPANY.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
</pre>
<p>Edit the file /etc/nsswitch.conf and add <i>winbind</i> at the end of each line shown below:
</p>
<pre>
passwd:     files winbind
shadow:     files winbind
group:      files winbind

protocols:  files winbind

services:   files winbind

netgroup:   files winbind

automount:  files winbind
</pre>
<p>Restart the machine.
</p><p>Verify if the Samba service is running by typing:
</p>
<pre>ps 鈥揺f | grep nmbd
ps 鈥揺f | grep smbd
</pre>
<p>Execute the following command line (you must be connected as root)
</p>
<pre>net join 鈥揢 Administrator
</pre>
<p><i>Administrator</i> is the name of the domain controller admin.  Enter your password when prompted.  If everything works fine, the Linux server has been registered to the Windows domain.
</p><p>Verify now if the winbindd daemon is running:
</p>
<pre>~#ps 鈥揺f | grep winbindd
</pre>
<p>Try next if you can authenticate a user from the domain:
</p>
<pre>~#wbinfo 鈥揳 user%password
</pre>
<p>The output should be something like the following:
</p>
<pre>
[root@radiussrv1]# wbinfo 鈥揳 CHSchwartz%mypassword
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user CHSchwartz%mypassword with plaintext password
</pre>
<p>The error is absolutely normal in this case because there are no cleartext user credentials on the domain Controller (Active Directory) for this user.
</p><p>challenge/response password authentication succeeded
</p><p>As cleartext authentication fails, wbinfo tries a challenge/response.
If a challenge/response succeeds, the Linux server is configured correctly to authenticate users against Active Directory, however despite of the succes of this test, you may need to set some extra permissions on the winbindd_privileged directory (see below at WARNING)!
</p><p>Let鈥檚 try to authenticate with NTLM, which is necessary for using FREERADIUS with Active Directory.
</p><p>Type the following line:
</p>
<pre>[root@radiussrv1]# ntlm_auth 鈥