
Jisc Regional Support Centre for Wales

support@rsc-wales.ac.uk
FreeRADIUS 3.0.3 on Ubuntu 14.04 LTS
with Active Directory for eduroam
(document is in progress...!)
The following are based on installing FreeRADIUS on Ubuntu Server 14.04 (Trusty) with
Active Directory support for deployment of eduroam. In this instance we use a pre-compiled
FreeRADIUS package from a Personal Package Archive (PPA). This documentation should
also work with Ubuntu 12.04 Precise and 10.04 Lucid. No prebuilt packages are available for
non-LTS Ubuntu releases.
Hardware Requirements
Physical
Generally any hardware that you are comfortable using and managing on an ongoing basis for
this service; the load is light, as the basic VM requirements below show.
VM
(Absolute minimum, you may need to scale-up as usage increases)
1 x vCPU
512MB RAM
8GB Storage
Networking and Remote access
Ensure that the server has a static IP address
Ensure that you have remote access to the server via SSH
Update/Upgrade
Bring the base install up to date (sudo aptitude update followed by sudo aptitude upgrade, the
same commands used again in the FreeRADIUS install section) before going any further.
Samba and Authentication with Active Directory
sudo aptitude install snmp samba krb5-user winbind
Configure Kerberos and Samba
In this example;
RSC-WALES.LOCAL (or rsc-wales.local) equals the FQDN of our AD domain
RSC-WALES = the Netbios name of our AD domain
dc0.rsc-wales.local = one of our Domain Controllers
/etc/krb5.conf
Kerberos realm names are upper-case by convention and that is what AD expects; default_realm
must match the realm defined in [realms], and default_domain is the DNS domain, not a DC. The
krb4_* and v4_* entries found in older examples refer to Kerberos 4 and are not needed.
[libdefaults]
        default_realm = RSC-WALES.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        RSC-WALES.LOCAL = {
                kdc = dc0.rsc-wales.local
                admin_server = dc0.rsc-wales.local
                default_domain = rsc-wales.local
        }

/etc/samba/smb.conf
Ubuntu 14.04 ships Samba 4, so the idmap settings use the "idmap config" form (the old idmap
uid/gid lines are deprecated and only produce warnings). The range starts above the UIDs
used by local Ubuntu accounts so that mapped domain users cannot collide with them.
#Global parameters
[global]
        workgroup = RSC-WALES
        realm = RSC-WALES.LOCAL
        server string = rsc-wales freeradius
        security = ADS
        encrypt passwords = yes
        # this box is a member server; do not contend for browser/master roles
        preferred master = no
        local master = no
        domain master = no
        #winbind use default domain = no
        winbind separator = +
        idmap config * : backend = tdb
        idmap config * : range = 10000-60000
        password server = *

Restart the services so that they pick up the new configuration, and check that they start;
sudo service winbind restart
sudo service smbd restart
sudo service nmbd restart
Reference (note that this page describes joining as a DC; here the server is joined as an
ordinary domain member): http://wiki.samba.org/index.php/Join_a_domain_as_a_DC
Adding the server to the domain
sudo net ads join -U administrator
Using short domain name -- RSC-WALES
Joined 'RADIUS1' to realm 'rsc-wales.local'
The account used only needs the right to create computer objects in the container where the
machine account will land; a delegated join account is preferable to Domain Administrator.
If the above fails, try adding -S dc0.rsc-wales.local to name a DC explicitly;
sudo net ads join -U administrator -S dc0.rsc-wales.local
Confirming authentication requests using ntlm_auth
ntlm_auth --request-nt-key --domain=rsc-wales.local --username=Administrator
NT_STATUS_OK: Success (0x0)
You will be prompted for the password. Any ordinary domain account will do for this test (an
unprivileged test account is preferable to Administrator); --domain also accepts the NetBIOS
name RSC-WALES. If instead you get the following output;
could not obtain winbind separator!
Reading winbind reply failed! (0x01)
: (0x0)
then check that winbind is running
ps -A | grep winbind
2952 ? 00:00:00 winbindd
2953 ? 00:00:00 winbindd
If required start the winbind service;
sudo service winbind start
winbind start/running, process 2954
FreeRADIUS install
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo aptitude update
sudo aptitude upgrade
sudo aptitude install freeradius
The FreeRADIUS configuration files need two changes before the daemon will start or the
additional module packages can be installed (their postinst scripts start radiusd).
/etc/freeradius/radiusd.conf
allow_vulnerable_openssl = 'CVE-2014-0160'
name = freeradius
The first line is needed because FreeRADIUS refuses to start against an OpenSSL whose
version string is older than the Heartbleed (CVE-2014-0160) fix, and Ubuntu backports security
fixes without bumping the upstream version. Set it only after confirming that the installed
libssl1.0.0 package carries the fix (check its changelog or apt-cache policy against the
Ubuntu security notice for CVE-2014-0160); a RADIUS server terminating EAP-TLS for every user
is exactly where an unpatched Heartbleed would leak the private key and session secrets.
Install the following packages: two are FreeRADIUS modules, the third (make) is used to build
the certificate authority.
sudo aptitude install freeradius-ldap freeradius-krb5 make
sudo chown -R :adm /etc/freeradius/ /var/log/freeradius/
The package ships these directories with group freerad, which is the user radiusd runs as; if
you change the group as above, make sure freerad can still read the configuration and write
the logs (for example by adding it to adm), otherwise radiusd will not start.
cd /etc/freeradius/certs
sudo rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
sudo make ca.pem
sudo make server.pem
FreeRADIUS creates a certificate authority and a server certificate on first installation
(certs/bootstrap). The rm and make above throw those away and rebuild them; repeat them after
editing ca.cnf and server.cnf as described below, or use your own CA instead. If you introduce
a secondary FreeRADIUS server, do not create a second CA: have its server certificate signed
by the CA on the primary server, and keep the CA private key (certs/ca.key) on the primary only.
Changes to the OpenSSL config files
All of the information below is visible to users: clients display the server certificate when
they connect, and you will be providing users with the CA certificate (ca.pem or ca.der, never
ca.key) so that their supplicants can verify the server.
/etc/freeradius/certs/ca.cnf
/etc/freeradius/certs/server.cnf
In both files, under [ CA_default ] (the Makefile reads this value to set the certificate
lifetime; the shipped default is 60 days):
default_days = 3650
For ca.cnf only, in [ CA_default ] and [ v3_ca ]:
crlDistributionPoints = URI:http://eduroam.rsc-wales.ac.uk/ca.crl
(i.e. URI:http://yourdomain/ca.crl, a URL you will actually publish the CRL at)
For ca.cnf in [ certificate_authority ], and for server.cnf in [ server ]:
Field                  Example value                        Notes
countryName            GB                                   GB
stateOrProvinceName    Wales                                County (or nation if you're Welsh!)
localityName           Swansea                              Town/City
organizationName       Jisc Regional Support Centre Wales   Organisation name
emailAddress           support@rsc-wales.ac.uk              IT service helpdesk?
commonName             Jisc RSC Wales - eduroam             This should be a sensible name as it
                                                            will display to users, e.g.
                                                            "College XX - eduroam"
Note: update input_password and output_password (in the [ req ] section of both files) and
make a note of the value, as you will need the same password for private_key_password in the
eap module later. While editing, consider changing default_md from sha1 to sha256 in both
files: newer client operating systems reject SHA-1 signed certificates.
Now rebuild the certificates that the Ubuntu package installed from the edited configuration
(the Makefile rebuilds ca.pem and server.pem when their .cnf files are newer; if in doubt run
the rm line from the install step first):
sudo make ca.pem
sudo make server.pem
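The certificate build and the checks worth running on the result, as an added example: this is not code from the page or from FreeRADIUS, but a shell script that builds a throwaway CA and server certificate in a temporary directory the way certs/Makefile does (self-signed CA, server CSR signed by the CA, serverAuth extended key usage as added by the shipped xpextensions file) and then verifies the chain, the signature algorithm, the EKU and the expiry. The subject values are placeholders; the lifetime is the default_days value from the text.

```shell
#!/bin/sh
# Added example (not part of the original page or of FreeRADIUS): build a CA and
# server certificate as certs/Makefile does, then check what clients will see.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required"; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CA_CN="Example College eduroam CA"   # placeholder
SRV_CN="Example College - eduroam"   # placeholder; this is the name users see
DAYS=3650                            # default_days from the text

make_ca() {
  # Self-signed CA, SHA-256 (the shipped ca.cnf still says default_md = sha1)
  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days "$DAYS" \
    -subj "/C=GB/ST=Wales/L=Swansea/O=Example College/CN=$CA_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

make_server() {
  # CSR for the RADIUS server, signed by the CA with extendedKeyUsage =
  # serverAuth; Windows PEAP clients refuse a server certificate without it
  openssl req -new -sha256 -newkey rsa:2048 -nodes \
    -subj "/C=GB/ST=Wales/L=Swansea/O=Example College/CN=$SRV_CN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage = serverAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days "$DAYS" -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null || return 1
  # FreeRADIUS's server.pem holds the key and the certificate in one file
  cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
}

# chain_ok: the server certificate validates against the CA (exit 0 = yes)
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.crt" >/dev/null 2>&1; }

# sig_alg: signature algorithm of the server certificate, e.g. sha256WithRSAEncryption
sig_alg() {
  openssl x509 -in "$WORK/server.crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# has_server_auth: EKU includes TLS Web Server Authentication (exit 0 = yes)
has_server_auth() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# valid_for: certificate will not expire within $1 seconds (exit 0 = yes)
valid_for() { openssl x509 -in "$WORK/server.crt" -noout -checkend "$1" >/dev/null; }

# subject_cn: the commonName users will be shown
subject_cn() { openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/.*CN *= *//'; }

make_ca && make_server || { echo "certificate build failed"; exit 1; }
chain_ok          && echo "chain:   ok"
echo "sigalg:  $(sig_alg)"
has_server_auth   && echo "eku:     serverAuth present"
valid_for 2592000 && echo "expiry:  more than 30 days left"
echo "cn:      $(subject_cn)"
echo "files in $WORK"
```

Run the same four checks (chain, sigalg, eku, expiry) against /etc/freeradius/certs/ca.pem and server.pem on the real server; a server certificate that validates only with its own CA is expected here, since eduroam clients are configured to trust that CA rather than a public one.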
Config with eduroam(UK)
Copy the configuration from the eduroam(UK) support site into clients.conf and proxy.conf. In
clients.conf replace nastype with nas_type (the FreeRADIUS 3 spelling).
For proxy.conf, replace the realm LOCAL entry with the catch-all realm:
/etc/freeradius/proxy.conf
realm LOCAL        (replace this)
realm ~.*          (with this)
To produce the logging that the eduroam specification requires, uncomment the following
module calls in both of these virtual servers:
/etc/freeradius/sites-available/default
/etc/freeradius/sites-available/inner-tunnel
auth_log
reply_log
attr_filter.pre-proxy
pre_proxy_log
post_proxy_log
attr_filter.post-proxy
(auth_log and pre_proxy_log record what was sent; the attr_filter calls are what enforce the
attribute lists configured in the Attribute files section below.)
Create an eduroam virtual server
To create the eduroam virtual server, copy the default virtual server and modify the copy:
sudo cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/eduroam
sites-available contains all the virtual servers; sites-enabled holds symbolic links to those
files in sites-available that should actually be loaded, so create a link with ln:
sudo ln -s /etc/freeradius/sites-available/eduroam /etc/freeradius/sites-enabled/eduroam
Make the following change at the top of /etc/freeradius/sites-enabled/eduroam (comments
discounted; with the comments this is approximately the first 160 lines of the file). The copy
starts with the server name and two listen sections:
sites-available/eduroam (before)
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
Rename the server and delete both listen sections, so that the file begins:
sites-available/eduroam (after)
server eduroam {
The default virtual server already listens on the authentication and accounting ports (port = 0
means the defaults, 1812 and 1813), and a second server binding the same ports would stop
radiusd from starting. The eduroam server does not listen itself; it is reached through the
eduroam(UK) client and proxy configuration that names it.

Add the following to the authorize section of sites-available/default after suffix
(approximately line 300). It sends every request whose realm is not one of yours to the NRPS,
via the eduroam realm defined in proxy.conf. Note the ^ anchor: without it the pattern also
matches any realm that merely ends in rsc-wales.ac.uk (notrsc-wales.ac.uk, for example), and
such users would be authenticated locally instead of being proxied.
sites-available/default
if ("%{Realm}" !~ /^(.*\\.)?(rsc-wales\\.ac\\.uk|rsc-cymru\\.ac\\.uk)$/) {
update control {
Proxy-To-Realm := 'eduroam'
}
}
In the pre-proxy section of sites-available/default uncomment operator-name, so that the
Operator-Name attribute identifying your site is added to every proxied request:
sites-available/default
#operator-name
operator-name
We also do not want to forward usernames that carry no realm at all (there is nowhere to route
them), so add a check to the filter_username policy in policy.d/filter alongside the stock
rules. The policy is called from the authorize section of sites-available/default; make sure
that call is not commented out, otherwise none of these checks run.
/etc/freeradius/policy.d/filter
filter_username {
if (User-Name != "%{tolower:%{User-Name}}") {
reject
}
if (User-Name !~ /@/) {
update reply {
Reply-Message += "Rejected: Username has no realm"
}
reject
}
# the remaining stock checks in this policy stay as shipped
}
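The two decisions above (which realms stay local and which usernames are rejected before anything is proxied) reproduced in shell, as an added example that is not part of the original page: the realm list is the one from the unlang snippet, written as a POSIX extended regex so grep can evaluate it, and the usernames are constructed test data. It shows the difference between the anchored and unanchored pattern on a realm that only ends in rsc-wales.ac.uk, and mirrors the filter_username checks.

```shell
#!/bin/sh
# Added example (not from the page or from FreeRADIUS): exercise the realm
# routing regex and the filter_username rules against sample identities.
LOCAL_REALMS='rsc-wales\.ac\.uk|rsc-cymru\.ac\.uk'   # realms from the text

# realm_of: the part after the last @, which the suffix module puts in Realm
realm_of() { printf '%s\n' "$1" | sed -n 's/.*@//p'; }

# is_local_realm: the anchored pattern  ^(.*\.)?(...)$   (exit 0 = local)
is_local_realm() { printf '%s\n' "$1" | grep -Eq "^(.*\.)?($LOCAL_REALMS)$"; }

# is_local_realm_unanchored: the same pattern without ^, to show the problem
is_local_realm_unanchored() { printf '%s\n' "$1" | grep -Eq "(.*\.)?($LOCAL_REALMS)$"; }

# route: "local" or "proxy:eduroam", mirroring Proxy-To-Realm := 'eduroam'.
# A name with no realm routes to eduroam here; filter_username rejects it first.
route() {
  if is_local_realm "$(realm_of "$1")"; then echo local; else echo proxy:eduroam; fi
}

# filter_username: the checks from policy.d/filter; prints the outcome and
# returns 1 on reject
filter_username() {
  u=$1
  lower=$(printf '%s' "$u" | tr '[:upper:]' '[:lower:]')
  if [ "$u" != "$lower" ]; then echo "Rejected: mixed case"; return 1; fi
  case $u in
    *@*) ;;
    *) echo "Rejected: Username has no realm"; return 1 ;;
  esac
  case $u in *" "*) echo "Rejected: whitespace"; return 1 ;; esac
  case $u in *@*@*) echo "Rejected: multiple @"; return 1 ;; esac
  echo accept
}

# constructed identities: two local, one look-alike realm, one genuine visitor
for u in alice@rsc-wales.ac.uk bob@staff.rsc-wales.ac.uk \
         carol@notrsc-wales.ac.uk dave@uni.example.edu; do
  printf '%-32s %-14s' "$u" "$(route "$u")"
  if is_local_realm_unanchored "$(realm_of "$u")"; then
    echo "(unanchored pattern: local)"
  else
    echo "(unanchored pattern: proxy)"
  fi
done
for u in Alice@rsc-wales.ac.uk alice; do
  printf '%-32s %s\n' "$u" "$(filter_username "$u")"
done
```

carol@notrsc-wales.ac.uk is the case to watch: the anchored pattern proxies her to eduroam, the unanchored one would try to authenticate her against your AD.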
mods-enabled/eap
Ensure that private_key_password matches the input_password / output_password you set in
certs/ca.cnf and certs/server.cnf.
Change all instances of copy_request_to_tunnel = no to copy_request_to_tunnel = yes, so that the
outer request attributes (Operator-Name, Calling-Station-Id and so on) are available to the
inner-tunnel virtual server.
Change default_eap_type = md5 to default_eap_type = peap.
The following is a sample eap module file with all comments removed (a few short comments are
added here to flag the settings that matter):
/etc/freeradius/mods-enabled/eap
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
# md5 and leap are not needed for eduroam (LEAP is broken and EAP-MD5 cannot
# derive WPA2 keys); remove them once PEAP/TTLS is working
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# must equal input_password/output_password in ca.cnf and server.cnf
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
CA_path = ${cadir}
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
# MS-CHAPv2 is only acceptable inside the TLS tunnel of PEAP/TTLS above
mschapv2 {
}
}
The following is a sample mods-enabled/mschap file with all comments removed. The ntlm_auth
setting must be a single line in the file; it is wrapped here only for the page.
/etc/freeradius/mods-enabled/mschap
mschap {
authtype = MS-CHAP
# the MPPE keys are what the access point derives the WPA2 session keys from
use_mppe = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-rsc-wales.local} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Two things to check here. First, --request-nt-key needs winbind's privileged pipe (under
/var/lib/samba/winbindd_privileged), which only root and the winbindd_priv group can reach;
radiusd runs as freerad, so add that user to the winbindd_priv group and restart freeradius,
otherwise every MS-CHAP authentication fails even though the same ntlm_auth command works when
you run it as root. Second, the command is given the inner username after realm stripping; if a
client sends its inner identity as something AD does not recognise as a sAMAccountName, the
LDAP mapping described under "Enable login with userPrincipalName" is what fixes it.
LDAP details
Enable the ldap module and update it with your LDAP details:
sudo ln -s /etc/freeradius/mods-available/ldap /etc/freeradius/mods-enabled
/etc/freeradius/mods-enabled/ldap
The following table lists the key settings (FreeRADIUS 3 names; filter lives in the user { }
subsection of the module):

server      dc0.rsc-wales.local
            This names one domain controller; most AD environments have several. Consider the
            DomainDnsZones name (domaindnszones.rsc-wales.local, which AD DNS resolves to the
            DCs), or read the following article on FreeRADIUS with multiple LDAP servers:
            http://www.novell.com/support/kb/doc.php?id=3807164

identity    cn=ldap,cn=Users,dc=rsc-wales,dc=local
            An account that you have created in AD for this purpose. It may be shared with
            other systems, but it must not be an account that people log in with, and it needs
            no rights beyond reading user attributes. Ensure that it does not become disabled
            or removed: set Password Never Expires and User Cannot Change Password.

password    The password for the identity above. The module file now holds a credential, so
            keep it readable only by root and the freerad user.

base_dn     cn=Users,dc=rsc-wales,dc=local
            Search from an ou (Organisational Unit) or cn (Container). Searching from the
            domain root (dc=rsc-wales,dc=local) returns referrals for the other AD naming
            contexts, which FreeRADIUS will attempt to chase; if you must search from the root,
            set chase_referrals = no in the module's options section, or query the global
            catalog on port 3268. Multiple bases are handled like multiple servers; see the
            article above.

filter      "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
            This is the important part that you will need to test for your environment. The
            example should work in most AD deployments, but you may prefer mail or
            userPrincipalName (see "Enable login with userPrincipalName" below). For
            inner-tunnel authentication with mschap/ntlm_auth you must still end up with the
            sAMAccountName. The ldap module escapes the expanded username before it goes into
            the filter, so a login name containing LDAP metacharacters cannot change the query.
Attribute files
When adding entries to an attr_filter file, remember that the comma is a separator between
entries, not a terminator: add a comma to what was the last entry and leave it off the new one.
Change the DEFAULT section of each of the following files to the lists below. The other
attributes in the shipped DEFAULT sections are not part of the eduroam specification, so drop
them and allow only those that should be there. The pre-proxy list controls what leaves your
site towards the NRPS (no NAS addresses, VLAN or vendor attributes); the post-proxy list
controls what you accept back from a remote home server (no Tunnel-* or Filter-Id, which would
let the remote site choose a VLAN or ACL on your network).
/etc/freeradius/mods-config/attr_filter/pre-proxy
DEFAULT
User-Name =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
State =* ANY,
Proxy-State =* ANY,
Operator-Name =* ANY,
Class =* ANY,
Calling-Station-Id =* ANY,
Chargeable-User-Identity =* ANY
/etc/freeradius/mods-config/attr_filter/post-proxy
DEFAULT
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
State =* ANY,
Calling-Station-Id =* ANY,
Operator-Name =* ANY,
User-Name =* ANY,
Class =* ANY,
Chargeable-User-Identity =* ANY
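What those two lists do to real packets, as an added example that is not part of the original page: a small stand-in for rlm_attr_filter's "=* ANY" allow-list, run over a constructed outgoing request (as it reaches pre-proxy) and a constructed reply from a remote home server (as it reaches post-proxy). The allow-lists are the ones in the text; the attribute values, NAS names and addresses are made up for the demonstration, and the stand-in only implements the allow-by-name behaviour, not attr_filter's value matching.

```shell
#!/bin/sh
# Added example (not from the page or from FreeRADIUS): apply the eduroam
# attr_filter allow-lists to sample packets and see what is dropped.
PRE_PROXY_ALLOW='User-Name EAP-Message Message-Authenticator State Proxy-State Operator-Name Class Calling-Station-Id Chargeable-User-Identity'
POST_PROXY_ALLOW='Reply-Message Proxy-State EAP-Message Message-Authenticator MS-MPPE-Recv-Key MS-MPPE-Send-Key State Calling-Station-Id Operator-Name User-Name Class Chargeable-User-Identity'

# attr_filter ALLOWLIST  (reads "Attr = value" lines on stdin, prints the kept ones)
attr_filter() {
  allow=$1
  while IFS= read -r line; do
    name=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]//g')
    [ -z "$name" ] && continue
    for a in $allow; do
      if [ "$a" = "$name" ]; then printf '%s\n' "$line"; break; fi
    done
  done
}

# Constructed request from one of our access points, about to be proxied.
# Everything that describes our own network is stripped before it leaves.
outgoing_request() {
  cat <<'EOF'
User-Name = visitor@uni.example.edu
NAS-IP-Address = 192.168.1.10
NAS-Identifier = ap-library-01
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
Calling-Station-Id = 02-00-00-AA-BB-CC
Operator-Name = 1example.ac.uk
EAP-Message = 0x020100060301
EOF
}

# Constructed Access-Accept from the visitor's home server.  The Tunnel-* and
# Filter-Id attributes are the remote site (or anyone on the path) trying to
# place the visitor in a VLAN / ACL of *our* choosing; only the MPPE keys,
# which the AP needs for WPA2, and the identity attributes are kept.
incoming_reply() {
  cat <<'EOF'
User-Name = visitor@uni.example.edu
MS-MPPE-Recv-Key = 0x00112233
MS-MPPE-Send-Key = 0x44556677
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 10
Filter-Id = staff-acl
Reply-Message = Welcome
EOF
}

# count_attr NAME  (number of lines on stdin carrying attribute NAME)
count_attr() { grep -c "^$1 =" ; }

echo "--- pre-proxy (what leaves our site) ---"
outgoing_request | attr_filter "$PRE_PROXY_ALLOW"
echo "--- post-proxy (what we accept from the home server) ---"
incoming_reply | attr_filter "$POST_PROXY_ALLOW"
```

If you ever need a visitor placed in a specific VLAN, set the Tunnel-* attributes yourself in the post-proxy section of your own virtual server rather than widening the post-proxy list to accept them from remote servers.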
FreeRADIUS Virtual Servers (sites-enabled)

eduroam       Virtual server for all external authentication requests, i.e. your users when
              roaming elsewhere. Mostly default configuration.

default       Virtual server for all authentication at your site. This provides the default
              EAP (outer tunnel) as used by College clients locally and by users roaming
              here. Mostly default configuration, with changes to allow ldap, and
              Proxy-To-Realm set to eduroam for all realms that are not local (the
              non-ystrad-mynach realms in the original deployment).

inner-tunnel  Provides the MSCHAP authentication for our local users, and redirects visiting
              users to the eduroam virtual server. The majority of the configuration work has
              been in this file. Redirect to eduroam for non-ystrad-mynach realms.
Other FreeRADIUS configuration files

mods-enabled/eap   Provides the default EAP configuration: the inner tunnels to use and the
                   SSL certificate information. Minor changes to enable EAP and to set the
                   certificate password.

certs/ca.cnf       These provide the configuration used by FreeRADIUS (and its certs/bootstrap
certs/server.cnf   script) to create a certificate and certificate authority when RADIUS is
                   first run. They are customised for each organisation so that the
                   certificate and CA carry sensible information for users. Under no
                   circumstance should a production server be put on-line with these files
                   left in their default state.

clients.conf       Provides the IP address and shared secret for each client, including other
                   RADIUS servers. All clients are configured here: every full (fat) wireless
                   AP, or just the controller where thin APs are used. The JANET RADIUS
                   servers are configured here too; the configuration items for them are
                   provided on the JRS support site.

mods-enabled/      MS-CHAP configuration. Changes to the ntlm_auth command only.
mschap

mods-enabled/ldap  LDAP configuration. Significant configuration in this file, with the usual
                   LDAP details: username, password, base DN, server name and attributes.
Clients
You will need to add clients for all wireless access points, wireless access point controllers,
network switches and any other RADIUS servers that need to communicate with this RADIUS server.
In addition, the JANET NRPS (National RADIUS Proxy Servers) need to be configured here; the
eduroam(UK) support page provides the relevant configuration snippet.
You may wish to define these as IP subnets if most of your APs sit in a single subnet. Be
careful with broader subnets that also contain client machines or servers: every host in the
range shares the same secret, and any host that learns it can impersonate an AP to this server
and can decrypt the MPPE keys in its replies.
The following is an example entry for clients.conf. It defines a client for all hosts in
192.168.1.0/24 (or 192.168.1.*); the secret is a placeholder, and the real one should be long
and random, since it is the only thing authenticating the NAS to this server.
clients.conf
client 192.168.1.0/24 {
# placeholder: replace with a long random secret unique to this client/subnet
secret = mysecret
}
Testing
If you would like to test on the command line, then use the following instructions to build
rad_eap_test and eapol_test programs.
https://docs.google.com/a/jiscadvance.ac.uk/document/d/1NfB8JbUs-EhlHX-wLIsquoc7E8l4-
FAqFyXOwvKGbE8/edit#heading=h.b5fil0xvkowd
Enable login with userPrincipalName and/or sAMAccountName
In mods-enabled/ldap, in the user { } subsection, change filter to:
filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(userPrincipalName=%{User-Name}))"
(this means that a user can log in as either sAMAccountName@realm or userPrincipalName)
Alternatively, set this to:
filter = "(userPrincipalName=%{User-Name})"
if you do not want to allow login as sAMAccountName, i.e. only allow userPrincipalName.
In the update { } section of the same file add:
request:Stripped-User-Name := 'sAMAccountName'
This overwrites Stripped-User-Name with the sAMAccountName attribute of the matched entry,
because the inner tunnel's mschap module and its ntlm_auth command must be given the
sAMAccountName whatever form the user typed. Check with one account that the filter returns
exactly one entry; a filter that matches several entries is treated as an error by the module.
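The user lookup from the LDAP details section and the combined sAMAccountName/userPrincipalName filter above, as an added example that is not part of the original page: a shell script that builds the filter for a given login name with the RFC 4515 escaping that rlm_ldap applies to %{User-Name} (so a crafted name such as "*)(objectClass=*" cannot widen the search), plus two pre-flight probes, one running the filter through ldapsearch as the bind account and one running ntlm_auth as the freerad user. The URI, DNs and account names default to the placeholders used in the text and can be overridden from the environment; ldap_probe needs ldap-utils and ntlm_probe needs to run on the joined server, so neither is exercised offline.

```shell
#!/bin/sh
# Added example (not from the page or from FreeRADIUS): build and test the
# AD user-lookup filter, and probe the two authentication paths as the
# server itself would use them.  Names below are placeholders from the text.
LDAP_URI="${LDAP_URI:-ldap://dc0.rsc-wales.local}"
BIND_DN="${BIND_DN:-cn=ldap,cn=Users,dc=rsc-wales,dc=local}"
BASE_DN="${BASE_DN:-cn=Users,dc=rsc-wales,dc=local}"
NT_DOMAIN="${NT_DOMAIN:-RSC-WALES}"

# ldap_escape: RFC 4515 escaping of a filter assertion value
# (\ first, then * ( ) so the inserted backslashes are not re-escaped)
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# user_filter LOGIN: the combined filter from the text.  Stripped-User-Name is
# the part before the last @ when there is one, otherwise the whole name.
user_filter() {
  full=$1
  case $full in *@*) stripped=${full%@*} ;; *) stripped=$full ;; esac
  printf '(|(sAMAccountName=%s)(userPrincipalName=%s))' \
    "$(ldap_escape "$stripped")" "$(ldap_escape "$full")"
}

# ldap_probe LOGIN: bind as the service account over STARTTLS (so the bind
# password does not cross the network in clear) and run the filter; exactly
# one entry must come back.  Prompts for the bind password.
ldap_probe() {
  command -v ldapsearch >/dev/null 2>&1 || { echo "install ldap-utils first"; return 2; }
  n=$(ldapsearch -LLL -ZZ -H "$LDAP_URI" -x -D "$BIND_DN" -W -b "$BASE_DN" \
        "$(user_filter "$1")" sAMAccountName userPrincipalName | grep -c '^dn:')
  echo "entries matched: $n"
  [ "$n" = 1 ]
}

# ntlm_probe SAMACCOUNTNAME: the mschap path, run as the user radiusd runs as,
# so a permission problem on winbind's privileged pipe shows up here rather
# than as an opaque EAP failure on a client.  Prompts for the password.
ntlm_probe() {
  sudo -u freerad /usr/bin/ntlm_auth --request-nt-key --domain="$NT_DOMAIN" --username="$1"
}

echo "filter for alice@rsc-wales.ac.uk:"
user_filter 'alice@rsc-wales.ac.uk'; echo
echo "filter for a crafted name:"
user_filter '*)(objectClass=*'; echo
case ${1:-} in
  ldap) ldap_probe "$2" ;;
  ntlm) ntlm_probe "$2" ;;
esac
```

Invoke as "sh probe.sh ldap alice@rsc-wales.ac.uk" or "sh probe.sh ntlm alice" on the RADIUS server; without arguments it only prints the filters.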
