Step 3 Linking FreeRADIUS

Full blown authentication system

  1. Installation and basic configuration of OpenLDAP and MITv5 Kerberos
  2. Linking OpenLDAP with MITv5 Kerberos
  3. Linking FreeRADIUS
  4. Replication
  5. Hardening your setup
  6. Configure your clients
  7. Varia

Install FreeRADIUS together with its Kerberos module:

apt-get install freeradius-krb5 freeradius

Add a principal for the radius service:

kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc radius/provider.example.com
WARNING: no policy specified for radius/provider.example.com@EXAMPLE.COM; defaulting to no policy
Enter password for principal "radius/provider.example.com@EXAMPLE.COM": 
Re-enter password for principal "radius/provider.example.com@EXAMPLE.COM": 
Principal "radius/provider.example.com@EXAMPLE.COM" created.

Add its key to the keytab:

kadmin.local:  ktadd radius/provider.example.com
Entry for principal radius/provider.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal radius/provider.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal radius/provider.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal radius/provider.example.com with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.

Two things to keep in mind here. The FreeRADIUS daemon runs as an unprivileged user (freerad on Debian) and must be able to read the keytab it is pointed at, so either make /etc/krb5.keytab readable by that user or write the key to a dedicated keytab with ktadd's -k option and reference that file in the module configuration below. The arcfour-hmac and des-cbc-crc entries show up because the KDC still offers those legacy encryption types; they are weak and worth dropping when you harden the setup.

Edit the FreeRADIUS Kerberos module:

vim /etc/freeradius/modules/krb5

Set the principal you just created and the keytab that contains its key:

krb5 {
    keytab = /etc/krb5.keytab
    service_principal = radius/provider.example.com
}

Next, edit the users file:

vim /etc/freeradius/users

At the top of the file, set the authentication type to Kerberos by default:

DEFAULT Auth-Type = Kerberos

Add a realm entry with the hostname and the authentication and accounting ports of the RADIUS server for EXAMPLE.COM. Note that testing123 is the placeholder secret that ships with FreeRADIUS; it is fine while testing, but replace it with a long random secret before the server sees real traffic:

vim /etc/freeradius/proxy.conf

realm EXAMPLE.COM {
        authhost = provider.example.com:1812
        accthost = provider.example.com:1813
        secret = testing123
}

Finally, enable the module for that Auth-Type in the authenticate section of the default site:

vim /etc/freeradius/sites-enabled/default

...
authenticate {
…
        Auth-Type Kerberos {
                krb5
        }
…

Test it with radtest. Its arguments are, in order, user name, password, server, NAS port number and shared secret, so to authenticate a principal through the local server run:

radtest radius/provider.example.com <password> 127.0.0.1 0 testing123

Use the password you set for the principal; any principal whose password you know will do, for example a user you created in step 1. A working setup answers with an Access-Accept. If you get an Access-Reject with the correct password, run the server in debug mode (freeradius -X) and look at the krb5 module output: the usual causes are a keytab the freerad user cannot read or a KDC the server cannot reach.

If this works, try the same from another host on your network. On that host, do not forget to install the utilities:

apt-get install freeradius-utils

On the server, register the client in /etc/freeradius/clients.conf (w.x.y.z is the client's IP address) and restart FreeRADIUS so the new entry is picked up. The secret here is the one the client must pass to radtest; again, testing123 is only for testing:

client w.x.y.z {
        secret  = testing123
        nastype = other
}
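To make clear what radtest actually sends and why the shared secret in clients.conf matters, here is an added example that is not part of this page or of FreeRADIUS: a minimal RADIUS PAP client and the matching server-side check, following RFC 2865. It encrypts the User-Password with the secret and Request Authenticator, parses the request the way a server does, and validates the reply's Response Authenticator. The credentials dict is constructed test data standing in for the Kerberos check rlm_krb5 performs; send_access_request assumes a live server that lists the sending host in clients.conf with the given secret.

```python
"""Added example: RADIUS Access-Request with PAP User-Password (RFC 2865), client and server side."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def encrypt_user_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous
    ciphertext block); the first block is chained off the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher, secret, req_auth):
    """Inverse of encrypt_user_password; the server runs this before checking the password."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value


def parse_attributes(data):
    """TLV walk with length checks so a malformed packet raises instead of misparsing."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(identifier, secret, username, password, nas_port=0, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # fresh per request: it keys the password encryption
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_user_password(password.encode(), secret, req_auth))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, identifier, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def server_handle(request, secret, credentials):
    """Server side: check framing, recover the PAP password, verify it, answer.
    `credentials` is a constructed dict standing in for the KDC check rlm_krb5 does."""
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("malformed Access-Request")
    req_auth, attrs = request[4:20], parse_attributes(request[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    try:
        password = decrypt_user_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    except ValueError:
        password = None
    ok = password is not None and hmac.compare_digest(password, credentials.get(user, b"\x00"))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return HEADER.pack(reply, identifier, 20) + response_authenticator(reply, identifier, b"", req_auth, secret)


def verify_response(response, request, secret):
    """Client side: accept a reply only if its identifier matches the request and its
    Response Authenticator checks out under the shared secret. Returns the code or None."""
    if len(response) < 20:
        return None
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def send_access_request(host, secret, username, password, port=1812, timeout=3.0):
    """Equivalent of `radtest username password host 0 secret` against a live server."""
    request = build_access_request(os.urandom(1)[0], secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        response, _ = sock.recvfrom(4096)
    return verify_response(response, request, secret)


def simulate_exchange(password, client_secret=b"testing123", server_secret=b"testing123"):
    """Offline round trip with constructed credentials; returns the verified reply code."""
    credentials = {"alice": b"correct horse"}  # constructed test data, not a real account
    request = build_access_request(7, client_secret, "alice", password)
    response = server_handle(request, server_secret, credentials)
    return verify_response(response, request, client_secret)
```

Two things the offline round trip makes visible: a wrong password yields a properly authenticated Access-Reject, while a mismatched shared secret turns the password into garbage on the server and leaves the client unable to validate the reply at all, which is exactly the failure you see when the clients.conf secret and the radtest secret disagree. It also shows that PAP protection is just MD5 keyed by the secret, which is why the secret needs to be long and random rather than testing123.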

This was step 3. To proceed, go to step 4.