How to integrate RADIUS with Kerberos?


Solution 1

This can be done w/ 802.1x - PEAP-MSCHAP to MIT's kerberos with the help of KCRAP. Originally developed to allow Samba users to authenticate to kerberos using NTLM, its libraries can be used in freeradius to do the required verification of the NTLM hash.

This solution requires that you're comfortable running and maintaining custom software. The rough steps to implementation are:

  1. Add the arcfour-hmac:normal password hash to your KDB. Users will have to update their passwords to create the required hash for NTLM.
  2. Build and install a kcrapd daemon to run on the KDB(s) to look up user hashes.
  3. Build, install, and configure the kcrap-libs on your RADIUS server(s).
  4. Build an auth module for your radius server that interfaces w/ the kcrap-libs to authenticate users.

We run this solution for an entire campus w/ windows devices automatically authenticating using their native AD credentials against our synchronized KDBs.
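Added example (not from the answer above or from the KCRAP project) showing why step 1 is required: the Kerberos arcfour-hmac (RC4-HMAC) long-term key is MD4 over the UTF-16LE password, byte for byte the NT hash that MS-CHAPv2 proves possession of, so a KCRAP lookup can hand that key to the RADIUS server as the NTLM hash. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3; kdb_key_matches is a hypothetical administrator check for confirming that a test account's stored key matches its known password after the password change in step 1.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    f = (lambda x, y, z: (x & y) | (~x & z),          # round 1
         lambda x, y, z: (x & y) | (x & z) | (y & z),  # round 2
         lambda x, y, z: x ^ y ^ z)                    # round 3
    consts = (0, 0x5A827999, 0x6ED9EBA1)
    shifts = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
    order = (list(range(16)),
             [(i % 4) * 4 + i // 4 for i in range(16)],
             [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian u64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(3):
            for i in range(16):
                a = _rol(a + f[r](b, c, d) + x[order[r][i]] + consts[r], shifts[r][i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash (RFC 2759 NtPasswordHash) = MD4(UTF-16LE(password)). The Kerberos
    arcfour-hmac string-to-key (RFC 4757 section 3) is the identical computation."""
    return md4(password.encode("utf-16-le"))


def kdb_key_matches(password: str, kdb_key_hex: str) -> bool:
    """Hypothetical admin check: does the arcfour-hmac key stored in the KDB for a test
    account equal the NT hash of its known password? Constant-time compare."""
    return hmac.compare_digest(nt_hash(password), bytes.fromhex(kdb_key_hex))
```

Because this key is password-equivalent for NTLM, the KDB and the kcrapd channel deserve the same protection as the Samba passdb they stand in for.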

Solution 2

Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf:

modules {
    krb5 {
            # With a keytab and service_principal set, rlm_krb5 also verifies the KDC's
            # reply against a service ticket, which guards against a spoofed KDC.
            keytab = ${confdir}/radius.keytab
            service_principal = radius/radius.example.com
    }

    ldap {
            cache = no
            # A bare "ldap" host with start_tls = no means the bind password below and
            # every lookup travel unencrypted; use StartTLS or an ldaps:// URL in production.
            server = "ldap"
            identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
            password = secret
            basedn = "dc=com"
            # Users authenticate with their full Kerberos principal, matched here.
            filter = "(krbPrincipalName=%{User-Name})"
            base_filter = "(objectClass=radiusprofile)"

            tls {
                    start_tls = no
                    # tls_cacertfile        = /path/to/cacert.pem
                    # tls_cacertdir         = /path/to/ca/dir/
                    # tls_certfile          = /path/to/radius.crt
                    # tls_keyfile           = /path/to/radius.key
                    # tls_randfile          = /path/to/rnd
                    # tls_require_cert      = "demand"
            }

            default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
            profile_attribute = "radiusProfileDn"
            # Only entries carrying this attribute are authorized.
            access_attr = "dialupAccess"

            dictionary_mapping = ${raddbdir}/ldap.attrmap

            ldap_connections_number = 5

            groupname_attribute = cn
            groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
            #groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            # do_xlat = yes
            # access_attr_used_for_allow = yes

            # set_auth_type = yes
    }
}

This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).

Solution 3

If Microsoft, then there are a couple of articles: Technet, and a document here: TechNet Word Doc.

Author: minder

Updated on September 17, 2022

Comments

  • minder
    minder almost 2 years

    We've got properly configured LDAP+Kerberos on our wired network.

    Now we want our users to log in to our WiFi network by using their normal credentials. I've found lots of HOWTOS about LDAP+RADIUS but none of them mention Kerberos in the pack. Can anyone point me to a good HOWTO on integrating RADIUS with Kerberos? I found only this short article and some non-informative posts on Usenet.

    EDIT: The system is Gentoo Linux using OpenLDAP and Heimdal (Kerberos). The WiFi hardware is several Linksys WRT54GL with OpenWRT.

    • Khaled
      Khaled over 13 years
      You did not mention your platform!
    • mfinni
      mfinni over 13 years
      Seconded - detail the name and version of all of the relevant software - OS, LDAP, Kerberos, and probably the WiFi hardware as well.