eduroam IdP using Active Directory

Author

Sami Ait Ali Oulahcen

Published

April 4, 2024

1. Install samba and prerequisites

First, let's install Samba and all the prerequisites it needs.
Samba is free software that integrates Linux/Unix servers into Active Directory. We will use it to join our eduroam server to AD, then authenticate our users with MSCHAPv2, backed by NTLM verification through winbind.

dnf install -y samba samba-winbind samba-winbind-krb5-locator samba-common-tools krb5-workstation realmd samba-winbind-clients

2. Configure samba and kerberos

We need to edit /etc/samba/smb.conf to match our domain settings (workgroup, realm and domain controller):

/etc/samba/smb.conf
[global]
    workgroup = UNI
    security = ads
    winbind use default domain = yes
    realm = UNI.AC.MA
    password server = dc.uni.ac.ma

Then we set the Kerberos configuration in /etc/krb5.conf:

/etc/krb5.conf
[libdefaults]
        default_realm = UNI.AC.MA

[realms]
        UNI.AC.MA = {
                kdc = dc.uni.ac.ma
                admin_server = dc.uni.ac.ma
        }

[domain_realm]
        .uni.ac.ma = UNI.AC.MA
        uni.ac.ma = UNI.AC.MA

3. Join the AD domain

Let us now join the server to the Active Directory domain.

We first need to add an SRV record for the domain controller to our domain's DNS zone. The join process uses this record to locate the DC.

_ldap._tcp.dc._msdcs.uni.ac.ma IN SRV   0 100 389 dc.uni.ac.ma.

Next, we use the kinit tool to obtain and cache a Kerberos ticket-granting ticket (TGT):

kinit Administrator

Then we can join the domain:

net ads -k join

Finally, let's restart the services and enable them so they start at boot:

systemctl restart smb
systemctl restart nmb
systemctl restart winbind
systemctl enable smb nmb winbind

4. Test and configure NTLM auth

Let's test that winbind's NTLM authentication can be reached from outside winbind, using ntlm_auth (adminPasswd is a placeholder for the real password):

ntlm_auth --request-nt-key --domain=uni.ac.ma --username=administrator --password=adminPasswd
NT_STATUS_OK: The operation completed successfully. (0x0)

If this is successful, we can configure NTLM authentication inside the mschap module.

/etc/raddb/mods-available/mschap
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
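To see exactly which arguments the ntlm_auth line above hands to winbind for a given request, here is a small expander for the %{...:-...} xlat syntax it uses. This is an added example, not code from the original page or from FreeRADIUS; the request attributes are constructed samples and the argument splitting is approximated with shlex.

```python
import shlex

# The ntlm_auth setting exactly as it appears in mods-available/mschap above.
NTLM_AUTH_XLAT = (
    "/usr/bin/ntlm_auth --request-nt-key "
    "--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} "
    "--challenge=%{%{mschap:Challenge}:-00} "
    "--nt-response=%{%{mschap:NT-Response}:-00}"
)


def _find_close(s, start):
    """Index of the '}' matching the '{' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in xlat: " + s)


def expand_xlat(s, attrs):
    """Expand every %{...} in s: %{Attr} looks up a request attribute
    (case-insensitive), %{inner:-fallback} uses fallback when inner is empty.
    Nested forms are handled by recursion."""
    lower = {k.lower(): v for k, v in attrs.items()}
    out, i = [], 0
    while i < len(s):
        if s.startswith("%{", i):
            close = _find_close(s, i + 1)
            out.append(_expand_one(s[i + 2:close], lower))
            i = close + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _expand_one(body, lower):
    depth = 0
    for j in range(len(body) - 1):          # find ":-" at brace depth zero
        if body[j] == "{":
            depth += 1
        elif body[j] == "}":
            depth -= 1
        elif depth == 0 and body[j:j + 2] == ":-":
            value = expand_xlat(body[:j], lower)
            return value if value else expand_xlat(body[j + 2:], lower)
    return expand_xlat(body, lower) if "%{" in body else lower.get(body.lower(), "")


def ntlm_auth_argv(attrs):
    """Argument vector ntlm_auth receives for a request with these attributes."""
    return shlex.split(expand_xlat(NTLM_AUTH_XLAT, attrs))
```

Feeding it a request with Stripped-User-Name set shows that only the realm-stripped username reaches ntlm_auth, and a request without the mschap attributes shows the "00" defaults being substituted.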

Make sure the default EAP type is PEAP:

/etc/raddb/mods-available/eap
eap {
...
    default_eap_type = peap
...
}

Also make sure that the radiusd user can reach winbind's privileged socket:

usermod -a -G wbpriv radiusd
chown root:wbpriv /var/lib/samba/winbindd_privileged/
systemctl restart radiusd

5. Set up a shared secret with the NRO and test

For our users' requests to be routed correctly to our server, we need to communicate our realms (uni.ma, uni.ac.ma) to the NRO and agree on a shared secret. We then configure that shared secret in /etc/raddb/proxy.conf in each of our eTLR entries:

/etc/raddb/proxy.conf
home_server FLRx {
...
    # shared secret agreed with the NRO for this upstream server
    secret = new secret here
...
}

After all configuration is complete, let's restart radiusd and test an authentication:

systemctl restart radiusd

Sources

https://www.golinuxcloud.com/integrate-freeradius-with-active-directory/