
FreeRADIUS with Secure LDAP (LDAPS) on Azure AD Domain Services

I recently had to integrate FreeRADIUS with a Secure LDAP (LDAPS, or LDAP over SSL/TLS) service provided by Azure AD Domain Services. This post consolidates all the steps that were required to make it work.

Introduction to LDAPS

LDAP (Lightweight Directory Access Protocol) traffic uses TCP (and occasionally UDP) port 389 and is unencrypted by default. LDAPS wraps the same protocol in TLS (originally SSL) on TCP port 636, so everything between client and server, including the bind credentials, is encrypted.

LDAP authenticates clients with the bind operation. A simple bind sends the user's DN and password in cleartext inside the LDAP message, so it is only safe over an encrypted connection. A SASL (Simple Authentication and Security Layer) bind instead negotiates a mechanism such as DIGEST-MD5 or GSSAPI (Kerberos) that does not transmit the password itself.

For encryption LDAP can use either LDAPS or StartTLS. StartTLS, which upgrades a plain port 389 connection to TLS, is the mechanism the LDAP standards (RFC 4513) define; LDAPS on port 636 predates it and is often described as deprecated, but it remains widely deployed and is what Azure AD Domain Services offers as Secure LDAP.

FreeRADIUS can use LDAP as an authentication oracle: it passes the user's credentials to the directory, the directory answers pass or fail, and FreeRADIUS turns that into an Access-Accept or Access-Reject packet. This only works when FreeRADIUS holds the user's cleartext password, because it has to bind to LDAP as that user. PAP delivers the cleartext (the RADIUS client obfuscates User-Password with the shared secret and the server reverses it); CHAP, MS-CHAP and PEAP/EAP-MSCHAPv2 deliver only a challenge response, which the server can verify only if it already knows the password (or its NT hash). A method to make LDAP work with CHAP/MS-CHAP/PEAP is documented here, but it requires the directory to hand the user's password back in cleartext, which this directory does not do (see the comments below).

(Source) "Only PAP works with LDAP 'bind as user'"
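To make the PAP-only restriction concrete, here is an added example (not code from this post or from FreeRADIUS) that models what the RADIUS server holds after each authentication method arrives, and the LDAP simple BindRequest it would have to send. The User-Password obfuscation follows RFC 2865 section 5.2, CHAP follows section 5.3, and the BindRequest is the RFC 4511 BER encoding; the shared secret, Request Authenticator, DN and passwords are constructed sample values, and the message ID is assumed to fit in one BER byte.

```python
"""Why PAP is the only RADIUS method that works with LDAP "bind as user".

Added example, not code from the post or from FreeRADIUS. It models the RADIUS
server's view of the credentials it receives (RFC 2865) and the LDAP simple
BindRequest it would have to send (RFC 4511). All values below are constructed.
"""
import hashlib
import hmac

# Constructed sample values (not from the post).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))          # would be random per request
USER_DN = b"cn=alice,dc=example,dc=com"
PASSWORD = b"correct horse battery"


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a 16-octet multiple, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_decode(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode: the server recovers the cleartext password,
    which is exactly what a bind-as-user LDAP check needs."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")     # RADIUS cannot carry passwords ending in NUL


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: the client sends MD5(ident + password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, response: bytes, challenge: bytes,
                known_password: bytes) -> bool:
    """The server can check CHAP only if it already holds the cleartext password."""
    return hmac.compare_digest(chap_response(ident, known_password, challenge), response)


def _ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV with definite length (short and long forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def ldap_simple_bind(message_id: int, dn: bytes, password: bytes) -> bytes:
    """RFC 4511 4.2 BindRequest with simple authentication. The password is a
    plain OCTET STRING inside the message: only the surrounding TLS (LDAPS)
    protects it on the wire. message_id is assumed to be 1..127 (one BER byte)."""
    bind = _ber(0x60,                          # [APPLICATION 0] BindRequest
                _ber(0x02, b"\x03")            # version INTEGER 3
                + _ber(0x04, dn)               # name LDAPDN
                + _ber(0x80, password))        # authentication [0] simple
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind)   # LDAPMessage


def bind_request_for(attrs: dict, secret: bytes, authenticator: bytes):
    """What the RADIUS server can do with the credential attribute it received.
    Returns the LDAP BindRequest bytes for PAP, or None when the method gives
    the server no cleartext password to bind with (CHAP here; MS-CHAP and
    EAP-MSCHAPv2 have the same property)."""
    if "User-Password" in attrs:              # PAP
        cleartext = pap_decode(attrs["User-Password"], secret, authenticator)
        return ldap_simple_bind(1, attrs["dn"], cleartext)
    if "CHAP-Password" in attrs:              # CHAP: a hash arrived, not the password
        return None
    raise ValueError("no credential attribute")


if __name__ == "__main__":
    pap = {"dn": USER_DN, "User-Password": pap_encode(PASSWORD, SECRET, AUTHENTICATOR)}
    chap = {"dn": USER_DN, "CHAP-Password": chap_response(7, PASSWORD, AUTHENTICATOR)}
    print("PAP  -> BindRequest:", bind_request_for(pap, SECRET, AUTHENTICATOR).hex())
    print("CHAP -> BindRequest:", bind_request_for(chap, SECRET, AUTHENTICATOR))
```

Run it and the PAP request yields a complete BindRequest whose last bytes are the recovered password, while the CHAP request yields nothing to bind with. The same reasoning applies to MS-CHAP and EAP-MSCHAPv2: the NT-hash-based response can be checked only against a known password or NT hash, which is why the "bind as user" design is tied to PAP.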

Integration Parameters

We will use LDAP "bind as user" with a simple bind rather than SASL, over LDAPS, since that is what my customer's environment exposed.

FreeRADIUS Installation

I recommend using FreeRADIUS v3.0.17. Version 3.0.15 and some older releases have a bug where the server crashes with a segmentation fault during LDAP authentication.

This is the procedure to install FreeRADIUS from source on Ubuntu 16.04.5 LTS, including the dependencies needed to build it with LDAP support (libldap2-dev supplies the client headers; ldap-utils provides the ldapsearch and ldapwhoami tools used later):

apt-get install libssl-dev libtalloc-dev libkqueue-dev build-essential libmysqlclient-dev libgcrypt11-dev libldap2-dev ldap-utils
git clone https://github.com/FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout release_3_0_17
./configure
make
make install

With the default ./configure prefix, make install places the binaries under /usr/local and the configuration under /usr/local/etc/raddb; the paths below assume that. At this point you should be able to run FreeRADIUS in debug mode with the following command:

radiusd -X

LDAPS Setup

Before configuring LDAPS in FreeRADIUS we should first test it locally using ldapsearch utility (for Linux) or ldp.exe (for Windows).

You might need to add the server's certificate to the Trusted Root Certification Authorities store so the client can validate it. Azure AD DS Secure LDAP is configured with a .pfx bundle (certificate plus private key), but the client only needs the public certificate, which is what the -nokeys option below extracts; keep the .pfx itself off the RADIUS host, since it contains the private key. On Linux, convert the .pfx to .crt (PEM) format with this command:

openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.crt] 

After conversion, place your .crt certificate file in /usr/share/ca-certificates/extra/ directory:

mkdir /usr/share/ca-certificates/extra
cp [certificate.crt] /usr/share/ca-certificates/extra/certificate.crt
dpkg-reconfigure ca-certificates

The dpkg-reconfigure ca-certificates command runs an interactive wizard where you select the newly added certificate; it is then linked into /etc/ssl/certs, where OpenSSL-based clients such as ldapsearch find it.

Now you can use ldapsearch to connect over LDAPS. Assuming the domain you are setting this up for is example.com and the LDAPS server is ldaps.example.com, the following binds as a user and lists the cn of every user object (-w puts the password on the command line, where it lands in shell history and is visible in ps; use -W to be prompted instead on a shared host):

ldapsearch -H ldaps://ldaps.example.com:636 -x -D <username>@example.com -w <password> -b "DC=example,DC=com" -a always "(objectClass=User)" cn

Another useful command to verify user credentials is ldapwhoami:

ldapwhoami -v -H ldaps://ldaps.example.com:636 -D <username>@example.com -x -w <password>

If the connection fails here, fix it before touching FreeRADIUS: a TLS handshake error usually means the CA certificate is not trusted or the hostname you connect to does not match the certificate's subject/SAN, and an invalidCredentials response (LDAP result code 49) means the bind account or password is wrong. Do not work around certificate errors by setting TLS_REQCERT never in ldap.conf, since that disables the only check that stops a rogue LDAPS endpoint from harvesting the passwords FreeRADIUS will forward. Once ldapwhoami succeeds, we are ready to set up FreeRADIUS for LDAPS.

LDAPS on FreeRADIUS

FreeRADIUS keeps certificates in the raddb/certs directory. We convert the .pfx to .pem format (again the public certificate only, no private key) and place it in a sub-directory there:

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem
mkdir /usr/local/etc/raddb/certs/ldaps
cp certificate.pem /usr/local/etc/raddb/certs/ldaps

Enable LDAP module in FreeRADIUS like this:

cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/ldap ldap

Open LDAP’s configuration file for editing:

nano /usr/local/etc/raddb/mods-available/ldap

Configure LDAP module like this:

ldap {

        # With an ldaps:// URL the connection is TLS from the first byte
        server = 'ldaps://ldaps.example.com'
        port = 636

        # Credentials of a dedicated, read-only service account that FreeRADIUS
        # uses only to look up the user's DN. The user is then authenticated by
        # a separate bind with their own credentials ("bind as user").

        identity = <username>@example.com
        password = <password>

        base_dn = 'DC=example,DC=com'
        user {

        # Comment out the default filter, which uses uid, and replace it with
        # sAMAccountName, the attribute Active Directory keys users on

                #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        tls {
                # The certificate converted above; the file name must match what
                # was copied into raddb/certs/ldaps
                ca_file = /usr/local/etc/raddb/certs/ldaps/certificate.pem
                # Refuse to talk to a server whose certificate cannot be
                # validated; never relax this to 'never' or 'allow' to make a
                # certificate error go away
                require_cert = 'demand'
        }
}

Save the file and exit.

Virtual Server Configuration

Open the configuration file for default virtual server:

nano /usr/local/etc/raddb/sites-available/default

In the authorize section, locate the -ldap line and add the following directly below it. The leading "-" makes the module optional, so the server still starts if it fails to load; the if block sets Auth-Type to ldap only when the request carries a cleartext User-Password, i.e. when the client used PAP:

	-ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}

In the authenticate section, uncomment this so that requests with Auth-Type ldap are authenticated by binding to the directory as the user:

Auth-Type LDAP {
		ldap
}

Save and exit.

Testing

Start FreeRADIUS in debug mode with radiusd -X. If FreeRADIUS is unable to start and displays an error, check the debug output for the details and troubleshoot accordingly. Once it starts successfully, open another session to the server and use the radtest utility to test authentication (the arguments are user, password, server, NAS port number and the shared secret; testing123 is the default secret for localhost in clients.conf and must be changed in production):

radtest <username> <password> localhost 0 testing123

If everything goes well you should receive an Access-Accept packet, indicating that FreeRADIUS is successfully integrated with LDAPS. Note that radtest sends PAP (a User-Password attribute) by default, which is the only method this setup supports; radtest -t mschap against the same user will be rejected.

Nasir Hafeez

A CCIE certified networks and systems specialist with 8+ years of experience in designing, configuring, troubleshooting, and documenting diverse IT scenarios for ISPs, enterprises and startups

5 Comments

  1. Thank you

  2. Filip says:

    And what about using MSCHAP?

    1. Please check this link

  3. Adam says:

    This config doesn’t work. radtest succeeds but eapol_test does not. AADDS does not allow the userPassword field to be accessible, there is no auth on behalf phase so it never auths.

    1. It only works with PAP, which is not very practical, I have to admit.
