
FreeRADIUS with Secure LDAP (LDAPS) on Azure AD Domain Services

I recently had to integrate FreeRADIUS with a Secure LDAP (LDAPS, or LDAP over SSL) service running in Azure cloud. This post is an attempt to consolidate all the steps that were required to make it work successfully.

Introduction to LDAPS

LDAP (Lightweight Directory Access Protocol) traffic uses TCP and UDP port 389 and is unencrypted by default. LDAPS, on the other hand, uses TCP port 636 and encrypts communication between client and server.

LDAP uses the bind operation to authenticate users. It can either use simple bind, in which the username and password are sent in cleartext at the protocol level (so they are only protected if the transport itself is encrypted), or SASL (Simple Authentication and Security Layer), which provides several authentication mechanisms such as DIGEST-MD5 and Kerberos.

For encryption, LDAP can use either LDAPS or StartTLS. StartTLS, which upgrades a plain LDAP connection on port 389 to TLS, is the preferred method; LDAPS was never formally standardized and is considered deprecated, although it remains widely deployed.

FreeRADIUS can use LDAP as an authentication oracle: FreeRADIUS passes the user's credentials to the LDAP server in a bind operation, the server returns a pass/fail response, and FreeRADIUS generates an Access-Accept or Access-Reject packet based on that. A method for making LDAP work with CHAP/MS-CHAP/PEAP is documented here, but it requires FreeRADIUS to be able to read the users' cleartext passwords from the directory.

(Source) Only PAP works with LDAP “bind as user”

Integration Parameters

We will be using LDAP "bind as user" with simple bind instead of SASL. As my customer was using LDAPS, this guide is based on that.

FreeRADIUS Installation

I recommend using FreeRADIUS v3.0.17. Version 3.0.15 and some older versions have a bug that makes the FreeRADIUS server crash with a segmentation fault during LDAP authentication.

This is the procedure to install FreeRADIUS on Ubuntu 16.04.5 LTS, including the dependencies required to compile FreeRADIUS with LDAP support:

apt-get install libssl-dev libtalloc-dev libkqueue-dev build-essential libmysqlclient-dev libgcrypt11-dev libldap2-dev ldap-utils
git clone https://github.com/FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout release_3_0_17
./configure
make
make install

At this point you should be able to successfully run FreeRADIUS in debug mode using the following command:

radiusd -X

LDAPS Setup

Before configuring LDAPS in FreeRADIUS, we should first test it locally using the ldapsearch utility (on Linux) or ldp.exe (on Windows).

You might need to add your server's certificate to the Trusted Root Certification Authorities store. On Linux, you need to convert the .pfx certificate to .crt (PEM) format, which can be done with this command:

openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.crt]

After conversion, place your .crt certificate file in /usr/share/ca-certificates/extra/ directory:

mkdir /usr/share/ca-certificates/extra
cp [certificate.crt] /usr/share/ca-certificates/extra/certificate.crt
dpkg-reconfigure ca-certificates

The dpkg-reconfigure ca-certificates command will run an interactive wizard where you’ll need to select your newly added certificate to add it to CA certificate configuration.

Now you can use ldapsearch to connect to LDAPS. Assuming the domain for which you’re setting this up is example.com, and the LDAPS server is located at ldaps.example.com:

ldapsearch -H ldaps://ldaps.example.com:636 -x -D <username>@example.com -w <password> -b "DC=example,DC=com" -a always "(objectClass=User)" cn

Another useful command to verify user credentials is ldapwhoami:

ldapwhoami -v -H ldaps://ldaps.example.com:636 -D <username>@example.com -x -w <password>

If there are any connectivity issues at this point, troubleshoot them before going further. If it connects successfully, we are ready to set up FreeRADIUS for LDAPS.

LDAPS on FreeRADIUS

FreeRADIUS certificates are stored in raddb/certs directory. We need to convert our .pfx certificate to .pem format and place that certificate in raddb/certs directory:

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem
mkdir /usr/local/etc/raddb/certs/ldaps
cp certificate.pem /usr/local/etc/raddb/certs/ldaps

Enable LDAP module in FreeRADIUS like this:

cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/ldap ldap

Open LDAP’s configuration file for editing:

nano /usr/local/etc/raddb/mods-available/ldap

Configure LDAP module like this:

ldap {
        server = 'ldaps://ldaps.example.com'
        port = 636

        # Credentials of a dedicated FreeRADIUS service account that has the
        # permissions needed to search the directory
        identity = '<username>@example.com'
        password = '<password>'

        base_dn = 'DC=example,DC=com'

        user {
                # Comment out the default filter, which uses uid, and replace it
                # with samaccountname (the login attribute in Active Directory)
                #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        tls {
                # The certificate converted and copied to raddb/certs/ldaps above
                ca_file = /usr/local/etc/raddb/certs/ldaps/certificate.pem
        }
}

Save the file and exit. Note that ca_file must point at the certificate that issued the LDAPS server's certificate; the server certificate itself only works here when it is self-signed. Keep certificate verification enabled: if you set the module's require_cert option, use 'demand', not 'never', since 'never' accepts any certificate and defeats the purpose of LDAPS.
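As an added pre-flight check (example code written for this post, not part of the original article or of FreeRADIUS), the following POSIX shell script reads an rlm_ldap module file in the format shown above and flags the mistakes that most often stop the module from instantiating or silently weaken it: a server URI that is not ldaps://, a missing or non-PEM ca_file, and certificate verification switched off with require_cert = 'never'. The two sample module files and the placeholder PEM it writes to a temporary directory are constructed for the demo; the probe_ldaps function, which runs openssl s_client against a live server, is defined but not invoked.

```shell
#!/bin/sh
# Added example: pre-flight lint for the rlm_ldap TLS settings shown above.
# Not part of the original post or of FreeRADIUS; it only reads a
# mods-available/ldap style file and checks the values with sed/grep.

# Print the value of the first uncommented "key = value" line in $2,
# with surrounding quotes and any trailing "# comment" removed.
cfg_get() {
    key=$1
    file=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | head -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "'\""
}

# Exit status 0 when the module file passes every check, 1 otherwise.
# Findings are printed so the function is usable from a shell prompt.
lint_ldap_module() {
    file=$1
    rc=0
    server=$(cfg_get server "$file")
    port=$(cfg_get port "$file")
    ca_file=$(cfg_get ca_file "$file")
    require_cert=$(cfg_get require_cert "$file")

    case $server in
        ldaps://*) ;;
        *) echo "FAIL: server '$server' is not an ldaps:// URI"; rc=1 ;;
    esac

    [ "${port:-636}" = 636 ] || echo "WARN: port is $port; Azure AD DS LDAPS listens on 636"

    if [ -z "$ca_file" ]; then
        echo "FAIL: tls { ca_file } is not set"; rc=1
    elif [ ! -r "$ca_file" ]; then
        echo "FAIL: ca_file $ca_file is missing or unreadable"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "FAIL: ca_file $ca_file is not PEM (convert the .pfx with openssl pkcs12 -nokeys)"; rc=1
    fi

    case $require_cert in
        demand|hard) ;;
        "") echo "WARN: require_cert not set; libldap's ldap.conf default applies, set it to 'demand'" ;;
        *) echo "FAIL: require_cert = '$require_cert' disables certificate verification"; rc=1 ;;
    esac
    return $rc
}

# Live check against a real server (not run in this demo): fetch the chain
# and verify it against ca_file the same way libldap will.
probe_ldaps() {
    host=$1
    ca=$2
    openssl s_client -connect "$host:636" -CAfile "$ca" -verify_return_error </dev/null 2>&1 \
        | grep -E 'Verify return code|subject=|issuer='
}

# --- constructed sample inputs (placeholder PEM, not a real certificate) ---
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBPLACEHOLDERbm90IGEgcmVhbCBjZXJ0' \
    '-----END CERTIFICATE-----' > "$tmp/ca.pem"

GOOD_CFG=$tmp/ldap-good
cat > "$GOOD_CFG" <<EOF
ldap {
        server = 'ldaps://ldaps.example.com'
        port = 636
        tls {
                ca_file = $tmp/ca.pem
                require_cert = 'demand'
        }
}
EOF

BAD_CFG=$tmp/ldap-bad
cat > "$BAD_CFG" <<EOF
ldap {
        server = 'ldap://ldaps.example.com'   # plain LDAP, not LDAPS
        port = 389
        tls {
                ca_file = $tmp/missing.pem
                require_cert = 'never'
        }
}
EOF

echo "== $GOOD_CFG"; lint_ldap_module "$GOOD_CFG" && echo "OK"
echo "== $BAD_CFG";  lint_ldap_module "$BAD_CFG"  || echo "rejected, as expected"
```

To lint the real module file, call lint_ldap_module /usr/local/etc/raddb/mods-available/ldap; the PEM check is only a format check, so run probe_ldaps ldaps.example.com /usr/local/etc/raddb/certs/ldaps/certificate.pem afterwards to confirm that the chain the server presents actually verifies against that file.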

Virtual Server Configuration

Open the configuration file for default virtual server:

nano /usr/local/etc/raddb/sites-available/default

In the authorize section, locate -ldap and add the following code after it:

-ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}

In the authenticate section, uncomment this:

Auth-Type LDAP {
		ldap
}

Save and exit.

Testing

Start FreeRADIUS in debug mode using radiusd -X. If FreeRADIUS is unable to start and displays an error, check the debug output for details and troubleshoot accordingly. Once it starts successfully, open another session to the server and use the radtest utility to test authentication:

radtest <username> <password> localhost 0 testing123

If everything goes well you should receive an Access-Accept packet, indicating that FreeRADIUS is successfully integrated with LDAPS.

16 Comments

  1. Thank you

  2. Filip says:

    And what about using MSCHAP?

    1. Please check this link

  3. Adam says:

    This config doesn’t work. radtest succeeds but eapol_test does not. AADDS does not allow the userPassword field to be accessible, there is no auth on behalf phase so it never auths.

    1. It only works with PAP, which is not very practical, I have to admit.

  4. Aymeric says:

    add :
    apt install gcc libcrypto-dev for ubuntu 20.04
    😉

  5. Salih says:

    Hi,
    I did exactly the same (OK, I had an issue with libcrypted11, but in the end it installed everything), but I always receive this error during radiusd -X, any ideas why?

    rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
    rlm_ldap (ldap): Connecting to ldaps://ldaps.xxx.qqq:636
    TLS: can't connect: (unknown error code).
    rlm_ldap (ldap): Bind with CN=Salih,OU=AADDC Users,DC=xxx,DC=qqq to ldaps://ldaps.xxx.qqq:636 failed: Can't contact LDAP server
    rlm_ldap (ldap): Opening connection failed (0)
    rlm_ldap (ldap): Removing connection pool
    /usr/local/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

    1. Are you able to connect to LDAP server and authenticate using ldapsearch?

      1. Salih says:

        Yes i am. Meanwhile I got the hint from freeradius support:
        # Certificate Verification requirements. Can be:
        # 'never' (do not even bother trying)
        # 'allow' (try, but don't fail if the certificate
        # cannot be verified)
        # 'demand' (fail if the certificate does not verify)
        # 'hard' (similar to 'demand' but fails if TLS
        # cannot negotiate)
        #
        # The default is libldap's default, which varies based
        # on the contents of ldap.conf.
        require_cert = 'never'

        Other question: I want to use this as authentication for Windows 10/macOS and Smartphones. Currently I just can test Windows 10 and for this i got the message:
        (178) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
        (178) mschap: ERROR: MS-CHAP2-Response is incorrect

        and also the warning:
        (178) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
        (178) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

        I checked the link above but I didn’t understand this.
        In general, is this possible or not?

        1. You can check out this blog post for G Suite integration, perhaps the configs mentioned here will help.

  6. Bryce Long says:

    I've tried your config using Ubuntu 18 and I run into the following issue every time
    lm_ldap (ldap): Failed setting connection option new TLS context: Unknown error
    rlm_ldap (ldap): Opening connection failed (0)
    rlm_ldap (ldap): Removing connection pool
    /etc/freeradius/mods-enabled/ldap[1]: Instantiation failed for module "ldap"
    ldapsearch works on port 636 but I can’t get freeradius to connect

  7. etr says:

    Hello, i have followed the tutorial but seems i can not connect to google ldap.
    Freeradius says:

    Error: rlm_ldap (ldap): Failed setting connection option new TLS context: Unknown error
    Sat Apr 3 10:21:37 2021 : Debug: rlm_ldap: Closing libldap handle 0x55fc4f964ec0
    Sat Apr 3 10:21:37 2021 : Error: rlm_ldap (ldap): Opening connection failed (0)
    Sat Apr 3 10:21:37 2021 : Debug: rlm_ldap (ldap): Removing connection pool
    Sat Apr 3 10:21:37 2021 : Error: /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

    and ldapsearch

    ldapsearch -H ldaps://ldap.google.com:636 -x -D username -w mysecretpassword -b "DC=example,DC=it" -a always "(objectClass=User)" cn
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    a simple ping to ldap.google.com works

    do you have any idea ?

  8. Arak says:

    Hello, in your configuration, is

    Auth-Type LDAP {
    ldap
    }

    meanwhile there is such a note in the original configuration file

    # We do NOT recommend using this. LDAP servers are databases.
    # They are NOT authentication servers. FreeRADIUS is an
    # authentication server, and knows what to do with authentication.
    # LDAP servers do not.

    I understand that ldaps 636 forces encryption… could you explain it? very much please 🙂

    1. I also don’t recommend using this :). However, if you have to use it, this is one method of making it happen.

  9. Nigel says:

    I can connect to aadds with ldapsearch successfully but as soon as I enable the ldap mod with the config as described freeradius will not start. Am on Ubuntu 22.04 with packaged freeradius 3.0.26. Am I missing something obvious?
