http://deployingradius.com/documents/configuration/active_directory.

html

Blog | Contact us | Content | Navigation | Footer

FreeRADIUS HowTos
Getting things done quickly.

Configuring Authentication with Active

Directory
Once the PAP authentication test has been successful, the next step for sites
using Active Directory is to configure the system to perform user authentication
against Active Directory. The clear-text passwords are unavailable through
Active Directory, so we have to use Samba, and the ntlm_auth helper program.
In this configuration, we are using Active Directory as an authentication oracle,
and not as an LDAP database.

Using ntlm_auth for PAP authentication may not work on recent versions of
Samba and Active Directory. If so, just skip to the next section.

Once Samba has been installed on your system, you should edit the smb.conf
file, and configure the [global] section to point to your NT server, including
hostname and NT domain.

# workgroup = NT-Domain-Name
workgroup = MYDOMAIN
...
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = ads
# Use password server option only with security = server
password server = nt-server-hostname.company.com
...
realm = realm.company.com

For Samba 4, you also have to set the ntlm authconfiguration variable. It should
be set to either yes, or to mschapv2-and-ntlmv2-only. This configuration needs to be
set all participating Samba members, and also on (Samba4) AD-DC servers.

ntlm auth = mschapv2-and-ntlmv2-only

...

1 of 5 11/8/21, 11:04 PM
http://deployingradius.com/documents/configuration/active_directory.html

You may also have to edit the /etc/krb5.conf file, to add an entry that points to the
Active Directory Server. This is often not necessary, as Samba can just "figure it
out" when Active Directory is also the main DNS server.

[realms]
...
realm.company.com = {
kdc = nt-server-hostname.company.com
}
...

Start the Samba and Kerberos servers, and as root join the domain:

$ net join -U Administrator

Enter the administrator password at the prompt.

Next, verify that a user in the domain can be authenticated:

$ wbinfo -a user%password

You should see a number of lines of text, followed by authentication succeeded. The
next step is to try the same login with the ntlm_auth program, which is what
FreeRADIUS will be using:

$ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user

--password=password

If all goes well, you should see authentication succeeding (NT_STATUS_OK). You may
also see the NT_KEY output, which is needed in order for FreeRADIUS to perform
MS-CHAP authentication.

Configuring FreeRADIUS to use ntlm_auth

Once you have verified that Samba is installed and working correctly, and that
the ntlm_auth program works, you can proceed with configuring FreeRADIUS
to use ntlm_auth. For initial testing, we will be using the exec module, and will
run the exact command line used above.

Create or edit the ntlm_auth module configuration. In version 2, this file should be
saved as raddb/modules/ntlm_auth. In version 3, it should be saved as raddb/mods-
enabled/ntlm_auth. The contents of the file are below, with the fields to edit in bold.

exec ntlm_auth {
wait = yes

2 of 5 11/8/21, 11:04 PM
http://deployingradius.com/documents/configuration/active_directory.html

program = "/path/to/ntlm_auth --request-nt-key

--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%
{User-Password}"
}

This configuration tells the server to run the ntlm_auth program with the user
name and password obtained from the Access-Request. You will also have to list
ntlm_auth in the authenticate sections of each the raddb/sites-enabled/default file, and
of the raddb/sites-enabled/inner-tunnel file:

authenticate {
...
ntlm_auth
...
}

and add the following text for testing purposes only to the top of the users file.
In version 3, the "users" file has moved to raddb/mods-config/files/authorize.

DEFAULT Auth-Type = ntlm_auth

This configuration says "for all users, if the authenticate method has not been
set, set it to use the ntlm_auth program".

Start the server using radiusd -X, and wait for the debugging text to stop
scrolling by. If all goes well, you should see the following text:

Ready to process requests.

In another terminal window on the same machine, type the following command:

$ radtest user password localhost 0 testing123

If all goes well, you should see the server returning an Access-Accept message,
and the window with radtest should print text similar to the following:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, length=20

This text means that authentication succeeded. A few lines above this text, the
debug output will also show the exact command line used to run ntlm_auth.

Configuring FreeRADIUS to use ntlm_auth for

MS-CHAP
Once you have the previous steps working, configuring FreeRADIUS to use

3 of 5 11/8/21, 11:04 PM
http://deployingradius.com/documents/configuration/active_directory.html

ntlm_auth for MS-CHAP is simple. First, delete the testing entry used above
from the users file, as leaving it in will break other authentication types. Then,
find the mschap module in raddb/modules/mschap file, and look for the line containing
ntlm_auth = . It is commented out by default, and should be uncommented, and
edited to be as follows. As before, update the fields in bold to match your local
configuration.

ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2

--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-
Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-
response=%{mschap:NT-Response:-00}"

Start the server and use radtest to send an MS-CHAP authentication request.
You will need to have version 2.1.10 or later for this to work:

$ radtest -t mschap bob hello localhost 0 testing123

If everything goes well, you should see the server returning an Access-Accept
message as above.

If it does not work, double-check the password you entered on the supplicant
against the password in Active Directory. If it still does not work, it might be a
bug in Samba. Change your version of Samba, either by installing a fixed
version, or by repeatedly down-grading it (and testing) until it works.

If it does not work, then it is possible to test authentication with just the
ntlm_auth command-line. Look at the FreeRADIUS debug output, and see the
arguments passed to ntlm_auth. Copy and paste them to a command-line, and
then use that command line for testing. This limited test is often simpler and
faster than running a complex test with a full RADIUS server. When this limited
test passes, then authentication with FreeRADIUS will work, too.

Samba Documentation
The Samba project also has a wiki page for configuring FreeRADIUS against
Active Directory.

Welcome!
RADIUS implementations can be complicated. This site contains a collection of
hints, documentation, and information for people who are using RADIUS.

Pages:

4 of 5 11/8/21, 11:04 PM
http://deployingradius.com/documents/configuration/active_directory.html

Front page
Alan DeKok's Blog
Downloads
Protocols
Configurations
Scripts
Link archive
Back to top

Site news:
How to perform an initial setup of the server.

Configuring PAP as step one to getting the server up and running with your
local policy.

Authenticating against Active Directory is a common deployment of

FreeRADIUS

The protocol compatibility matrix shows which authentication protocols are

compatible with what password storage scheme.

Links:
FreeRADIUS
Wiki
RADIUS books
RADIUS (O'Reilly)
RADIUS (Wiley)

Contact us | Privacy policy | Sitemap | Back to top

© 2014 Alan DeKok | Design by Andreas Viklund
All rights reserved

5 of 5 11/8/21, 11:04 PM