@keestux
Forked from abbra/FreeRadius + FreeIPA
Last active April 13, 2019 20:12
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ the host principal has permission to create its own services
kinit -k
ipa service-add 'radius/HOSTNAME'
# create a keytab for the radius service principal
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# Test daemon with the new keytab
KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X
# make radius use the keytab for SASL GSSAPI
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
# edit /etc/raddb/mods-enabled/ldap and set the following in the ldap module
ldap {
    server = 'LDAP HOSTNAME'
    base_dn = 'cn=accounts,dc=example,dc=org'
    sasl {
        mech = 'GSSAPI'
        realm = 'YOUR REALM'
    }
    update {
        control:NT-Password := 'ipaNTHash'
    }
}
# How to request certificates from IPA server for RADIUS
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
openssl dhparam -out /etc/raddb/certs/dh 2048
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
# Edit /etc/raddb/mods-enabled/eap and point the shared TLS config at the IPA-issued files
tls-config tls-common {
    private_key_file = /etc/pki/tls/private/radius.key
    certificate_file = /etc/pki/tls/certs/radius.pem
    ca_file = /etc/ipa/ca.crt
}
# Make the certificate world-readable and the private key readable only by root and radiusd
chmod 644 /etc/pki/tls/certs/radius.pem
chown root:radiusd /etc/pki/tls/private/radius.key
chmod 640 /etc/pki/tls/private/radius.key
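Added post-deployment audit, not part of the gist: a POSIX shell script that checks the properties the procedure above establishes (keytab and private key mode 640, certificate 644, ldap module binding via SASL GSSAPI with no static bind password, systemd drop-in pointing radiusd at the keytab). The function names and the optional ROOT prefix argument are my own; it assumes GNU stat.

```shell
#!/bin/sh
# Post-deployment audit for the FreeRADIUS + FreeIPA setup above (added example,
# not part of the gist). Verifies least-privilege file modes and that the LDAP
# bind relies on the keytab (GSSAPI) rather than a cleartext bind password.

# check_mode FILE MODE: 0 if FILE's octal permission bits equal MODE, else 1.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    [ "$actual" = "$2" ] && return 0
    echo "bad mode on $1: $actual (want $2)"
    return 1
}

# check_ldap_module FILE: 0 if the ldap module uses SASL mech GSSAPI and has no
# uncommented 'password =' line (a static bind credential), else 1.
check_ldap_module() {
    grep -Eq "^[[:space:]]*mech[[:space:]]*=[[:space:]]*'?GSSAPI'?" "$1" || {
        echo "$1: sasl mech is not GSSAPI"; return 1; }
    if grep -Eq "^[[:space:]]*password[[:space:]]*=" "$1"; then
        echo "$1: static bind password present"; return 1
    fi
    return 0
}

# check_dropin FILE KEYTAB: 0 if the systemd drop-in exports KRB5_CLIENT_KTNAME=KEYTAB.
check_dropin() {
    grep -qx "Environment=KRB5_CLIENT_KTNAME=$2" "$1" || {
        echo "$1: KRB5_CLIENT_KTNAME not set to $2"; return 1; }
}

# audit_deployment [ROOT]: run all checks on the gist's paths under ROOT (default: /).
audit_deployment() {
    r=${1:-}
    rc=0
    check_mode "$r/etc/raddb/radius.keytab" 640 || rc=1
    check_mode "$r/etc/pki/tls/private/radius.key" 640 || rc=1
    check_mode "$r/etc/pki/tls/certs/radius.pem" 644 || rc=1
    check_ldap_module "$r/etc/raddb/mods-enabled/ldap" || rc=1
    check_dropin "$r/etc/systemd/system/radiusd.service.d/krb5_keytab.conf" \
        /etc/raddb/radius.keytab || rc=1
    return $rc
}

# Audit the live system only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_deployment; fi
```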
keestux commented Apr 13, 2019

Hmm. Apparently not. userPassword is not an allowed attribute.