This document provides instructions for configuring FreeRADIUS for WPA2 Enterprise authentication with Active Directory integration on an Ubuntu server. It describes installing FreeRADIUS and EasyRSA for certificate generation. The instructions explain how to configure the RADIUS server certificates and test basic authentication. It then details how to integrate Active Directory for MSCHAP authentication by configuring Samba and Kerberos, joining the Active Directory domain, and modifying FreeRADIUS configuration files. Finally, it explains how to configure wireless clients and start the FreeRADIUS service.

1. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 1 chanakan@cclk.lk
FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE
DIRECTORY INTEGRATION

2. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 2 chanakan@cclk.lk
CONFIGURING FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION

3. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 3 chanakan@cclk.lk
The Conclusion That Having a Single Wi-Fi Password for A Growing Startup Just Isn't a Viable Solution. Shared Passwords in
General Are Not a Very Good Idea, And the Very Large Number of Devices Connected Make Changing the Wireless Password
a Cumbersome Task. Therefore, The Best Practice Is to Implement WPA2 Enterprise.
WPA2 Enterprise Is a Protocol for Wireless Authentication. It Passes Authentication Requests to A Radius Server. Radius Is
a Very Large Open-Ended Protocol for Authentication. The End Goal from This Is to Have Individual Usernames and
Passwords for Each User of The WIFI Network.
INSTALLATION
Install Freeradius and easy-rsa. We'll borrow the Openvpn project's easy-rsa scripts to make the Openssl configuration
easier.
apt-get install freeradius easy-rsa samba winbind
The server starts automatically, so we'll stop it for now.
service freeradius stop
The first thing we'll do is configure the server certificates. Copy the easy-rsa scripts into your certificate directory
cp -R /usr/share/easy-rsa /etc/freeradius/certs/
Now generate the certificate authority
cd /etc/freeradius/certs/easy-rsa
source vars
./clean-all
./build-ca
The build-ca command will ask you for some information. I highly recommend you enter a password for your CA. Make
sure you keep this password as you will need it for creating certificates. Note: do not make the common name of the CA
your server's fully qualified domain name or FQDN. Common names should be unique and you will use your server's FQDN
for its certificate, which we will generate next.
./build-key-server server

4. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 4 chanakan@cclk.lk
You'll have to enter your information again. This time put the server's FQDN as the common name. I.E.
freerad.practichem.com. Answer yes to sign the certificate with the CA.
Now we will copy the needed files for Freeradius.
cp -r keys/ca.crt /etc/freeradius/certs/
I will leave a copy of the CA in the easy-rsa directory so we can generate client keys with it later.
mv keys/radius* /etc/freeradius/certs/
Now We Need to Change the Owner Of The Server Certificates To The Freerad User
chown -R freerad: freerad /etc/freeradius/certs/server*
At This Point You Should Have a Working Radius Server Setup. You Can Test It by Adding This Line to The Users File. Just
Remember to Remove It When You Are Finished Testing.
testuser Cleartext-Password := "testpassword
Now, start your radius server in debugging mode, and in another terminal run the radtest command.
freeradius -X
radtest testuser testpassword localhost 0 testing123
You Should See an Access Accepted Response. If You See Access Rejected, Something on Your Server Has Been Incorrectly
Setup. The Output of The Freeradius -X Command Should Have More Information.

5. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 5 chanakan@cclk.lk
ACTIVE DIRECTORY INTEGRATION
This Active Directory Integration Method Uses MSCHAP And Mschapv2. The Two Main Authentication Methods That Will
Work with This Are PEAP With MSCHAP Or TTLS with MSCHAP. Both Are Equally Secure, But PEAP Works on A Wider Range
of Devices, So I Decided to Have Users Use PEAP.
First You Will Want To Edit Your smb.conf
vim /etc/samba/smb.conf
Make sure the following parameters are set. Workgroup was the only one that was in my smb.conf by default.
workgroup = ADDomain
security = ads
password server = domain-controller.domain.tld
realm = domain.tld
The Realm Will Generally Be Just the Domain.
Now Edit Your Kerberos Configuration.
vim /etc/krb5.conf
Under the [realms] heading add the following. Again, the default in active directory is to set the realm to the domain.
domain.tld = {
>kdc = **domain-controller.domain.tld**
>}
Start samba
service samba start

6. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 6 chanakan@cclk.lk
Now join the active directory domain. You will need a domain admin's credentials to do this.
net join -u Administrator
Verify That the Domain Is Connected. Note That You Can Add a Space Before a Command to Prevent It from Being Added
to The History. This Is Useful When Dealing with Cleartext Passwords.
ntlm_auth --request-nt-key --domain=ADDomain --username=user --password=password
You Should See an NTSTATUSOK Message.
Before Freeradius Can Connect to Winbind, It Will Need Access to Its Socket. While The Socket Itself Has 777 Permissions,
The Surrounding Directory Is Root:Root 750. The Freerad User Needs Read and Execute Access. There Are a Couple of Ways
to Do This; I Added the Freerad User to The Winbindd_Priv Group, And Gave That Group Access to The Socket Directory.
usermod -a -G winbindd_priv freerad
chmod :winbindd_priv /var/lib/samba/winbindd_privileged/
Now We Will Configure Freeradius To Use the Ntlm_Auth for MSCHAP. Edit /Etc/Freeradius/Modules/Ntlm_Auth. Replace
/Path/To/Ntlm_Auth with /Usr/Bin/Ntlm_Auth. Replace MYDOMAIN As Your Active Directory Domain.
Open /Etc/Freeradius/Modules/Mschap. Replace /Path/To/Ntlm_Auth with /Usr/Bin/Ntlm_Auth. Replace MYDOMAIN As
Your Active Directory Domain.
Edit /Etc/Freeradius/Sites-Enabled/Default And /Etc/Freeradius/Sites-Enabled/Inner-Tunnel. Under the Authenticate
Section Add Ntlm_Auth.
>authenticate {
>...
>ntlm_auth
>...
>}

7. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 7 chanakan@cclk.lk
Now you can test the MSCHAP authentication with radtest.
radtest -t mschap **aduser** **adpassword** localhost 0 testing123
If you see an access-accept message, active directory is integrating with Freeradius.
CONFIGURE CLINETS
Now we will configure FreeRadius to allow an AP to connect. Edit /etc/freeradius/clients.conf Add a client config.
>client **client IP** {
>secret = **client-shared-secret**
>shortname = wirelessAP
>nastype = other
>}
Finally start freeradius in service mode.
service freeradius start
You should now be able to connect your wireless access point to your Freeradius server. Clients will be able to authenticate
with their AD credentials with PEAP MSCHAP or TTLS MSCHAP. This will get you support on pretty much every single
platform. If you have clients that you want to just authenticate with certificates.

8. FREERADIUS FOR WPA2 ENTERPRISE WITH ACTIVE DIRECTORY INTEGRATION June 15, 2017
Page 8 chanakan@cclk.lk