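# FreeRADIUS on a FreeIPA-enrolled host: Kerberos keytab for SASL/GSSAPI
# LDAP binds, and an IPA-issued TLS certificate for EAP.
# Replace HOSTNAME, 'LDAP HOSTNAME', the base_dn and 'YOUR REALM' with your
# own values first. This is a step-by-step procedure rather than a batch
# script: `radiusd -X` runs in the foreground and the two "edit" steps are
# done by hand, so run it one step at a time.
#
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed.
# In FreeIPA 4.6+ host principal has permissions to create own services.
kinit -k
ipa service-add 'radius/HOSTNAME'

# create keytab for radius user
# NOTE: ipa-getkeytab generates a new key for the principal, which invalidates
# any keytab previously retrieved for radius/HOSTNAME.
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
# The keytab is a long-term credential: root-owned, readable by group radiusd only.
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab

# Test daemon with the new keytab (foreground debug mode; stop it with Ctrl-C
# once the LDAP bind succeeds, then continue)
KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X

# make radius use the keytab for SASL GSSAPI
# The leading '-' on ExecStartPre/ExecStopPost tells systemd to ignore a
# kdestroy failure (e.g. no credential cache to destroy).
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf <<'EOF'
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload

# Edit /etc/raddb/mods-enabled/ldap by hand and set:
#   ldap server = 'LDAP HOSTNAME'
#   ldap base_dn = 'cn=accounts,dc=example,dc=org'
#   ldap sasl mech = 'GSSAPI'
#   ldap sasl realm = 'YOUR REALM'
#   ldap sasl update control:NT-Password := 'ipaNTHash'

# How to request certificates from IPA server for RADIUS
# The stock self-signed certs are moved aside, not deleted, so the change can
# be reverted.
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# openssl dhparam takes the bit size as its last positional argument;
# with OpenSSL 1.1+ placing it before -out is rejected as an extra argument.
openssl dhparam -out /etc/raddb/certs/dh 2048
# Request a service certificate through certmonger: -w waits for issuance,
# -C restarts radiusd whenever the cert is (re)issued so renewals are picked up.
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME

# Edit /etc/raddb/mods-enabled/eap by hand and point the TLS config at the
# IPA-issued files:
#   tls-config tls-common {
#       private_key_file = /etc/pki/tls/private/radius.key
#       certificate_file = /etc/pki/tls/certs/radius.pem
#       ca_file = /etc/ipa/ca.crt
#   }

# Make the files readable for radiusd: the certificate is public, the private
# key stays root-owned and readable by group radiusd only.
# NOTE(review): confirm these modes survive a certmonger renewal, which
# rewrites both files.
chmod 644 /etc/pki/tls/certs/radius.pem
chown root:radiusd /etc/pki/tls/private/radius.key
chmod 640 /etc/pki/tls/private/radius.key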