
Untitled

  1. # Assuming that HOSTNAME is enrolled to IPA realm already,
  2. # run the following on HOSTNAME where RADIUS server will be deployed
  3. # In FreeIPA 4.6+ host principal has permissions to create own services
  4. kinit -k
  5. ipa service-add 'radius/HOSTNAME'
  6. # create keytab for radius user
  7. ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
  8. chown root:radiusd /etc/raddb/radius.keytab
  9. chmod 640 /etc/raddb/radius.keytab
  10.  
  11. # Test daemon with the new keytab
  12. KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X
  13.  
  14. # make radius use the keytab for SASL GSSAPI
  15. mkdir -p /etc/systemd/system/radiusd.service.d
  16. cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
  17. [Service]
  18. Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
  19. ExecStartPre=-/usr/bin/kdestroy -A
  20. ExecStopPost=-/usr/bin/kdestroy -A
  21. EOF
  22. systemctl daemon-reload
  23.  
  24. edit /etc/raddb/mods-enabled/ldap
  25. ldap server = 'LDAP HOSTNAME'
  26. ldap base_dn = 'cn=accounts,dc=example,dc=org'
  27. ldpa sasl mech = 'GSSAPI'
  28. ldpa sasl realm = 'YOUR REALM'
  29. ldap sasl update control:NT-Password := 'ipaNTHash'
  30.  
  31. # How to request certificates from IPA server for RADIUS
  32. mv /etc/raddb/certs /etc/raddb/certs.bak
  33. mkdir /etc/raddb/certs
  34. openssl dhparam 2048 -out /etc/raddb/certs/dh
  35. ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
  36.  
  37. Edit /etc/raddb/mods-enabled/eap
  38. tls-config tls-common {
  39.     private_key_file = /etc/pki/tls/private/radius.key
  40.     certificate_file = /etc/pki/tls/certs/radius.pem
  41.     ca_file = /etc/ipa/ca.crt
  42.  
  43. Make the files readable for radiusd
  44. chmod 644 /etc/pki/tls/certs/radius.pem
  45. chown root.radiusd /etc/pki/tls/private/radius.key
  46. chmod 640 /etc/pki/tls/private/radius.key