Installation of a radius server for eduroam SP & IdP

The first step is to prepare the server. We suppose you already have a CentOS 7 server installed with a configured network.

Install ntp, and enable it as a daemon to run on startup:

    yum -y install ntp
    systemctl start ntpd
    systemctl enable ntpd

Then install freeradius and some utilities we'll need later:

    yum -y install epel-release
    yum -y install freeradius net-tools bind-utils

Then update the system and reboot:

    yum -y update
    reboot

Now, let's start the configuration. Configure the radius daemon (the second command empties the original file after the backup has been made):

    cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.old
    > /etc/raddb/radiusd.conf
    vi /etc/raddb/radiusd.conf

Copy and paste this config file to radiusd.conf:

---------------## BEGIN ##----------------------------------------------
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${localstatedir}/lib/radiusd
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
log {
    destination = files
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
    msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
security {
    user = radiusd
    group = radiusd
    allow_core_dumps = no
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
    auto_limit_acct = no
}
modules {
    $INCLUDE mods-enabled/
}
instantiate {
}
policy {
    $INCLUDE policy.d/
}
$INCLUDE sites-enabled/
-------------------## END ##------------------------------------------------

Next, modify the clients.conf file, where we define the clients (the wireless controller and the federation-level servers) that are allowed to send requests to this radius server, each with its own shared secret:

    vi /etc/raddb/clients.conf

---------------## BEGIN ##---------------------------
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client eduroam_flr_server_1 {
    ipaddr = 196.200.131.17
    secret = yourpasswordhere
    nastype = 'eduroam_flr'
}
# As above, only uncomment if there are two federation level servers
#client eduroam_flr_server_2 {
#    ipaddr =
#    secret =
#    nastype = 'eduroam_flr'
#}
# Replace vv.zzz.dd.xx by your controller's IP address
client wireless-controller {
    ipaddr = vv.zzz.dd.xx
    secret = passwordhere2
}
----------------## END ##----------------------------------

You can copy and paste the file above and modify it accordingly.

Then modify the proxy.conf file. It defines the home servers (the federation-level servers) to which requests for foreign realms are forwarded, and the realms that are authenticated locally:

    vi /etc/raddb/proxy.conf

-----------------## BEGIN ##-------------------------
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = auth+acct
    secret = testing123
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}
# Please modify this with your university's domain
realm university.ac.ma {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    # nostrip
}
realm LOCAL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    # nostrip
}
realm NULL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    # nostrip
}
home_server eduroam_flr_server_1 {
    type = auth+acct
    ipaddr = 196.200.131.17
    port = 1812
    secret = passwordhere
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}
# Only uncomment if there are two FLRS
#home_server eduroam_flr_server_2 {
#    ipaddr =
#    secret =
#    status_check = status-server
#    response_window = 5
#    check_interval = 10
#    check_timeout = 5
#}
home_server_pool eduroam_flr_pool {
    type = keyed-balance
    home_server = eduroam_flr_server_1
    # Only uncomment if there are two FLRS
    # home_server = eduroam_flr_server_2
}
realm "~.+$" {
    auth_pool = eduroam_flr_pool
    nostrip
}
-----------------## END ##-------------------------------

The last realm is a regular expression that matches any realm not listed explicitly, so every user whose realm is not your own is proxied to the federation-level pool; nostrip keeps the full User-Name in the forwarded request.

Install Samba, which is used to connect the radius server to Active Directory, then configure the samba file:

    yum install -y samba4 samba4-winbind samba4-client samba4-winbindclients
    vi /etc/samba/smb.conf

-----------------## BEGIN ##-------------------------
[global]
    # workgroup in uppercase
    workgroup = YOURWORKGROUP
    security = ads
    # domain controller hostname
    password server = dc1.university.ac.ma
    # realm/domain in uppercase
    realm = UNIVERSITY.AC.MA
    ntlm auth = yes

[homes]
    comment = Home Directories
    valid users = %S %D%w%S
    browseable = No
    writable = yes
-----------------## END ##-------------------------------

You can copy and paste the file above and modify it accordingly (in smb.conf only whole lines starting with # are comments, so keep the comments on their own lines).

Then configure kerberos. The Kerberos realm must be the same as the realm set in smb.conf; the file below uses CNRST.LOCAL as an example, replace it with your own:

    vi /etc/krb5.conf

-----------------## BEGIN ##-------------------------
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = CNRST.LOCAL

[realms]
    CNRST.LOCAL = {
        kdc = dc1.university.ac.ma
        admin_server = dc1.university.ac.ma
        default_domain = cnrst.local
    }

[domain_realm]
    .cnrst.local = CNRST.LOCAL
    cnrst.local = CNRST.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
-----------------## END ##-------------------------------

You can copy and paste the file above and modify it accordingly. Then configure nsswitch.
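To see which requests the realm section of proxy.conf above keeps local and which it forwards to the FLR pool, here is an added Python model of FreeRADIUS realm selection. It is an illustration written for this page, not FreeRADIUS code, and it assumes the suffix module's behaviour: the User-Name is split at the last '@', exact realm names are matched case-insensitively before regex realms, and a name that matches no realm is handled locally without stripping.

```python
import re

# Realm table transcribed from the proxy.conf above (name, destination, nostrip).
# "LOCAL" means this server authenticates the user itself; any other
# destination names a home_server_pool the request is proxied to.
REALMS = [
    ("university.ac.ma", "LOCAL", False),   # our own users, realm stripped
    ("LOCAL", "LOCAL", False),
    ("NULL", "LOCAL", False),               # User-Name without any '@'
    ("~.+$", "eduroam_flr_pool", True),     # everything else -> FLR, nostrip
]


def split_user_name(user_name):
    """Emulate the 'suffix' realm module: split at the last '@'."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def route(user_name):
    """Return (destination, User-Name as authenticated or forwarded)."""
    user, realm = split_user_name(user_name)
    key = "NULL" if realm is None else realm
    # 1. exact realm names first (compared case-insensitively)
    for name, target, nostrip in REALMS:
        if not name.startswith("~") and name.lower() == key.lower():
            return target, user_name if nostrip else user
    # 2. regex realms, tried in configuration order, against the realm part
    if realm is not None:
        for name, target, nostrip in REALMS:
            if name.startswith("~") and re.search(name[1:], realm):
                return target, user_name if nostrip else user
    # no realm matched: FreeRADIUS processes the request locally, unstripped
    return "LOCAL", user_name


if __name__ == "__main__":
    # constructed sample identities
    for u in ["alice@university.ac.ma", "bob", "carol@other.edu",
              "dave@UNIVERSITY.AC.MA", "eve@sub.university.ac.ma"]:
        print(u, "->", route(u))
```

Note that a sub-domain of your own realm (eve@sub.university.ac.ma) is not an exact match and therefore goes to the FLR pool, so every realm you serve locally must be listed explicitly.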
    cp /etc/nsswitch.conf /etc/nsswitch.conf.old
    > /etc/nsswitch.conf
    vi /etc/nsswitch.conf

-----------------## BEGIN ##-------------------------
passwd:     files winbind
shadow:     files winbind
group:      files winbind
protocols:  files winbind
services:   files winbind
netgroup:   files winbind
automount:  files nisplus winbind
#hosts:     db files nisplus nis dns
hosts:      files dns wins
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
#ethers:     db files
#netmasks:   files
#networks:   files dns
#protocols:  db files
#rpc:        files
#services:   files
#netgroup:   files
#publickey:  nisplus
#automount:  files
#aliases:    files nisplus
-----------------## END ##-------------------------------

Now, enable the smb, nmb and winbind services, and reboot the machine:

    systemctl enable smb
    systemctl enable nmb
    systemctl enable winbind
    reboot

Make sure all services started correctly by checking their status.

Add the machine's and the domain controller's hostnames to /etc/hosts, then join the domain:

    vi /etc/hosts

---------------## BEGIN ##-------------------------------
2001:4310:f6:20::2    dc1.cnrst.local dc1
192.168.20.2          dc1.cnrst.local dc1
192.168.200.33        template.cnrst.local template
-----------------## END ##-------------------------------

Join with either of:

    net join -U
    net ads join -U Administrateur -S dc1.cnrst.local

Test authentication against the domain with ntlm_auth:

    ntlm_auth --request-nt-key --domain=CNRST --username=eduroam.emi --password='23MiR@d515!.'
Configure the ntlm_auth module of freeradius. Replace /path/to/ntlm_auth with the full path of the ntlm_auth binary installed by Samba:

    vi /etc/raddb/mods-enabled/ntlm_auth

---------------## BEGIN ##-------------------------------
exec ntlm_auth {
    wait = yes
    program = "/path/to/ntlm_auth --request-nt-key --domain=cnrst.local --username=%{mschap:User-Name} --password=%{User-Password}"
}
-----------------## END ##-------------------------------

Add ntlm_auth in the authenticate section of /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel:

---
authenticate {
    ...
    ntlm_auth
    ...
}
----

Add at the end of the file /etc/raddb/mods-config/files/authorize:

----
DEFAULT Auth-Type = ntlm_auth
----

Configure mschap. The ntlm_auth line goes inside the mschap { ... } section of the file, again with the real path of the binary:

    vi /etc/raddb/mods-enabled/mschap

---------------## BEGIN ##-------------------------------
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NTDomain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
-----------------## END ##-------------------------------

Run radius in debug mode to check the configuration and watch the requests:

    radiusd -X

If all is fine, start the server and enable it on startup:

    systemctl start radiusd
    systemctl enable radiusd