How to integrate RADIUS with Kerberos?

We've got properly configured LDAP+Kerberos on our wired network.

Now we want our users to log in to our WiFi network by using their normal credentials. I've found lots of HOWTOS about LDAP+RADIUS but none of them mention Kerberos in the pack. Can anyone point me to a good HOWTO on integrating RADIUS with Kerberos? I found only this short article and some non-informative posts on Usenet.

EDIT: The system is Gentoo Linux using OpenLDAP and Heimdal (Kerberos). The WiFi hardware is several Linksys WRT54GL units running OpenWRT.


Solution 1:

This can be done w/ 802.1x - PEAP-MSCHAP to MIT's kerberos with the help of KCRAP. Originally developed to allow Samba users to authenticate to kerberos using NTLM, its libraries can be used in freeradius to do the required verification of the NTLM hash.

This solution requires that you're comfortable running and maintaining custom software. The rough steps to implementation are:

  1. Add the arcfour-hmac:normal password hash to your KDB. Users will have to update their passwords to create the required hash for NTLM.
  2. Build and install a kcrapd daemon to run on the KDB(s) to lookup user hashes.
  3. Build, install, and configure the kcrap-libs on your RADIUS server(s).
  4. Build an auth module for your radius server that interfaces w/ the kcrap-libs to authenticate users.

We run this solution for an entire campus w/ windows devices automatically authenticating using their native AD credentials against our synchronized KDBs.

Solution 2:

Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf:

modules {
    # Kerberos authenticator: verifies the clear-text password supplied in the
    # request against the KDC, using this keytab/principal to verify the KDC
    # reply (so a spoofed KDC cannot forge an "accepted" result).
    krb5 {
            keytab = ${confdir}/radius.keytab
            service_principal = radius/radius.example.com
    }

    # LDAP lookup used for authorization: finds the user by Kerberos principal
    # and applies the radiusprofile objectClass / dialupAccess checks below.
    ldap {
            cache = no
            server = "ldap"
            identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
            password = secret
            basedn = "dc=com"
            filter = "(krbPrincipalName=%{User-Name})"
            base_filter = "(objectClass=radiusprofile)"

            tls {
                    start_tls = no
                    # tls_cacertfile        = /path/to/cacert.pem
                    # tls_cacertdir         = /path/to/ca/dir/
                    # tls_certfile          = /path/to/radius.crt
                    # tls_keyfile           = /path/to/radius.key
                    # tls_randfile          = /path/to/rnd
                    # tls_require_cert      = "demand"
            }

            default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
            profile_attribute = "radiusProfileDn"
            access_attr = "dialupAccess"

            dictionary_mapping = ${raddbdir}/ldap.attrmap

            ldap_connections_number = 5

            groupname_attribute = cn
            groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
            #groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            # do_xlat = yes
            # access_attr_used_for_allow = yes

            # set_auth_type = yes
    }
}

This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).
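The modules block above declares krb5 and ldap but does not show where they run; here is the matching virtual-server wiring, added as an example (not part of the answer above) and assuming FreeRADIUS 2.x with the standard sites-enabled/default section names. Because rlm_krb5 can only verify a clear-text User-Password, for the 802.1X WiFi case in the question this logic belongs in the inner-tunnel virtual server behind EAP-TTLS/PAP; PEAP-MSCHAPv2 carries no password and needs the KCRAP approach from Solution 1.

```conf
# Added example: virtual-server sections that use the krb5 and ldap modules.
# Assumes FreeRADIUS 2.x; place in sites-enabled/default (or inner-tunnel
# when the request arrives inside an EAP-TTLS/PAP tunnel).
authorize {
    preprocess
    # Authorization first: the ldap filter "(krbPrincipalName=%{User-Name})"
    # plus access_attr = "dialupAccess" reject unknown or disabled users
    # before any traffic is sent to the KDC.
    ldap
    # Only requests carrying a clear-text password can be checked against
    # Kerberos; hand exactly those to the krb5 authenticator.
    if (User-Password) {
        update control {
            Auth-Type := Kerberos
        }
    }
}

authenticate {
    Auth-Type Kerberos {
        krb5
    }
}

post-auth {
    # Strip everything but the allowed attributes from rejects; failed
    # attempts are also visible in the KDC log, which is the place to
    # watch for password guessing against the realm.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```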

Solution 3:

If Microsoft, then there are a couple of articles: TechNet, and a document here, TechNet Word Doc.