How to configure FreeRADIUS authentication in FIPS mode


Environment

  • FIPS mode enabled - running IPA server in FIPS mode is supported from >= RHEL 7.4.
  • freeradius-3.0.20-7
  • IPA server 4.9.x
  • krb5-server-1.18.2-7

Issue

  • How to configure FreeRADIUS authentication in FIPS mode for IPA users using the ldap module in FreeRADIUS.
  • How to configure FreeRADIUS authentication in FIPS mode for local users using the /etc/raddb/users configuration file.

NOTE (1): You can use the same set of steps to configure FreeRADIUS authentication in the default non-FIPS mode, except that you can skip step 1.

NOTE (2): Although FreeRADIUS can run in FIPS mode, this does not make it FIPS compliant: it still relies on non-approved ciphers and hash functions (see the MD5 override in step 5) while in FIPS mode.

Resolution

1. Enable FIPS mode on the RHEL host (optional).

a) Enable FIPS mode using the steps described in 5.3. Switching the system to FIPS mode.

b) After the system boots up, verify that FIPS mode is enabled.

# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

2. Install the IPA server.

Configure an IPA server on the RHEL host as described in Chapter 2. Installing and Uninstalling an Identity Management Server.

3. Set up the FreeRADIUS server.

Install, configure and test the FreeRADIUS server as a front-end to IPA. You can configure the server on the same host running the IPA server or on a different host.

a) Install the FreeRADIUS packages.

# dnf install freeradius freeradius-utils freeradius-ldap freeradius-krb5

NOTE: Usually, freeradius-krb5 is only needed if you want to use the rlm_krb5 module in FreeRADIUS.

b) Open the ports used by the RADIUS server.

To reach the RADIUS server from other clients, open the required ports on the firewall.

# firewall-cmd --permanent --zone=public --add-port=1812/udp --add-port=1813/udp
Success
# systemctl restart firewalld.service

c) Allow the FreeRADIUS server to accept connections from the client, which is the host running the IPA server.

  • Add the following lines in the /etc/raddb/clients.conf configuration file.
client <ipahost> {
        ipaddr = <ipaddr>
        proto = *
        secret = <freeradius_secret>
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
  • If both IPA and FreeRADIUS servers happen to run on the same host, replace <ipahost> with localhost, else replace it with the IP address or hostname of the IPA server.

d) Enable ldap in the FreeRADIUS server sites-enabled configurations.

  • By default, the FreeRADIUS server searches for users in its local file /etc/raddb/users which happens to be a symbolic link to the /etc/raddb/mods-config/files/authorize configuration file. So any user (for example, bob, steve, etc) added to this file will be able to perform RADIUS authentication.
# cat /etc/raddb/users
....
bob    Cleartext-Password := "<bob_password>"
steve Cleartext-Password := "<steve_password>"
....
  • However, you also need to enable the ldap module in the FreeRADIUS server so that it can:
    i) search for users configured with the LDAP protocol within the IPA server.
    ii) authenticate the IPA user with an LDAP bind() operation.

  • Enable LDAP authentication within the authorize and authenticate sections of the /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel configuration files:

authorize {
....
        #  The ldap module reads passwords from the LDAP database.
        #-ldap                                            <==== replace "-ldap" with "ldap"
        ldap                                                                                      
        if ((ok || updated) && User-Password) {           <==== add these lines
            update {
                control:Auth-Type := ldap
            }
        }
....
}

authenticate {
....
        Auth-Type LDAP {                                  <==== uncomment these lines
                ldap
        }
....
}

e) Enable ldap in the mods-enabled configuration.

  • Create a symbolic link from /etc/raddb/mods-available/ldap to /etc/raddb/mods-enabled/ldap and verify it.
# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
# ls -lZ /etc/raddb/mods-enabled/ldap
lrwxrwxrwx. root root unconfined_u:object_r:radiusd_etc_t:s0 /etc/raddb/mods-enabled/ldap -> /etc/raddb/mods-available/ldap
  • Edit the following lines in /etc/raddb/mods-enabled/ldap to correctly update the value for the server and base_dn attributes.
        #server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org"
        server = "ipaserver01.testdomain.com"                      <==== add the hostname of the IPA server

        #base_dn = "dc=example,dc=org"
        base_dn = "cn=users,cn=accounts,dc=testdomain,dc=com"      <==== this should start with cn=users,cn=accounts
  • Check that the user { } sub-section is present in the /etc/raddb/mods-enabled/ldap configuration file, along with the base_dn and filter attributes correctly set. If not, add the sub-section as follows:
ldap {
....
        server = "ipaserver01.testdomain.com"
        base_dn = "cn=users,cn=accounts,dc=testdomain,dc=com"
        ....
        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        ....
}

NOTE (1): As a reference, the following is the most minimal form of the /etc/raddb/mods-enabled/ldap configuration file that has been tested successfully. You can omit the options { } sub-section entirely, in which case the FreeRADIUS server uses its default values.

ldap {
	server = "ipaserver01.testdomain.com"
	base_dn = "cn=users,cn=accounts,dc=testdomain,dc=com"

#	port = 389

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	options {
		idle = 60
		probes = 3
		interval = 3
	}
}

NOTE (2): For Active Directory users, a group sub-section is needed along with the user sub-section.

NOTE (3): For instructions on how to set up soft-token based OTP using IdM and FreeRADIUS, refer to the additional steps provided in One time password (OTP) authentication in Identity Management.

4. Configure an IPA user in the IPA server

Add an IPA user by running the below commands:

# kinit admin
# ipa user-add --first " " --last " " radiususer --password
<Enter password when prompted>

NOTE: There is no need to add this user to /etc/raddb/users, as the FreeRADIUS server is already configured to use LDAP in steps 3d and 3e.

5. Start the FreeRADIUS server and test user authentication.

FreeRADIUS uses MD5 for establishing connections with services such as LDAP. However, MD5 is blocked in FIPS mode, which prevents the FreeRADIUS client and server applications from running. If the FreeRADIUS server is running on the same host as the IdM server, you can work around the problem and enable MD5 by performing the following steps:

  • Create the environment variable, RADIUS_MD5_FIPS_OVERRIDE for the radiusd service:
# systemctl edit radiusd

[Service]
Environment=RADIUS_MD5_FIPS_OVERRIDE=1
  • To apply the change, reload the systemd configuration and start the radiusd service:
# systemctl daemon-reload
# systemctl start radiusd
  • Create the /etc/krb5.conf.d/krad file with the following content:
[libdefaults]
radius_md5_fips_override = true
  • Restart the krb5kdc service so that it picks up the new krad setting:
# systemctl restart krb5kdc
  • To check authentication for the IPA user radiususer and local RADIUS user bob, use the radtest RADIUS client application:
# radtest radiususer <password> ipaserver01 1812 <freeradius_secret>
Sent Access-Request Id 3 from 0.0.0.0:49398 to <ipaddr>:1812 length 96
	User-Name = "radiususer"
	User-Password = "<password>"
	NAS-IP-Address = <ipaddr>
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "<password>"
Received Access-Accept Id 3 from <ipaddr>:1812 to <ipaddr>:49398 length 20

# radtest bob <bob_password> ipaserver01 1812 <freeradius_secret>
Sent Access-Request Id 168 from 0.0.0.0:51650 to <ipaddr>:1812 length 73
	User-Name = "bob"
	User-Password = "<bob_password>"
	NAS-IP-Address = <ipaddr>
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "<bob_password>"
Received Access-Accept Id 168 from <ipaddr>:1812 to <ipaddr>:51650 length 32

If the FreeRADIUS server returns Access-Accept as shown above, the authentication has been successfully verified.

NOTE (1): The OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable is deprecated in RHEL 8.

NOTE (2): Starting radiusd in FIPS mode without RADIUS_MD5_FIPS_OVERRIDE returns the following error:

Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.

NOTE (3): To run FreeRADIUS in debug mode:

# RADIUS_MD5_FIPS_OVERRIDE=1 radiusd -X
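A pre-flight script that automates the checks from step 5, added here as an example and not part of the Red Hat article: it reads the kernel FIPS flag, confirms the RADIUS_MD5_FIPS_OVERRIDE setting on the radiusd unit and the krad override, flags a clients.conf that still carries the stock testing123 secret, and classifies radtest output. The file name preflight.sh, the function names and the constructed sample inputs are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the FreeRADIUS + IPA FIPS setup above (added example, not
# part of the Red Hat article). Each check takes its input text as an argument so
# it can be exercised on constructed data; main() feeds it the live values.

# Kernel FIPS state: $1 is the value of crypto.fips_enabled ("0" or "1").
fips_state() {
    case "$1" in 1) echo on ;; *) echo off ;; esac
}

# Does the radiusd unit export the MD5 override? $1 is the output of
# `systemctl show radiusd -p Environment` (several variables may share the line).
unit_has_override() {
    printf '%s\n' "$1" | grep -Eq '(^|[ =])RADIUS_MD5_FIPS_OVERRIDE=1([ ]|$)'
}

# Does the krad snippet ($1 = file content) enable the KDC-side override?
krad_has_override() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*radius_md5_fips_override[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# Flag a clients.conf ($1 = file content) that still uses the example secret
# "testing123" shipped in the stock file; a NAS secret should be long and unique.
uses_default_secret() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*secret[[:space:]]*=[[:space:]]*"?testing123"?[[:space:]]*$'
}

# Classify radtest output ($1): accept, reject, or none (timeout or error).
radtest_verdict() {
    if   printf '%s\n' "$1" | grep -q '^Received Access-Accept'; then echo accept
    elif printf '%s\n' "$1" | grep -q '^Received Access-Reject'; then echo reject
    else echo none; fi
}

# Live run on the RADIUS host: sh preflight.sh <user> <password> <radius_host> <secret>
main() {
    rc=0
    [ "$(fips_state "$(cat /proc/sys/crypto/fips_enabled)")" = on ] || echo "WARN: FIPS mode is off"
    unit_has_override "$(systemctl show radiusd -p Environment)" || { echo "FAIL: radiusd lacks RADIUS_MD5_FIPS_OVERRIDE=1"; rc=1; }
    krad_has_override "$(cat /etc/krb5.conf.d/krad 2>/dev/null)" || { echo "FAIL: /etc/krb5.conf.d/krad override missing"; rc=1; }
    uses_default_secret "$(cat /etc/raddb/clients.conf)" && { echo "FAIL: clients.conf still uses testing123"; rc=1; }
    v=$(radtest_verdict "$(radtest "$1" "$2" "$3" 1812 "$4" 2>&1)")
    echo "radtest $1: $v"; [ "$v" = accept ] || rc=1
    return $rc
}
case "$0" in *preflight.sh) main "$@" ;; esac
```

Run it as root on the FreeRADIUS host after step 5; a non-zero exit means at least one of the prerequisites or the radtest Access-Accept is missing.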

Additional notes

The two-factor authentication using OTP + radius can be configured if the FreeRADIUS server is running on the same host as the IdM server by following the steps below or following the instructions in One time password (OTP) authentication in Identity Management.

  • Create the /etc/systemd/system/radiusd.service.d/ipa-otp.conf file with the following content:
[Service]
Environment=RADIUS_MD5_FIPS_OVERRIDE=1
  • Reload the systemd configuration:
# systemctl daemon-reload
  • Start the radiusd service:
# systemctl start radiusd
  • Check that /etc/krb5.conf.d/krad contains:
[libdefaults]
radius_md5_fips_override = true
  • Set the RADIUS proxy on the IdM server:
# ipa radiusproxy-add <radius_proxy> --server=<radius_ipaddr> --secret
<Enter secret when prompted>
  • Change user mode for the IdM user:
# ipa user-mod --user-auth-type=radius <ipauser>
# ipa user-mod --radius=<radius_proxy> <ipauser>

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.