Radius with LDAP Authentication

The notes here are a quick howto for using LDAP authentication against Active Directory from FreeRADIUS. It is also possible to use Samba/Winbind/Kerberos authentication with RADIUS; I may post those notes when I get a chance, but for now this is how I implemented it with LDAP.

Install required software on CentOS/Red Hat:

yum install freeradius freeradius-ldap freeradius-utils

Edit the default site config file:

vi /etc/raddb/sites-available/default

Uncomment the ldap line under ‘authorize’ and the ‘Auth-Type LDAP’ block under ‘authenticate’ so that the file looks similar to the below:

authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

Next, edit the LDAP module configuration:

vi /etc/raddb/modules/ldap

ldap {
        server = "111.222.111.222"
        # DN used to bind for the user/group searches.
        identity = "CN=Jonny,OU=Whatever,DC=ad,DC=org,DC=uk"
        # Bind password for the identity DN above. Active Directory does not
        # allow anonymous searches, so this is required; the value is a placeholder.
        password = "BIND-PASSWORD-PLACEHOLDER"
        basedn = "DC=ad,DC=org,DC=uk"
        groupmembership_attribute = "memberOf"
        # Look the user up by sAMAccountName, using the stripped name when a realm suffix was removed.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                # With start_tls = no the user's password travels to AD in the clear on port 389;
                # for production set this to yes and point cacertfile at the AD CA certificate.
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        chase_referrals = yes
        rebind = yes
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}

Then edit the users file:

vi /etc/raddb/users

and add (reply items such as Reply-Message must be indented on the line after the DEFAULT entry, otherwise FreeRADIUS parses them as a new entry):

DEFAULT LDAP-Group == "mygroupname", Auth-Type := Accept
        Reply-Message = "OK You are a member of the required group"
DEFAULT LDAP-Group != "mygroupname", Auth-Type := Reject
        Reply-Message = "OOPS You are not a member of the required group"
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
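Added example, not part of the original post: the users file above sets Auth-Type := Accept for group members, and in FreeRADIUS an Auth-Type of Accept means the request is accepted without the password ever being checked; the third DEFAULT entry is also never reached, because one of the first two (== or !=) always matches. The variant below keeps the same group check and reply messages but forces the LDAP bind for group members and rejects everyone else. "mygroupname" is the page's placeholder group name.

```text
# /etc/raddb/users (corrected variant, constructed for this example)
# Members of the group: authenticate by binding to AD with the supplied password.
DEFAULT LDAP-Group == "mygroupname", Auth-Type := LDAP
        Reply-Message = "OK You are a member of the required group"
# Everyone else: reject in the authorize stage, no bind attempted.
DEFAULT Auth-Type := Reject
        Reply-Message = "OOPS You are not a member of the required group"
```

After restarting radiusd (or re-running radiusd -X), repeat the radtest from the Testing section twice: with the correct password it should return Access-Accept, and with a wrong password it must return Access-Reject; with the original Accept entry the second run would also succeed. Because Auth-Type LDAP authenticates by binding to AD with the password from the request, it only works for requests that carry the cleartext password (PAP, which is what radtest sends); MS-CHAP clients need the Samba/Winbind route mentioned at the top of the post.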

Testing

On the server run:

/usr/sbin/radiusd -X

On the client run:

/usr/bin/radtest "myusername" "topsecret" 127.0.0.1 2 testing123

Response:

Sending Access-Request of id 12 to 127.0.0.1 port 1812
User-Name = "myusername"
User-Password = "topsecret"
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=12, length=20

Next step is to have the same Radius server/port combination deal with LDAP authentication for some devices and MAC authentication for other devices/requests. Hopefully within the next week.

 

One Response to “Radius with LDAP Authentication”

  1. rashid

    You have mentioned the steps for LDAP authentication, but I need some clarification:

    Do I need to join the freeradius server to the Domain controller prior to installing the freeradius package on the server?
    Do I need to install the LDAP client linux package on my CentOS or Linux OS prior to installing FreeRADIUS?
    Do I need to configure the LDAP client (where FreeRADIUS is going to be installed) authentication with the LDAP server?
