Radius with LDAP Authentication

The notes here are a quick howto for using LDAP authentication against Active Directory. It is possible to use Samba/Winbind/Kerberos authentication within Radius too and I may post those notes when I get a chance but for now this is how I implemented it with LDAP.

Install required software on CentOS/Red Hat:

yum install freeradius freeradius-ldap freeradius-utils

Edit the default site config file:

vi /etc/raddb/sites-available/default

Uncomment the ldap line under ‘authorize’ and the ‘Auth-Type LDAP’ lines under ‘authenticate’ so that it looks similar to below:

authorize {
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
ldap
files
expiration
logintime
pap
}
authenticate {
Auth-Type LDAP{
               ldap
       }
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}

Next

vi /etc/raddb/modules/ldap


ldap {
server = "111.222.111.222"
identity = "CN=Jonny,OU=Whatever,DC=ad,DC=org,DC=uk"
basedn = "DC=ad,DC=org,DC=uk"
groupmembership_attribute = "memberOf"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
chase_referrals = yes
rebind = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}

Then edit the users file

vi /etc/raddb/users

add:

DEFAULT LDAP-Group == "mygroupname", Auth-Type := Accept
Reply-Message = "OK You are a member of the required group"
DEFAULT LDAP-Group != "mygroupname", Auth-Type := Reject
Reply-Message = "OOPS You are not a member of the required group"
DEFAULT Auth-Type := LDAP
Fall-Through = 1

Testing

On the server run:

/usr/sbin/radiusd -X

On the client run:

/usr/bin/radtest "myusername" "topsecret" 127.0.0.1 2 testing123

Response:

Sending Access-Request of id 12 to 127.0.0.1 port 1812
User-Name = "myusername"
User-Password = "topsecret"
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=12, length=20

Next step is to have the same Radius server/port combination deal with LDAP authentication for some devices and MAC authentication for other devices/requests. Hopefully within the next week.

 

2 Responses to “Radius with LDAP Authentication”

  1. rashid

    My have mentioned the steps for LDAP authentication – but i need some clarification-

    Do i need to join the freeradius server to Domain controller prior to installing freeradius package on server?
    Do i need to install the LDAP client linux package on my CentOS or Linux OS prior to installing the freeRadius?
    Do i need to configure the LDAP client (where freeRADIUS going to be installed ) authentication with LDAP server ?

    Reply
    • jonny

      Rashid, I did this 7 years ago and haven’t needed to work with radius since but this is operating over LDAP so no need to join the domain. Ldap is not needed on the client since the ldap auth is handled by the radius server – so long as the client can speak to radius. And yes the config above describes configuring freeradius so it will authenticate via LDAP.

      Reply

Leave a Reply to rashid

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>