In my previous article, openldap-installation, I showed how to install OpenLDAP, and in the article openldap-ssl you can find how to enable TLS for LDAP. Before going forward you have to set up LDAP and enable TLS by following those two articles.
Configure FreeRADIUS with OpenLDAP
FreeRADIUS is the most popular Remote Authentication Dial In User Service (RADIUS) server; it provides AAA (Authentication, Authorization and Accounting) services. Here I am using Debian 7 as the OS. Let's install RADIUS.
$ sudo apt-get install freeradius freeradius-ldap
Once it is installed, let's start configuring it against the LDAP server.
- /etc/freeradius/clients.conf
This file is used to authenticate RADIUS clients (the NAS devices that send requests) to the RADIUS server. As below, we define each client allowed to use RADIUS and the shared secret it must present; localhost is kept here so that radtest can be run locally.

    client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
    }
- /etc/freeradius/modules/ldap
Here we integrate RADIUS with the OpenLDAP server. The entries below are modified; the rest of the file is left untouched. Note that password is the bind password of the identity DN, so this file should stay readable only by the user FreeRADIUS runs as.

    server = "ldap.example.com"
    identity = "cn=admin,ou=ldap,dc=example,dc=com"
    password = passwd
    basedn = "ou=ldap,dc=example,dc=com"
    # Changed from uid to mail, as we use the mail address to look up users in LDAP
    filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
    #
    # Group membership checking, to authorize based on the LDAP group the user belongs to.
    #
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    groupmembership_attribute = radiusGroupName
- /etc/freeradius/sites-available/default
We need to enable ldap in this file as well; there are two sections where you have to remove the comment in front of ldap. The authorize section looks like this once done:

    authorize {
        ...
        ldap
        ...
    }
- /etc/freeradius/sites-available/inner-tunnel
In this file, too, remove the comment from ldap in the section(s) below:

    authorize {
        ...
        ldap
        ...
    }
- /etc/freeradius/users

This file authorizes users based on the LDAP groups they belong to. It also dynamically assigns a VLAN id to each user according to the group that matched; the switch uses the returned Tunnel-* attributes for VLAN assignment. For this to work you should have created a cn with object class groupOfNames and added saman as a member of that group. Entries are tried in order and the first match wins, so a member of test1 receives the VLAN attributes while everyone else falls through to the final DEFAULT entry and is rejected.

    DEFAULT Ldap-Group == "cn=test1,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "17"

    DEFAULT Auth-Type := Reject
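To make the two pieces above concrete, here is an added example (written for this page, not FreeRADIUS code) that models what the server does with them: it expands the user filter from modules/ldap and the group filter used for the Ldap-Group check, applies the filter escaping you will see in the debug log, and evaluates the users file with the first-match rule to return either the VLAN reply attributes or Auth-Type := Reject. The expander only covers the %{Attr} and %{%{A}:-%{B}} forms used on this page, and the set of characters it escapes (= and , become \3d and \2c, plus the four RFC 4515 requires) is an assumption inferred from the log, not the real rlm_ldap table.

```python
r"""Model of the lookups the configuration above drives: the user search filter
from modules/ldap, the group filter rlm_ldap builds for Ldap-Group checks, and
the first-match evaluation of the users file that returns VLAN 17 or Reject.

Added example, not FreeRADIUS code. The escape set (= and , as \3d and \2c, plus
RFC 4515's * ( ) \ NUL) is inferred from the debug log and is an assumption.
"""
import re

USER_FILTER = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")

# The two entries from /etc/freeradius/users as shown in the article.
USERS_FILE = """
DEFAULT Ldap-Group == "cn=test1,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "17"

DEFAULT Auth-Type := Reject
"""


def ldap_escape(value):
    """Escape a value before it is substituted into an LDAP filter (backslash-hex form)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\=,\0" else c for c in value)


def xlat(template, attrs):
    """Expand %{Attr} and %{%{A}:-%{B}} (A, or B when A is empty) like FreeRADIUS xlat."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 0, i
        while j < len(template):                 # find the brace that closes this %{
            if template.startswith("%{", j):
                depth, j = depth + 1, j + 2
                continue
            if template[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        inner = template[i + 2:j]
        if inner.startswith("%{") and ":-" in inner:
            first, _, second = inner.partition(":-")
            out.append(xlat(first, attrs) or xlat(second, attrs))
        else:
            out.append(ldap_escape(attrs.get(inner, "")))   # unknown/empty attribute -> ""
        i = j + 1
    return "".join(out)


ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|\S+?)\s*(?:,|$)')


def parse_users(text):
    """Entries start in column 0 (name + check items); indented lines hold reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            name, _, checks = line.strip().partition(" ")
            entries.append({"name": name, "check": ITEM_RE.findall(checks), "reply": []})
        elif entries:
            entries[-1]["reply"].extend(ITEM_RE.findall(line))
    return entries


def authorize(entries, request):
    """First entry whose check items all match wins (no Fall-Through on this page).
    request = {"User-Name": ..., "Ldap-Group": set of group DNs the user is in}.
    Returns (control, reply) the way the files module would."""
    control, reply = {}, {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request["User-Name"]):
            continue
        checks = [(a, op, v.strip('"')) for a, op, v in entry["check"]]
        # Ldap-Group == X is what rlm_ldap's ldap_groupcmp() answers; modelled as set membership.
        matched = all((v in request["Ldap-Group"]) if a == "Ldap-Group" else request.get(a) == v
                      for a, op, v in checks if op == "==")
        if not matched:
            continue
        control.update((a, v) for a, op, v in checks if op == ":=")     # e.g. Auth-Type := Reject
        reply.update((a, v.strip('"')) for a, op, v in entry["reply"])
        break
    return control, reply


def lookup_filters(user_name, user_dn, stripped_user_name=""):
    """Return the expanded (user_filter, group_filter) for one request."""
    attrs = {"User-Name": user_name, "Stripped-User-Name": stripped_user_name,
             "control:Ldap-UserDn": user_dn}
    return xlat(USER_FILTER, attrs), xlat(GROUP_FILTER, attrs)
```

Running lookup_filters("saman@example.com", "uid=saman,ou=staff,dc=example,dc=com") reproduces the two expanded filters that appear in the debug log further down, and authorize() on the parsed users file returns the three Tunnel-* attributes for a member of test1 and Auth-Type Reject for anyone else.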
Once you have completed the above configuration you should be able to test RADIUS with the radtest client as below.

    $ radtest saman@example.com saman 127.0.0.1 0 testing123
    Sending Access-Request of id 79 to 127.0.0.1 port 1812
        User-Name = "saman@example.com"
        User-Password = "saman"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=79, length=36
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "17"
As you can see, when a client contacts RADIUS the server first performs group authorization and user authorization; if those succeed it authenticates the user with the supplied password and finally returns the Access-Accept above, carrying the VLAN attributes, to the RADIUS client.
From the RADIUS logs below you can verify these steps (only parts of the logs are shown).
    Thu Nov 27 21:02:48 2014 : Info: +- entering group authorize {...}
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] Entering ldap_groupcmp()
    Thu Nov 27 21:02:48 2014 : Info: [files] expand: dc=example,dc=com -> dc=example,dc=com
    Thu Nov 27 21:02:48 2014 : Info: [files] expand: %{Stripped-User-Name} ->
    Thu Nov 27 21:02:48 2014 : Info: [files] ... expanding second conditional
    Thu Nov 27 21:02:48 2014 : Info: [files] expand: %{User-Name} -> saman@example.com
    Thu Nov 27 21:02:48 2014 : Info: [files] expand: (mail=%{%{Stripped-User-Name}:-%{User-Name}}) -> (mail=saman@example.com)
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] performing search in dc=example,dc=com, with filter (mail=saman@example.com)
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
    Thu Nov 27 21:02:48 2014 : Info: [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dsaman\2cou\3dstaff\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsaman\2cou\3dstaff\2cdc\3dexample\2cdc\3dcom)))
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] performing search in cn=test1,dc=example,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dsaman\2cou\3dstaff\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsaman\2cou\3dstaff\2cdc\3dexample\2cdc\3dcom)))
    Thu Nov 27 21:02:48 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group cn=test1,dc=example,dc=com
    Thu Nov 27 21:02:48 2014 : Info: ++[files] returns ok
    Thu Nov 27 21:02:48 2014 : Info: [ldap] performing user authorization for saman@example.com
    Thu Nov 27 21:02:48 2014 : Info: [ldap] expand: %{Stripped-User-Name} ->
    Thu Nov 27 21:02:48 2014 : Info: [ldap] ... expanding second conditional
    Thu Nov 27 21:02:48 2014 : Info: [ldap] expand: %{User-Name} -> saman@example.com
    Thu Nov 27 21:02:48 2014 : Info: [ldap] expand: (mail=%{%{Stripped-User-Name}:-%{User-Name}}) -> (mail=saman@example.com)
    Thu Nov 27 21:02:48 2014 : Info: [ldap] expand: dc=example,dc=com -> dc=example,dc=com
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
    Thu Nov 27 21:02:48 2014 : Debug: [ldap] performing search in dc=example,dc=com, with filter (mail=saman@example.com)
    Thu Nov 27 21:02:48 2014 : Info: [ldap] No default NMAS login sequence
    Thu Nov 27 21:22:54 2014 : Info: ++[ldap] returns ok
    Thu Nov 27 21:02:48 2014 : Info: +- entering group PAP {...}
    Thu Nov 27 21:02:48 2014 : Info: [pap] login attempt with password "saman"
    Thu Nov 27 21:02:48 2014 : Info: [pap] Using MD5 encryption.
    Thu Nov 27 21:02:48 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding
    Thu Nov 27 21:02:48 2014 : Info: [pap] User authenticated successfully
    Thu Nov 27 21:02:48 2014 : Info: ++[pap] returns ok
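Reading the three steps out of a longer radiusd log by eye gets tedious, so here is an added example (not part of the article) that extracts them programmatically: which groups the request entered, which LDAP group matched, which user was authorized, each module's return code, and whether PAP accepted the password. The input is a subset of the log lines shown above, copied as constructed sample input; the message patterns are the FreeRADIUS 2.x forms that appear in them and nothing more.

```python
"""Pull the authorization/authentication sequence out of radiusd debug output.

Added example, not part of the article. LOG holds a subset of the lines shown
above; the regexes match only the message forms present in that output.
"""
import re

LOG = r"""
Thu Nov 27 21:02:48 2014 : Info: +- entering group authorize {...}
Thu Nov 27 21:02:48 2014 : Debug: [ldap] performing search in cn=test1,dc=example,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dsaman\2cou\3dstaff\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsaman\2cou\3dstaff\2cdc\3dexample\2cdc\3dcom)))
Thu Nov 27 21:02:48 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group cn=test1,dc=example,dc=com
Thu Nov 27 21:02:48 2014 : Info: ++[files] returns ok
Thu Nov 27 21:02:48 2014 : Info: [ldap] performing user authorization for saman@example.com
Thu Nov 27 21:02:48 2014 : Info: ++[ldap] returns ok
Thu Nov 27 21:02:48 2014 : Info: +- entering group PAP {...}
Thu Nov 27 21:02:48 2014 : Info: [pap] User authenticated successfully
Thu Nov 27 21:02:48 2014 : Info: ++[pap] returns ok
"""

# "Thu Nov 27 21:02:48 2014 : Info: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
SECTION_RE = re.compile(r"^\+- entering group (\w+)")
GROUP_RE = re.compile(r"ldap_groupcmp: User found in group (.+)$")
USER_RE = re.compile(r"^\[ldap\] performing user authorization for (\S+)")
RCODE_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
PAP_OK_RE = re.compile(r"^\[pap\] User authenticated successfully")


def summarize(log_text):
    """Reduce a request's log lines to the facts that decide Accept vs Reject."""
    summary = {"sections": [], "group": None, "user": None, "rcodes": {}, "authenticated": False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                         # blank line or not a radiusd line
        msg = m["msg"]
        if SECTION_RE.match(msg):
            summary["sections"].append(SECTION_RE.match(msg)[1])
        elif GROUP_RE.search(msg):
            summary["group"] = GROUP_RE.search(msg)[1]
        elif USER_RE.match(msg):
            summary["user"] = USER_RE.match(msg)[1]
        elif RCODE_RE.match(msg):
            module, rcode = RCODE_RE.match(msg).groups()
            summary["rcodes"][module] = rcode
        elif PAP_OK_RE.match(msg):
            summary["authenticated"] = True
    return summary


def access_accept_expected(summary):
    """Accept is expected only if the group check (files), ldap authorize and pap all passed."""
    return (summary["group"] is not None
            and summary["rcodes"].get("files") == "ok"
            and summary["rcodes"].get("ldap") == "ok"
            and summary["authenticated"])
```

summarize(LOG) reports the authorize and PAP sections, group cn=test1,dc=example,dc=com, user saman@example.com and ok from files, ldap and pap, which is exactly the sequence the paragraph above describes; if the PAP line is missing or changed, access_accept_expected() turns False even though the earlier steps passed.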
The two configuration files below are used to implement TLS in RADIUS.

- /etc/freeradius/eap.conf
Generate your own CA, self-sign it, and also create a key pair for the RADIUS server.

    # Create root CA (the key is 3DES-encrypted; you are prompted for a passphrase)
    openssl genrsa -des3 -out ca.key 2048
    openssl req -x509 -new -key ca.key -days 4024 -out ca.pem
    # Create CSR
    openssl genrsa -des3 -out server.key 2048
    openssl req -new -key server.key -out server.csr
    # Sign the CSR
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 500
Now make the configuration changes in the file above (/etc/freeradius/eap.conf) as below. These certificates are used for the outer EAP tunnel.

    tls {
        ...
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = saman    # the passphrase entered when server.key was generated
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.crt
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        ...
    }
- /etc/freeradius/modules/inner-eap
Here, generate a separate key pair and certificate and sign it with the same CA used earlier. These certificates are used for the inner EAP tunnel.

    # Create CSR (the key file name must match private_key_file in modules/inner-eap)
    openssl genrsa -des3 -out server-inner.key 2048
    openssl req -new -key server-inner.key -out server-inner.csr
    # Sign the CSR
    openssl x509 -req -in server-inner.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server-inner.crt -days 500
Now make the changes below in the configuration file (/etc/freeradius/modules/inner-eap).

    tls {
        ...
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = saman    # the passphrase entered when server-inner.key was generated
        private_key_file = ${certdir}/server-inner.key
        certificate_file = ${certdir}/server-inner.crt
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        ...
    }
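Before the files are referenced from eap.conf and modules/inner-eap it is worth checking that each certificate actually chains to CA_file and that each private key belongs to its certificate, since either mistake only shows up later as a failed EAP handshake. The following added example (not the article's own commands) runs the CA, outer and inner certificate steps from both openssl sequences above non-interactively from Python and then performs those two checks, including a deliberate cross-wired key/certificate pair to show the check failing. The subject names, the passphrase "saman" (which must equal private_key_password) and the temporary working directory are assumptions.

```python
"""Build the CA, outer (server) and inner (server-inner) certificates as in the
article, then verify chain and key/cert pairing before they go into the tls {} blocks.

Added example, not the article's commands: it drives the openssl CLI from Python.
Subject names, the passphrase and the working directory are assumptions.
"""
import shutil
import subprocess
import tempfile

PASSPHRASE = "saman"      # assumed; must match private_key_password in eap.conf / inner-eap


def openssl_available():
    return shutil.which("openssl") is not None


def openssl(args, cwd):
    """Run one openssl command in cwd; a failing step raises instead of being skipped."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def issue_server_cert(name, subject, cwd):
    """The article's CSR + sign steps for one server key pair (server or server-inner)."""
    openssl(["genrsa", "-des3", "-passout", f"pass:{PASSPHRASE}", "-out", f"{name}.key", "2048"], cwd)
    openssl(["req", "-new", "-key", f"{name}.key", "-passin", f"pass:{PASSPHRASE}",
             "-subj", subject, "-out", f"{name}.csr"], cwd)
    openssl(["x509", "-req", "-in", f"{name}.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
             "-passin", f"pass:{PASSPHRASE}", "-CAcreateserial",
             "-out", f"{name}.crt", "-days", "500"], cwd)


def build_pki(cwd):
    """Root CA as in the article (3DES-encrypted key, self-signed for 4024 days), then both server certs."""
    openssl(["genrsa", "-des3", "-passout", f"pass:{PASSPHRASE}", "-out", "ca.key", "2048"], cwd)
    openssl(["req", "-x509", "-new", "-key", "ca.key", "-passin", f"pass:{PASSPHRASE}",
             "-days", "4024", "-subj", "/CN=Example RADIUS CA", "-out", "ca.pem"], cwd)
    issue_server_cert("server", "/CN=radius.example.com", cwd)         # outer EAP, eap.conf
    issue_server_cert("server-inner", "/CN=radius.example.com", cwd)   # inner EAP, modules/inner-eap


def check_pair(cert_name, key_name, cwd):
    """True only if cert chains to ca.pem AND the key's modulus equals the cert's modulus."""
    chain = subprocess.run(["openssl", "verify", "-CAfile", "ca.pem", f"{cert_name}.crt"],
                           cwd=cwd, capture_output=True, text=True)
    cert_mod = openssl(["x509", "-noout", "-modulus", "-in", f"{cert_name}.crt"], cwd)
    key_mod = openssl(["rsa", "-noout", "-modulus", "-in", f"{key_name}.key",
                       "-passin", f"pass:{PASSPHRASE}"], cwd)
    return chain.returncode == 0 and cert_mod.strip() == key_mod.strip()


def build_and_verify():
    """Build everything in a scratch directory and report the three pairing checks."""
    with tempfile.TemporaryDirectory() as d:
        build_pki(d)
        return {
            "server": check_pair("server", "server", d),
            "server-inner": check_pair("server-inner", "server-inner", d),
            "server-cert-with-inner-key": check_pair("server", "server-inner", d),  # deliberate mismatch
        }


if __name__ == "__main__":
    print(build_and_verify())
```

The modulus comparison is the same check you can run by hand with openssl x509 -modulus and openssl rsa -modulus on the files under ${confdir}/certs; the cross-wired entry shows that pointing private_key_file at the wrong key is caught before FreeRADIUS is restarted.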
9 comments:
Hi, maybe you can share freeradius (with ldap) configuration file?
Hi,
Can you please share a file which shows LDAP authentication with freeradius server. I have a freeradius server and I want to connect it to our Local AD. waiting for your possible help.
Thank you.
regards,
Arindam
Hi Folks,
I just wanted to understand the benefits of using LDAP for Radius authentication.
One of our clients is using Radius with LDAP in the back end, and then LDAP is integrated with MySQL.
so flow is like Node->Radius->LDAP->MySQL.
Can't this be Node->Radius->MySQL?
Dear
Could you please share with me a config file with LDAP. I configured FreeRADIUS on CentOS 7 to authenticate via LDAP (SAMBA4 Active Directory) but it is not working. Thank you so much.
so uncommenting the authorize sections from /etc/freeradius/sites-available/default means that every user first authenticates via LDAP unless it is stored in /freeradius/users?
Other manuals say that for every user using LDAP there has to be an entry in /freeradius/users pointing them to the LDAP authentication.
Great post. Thanks for sharing with us.