OPENSUSE 11.3/SLES 11 ** INTEGRATING FREERADIUS TO LDAP SERVER

Bonnie Kurniawan — Fri, 12 Nov 2010 15:19:12 +0000

FreeRADIUS is a modular, high performance free RADIUS suite developed and distributed under the GNU General Public License, version 2, and is free for download and use. The FreeRADIUS Suite includes a RADIUS server, a BSD-licensed RADIUS client library, a PAM library, anApache module, and numerous additional RADIUS related utilities and development libraries (wikipedia)

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards(wikipedia)

Well, then again a bit of introduction about “what is RADIUS ?” and the FreeRADIUS, the most popular OpenSource RADIUS Server .

This tutorial based on an existing LDAP Server Configuration ( you can read this post) and it already has 1-2 users on it ( you can read this post again ), and this post is explain how-to integrate FreeRADIUS to read and use existing user on LDAP Server.

you can install the FreeRadius server on the same server or on a seperate server ( it’s your choice :p )

Add the FreeRADIUS repository from software.opensuse.org

# zypper ar http://download.opensuse.org/repositories/network:/aaa/SLE_11/ FreeRadius

# zypper ref

Install the FreeRADIUS Server Package

# zypper in freeradius-server freeradius-client freeradius-server-utils

After Installing the FreeRADIUS Packages, edit /etc/raddb/modules/ldap file, and then find and edit following lines (in my case : dc=malayin,dc=net) :

ldap {

server = “192.168.0.30″ – the LDAP Server

#identity = “cn=Adminstrator,dc=malayin,dc=net”

#password = admin

basedn = “dc=malayin,dc=net” – The Base DN LDAP Server

#filter = “(uid=%{Stripped-User-Name:-%{User-Name}})”

filter = “(uid=%u)”

#base_filter = “(objectclass=radiusprofile)”

ldap_connections_number = 5

timeout = 4

timelimit = 3

net_timeout = 1

tls {

start_tls = no

}

access_attr = “uid”

edir_account_policy_check = yes

}

After editing the ldap file, save it and then edit /etc/raddb/sites-available/default. FIND THE LINES that contain LDAP word and uncomment the lines :

authorize {

# The preprocess module takes care of sanitizing some bizarre

# attributes in the request, and turning them into attributes

# which are more standard.

# It takes care of processing the ‘raddb/hints’ and the

# ’raddb/huntgroups’ files.

# It also adds the %{Client-IP-Address} attribute to the request.

#preprocess

# If you want to have a log of authentication requests,

# un-comment the following line, and the ‘detail auth_log’

# section, above.

# auth_log

# The chap module will set ‘Auth-Type := CHAP’ if we are

# handling a CHAP request and Auth-Type has not already been set

#chap

# If the users are logging in with an MS-CHAP-Challenge

# attribute for authentication, the mschap module will find

# the MS-CHAP-Challenge attribute, and add ‘Auth-Type := MS-CHAP’

# to the request, which will cause the server to then use

# the mschap module for authentication.

#mschap

# If you have a Cisco SIP server authenticating against

# FreeRADIUS, uncomment the following line, and the ‘digest’

# line in the ‘authenticate’ section.

# digest

# Look for IPASS style ‘realm/’, and if not found, look for

# ’@realm’, and decide whether or not to proxy, based on

# that.

# IPASS

# If you are using multiple kinds of realms, you probably

# want to set “ignore_null = yes” for all of them.

# Otherwise, when the first style of realm doesn’t match,

# the other styles won’t be checked.

#suffix

# ntdomain

# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP

# authentication.

# It also sets the EAP-Type attribute in the request

# attribute list to the EAP type from the packet.

# As of 2.0, the EAP module returns “ok” in the authorize stage

# for TTLS and PEAP. In 1.x, it never returned “ok” here, so

# this change is compatible with older configurations.

# The example below uses module failover to avoid querying all

# of the following modules if the EAP module returns “ok”.

# Therefore, your LDAP and/or SQL servers will not be queried

# for the many packets that go back and forth to set up TTLS

# or PEAP. The load on those servers will therefore be reduced.

#eap {

# ok = return

# Pull crypt’d passwords from /etc/passwd or /etc/shadow,

# using the system API’s to get the password. If you want

# to read /etc/passwd or /etc/shadow directly, see the

# passwd module in radiusd.conf.

#unix

# Read the ‘users’ file

#files

# Look in an SQL database. The schema of the database

# is meant to mirror the “users” file.

# See “Authorization Queries” in sql.conf

# sql

# If you are using /etc/smbpasswd, and are also doing

# mschap authentication, the un-comment this line, and

# configure the ‘etc_smbpasswd’ module, above.

# etc_smbpasswd

# The ldap module will set Auth-Type to LDAP if it has not

# already been set

ldap

# Enforce daily limits on time spent logged in.

# daily

# Use the checkval module

# checkval

expiration

logintime

# If no other module has claimed responsibility for

# authentication, then try to use PAP. This allows the

# other modules listed above to add a “known good” password

# to the request, and to do nothing else. The PAP module

# will then see that password, and use it to do PAP

# authentication.

# This module should be listed last, so that the other modules

# get a chance to set Auth-Type for themselves.

#pap

# If “status_server = yes”, then Status-Server messages are passed

# through the following section, and ONLY the following section.

# This permits you to do DB queries, for example. If the modules

# listed here return “fail”, then NO response is sent.

# Autz-Type Status-Server {

# }

}

# Authentication.

# This section lists which modules are available for authentication.

# Note that it does NOT mean ‘try each module in order’. It means

# that a module from the ‘authorize’ section adds a configuration

# attribute ‘Auth-Type := FOO’. That authentication type is then

# used to pick the apropriate module from the list below.

# In general, you SHOULD NOT set the Auth-Type attribute. The server

# will figure it out on its own, and will do the right thing. The

# most common side effect of erroneously setting the Auth-Type

# attribute is that one authentication method will work, but the

# others will not.

# The common reasons to set the Auth-Type attribute by hand

# is to either forcibly reject the user (Auth-Type := Reject),

# or to or forcibly accept the user (Auth-Type := Accept).

# Note that Auth-Type := Accept will NOT work with EAP.

# Please do not put “unlang” configurations into the “authenticate”

# section. Put them in the “post-auth” section instead. That’s what

# the post-auth section is for.

authenticate {

# PAP authentication, when a back-end database listed

# in the ‘authorize’ section supplies a password. The

# password can be clear-text, or encrypted.

#Auth-Type PAP {

# pap

# Most people want CHAP authentication

# A back-end database listed in the ‘authorize’ section

# MUST supply a CLEAR TEXT password. Encrypted passwords

# won’t work.

#Auth-Type CHAP {

# chap

# }

# MSCHAP authentication.

#Auth-Type MS-CHAP {

# mschap

# If you have a Cisco SIP server authenticating against

# FreeRADIUS, uncomment the following line, and the ‘digest’

# line in the ‘authorize’ section.

# digest

# Pluggable Authentication Modules.

# pam

# See ‘man getpwent’ for information on how the ‘unix’

# module checks the users password. Note that packets

# containing CHAP-Password attributes CANNOT be authenticated

# against /etc/passwd! See the FAQ for details.

#unix

# Uncomment it if you want to use ldap for authentication

# Note that this means “check plain-text password against

# the ldap database”, which means that EAP won’t work,

# as it does not supply a plain-text password.

Auth-Type LDAP {

ldap

}

# Allow EAP authentication.

# eap

}

# Pre-accounting. Decide which accounting type to use.

preacct {

preprocess

# Ensure that we have a semi-unique identifier for every

# request, and many NAS boxes are broken.

acct_unique

# Look for IPASS-style ‘realm/’, and if not found, look for

# ’@realm’, and decide whether or not to proxy, based on

# that.

# Accounting requests are generally proxied to the same

# home server as authentication requests.

# IPASS

suffix

# ntdomain

# Read the ‘acct_users’ file

files

}

# Accounting. Log the accounting data.

accounting {

# Create a ‘detail’ed log of the packets.

# Note that accounting requests which are proxied

# are also logged in the detail file.

detail

# daily

# Update the wtmp file

# If you don’t use “radlast”, you can delete this line.

unix

# For Simultaneous-Use tracking.

# Due to packet losses in the network, the data here

# may be incorrect. There is little we can do about it.

radutmp

# sradutmp

# Return an address to the IP Pool when we see a stop record.

# main_pool

# Log traffic to an SQL database.

# See “Accounting queries” in sql.conf

# sql

# Instead of sending the query to the SQL server,

# write it into a log file.

# sql_log

# Cisco VoIP specific bulk accounting

# pgsql-voip

# Filter attributes from the accounting response.

attr_filter.accounting_response

# See “Autz-Type Status-Server” for how this works.

# Acct-Type Status-Server {

# }

}

# Session database, used for checking Simultaneous-Use. Either the radutmp

# or rlm_sql module can handle this.

# The rlm_sql module is *much* faster

session {

radutmp

# See “Simultaneous Use Checking Queries” in sql.conf

# sql

}

# Post-Authentication

# Once we KNOW that the user has been authenticated, there are

# additional steps we can take.

post-auth {

# Get an address from the IP Pool.

# main_pool

# If you want to have a log of authentication replies,

# un-comment the following line, and the ‘detail reply_log’

# section, above.

# reply_log

# After authenticating the user, do another SQL query.

# See “Authentication Logging Queries” in sql.conf

# sql

# Instead of sending the query to the SQL server,

# write it into a log file.

# sql_log

# Un-comment the following if you have set

# ’edir_account_policy_check = yes’ in the ldap module sub-section of

# the ‘modules’ section.

ldap

#exec

# Access-Reject packets are sent through the REJECT sub-section of the

# post-auth section.

# Add the ldap module name (or instance) if you have set

# ’edir_account_policy_check = yes’ in the ldap module configuration

Post-Auth-Type REJECT {

attr_filter.access_reject

}

save the file, then add these line to /etc/raddb/clients.conf filem to decide which network is ALLOWED to use and access FreeRADIUS service (in my case : 192.168.0.0/24) :

client 192.168.0.0/24 {

secret = testing123-1

shortname = testing123-1

}

After finish editing clients.conf file, save it and then test the connectivity by using radtest command

You can see detail http://www.malayin.net

openSUSE Lizards » Bonnie Kurniawan

OPENSUSE 11.3/SLES 11 ** INTEGRATING FREERADIUS TO LDAP SERVER