Step by Step Free Radius Configuration authenticated by LDAP

I am installing Free-Radius Server integrated with OpenLDAP server on CentOS 5.5 using kernel 2.6.18-194.el5. I will install all packages using yum configured on CentOS server. You can configure OpenLDAP using my blog using Link http://jitendrakumaryogi.blogspot.in/2013/09/ldapsamba_23.html. After Installing OpenLDAP you can configure Free-Radius Server.

I am checking the CentOS configuration on Server.

[root@ldapnoida ~]# cat /etc/redhat-release

CentOS release 5.5 (Final)

[root@ldapnoida ~]# uname -a

Linux ldapnoida.example.com 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

You can Install FreeRadius packages on server using yum.

[root@ldapnoida ~]# yum install freeradius*

It will install following FreeRadius Packages on server.

[root@ldapnoida ~]# rpm -qa | grep radius

freeradius2-krb5-2.1.12-5.el5

freeradius2-postgresql-2.1.12-5.el5

freeradius2-utils-2.1.12-5.el5

freeradius2-python-2.1.12-5.el5

freeradius2-2.1.12-5.el5

freeradius2-ldap-2.1.12-5.el5

freeradius2-mysql-2.1.12-5.el5

freeradius2-unixODBC-2.1.12-5.el5

freeradius2-perl-2.1.12-5.el5

Once the installation is complete, “/etc/raddb” directory is created which contains all configuration files of FreeRadius server.

[root@ldapnoida raddb]# cd /etc/raddb/

[root@ldapnoida raddb]# vi eap.conf

default_eap_type = md5

 Now, open the file named “ldap” In “/etc/raddb/modules” directory and change the configuration to the following:

[root@ldapnoida raddb]# cd modules/

[root@ldapnoida modules]# pwd

/etc/raddb/modules

[root@ldapnoida modules]# vi ldap

ldap {

        #

        #  Note that this needs to match the name in the LDAP

        #  server certificate, if you're using ldaps.

        server = "127.0.0.1"                                         # Local LDAP Server on same host

        identity = "cn=Manager,dc=example,dc=com"  #ldap Account to Manage LDAP server

        password = root123                                         # Password of above mentioned ldap account

        basedn = "dc=example,dc=com"

        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

Now open file “ /etc/raddb/sites-available/default” and change the following parameters into authorize section in this file.

[root@ldapnoida sites-available]# vi /etc/raddb/sites-available/default

authorize {

        #  The ldap module will set Auth-Type to LDAP if it has not

        #  already been set

        ldap                                                               #Uncomment ldap

        #  Read the 'users' file

        #  files                                                           #Comment files

Now open file “/etc/raddb/sites-available/inner-tunnel” and change the following parameters into authorize and authenticate section in this file.

[root@ldapnoida sites-available]# vi /etc/raddb/sites-available/inner-tunnel

authorize {

        #  Read the 'users' file

        #  files                                                                           #Comment files

        #  The ldap module will set Auth-Type to LDAP if it has not

        #  already been set

        ldap                                                                               #Uncomment ldap

authenticate {

 # Uncomment it if you want to use ldap for authentication

 #

        # Note that this means "check plain-text password against

        # the ldap database", which means that EAP won't work,

        # as it does not supply a plain-text password.

        Auth-Type LDAP {

                ldap

        }

Open the “clients.conf” file and edit the IP address at 34th line of file i.e. ip address and enter the IP address of your radius server. Edit the client section to allow the APs (Access Points) to communicate with your radius server. Configuration would something look like this:

[root@ldapnoida raddb]# vi /etc/raddb/clients.conf

client 10.226.0.0/16 {

        secret          = 1234                                               # Radius Secret Key to give on Access Points

        shortname       = radping                                        # It is User Defined name of your choice

}

 Run the radius server in debug mode with “radius -X” and try to authenticate a user.

Testing of Radius Server authenticated with LDAP Server.

My Radius & Ldap Server IP Address is 10.226.2.66 which will be used for testing.

[root@ldapnoida raddb]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:50:56:90:01:0D

          inet addr:10.226.2.66  Bcast:10.226.15.255  Mask:255.255.240.0

          inet6 addr: fe80::250:56ff:fe90:10d/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:65186388 errors:0 dropped:0 overruns:0 frame:0

          TX packets:674273 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:9508735851 (8.8 GiB)  TX bytes:113603579 (108.3 MiB)

You can download NTRadPing tool from Link http://www.novell.com/coolsolutions/tools/14377.html and test the Radius user authentication using this tool.

As per picture I authenticated admin user on ldap using radius and it is accepted and access is given.

 [root@ldapnoida raddb]# radiusd –X

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = *

        port = 0

}

listen {

        type = "acct"

        ipaddr = *

        port = 0

}

listen {

        type = "control"

 listen {

        socket = "/var/run/radiusd/radiusd.sock"

 }

}

listen {

        type = "auth"

        ipaddr = 127.0.0.1

        port = 18120

}

 ... adding new socket proxy address * port 49997

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel

Listening on proxy address * port 1814

Ready to process requests.

rad_recv: Access-Request packet from host 10.226.1.206 port 37858, id=0, length=45

        User-Name = "admin"

        User-Password = "root123"

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "admin", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[ntdomain] No '\' in User-Name = "admin", looking up realm NULL

[ntdomain] No such realm "NULL"

++[ntdomain] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

[ldap] performing user authorization for admin

[ldap]  expand: %{Stripped-User-Name} ->

[ldap]  ... expanding second conditional

[ldap]  expand: %{User-Name} -> admin

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=admin)

[ldap]  expand: dc=example,dc=com -> dc=example,dc=com

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] attempting LDAP reconnection

  [ldap] (re)connect to 127.0.0.1:389, authentication 0

  [ldap] bind as cn=Manager,dc=example,dc=com/root123 to 127.0.0.1:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

  [ldap] performing search in dc=example,dc=com, with filter (uid=admin)

[ldap] looking for check items in directory...

  [ldap] userPassword -> Password-With-Header == "{crypt}x"

  [ldap] sambaNtPassword -> NT-Password == 0x3836313939443144384638323935373639354134304642453632443346443846

[ldap] looking for reply items in directory...

[ldap] user admin authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Normalizing NT-Password from hex encoding

++[pap] returns updated

Found Auth-Type = PAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group PAP {...}

[pap] login attempt with password "root123"

[pap] Using NT encryption.

[pap]   expand: %{User-Password} -> root123

[pap] NT-Hash of root123 = 86199d1d8f82957695a40fbe62d3fd8f

[pap]   expand: %{mschap:NT-Hash %{User-Password}} -> 86199d1d8f82957695a40fbe62d3fd8f

[pap] User authenticated successfully

++[pap] returns ok

# Executing section post-auth from file /etc/raddb/sites-enabled/default

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 0 to 10.226.1.206 port 37858

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 0 ID 0 with timestamp +12

Ready to process requests.



___________________________________________________________

Please give your feedback.