HOWTO:Centralised LDAP Authentication - Part 2 - Using dynamic-clients instead of huntgroups

Peter Lambrechtsen plambrechtsen at gmail.com
Wed Oct 6 12:07:49 CEST 2010


Following on from my previous post on Centralised LDAP Auth post:
http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html

I've found that using dynamic-clients gives me a few advantages over using
huntgroups.

1) Dynamic clients allow you to have per-NAS shared secrets stored in LDAP
(or SQL) instead of having a whole network with the same shared secret.
This way you get better (pseudo) security by being able to set a password for
each individual NAS element.
2) Reduced LDAP queries, due to dynamic-clients' caching of the query
results.  This also saves one extra query against the LDAP database per
request, since the client is cached in radiusd's memory.

So to set it up it's the same configuration as specified in the above post,
with the following differences:

Element setup:  It's the same as before, except that each element now needs
a second value holding the shared secret.  In the examples below I use
the "ou" (Department) attribute for that.

---
OU=Elements,OU=Radius,DC=ACME,DC=COM
Elements will hold a record of every NAS in your network.  You create
Group objects named after the IP address of the NAS and set the "Location" or
"l" attribute to the huntgroup the NAS belongs to, so that the NASes can be
centrally managed in LDAP.
i.e.
CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
with an "l" value of "CiscoRTR" for a Cisco router whose NAS-IP-Address
or source IP address is 10.1.2.3.  This will make more sense further on.
And with an "ou" value holding the shared secret for that NAS element, i.e.
"password"
---

FILE:/etc/raddb/clients.conf
- Don't need to make any changes into this file anymore.

With the default config you will need to copy or symlink the dynamic-clients
file into the sites-enabled directory.  The easiest way is to symlink:

cd /etc/raddb/sites-enabled
ln -s ../sites-available/dynamic-clients dynamic-clients

Now modify the dynamic-clients file:
FILE: /etc/raddb/sites-available/dynamic-clients
client dynamic {
        # Include all IPs in the Dynamic Clients range
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_client_server
        lifetime = 86400
}

server dynamic_client_server {
        authorize {
                # Do an LDAP lookup in the Elements OU and check whether the
                # object named after Packet-Src-IP-Address has an "ou"
                # attribute; if it does, continue.
                if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
                        update control {
                                FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                                # Set the Client-Shortname from the Location ("l")
                                # attribute, just like the Huntgroup in part 1,
                                # but this time as the shortname.
                                FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
                                # NAS-Type can't be used here, so it is left commented out.
                                #FreeRADIUS-Client-NAS-Type = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?o?sub?cn=%{Packet-Src-IP-Address}}"
                                # Look up and set the shared secret from the "ou" attribute.
                                FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
                        }
                }
                ok
        }
}
----- END
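As an added illustration (not part of the original post, and not FreeRADIUS code), the following Python mirrors what the dynamic_client_server authorize section above does: look the NAS up by its source IP, refuse it when the element has no "ou", and otherwise hand back the client IP, shortname and secret. It then shows what the per-NAS secret buys you by checking an Access-Request's Message-Authenticator (RFC 2869, HMAC-MD5) against that NAS's own secret, so a request signed with another NAS's secret is rejected. The ELEMENTS table is a constructed stand-in for the OU=Elements subtree; a real deployment queries LDAP.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the OU=Elements subtree (not a real LDAP server):
# cn = NAS source IP, "l" = Client-Shortname, "ou" = per-NAS shared secret.
ELEMENTS = {
    "10.1.2.3": {"l": "CiscoRTR", "ou": b"cisco-secret-1"},
    "10.1.2.4": {"l": "Junipers", "ou": b"juniper-secret-2"},
    "10.1.2.5": {"l": "LabSwitch"},  # no "ou": the if() in authorize fails
}

def resolve_dynamic_client(src_ip):
    """Mirror the authorize section: control attrs for this NAS, or None."""
    entry = ELEMENTS.get(src_ip)
    if not entry or not entry.get("ou"):
        return None
    return {"FreeRADIUS-Client-IP-Address": src_ip,
            "FreeRADIUS-Client-Shortname": entry["l"],
            "FreeRADIUS-Client-Secret": entry["ou"]}

def build_access_request(secret, user="alice"):
    """Minimal Access-Request (code 1): User-Name + Message-Authenticator."""
    user_attr = bytes([1, 2 + len(user)]) + user.encode()
    attrs = user_attr + bytes([80, 18]) + bytes(16)  # attr 80 zeroed for HMAC
    header = bytes([1, 0]) + (20 + len(attrs)).to_bytes(2, "big") + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + user_attr + bytes([80, 18]) + mac

def verify_message_authenticator(packet, secret):
    """Walk the attributes, zero Message-Authenticator, recompute, compare."""
    body, pos, received = bytearray(packet), 20, None
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False  # malformed attribute length
        if attr_type == 80 and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            body[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    expected = hmac.new(secret, bytes(body), hashlib.md5).digest()
    return received is not None and hmac.compare_digest(expected, received)

def authorize(src_ip, packet):
    """Dynamic-client lookup, then verify with that NAS's own secret."""
    client = resolve_dynamic_client(src_ip)
    if client and verify_message_authenticator(packet, client["FreeRADIUS-Client-Secret"]):
        return client["FreeRADIUS-Client-Shortname"]
    return None
```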

FILE:/etc/raddb/sites-enabled/default

Instead of setting the Huntgroup, set the FreeRADIUS Client-Shortname, so change:

   update request {
     Huntgroup-Name := "%{ldap:ldap:///ou=Elements,ou=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
   }

with

   update request {
      Client-Shortname := "%{Client-Shortname}"
   }

so that Client-Shortname is available in this virtual server.  Make all the
other changes to the default file as per the above post.

Lastly, the changes in the users file to perform the lookup.

Change:

DEFAULT Huntgroup-Name == Junipers, Ldap-Group == "cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM"

with

DEFAULT Client-Shortname == Junipers, Ldap-Group == "cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM"

and keep all the same settings as per the previous post.

This way you still have the advantages of per-NAS authentication, and now
you can also set a password per NAS, with less unnecessary traffic to the
LDAP server.

A win win all around.

Alan, do you want me to turn this into a Wiki entry???