LDAP, FreeRadius, Ruckus / Zone Director
aland at deployingradius.com
Wed Jun 24 02:01:39 CEST 2020
On Jun 23, 2020, at 4:57 PM, Steve Sheldon <steve.sheldon at invenshure.com> wrote:
> First Post Here. Hope everyone is doing well during this season of life we are all in. I have been struggling with a validation Auth issue from Ruckus wifi for a long time. I have poured through so many docs, trying to get this to work.
Most third-party docs are just terrible.
> My Setup: LDAP (jumpcloud), FreeRADIUS Version 3.0.16, Ubuntu (18.04), Ruckus (Zonedirector 1200 - 10.4.0.0 build 70)
Hmm... jumpcloud. The people that keep posting blog entries about how terrible FreeRADIUS is. And that everyone should switch to their cloud hosted RADIUS server... based on FreeRADIUS.
Talk about biting the hand that feeds you. :(
> Group in LDAP users are members of: Wifiusers
> What works:
> 1. ldapsearch -H ldaps://ldap.jumpcloud.com:636 -x -b "ou=Users,o=orgid,dc=jumpcloud,dc=com" -D "uid=binduser,ou=Users,o=orgid,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)”
That's good. You should be able to use those parameters in the mods-enabled/ldap configuration.
If you look at the latest versions of the server, that file has explicit documentation on how to map ldapsearch parameters to mods-enabled/ldap config, and vice versa. That helps a lot.
> 2. radtest username userpassword 127.0.0.1 -1 testing123 - "Received Access-Accept"
Reading the output of "radtest" is usually useless. You really need to run "radiusd -X" as suggested, oh... everywhere.
> 3. ZoneDirector - Test Authentication/Accounting Servers Settings - enter in username/userpassword - " Success! The user will be assigned a role of "Default”.”
And... what does "radiusd -X" say?
> What does’t Work:
> 1. From a computer accessing the configured wifi that has been setup to use my Authentication/Accounting Server.
What is the computer doing?
Answer: read "radiusd -X" to see.
This is extensively documented.
> 1. Would anyone be willing to share their "sites-available/default” settings or any other settings he or she used to get Ruckus Auth to work?
The default configuration works. You should be able to do only *minimal* changes to get 802.1X / EAP to work. There is no "share a working config". Just configure the LDAP module for your LDAP server. Enable the ldap module. Drop in certificates for EAP. It *will* work.
And read the documentation for what to post to the list. Honestly, it really helps.
More information about the Freeradius-Users