Freeradius + LDAP Group check
    Douglas Caro 
    douglas.caro at lightcomm.com.br
       
    Wed Aug 18 18:29:52 CEST 2010
    
    
  
Hello!
I'm trying to modify a working configuration to add one more 
authentication service in FreeRadius.
I already have a configuration that authenticates users against LDAP for 
wireless network access. See the radiusd.conf:
radiusd.conf
========================================
# Installation layout: where binaries, configuration, logs and the pid
# file live. Later paths are built from these via ${...} references.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
pidfile = /var/run/freeradius/freeradius.pid
# Account the daemon runs as. Because the configuration below carries an
# LDAP bind password, the files under ${raddbdir} should be readable only
# by this user/group (and root).
user = freerad
group = freerad
# Authentication listener. ipaddr = * binds every local interface, so the
# set of NAS devices allowed to talk to it is controlled only by the
# clients.conf included below; port = 0 presumably means "use the service
# default" (conventionally 1812/udp) — confirm for this version.
listen {
  ipaddr = *
  port = 0
  type = auth
}
# Accounting listener, same binding rules as the auth listener above;
# port = 0 presumably resolves to the accounting default (1813/udp) —
# confirm for this version.
listen {
  ipaddr = *
  port = 0
  type = acct
}
# Worker thread limits. max_requests_per_server = 0 presumably disables
# periodic worker recycling — confirm against the server documentation.
thread pool {
  start_servers = 1
  max_servers = 4
  min_spare_servers = 1
  max_spare_servers = 3
  max_requests_per_server = 0
}
$INCLUDE ${confdir}/clients.conf
# Module instances referenced by name from the authorize/authenticate
# sections below.
modules {
  # PAP: cleartext password comparison (encryption_scheme = clear).
  pap {
     encryption_scheme = clear
  }
  chap {
     authtype = CHAP
  }
  # EAP methods (for the wireless clients) are configured in eap.conf.
  $INCLUDE ${confdir}/eap.conf
  mschap {
     authtype = MS-CHAP
     # Strip a leading DOMAIN\ from the user name before lookup.
     with_ntdomain_hack = yes
  }
  mschapv2 {
  }
  # Static users file (shown later in this post).
  files {
     usersfile = ${confdir}/users
     compat = no
  }
       # LDAP instance used for the wireless users.
       ldap ldap_1x {
               # Loopback only, so the plaintext connection (start_tls = no)
               # never leaves the host; if the directory is ever moved off
               # this box, start_tls must be enabled or the bind password
               # and user lookups go over the wire in the clear.
               server = "127.0.0.1"
               # NOTE(review): cn=Manager is usually the directory superuser.
               # A dedicated read-only account with search rights on basedn
               # is the least-privilege choice for the search bind — confirm
               # what rights the module actually needs here.
               identity = "cn=Manager,dc=company,dc=com,dc=br"
               # Bind password (masked in this post); see the file
               # permission note at user/group above.
               password = "XXXXXX"
               basedn = "ou=Users,dc=company,dc=com,dc=br"
               start_tls = no
               # NOTE(review): access_attr names the attribute whose presence
               # on the user entry grants access. With uid, every user entry
               # qualifies, so this performs no real gating and cannot express
               # a group restriction — confirm rlm_ldap semantics for this
               # version.
               access_attr = "uid"
               dictionary_mapping = ${raddbdir}/ldap.attrmap
               authtype = ldap
               ldap_connections_number = 5
               timeout = 4
               timelimit = 3
               net_timeout = 1
       }
}
# Modules run in order for each request before authentication.
# NOTE(review): files runs before ldap_1x, and the users file shown later
# in this post forces Auth-Type := MS-CHAP on its DEFAULT entry; that may
# pre-empt the Auth-Type the ldap module would otherwise set — confirm
# which Auth-Type actually wins for PAP and EAP requests.
authorize {
  pap
  files
  mschap
  ldap_1x
  eap
}
# Dispatch on the Auth-Type chosen during authorize.
authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type MS-CHAP {
               mschap
       }
       # NOTE(review): "PPP" is a site-defined Auth-Type name. Nothing in the
       # authorize section or users file shown here sets Auth-Type to PPP, so
       # it is unclear which requests ever reach ldap_1x for authentication —
       # confirm with a debug run (radiusd -X).
       Auth-Type PPP {
               ldap_1x
       }
       eap
}
# Logging. auth_badpass / auth_goodpass control whether the attempted
# password is written with each auth line; leaving both at no keeps
# credentials out of radius.log.
log {
       destination = files
       file = /var/log/freeradius/radius.log
       syslog_facility = daemon
       stripped_names = no
       auth = yes
       auth_badpass = no
       auth_goodpass = no
}
========================================
and, the users file:
users
========================================
# NOTE(review): this DEFAULT entry has no check items, so it matches every
# request and forces Auth-Type := MS-CHAP for all of them, including PAP
# ones — confirm that is intended.
DEFAULT Auth-Type := MS-CHAP
# NOTE(review): a group restriction is normally expressed as a check item
# on an entry here (e.g. `DEFAULT Ldap-Group == "TacAdm"`), with
# groupname_attribute / groupmembership_filter set in the ldap module that
# runs in authorize — confirm against the rlm_ldap docs for the installed
# version.
# Reply items for SLIP/CSLIP hints.
DEFAULT Hint == "CSLIP"
       Framed-Protocol = SLIP,
       Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
       Framed-Protocol = SLIP
========================================
This is enough to provide wireless network access to users.
I need to add RADIUS authentication against LDAP for switch devices, with a group check.
The users are in cn=TacAdm,ou=Groups,dc=company,dc=com,dc=br
I already tried to add a new module called
ldap ldap_switch {
...
}
and many options such as groupmembership_filter, groupname_attribute, 
filter, base_filter, access_attr, groupmembership_attribute, but none of them 
performs the group check in LDAP!
What do I need to do to make this group check work while keeping the wireless 
configuration working?
Thanks!
Douglas
    
    