FreeRadius, Active Directory, LDAP Authorization

Alan DeKok aland at deployingradius.com
Mon Dec 5 16:38:33 CET 2011


suggestme wrote:
> I have installed FreeRadius server 2.1.12, installed and configured
> Kerberos, Samba; configured ntlm_auth program for FreeRadius Authentication
> with Active Directory. Everything is successful and running smoothly till
> this stage. Now, I am in the phase of configuration of Authorization in
> FreeRadius. For Authorization process I want to use LDAP database which is
> already up and running in another server (not in the server where FreeRadius
> is installed). The authorization should be granted in such a way that some
> users should be allowed/restricted VPN, some should be allowed/restricted
> wifi, etc.

  What does that mean?  i.e. HOW do you determine which users get what
access?

  For most people, this means LDAP groups.  Put users into groups, and
give them permissions based on LDAP groups.  You can check the groups at
run time from FreeRADIUS.

> I am not sure whether this is the best way to do
> Authorization using LDAP or not because it is first time I am trying this in
> FreeRadius. After changing the configuration as mentioned below and running
> FreeRadius in debug mode, I get successful "Ready to process requests" but
> while supplying user credentials I get rad_recv: Access-Reject packet from
> host 127.0.0.1 port 1812, id=60, length=20.

  The debug log will tell you why the user was rejected.  Read it.

> What I have done so far is:

  Not post the debug log as suggested in the FAQ, README, "man" page,
web site, and daily on this list.

> But while following the "rlm_ldap" doc I have seen that it is mentioned:
> 
> LDAP and Active Directory
> -------------------------
> 
>  You can only use PAP, and then only if you list "ldap" in the
> "authenticate" section.
> 
> Does this mean I need to list ldap in authenticate section also. If I list
> it, what about ntlm_auth that is already enabled for authentication. I am
> confused with this.

  Read my web page on Active Directory integration.  It explains this.

> Should I need to install openldap & openssl also in the machine where
> freeradius is installed to make LDAP authorisation work properly?

  No.

> Please suggest me whether the configuration & process I am following related
> to LDAP is the good way to do or not. If not what is the best way to achieve
> it. Any documentation/site/thread suggestion regarding this would be
> greatly appreciated.

  My AD integration page (http://deployingradius.com) explains this in
great detail.

  Alan DeKok.
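As an added illustration of the group-based approach described in the reply above (example configuration written for this page, not taken from the original post, from deployingradius.com or from the FreeRADIUS distribution): rlm_ldap is listed in "authorize" only, so ntlm_auth keeps doing the authentication, and the per-service decision is made in unlang with the Ldap-Group check item. The server name, bind DN and password, base DN, group names, and the NAS-Port-Type values used to tell a VPN concentrator from a wireless controller are all assumptions for the example; the syntax is that of FreeRADIUS 2.1.x.

```unlang
# raddb/modules/ldap  (FreeRADIUS 2.1.x; host, DNs and password are assumptions)
ldap {
	server = "ldap.example.com"
	identity = "cn=radius,ou=service,dc=example,dc=com"
	password = "changeme"
	basedn = "ou=people,dc=example,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Group lookup: a group's name is its "cn", and membership is read
	# from the user entry's "memberOf" attribute.  Active Directory
	# exposes memberOf natively; OpenLDAP only does so with the memberof
	# overlay loaded, otherwise use groupmembership_filter instead.
	groupname_attribute = cn
	groupmembership_attribute = memberOf

	# ntlm_auth does the authentication, so this module must not set
	# Auth-Type = LDAP for users it finds without a password attribute.
	set_auth_type = no
}

# raddb/sites-enabled/default, "authorize" section (only the relevant parts;
# the "authenticate" section is left as it already is for ntlm_auth)
authorize {
	preprocess
	mschap
	suffix

	# Authorization only: look the user up and cache the DN that the
	# Ldap-Group comparison below needs.  With an instance name other
	# than "ldap" the check item is called "<instance>-Ldap-Group".
	ldap

	# Group-based policy.  Which NAS-Port-Type a given VPN or wireless
	# device sends is an assumption; confirm it in "radiusd -X" output.
	if (NAS-Port-Type == Virtual) {
		if (!(Ldap-Group == "vpn-users")) {
			update reply {
				Reply-Message := "VPN access not permitted"
			}
			reject
		}
	}
	elsif (NAS-Port-Type == Wireless-802.11) {
		if (!(Ldap-Group == "wifi-users")) {
			update reply {
				Reply-Message := "Wireless access not permitted"
			}
			reject
		}
	}
}
```

Each Ldap-Group comparison is a live query against the directory, so the debug output shows exactly which group was tested and whether the user was found in it; if the reject comes from somewhere else, that same output names the module that returned it.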



More information about the Freeradius-Users mailing list