Thoughts on a FreeRadius setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Jan 24 15:35:48 CET 2013


Hi,

>    1. user authentication and authorisation against our OpenLDAP directory,
>    which is currently setup to store passwords with a SASL mechanism (the
>    pass is hashed, and Apache Directory Studio shows the value of the
>    UserPassword attribute of each user as "SASL hashed password". This note
>    is important, see further on)

you can use external code for validation, but that could get tricky for different
EAP types

>    2. Switchport dynamic VLAN assignment on the Cisco Catalyst switches
>    depending on the gidNumber of the user

not a problem. reply items can contain whatever you need, which can be gleaned
from whatever oracle you choose

>    3. Multiplatform support (Windows 7, Ubuntu 10.04, Ubuntu 12.04)

...they all do EAP

>    4. FreeRadius server certificate validation (no client certificates used)
>    and 802.1x authentication by providing user/pass

works out of the box.

>    software succeeds and gives me an Access-Accept. Intentionally mistyping
>    the pass gives a reject. What am I doing wrong? Is the radtest tool using
>    some other mechanism than MSCHAPv2?

radtest is a PAP method - you need to use e.g. eapol_test (part of the wpa_supplicant
package) or radeaptest with the required configuration files, or any other test tool
(NTRadping for Windows, JRadiusSimulator etc.)

>    2. this appears to be fairly easy to achieve by configuring the users file
>    with one line per LDAP group like  "DEFAULT LdapGroup == xxx"  to return
>    the "Tunnel-private-group-ID [81]" VDA depending on the match... or maybe
>    in some other place of the config via unlang? I still need to understand
>    how it works

that method (users file) is basic but works. unlang or an external script can also be used

client certificates would mean no problem with LDAP for authentication. then you just
need to work out how to deploy the client certs.

alan
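The users-file approach discussed above (one `DEFAULT` entry per LDAP group returning the RFC 2868 tunnel attributes), written out as an added example that is not from the original thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x, where the check item is spelled `Ldap-Group` and needs rlm_ldap's group lookup configured; the group names and VLAN IDs are placeholders.

```text
# Added example, not from the original mail: FreeRADIUS 2.x "users" file
# mapping LDAP group membership to a dynamic VLAN on a Cisco Catalyst port.
# Assumes rlm_ldap is configured (groupname_attribute / groupmembership_filter)
# so that the Ldap-Group check item resolves. Group names and VLAN IDs are
# placeholders; substitute your own.

# Members of the "staff" group land on VLAN 100.
DEFAULT Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100",
        Fall-Through = No

# Members of the "students" group land on VLAN 200.
DEFAULT Ldap-Group == "students"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "200",
        Fall-Through = No

# Catch-all: a user in none of the listed groups is rejected outright rather
# than being accepted with no VLAN and falling onto the port's default VLAN.
DEFAULT
        Auth-Type := Reject,
        Reply-Message = "No VLAN mapping for this user"

# Caveat for PEAP/MSCHAPv2 (the case in this thread): the group match happens
# in the inner-tunnel virtual server, so the peap section of eap.conf needs
# use_tunneled_reply = yes for these reply items to reach the outer Access-Accept
# that the switch actually sees.
```

Check the result with an EAP-capable test client such as eapol_test (as suggested above) and confirm the Tunnel-* attributes appear in the final Access-Accept; radtest only exercises PAP and will not show the tunneled reply.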

