freeradius + ldap (AD) + dot1x
Alan DeKok
aland at deployingradius.com
Sun Jun 11 15:33:03 CEST 2017
On Jun 11, 2017, at 5:41 AM, Paweł Grzęda <pawel.grzeda at kamieniarstwo.pl> wrote:
> ,
>
> I'm a newbie at FreeRADIUS. I'm trying to prepare a solution which will
> provide authentication for PCs/laptops in a corporate network. I need this
> for Cisco switches and Ubiquiti APs/controller. There is Samba4
> configured as domain controller which is the central authentication point. I
> installed FreeRADIUS 3.0.14 on Fedora 25. I read all the man pages and
> documentation stored in configuration files and to be honest it's a huge
> amount of information which is not clear for a newbie.
You should read the documentation at:
http://networkradius.com/freeradius-documentation/
Specifically the technical guide.
> I also used
> tutorial which seems to be third-party, however link was on official
> freeradius wiki I think.
That's one of the better ones.
But...most of the third-party documentation is terrible. Wrong, misleading, out of date, etc. Worse, many people don't read the wiki / FR documentation, and just "google it". Then, they read random documentation and wonder why it doesn't work. :(
> I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the
> binding works, however I still can't get Access-Accept message. I think
> my problem is related to clear-text passwords (warning about no known
> good password), however I don't know how to fix it.
If you read the debug output, you'll see that it doesn't query the LDAP module. That's why it can't find the password.
While the server is complex, each individual piece is relatively simple. The problem is in tying them all together.
So the solution is simple: configure one piece at a time. Save the configuration, test it, etc. Follow the procedure in "man radiusd". This *is* documented.
And for testing EAP, follow the guide at:
http://deployingradius.com/documents/configuration/active_directory.html
It will work. Even for Samba.
The nice thing about Samba is that it will give FreeRADIUS the user's credentials via a simple LDAP query. So the whole "ntlm_auth" stuff isn't necessary.
But still... follow the guide. It's documented, it has multiple intermediate steps, it explains what's going on.
Alan DeKok.
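As an added illustration of the "one piece at a time" approach described above (this is an editorial example, not text from the thread and not FreeRADIUS's shipped default configuration), the two pieces that have to line up for the LDAP lookup to happen at all are the module definition and the `authorize` list that calls it. The server name `dc01.example.internal`, the bind DN, the bind password and the CA file path are placeholders; replace them with your own values.

```conf
# --- /etc/raddb/mods-available/ldap (excerpt; placeholder values) ---
# Step 1: define the module and verify that the STARTTLS bind works on its own
# (start the server with "radiusd -X" and watch the ldap connection lines).
ldap {
    server = 'dc01.example.internal'   # placeholder hostname
    port = 389                         # plain port; STARTTLS upgrades it below
    identity = 'CN=radius-bind,CN=Users,DC=example,DC=internal'   # placeholder bind DN
    password = 'bind-password-placeholder'
    base_dn = 'DC=example,DC=internal'

    user {
        base_dn = "${..base_dn}"
        # AD / Samba4 keep the login name in sAMAccountName rather than uid
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        start_tls = yes
        ca_file = /etc/raddb/certs/samba-ca.pem   # placeholder CA path
        require_cert = 'demand'   # refuse the bind if the DC certificate does not verify
    }
}

# Enable it (the module is only loaded from mods-enabled):
#   ln -s ../mods-available/ldap /etc/raddb/mods-enabled/ldap

# --- /etc/raddb/sites-available/default (authorize section, excerpt) ---
# Step 2: list the module so the request actually reaches it. With no "ldap"
# entry here the debug output never shows an ldap lookup, and pap then warns
# that it has no "known good" password. The leading "-" marks the entry
# optional, so the server still starts if mods-enabled/ldap is absent.
authorize {
    filter_username
    preprocess
    -ldap
    pap
}

# Step 3: test this one piece with a plain PAP request before touching EAP:
#   radtest alice 'user-password-placeholder' localhost 0 testing123
# Only after radtest returns Access-Accept move on to the EAP guide linked
# above (the inner-tunnel virtual server needs the same "-ldap" entry).
```

The point of the ordering is that each step has one observable result in `radiusd -X` output: first the bind succeeds, then the `ldap` lines appear for a request, then `pap` stops warning about a missing password. A failure at one step tells you which piece to fix before adding the next.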