Load balance LDAP servers for group checking

Petar Marinkovic highl1 at gmail.com
Fri May 12 16:09:25 CEST 2017


Hi,

I have a very interesting freeradius 2.2 setup that works like this:

1. Check MAC address in static file /etc/raddb/mac_auth
2. Check EAP-TLS machine certificate (issued by Windows AD CA)
3. Check if the username from the certificate is a member of an AD group

And it works quite well for me. I've also managed to write PowerShell
scripts to create certificates for Linux machines, and both my Windows and
Linux computers can authenticate if they're in the right group.

But occasionally I get a hiccup in LDAP binding, and since the bind
fails because freeradius cannot connect to LDAP, the request is rejected and
the user cannot connect. Usually this is random, and if the user retries
authentication right away, it connects, but it still happens about once
a month.

I've tried to follow https://wiki.freeradius.org/config/Load-balancing
to set up redundancy/load balancing, but for group checking it always
uses the server I put last in the list, which in my case is the
2nd LDAP server, defined in /etc/raddb/modules/ldap2.

In post-auth, I first check the format of the username, since Windows
and Linux send the username differently (Windows sends host/
machine.domain.com, while Linux sends whatever you set as the identity in the
802.1x setup in NetworkManager), so I fix both to be in the username at domain.com format.

Here is a copy of my default file; I just stripped out the comments:

authorize {
        preprocess
        auth_log
        rewrite.calling_station_id
        mac_auth
        if (!ok) {
                reject
        }
        if (!EAP-Message) {
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                eap
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }

        digest
        unix
        eap

        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        exec
}

session {
        radutmp
}

post-auth {
        if (User-Name =~ /host\/([a-z0-9\-]*)[\.]{1}domain[\.]{1}com/i) {
                update request {
                        #Stripped-User-Name := "%{1}$"
                        Stripped-User-Name := "%{1}.domain.com"
                }
        }

        if (LDAP-Group == "Users") {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-ID = "user"
                }
        }
        else {
                reject
        }

        exec
        attr_filter.access_reject
}

pre-proxy {

}

post-proxy {
        eap
}

Thanks in advance for the help. I am not an advanced freeradius user, so I
imagine I may have made some errors here in trying to provide fault tolerance.
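
An added example (not the original poster's configuration and not code from the FreeRADIUS project) of a post-auth group check that keeps working when one LDAP server is unreachable. In FreeRADIUS 2.x every rlm_ldap instance registers the generic LDAP-Group comparison attribute, so with two instances that name resolves to whichever instance was loaded last, which is the behaviour described above; each instance also registers its own <instance>-Ldap-Group attribute. A comparison against a server that cannot be reached simply evaluates to "not a member", and redundant { } only wraps module calls, never attribute comparisons, so the fail-over has to be written into the condition itself. The example assumes the instances are named ldap1 and ldap2 (matching the file names in the post), that both are domain controllers for the same replicated directory, so either one is authoritative for the group, and that the ldap filter references %{Stripped-User-Name:-%{User-Name}} as the 2.x default does; the group name, VLAN attributes and domain.com are placeholders taken from the post.

```unlang
# Added example, not from the original post or the FreeRADIUS project.
# Assumptions (see lead-in): rlm_ldap instances declared as
# "ldap ldap1 { ... }" in modules/ldap1 and "ldap ldap2 { ... }" in
# modules/ldap2, both replicas of the same AD domain, group "Users",
# VLAN "user", domain suffix domain.com.
post-auth {
        # Normalise the Windows "host/machine.domain.com" identity so the
        # group search filter (%{Stripped-User-Name:-%{User-Name}}) finds the
        # machine account. Anchored, and the host label must be non-empty.
        if (User-Name =~ /^host\/([a-z0-9\-]+)\.domain\.com$/i) {
                update request {
                        Stripped-User-Name := "%{1}.domain.com"
                }
        }

        # Conditions are evaluated left to right and stop once the result is
        # known, so ldap2 is only queried when ldap1 answers "no". In 2.x that
        # single "no" covers both "not a member" and "server unreachable";
        # the comparison cannot tell them apart, which is why
        # redundant { ldap1 ldap2 } around module calls never helps here.
        if ((ldap1-Ldap-Group == "Users") || (ldap2-Ldap-Group == "Users")) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-ID = "user"
                }
        }
        else {
                # Both instances said "no", or both were down: fail closed.
                reject
        }

        exec
        attr_filter.access_reject
}
```

Because the condition short-circuits, a member of Users costs one search against ldap1; a non-member, or any request that arrives while ldap1 is unreachable, costs a second search against ldap2; and a request that finds both servers down is still rejected, so the check fails closed rather than open. Run radiusd -X and watch which instance performs the group search to confirm the two-stage behaviour before relying on it.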

