Questions about ldap authentication, huntgroup and authorize file

Jérôme BERTHIER Jerome.Berthier at
Mon Oct 9 16:29:26 CEST 2017


I'm moving a setup from freeradius 2 (CentOS 6) to freeradius 3 (CentOS 7).

The server is hosting:

- a backend to authenticate users on Wifi 802.1X TTLS-PAP (openldap) and 
PEAP-MSCHAPv2 (Active Directory)

- a backend to authenticate users on network equipment for admin purposes

We use several ldap instances described in the ldap module.

Our openldap server does not permit reading passwords. We use anonymous 
binding to run the authentication process.

So, Auth-Type := <ldap_instance> is set by the ldap module in each 
ldap instance: set_auth_type = yes

Network equipment is grouped in the huntgroups file to apply a 
specific policy by using filters on huntgroup and ldap group in the file 

The filter replies with different vendor-specific attributes for each ldap 
group and finally, we reject the authentication if there is no match.

For example, for devices from Juniper, we use this setup:

DEFAULT         Ldap-Group==ldap_group_1,Huntgroup-Name == JuniperNet
             Service-Type = Login,
             Juniper-Local-User-Name := "radius-admin"
DEFAULT         Ldap-Group==ldap_group_2,Huntgroup-Name == JuniperNet
             Service-Type = Login,
             Juniper-Local-User-Name := "radius-operator"
DEFAULT        Auth-Type := Reject,Huntgroup-Name == JuniperNet

I took care of the file README.rst.

I also had a look at the documentation page about the ldap module:

I still have a few questions:

1) I notice that the Ldap-Group attribute is no longer set by the last ldap 
instance called. So I corrected my config to describe the default 
instance ldap {}. It works, but is it planned to be able to call another 
instance in the authorize file?

2) Since the ldap module does not set Auth-Type := ldap anymore, I added 
these lines to the site configuration where needed:

         if ((ok || updated) && User-Password) {
                 update {
                         control:Auth-Type := ldap
                 }
         }

Is it correct?

3) Is it correct to use the authorize file to apply filters like we do? 
Or shall we do it in the post-auth section (it could be inaccurate if 
we need to reject the access)?

Thank you for your help.
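An added illustration (not part of the original post, and not FreeRADIUS code) of the mechanism behind the third question: the users file is walked top to bottom, the first entry whose check items all match is applied, and processing stops there unless that entry's reply list sets Fall-Through = Yes. The final DEFAULT entry with Auth-Type := Reject therefore only catches requests that the two group entries above it did not claim, and only for NASes in the JuniperNet huntgroup. The Python below models that walk over the three entries from the post with constructed requests; Ldap-Group == X, which in FreeRADIUS triggers a group lookup against the ldap instance, is approximated here as membership in a precomputed Ldap-Groups list attached to the request (an assumption of the simulation, not how the module works internally).

```python
"""Simulation of FreeRADIUS users-file evaluation (added example, not FreeRADIUS code).

Models the "files" module rule: entries are walked top to bottom, the first
entry whose check items all match is applied, and processing stops unless that
entry's reply list contains Fall-Through = Yes. Ldap-Group == X is modelled as
membership in a precomputed request["Ldap-Groups"] list (constructed data).
"""

from dataclasses import dataclass


@dataclass
class Entry:
    name: str      # "DEFAULT" or a literal User-Name
    checks: list   # (attr, op, value): "==" is compared, ":=" is set in control on match
    replies: list  # (attr, op, value): ":=" overrides, "=" adds only if absent


# The three entries from the post, transcribed one-to-one.
USERS = [
    Entry("DEFAULT",
          [("Ldap-Group", "==", "ldap_group_1"), ("Huntgroup-Name", "==", "JuniperNet")],
          [("Service-Type", "=", "Login"), ("Juniper-Local-User-Name", ":=", "radius-admin")]),
    Entry("DEFAULT",
          [("Ldap-Group", "==", "ldap_group_2"), ("Huntgroup-Name", "==", "JuniperNet")],
          [("Service-Type", "=", "Login"), ("Juniper-Local-User-Name", ":=", "radius-operator")]),
    Entry("DEFAULT",
          [("Auth-Type", ":=", "Reject"), ("Huntgroup-Name", "==", "JuniperNet")],
          []),
]


def _matches(entry, request):
    """True when the entry name and every '==' check item match the request."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    for attr, op, value in entry.checks:
        if op != "==":
            continue  # assignment check items do not take part in matching
        if attr == "Ldap-Group":
            # Simulated group lookup: membership in the constructed Ldap-Groups list
            if value not in request.get("Ldap-Groups", ()):
                return False
        elif request.get(attr) != value:
            return False
    return True


def evaluate(request, entries=USERS):
    """Walk the entries like the files module; return (control, reply) dicts."""
    control, reply = {}, {}
    for entry in entries:
        if not _matches(entry, request):
            continue
        for attr, op, value in entry.checks:
            if op == ":=":
                control[attr] = value          # e.g. Auth-Type := Reject
        for attr, op, value in entry.replies:
            if op == ":=" or attr not in reply:
                reply[attr] = value
        if reply.get("Fall-Through") != "Yes":
            break                              # first match ends processing
    return control, reply


# Constructed sample requests (hypothetical users and huntgroup names).
JUNIPER = {"Huntgroup-Name": "JuniperNet"}
SAMPLES = {
    "admin":     {"User-Name": "alice", "Ldap-Groups": ["ldap_group_1"], **JUNIPER},
    "operator":  {"User-Name": "bob",   "Ldap-Groups": ["ldap_group_2"], **JUNIPER},
    "both":      {"User-Name": "carol", "Ldap-Groups": ["ldap_group_2", "ldap_group_1"], **JUNIPER},
    "neither":   {"User-Name": "dave",  "Ldap-Groups": [], **JUNIPER},
    "other_nas": {"User-Name": "alice", "Ldap-Groups": ["ldap_group_1"], "Huntgroup-Name": "OtherNet"},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        control, reply = evaluate(req)
        print(f"{label:10} control={control} reply={reply}")
```

Running it shows that a user in both groups is given radius-admin purely because that entry comes first, and that a request from a NAS outside the JuniperNet huntgroup matches none of these entries and so is not rejected by them; a reject for that case has to come from another entry or an unlang check, whichever section the filtering ends up in.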
