FreeRADIUS 3 and ldap
Victor Cenac
victor at fuller.edu
Mon Nov 26 20:38:08 CET 2018
Bellow is my previous interaction:
The info graciously provided by Alan seem to not match my version... or I
need more hand holding. My installation is on ubuntu server 18.04 and I
installed freeradius with apt-get. So I have version 3.0.16+dfsg-1ubuntu3.
Following some other instructions I also installed freeradius-ldap.
My installation is here:
/etc/freeradius/3.0
so no radb folder, but that's not a big deal, as I assume on other OS the
install is in /etc/radb/
In my version the ldap module is enabled according to these instructions in
mods-available/README.rst:
"Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
Simplification
--------------
Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.
Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.
Once the module is enabled, it will automatically be used in the
default configuration."
Which I did. According to this explanation, that's all I had to do to make
the FreeRADIUS use the ldap.
Now, to do the matching between the ldap attributes (group membership) and
the vlan communicated by the radius server to the switch... I found this in
the ldap file (in mods-available):
"
# Mapping of LDAP directory attributes to RADIUS dictionary
attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <ldap attr>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <ldap attr>: Is the attribute associated with user or
# profile objects in the LDAP directory.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
# Note: LDAP attribute names should be single quoted unless you
want
# the name value to be derived from an xlat expansion, or an
# attribute ref.
update {
control:Password-With-Header += 'userPassword'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID :=
'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
"
Is this the right place? Which lines do I repeat for multiple group-->vlan
translation?
For example:
ldap group Staff = vlan 1
ldap group Student = vlan 2
etc.
Thank you!
Victor
Fri, 16 Nov 2018 17:58:39 -0500
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: MAC auth with LDAP
Message-ID: <0EEDAAC5-C2DA-4ABC-B0D3-93D9A0C35483 at deployingradius.com>
Content-Type: text/plain; charset=us-ascii
On Nov 16, 2018, at 5:13 PM, Victor Cenac <victor at fuller.edu> wrote:
> I have a Juniper network where we assign devices to vlans based on their
> MAC. The MACS are stored in an LDAP with the MAC as username and password.
> The group membership is what distinguishes the vlan needed.
That should be simple enough,
> I managed to configure the ldap and enable the ldap module. FreeRADIUS
> starts fine with it. I also added all the switches as clients.
OK.
> I need help figuring out:
> 1. Where do I tell FreeRADIUS to look for users in ldap (vs the users
file)?
raddb/sites-enabled/default
Look for "ldap". And, raddb/mods-available/ldap
See also http://wiki.freeradius.org/. Search for "ldap". It has lots of
documentations.
> 2. Where do I match the group in ldap with the vlan number that needs to
be
> sent to the client (switch)? For example, for group Staff value is 10
(vlan
> 10).
You don't map LDAP names directly to VLANs. They might be "sales", and
you can't use "sales" as a VLAN number.
Instead, do this:
if (LDAP-Group == "staff") {
update reply {
Tunnel Type = VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := 10
}
}
Alan DeKok.
Victor Cenac-Mehedinti
Senior Systems Administrator
Fuller Theological Seminary
626 396 6060
More information about the Freeradius-Users
mailing list