Working with LDAP, radius clients, users, etc

Paul Pathiakis pathiaki2 at yahoo.com
Wed Aug 21 16:52:14 CEST 2019


Hi,
What would be the correct configuration for something like this:

I'd like all the clients in domain example.com to authenticate using the same 'secret' - foobar

If the address space for example.com is 192.168.0.0/22, does my client entry look like this in clients.conf:

client example.com {
        ipaddr    = 192.168.0.0/22
        secret    = foobar
}

Is my understanding correct that any and all clients that are configured in the 192.168.0.1 - 192.168.3.254 range can be authenticated via freeradius at that point, using just the secret 'foobar'?

Moving on, I also want to verify that the user is in the LDAP database before starting the login process.

In my /etc/raddb/mods-available/ldap file, I should have an entry that looks like (without certs for now):

ldap {
    # LDAP server address
    server = 192.168.1.20
    port = 389
    # Where my 'user' entries live
    base_dn = 'ou=People,dc=example,dc=com'

    update {
        control:Password-With-Header    += 'userPassword'
        control:                        += 'radiusControlAttribute'
        request:                        += 'radiusRequestAttribute'
        reply:                          += 'radiusReplyAttribute'
    }

    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }

    # Maps RADIUS client properties to LDAP attributes. It is only consulted
    # when client definitions are loaded from LDAP (read_clients = yes); in the
    # stock mods-available/ldap this map sits inside the client { } subsection.
    attribute {
                ipaddr                          = 'radiusClientIdentifier'
                secret                          = 'radiusClientSecret'
#               shortname                       = 'radiusClientShortname'
#               nas_type                        = 'radiusClientType'
#               virtual_server                  = 'radiusClientVirtualServer'
#               require_message_authenticator   = 'radiusClientRequireMa'
    }
}

OK, I'm a little confused about the attribute block above.

In my openldap configuration, I have put the schema files

include     /etc/openldap/schema/freeradius.schema
include     /etc/openldap/schema/freeradius-clients.schema

in the location above, and those are the schema files I got from downloading the FreeRADIUS source
in the <path>/doc/schemas/ldap/openldap/ location and copied into the correct location.

I know this isn't an LDAP list, however with regards to the schemas and attribute block, is this checking to see if those entries exist (radiusClientIdentifier, radiusClientSecret) in the user entry in ldap? That is, is this using those schema entries to authenticate the user for access to the client?

I'm starting to see that FreeRADIUS will authenticate all the units on a network from the first two points and then check the existence of the user from LDAP.  However, if I'm trying to be very secure, wouldn't I want to limit the scope of the machines?
For example, say I have a smallish network that grows/contracts with the number of hosts on the desktop and it has as few as 100 and as many as almost 250.  So, I have 192.168.1.0/24 as my CIDR network.  I can use DHCP and Dynamic Updating of DNS to track everything at the IP level, but I don't want to have hosts that are in an 'unknown' state on my network.  For argument's sake, I have someone that plugs into my network and knows the address space that is used.  They are not a 'sanctioned user' for that network space, but due to the scope of what RADIUS allows in my above network range of 192.168.0.0/22, the machine gets authenticated.  It seems that it would be beneficial to have an entry for all the machines in my LDAP to allow authentication for that client.
Is this possible?
I'm thinking it would be a good thing to be able to have entry upon entry of clients and users on a case-by-case basis added to and removed from LDAP with a flag in the record to allow authentication.
Do people do this?  Am I going in the wrong direction?  If so, which way?  If not, how would this be addressed?
TY!
P
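The post's concern is that a /22 client entry makes every address in 192.168.0.0-192.168.3.255 an acceptable RADIUS client. The script below is an added example, not part of the post or of FreeRADIUS itself: it parses a constructed clients.conf fragment (the /22 entry from the post plus an assumed per-device host entry, "switch01", with its own assumed secret), resolves which entry a given source address would match using longest-prefix selection as FreeRADIUS does for overlapping entries, and reports how many NAS addresses each entry accepts.

```python
import ipaddress
import re

# Constructed clients.conf fragment: the broad /22 entry from the post plus an
# assumed narrower per-host entry to show how the accepted scope can be limited.
CLIENTS_CONF = """
client example.com {
        ipaddr    = 192.168.0.0/22
        secret    = foobar
}
client switch01 {
        ipaddr    = 192.168.1.5
        secret    = per-device-secret
}
"""

_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return {name: (network, secret)} for each client block in the text."""
    clients = {}
    for name, body in _BLOCK.findall(text):
        kv = dict(_KV.findall(body))
        # A bare address becomes a /32 host entry; a CIDR string stays a network.
        net = ipaddress.ip_network(kv["ipaddr"], strict=False)
        clients[name] = (net, kv["secret"])
    return clients


def find_client(clients, src_ip):
    """Pick the most specific (longest-prefix) entry covering src_ip, the way
    FreeRADIUS resolves overlapping client entries. Returns (name, network,
    secret), or None when no entry covers the address (request is dropped)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for name, (net, secret) in clients.items():
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, secret)
    return best


def covered_host_count(clients, name):
    """Number of source addresses a client entry would accept as a NAS."""
    return clients[name][0].num_addresses


if __name__ == "__main__":
    clients = parse_clients(CLIENTS_CONF)
    for probe in ("192.168.3.254", "192.168.1.5", "192.168.4.1"):
        print(probe, "->", find_client(clients, probe))
    for name in clients:
        print(name, "accepts", covered_host_count(clients, name), "addresses")
```

Replacing the /22 with one host entry per sanctioned NAS (or loading those entries from LDAP with read_clients) shrinks the accepted set from 1024 addresses to exactly the devices you enrolled.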
