LDAP authentication for Unifi wireless APs

Erwin Rutgers erwin.rutgers at enshore.nl
Tue Nov 17 12:03:34 CET 2020

Hello freeradius community,

To start off, this is my first post to the community, so if there is anything I am doing wrong despite reading the help pages, please point this out to me and it will never happen again.

Then to the plan and the problems: We are using Unifi access points and would like to switch to WPA-Enterprise authentication against our internal ldap. The ldap server is a freeipa server which contains the username and password for all of our users. After installation of freeradius, I entered a cleartext-password user in /etc/raddb/users and added the APs as clients. In the Unifi controller, I configured a new RADIUS profile pointing to the freeradius server and added this to a test network. Wireless EAP authentication was successful.
After that, I went on and configured the ldap module with the filters and ldap settings that apply to our freeipa server. That worked too with a radtest command, and I got an Accept-Accept result with the credentials from a test user in the ldap server. I already removed the Clear-text password user from the /etc/raddb/users file.

From here on, I'm not quite sure on how to get both methods to connect properly. To get the ldap to work in the above test, I mainly wanted to prove that the freeradius ldap module was able to authenticate against our ldap at all. To get this to work I uncommented the following section in /etc/raddb/sites-available:
Auth-Type LDAP {

Your guides specifically stated that this should be avoided and when I ran a wireless connection test, the radiusd -X output gave a pretty clear message stating that setting Auth-Type will not work.
So then, I disabled this section and ran another test. See the attached file: failed_attempt2.txt.
Then I restored the /etc/raddb/mods-config/files/authorize file to its original state and added "ldap" to the /etc/raddb/sites-available/default file instead of the Auth-Type LDAP part.
I ran another test and added the debug information in file freeradius_debug2.

Initially I chose the ldap module instead of the ntlm_auth method because the ldap module allowed for better directory filtering to my liking. I did try to set up a samba ntlm connection to the freeipa server though, but the guides did not seem to work for freeipa.

I hope this is enough information for anyone to work with. I'm looking forward to your insights.
Thanks in advance and thank you for your time!

Kind regards,
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: failed_attempt2.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20201117/47d79930/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius_debug2
Type: application/octet-stream
Size: 77138 bytes
Desc: freeradius_debug2
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20201117/47d79930/attachment-0001.obj>
