FreeRADIUS and Okta LDAP Interface

Alan DeKok aland at deployingradius.com
Wed Mar 6 20:57:25 UTC 2024


On Mar 6, 2024, at 3:27 PM, Brian Blater <brian.blater+freeradius at digitalturbine.com> wrote:
> Okta supports RADIUS from a handful of proprietary systems. None of
> which we have. We are using Unifi APs for our WiFi. As is typically
> the case, I have ZERO budget for this. So, implementing an online
> proprietary system at $X/user/month isn't possible, although much
> easier.

  Until they double the prices.  That's all too common.

> So, I spun up a new Ubuntu VM and installed FreeRADIUS. I've already
> got the Okta LDAP Interface created and working. I've used it with
> both Jamf and ldapsearch. That piece seems to be working at this time.
> I have followed various instructions online and have FreeRADIUS up and
> working using a test user in the local sql db.

  That's good.

> Now the part of integrating it with Okta. I have searched all over for
> information on configuring FreeRADIUS with Okta and I've found very
> little. Okta does have a RADIUS agent for Linux, but from my install
> and attempt to configure that I've found it lacking many features.

  There's no documentation specific to Okta.  If they have an LDAP interface, just configure the ldap module, and it will work.

  Read the comments in the mods-available/ldap file.  Get the "ldapsearch" command working first.  Then, convert that text to the FreeRADIUS configuration.

  The comments describe how to do this.

> I've also made the necessary changes in the user and group sections.
> In the tls section I've changed start_tls = yes and specified the
> ca_file.
> 
> Now I can't even get freeradius -X to start. I get the following when
> running that:
> /etc/freeradius/3.0/mods-enabled/ldap[8]: ldaps:// scheme is not
> compatible with 'start_tls'
> /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module
> "ldap"
> 
> If I change start_tls to no, I get the following:
> TLS: can't connect: (unknown error code).
> rlm_ldap (ldap): Bind with uid=<redacted>, dc=com to
> ldaps://redacted.ldap.okta.com:636 failed: Can't contact LDAP server
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module
> "ldap"

  Likely the LDAP server isn't available at that host / port.  Or, something else is blocking the connection.

> One thing to mention here is when doing an ldapsearch using the following:
> ldapsearch -x -H ldaps://digitalturbine.ldap.okta.com -D
> "uid=<redacted>,dc=com" -W -b dc=redacted,dc=okta,dc=com
> uid=<username>
> I get results.

  Then copy the command-line from ldapsearch to the mods-available/ldap file, as documented in the comments.  It *will* work.

  FreeRADIUS uses the same LDAP library as is used by the ldapsearch command.  So if one works, it's just a matter of configuration to get the other one to work.

> How do I configure FreeRADIUS ldap to do simple auth in this case?
> Must be something I'm missing in the ldap file, but can't put my
> finger on it.

  If you're using the same URIs, etc. as ldapsearch, it will work.  If you're using different URIs, then it might work (or not).

  Use the same URIs and configuration for both ldapsearch, and for mods-available/ldap.

  Alan DeKok.
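
The mapping described in the reply above, as an added example that is not part of the original message or of the FreeRADIUS distribution: the ldapsearch command quoted in the thread, translated option by option into mods-available/ldap for FreeRADIUS 3.0. Values in angle brackets are the thread's redacted placeholders, and the ca_file path is an assumption (the Ubuntu system CA bundle).

```conf
# Added example. Source command from the thread:
#   ldapsearch -x -H ldaps://<host> -D "uid=<redacted>,dc=com" -W \
#       -b dc=redacted,dc=okta,dc=com uid=<username>

ldap {
	# -H : use exactly the URI that works with ldapsearch.
	# ldaps:// means TLS from the first byte of the connection.
	server = 'ldaps://redacted.ldap.okta.com'

	# -x -D : simple bind as this DN.
	identity = 'uid=<redacted>,dc=com'

	# -W : the password ldapsearch prompted for (placeholder).
	password = '<bind password>'

	# -b : search base.
	base_dn = 'dc=redacted,dc=okta,dc=com'

	user {
		base_dn = "${..base_dn}"

		# "uid=<username>" from the command line, with the
		# RADIUS User-Name substituted at run time.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# StartTLS upgrades a plain ldap:// connection, so it must
		# stay off with ldaps://. Setting it to yes produces the
		# "ldaps:// scheme is not compatible with 'start_tls'" error
		# quoted in the thread.
		start_tls = no

		# Assumed path: CA bundle used to verify the server certificate.
		ca_file = /etc/ssl/certs/ca-certificates.crt

		# Refuse the connection if the certificate does not verify.
		require_cert = 'demand'
	}
}
```

Keeping require_cert at 'demand' means the bind password and user lookups are only sent to a server whose certificate chains to ca_file.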
