06InstanceFreeRadiusLdap - amagerard/FreeRadius GitHub Wiki


6. Instance Freeradius-ldap.

6.1 Principle.

It is not recommended to host the LDAP user accounts on the FreeRADIUS server itself.
The directory lives on another server (in this example, the OpenLDAP server).
FreeRADIUS reaches that directory over a TLS-protected LDAP connection (STARTTLS, configured in 6.7), so neither the bind password nor the user passwords cross the network in clear text.
I will create a freeradius-ldap instance reserved for the users held in the LDAP directory on the OpenLDAP server.

6.2 Openldap.

Go to Install Openldap.

IMPORTANT.
Your openldap server should be ready to continue.

Very important.
The CA configured in mods-available/ldap must be the CA that issued the OpenLDAP server certificate and the FreeRADIUS certificate; otherwise the TLS handshake to the directory fails certificate verification. Before going further, check with openssl verify that freeradius.crt chains to CA.crt.
As of February 10, 2025, mods-available/ldap does not work with a CA generated by OpenSSL on Red Hat 9.5.
It is necessary to create the certificate authority (CA) with an AlmaLinux 9.4 live CD,
and then import CA.crt and CA.key from the AlmaLinux live CD to the FreeRADIUS and OpenLDAP servers.
Maybe this problem will be resolved in future versions.

6.3 Add the system user ldaprad.

groupadd ldaprad
useradd -g ldaprad -s /bin/false -d /etc/freeradius-ldap ldaprad

Give ldaprad read access to the instance's key and certificate and to the CA certificate. Read (r) is enough for a file; the execute bit is not needed.
setfacl -m u:ldaprad:r /etc/pki/tls/private/freeradius.key
setfacl -m u:ldaprad:r /etc/pki/tls/certs/freeradius.crt
setfacl -m u:ldaprad:r /etc/pki/tls/certs/CA.crt

Do not grant ldaprad access to /etc/pki/tls/private/CA.key. Nothing in the freeradius-ldap configuration reads the CA private key (the eap and ldap modules in 6.7 reference only CA.crt), and a compromised RADIUS process must not be able to sign new certificates with it. Check the result with getfacl on each file.

6.4 Freeradius-ldap installation.

Copy /etc/raddb to /etc/freeradius-ldap. The target directory does not exist yet (useradd -d does not create it), and cp -a keeps the file modes of raddb, so the private files stay non-world-readable.
mkdir /etc/freeradius-ldap
cp -a /etc/raddb/. /etc/freeradius-ldap/
chgrp -R ldaprad /etc/freeradius-ldap

6.5 Configuration.

vi /etc/freeradius-ldap/radiusd.conf

prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/freeradius-ldap
raddbdir = ${sysconfdir}/freeradius-ldap
radacctdir = ${logdir}/radacct

name = freeradius-ldap

user = ldaprad
group = ldaprad

name also determines run_dir (${localstatedir}/run/${name}, i.e. /var/run/freeradius-ldap) and the PID file (${run_dir}/${name}.pid), which the service unit in 6.6 must match. user and group are in the security { } block further down; they are the account the daemon drops to after start-up, and that account must be able to read the key and certificates from 6.3.

Create the directory for the logs. radius.log will contain user names (and, with the options of 6.11, passwords), so keep it readable by the service account only.
mkdir -p /var/log/freeradius-ldap/radacct
touch /var/log/freeradius-ldap/radius.log
chown -R ldaprad:ldaprad /var/log/freeradius-ldap
chmod 0750 /var/log/freeradius-ldap
chmod 0640 /var/log/freeradius-ldap/radius.log
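The steps of 6.4 and 6.5, together with the port changes of 6.6, are repeated for every instance in this wiki (sql, ldap, AD). The script below is an added example, not the wiki author's code: clone_instance performs the same edits with sed and awk on any configuration tree, and leftover_refs then lists anything still hard-wired to the default instance, which has to be fixed by hand. The paths, the ldaprad account and the 2812/2813/28120 port scheme (acct = auth+1, inner-tunnel = auth*10) are taken from the page; the miniature raddb tree used for the dry run is constructed for the demonstration and is not a real /etc/raddb.

```shell
#!/bin/sh
# Added example for this wiki page (not the author's script): it turns the
# copy-and-edit steps of 6.4/6.5 into one function, so every extra instance
# (sql, ldap, AD) is built the same way. Paths follow the page's RHEL layout;
# the port scheme (acct = auth+1, inner-tunnel = auth*10) is the page's own.
set -eu

# Portable in-place edit: rewrite FILE sed-args...
rewrite() {
    f=$1; shift
    sed "$@" "$f" > "$f.new" && mv "$f.new" "$f"
}

# clone_instance SRC DST NAME USER AUTHPORT
#   e.g. clone_instance /etc/raddb /etc/freeradius-ldap freeradius-ldap ldaprad 2812
clone_instance() {
    src=$1 dst=$2 name=$3 user=$4 auth=$5
    acct=$((auth + 1)) inner=$((auth * 10))

    mkdir -p "$dst"
    cp -a "$src/." "$dst/"    # -a keeps file modes; "cp -R src/*" would not

    # radiusd.conf: instance name, log/config dirs and the unprivileged account
    # (user/group sit in the security { } block; the regexes are anchored on the key).
    rewrite "$dst/radiusd.conf" \
        -e "s|^\([[:space:]]*logdir[[:space:]]*=\).*|\1 \${localstatedir}/log/$name|" \
        -e "s|^\([[:space:]]*raddbdir[[:space:]]*=\).*|\1 \${sysconfdir}/$name|" \
        -e "s|^\([[:space:]]*name[[:space:]]*=\).*|\1 $name|" \
        -e "s|^\([[:space:]]*user[[:space:]]*=\).*|\1 $user|" \
        -e "s|^\([[:space:]]*group[[:space:]]*=\).*|\1 $user|"

    # sites-available/default: the first uncommented "port = 0" is the auth
    # listener, the second one the acct listener (0 = take the port from /etc/services).
    awk -v a="$auth" -v c="$acct" '
        /^[[:space:]]*port[[:space:]]*=[[:space:]]*0[[:space:]]*$/ {
            n++; sub(/0[[:space:]]*$/, (n == 1 ? a : c))
        }
        { print }' "$dst/sites-available/default" > "$dst/sites-available/default.new"
    mv "$dst/sites-available/default.new" "$dst/sites-available/default"

    # inner-tunnel: move off the stock 18120 so two instances never collide
    rewrite "$dst/sites-available/inner-tunnel" \
        -e "s|^\([[:space:]]*port[[:space:]]*=[[:space:]]*\)18120|\1$inner|"

    # hand the tree to the service account's group (skipped when the group
    # does not exist yet, e.g. in the dry run below)
    if getent group "$user" >/dev/null 2>&1; then chgrp -R "$user" "$dst"; fi
}

# Variables are rewritten above, but anything hard-wired to the default
# instance (/etc/raddb, /var/log/radius) must be fixed by hand. Lists them.
leftover_refs() {
    grep -rn -e '/etc/raddb' -e '/var/log/radius[^-]' -e '/var/log/radius$' "$1" 2>/dev/null \
        | grep -v ':[[:space:]]*#' || true
}
leftover_count() { leftover_refs "$1" | wc -l | tr -d ' '; }

# Constructed miniature of /etc/raddb: just enough structure to exercise the
# function. The hard-coded key path in mods-available/eap is deliberate.
make_sample_tree() {
    d=$1
    mkdir -p "$d/sites-available" "$d/mods-available"
    cat > "$d/radiusd.conf" <<'EOF'
prefix = /usr
sysconfdir = /etc
localstatedir = /var
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
name = radiusd
security {
    user = radiusd
    group = radiusd
}
EOF
    printf 'server default {\nlisten {\n    type = auth\n    ipaddr = *\n    port = 0\n}\nlisten {\n    type = acct\n    ipaddr = *\n    port = 0\n}\n}\n' \
        > "$d/sites-available/default"
    printf 'server inner-tunnel {\nlisten {\n    ipaddr = 127.0.0.1\n    port = 18120\n    type = auth\n}\n}\n' \
        > "$d/sites-available/inner-tunnel"
    printf '    private_key_file = /etc/raddb/certs/server.pem\n' > "$d/mods-available/eap"
}

# Dry run in a temporary directory
demo=$(mktemp -d)
make_sample_tree "$demo/raddb"
clone_instance "$demo/raddb" "$demo/freeradius-ldap" freeradius-ldap ldaprad 2812
grep -n -e 'dir = ' -e '^name' -e 'user = ' -e 'group = ' "$demo/freeradius-ldap/radiusd.conf"
grep -n 'port = ' "$demo/freeradius-ldap/sites-available/default" "$demo/freeradius-ldap/sites-available/inner-tunnel"
echo "hard-coded leftovers to fix by hand:"
leftover_refs "$demo/freeradius-ldap"
rm -rf "$demo"
```

Run as is, it only touches a temporary directory. For the real instance, after groupadd in 6.3, call clone_instance /etc/raddb /etc/freeradius-ldap freeradius-ldap ldaprad 2812 as root, then review whatever leftover_refs prints before starting the server.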

6.6 Create a freeradius-ldap service.

Create the /run/freeradius-ldap directory at startup.
vi /usr/lib/tmpfiles.d/freeradius-ldap.conf

#Type Path                 Mode  UID   GID      Age  Argument
d     /run/freeradius-ldap 0775  root  ldaprad  -    -

tmpfiles.d entries are applied at boot, so a reboot activates the file. To create the directory immediately instead, run systemd-tmpfiles --create /usr/lib/tmpfiles.d/freeradius-ldap.conf.

Copy the service radiusd.service to freeradius-ldap.service.
See InstanceDefault chapter 3.1.
cp /opt/freeradius/redhat/radiusd.service /usr/lib/systemd/system/freeradius-ldap.service
Edit the file.
vi /usr/lib/systemd/system/freeradius-ldap.service

[Service]  
Type=forking  
WatchdogSec=0  
NotifyAccess=all  
EnvironmentFile=-/etc/sysconfig/radiusd  
# FreeRADIUS can do static evaluation of policy language rules based  
# on environmental variables which is very useful for doing per-host  
# customization.  
# Unfortunately systemd does not allow variable substitutions such  
# as %H or $(hostname) in the EnvironmentFile.  
# We provide HOSTNAME here for convenience.  
Environment=HOSTNAME=%H
  
# Limit memory to 2G this is fine for %99.99 of deployments.  FreeRADIUS  
# is not memory hungry, if it's using more than this, then there's probably  
# a leak somewhere.  
MemoryMax=2G  
  
# Runtime directory for this instance only. Keeping the stock "radiusd" here
# would make systemd remove /run/radiusd whenever this unit stops, breaking the
# default instance. RuntimeDirectory= also creates /run/freeradius-ldap at start.
RuntimeDirectory=freeradius-ldap freeradius-ldap/tmp
RuntimeDirectoryMode=0775  
User=ldaprad  
Group=ldaprad  
PIDFile=/run/freeradius-ldap/freeradius-ldap.pid  
#ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cx -lstdout  
ExecStart=/usr/sbin/radiusd -d /etc/freeradius-ldap -l /var/log/freeradius-ldap/radius.log  
Restart=on-failure  
RestartSec=5  
# Configuration check before the reload. Without -C this line would try to
# start a second server, fail to bind the ports, and make every reload fail.
ExecReload=/usr/sbin/radiusd -d /etc/freeradius-ldap -Cx -lstdout
ExecReload=/bin/kill -HUP $MAINPID  
  
#  Don't elevate privileges after starting  
NoNewPrivileges=true  
# Allow binding to secure ports, broadcast addresses, and raw interfaces.  
#  
# This list of capabilities may not be exhaustive, and needs  
# further testing. Please uncomment, test, and report any issues.  
#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE  
  
# Private /tmp that isn't shared by other processes  
PrivateTmp=true  
  
# cgroups are readable only by radiusd, and child processes  
ProtectControlGroups=true  
  
# don't load new kernel modules  
ProtectKernelModules=true  
  
# don't tune kernel parameters  
ProtectKernelTunables=true  
  
# Only allow native system calls  
SystemCallArchitectures=native  
  
# We shouldn't be writing to the configuration directory  
ReadOnlyDirectories=/etc/freeradius-ldap/  
  
# We can read and write to the log directory.  
ReadWriteDirectories=/var/log/freeradius-ldap/  
  
[Install]  
WantedBy=multi-user.target  

Change the ports in sites-available/default.
Replace port = 0 (which means "take the radius/radius-acct ports from /etc/services", i.e. 1812/1813) with 2812 for authentication and 2813 for accounting, so this instance does not collide with the default instance.
vi /etc/freeradius-ldap/sites-available/default

server default {
listen {
       type = auth
       ipaddr = *
       port = 2812
       limit {
           # unchanged
       }
}

#  This second "listen" section is for listening on the accounting port.
listen {
       type = acct
       ipaddr = *
#      ipv6addr = ::
       port = 2813
       limit {
           # unchanged
       }
}

Change the port in sites-available/inner-tunnel.
Replace port 18120 with 28120.
vi /etc/freeradius-ldap/sites-available/inner-tunnel

server inner-tunnel {
listen {
       ipaddr = 127.0.0.1
       port = 28120
       type = auth
       }

Around line 366 of /etc/freeradius-ldap/sites-available/inner-tunnel (sites-enabled/inner-tunnel is a symlink to the same file), in the post-auth section, change "if (0)" to "if (1)". This block copies the reply attributes of the inner (tunnelled) authentication, for example VLAN attributes, into the outer reply so they reach the NAS, while stripping the EAP and MPPE attributes that must stay inside the tunnel; it replaces the old use_tunneled_reply option.
vi /etc/freeradius-ldap/sites-available/inner-tunnel

       #  Instead of "use_tunneled_reply", change this "if (0)" to an
       #  "if (1)".
       #
       if (1) {

Ignore sql in /etc/freeradius-ldap/sites-enabled/default and in /etc/freeradius-ldap/sites-enabled/inner-tunnel.
Put a "#" in front of every line that reads -sql. The leading "-" already tells FreeRADIUS to skip the module silently when it is not enabled, so the instance would start without this change; commenting the lines makes the intent explicit.

#-sql

6.7 Mods-available.

Edit the ldap file.
vi /etc/freeradius-ldap/mods-available/ldap

#  Lightweight Directory Access Protocol (LDAP)
ldap {
    server = 'openldap.ol26modk.com'
    identity = 'cn=Manager,dc=ol26modk,dc=com'
    password = 'X2m56AB50!'
    base_dn = 'dc=ol26modk,dc=com'

    update {
        # Comment this line
        # control:Password-With-Header   += 'userPassword'
        # and add this one
        control:Cleartext-Password      += 'userPassword'
        ...
    }

    tls {
        start_tls = yes
        ca_file = /etc/pki/tls/certs/CA.crt
        ca_path = /etc/pki/tls/certs
        certificate_file = /etc/pki/tls/certs/freeradius.crt
        private_key_file = /etc/pki/tls/private/freeradius.key
        random_file = /dev/urandom
        # The module's documented default is 'allow' (connect even if the server
        # certificate cannot be verified); 'demand' makes the CA above enforced.
        require_cert = 'demand'

        tls_min_version = "1.2"
        ...
    }
    ...
}

identity is the DN FreeRADIUS binds with. cn=Manager is the OpenLDAP rootdn, which bypasses every ACL; a dedicated bind account that may only read userPassword (and the attributes you map) limits what a compromised RADIUS server can do with the directory. The bind password sits in clear text in this file, which is why the file must stay readable by root and the ldaprad group only.

Cleartext-Password += 'userPassword' only works when userPassword is stored in clear text in the directory (see 6.12). MS-CHAPv2, the method PEAP clients use, needs the clear-text or NT-hashed password; a hashed userPassword ({SSHA}, {MD5}, ...) mapped through Password-With-Header would allow PAP only.

start_tls = yes negotiates TLS on the plain LDAP port (389) before the bind, so the bind password never crosses the network unencrypted.

Create the ldap link in mods-enabled.
ln -s /etc/freeradius-ldap/mods-available/ldap /etc/freeradius-ldap/mods-enabled/ldap
The default and inner-tunnel sites already call -ldap in their authorize sections, so enabling the module is all that is needed for the lookups.

Edit the eap file.
This may already have been done in InstanceDefault, chapter 4.4 (eap).
vi /etc/freeradius-ldap/mods-available/eap

eap {
    tls-config tls-common {
        private_key_file = /etc/pki/tls/private/freeradius.key
        certificate_file = /etc/pki/tls/certs/freeradius.crt
        ca_file = /etc/pki/tls/certs/CA.crt
        ca_path = /etc/pki/tls/certs
        ...
    }
    ...
}

Change permissions.
chgrp -R ldaprad /etc/freeradius-ldap/mods-enabled

6.8 Check for other errors.

At this stage freeradius-ldap must start without reporting an error.
If there are errors, review the configuration.
radiusd -d /etc/freeradius-ldap -l /var/log/freeradius-ldap/radius.log -X
Ctrl+C to exit.
If it is good:
systemctl enable --now freeradius-ldap

Check the ports. netstat (net-tools) may not be installed on RHEL 9; ss -ulnp | grep radiusd gives the same information.
netstat -tunlp | grep radiusd

udp    0   0 127.0.0.1:28120   0.0.0.0:*   2575/radiusd
udp    0   0 0.0.0.0:53552     0.0.0.0:*   2575/radiusd
udp    0   0 0.0.0.0:2812      0.0.0.0:*   2575/radiusd
udp    0   0 0.0.0.0:2813      0.0.0.0:*   2575/radiusd

28120 is the inner-tunnel listener (loopback only), 2812 and 2813 the auth and acct listeners, and the high random port (53552 here) is the source port the server opens for proxying to home servers.

6.9 NAS.

The NAS (network access server) is the device that sends its authentication requests to FreeRADIUS.
In my example it is a DD-WRT Wi-Fi router.
The NAS and FreeRADIUS share a secret key.

First replace every occurrence of the shipped secret "testing123" with another password.
cat /etc/freeradius-ldap/clients.conf| grep secret
Example: new secret = 3bd45df3-3bd45df3
sed -i -e "s/testing123/3bd45df3-3bd45df3/g" /etc/freeradius-ldap/clients.conf
Put a "#" in front of the IPv6 client in the clients.conf file.
vi /etc/freeradius-ldap/clients.conf

#  IPv6 Client
##client localhost_ipv6 {
##   ipv6addr  = ::1
##    secret = 3bd45df3-3bd45df3
##}

Add a new "nas" at the end of the clients.conf file. Use a random secret of at least 16 characters and put it in double quotes: "#" is the comment marker in these files, and a quoted string is read unambiguously whatever characters it contains.
vi /etc/freeradius-ldap/clients.conf

client linksys2 {
# IP address of linksys2.
     ipaddr = 192.168.5.1
# Shared key.
     secret = "ABjA#3r3bAB6n"
}

Set require_message_authenticator = yes. The instance then drops any Access-Request that does not carry a valid Message-Authenticator, so a packet sent from a NAS address by someone who does not know the secret is never processed; it is also the server-side mitigation for the 2024 Blast-RADIUS attack (CVE-2024-3596). Make sure the NAS firmware sends the attribute, otherwise its requests are dropped.
vi /etc/freeradius-ldap/clients.conf

#  allowed values: yes, no, auto
        #
        require_message_authenticator = yes
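What this section asks you to do by hand (replace testing123, choose a strong secret, set require_message_authenticator) can be checked mechanically. The script below is an added example, not the wiki author's code: new_secret draws 128 random bits from /dev/urandom, and audit_clients reads a clients.conf and reports, per client block, the shipped default secret, short secrets, a missing require_message_authenticator = yes, and catch-all source addresses. The clients.conf it parses is constructed for the demonstration (guest_ap, its address and the secrets are placeholders), and the parser handles the key = value syntax of this file, not every FreeRADIUS configuration construct.

```shell
#!/bin/sh
# Added example for this wiki page (not the author's script): generate a NAS
# secret and audit a clients.conf for the things 6.9 asks you to fix by hand.
# The clients.conf below is constructed for the demonstration; names, addresses
# and secrets in it are placeholders.
set -eu

# 32 hex characters (128 bits) from the kernel CSPRNG, instead of a hand-typed secret.
new_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# audit_clients FILE [MINLEN]
# One line per client block: "<name> <address> <verdict...>" where the verdict is
# "ok" or any of DEFAULT-SECRET, SHORT-SECRET(n), NO-MSG-AUTH (no explicit
# require_message_authenticator = yes in the block), ANY-SOURCE (0.0.0.0/0 or *).
audit_clients() {
    awk -v minlen="${2:-16}" '
        # value after "=", trailing blanks and surrounding double quotes removed
        function val(s) {
            sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]+$/, "", s)
            sub(/^"/, "", s); sub(/"$/, "", s); return s
        }
        function flush() {
            if (name == "") return
            v = ""
            if (secret == "testing123")         v = v " DEFAULT-SECRET"
            if (length(secret) < minlen)        v = v " SHORT-SECRET(" length(secret) ")"
            if (rma != "yes")                   v = v " NO-MSG-AUTH"
            if (ip == "0.0.0.0/0" || ip == "*") v = v " ANY-SOURCE"
            if (v == "") v = " ok"
            print name " " ip v
            name = ""
        }
        # comments: "#" at line start or after a blank (a "#" inside a bare
        # secret is left alone; quote such secrets anyway)
        { sub(/^[[:space:]]*#.*/, ""); sub(/[[:space:]]#.*/, "") }
        /^[[:space:]]*client[[:space:]]+[^[:space:]]+[[:space:]]*[{]/ {
            flush(); name = $2; ip = "?"; secret = ""; rma = "unset"; depth = 0
        }
        name != "" && /^[[:space:]]*(ipaddr|ipv4addr|ipv6addr)[[:space:]]*=/    { ip = val($0) }
        name != "" && /^[[:space:]]*secret[[:space:]]*=/                        { secret = val($0) }
        name != "" && /^[[:space:]]*require_message_authenticator[[:space:]]*=/ { rma = val($0) }
        name != "" { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}"); if (depth == 0) flush() }
        END { flush() }
    ' "$1"
}

# Number of client blocks that are not "ok".
count_findings() { audit_clients "$1" | awk '!/ ok$/ { n++ } END { print n + 0 }'; }

# Constructed sample: the shipped localhost entry left untouched, an
# over-permissive guest AP, and a NAS set up the way 6.9 recommends.
sample_clients_conf() {
cat <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    proto = *
    secret = testing123          # shipped default, never changed
    require_message_authenticator = no
}
client guest_ap {
    ipaddr = 0.0.0.0/0           # any source address may use this secret
    secret = ABjA#3r3bAB6n
}
client linksys2 {
    ipaddr = 192.168.5.1
    secret = "4f1c9b6e8a2d7c3e5b0f9a1d2c3e4f56"
    require_message_authenticator = yes
}
EOF
}

f=$(mktemp)
sample_clients_conf > "$f"
audit_clients "$f"
echo "clients needing attention: $(count_findings "$f")"
echo "fresh secret for a new NAS: $(new_secret)"
rm -f "$f"
```

Against the real file, run audit_clients /etc/freeradius-ldap/clients.conf after the sed in this section; any line that is not "ok" is a block still to fix, and the same check belongs in the proxy.conf review of 6.10.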

6.10 Proxy.

First replace every "testing123" secret in proxy.conf with another password. The secret of home_server localhost must be the same as the one of the localhost client in clients.conf (6.9), since the server proxies to itself through that client entry.
cat /etc/freeradius-ldap/proxy.conf| grep secret
Example: new secret = 3bd45df3-3bd45df3
sed -i -e "s/testing123/3bd45df3-3bd45df3/g" /etc/freeradius-ldap/proxy.conf

Add a new realm.
vi /etc/freeradius-ldap/proxy.conf
Add at the end of the proxy.conf file.

realm ol26modk.com {
type = radius
authhost = LOCAL
accthost = LOCAL
}

authhost = LOCAL means requests for user@ol26modk.com are handled by this server rather than proxied; the realm is stripped off and the ldap module searches for Stripped-User-Name (jemarre), which is what its default user filter does.

Disable the realm example.com by putting a "#" in front of it.
vi /etc/freeradius-ldap/proxy.conf

## realm example.com {
## auth_pool = my_auth_failover
## }

Change port 1812 to 2812 in the localhost home server, so it points at this instance's auth listener.
vi /etc/freeradius-ldap/proxy.conf

home_server localhost {

   port = 2812

6.11 Logs.

vi /etc/freeradius-ldap/radiusd.conf
Change only these lines in the log { } section.

log {
auth = yes
# The next two write the clear-text password of rejected and accepted PAP
# requests into radius.log. Enable them only while debugging, then set them
# back to no; with them on, the log file is as sensitive as the directory.
auth_badpass = yes
auth_goodpass = yes
}

tail -200 /var/log/freeradius-ldap/radius.log

Auth: (2) Login OK: [jemarre/<via Auth-Type = mschap>] (from client localhost port 2812)

With MS-CHAP the password is never available in clear text on the server, so the log shows "<via Auth-Type = mschap>" in its place.
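With auth = yes every accepted and rejected request ends up in radius.log, which makes the file both a detection source and something to handle with care. The script below is an added example, not the wiki author's code: failed_logins counts "Login incorrect" lines per client and user and reports the pairs at or above a threshold, and redact_passwords removes the clear-text password that auth_goodpass/auth_badpass = yes leave in PAP lines, so a log can be shared for troubleshooting. The log lines it processes are constructed in the format of the sample line above (testuser and the failure texts are placeholders), not a real capture.

```shell
#!/bin/sh
# Added example for this wiki page (not the author's script): two helpers for
# the radius.log that 6.11 turns on. failed_logins() counts "Login incorrect"
# lines per client and user and reports bursts; redact_passwords() removes the
# clear-text passwords that auth_goodpass/auth_badpass = yes write into the file
# before the log is shared. The log lines below are constructed in the format of
# the page's own sample line; they are not a real capture.
set -eu

sample_log() {
cat <<'EOF'
Tue Feb 11 09:58:01 2025 : Auth: (2) Login OK: [jemarre/<via Auth-Type = mschap>] (from client localhost port 2812)
Tue Feb 11 09:58:20 2025 : Auth: (3) Login OK: [jemarre/7YhjiDfg4] (from client localhost port 0)
Tue Feb 11 10:01:05 2025 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0)
Tue Feb 11 10:01:07 2025 : Auth: (5) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0)
Tue Feb 11 10:01:09 2025 : Auth: (6) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0)
Tue Feb 11 10:01:11 2025 : Auth: (7) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0)
Tue Feb 11 10:01:13 2025 : Auth: (8) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0)
Tue Feb 11 10:02:30 2025 : Auth: (9) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser/wrongpw] (from client linksys2 port 0)
Tue Feb 11 10:03:00 2025 : Auth: (10) Login OK: [testuser/<via Auth-Type = mschap>] (from client linksys2 port 0)
EOF
}

# failed_logins LOGFILE [THRESHOLD]
# Prints "<count> <client> <user>" for every client/user pair with at least
# THRESHOLD (default 5) "Login incorrect" lines: a quick spray/brute-force check.
failed_logins() {
    awk -v t="${2:-5}" '
        /Login incorrect/ {
            user = $0;   sub(/.*: \[/, "", user);             sub(/\/.*/, "", user)
            client = $0; sub(/.*\(from client /, "", client); sub(/ .*/, "", client)
            n[client " " user]++
        }
        END { for (k in n) if (n[k] >= t) print n[k], k }' "$1"
}

# redact_passwords LOGFILE
# Replaces the password half of "[user/password]" with <redacted>; the
# "<via Auth-Type = ...>" marker used by MS-CHAP (no clear text available) is kept.
redact_passwords() {
    sed -e 's|\(: \[[^/]*/\)[^<][^]]*]|\1<redacted>]|' "$1"
}

f=$(mktemp)
sample_log > "$f"
echo "client/user pairs with 5 or more failures:"
failed_logins "$f" 5
echo "log safe to share:"
redact_passwords "$f"
rm -f "$f"
```

On the real file, failed_logins /var/log/freeradius-ldap/radius.log 10 is a reasonable cron check, and redact_passwords /var/log/freeradius-ldap/radius.log > /tmp/radius-redacted.log is the version to hand to someone else.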

6.12 Check a user's OpenLDAP connection.

  • OpenLDAP server.
    LDAP database.
    User: jemarre
    Password: 7YhjiDfg4

  • FreeRADIUS server.
    1-Open a terminal console.
    systemctl stop freeradius-ldap
    radiusd -d /etc/freeradius-ldap -l /var/log/freeradius-ldap/radius.log -X
    2-Open another terminal console. The last argument of radtest is the localhost client's secret from 6.9.
    radtest jemarre "7YhjiDfg4" localhost:2812 0 3bd45df3-3bd45df3

Sent Access-Request Id 45 from 0.0.0.0:50187 to 127.0.0.1:2812 length 77  
            User-Name = "jemarre"  
            User-Password = "7YhjiDfg4"  
            NAS-IP-Address = 192.168.50.41  
            NAS-Port = 0  
            Message-Authenticator = 0x00  
            Cleartext-Password = "7YhjiDfg4"  
Received Access-Accept Id 45 from 127.0.0.1:2812 to 127.0.0.1:50187 length 20  

-t mschap exercises MS-CHAPv2, the method PEAP clients use; an Access-Accept here confirms that the Cleartext-Password mapping of 6.7 works, since MS-CHAP cannot be verified against a hashed userPassword.
radtest -t mschap jemarre "7YhjiDfg4" localhost:2812 0 3bd45df3-3bd45df3

Sent Access-Request Id 48 from 0.0.0.0:52137 to 127.0.0.1:2812 length 133  
        User-Name = "jemarre"  
        MS-CHAP-Password = "7YhjiDfg4"  
        NAS-IP-Address = 127.0.0.1  
        NAS-Port = 2812  
        Message-Authenticator = 0x00  
        Cleartext-Password = "7YhjiDfg4"  
        MS-CHAP-Challenge = 0x697ae9ca2ff6da03  
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004692ebe011da80322fcc0786b8d33e7f3ec03b49285d9919  
Received Access-Accept Id 48 from 127.0.0.1:2812 to 127.0.0.1:52137 length 84  
        MS-CHAP-MPPE-Keys = 0x000000000000000051b05c393881ae8342b2abac522eae39  
        MS-MPPE-Encryption-Policy = Encryption-Allowed  
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed  

Information.
phpLDAPadmin
The user password must be stored in clear text, not as MD5 (or another hash): the Cleartext-Password mapping of 6.7 and MS-CHAP need the clear value. Because the directory then holds clear-text passwords, restrict read access to userPassword in the OpenLDAP ACLs to the bind DN FreeRADIUS uses.
The user login is the uid attribute (User Name), not the cn.