Skip to content

GitLab

Commit 2d87b92a authored by Frederic Pasteleurs's avatar Frederic Pasteleurs
Browse files
Options

FreeRADIUS: LDAP setup

parent 40e3bfb8
Pipeline #50054313 passed with stages
      in 1 minute and 16 seconds
      Hide whitespace changes
      Inline Side-by-side
      Showing with 70 additions and 1 deletion
      content/projects/network_radius/index.md
      View file @ 2d87b92a
      ......@@ -17,17 +17,86 @@ We will be using FreeRADIUS 3.0.
      * 802.1x authentication on access points
      * Roaming (SpaceFED/EduRoam)
      * LDAP user backend
      * Dynamic VLAN assignment
      * Dynamic VLAN assignment on WiFi
      * RADIUS authentication on wiki (later)
      # LDAP setup
      We need a back-end that contains a list of users with their passwords. You can choose to use the file /etc/freeradius/3.0/users instead of a full LDAP installation for small configurations (1-3 users), but you will feel the administrative pain very quickly. Do yourself a favour and save yourself from unneeded pain: use LDAP.
      Since our LDAP server does not allow to be queried as anonymous, the FreeRADIUS server will need credentials to connect to the LDAP server and do some queries
      ## Generate a password for the FreeRADIUS user
      ~~~~
      # pwgen 30 1
      baigah2cai6chaa5Osh1en3Ahde4Je
      # /usr/sbin/slappasswd -s baigah2cai6chaa5Osh1en3Ahde4Je
      {SSHA}l0uiXg0djOmSAf3SIcN44f7muWrLPpOt
      ~~~~
      ## Create a LDAP user for FreeRADIUS
      ~~~~
      dn: uid=FreeRADIUS,ou=services,dc=hsbxl,dc=be
      objectclass: account
      objectclass: simpleSecurityObject
      objectclass: top
      uid: FreeRADIUS
      userpassword: {SSHA}l0uiXg0djOmSAf3SIcN44f7muWrLPpOt
      ~~~~
      ## Configure FreeRADIUS to use LDAP
      File /etc/freeradius/3.0/mods-enabled/ldap
      ~~~~
      ldap {
      ...
      identity = 'uid=FreeRADIUS,ou=services,dc=hsbxl,dc=be'
      password = baigah2cai6chaa5Osh1en3Ahde4Je
      base_dn = 'dc=hsbxl,dc=be'
      ...
      group {
      ...
      filter = '(objectClass=groupOfNames)'
      ...
      membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
      ...
      }
      ...
      }
      ~~~~
      ## Test the setup
      Once you got LDAP configured, you need to test if it is working correctly
      ~~~~
      ~~~~
      If the test above succeeds, we can go to the next step below:
      # Clients
      The clients are the devices that will contact the RADIUS server for authentication. Clients can be any of the following:
      * a switch
      * a firewall
      * an access point
      * an application (web applications included)
      * another RADIUS server acting as a proxy (think spaceFED)
      ## Setting up the first client
      ~~~~
      ~~~~
      # Advanced configurations
      ## Cisco switch
      ~~~~
      ~~~~
      ## Juniper switch/firewall
      ~~~~
      ~~~~
      ## Unifi access points
      ~~~~
      ~~~~
      Markdown is supported
      0% or .
      You are about to add 0 people to the discussion. Proceed with caution.
      Finish editing this message first!
      Please register or to comment