Commit 2d87b92a authored by Frederic Pasteleurs

FreeRADIUS: LDAP setup

parent 40e3bfb8
Pipeline #50054313 passed with stages in 1 minute and 16 seconds
......@@ -17,17 +17,86 @@ We will be using FreeRADIUS 3.0.
* 802.1x authentication on access points
* Roaming (SpaceFED/EduRoam)
* LDAP user backend
* Dynamic VLAN assignment
* Dynamic VLAN assignment on WiFi
* RADIUS authentication on wiki (later)
# LDAP setup
We need a back-end that contains a list of users with their passwords. You can choose to use the file /etc/freeradius/3.0/users instead of a full LDAP installation for small configurations (1-3 users), but you will feel the administrative pain very quickly. Do yourself a favour and save yourself from unneeded pain: use LDAP.
Since our LDAP server does not allow to be queried as anonymous, the FreeRADIUS server will need credentials to connect to the LDAP server and do some queries
## Generate a password for the FreeRADIUS user
~~~~
# pwgen 30 1
baigah2cai6chaa5Osh1en3Ahde4Je
# /usr/sbin/slappasswd -s baigah2cai6chaa5Osh1en3Ahde4Je
{SSHA}l0uiXg0djOmSAf3SIcN44f7muWrLPpOt
~~~~
## Create a LDAP user for FreeRADIUS
~~~~
dn: uid=FreeRADIUS,ou=services,dc=hsbxl,dc=be
objectclass: account
objectclass: simpleSecurityObject
objectclass: top
uid: FreeRADIUS
userpassword: {SSHA}l0uiXg0djOmSAf3SIcN44f7muWrLPpOt
~~~~
## Configure FreeRADIUS to use LDAP
File /etc/freeradius/3.0/mods-enabled/ldap
~~~~
ldap {
...
identity = 'uid=FreeRADIUS,ou=services,dc=hsbxl,dc=be'
password = baigah2cai6chaa5Osh1en3Ahde4Je
base_dn = 'dc=hsbxl,dc=be'
...
group {
...
filter = '(objectClass=groupOfNames)'
...
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
...
}
...
}
~~~~
## Test the setup
Once you got LDAP configured, you need to test if it is working correctly
~~~~
~~~~
If the test above succeeds, we can go to the next step below:
# Clients
The clients are the devices that will contact the RADIUS server for authentication. Clients can be any of the following:
* a switch
* a firewall
* an access point
* an application (web applications included)
* another RADIUS server acting as a proxy (think spaceFED)
## Setting up the first client
~~~~
~~~~
# Advanced configurations
## Cisco switch
~~~~
~~~~
## Juniper switch/firewall
~~~~
~~~~
## Unifi access points
~~~~
~~~~
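Review bot: the LDAP bind password is committed in clear text twice in this hunk, once as the `pwgen` output and once as `password = baigah2cai6chaa5Osh1en3Ahde4Je` in mods-enabled/ldap, so anyone who can read the repository can bind as `uid=FreeRADIUS,ou=services,dc=hsbxl,dc=be` with whatever rights that account has; if this is the live credential it should be rotated now, and the page should show a placeholder (for example `password = <bind password>`) with a note that the module file must not be world-readable. Two smaller points in the same hunk: the "Test the setup" block is empty, so "If the test above succeeds" refers to nothing (an `ldapsearch -D 'uid=FreeRADIUS,ou=services,dc=hsbxl,dc=be' -W -b 'dc=hsbxl,dc=be'` bind, or `radtest` against a test user, would close that gap), and the config excerpt shows only `identity`, `password` and `base_dn`, so it is worth stating whether the elided `server` line uses `ldaps://` or `start_tls`, since otherwise the same bind password also crosses the wire in clear.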