Tuesday, April 12, 2011

FreeRADIUS+OpenLDAP Step By Step

1. Install the needed packages.

yum install openldap*
yum install freeradius*

2. Set the services to start automatically on system startup.

chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on


Configure and start LDAP

1. Copy the needed LDAP schema for radius. Your path may vary a bit.

cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema

2. Create an admin password for slapd. Record this password, and the {SSHA} hash slappasswd prints, for later use when configuring the slapd.conf file.

slappasswd

3. Add the ldap user and group, if they don't exist. Depending on the install rpm, they may already have been created.

useradd ldap
groupadd ldap

4. Create the directory and assign permissions for the database files.

mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap



5. Edit the slapd.conf file.

cd /etc/openldap
vi slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Radius include
include /etc/openldap/schema/radius.schema
# Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Use the Berkeley database
database bdb
# dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
# root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# Paste the {SSHA} hash printed by slappasswd in step 2 here
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none



6. Remove the slapd.d directory, so that slapd reads slapd.conf instead of the cn=config database.

cd /etc/openldap
rm -rf slapd.d

7. If everything is correct, slapd should start up with no problem.

service slapd start


8. Create the initial entries in a text file called /tmp/initial.ldif. LDIF requires a blank line between entries, otherwise ldapadd rejects the file.

dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user John
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg

9. Add the file to the database. The -x flag selects a simple bind as the rootdn (without it the tools attempt SASL and ignore -D); -W prompts for the password created with slappasswd.

ldapadd -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif

10. Issue a basic query to the LDAP database to make sure that we can request and receive results back.

ldapsearch -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -b "dc=cisco,dc=com" -s sub "(objectClass=*)"


Configure and Start FreeRadius

1. Configure ldap.attrmap, if needed. This step is only needed if you need to map and pass attributes back to the authenticator (dynamic VLAN assignment, for example). Below is an example for dynamic VLAN assignment.

cd /etc/raddb
vi ldap.attrmap

For dynamic VLAN assignment, verify the following lines exist:

replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

Since we are planning to use the userPassword attribute, we will let the mschap module perform the NT translations for us. This only works when userPassword is stored in clear text in the directory, as in the LDIF above; a hashed value such as {SSHA} cannot be turned into the NT hash that MS-CHAPv2 needs. Add the following line to read userPassword from the LDAP object and store it as Cleartext-Password:

checkItem Cleartext-Password userPassword
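To show what those attrmap lines do with the LDIF entry from this walkthrough, here is an added Python example (my own code, not part of the original post or of FreeRADIUS) that applies the checkItem/replyItem rules to a constructed copy of the entry and flags a hashed userPassword that the mschap path could not use:

```python
# Constructed sample input: the ldap.attrmap lines and a cut-down copy of the
# LDIF entry from the walkthrough (not read from a real directory).
ATTRMAP = """
checkItem Cleartext-Password userPassword
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
"""

LDIF_ENTRY = """
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: radiusprofile
uid: jonatstr
userPassword: ggsg
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
"""


def parse_attrmap(text):
    """Return (kind, radius_attr, ldap_attr) for every checkItem/replyItem line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, radius_attr, ldap_attr = line.split()
            rules.append((kind, radius_attr, ldap_attr))
    return rules


def parse_ldif_entry(text):
    """Minimal one-entry LDIF parser; LDAP attribute names are case-insensitive."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def map_entry(rules, entry):
    """Apply the attrmap like rlm_ldap: LDAP attribute -> RADIUS check or reply item."""
    check, reply = {}, {}
    for kind, radius_attr, ldap_attr in rules:
        values = entry.get(ldap_attr.lower())
        if values:  # attribute absent from the entry -> no item is produced
            (check if kind == "checkItem" else reply)[radius_attr] = values[0]
    # mschap derives the NT hash from the cleartext, so a stored hash ({SSHA},
    # {MD5}, ...) in userPassword would silently break PEAP/MS-CHAPv2: flag it.
    password = check.get("Cleartext-Password", "")
    return check, reply, not password.startswith("{")
```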



2. Configure eap.conf. The attributes in the sections below should be verified. You may change other attributes as needed; they are just not covered in this document.

eap {
    default_eap_type = peap
    .....
    tls {
        # I will not go into details here as this is beyond the scope of setting up freeradius.
        # The defaults will work, as freeradius comes with generated self-signed certificates.
    }
    peap {
        default_eap_type = mschapv2
        # You will have to set this to allow the inner tunnel attributes into the final accept message
        use_tunneled_reply = yes
        ......
    }
}


3. Change the authentication and authorization modules and their order.

cd /etc/raddb/sites-enabled
vi default

For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module.

vi inner-tunnel

Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:

authorize {
    ldap
    mschap
    ......
}

4. Configure the ldap module. The password is the rootdn password created with slappasswd in the LDAP section (the option is spelled identity in rlm_ldap).

cd /etc/raddb/modules
vi ldap

ldap {
    server = "localhost"
    identity = "cn=Manager,dc=cisco,dc=com"
    password = admin
    basedn = "dc=cisco,dc=com"
    base_filter = "(objectclass=radiusprofile)"
    access_attr = "uid"
    ............
}



5. Start up radius in debug mode on another console.

radiusd -X

6. Run a basic PAP test with the user and password from the LDIF (radtest takes user, password, server, NAS port number and shared secret):

radtest jonatstr ggsg localhost 12 testing123

You should get an Access-Accept back.


7. Now perform an EAP-PEAP test. This requires a wpa_supplicant test utility called eapol_test.

First install the openssl support libraries and gcc, required to compile:

yum install openssl*
yum install gcc

wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig

Uncomment CONFIG_EAPOL_TEST=y and save/exit.

cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test


8. Create a test config file named eapol_test.conf.peap

network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="jonatstr"
    password="ggsg"
    # If you want to verify the server certificate, the line below would be needed
    #ca_cert="/root/ca.pem"
    phase2="auth=MSCHAPV2"
}

9. Run the test

eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

3 comments:

  1. Hello,

    I am installing freeradius and openldap on Suse 11.3.
    It's working except it doesn't seem to want to load the schema for freeradius. My ldap browser lists all the other schemas, but none of the attributes for freeradius.

    I have this line in my slapd.conf

    include /etc/openldap/schema/radius.schema

    raldap1:~/freeradius-server-2.1.11/doc # ls -la /etc/openldap/schema/radius.schema
    -rw-r--r-- 1 root root 14694 Sep 8 16:46 /etc/openldap/schema/radius.schema

  2. Never mind, I reinstalled ldap and now it's working.

  3. I had found many descriptions that covered bits and pieces but this was the only article I've found that actually explains the steps needed to get ldap and radius-eap all working together.

    The trick that I was completely missing was to configure the inner-tunnel and 'use_tunneled_reply = yes' in the outer (default). It makes sense (always does after the fact) and you have put an end to many hours of head banging.

    Thank-you so much for posting this.
