FreeRADIUS 3 and ldap
Victor Cenac
2018-11-26 19:38:08 UTC
Below is my previous interaction:

The info graciously provided by Alan seem to not match my version... or I
need more hand holding. My installation is on ubuntu server 18.04 and I
installed freeradius with apt-get. So I have version 3.0.16+dfsg-1ubuntu3.
Following some other instructions I also installed freeradius-ldap.
My installation is here:
/etc/freeradius/3.0
so no radb folder, but that's not a big deal, as I assume on other OS the
install is in /etc/radb/

In my version the ldap module is enabled according to these instructions in
mods-available/README.rst:

"Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::

$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo

Simplification
--------------

Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.

Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.

Once the module is enabled, it will automatically be used in the
default configuration."

Which I did. According to this explanation, that's all I had to do to make
the FreeRADIUS use the ldap.
Now, to do the matching between the ldap attributes (group membership) and
the vlan communicated by the radius server to the switch... I found this in
the ldap file (in mods-available):
"
    # Mapping of LDAP directory attributes to RADIUS dictionary attributes.
    #
    # WARNING: Although this format is almost identical to the unlang
    # update section format, it does *NOT* mean that you can use other
    # unlang constructs in module configuration files.
    #
    # Configuration items are in the format:
    #   <radius attr> <op> <ldap attr>
    #
    # Where:
    #   <radius attr>: Is the destination RADIUS attribute
    #                  with any valid list and request qualifiers.
    #   <op>:          Is any assignment attribute (=, :=, +=, -=).
    #   <ldap attr>:   Is the attribute associated with user or
    #                  profile objects in the LDAP directory.
    #                  If the attribute name is wrapped in double
    #                  quotes it will be xlat expanded.
    #
    # Request and list qualifiers may also be placed after the 'update'
    # section name to set defaults destination requests/lists
    # for unqualified RADIUS attributes.
    #
    # Note: LDAP attribute names should be single quoted unless you want
    # the name value to be derived from an xlat expansion, or an
    # attribute ref.
    update {
        control:Password-With-Header += 'userPassword'
        # control:NT-Password := 'ntPassword'
        # reply:Reply-Message := 'radiusReplyMessage'
        # reply:Tunnel-Type := 'radiusTunnelType'
        # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
        # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'

        # Where only a list is specified as the RADIUS attribute,
        # the value of the LDAP attribute is parsed as a valuepair
        # in the same format as the 'valuepair_attribute' (above).
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
"
Is this the right place? Which lines do I repeat for multiple group-->vlan
translation?
For example:
ldap group Staff = vlan 1
ldap group Student = vlan 2
etc.

Thank you!

Victor



Fri, 16 Nov 2018 17:58:39 -0500
From: Alan DeKok <***@deployingradius.com>
To: FreeRadius users mailing list
<freeradius-***@lists.freeradius.org>
Subject: Re: MAC auth with LDAP
Message-ID: <0EEDAAC5-C2DA-4ABC-B0D3-***@deployingradius.com>
Content-Type: text/plain; charset=us-ascii
I have a Juniper network where we assign devices to vlans based on their
MAC. The MACS are stored in an LDAP with the MAC as username and password.
The group membership is what distinguishes the vlan needed.
That should be simple enough.
I managed to configure the ldap and enable the ldap module. FreeRADIUS
starts fine with it. I also added all the switches as clients.
OK.
1. Where do I tell FreeRADIUS to look for users in ldap (vs the users file)?

raddb/sites-enabled/default

Look for "ldap". And, raddb/mods-available/ldap

See also http://wiki.freeradius.org/. Search for "ldap". It has lots of
documentations.
2. Where do I match the group in ldap with the vlan number that needs to be
sent to the client (switch)? For example, for group Staff value is 10 (vlan 10).
You don't map LDAP names directly to VLANs. They might be "sales", and
you can't use "sales" as a VLAN number.

Instead, do this:

    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 10
        }
    }

Alan DeKok.
Victor Cenac-Mehedinti
Senior Systems Administrator
Fuller Theological Seminary
626 396 6060
Alan DeKok
2018-11-26 22:00:05 UTC
Post by Victor Cenac
The info graciously provided by Alan seem to not match my version... or I
need more hand holding. My installation is on ubuntu server 18.04 and I
installed freeradius with apt-get. So I have version 3.0.16+dfsg-1ubuntu3.
Following some other instructions I also installed freeradius-ldap.
/etc/freeradius/3.0
so no radb folder, but that's not a big deal, as I assume on other OS the
install is in /etc/radb/
The default is /etc/raddb. Different operating systems change our packaging, and put the files into different places.

I don't know which version you have, so I just use *our* defaults, and hope that people can figure it out.
Post by Victor Cenac
In my version the ldap module is enabled according to these instructions in
Please don't post documentation to the list. We already know it.
Post by Victor Cenac
Which I did. According to this explanation, that's all I had to do to make
the FreeRADIUS use the ldap.
You also need to configure the LDAP module itself. i.e. point to the correct LDAP server, admin account, etc.
Post by Victor Cenac
Now, to do the matching between the ldap attributes (group membership) and
the vlan communicated by the radius server to the switch... I found this in
Again, there's no need to post this to the list. We're already familiar with that file.
Post by Victor Cenac
Is this the right place? Which lines do I repeat for multiple group-->vlan
translation?
ldap group Staff = vlan 1
ldap group Student = vlan 2
No. What you do is READ MY PREVIOUS MESSAGE. If you're not sure what it means, ASK.

What I said was to do this:

    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 10
        }
    }

This configuration goes into a virtual server, along with all of the other "if" and "update" blocks. As per the "man unlang" documentation, and as per the dozens of other examples.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
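Alan's point that the LDAP module itself must be pointed at the directory, shown as an added illustration (not from the thread or from the FreeRADIUS project's own files): a minimal mods-available/ldap fragment for the MAC-as-username design described above. The hostname, bind DN, password, base DNs and group object class are assumed placeholders; the Password-With-Header mapping is the one already present in the stock file.

```unlang
# /etc/freeradius/3.0/mods-available/ldap (Ubuntu path; /etc/raddb on a default install).
# Hostname, DNs and password below are placeholders and must be replaced.
ldap {
    server = 'ldap.example.org'
    port = 389

    # Bind with a dedicated read-only service account, not a directory admin.
    identity = 'cn=radius-svc,ou=services,dc=example,dc=org'
    password = 'CHANGE-ME'

    base_dn = 'dc=example,dc=org'

    update {
        # Lets the MAC stored in userPassword be checked by pap (from the stock file).
        control:Password-With-Header += 'userPassword'
    }

    user {
        # Each device is an entry whose uid is its MAC address (the thread's design).
        base_dn = "ou=devices,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        # Groups such as "staff" list device DNs in 'member'; this is what
        # LDAP-Group == "staff" in the virtual server resolves against.
        base_dn = "ou=groups,${..base_dn}"
        filter = '(objectClass=groupOfNames)'
        name_attribute = cn
        membership_filter = "(member=%{control:LDAP-UserDn})"
    }

    # STARTTLS so MACs and the bind password never cross the wire in clear text.
    tls {
        start_tls = yes
        ca_file = /etc/ssl/certs/ca-certificates.crt
        require_cert = 'demand'
    }
}
```

Enable it with the soft-link method from the README, then start the server with freeradius -X and confirm the bind and a user lookup succeed before touching the virtual server.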
Alan Buxey
2018-11-27 12:03:15 UTC
hi,
Post by Victor Cenac
/etc/freeradius/3.0
so, if in that dir you have mods-enabled, sites-enabled etc directories,
then that's your config path - so wherever you see /etc/raddb mentioned
(the default path)
just swap that with /etc/freeradius/3.0

then, if following Alan's instructions, just put the stuff into the post-auth
section of the default server in sites-enabled

    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 10
        }
    }


alan
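Victor's original question was which lines to repeat for several group-to-VLAN translations. As an added example (not posted by either Alan or taken from the project's shipped config), this is the post-auth section with one branch per group and an explicit rejection when a device matches no group. VLAN 10 for staff is Alan's value; the "student" group and VLAN 20 are assumed.

```unlang
# /etc/freeradius/3.0/sites-enabled/default, post-auth section.
# Group names are matched against the 'cn' of groups the device's DN is a member of.
post-auth {
    # One if/elsif branch per LDAP group. All three Tunnel-* attributes are needed
    # for the switch to act on the VLAN; ':=' overwrites anything set earlier.
    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 10
        }
    }
    elsif (LDAP-Group == "student") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 20   # assumed VLAN for students
        }
    }
    else {
        # The MAC authenticated but belongs to no mapped group. Rejecting here keeps
        # the switch from placing an unclassified device on its default VLAN.
        update reply {
            Reply-Message := "Device is not a member of any VLAN group"
        }
        reject
    }

    # The stock post-auth entries (exec, remove_reply_message_if_eap, ...) remain below.
}
```

Run freeradius -X and authenticate a known device: the debug output for the Access-Accept should list exactly the three Tunnel-* attributes, and a device in neither group should produce an Access-Reject.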