7.13. Radius LDAP Authentication
In most cases, authenticating against an AD/LDAP requires joining the domain. This can be avoided by configuring RADIUS to perform the LDAPS authentication through the LDAP RADIUS module, provided the credentials arrive with a plain-text password.
To configure the LDAP module, you must follow these steps:
1. Configure the LDAP module /etc/raddb/mods-available/ldap with the following attributes:
    # LDAP server address
    server = '<LDAP_HOST>'
    # LDAP server port (389 for LDAP, 636 for LDAPS)
    port = <LDAP_PORT>
    # User (bind DN) used to connect to the LDAP server
    identity = '<LDAP_BIND_USER>'
    # Password of that user
    password = '<LDAP_BIND_PASSWORD>'
    # The DN from which all searches start
    base_dn = '<LDAP_BASE_DN>'
    # In the filter block use the attribute that holds the account ID:
    #   typically "uid" for a plain LDAP directory (default option)
    #   typically "sAMAccountName" for an AD
    filter = "(<ACCOUNT_ID_ATTR>=%{%{Stripped-User-Name}:-%{User-Name}})"
Note
If you plan to use LDAP for MSCHAP authentication, you will need to map an LDAP attribute to NT-Password. To do this, uncomment the control:NT-Password := 'ntPassword' line in the update section and replace the ntPassword value with the attribute name used on your LDAP.
2. Enable the LDAP module in FreeRADIUS mods-enabled:
    ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
3. Depending on the type of authentication you are performing, use one procedure or another:
3.1. Clear password authentication
Enable the LDAP module in /etc/raddb/sites-enabled/default
Uncomment the LDAP module in the “authorize” section:
    # ldap
    # if ((ok || updated) && User-Password && !control:Auth-Type) {
    #     update {
    #         control:Auth-Type := ldap
    #     }
    # }
Uncomment the LDAP module in “authenticate”:
    # Auth-Type LDAP {
    #     ldap
    # }
Note
If you do not find these lines, you may have an outdated version of the file. Make a backup of the current /etc/raddb/sites-available/default and overwrite it with: cp /etc/raddb/sites-available/default_opennac /etc/raddb/sites-available/default. Check beforehand whether the current file contains additional configuration that you will have to apply again afterwards.
3.2. 802.1x authentication using Tunneled EAP (PEAP or EAP-TTLS):
Enable the LDAP module in /etc/raddb/sites-enabled/inner-tunnel
Uncomment the LDAP module in the “authorize” section:
    # ldap
If you do not perform authentications against an AD, disable the ntlm auth error in /etc/raddb/sites-enabled/inner-tunnel by uncommenting the following lines in Auth-Type MS-CHAP:
    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap_ad_opennac {
            fail = 2
            reject = 2
        }
        if (fail || reject) {
            # Just in case AD is not configured and
            # the AD module error message can be omitted
            if (Module-Failure-Message) {
                update request {
                    Module-Failure-Message !* ANY
                }
            }
            mschap_default_opennac
        }
    }
Note
If you do not find these lines, you may have an outdated version of the file. Make a backup of the current /etc/raddb/sites-available/inner-tunnel and overwrite it with: cp /etc/raddb/sites-available/inner-tunnel_opennac /etc/raddb/sites-available/inner-tunnel. Check beforehand whether the current file contains additional configuration that you will have to apply again afterwards.
Warning
Remember that to use LDAP for MSCHAP authentication you must set control:NT-Password in order to authenticate; please check that you are setting this value in your LDAP module configuration.
4. Restart radiusd service:
    systemctl restart radiusd
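The following script is an added example for this page; it is not part of the OpenNAC documentation or of FreeRADIUS. It wraps the mechanical parts of steps 2 to 4 above with the checks an operator wants before touching a production server: the module symlink is created only if missing, a site file is replaced by its *_opennac template only when it lacks the lines the notes refer to and only after a timestamped backup, and radiusd is restarted only if radiusd -XC accepts the configuration. Every function takes the raddb directory as its first argument (assumed to be /etc/raddb in production) so the procedure can be rehearsed against a scratch copy first; the placeholder pattern and the outdated-file markers are our own choices.

```shell
#!/bin/sh
# Added example (not OpenNAC or FreeRADIUS code): the mechanical parts of
# steps 2 to 4 with the checks worth doing before touching a live radiusd.

# Step 1 sanity check (our own pattern): refuse to continue while the module
# file still carries documentation placeholders such as <LDAP_HOST>.
ldap_module_has_placeholders() {
    grep -Eq '<LDAP_[A-Z_]+>|<ACCOUNT_ID_ATTR>|LDAP_BIND_(USER|PASSWORD)' "$1/mods-available/ldap"
}

# Step 2: enable the ldap module. Idempotent, so re-running is harmless.
enable_ldap_module() {
    raddb="$1"
    [ -e "$raddb/mods-available/ldap" ] || { echo "$raddb/mods-available/ldap is missing" >&2; return 1; }
    if [ ! -L "$raddb/mods-enabled/ldap" ]; then
        ln -s "$raddb/mods-available/ldap" "$raddb/mods-enabled/ldap"
    fi
    [ -L "$raddb/mods-enabled/ldap" ]
}

# Notes in 3.1/3.2: a site file is "outdated" when it lacks the lines the page
# tells you to uncomment. The markers are strings from those blocks.
site_is_outdated() {
    case "$2" in
        default)      marker='Auth-Type LDAP' ;;
        inner-tunnel) marker='mschap_ad_opennac' ;;
        *)            return 1 ;;
    esac
    ! grep -q "$marker" "$1/sites-available/$2" 2>/dev/null
}

# Replace a site file ("default" or "inner-tunnel") with its *_opennac
# template, keeping a timestamped backup so site-specific additions in the
# old file can be re-applied afterwards.
install_opennac_site() {
    raddb="$1"
    site="$2"
    src="$raddb/sites-available/${site}_opennac"
    dst="$raddb/sites-available/$site"
    [ -f "$src" ] || { echo "template $src not found" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$src" "$dst"
}

# Step 4: "radiusd -XC -d DIR" parses the configuration and exits non-zero on
# errors, so a broken file is caught before the running service is restarted.
restart_if_valid() {
    raddb="$1"
    if ! radiusd -XC -d "$raddb" >/dev/null 2>&1; then
        echo "configuration check failed; not restarting radiusd" >&2
        return 1
    fi
    systemctl restart radiusd
}

# Whole procedure against one raddb directory (default /etc/raddb).
apply_ldap_procedure() {
    raddb="${1:-/etc/raddb}"
    if ldap_module_has_placeholders "$raddb"; then
        echo "fill in $raddb/mods-available/ldap first (step 1)" >&2
        return 1
    fi
    enable_ldap_module "$raddb" || return 1
    for site in default inner-tunnel; do
        if site_is_outdated "$raddb" "$site"; then
            install_opennac_site "$raddb" "$site" || return 1
        fi
    done
    restart_if_valid "$raddb"
}
# apply_ldap_procedure /etc/raddb
```

Run it once against a copy of /etc/raddb (for example cp -a /etc/raddb /tmp/raddb-test && apply_ldap_procedure /tmp/raddb-test) to see which files would be replaced before pointing it at the real directory; the backups it leaves next to the site files are where any site-specific additions must be recovered from.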
7.13.1. Multiple LDAP Servers
If there is more than one LDAP server that can be queried for authentication, follow these steps:
1. In /etc/raddb/mods-enabled/ldap, define all the available servers with the following format:
    ldap ldap1 {
        ...
    }
    ldap ldap2 {
        ...
    }
2. In the file /etc/raddb/sites-enabled/default, use the “redundant” statement with the LDAP servers defined above:
Note
Following on from the previous steps, replace the lines containing the “ldap” statement with the “redundant” one as follows:
    authorize {
        ...
        redundant {
            ldap1
            ldap2
        }
    }
    authenticate {
        ...
        Auth-Type LDAP {
            redundant {
                ldap1
                ldap2
            }
        }
        ...
    }
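A check worth running before restarting radiusd with a redundant block, given here as an added example that is not part of the OpenNAC documentation: every instance named inside redundant { ... } in the site file must actually be defined as ldap <name> { ... } in the module file, because FreeRADIUS refuses to start when unlang references a module instance that does not exist, and a typo such as ldap3 for ldap2 takes the whole service down. The default paths are the ones used in the steps above; both can be overridden by arguments.

```shell
#!/bin/sh
# Added example (not OpenNAC or FreeRADIUS code): cross-check the instance
# names used in redundant { ... } blocks against the definitions in the
# LDAP module file.

# Instance names defined in the module file: "ldap ldap1 {" yields ldap1,
# and the unnamed "ldap {" form counts as the instance called "ldap".
defined_ldap_instances() {
    awk '$1 == "ldap" && $2 == "{" { print "ldap" }
         $1 == "ldap" && $3 == "{" { print $2 }' "$1"
}

# Every bare word inside any redundant { ... } block of the site file.
# Brace depth is tracked so nested sub-blocks do not end the scan early.
redundant_members() {
    awk '
        /^[[:space:]]*redundant[[:space:]]*[{]/ { depth = 1; next }
        depth > 0 && /[{]/ { depth++ }
        depth > 0 && /[}]/ { depth--; next }
        depth > 0 && NF == 1 && $1 !~ /^#/ { print $1 }
    ' "$1"
}

# Exit status 0 when every referenced instance is defined, 1 otherwise;
# each missing name is reported on stderr.
check_redundant_refs() {
    mods_file="${1:-/etc/raddb/mods-enabled/ldap}"
    site_file="${2:-/etc/raddb/sites-enabled/default}"
    status=0
    for name in $(redundant_members "$site_file" | sort -u); do
        if ! defined_ldap_instances "$mods_file" | grep -qx "$name"; then
            echo "redundant block references undefined instance: $name" >&2
            status=1
        fi
    done
    return "$status"
}
# check_redundant_refs   # run with the defaults before "systemctl restart radiusd"
```

The same check applies to /etc/raddb/sites-enabled/inner-tunnel when the redundant block is used there for the tunneled EAP case: pass that file as the second argument.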