7.13. Radius LDAP Authentication

In most cases, authenticating against AD/LDAP requires joining the domain, but this can be avoided by configuring RADIUS to perform the LDAPS authentication through the FreeRADIUS LDAP module, provided the credentials arrive with a plain-text password.

To configure the LDAP module, you must follow these steps:

7.13.1. Configure and enable LDAP module

1. Configure the LDAP module in /etc/raddb/mods-available/ldap with the following attributes:

#LDAP server address
server = '<LDAP_HOST>'
#LDAP server port (389 for LDAP, 636 for LDAPS)
port = <LDAP_PORT>
#User used to bind and perform the searches
identity = '<LDAP_BIND_USER>'
#Password of that user
password = <LDAP_BIND_PASSWORD>
#The DN from which all searches start.
base_dn = '<LDAP_BASE_DN>'
#In the filter, use the attribute that holds the account ID:
# Typically "uid" for a generic LDAP (default option)
# Typically "sAMAccountName" for an AD
filter = "(<ACCOUNT_ID_ATTR>=%{%{Stripped-User-Name}:-%{User-Name}})"

Note

If you plan to use LDAP for MSCHAP authentication, you will need to map an LDAP attribute to NT-Password. To do this, uncomment the control:NT-Password := 'ntPassword' line in the update section and replace ntPassword with the attribute name used in your LDAP.

2. Enable the LDAP module in FreeRADIUS mods-enabled:

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap

7.13.2. Configure RADIUS to use LDAP Module

3. Depending on the type of authentication you are performing, follow one of the following procedures:

3.1. Clear password authentication

Enable the LDAP module in /etc/raddb/sites-enabled/default

Uncomment the LDAP module in the “authorize” section:

# ldap

3.1.1. Special case (do not apply by default): no credentials available for LDAP queries

If you do not have access to credentials to query the LDAP, you must use the LDAP bind method for authentication.

Warning

This method consists of binding to the LDAP server using the user's own credentials. Since LDAP should act as a database and not as an authentication source, this method is not recommended; it is advisable to obtain credentials that allow performing LDAP queries instead.

To configure it, edit /etc/raddb/sites-enabled/default and uncomment the following lines in “authorize”:

# if ((ok || updated) && User-Password && !control:Auth-Type) {
#     update {
#         control:Auth-Type := ldap
#     }
# }

Uncomment the LDAP module in “authenticate”:

# Auth-Type LDAP {
#   ldap
# }

Note

If you cannot find the lines above, you may have an outdated version of the configuration file. Make a backup of the current /etc/raddb/sites-available/default and overwrite it with: cp /etc/raddb/sites-available/default_opennac /etc/raddb/sites-available/default. Verify beforehand that there is no additional configuration you will need to re-apply afterwards.

3.2. 802.1X authentication using tunneled EAP (PEAP or EAP-TTLS):

Enable the LDAP module in /etc/raddb/sites-enabled/inner-tunnel.

Uncomment the LDAP module in the “authorize” section:

# ldap

If you do not authenticate against an AD, suppress the ntlm_auth error in /etc/raddb/sites-enabled/inner-tunnel by uncommenting the following lines in Auth-Type MS-CHAP:

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
        mschap_ad_opennac {
                fail = 2
                reject = 2
        }
        if (fail || reject) {
                # In case AD is not configured, the error message
                # from the AD module can be discarded
                if (Module-Failure-Message) {
                        update request {
                                Module-Failure-Message !* ANY
                        }
                }
                mschap_default_opennac
        }
}

Note

If you cannot find the lines above, you may have an outdated version of the configuration file. Make a backup of the current /etc/raddb/sites-available/inner-tunnel and overwrite it with: cp /etc/raddb/sites-available/inner-tunnel_opennac /etc/raddb/sites-available/inner-tunnel. Verify beforehand that there is no additional configuration you will need to re-apply afterwards.

Warning

Remember that to use LDAP for MSCHAP authentication you must set control:NT-Password; check that this value is being set in your LDAP module configuration.

4. Restart radiusd service:

systemctl restart radiusd
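As an added example (not part of the original documentation or of FreeRADIUS), the following Python models how the filter line from step 1 is expanded for one request: the :- operator falls back to User-Name when Stripped-User-Name is unset, and the expanded value is escaped before it is placed in the search filter, as rlm_ldap does. The strip_realm helper is a constructed stand-in for the suffix and ntdomain modules, and the exact set of characters rlm_ldap escapes is an assumption here.

```python
"""Expansion of (<ACCOUNT_ID_ATTR>=%{%{Stripped-User-Name}:-%{User-Name}}).

Added example, not part of the original page or of FreeRADIUS.
"""
from typing import Optional


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    rlm_ldap escapes %{...} expansions inside the filter in the same spirit;
    the exact character set it uses is an assumption in this example.
    """
    special = "\\*()\0"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def strip_realm(user_name: str) -> Optional[str]:
    """Constructed stand-in for the suffix (user@realm) and ntdomain
    (DOMAIN\\user) modules: return the bare user name, or None if no realm."""
    if "@" in user_name:
        return user_name.split("@", 1)[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return None


def expand_filter(attr: str, user_name: str,
                  stripped_user_name: Optional[str] = None) -> str:
    """Expand the filter template for one request.

    attr is "uid" for a generic LDAP or "sAMAccountName" for an AD, as noted
    in the module configuration. The %{X:-Y} xlat means "X if set, else Y".
    """
    value = stripped_user_name if stripped_user_name else user_name
    return "(%s=%s)" % (attr, ldap_filter_escape(value))


if __name__ == "__main__":
    # Constructed sample user names covering no realm, suffix, ntdomain
    # and a name containing characters that must be escaped.
    for name in ("alice", "alice@example.com", "CORP\\bob", "j.smith (ext)"):
        print(name, "->", expand_filter("sAMAccountName", name, strip_realm(name)))
```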

7.13.3. Multiple LDAP Servers

If there is more than one LDAP server that can be queried for authentication, follow these steps:

1. In /etc/raddb/mods-enabled/ldap, define all available servers with the following format:

ldap ldap1 {
    ...
}
ldap ldap2 {
    ...
}

2. In /etc/raddb/sites-enabled/default, use the “redundant” statement with the LDAP servers defined above:

Note

Following the previous steps, replace the lines containing the “ldap” statement with a “redundant” block as follows:

authorize {
    ...
    redundant {
        ldap1
        ldap2
    }
    ...
}

authenticate {
    ...
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
    ...
}