Setup FreeRadius Authentication with OpenLDAP

    By 2 Mins Read

    FreeRadius is an implementation of RADIUS server. Its support multiple types of authentication. This article will help you to setup freeradius authentication with OpenLDAP.

    Step 1: Setup OpenLDAP Server

    First its required to setup openldap server to complete below setup. Use below link to install it.

    Setup Openldap Server on CentOS, RHEL System

    Step 2: Install freeradius Packages

    Install all freeradius2 server packages on your system using following command.

    # yum install freeradius2 freeradius2-utils freeradius2-ldap

    Step 3: Download Schema File

    Download radius ldap schema file and copy to ldap schema directory using below commands.

    3.1 Download File

    # wget http://open.rhx.it/phamm/schema/radius.schema

    3.2 Copy file in schema directory

    # cp radius.schema /etc/openldap/schema/

    3.3 Include file in ldap configuration file /etc/openldap/slapd.conf 

    include /etc/openldap/schema/radius.schema

    Step 4: Edit Radius LDAP Files

    Edit radius ldap file /etc/raddb/modules/ldap and add below ldap server details.

    # vim /etc/raddb/modules/ldap

    ldap {
	server = "openldap.example.com"
	basedn = "dc=example,dc=com"
	identity = "cn=Manager,ou=people,dc=example,dc=com"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	start_tls = no
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	profile_attribute = "radiusprofile"
	access_attr = "uid"
	dictionary_mapping = {raddbdir}/ldap.attrmap
	ldap_connections_number = 10
	timeout = 4
	timelimit = 5
	net_timeout = 1
	set_auth_type = yes
}

    Edit /etc/freeradius/ldap.attrmap add following details.

    # vim /etc/freeradius/ldap.attrmap

    checkItem User-Password userPassword
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

    Step 5: Enable LDAP Authentication

    After updating above files, Lets enable LDAP authentication in /etc/raddb/sites-available/inner-tunnel and /etc/raddb/sites-available/default by uncomment below lines.

    Auth-Type LDAP {
       ldap
}

    Step 6: Test Setup

    Finally setup your setup by using following command

    # radtest ldapuser1 password ldap.example.com 2 testing123

Sending Access-Request of id 165 to 127.0.0.1 port 1812
User-Name = "ldapuser1"
User-Password = "password"
NAS-IP-Address = 192.168.10.50
NAS-Port = 2
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=64
Filter-Id = "Enterasys:version=1:policy=Enterprise User"

    If you get rad_recv: Access-Accept then authentication is successes.

    Congratulation’s! You have successfully configured FreeRadius authentication with OpenLDAP.

    Share.

    Related Posts

    View 7 Comments

    7 Comments

    2. Declan Markls on

      Great but it would be helpful if you showed actually adding a user to openldap. This is a section that is completely missed. I have know idea what attributes to give to a user

      Reply
    4. Alessio Trivisonno on

      You forgot to uncomment the line

      #ldap

      in /etc/freeradius/sites-available/default and /etc/freeradius/sites-available/inner-tunnel in step 5.

      Without this option set Auth-Type isn’t set to ldap and the module ldap is not called resulting in an unauthorized authentication.

      Reply
    5. Iksweet on

      thanks for nice article….one question, can i monitor my users data and internet usage by using RADIUS with LDAP? i need my users log …..please help

      Reply

    Leave A Reply