Setup FreeRadius Authentication with OpenLDAP

FreeRadius is an implementation of RADIUS server. Its support multiple types of authentication. This article will help you to setup freeradius authentication with OpenLDAP.

Step 1: Setup OpenLDAP Server

First its required to setup openldap server to complete below setup. Use below link to install it.

Setup Openldap Server on CentOS, RHEL System

Step 2: Install freeradius Packages

Install all freeradius2 server packages on your system using following command.

# yum install freeradius2 freeradius2-utils freeradius2-ldap

Step 3: Download Schema File

Download radius ldap schema file and copy to ldap schema directory using below commands.

3.1 Download File

# wget http://open.rhx.it/phamm/schema/radius.schema

3.2 Copy file in schema directory

# cp radius.schema /etc/openldap/schema/

3.3 Include file in ldap configuration file /etc/openldap/slapd.conf

include /etc/openldap/schema/radius.schema

Step 4: Edit Radius LDAP Files

Edit radius ldap file /etc/raddb/modules/ldap and add below ldap server details.

# vim /etc/raddb/modules/ldap

ldap {
	server = "openldap.example.com"
	basedn = "dc=example,dc=com"
	identity = "cn=Manager,ou=people,dc=example,dc=com"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	start_tls = no
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	profile_attribute = "radiusprofile"
	access_attr = "uid"
	dictionary_mapping = {raddbdir}/ldap.attrmap
	ldap_connections_number = 10
	timeout = 4
	timelimit = 5
	net_timeout = 1
	set_auth_type = yes
}

Edit /etc/freeradius/ldap.attrmap add following details.

# vim /etc/freeradius/ldap.attrmap

checkItem User-Password userPassword
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

Step 5: Enable LDAP Authentication

After updating above files, Lets enable LDAP authentication in /etc/raddb/sites-available/inner-tunnel and /etc/raddb/sites-available/default by uncomment below lines.

Auth-Type LDAP {
       ldap
}

Step 6: Test Setup

Finally setup your setup by using following command

# radtest ldapuser1 password ldap.example.com 2 testing123

Sending Access-Request of id 165 to 127.0.0.1 port 1812
User-Name = "ldapuser1"
User-Password = "password"
NAS-IP-Address = 192.168.10.50
NAS-Port = 2
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=64
Filter-Id = "Enterasys:version=1:policy=Enterprise User"

If you get rad_recv: Access-Accept then authentication is successes.

Congratulation’s! You have successfully configured FreeRadius authentication with OpenLDAP.

7 Comments

carlos J. on May 6, 2019 8:54 pm
You can explain the user format in ldap, so that this configuration works
Declan Markls on February 11, 2019 8:59 am
Great but it would be helpful if you showed actually adding a user to openldap. This is a section that is completely missed. I have know idea what attributes to give to a user
Anil Kumar on December 3, 2018 9:54 am
Please share the changes to be made in users.conf and clients.conf file.
Regars
Alessio Trivisonno on March 6, 2017 5:15 pm
You forgot to uncomment the line
#ldap
in /etc/freeradius/sites-available/default and /etc/freeradius/sites-available/inner-tunnel in step 5.
Without this option set Auth-Type isn’t set to ldap and the module ldap is not called resulting in an unauthorized authentication.
Iksweet on January 10, 2016 2:37 pm
thanks for nice article….one question, can i monitor my users data and internet usage by using RADIUS with LDAP? i need my users log …..please help
venky on August 25, 2015 7:02 pm
Can you help how to install on debian?
As i cannot find the package and instructions for it,
longchamp outlet on April 20, 2013 6:12 pm
You certainly have some agreeable opinions and views