Prerequisites
- An LDAP directory server (OpenLDAP here; the slapd log path under Troubleshooting assumes it)
- FreeRADIUS 3.x (the /etc/raddb layout with mods-available and sites-available)
Configure the ldap module
Create a file named ldap in /etc/raddb/mods-available with the following contents:

ldap {
    server = 'localhost'
    # Bind DN and password used for user lookups. This credential sits in
    # cleartext in the file, so keep the file readable only by root and the
    # radiusd group (see Troubleshooting).
    identity = 'cn=admin,dc=abc,dc=com'
    password = 'testpassord'
    base_dn = 'dc=abc,dc=com'

    user {
        base_dn = "${..base_dn}"
        # Look the user up by cn: the stripped name if a realm was removed,
        # otherwise the full User-Name. The module escapes the expanded value
        # before it is placed into the search filter.
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = 'sub'
    }

    group {
        base_dn = 'cn=group_xxx,ou=users,dc=abc,dc=com'
        filter = '(objectClass=groupOfUniqueNames)'
        # Membership is read from the user's memberOf attribute, which OpenLDAP
        # only populates when the memberof overlay is loaded.
        membership_attribute = 'memberOf'
        scope = 'sub'
    }
}

This binds to the plain ldap:// port on localhost. For a directory on another host use server = 'ldaps://...' or enable start_tls in a tls {} block, otherwise the admin bind password crosses the network in cleartext.
Enable the ldap module
Symlink the file into mods-enabled so the server loads it:

cd /etc/raddb/mods-enabled
ln -s ../mods-available/ldap ldap
Configure the RADIUS client
Edit /etc/raddb/clients.conf (it already exists) so that the host running radtest is an allowed client:

cd /etc/raddb
vim clients.conf

client localhost {
    ipaddr = 127.0.0.1
    proto = *
    secret = testing123
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = testing123
}

Two of these values are for loopback testing only. testing123 is the well-known default shared secret; every real NAS must get its own long random secret. require_message_authenticator = no means the server accepts Access-Requests that carry no Message-Authenticator; that attribute is the HMAC that ties a request to the shared secret, so set it to yes for every client that sends it. Packets from addresses not listed in clients.conf are silently dropped, which is why the listen block below can bind to 0.0.0.0 during testing.
Site configuration
Create a virtual server for LDAP authentication:

cd /etc/raddb/sites-available
vim ldap

server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        port = 1833
        type = auth
    }
    authorize {
        # Force every request to be authenticated by an LDAP bind.
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}

Two consequences of this minimal site are worth knowing before testing. Auth-Type ldap authenticates by binding to the directory as the user, which needs the cleartext password, so only PAP works; CHAP, MS-CHAP and EAP methods that never send the password in the clear are rejected. And because the ldap module is not called in authorize, no group lookup or attribute mapping from the directory takes place, so the group {} section of the module is unused until ldap is added to authorize.
Enable site
cd /etc/raddb/sites-enabled
ln -s ../sites-available/ldap ldap
Testing
radtest defaults to PAP, which is the only method the bind-based setup above accepts:

radtest -h
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
        -d RADIUS_DIR       Set radius directory
        -t <type>           Set authentication method
                            type can be pap, chap, mschap, or eap-md5
        -P protocol         Select udp (default) or tcp
        -x                  Enable debug output
        -4                  Use IPv4 for the NAS address (default)
        -6                  Use IPv6 for the NAS address

Authenticate test_user against the new site on port 1833 with the shared secret from clients.conf:

radtest -x test_user xxxxx localhost:1833 0 testing123
Sent Access-Request Id 30 from 0.0.0.0:53242 to 127.0.0.1:1833 length 76
        User-Name = "test_user"
        User-Password = "xxxxx"
        NAS-IP-Address = 172.18.x.x
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "xxxxxxx"
Received Access-Accept Id 30 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

An Access-Accept means the bind as test_user succeeded. An Access-Reject points at the directory side (wrong DN, wrong password, user not found by the filter); no reply at all usually means the source address is not a configured client or the shared secret does not match, both of which make the server discard the request without answering.
Troubleshooting
- RADIUS log: /var/log/radius/radius.log (or run radiusd -X in the foreground for full debug output)
- LDAP log: /var/log/slapd.log
- File permissions: the account radiusd runs as must be able to read the module file, and since the file holds the bind password nobody else should:
chown root:radiusd /etc/raddb/mods-available/ldap
chmod 640 /etc/raddb/mods-available/ldap
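A pre-flight check for the LDAP side, added here as an example (it is not part of the original write-up or of FreeRADIUS): it binds with the same identity and password the module uses and runs the same user filter through ldapsearch, so a failing radtest can be narrowed to the directory or to RADIUS. The URI, bind DN, password and base DN are assumptions copied from the module configuration above; the user name is escaped per RFC 4515 before it is spliced into the filter, which the module does on its own but a hand-built query must do itself.

```sh
#!/bin/sh
# Added example: pre-flight check for the ldap module settings above.
# Binds as the module would and runs the module's user filter via ldapsearch.
# The four values below are assumptions copied from mods-available/ldap.

LDAP_URI="ldap://localhost"        # server = 'localhost'
BIND_DN="cn=admin,dc=abc,dc=com"   # identity
BIND_PW="testpassord"              # password (keep this script 0600 for the same reason)
BASE_DN="dc=abc,dc=com"            # base_dn

# Escape a value for use inside an RFC 4515 search filter. Backslash goes
# first so the backslashes introduced by the later substitutions are not
# re-escaped. Without this, a login name such as '*)(cn=*' rewrites the query.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# Same shape as the module's user filter: (cn=%{User-Name})
user_filter() {
    printf '(cn=%s)' "$(ldap_filter_escape "$1")"
}

# Bind as the module does and look the user up, returning the DN and the
# memberOf values the group section reads. Exit status is ldapsearch's LDAP
# result code: 49 = invalid credentials for the bind DN, 32 = base_dn does
# not exist, 0 = query ran (an empty result means the filter matched nobody).
check_user() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s sub "$(user_filter "$1")" dn memberOf
}

# Usage: sh ldap_preflight.sh test_user
if [ "$#" -gt 0 ]; then
    check_user "$1"
fi
```

Run it with the same user name you pass to radtest. If ldapsearch returns the user's DN but radtest still gets an Access-Reject, the module's bind as that user (the password) is the remaining variable; if ldapsearch itself fails, fix the directory side before touching the RADIUS configuration.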