
SLES: Installing FreeRadius on SLES10 configured for eDirectory

FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that it can seem to have too many options, and unless you're a RADIUS expert, you're screwed! What I needed for a customer was a way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all! Through a great deal of research, trial and error, I came up with the following slimmed-down configuration file. Simple, Secure and Functional!

Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64

You might also want to create a link to the init.d script.

ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd

I also had some minor problems with permissions on the cert.b64 file (make sure the radiusd user and group can read the file).

If you run into any problems, just run the following command to see all the necessary troubleshooting output (note that the debug output prints request attributes, including cleartext passwords, so redact it before sharing it):

radiusd -A -X
/etc/raddb/radiusd.conf
##############################################################################
#                                                                            #
# /etc/raddb/radiusd.conf                                                    #
#                                                                            #
# Author: Bob Brandt (projects@brandt.ie)                                    #
#                                                                            #
# FreeRADIUS Redundant LDAP Configuration                                    #
#                                                                            #
##############################################################################

# Install prefix and the directory tree derived from it; everything below
# references these via ${...} so a relocated install needs a single edit.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
# radius.log receives the log_auth_* lines configured further down; keep it
# readable only by root and the radiusd group.
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid

# Unprivileged account the daemon runs as.  It must be able to read
# certs/cert.b64 (see the note above) and write to ${logdir}.
user = radiusd
group = radiusd

# Request lifetime and queue limits.  max_request_time is the total number
# of seconds a request may take before it is dropped; keep it larger than
# the per-module timeout/net_timeout values in the ldap sections so that a
# slow first server still leaves time for the second one.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

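# Listen on every interface, on the standard port taken from /etc/services
# (port = 0).  Reachability is restricted by the client {} list below (and
# ideally a host firewall), not by the bind address.
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes

# Authentication logging.  log_auth records every accept/reject with the
# user name, which is the useful audit trail.  Accepted passwords are never
# logged: with log_auth_goodpass = yes every valid password would sit in
# ${log_file} in cleartext.
log_stripped_names = yes
log_auth = yes
# Rejected passwords are frequently near-misses of real ones; leave this
# enabled only while troubleshooting and switch it off afterwards.
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = no
nospace_user = after
nospace_pass = no

checkrad = ${sbindir}/checkrad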

# SECURITY CONFIGURATION
security {
	# Upper bound on attributes per packet; packets exceeding it are
	# discarded before any processing.
	max_attributes = 200
	# Delay Access-Reject replies by one second so that repeated wrong
	# passwords against the directory are slowed down.
	reject_delay = 1
	# Answer Status-Server probes (used by NASes and monitoring to check
	# that the server is alive).
	status_server = yes
}

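# CLIENTS CONFIGURATION
# Every RADIUS client (NAS, access point, VPN concentrator) is listed with
# the network it sends from and the shared secret it uses.  Do not use
# 0.0.0.0/0: together with "bind_address = *" it lets any host that knows or
# learns the secret submit authentication requests against eDirectory via
# this server.  The address below is a constructed example from the RFC 5737
# documentation range -- replace it with the real NAS subnet, use one block
# per NAS group, and give each a distinct, long random secret.
client 192.0.2.0/24 {
	secret = companysecret
	shortname = company
}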

# THREAD POOL CONFIGURATION
# Worker threads that process requests.  Each one blocks on its LDAP call,
# so max_servers together with ldap_connections_number (5 per module below)
# bounds how many directory operations can be in flight at once.
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	# 0 = no limit on the number of requests a thread handles before exit.
	max_requests_per_server = 0
}

# LDAP Information
# Shared by both ldap modules below.  The bind password is stored here in
# cleartext, so this file must not be world-readable: owner root, group
# radiusd, mode 0640 is sufficient for the radiusd user to read it.
# Grant RadiusAdmin only the rights the modules need (read on cn,
# dialupAccess and, if password retrieval is kept, nspmPassword) rather
# than directory-wide administrative rights.
ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree"
ldap_password = thisisnottherealpassword
ldap_basedn = "o=tree"
# CA that issued the eDirectory server certificates (the Base64 export
# described above).  Required because the modules use tls_require_cert =
# "demand".
ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64"

# MODULE CONFIGURATION
# Two rlm_ldap instances that differ only in "server"; they are used as a
# fail-over pair in the authorize/authenticate/post-auth sections below.
modules {
	ldap ldap1 {	
		server = "ldap1.domain.name"
		identity = ${ldap_identity}
		password = ${ldap_password}
		basedn = ${ldap_basedn}
		# Locate the user entry by cn: Stripped-User-Name when a realm was
		# stripped, otherwise the raw User-Name.
		filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" 
		base_filter = "(objectclass=inetOrgPerson)" 

		# STARTTLS on the LDAP port, and refuse to proceed unless the server
		# certificate chains to the CA file.  Anything weaker than "demand"
		# would let an interposed LDAP server see the bind credentials.
		start_tls = yes 
		tls_cacertfile	= ${ldap_tls_cacertfile}
		tls_require_cert = "demand" 
		# Only entries carrying this attribute are allowed to authenticate.
		access_attr = "dialupAccess" 
		dictionary_mapping = ${raddbdir}/ldap.attrmap 
		ldap_connections_number = 5 
		# Reads the user's password attribute from eDirectory, which means the
		# bind account can read user passwords.  Only needed for
		# authentication types that require the cleartext password -- TODO
		# confirm which types the NASes use; drop this if bind-as-user is enough.
		password_attribute = nspmPassword
		# Seconds: LDAP operation timeout, search time limit, and network
		# (connect) timeout.  Short values keep fail-over to ldap2 quick.
		timeout = 4 
		timelimit = 3 
		net_timeout = 1 
		# Apply eDirectory account policies (such as intruder lockout) to
		# RADIUS logins as well.
		edir_account_policy_check = yes 
	}	

	ldap ldap2 {	
		# Same settings as ldap1 against the second server; keep the two
		# blocks in sync when changing either.
		server = "ldap2.domain.name"
		identity = ${ldap_identity}
		password = ${ldap_password}
		basedn = ${ldap_basedn}
		filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" 
		base_filter = "(objectclass=inetOrgPerson)" 

		start_tls = yes 
		tls_cacertfile	= ${ldap_tls_cacertfile}
		tls_require_cert = "demand" 
		access_attr = "dialupAccess" 
		dictionary_mapping = ${raddbdir}/ldap.attrmap 
		ldap_connections_number = 5 
		password_attribute = nspmPassword
		timeout = 4 
		timelimit = 3 
		net_timeout = 1 
		edir_account_policy_check = yes 
	}	
}

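# AUTHORIZATION
# "redundant" asks ldap2 only when ldap1 returns fail (for example because
# the server is unreachable).  Listing the two modules one after another
# does not give fail-over: a fail from the first module ends the section and
# the request is rejected without ldap2 ever being consulted.
authorize {
	redundant {
		ldap1
		ldap2
	}
}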

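authenticate {
	# Auth-Type LDAP is set by the ldap module during authorize when it has
	# found the user (verify the exact conditions with "radiusd -X", since
	# password_attribute changes what the module does).  The same fail-over
	# rule as in authorize applies: ldap2 is tried only if ldap1 fails.
	Auth-Type LDAP {
		redundant {
			ldap1
			ldap2
		}
	}
}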

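post-auth {
	# On a reject the ldap modules run again; this appears to be the hook
	# through which edir_account_policy_check reports the failed login to
	# eDirectory (intruder detection) -- confirm against the rlm_ldap version
	# shipped with SLES10.  Fail over to ldap2 only if ldap1 fails.
	Post-Auth-Type REJECT {
		redundant {
			ldap1
			ldap2
		}
	}
}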

References:
