<HTML>
<HEAD>
<TITLE>Radius authentication using LDAP</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.63">
<LINK REL="HOME" TITLE="LDAP Implementation HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="LDAP authentication using pam_ldap and nss_ldap" HREF="pamnss.html">
<LINK REL="NEXT" TITLE="Samba" HREF="samba.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">LDAP Implementation HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="pamnss.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="samba.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="RADIUS">3. Radius authentication using LDAP</A></H1
>
<P>A Radius server is a daemon for Un*x operating systems which allows one to set up (guess what!) a Radius protocol server, which is usually used for authentication and accounting of dial-up users. To use the server, you also need a correctly set up client which will talk to it, usually a terminal server or a PC with appropriate software which emulates it (PortSlave, radiusclient etc.). [From the FreeRADIUS FAQ]</P>
<P>Radius has its own database of users; however, since this information is already contained in LDAP, it is more convenient to use that instead.</P>
<P>There are several freeware Radius servers; the one with good LDAP support is the FreeRADIUS server (<A HREF="http://www.freeradius.org" TARGET="_top">http://www.freeradius.org</A>). It is still a development version, but the LDAP module works fine.</P>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN352">3.1. FreeRadius Radiusd configuration</A></H2>
<P>Once you have installed the server you have to configure it using the configuration files, which are located under <TT CLASS="FILENAME">/etc/raddb</TT> (or <TT CLASS="FILENAME">/usr/local/etc/raddb</TT>).</P>
<P>In the <TT CLASS="FILENAME">radiusd.conf</TT> file, edit:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">[...omissis]
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
# Also uncomment it in the authenticate{} block below
ldap {
        server = ldap.yourorg.com
        #login = "cn=admin,o=My Org,c=US"
        #password = mypass
        basedn = "ou=users,dc=yourorg,dc=com"
        # A complete LDAP search filter: the object class AND the user name
        # (%u is replaced with the User-Name of the request)
        filter = "(&amp;(objectClass=posixAccount)(uid=%u))"
}

[...omissis]

# Authentication types, Auth-Type = System and PAM for now.
authenticate {
        pam
        unix
#       sql
#       sql2
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
        ldap
}
[...omissis]</PRE></TD></TR></TABLE></P>
<P>Also edit the <TT CLASS="FILENAME">dictionary</TT> file:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">[...omissis]
#
#       Non-Protocol Integer Translations
#

VALUE           Auth-Type       Local           0
VALUE           Auth-Type       System          1
VALUE           Auth-Type       SecurID         2
VALUE           Auth-Type       Crypt-Local     3
VALUE           Auth-Type       Reject          4
VALUE           Auth-Type       ActivCard       4
VALUE           Auth-Type       LDAP            5
[...omissis]</PRE></TD></TR></TABLE></P>
<P>And the <TT CLASS="FILENAME">users</TT> file, to have a default authorization entry:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">[...omissis]
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
[...omissis]</PRE></TD></TR></TABLE></P>
<P>If you have already set up an LDAP server for Un*x account management, this is enough.</P>
<P>On the LDAP server, also ensure that the Radius server can read all the posixAccount attributes (especially <TT CLASS="FILENAME">uid</TT> and <TT CLASS="FILENAME">userpassword</TT>).</P
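>
<P>The <TT CLASS="FILENAME">filter</TT> line above substitutes the request's User-Name for <TT CLASS="FILENAME">%u</TT>, so the name ends up inside an RFC 4515 assertion value. The following is an added example, not FreeRADIUS code: <TT CLASS="FILENAME">FILTER_TEMPLATE</TT> copies the filter shown above, and the helper names and sample user names are assumptions of this example. It shows the escaping that substitution has to apply and why: a name containing one of <TT CLASS="FILENAME">( ) * \</TT> dropped in verbatim produces a malformed filter, the LDAP server rejects the search, and that user cannot authenticate.</P>

```python
"""Escaping a RADIUS User-Name before it is substituted for %u in an LDAP search
filter. Added example, not FreeRADIUS code: FILTER_TEMPLATE copies the filter from
the radiusd.conf listing; the helpers and sample names are assumptions."""

FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid=%u))"

# Characters with special meaning inside an RFC 4515 assertion value and their
# \XX hex escapes (raw strings: "\2a" would be an octal escape in Python).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value as RFC 4515 section 3 requires."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """What the LDAP server does with the escaped value: backslash plus two hex
    digits becomes one character. A malformed escape raises ValueError."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_filter(template: str, user_name: str, escape: bool = True) -> str:
    """Substitute the user name for %u, escaping it unless told otherwise.
    escape=False exists only to show what an unescaped name does to the filter."""
    value = escape_filter_value(user_name) if escape else user_name
    return template.replace("%u", value)


def is_well_formed(filter_string: str) -> bool:
    """Structural check an LDAP server would fail on: the filter starts with '(',
    parentheses outside escapes balance, depth never goes negative, and the
    outermost group closes exactly at the end of the string."""
    if not filter_string.startswith("("):
        return False
    depth, i = 0, 0
    while i < len(filter_string):
        ch = filter_string[i]
        if ch == "\\":  # skip the two hex digits of an escape
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filter_string) - 1):
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    for name in ("alice", "smith)", "o*neil"):
        print(name, "->", build_filter(FILTER_TEMPLATE, name))
```

<P><TT CLASS="FILENAME">is_well_formed</TT> is only a structural check; the authoritative escaping is whatever the Radius server's LDAP module applies when it expands <TT CLASS="FILENAME">%u</TT>, and running a user list through the check is a quick way to find names that would break the filter if that escaping were missing.</P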
>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN373">3.2. Testing Radius Authentication</A></H2>
<P>To test everything, start the <TT CLASS="FILENAME">radiusd</TT> server in debugging mode:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">/usr/local/sbin/radiusd -X -A</PRE></TD></TR></TABLE></P>
<P>Then use the <TT CLASS="FILENAME">radtest</TT> program with a syntax like:</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">radtest username "password" radius.yourorg.com 1 testing123</PRE></TD></TR></TABLE></P>
<P>If everything went fine you should receive an Access-Accept packet from the Radius server.</P
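>
<P>The <TT CLASS="FILENAME">radtest</TT> line above sends an Access-Request carrying User-Name, a PAP-hidden User-Password and NAS-Port 1, protected by the shared secret (<TT CLASS="FILENAME">testing123</TT>), and the Access-Accept it hopes for carries a Response Authenticator computed with the same secret. The following is an added example, not FreeRADIUS or radtest code: it builds both sides of that exchange in Python and verifies the reply. <TT CLASS="FILENAME">DIRECTORY</TT> is a constructed stand-in for the LDAP lookup, and the packet identifier 42 and the sample credentials are assumptions of this example.</P>

```python
"""A RADIUS Access-Request / Access-Accept exchange over PAP (RFC 2865), the
packets radtest and the server exchange. Added example, not FreeRADIUS or radtest
code: DIRECTORY is a constructed stand-in for the LDAP lookup, the identifier and
sample credentials are assumptions, "testing123" is the secret from the radtest line."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet authenticator follows
DIRECTORY = {"username": "password"}  # constructed stand-in for the directory: uid -> password


def _pap_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous hidden
    block), the Request Authenticator standing in for the block before the first."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # chain on the hidden form either way
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: NUL-pad to a multiple of 16 octets (at least one block) and hide."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    return _pap_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    return _pap_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts its own two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list, rejecting a length that runs past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_port: int = 1, authenticator: bytes = None) -> bytes:
    """Client side, what radtest sends; the authenticator is 16 random octets."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server side; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = HEADER.pack(code, ident, 20)  # this reply carries no attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Identifier matches the request and its
    Response Authenticator is right under the shared secret (constant-time compare)."""
    if len(response) < 20:
        return False
    _, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_access_request(request: bytes, secret: bytes) -> bytes:
    """Server side: recover the password and compare it with the directory entry."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(request[20:])
    stored = DIRECTORY.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if stored is not None and USER_PASSWORD in attrs:
        given = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
        ok = hmac.compare_digest(stored.encode(), given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request[4:20], secret)


def run_exchange(user: str, password: str, secret: bytes, server_secret: bytes = None) -> str:
    """Full round trip; returns the reply's code name, or "invalid" when the reply does
    not verify, for instance because the two sides disagree on the shared secret."""
    request = build_access_request(42, user, password, secret)  # 42: assumed identifier
    response = handle_access_request(request, server_secret or secret)
    return CODE_NAMES[response[0]] if verify_response(response, request, secret) else "invalid"
```

<P>Two things the exchange makes visible when debugging with <TT CLASS="FILENAME">radiusd -X</TT>: a client only trusts a reply whose Response Authenticator verifies under its own secret, so a secret mismatch between the test client and the server's client configuration shows up as a reply that does not verify rather than as an Access-Reject; and the User-Password hiding is an MD5 keystream derived from a static shared secret (RFC 2865 section 5.2), not a modern cipher, so the strength of that secret matters and a secret typed on the <TT CLASS="FILENAME">radtest</TT> command line is visible to other users of the machine in the process list.</P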
>
<P>You can also use stunnel in client mode to provide SSL for the connection between the Radius server and the LDAPS server. For details on SSL refer to <A HREF="ssl.html">Section 10</A>.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN386">3.3. Sample CISCO IOS Configuration</A></H2>
<P>Just for completeness, here is a sample Cisco IOS configuration. However, this is outside the scope of the HOWTO, so it may not suit your needs.</P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">[...omissis]
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
[...omissis]
radius-server host 192.168.10.1
radius-server timeout 10
radius-server key cisco
[...omissis]</PRE></TD></TR></TABLE></P>
<DIV CLASS="NOTE"><BLOCKQUOTE CLASS="NOTE"><P><B>Note: </B>Almost all NAS use port 1645 for Radius; check which port yours uses and configure the server accordingly.</P></BLOCKQUOTE></DIV>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="pamnss.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="samba.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">LDAP authentication using pam_ldap and nss_ldap</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top">&nbsp;</TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Samba</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>