dlietz

FreeRadius eDirectory integration help

I'm trying to get freeradius/eDirectory/802.11 authentication working for an educational wireless environment and need some assistance. I'm working with SLES11sp1/OES11 and FreeRadius rpm version 2.1.1-7.12.1. I'm using a couple of HP MSM422 WAPs but the majority of the WAPs are Ruckus, with a ZoneDirector 3000. My goal is to provide private wireless networks that require user authentication and either place students and staff on different wireless VLANs or return group membership to our firewall to differentiate web content filtering.

I used this document for my initial config: https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadmin.pdf.

Right now all I've been trying to do is get a user to authenticate and connect via 802.1x.

Here's what I have so far:

ldap file:

ldap {
    server = "server.org.dom"
    identity = "cn=freeRadius,o=ORG"
    password = freeradiuspassword
    basedn = "o=ORG"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = yes
        cacertfile = /home/freeRadius/rootcert.pem
        require_cert = "demand"
    }
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    password_attribute = nspmPassword
    edir_account_policy_check = yes
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    groupmembership_attribute = StaffMember
    access_attr_used_for_allow = yes
}


users file:

DEFAULT Ldap-Group == "cn=StaffMember,o=ORG"
    Reply-Message = "you have been authenticated",
    Auth-Type := Accept,
    Fall-Through = No

eap.conf:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = radiuskeypass
        private_key_file = ${certdir}/srvcert.pem
        certificate_file = ${certdir}/srvcert.pem
        CA_file = ${cadir}/rootcert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

If there are other relevant config files that someone would like to see, please let me know.

I have an HP MSM422 WAP configured with encryption set to WPA2/AES and Radius authentication. Here is an example of the radiusd debug output:

rad_recv: Access-Request packet from host 192.168.3.30 port 32772, id=99, length=363
        Acct-Session-Id = "e13821b5-00000064"
        NAS-Port = 101
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AA111BBB2C"
        NAS-IP-Address = 192.168.3.30
        Framed-MTU = 1496
        User-Name = "UserA"
        Calling-Station-Id = "00-16-6F-88-18-24"
        Called-Station-Id = "00-0F-61-BA-BD-81"
        Service-Type = Framed-User
        EAP-Message = 0x021100591900170301004e93d1a95094e0e72278daeaf9b98be33d70ec4166833a31bad41f906acf7e963b4a3d4ba8febaea641f9c6d1df82c684565611b90ad91067c64cab7091cbea452997272c85911c9c89c88a87e3cb4
        State = 0x34f61f0833e706a7c3ad30034d6ab423
        Colubris-AVPair = "ssid=PrivateSSID"
        Colubris-AVPair = "incoming-vlan-id=10"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0xc67b3addfed486fb5b2822bbbc5f0706
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
        EAP-Message = 0x021100421a0211003d3117c29ec2260e40cf8966bf3d774edf19000000000000000025114d54fd90897f6e1e377172baef7c6ad9b514c3dde99a006861736c657474
server (null) {
PEAP: Setting User-Name to UserA
Sending tunneled request
        EAP-Message = 0x021100421a0211003d3117c29ec2260e40cf8966bf3d774edf19000000000000000025114d54fd90897f6e1e377172baef7c6ad9b514c3dde99a006861736c657474
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "UserA"
        State = 0xf3999ba6f388814c9ebc43799ca87859
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=ORG -> o=ORG
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=UserA)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=ORG, with filter (uid=UserA)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dUserA\2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dUserA\2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=StaffMember,o=ORG, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dUserA\2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dUserA\2cou\3dADM\2cou\3dCE\2cou\3dAD\2co\3dORG)))
rlm_ldap::ldap_groupcmp: User found in group cn=StaffMember,o=ORG
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 214
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [UserA/<via Auth-Type = EAP>] (from client comedwap port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        Reply-Message = "you have been authenticated"
        Auth-Type := Accept
        MS-CHAP-Error = "\021E=691 R=1"
        EAP-Message = 0x04110004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        Reply-Message = "you have been authenticated"
        Auth-Type := Accept
        MS-CHAP-Error = "\021E=691 R=1"
        EAP-Message = 0x04110004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 99 to 192.168.3.30 port 32772
        EAP-Message = 0x011200261900170301001b772c2f752dcc139cf4e8758b8cedb4dc0d1061a21a270b11564673
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x34f61f083ce406a7c3ad30034d6ab423
Finished request 26.
Going to the next request



Thanks for any assistance.
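The groupmembership_filter expansion visible in the debug output above (cn\3dUserA\2cou\3dADM...) is rlm_ldap hex-escaping the user DN before splicing it into the search filter, so that whatever it substitutes can only ever be matched as a literal value. The following Python example is added here and is not code from the original post or from FreeRADIUS: it reproduces that expansion for the two filters in the ldap file so the escaping can be checked offline. The escape_filter_value and expand functions and the strict flag are my own, the nested %{Stripped-User-Name:-%{User-Name}} form is simplified to a plain %{User-Name}, and the sample DN and user names are constructed from values quoted in this post.

```python
import re

# The two filter templates from the ldap module configuration in this post.
USER_FILTER = "(uid=%{User-Name})"
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")

# RFC 4515 requires these to be escaped inside a filter value. The radiusd -X
# output in this post shows rlm_ldap also hex-escaping '=' and ',' when it
# expands a DN; escaping more than the minimum is equally valid.
MUST_ESCAPE = {"*", "(", ")", "\\", "\x00"}
SAFE_EXTRA = {" ", "-", "_", "."}


def escape_filter_value(value, strict=False):
    """Hex-escape a value that is about to be spliced into an LDAP filter.

    strict=False escapes only the RFC 4515 set; strict=True escapes every
    character that is not alphanumeric or in SAFE_EXTRA, which reproduces the
    form seen in the radiusd debug output (assumption: a model, not rlm_ldap's code).
    """
    out = []
    for ch in value:
        if ch in MUST_ESCAPE or (strict and not (ch.isalnum() or ch in SAFE_EXTRA)):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand(template, attrs, strict=False):
    """Replace each %{name} in template with the escaped value from attrs.

    Only the simple %{name} form is handled; FreeRADIUS's expansion language
    (conditional ':-' defaults, nesting) is richer than this.
    """
    def substitute(match):
        return escape_filter_value(attrs[match.group(1)], strict)
    return re.sub(r"%\{([^{}]+)\}", substitute, template)


if __name__ == "__main__":
    # Constructed values taken from the debug output in this post.
    user_dn = "cn=UserA,ou=ADM,ou=CE,ou=AD,o=ORG"
    print(expand(USER_FILTER, {"User-Name": "UserA"}))
    print(expand(GROUP_FILTER, {"control:Ldap-UserDn": user_dn}, strict=True))
    # A User-Name of "*" must stay a literal "\2a", not become a wildcard.
    print(expand(USER_FILTER, {"User-Name": "*"}))
```

With strict=True the group filter comes out byte for byte as the `[files] expand:` line in the debug output above. The point for anyone writing their own unlang expansions into an LDAP filter is the last call: an unescaped `*` in User-Name would turn `(uid=UserA)` into a filter that matches every entry under basedn, and the module's escaping is what prevents that.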
gleach1

Re: FreeRadius eDirectory integration help

Have you created your radius groups in eDirectory using the iManager plugin?

Have you set up Universal Password? I believe radius requires this if you are following the PDF - from my experience anyway...

Those cleartext password messages sound to me like Universal Password is possibly not configured.

dlietz

Re: FreeRadius eDirectory integration help

I've tried using radius groups, but they are not affecting the members with the attributes I change so right now I'm changing attributes just on the one user.

Yes, Universal Password is set up.

gleach1;2241984 wrote:
have you created your radius groups in edirectory using the imanager plugin?

have you set up universal password as I believe radius requires this if you are following the PDF - from my experience anyway...


those cleartext password messages sound like possibly universal password is not configured to me
warper2

Re: FreeRadius eDirectory integration help

dlietz wrote:

>
> I've tried using radius groups, but they are not affecting the members
> with the attributes I change so right now I'm changing attributes just
> on the one user.
>
> Yes, Universal Password is set up.
>
> gleach1;2241984 Wrote:
>> have you created your radius groups in edirectory using the imanager
>> plugin?
>>
>> have you set up universal password as I believe radius requires this if
>> you are following the PDF - from my experience anyway...
>>
>>
>> those cleartext password messages sound like possibly universal
>> password is not configured to me

>
>


I have yet to get it to work reliably with SLES11/freeradius 2.x. I have it
running Sles10 SP4/freeradius 1.x I have set up several that way. I doubt
edit is the issue. Learn to use ndstrace with nmas and ldap turned on.


dlietz

Re: FreeRadius eDirectory integration help

Here is output from ndstrace with ldap and nmas turned on - I never see any ldap in the trace, only nmas:

NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
Server: server
NDSTrace:

Can you give me sample config for a working setup in SLES10sp4 and freeradius 1.x? Are there any differences compared to what I have listed?

Thanks.

Dan

warper2;2242310 wrote:
dlietz wrote:


I have yet to get it to work reliably with SLES11/freeradius 2.x. I have it
running Sles10 SP4/freeradius 1.x I have set up several that way. I doubt
edit is the issue. Learn to use ndstrace with nmas and ldap turned on.
warper2

Re: FreeRadius eDirectory integration help

dlietz wrote:

>
> Here is output from ndstrace with ldap and nmas turned on - I never see
> any ldap in the trace, only nmas:
>
> NMAS Audit with Audit PA not installed
> NMAS Audit with XDAS not installed
> Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
> NMAS Audit with Audit PA not installed
> NMAS Audit with XDAS not installed
> Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
> NMAS Audit with Audit PA not installed
> NMAS Audit with XDAS not installed
> Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
> NMAS Audit with Audit PA not installed
> NMAS Audit with XDAS not installed
> Successful get password for CN=UserA.OU=ADM.OU=CE.OU=AD.O=ORG
> Server: server
> NDSTrace:
>
> Can you give me sample config for a working setup in SLES10sp4 and
> freeradius 1.x? Are there any differences compared to what I have
> listed?
>
> Thanks.
>
> Dan
>
> warper2;2242310 Wrote:
>> dlietz wrote:
>>
>>
>> I have yet to get it to work reliably with SLES11/freeradius 2.x. I
>> have it
>> running Sles10 SP4/freeradius 1.x I have set up several that way. I
>> doubt
>> edit is the issue. Learn to use ndstrace with nmas and ldap turned on.

>
>


How about this link? Does it help?

https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/front.html
dlietz

Re: FreeRadius eDirectory integration help

I think that is the same document I referenced in my OP, so it is what I used initially. Problem is that it does not explain leveraging group membership for authorization and that's what I'm trying to accomplish. I can use the access_attr and that works, but I'm thinking it only provides authentication and not authorization.

Thanks for the assistance.

Dan
simonpalmer123

Re: FreeRadius eDirectory integration help

dlietz;2245078 wrote:
I think that is the same document I referenced in my OP, so it is what I used initially. Problem is that it does not explain leveraging group membership for authorization and that's what I'm trying to accomplish. I can use the access_attr and that works, but I'm thinking it only provides authentication and not authorization.

Thanks for the assistance.

Dan


Did you get group membership to work? I've not tried it.

If you didn't fix this, it looks from the debug that your auth user
identity = "cn=freeRadius,o=ORG"
needs
"Allow the following to retrieve passwords"
in the password policy> configuration options?

Here's my FR2 ldap file:
ldap {
    server = "myldapserver"
    port = 636
    identity = "cn=specialproxyuser,o=org"
    password = "password"
    basedn = "O=org"
    filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
    # Our ldap filter is for username OR email address for eduroam
    base_filter = "(objectclass=radiusprofile)"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        tls_mode = yes
        require_cert = "never"
        # never just for testing
    }
    access_attr = "dialupAccess"
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = nspmPassword
    edir_account_policy_check = no
    # I can't remember why we switched this back to no. There was a problem.
}

We then use the following line in ldap.attrmap and put a VLAN id on every user with IDM:

replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

The LDAP-Group post-auth bit in modules/Rlm_ldap looks neat too.
Si
dlietz

Re: FreeRadius eDirectory integration help

OK, so I started from scratch, following the instructions here: https://www.netiq.com/documentation/edir_radius/

I extracted the self-signed certificate of the eDir certificate authority server in Base 64 format per the prerequisites. I also made two other changes based on reading this: Support | Setting up FreeRADIUS and eDirectory for 802.1X Authentication. I changed the port to 636 as you show in your example and changed tls_mode = yes.

Now when I use radtest I get the following result:

rad_recv: Access-Request packet from host 127.0.0.1 port 49351, id=48, length=59
User-Name = "UserA"
User-Password = "userpassword"
NAS-IP-Address = 127.0.0.2
NAS-Port = 1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "UserA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for UserA
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=UserA)
[ldap] expand: o=ORG -> o=ORG
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to server.org.dom:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /home/freeRadius/cert.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed


So now I'm wondering if I have a cert problem...

Ideas? I extracted the root cert of the CA without a private key in b64 format to create the cert used. It is owned by the user freeradius and is placed in that user's home directory so he should be able to read it without difficulty.
dlietz

Re: FreeRadius eDirectory integration help

Since I can't edit this, please disregard this post.
dlietz

Re: FreeRadius eDirectory integration help

When I modify my ldap file to match yours - specifically when I change to port 636, remove start_tls = yes and add tls_mode = yes radtest works, but when I attempt to log in from a workstation it prompts me for user and password but fails to connect with this error:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE


If I turn on ldap in /etc/raddb/sites-available/inner-tunnel I get a little farther, but it still fails:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.


simonpalmer123;2247295 wrote:
Did you get group membership to work? I've not tried it.

If you didn't fix this, it looks from the debug that your auth user
identity = "cn=freeRadius,o=ORG"
needs
"Allow the following to retrieve passwords"
in the password policy> configuration options?

Here's my FR2 ldap file:
ldap {
    server = "myldapserver"
    port = 636
    identity = "cn=specialproxyuser,o=org"
    password = "password"
    basedn = "O=org"
    filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
    # Our ldap filter is for username OR email address for eduroam
    base_filter = "(objectclass=radiusprofile)"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        tls_mode = yes
        require_cert = "never"
        # never just for testing
    }
    access_attr = "dialupAccess"
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = nspmPassword
    edir_account_policy_check = no
    # I can't remember why we switched this back to no. There was a problem.
}

We then use the following line in ldap.attrmap and put a VLAN id on every user with IDM:

replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

The LDAP-Group post-auth bit in modules/Rlm_ldap looks neat too.
Si
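Both inner-tunnel traces in this post, and the one in the original post, fail inside [mschap], and the debug lines state the reason precisely: in the first trace no password attribute reached the module at all, in the second a password was present but the MS-CHAPv2 response did not match it, and the earlier radtest run failed before any of that in StartTLS. The following Python example is added here and is not part of the thread or of FreeRADIUS: it classifies a radiusd -X transcript by those signatures so the three cases are told apart mechanically. The triage function, its finding codes and explanations are my own, and the sample transcripts are constructed from lines quoted in this thread.

```python
import re

# Constructed sample transcripts: radiusd -X lines quoted in this thread,
# with the rest of each request left out.
NO_PASSWORD = """\
rlm_ldap::ldap_groupcmp: User found in group cn=StaffMember,o=ORG
[files] users: Matched entry DEFAULT at line 214
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[peap] Got tunneled reply code 3
\tReply-Message = "you have been authenticated"
\tAuth-Type := Accept
\tMS-CHAP-Error = "\\021E=691 R=1"
""".splitlines()

MISMATCH = """\
[mschap] Told to do MS-CHAPv2 for UserA with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
""".splitlines()

STARTTLS = """\
rlm_ldap: (re)connect to server.org.dom:636, authentication 0
rlm_ldap: starting TLS
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed
""".splitlines()

# Finding code -> meaning, written from what this thread shows.
EXPLANATIONS = {
    "LDAP_STARTTLS_FAILED":
        "rlm_ldap could not negotiate StartTLS; in this thread it cleared up after "
        "switching to port 636 with tls_mode = yes instead of start_tls = yes.",
    "MSCHAP_NO_PASSWORD":
        "No Cleartext-Password/NT-Password reached rlm_mschap: the ldap module is "
        "not run in the inner-tunnel authorize section, or the nspmPassword "
        "attribute was not returned to the bind identity (password policy rights).",
    "MSCHAP_RESPONSE_MISMATCH":
        "A password was available but the MS-CHAPv2 response did not match it: "
        "wrong password entered, or the retrieved value is not the user's current one.",
    "LDAP_GROUP_MATCHED":
        "The Ldap-Group comparison succeeded; group lookup itself is working.",
    "AUTH_TYPE_IN_REPLY":
        "Auth-Type appears in the tunneled reply list, so it was written on an "
        "indented (reply-item) line of the users entry; check items belong on the "
        "entry's first line, and here it never influenced authentication.",
}


def triage(lines):
    """Return the finding codes present in a list of radiusd -X lines."""
    text = "\n".join(lines)
    findings = []
    if "could not start TLS" in text:
        findings.append("LDAP_STARTTLS_FAILED")
    no_password = ("No Cleartext-Password configured" in text
                   and "No NT/LM-Password" in text)
    told = re.search(r"\[mschap\] Told to do MS-CHAPv2 for (\S+) with NT-Password", text)
    if no_password:
        findings.append("MSCHAP_NO_PASSWORD")
    elif told and "MS-CHAP2-Response is incorrect" in text:
        findings.append("MSCHAP_RESPONSE_MISMATCH")
    if "ldap_groupcmp: User found in group" in text:
        findings.append("LDAP_GROUP_MATCHED")
    # Indented attribute lines directly after "Got tunneled reply" are the
    # inner-tunnel's reply list.
    in_reply = False
    for line in lines:
        if "Got tunneled reply" in line:
            in_reply = True
            continue
        if in_reply and line[:1] in (" ", "\t"):
            if line.strip().startswith("Auth-Type") and "AUTH_TYPE_IN_REPLY" not in findings:
                findings.append("AUTH_TYPE_IN_REPLY")
        else:
            in_reply = False
    return findings


def report(lines):
    """Human-readable explanation for each finding, in detection order."""
    return [EXPLANATIONS[code] for code in triage(lines)]


if __name__ == "__main__":
    for name, sample in (("no password", NO_PASSWORD), ("mismatch", MISMATCH),
                         ("starttls", STARTTLS)):
        print(name, "->", triage(sample))
```

Run against a full `radiusd -X` capture, the interesting output is the combination: LDAP_GROUP_MATCHED together with MSCHAP_NO_PASSWORD is exactly the original post's situation, where the files module's Ldap-Group check reached eDirectory but the ldap module itself never ran inside inner-tunnel, so no password attribute was ever added to the request.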
igortolk

Re: FreeRadius eDirectory integration help

Hi
I'm currently also going through freeRadius/eDirectory integration.
I plan to set up EAP-PEAP MSCHAP2 for Windows users (the only available EAP option), thus MSCHAP2 is a MUST requirement for freeRadius/eDirectory to handle.

The questions are: Is it possible to implement?
If yes, do I have to go through installing RADIUS plugin from iManager?
Does the eDirectory schema have to be extended?
Does the Radius have to extract clear-text password from eDirectory (in extended schema attributes), in order to make it work with MSCHAP2?
simonpalmer123

Re: FreeRadius eDirectory integration help

Hi, yes, we use freeradius 2, EAP-PEAP, MSCHAPv2 against eDir. You don't need to use the RADIUS plugin unless you want to. Depends what you want to set and how. We use IDM or LDIF scripts to set everything, and not the RADIUS plugin.
Schema: if you use the access_attr = "dialupAccess" bit in the ldap module, you need the schema extension. If you don't care that you enable everyone, or have another way of checking (use the ldap filter), then I don't believe you need the schema extensions. We extended ours and use the radiustunnelprivategroupID attribute too, but no reason why you can't use another attribute for that. You can map things in freeradius.
Clear-text - yes unfortunately, unless you have DSFW and query it like you would AD.
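The "Cannot create NT-Password" lines earlier in the thread and the clear-text answer above come from the same fact: MS-CHAPv2 verifies the client's response against NT-Password, the MD4 digest of the UTF-16LE encoding of the password, so rlm_mschap either needs an NT-Password attribute directly or derives one from Cleartext-Password, which is why the nspmPassword retrieval has to work. The following Python example is added here and is not code from the thread or from FreeRADIUS: it computes NT-Password from a clear-text value and mirrors the password-source decision the debug lines document. md4 is a plain RFC 1320 implementation (hashlib's md4 is unavailable under OpenSSL 3 without the legacy provider), nt_password and password_source are my own names, the 0x-prefixed NT-Password form is an assumption, and the sample password is constructed.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python so it runs without OpenSSL's legacy provider)."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (round function, additive constant, message-word order, shift schedule)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], [3, 7, 11, 19]),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[w] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step updates old d
        h = [(v + r) & _MASK for v, r in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password(cleartext: str) -> bytes:
    """NT-Password as MS-CHAPv2 (RFC 2759 NtPasswordHash) defines it."""
    return md4(cleartext.encode("utf-16-le"))


def password_source(control: dict):
    """Simplified model of the decision the [mschap] debug lines show: use
    NT-Password if present, else derive it from Cleartext-Password, else there
    is nothing to verify against ('FAILED: No NT/LM-Password')."""
    if "NT-Password" in control:
        raw = control["NT-Password"]
        return "NT-Password", bytes.fromhex(raw[2:] if raw.startswith("0x") else raw)
    if "Cleartext-Password" in control:
        return "Cleartext-Password", nt_password(control["Cleartext-Password"])
    return None, None


if __name__ == "__main__":
    # Constructed sample: what rlm_ldap would add once nspmPassword is mapped.
    print(nt_password("password").hex())
    print(password_source({"Cleartext-Password": "password"}))
    print(password_source({}))   # the original post's situation
```

Two consequences for the deployment in this thread follow from the code rather than from any configuration detail. First, NT-Password is an unsalted digest of the password alone, so the value is as sensitive as the clear-text password it stands for; the bind identity that is allowed to retrieve passwords, and the TLS path over which nspmPassword travels, deserve the same protection as the password store itself. Second, nothing in MS-CHAPv2 can work from a one-way hashed or policy-protected password, which is why the clear-text retrieval right, not a schema extension, is the actual prerequisite.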
simonpalmer123

Re: FreeRadius eDirectory integration help

Clear-text. On this topic, you could probably choose another non-secure LDAP attribute as a password, something like a pin number, just for wifi, that doesn't change. Password changes are one of the biggest problems with mobile devices.
igortolk

Re: FreeRadius eDirectory integration help

Hi,
The WiFi system is EDUROAM, so the requirement is to enable users to use their eDir password; therefore I believe a clear-text password is the only way to make it work with MSCHAPv2.

I would appreciate any suggestions on how to configure eDirectory to include the clear-text password in replies to freeRadius requests.

Thanks