gleach1

freeRadius with edir group authentication

Hi all,
I have set up freeRadius with edir a couple of times now, but am looking to try and streamline the process with less fiddling with individual accounts.

I'd like to configure freeRadius for either of the following:

Authentication based on group membership in eDir, or have the profile setting that I create actually apply to the users that I assign the profile to

Previously I've had to assign the settings to each user manually (e.g. dialupAccess) even though it's in the profile.

I've looked at TID 3002371 and it hasn't helped me at all

If I remove the access_attr_used_for_allow = yes and access_attr = "dialupAccess" lines from the radius.conf file, then any user can use radius, which is ok, but I would much prefer radius to either use the settings in the profile like I would expect it to, or use the group membership to work out who can have radius access.

As a test I've added the following lines to the users file:

DEFAULT Ldap-Group == "test", Auth-Type = LDAP
    Fall-Through = 0

DEFAULT Auth-Type = Reject
    Fall-Through = 1

And here's the LDAP portion of the radius.conf file:

ldap {
server = "192.168.93.10"
identity = "cn=admin,o=cluster"
password = somepassword
basedn = "o=cluster"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
port = 636
# base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 636) connections
start_tls = no

tls_cacertfile = /etc/raddb/cert.b64
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
tls_require_cert = "demand"

default_profile = "cn=radius,o=cluster"
profile_attribute = "cn=radius,o=cluster"
access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
edir_account_policy_check=yes
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
access_attr_used_for_allow = yes

#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
}

19 Replies
Knowledge Partner

Re: freeRadius with edir group authentication

I've got it working with just group membership (not using any of the RADIUS attributes). So like, if the user is not in group=blah, then they don't get in.

Is that what you want to accomplish?

If so, I'll dig up my docs and post the section here. It was quite an ordeal to get it going, but I finally did manage to get it to work.
gleach1

Re: freeRadius with edir group authentication

Hi kjhurni,
Yes, that's what I'm after.

If they're a member of a certain group they get wireless access, otherwise they get nothing.

I'm sure it can't be as much of an ordeal as getting EAP / freeradius to work in the first place... for me that was a lot of messing around, so much so that I made a doc with each step of my own to do it...

Knowledge Partner

Re: freeRadius with edir group authentication

I THINK this is what I changed in my radiusd.conf in the ldap { section:

#
groupname_attribute = cn
#groupmembership_filter = "(member=%{Ldap-UserDn})"
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
groupmembership_attribute = VPN-RAS-access-group
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
access_attr_used_for_allow = yes


Then I also had to modify the users file to contain this:

DEFAULT Ldap-Group == "cn=VPN-RAS-access-group,o=ABC", Auth-Type := LDAP
    Fall-Through = 0

DEFAULT Auth-Type = REJECT
    Fall-Through = 1
gleach1
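As an added illustration, not code from this thread or from FreeRADIUS itself: a small Python model of how the files module walks the two DEFAULT entries kjhurni posted above, covering the Ldap-Group check item, Fall-Through, and the "=" versus ":=" operators on Auth-Type as documented in users(5). It assumes that "=" sets a control item only while it is still unset and ":=" always replaces it, and it uses a preset Auth-Type to stand in for rlm_ldap having run before files in the authorize section with set_auth_type = yes.

```python
import re
# Constructed simulation (not FreeRADIUS code) of the "users" file logic in
# this thread: ordered DEFAULT entries, an Ldap-Group check, Fall-Through,
# and "=" vs ":=" on Auth-Type ("=" sets only if unset, ":=" always replaces).
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^\s,]+)')
def parse_users(text):
    """DEFAULT entries: '==' items are check items, Fall-Through controls
    continuation, everything else (Auth-Type here) is a control item."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DEFAULT"):
            entries.append({"checks": [], "config": [], "fall_through": False})
            line = line[len("DEFAULT"):]
        if not line or not entries:
            continue
        for attr, op, value in ITEM.findall(line):
            value = value.strip('"')
            if attr == "Fall-Through":
                entries[-1]["fall_through"] = value.lower() in ("1", "yes")
            elif op == "==":
                entries[-1]["checks"].append((attr, value))
            else:
                entries[-1]["config"].append((attr, op, value))
    return entries

def select_auth_type(users_text, user_groups, preset=None):
    """Walk entries in order like the files module. user_groups: group DNs
    rlm_ldap reports for Ldap-Group; preset: control items already set by a
    module listed before files in authorize (rlm_ldap with set_auth_type)."""
    control = dict(preset or {})
    for entry in parse_users(users_text):
        # only Ldap-Group checks are modelled; any other check item fails
        if all(a == "Ldap-Group" and v in user_groups for a, v in entry["checks"]):
            for attr, op, value in entry["config"]:
                if op == ":=" or attr not in control:
                    control[attr] = value
            if not entry["fall_through"]:
                break
    return control.get("Auth-Type")

# kjhurni's working entries from the post above, as posted
WORKING = '''DEFAULT Ldap-Group == "cn=VPN-RAS-access-group,o=ABC", Auth-Type := LDAP
    Fall-Through = 0

DEFAULT Auth-Type = REJECT
    Fall-Through = 1
'''
# same entries with ":=" on the reject, so an earlier Auth-Type cannot win
STRICT = WORKING.replace("Auth-Type = REJECT", "Auth-Type := REJECT")
```

With an Auth-Type already preset, the reject entry written with "=" leaves LDAP in place while the ":=" variant enforces REJECT, so module order in authorize and the operator used are the two things to check when group membership seems to have no effect.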

Re: freeRadius with edir group authentication

Thanks for the config portions, will be onsite doing this today so will see how I go.
If I've got any problems I'll post back.

Knowledge Partner

Re: freeRadius with edir group authentication

I'm 99% sure that in my case, it was the "users" file that was key for me.
brianrbenson1

Re: freeRadius with edir group authentication

Hi kjhurni, I'm interested in your group filter and users file also.

I'm assuming this is freeradius 2.x, right?

Thanks,
-B

Touchstone Technology Network Consulting Engineer www.touchstonetech.com
Knowledge Partner

Re: freeRadius with edir group authentication

Hi Brian,

Mine says it's 1.1.7-21.77.1 of freeradius.

(Of course, the free radius docs on the free radius website are at 2.something.)

Note that in my setup I'm not using wireless or EAP or things like that

We're actually using it for a Cisco RAS server and an old Nortel Contivity VPN as they use RADIUS as their protocol.
brianrbenson1

Re: freeRadius with edir group authentication

Thanks, I'd still like to see your group membership setup. I don't think that is all that different between the major versions. Most of the differences seem to be that the configs are broken up into a modular style in 2.x and they are inline in 1.x.

Touchstone Technology Network Consulting Engineer www.touchstonetech.com
Knowledge Partner

Re: freeRadius with edir group authentication

brianrbenson;2149555 wrote:
Thanks, I'd still like to see your group membership setup. I don't think that is all that different between the major versions. Most of the differences seem to be that the configs are broken up into a modular style in 2.x and they are inline in 1.x.


Sure, did you see the posts above where I put my snippet of my files?
Or were you more interested in the entire content of the 3 config files I've used?
brianrbenson1

Re: freeRadius with edir group authentication

Somehow I missed it, but I see it now, thanks a lot.
-Brian

Touchstone Technology Network Consulting Engineer www.touchstonetech.com
gleach1

Re: freeRadius with edir group authentication

I've just done this yesterday; it worked like a treat.
I think I had 99% of it working, just a couple of things I missed by the looks of it when I was testing before I posted the question in the first place.

Thanks for your help muchly, kjhurni.

Knowledge Partner

Re: freeRadius with edir group authentication

Not a problem. Sometimes the news readers skip things (or if you're using the hybrid view in the web version it gets a bit weird sometimes).
Knowledge Partner

Re: freeRadius with edir group authentication

You're welcome!

Glad I could help after suffering myself for about 2 days trying to get the darn thing to work.
JVOORT

Re: freeRadius with edir group authentication

Is this discussion still current? If so, I would like to discuss an edir group configuration issue that I am facing on sles 10 sp3 x64 with freeradius 2.1.12 (installed from OBS). Everything works just fine, we can authenticate as individual users (through Univ PW), but not based on group membership.
Here is my /etc/raddb/ldap file (relevant content). Quotes (") are not in the real file, they are just around the sections that are private.

ldap {
server = "servername"
identity = "account with sufficient rights to read passwords"
password = "password"
basedn = "o=orgname"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
groupmembership_attribute = cn="RadiusUserGroupname"
access_attr_used_for_allow = yes
compare_check_items = no
timeout = 4
timelimit = 3
net_timeout = 1

and the relevant content of the users file (/etc/raddb/users):

DEFAULT
Ldap-Group == ""cn=groupname,ou=etc,o=etc"" <- double quotes, so in reality " "

Putting a user in a group or removing the user from the group has no effect, user will always be able to authenticate through RADIUS. I guess I need to set compare_check_items to yes, but when doing that, radiusd -X complains that "pairs do not match" and user is unable to authenticate through RADIUS (tested with ntradping).

Hope this makes sense to anyone...

thx in advance,

jvoort