FreeRADIUS is often deployed with an LDAP directory used as the identity store.
This means that the password is retrieved from the directory as an attribute and then verified by FreeRADIUS. It is important that you know which obfuscation mechanism is being used in your LDAP directory as not all EAP authentication protocols are compatible with all obfuscation types. DeployingRADIUS, Alan DeKok's site, has a handy compatibility matrix that lists authentication systems and their authentication protocol compatibility.
To use LDAP directories with passthrough authentication (such as SASL) with FreeRADIUS, please see the FreeRADIUS + OpenLDAP with SASL topic. This may be your only option if the compatibility matrix shows that the obfuscation type is incompatible with the EAP-TTLS inner authentication type.
To use Active Directory as an LDAP directory, please see the Using Active Directory topic.
1. Modify FreeRADIUS LDAP support
- Install the `freeradius-ldap` module, if you haven't already.
- Edit the LDAP module configuration (in `/etc/raddb/mods-available` on RedHat/CentOS or `/etc/freeradius/mods-available` on Debian/Ubuntu) as per the standard configuration with the server name(s), port(s), and whether TLS is required. We recommend you use TLS.
- Set the `password` option (and the matching bind identity) for a user that will have browse and attribute retrieval rights on the LDAP directory. We recommend using a user that is as unprivileged as possible and not used for anything else.
- Below the `base_dn`, from which all searches start, you will find the `update` section, which returns attributes from LDAP.
- This may include the `userPassword` LDAP attribute, which FreeRADIUS will use to authenticate. If the password attribute in your LDAP directory has a different name, change that here.
- Scroll to the `user` section. You may wish to modify the `scope` settings there to match what your LDAP directory requires to return a single user object. FreeRADIUS will set an `Ldap-UserDN` attribute that will be used for binding as a user if the search is successful.
- You may wish to test your LDAP search with tools such as `ldapsearch` to check your DN and your filters. See http://wiki.freeradius.org/modules/Rlm_ldap for more information.
- Save the file.
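The steps above, assembled into one `ldap` module fragment as an added example (FreeRADIUS 3.x syntax; this is not configuration taken from the page or shipped by the FreeRADIUS project). The hostname, bind DN, base DN, CA path and attribute names are assumptions for illustration; the bind password is a placeholder.

```freeradius
# mods-available/ldap  (added example; all names below are assumptions)
ldap {
	# Connect over LDAPS so the bind password and the returned
	# userPassword values never cross the network in the clear.
	server = 'ldaps://ldap.example.org'
	port = 636

	# Dedicated, minimally privileged bind account: read access to the
	# people subtree (including userPassword) and used for nothing else.
	identity = 'cn=radius-bind,ou=services,dc=example,dc=org'
	password = 'REPLACE-WITH-BIND-PASSWORD'   # placeholder, keep out of VCS

	# Starting point for all searches.
	base_dn = 'ou=people,dc=example,dc=org'

	update {
		# Copy the directory's password attribute into the control list.
		# Password-With-Header keeps the {SSHA}/{CRYPT}/... prefix so the
		# server can pick the matching comparison. Change 'userPassword'
		# here if your directory stores the password under another name.
		control:Password-With-Header	+= 'userPassword'
	}

	user {
		base_dn = "${..base_dn}"
		# The filter must select exactly one entry for the user.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
		# 'one' searches only the direct children of base_dn;
		# use 'sub' if users live in nested OUs.
		scope = 'one'
	}

	tls {
		ca_file = /etc/raddb/certs/ldap-ca.pem
		# 'demand' refuses the connection if the server certificate does
		# not validate against ca_file, which is what you want in production.
		require_cert = 'demand'
	}
}
```

Before enabling the module, the same search can be exercised from the shell with the bind account, e.g. `ldapsearch -H ldaps://ldap.example.org -D 'cn=radius-bind,ou=services,dc=example,dc=org' -W -b 'ou=people,dc=example,dc=org' -s one '(uid=alice)' userPassword` (assumed values). If that returns zero or several entries, adjust `filter` or `scope` before touching FreeRADIUS; if it returns the entry but no `userPassword`, the bind account lacks read rights on that attribute.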
3. Modify FreeRADIUS EAP support, if necessary
It is rare that network access servers still use PAP. Instead, they use a variety of EAP types, which can wrap PAP to provide better security for user credentials. The default is EAP-MD5.
Depending on the compatibility matrix, you may need to adjust the `default_eap_type` for the `ttls` EAP type to something different.
The default settings in the `eap` module in FreeRADIUS set PAP as the password mechanism for EAP-GTC, so no changes are required there. What is required, though, is setting the default type for tunneled EAP conversations:
To set the default EAP type in tunneled EAP conversations, such as EAP-TTLS, scroll to the `ttls` section, then set its `default_eap_type` to the type the compatibility matrix calls for.
PEAP support also includes a `default_eap_type` setting. This setting should not be modified.
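An `eap` module fragment showing the two settings discussed above, as an added example (FreeRADIUS 3.x syntax; not configuration from the page or from the FreeRADIUS project). It assumes the directory stores hashed passwords such as `{SSHA}`, which the compatibility matrix pairs with PAP-style inner methods only; the `tls-common` block and the `md5`/`mschapv2` subsections of the stock file are omitted here and assumed unchanged.

```freeradius
# mods-available/eap  (added example; assumes hashed userPassword in LDAP)
eap {
	# Outer default for requests that are not tunneled. The stock value
	# is md5; it is left alone here.
	default_eap_type = md5

	gtc {
		# Stock setting: the GTC password is checked with PAP, which is
		# the only comparison that works against {SSHA}/{CRYPT} values,
		# because the server only needs to hash the cleartext it receives.
		auth = PAP
	}

	ttls {
		tls = tls-common          # assumed to be defined earlier in the file
		# Inner EAP method. The stock md5 (like mschapv2) needs the
		# cleartext or NT hash on the server side, which a hashed
		# userPassword cannot provide, so select GTC here.
		default_eap_type = gtc
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	peap {
		tls = tls-common
		# Leave at the stock value: PEAP clients expect MS-CHAPv2 inside
		# the tunnel, and changing it here will not make a hashed
		# directory password usable.
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
}
```

After editing, `radiusd -XC` (configuration check only) confirms the file still parses before the server is restarted. If PEAP must be supported against this directory, the matrix indicates that a passthrough bind (the SASL topic linked above) is the route, not a change to the `peap` section.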