When using FreeRADIUS with LDAP passthrough authentication, such as OpenLDAP with SASL or Kerberos passthrough, you are very restricted in what you can do.
DeployingRADIUS, Alan DeKok's site, has a handy compatibility matrix that lists authentication systems and their authentication protocol compatibility. LDAP servers with passthrough authentication require you to bind to LDAP as the user, which in the compatibility matrix limits you to PAP authentication and its EAP variations (such as EAP-TTLS/PAP and EAP-TTLS/EAP-GTC with PAP).
1. Modify FreeRADIUS LDAP support
- Install the freeradius-ldap module, if you haven't already.
- Configure the
ldapmodule as per the standard configuration with the server name(s), port(s), and whether TLS is required.
- Below the
base_dn, from which all searches start, you will find the
updatesection, which returns attributes from LDAP. This may include the
userPasswordLDAP attribute, which FreeRADIUS will use to authenticate. Since you will use bind-as-user, this is not required. Comment it out.
Scroll to the
usersection. You may wish to modify the
scopesettings there to match what your LDAP requires to return a single user object. FreeRADIUS will set an
Ldap-UserDNattribute that will be used for binding as a user if the search is successful.
You may wish to test your LDAP search with tools such as
ldapsearchto test your DN and your filters. See http://wiki.freeradius.org/modules/Rlm_ldap for more information.
- Save the file.
2. Modify FreeRADIUS authentication support
It is assumed here that you will modify the
inner-tunnel site as Moonshot will use EAP-TTLS, and set the default EAP type in the
ttls section to
gtc for PAP support.
Insert into the bottom of the
authorizesection after the
papline the following:
authenticatesection, modify the
Auth-Type PAPoption as shown below:
- Additionally, remove the comment from the
ldapline in the
Auth-Type LDAPblock, but not the block itself.
- Save the file.
3. Modify FreeRADIUS EAP support
It is rare that network access servers still use PAP. Instead, they use a variety of EAP types, which can wrap PAP to provide better security for user credentials.
Since bind-as-user is limited to PAP, you are limited to EAP-GTC (which has PAP support).
The default settings in the
eap module in FreeRADIUS set PAP as the password mechanism for EAP-GTC, so no changes are required. What is required though is setting the default type for EAP conversations:
- If you intend to use just EAP-GTC without any further tunnelling, set the first instance of
To set the default EAP type in tunneled EAP conversations, such as EAP-TTLS, scroll to the
ttlssection, then set its
PEAP support also includes a
If you are using Cisco's PEAPv1, which supports EAP-GTC, you can set that
If you are using Microsoft's PEAPv0, the