This document describes how to set up FreeRADIUS on a FreeBSD machine
using LDAP as a backend. It is by no means complete and your mileage
may vary. If you have any problems with the setup of your FreeRADIUS
installation, please read the documentation that comes with FreeRADIUS
first, as that is where all the information for this project came from.
If you find any bugs, typos, alternative ideas, or just plain wrong
information, please let me know by sending an email
The radius servers in this document are built on FreeBSD 4.8, using
FreeRADIUS .81 with OpenLDAP 2.0.27 as the backend. The servers are
designed to support customers for multiple services. In this document
we will use regular dialup and ISDN dialup as examples of two different
services using the same radius server for authentication.
The radius servers are provisioned by some sort of system we will call
Billing. Billing could simply be a script, a web front-end, or an actual
integration into a billing system. Billing provisions to the master LDAP
server. The master LDAP server runs slurpd, which replicates all changes
to the other radius servers. Each radius server runs a local instance of
LDAP.
The radius servers accept RADIUS auth packets and RADIUS acct packets.
The accounting packets are stored locally on each radius server and then
forwarded to the Accounting radius server using radrelay. The Accounting
radius server stores all the radius information in some sort of database
such as MySQL, Postgres, or Oracle. The configuration of the actual
Accounting radius server is outside the scope of this document; please
refer to the FreeRADIUS documentation for setting up that server.
The Accounting radius server provides a searchable interface to the
accounting data for billing and usage purposes, and could allow a web
front-end to be built for helpdesk/customer service use. If that is not
needed for your purposes, disregard all details about the Accounting
radius server.
To make sure no data is lost if the Accounting radius server goes down,
the replication of data takes place using radrelay. Radrelay does the
equivalent of a tail on the detail file: it continually attempts to
duplicate each radius packet stored in the detail file and send it to
the recipient(s) specified. Upon receipt of an accounting_response
packet, radrelay considers that packet completed and continues working
on the others. Each radius server also stores its own copy of all
accounting packets sent to it.
Each NAS is set up with a primary radius server and a failover radius
server. We spread the load among the group of radius servers we have, so
some act as primary for some NASes and as secondary for others. In the
event of a radius failure, the NAS should fail over to the backup radius
server. How to configure this depends on the particular NAS being used.
[Architecture diagram; the ASCII art did not survive extraction. It
shows: Billing provisioning out to the LDAP Master; slurpd replicating
the master to the LDAP Slave on each radius server (Radius1, ...), since
all radius servers run a local copy of LDAP for authorization and
authentication; each radius server creating a local copy of all acct
packets and forwarding a copy back to the Accounting Radius server,
which uses the acct data for real-time billing; and the NAS set up to
use one of the radius servers as primary and the others as failover.]
The LDAP directory starts with the top level of dc=mydomain,dc=com. The
next level of the tree contains the different services that will be
stored within the LDAP server; for the radius users it is ou=radius.
Below ou=radius are the different types of accounts. For example,
ou=users stores the users and ou=profiles stores the default radius
profiles. The profiles are entries used to store group-wide radius
profiles. The group ou=admins is the place to enter the users for
Billing, FreeRADIUS, and any other administrative accounts that are
    dc=mydomain,dc=com              objectClass: dcObject, organizationalUnit
    |
    +-- ou=radius                   objectClass: organizationalUnit
        |
        +-- ou=users                entries: objectClass radiusprofile
        |   e.g. uid=example,ou=users,ou=radius,dc=mydomain,dc=com
        |
        +-- ou=profiles             entries: objectClass radiusprofile
        |   e.g. uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
        |
        +-- ou=admins               entries: objectClass person
            e.g. cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
An example LDIF file is below. NOTE: there are unique radius attribute
types and objectclasses; these are explained in the configuration
section::
    # The RDN attribute of each entry (dc, ou, uid, cn) and the person
    # objectclass/sn lines of the admin entries were missing from the
    # listing and are added here so the entries load as written.
    dn: dc=mydomain,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: mydomain
    ou: Mydomain.com Radius

    dn: ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: radius

    dn: ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: profiles

    dn: ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: users

    dn: ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: admins

    dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: dial
    radiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None

    dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: isdn
    radiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None

    dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: radiusProfile
    uid: example
    radiusGroupName: dial
    radiusGroupName: isdn

    dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: person
    cn: freeradius
    sn: freeradius
    userPassword: freeradius

    dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: person
    cn: billing
    sn: billing
    userPassword: billing

    dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: person
    cn: replica
    sn: replica
    userPassword: replica
In order to configure the LDAP server to understand the radius schema we
are using, the attribute types and objectclasses must be defined in
slapd.conf. The file is included with the following line in slapd.conf::

    include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

Below is the complete schema::
    ----Begin RADIUS-LDAPv3.schema----
    #################################################
    ##### custom radius attributes ##################
    objectIdentifier myOID 1.1
    objectIdentifier mySNMP myOID:1
    objectIdentifier myLDAP myOID:2
    objectIdentifier myRadiusFlag myLDAP:1
    objectIdentifier myObjectClass myLDAP:2

    NAME 'radiusAscendRouteIP'
    DESC 'Ascend VSA Route IP'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    NAME 'radiusAscendIdleLimit'
    DESC 'Ascend VSA Idle Limit'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    NAME 'radiusAscendLinkCompression'
    DESC 'Ascend VSA Link Compression'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    NAME 'radiusAscendAssignIPPool'
    DESC 'Ascend VSA AssignIPPool'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    NAME 'radiusAscendMetric'
    DESC 'Ascend VSA Metric'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    #################################################

    ( 1.3.6.1.4.1.3317.4.3.1.1
    NAME 'radiusArapFeatures'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.2
    NAME 'radiusArapSecurity'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.3
    NAME 'radiusArapZoneAccess'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.44
    NAME 'radiusAuthType'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.4
    NAME 'radiusCallbackId'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.5
    NAME 'radiusCallbackNumber'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.6
    NAME 'radiusCalledStationId'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.7
    NAME 'radiusCallingStationId'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.8
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.45
    NAME 'radiusClientIPAddress'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.9
    NAME 'radiusFilterId'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.10
    NAME 'radiusFramedAppleTalkLink'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.11
    NAME 'radiusFramedAppleTalkNetwork'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.12
    NAME 'radiusFramedAppleTalkZone'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.13
    NAME 'radiusFramedCompression'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.14
    NAME 'radiusFramedIPAddress'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.15
    NAME 'radiusFramedIPNetmask'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.16
    NAME 'radiusFramedIPXNetwork'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.17
    NAME 'radiusFramedMTU'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.18
    NAME 'radiusFramedProtocol'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.19
    NAME 'radiusFramedRoute'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.20
    NAME 'radiusFramedRouting'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.46
    NAME 'radiusGroupName'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.47
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.48
    NAME 'radiusHuntgroupName'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.21
    NAME 'radiusIdleTimeout'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.22
    NAME 'radiusLoginIPHost'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.23
    NAME 'radiusLoginLATGroup'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.24
    NAME 'radiusLoginLATNode'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.25
    NAME 'radiusLoginLATPort'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.26
    NAME 'radiusLoginLATService'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.27
    NAME 'radiusLoginService'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.28
    NAME 'radiusLoginTCPPort'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.29
    NAME 'radiusPasswordRetry'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.30
    NAME 'radiusPortLimit'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.49
    NAME 'radiusProfileDn'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12

    ( 1.3.6.1.4.1.3317.4.3.1.31
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.50
    NAME 'radiusProxyToRealm'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.51
    NAME 'radiusReplicateToRealm'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.52
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.32
    NAME 'radiusServiceType'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.33
    NAME 'radiusSessionTimeout'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.34
    NAME 'radiusTerminationAction'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.35
    NAME 'radiusTunnelAssignmentId'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.36
    NAME 'radiusTunnelMediumType'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.37
    NAME 'radiusTunnelPassword'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.38
    NAME 'radiusTunnelPreference'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.39
    NAME 'radiusTunnelPrivateGroupId'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.40
    NAME 'radiusTunnelServerEndpoint'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.41
    NAME 'radiusTunnelType'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.42
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.43
    NAME 'radiusTunnelClientEndpoint'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    #need to change asn1.id
    ( 1.3.6.1.4.1.3317.4.3.1.53
    NAME 'radiusSimultaneousUse'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

    ( 1.3.6.1.4.1.3317.4.3.1.54
    NAME 'radiusLoginTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.55
    NAME 'radiusUserCategory'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.56
    NAME 'radiusStripUserName'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

    ( 1.3.6.1.4.1.3317.4.3.1.57
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.58
    NAME 'radiusExpiration'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.59
    NAME 'radiusCheckItem'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

    ( 1.3.6.1.4.1.3317.4.3.1.60
    NAME 'radiusReplyItem'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    ( 1.3.6.1.4.1.3317.4.3.2.1
    radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
    radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
    radiusCalledStationId $ radiusCallingStationId $ radiusClass $
    radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
    radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
    radiusFramedCompression $ radiusFramedIPAddress $
    radiusFramedIPNetmask $ radiusFramedIPXNetwork $
    radiusFramedMTU $ radiusFramedProtocol $
    radiusCheckItem $ radiusReplyItem $
    radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
    radiusGroupName $ radiusHint $ radiusHuntgroupName $
    radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
    radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
    radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
    radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
    radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
    radiusSessionTimeout $ radiusStripUserName $
    radiusTerminationAction $ radiusTunnelAssignmentId $
    radiusTunnelClientEndpoint $ radiusIdleTimeout $
    radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
    radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
    radiusLoginTCPPort $ radiusPasswordRetry $ radiusPortLimit $
    radiusPrompt $ radiusProfileDn $ radiusServiceType $
    radiusSessionTimeout $ radiusSimultaneousUse $
    radiusTerminationAction $ radiusTunnelAssignmentId $
    radiusTunnelClientEndpoint $ radiusTunnelMediumType $
    radiusTunnelPassword $ radiusTunnelPreference $
    radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
    radiusTunnelType $ radiusUserCategory $ radiusVSA $
    radiusExpiration $ dialupAccess $
    radiusAscendRouteIP $ radiusAscendIdleLimit $
    radiusAscendLinkCompression $
    radiusAscendAssignIPPool $ radiusAscendMetric )

    ----End RADIUS-LDAPv3.schema----
Now we need to set up the permissions on the LDAP server. Notice that
above we created three users in the admins ou. These users are specific
to billing, FreeRADIUS, and replication.

On the master LDAP server we set the following permissions::

    access to attr=userPassword
        by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write

        by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write

This gives the billing user write access to add/delete users. For
security we do not give read access to any other users. You can easily
add another read-only user to this setup if you want to build some sort
of web interface to
Now on the slave LDAP servers (aka the radius servers) we set up the
following permissions::

    access to attr=userPassword
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

    access to dn="ou=users,ou=radius,dc=mydomain,dc=com"
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
        by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read

        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

This gives the replica user write access. This user is discussed below;
it is involved in replicating the master server to the slaves. The
freeradius user only needs read access to do the lookups for
Now we want to set up indexes to speed up searches. At the minimum, the
following will work. Since all radius lookups currently use the uid, we
want to index that. It is also a good idea to index the objectclass
attribute::

    # Indices to maintain
Now we need to set up the replication from the master to the slave
servers. To do this, we add the following to the slapd.conf file on the
master LDAP server::

    replica host=radius1.mydomain.com
            binddn=cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
            bindmethod=simple credentials=replica

    replica host=radius2.mydomain.com
            binddn=cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
            bindmethod=simple credentials=replica

We need to add a replica entry for each slave LDAP server. The binddn is
the name used to bind to the slave server, and the credentials is the
secret for that user.

On the slave LDAP servers::

    updatedn cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
    updateref ldap://ldapmaster.mydomain.com

These determine which name is allowed to update the LDAP server and, if
an update is attempted directly, which server to refer the update to.
The radius server is set up to use LDAP for both authorization and
authentication. This section describes the events that take place during
an AAA session with a NAS. When the NAS sends an access_request to the
radius server, the radius server performs authorization and
authentication based on a series of modules defined in radiusd.conf. For
example, the module defined as ldap is used to make connections to the
LDAP directory. An example is listed below::
    ldap {
        identity = cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
        # this is the basedn to do searches on a user
        basedn = ou=users,ou=radius,dc=mydomain,dc=com
        # notice the username is the stripped user-name or user-name
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        # this maps ldap attributetypes to radius attributes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_connections_number = 10
        #password_header = {clear}
        # While integrating FreeRADIUS with Novell eDirectory, set
        # 'password_attribute = nspmpassword' in order to use the universal password
        # of the eDirectory users for RADIUS authentication. This will work only if
        # FreeRADIUS is configured to build with --with-edir option.
        password_attribute = userPassword
        # Comment out the following to disable the eDirectory account policy check and
        # intruder detection. This will work only if FreeRADIUS is configured to build
        # with --with-edir option.
        #edir_account_policy_check=no
        groupname_attribute = radiusGroupName
        groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
        groupmembership_attribute = radiusGroupName
        compare_check_items = no
        #access_attr_used_for_allow = yes
    }
The first thing that is done is authorization of the user. The radius
server processes the modules in the order specified in the authorization
section of radiusd.conf. Currently they are in the following order.
The first module is preprocess. This first checks the huntgroups of the
user coming in. The huntgroups are defined in the file huntgroups and
they are a group listing of the NAS-IP-Addresses that make the
access_request. This is useful for creating specific actions based on
the NAS-IP the request is made from. An example is below::

    isdncombo   NAS-IP-Address == 10.10.10.1
    dialup      NAS-IP-Address == 10.10.10.2
    dialup      NAS-IP-Address == 10.10.10.3

We have one NAS that is used for both ISDN and regular dialup customers;
the other NASes are only used for dialup.
The preprocess module may also use the hints file to load hints into the
radius server, and add additional hacks based on the type of request
that comes in. This helps with certain NASes that don't conform to the
RADIUS RFCs. Check the comments in radiusd.conf for an explanation of
those.
The second module is suffix. This determines which realm the user is in,
based on the User-Name attribute. It is currently set up to split the
username at the occurrence of the @ symbol. For example, the username
example@mydomain.com is split into example and mydomain.com. The realm
is then checked against the file proxy.conf, which determines what
actions should be taken for that realm. Certain realms can be set up to
be proxied to a different radius server or set to authenticate locally.
Also, the username can be set up to be stripped of the realm or left
intact. An example of proxy.conf is listed below. If the realm is to be
proxied, then a secret is needed, which is the secret of the radius
server it is to be proxied to. By default the User-Name is stripped,
unless the nostrip option is set.

Currently we are not using realms with our users, but adding this
ability in the future will be much easier by already incorporating
proxy.conf into the
    servers_per_realm = 15
    default_fallback = yes

    #secret = testing123

    #secret = testing123
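The suffix split and the ldap module's user filter, modelled in plain Python as an added example (not code from the howto or from FreeRADIUS). The realm table standing in for proxy.conf is constructed, and the example splits at the last "@" (an assumption; the page only says "at the @ symbol"). The User-Name comes straight from the NAS, so the value must be escaped per RFC 4515 before it is placed in the filter; the example does that explicitly so the effect is visible.

```python
# RFC 4515 escapes for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so a User-Name can only ever match a uid."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed stand-in for the realm blocks of proxy.conf (assumption): each
# realm is either authenticated locally or proxied, and nostrip keeps the realm
# on the User-Name. DEFAULT is used for realms that are not listed.
REALMS = {
    "mydomain.com": {"proxy": False, "nostrip": False},
    "partner.example": {"proxy": True, "nostrip": True},
    "DEFAULT": {"proxy": False, "nostrip": False},
}


def suffix_realm(user_name, realms=REALMS):
    """Mimic the suffix module: split at the last '@' and look up the realm.

    Returns (Stripped-User-Name, Realm, proxied). Stripped-User-Name is None
    when there is no realm or the realm is marked nostrip.
    """
    if "@" not in user_name:
        return None, None, False
    user, realm = user_name.rsplit("@", 1)
    entry = realms.get(realm.lower(), realms.get("DEFAULT"))
    if entry is None:
        return None, realm, False
    stripped = None if entry["nostrip"] else user
    return stripped, realm, entry["proxy"]


def ldap_user_filter(user_name, stripped_user_name=None):
    """Expand (uid=%{Stripped-User-Name:-%{User-Name}}): use Stripped-User-Name
    when it is set, otherwise fall back to the unmodified User-Name."""
    value = stripped_user_name if stripped_user_name is not None else user_name
    return "(uid=%s)" % escape_filter_value(value)


def user_filter_for(user_name):
    """Full path for an incoming User-Name: realm split, then the LDAP filter."""
    stripped, _realm, _proxied = suffix_realm(user_name)
    return ldap_user_filter(user_name, stripped)
```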
The next module is files, commonly known as the users file. The users
file starts each entry with either a username, to determine how to
authorize a specific user, or a DEFAULT setting. In each line it defines
what items must be present for there to be a match, in the form
attribute == value. If all the required attributes match, then the
attributes specified with attribute := value are set for that user. If
no match is found, the users file continues to be processed until there
is a match. The last DEFAULT setting is set as a catch-all, in case
there is no previous match. If a match is made, the Fall-Through
statement determines whether the users file should continue to be
processed or stop right there.

The Ldap-Group corresponds to the LDAP attribute radiusGroupName (see
the ldap configuration above). The user may be assigned multiple
radiusGroupNames, one for each of the services the user is authorized
for. If the user belongs to the correct group, the user is authorized
for that type of access. If the user does not belong to that group,
there is no match and the users file continues to be processed. If a
match is made and a User-Profile is set, the radius server looks up the
attributes that exist in that User-Profile in the LDAP directory. These
are radius attributes that are sent to the NAS as reply items.
An example users file is below::

    DEFAULT Ldap-Group == disabled, Auth-Type := Reject
            Reply-Message = "Account disabled. Please call the helpdesk."

    DEFAULT Huntgroup-Name == isdncombo, NAS-Port-Type == Async, Ldap-Group == dial,
            User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"

    DEFAULT Huntgroup-Name == isdncombo, NAS-Port-Type == ISDN, Ldap-Group == isdn,
            User-Profile := "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com"

    DEFAULT Huntgroup-Name == dial, Ldap-Group == dial,
            User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"

    DEFAULT Auth-Type := Reject
            Reply-Message = "Please call the helpdesk."
Notice that the catch-all DEFAULT is set to reject the user. This stops
the authorization and immediately sends back an access_reject message.
Because business rules are applied above to each scenario where the user
will be authorized for access, if no match is found we want to stop the
process immediately to save resources.

By using the Ldap-Group feature we can limit user logins to only the
services they are subscribed to. Some examples of possible user setups
are below::
    # user with access to dial-up
    dn: uid=user1,ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: user1
    userPassword: whatever
    radiusgroupname: dial

    # user with access to ISDN and dial
    dn: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: user2
    userPassword: whatever
    radiusgroupname: dial
    radiusgroupname: isdn

    # same user as above after being suspended for not paying
    dn: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: user2
    userPassword: whatever
    radiusgroupname: dial
    radiusgroupname: isdn
    radiusgroupname: disabled
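The users-file rules, the huntgroups file and the user entries above, modelled in plain Python as an added example (not code from the howto or from FreeRADIUS) so the outcome of each authorization path can be checked: the disabled group rejects before anything else, a user without the isdn group is refused on an ISDN port, and an unknown user or an unlisted NAS falls through to the catch-all reject. The directory, huntgroup table and attrmap subset are constructed; the suspended user is stored as user3 so all three states coexist. Note that the howto's huntgroups file names the dialup NASes "dialup" while its users file checks Huntgroup-Name == dial; the table here uses "dial" so that rule can match.

```python
PROFILES = "ou=profiles,ou=radius,dc=mydomain,dc=com"
USERS = "ou=users,ou=radius,dc=mydomain,dc=com"

# Constructed huntgroups: NAS-IP-Address -> Huntgroup-Name ("dial" rather than
# the howto's "dialup", so the users-file rule for Huntgroup-Name == dial matches).
HUNTGROUPS = {"10.10.10.1": "isdncombo", "10.10.10.2": "dial", "10.10.10.3": "dial"}

# The users file, in file order: (check items, items set on a match).
# Without Fall-Through the first matching entry ends processing.
USERS_FILE = [
    ({"Ldap-Group": "disabled"},
     {"Auth-Type": "Reject", "Reply-Message": "Account disabled. Please call the helpdesk."}),
    ({"Huntgroup-Name": "isdncombo", "NAS-Port-Type": "Async", "Ldap-Group": "dial"},
     {"User-Profile": "uid=dial," + PROFILES}),
    ({"Huntgroup-Name": "isdncombo", "NAS-Port-Type": "ISDN", "Ldap-Group": "isdn"},
     {"User-Profile": "uid=isdn," + PROFILES}),
    ({"Huntgroup-Name": "dial", "Ldap-Group": "dial"},
     {"User-Profile": "uid=dial," + PROFILES}),
    ({}, {"Auth-Type": "Reject", "Reply-Message": "Please call the helpdesk."}),
]

# Constructed stand-in for the LDAP directory: DN -> attributes.
DIRECTORY = {
    "uid=user1," + USERS: {"radiusGroupName": ["dial"]},
    "uid=user2," + USERS: {"radiusGroupName": ["dial", "isdn"]},
    "uid=user3," + USERS: {"radiusGroupName": ["dial", "isdn", "disabled"]},
}
for _name in ("dial", "isdn"):  # the two profile entries from the LDIF above
    DIRECTORY["uid=%s,%s" % (_name, PROFILES)] = {
        "radiusServiceType": ["Framed-User"], "radiusFramedProtocol": ["PPP"],
        "radiusFramedIPNetmask": ["255.255.255.0"], "radiusFramedRouting": ["None"],
    }

# The part of ldap.attrmap the profiles need: LDAP attribute -> reply item.
ATTRMAP = {
    "radiusServiceType": "Service-Type", "radiusFramedProtocol": "Framed-Protocol",
    "radiusFramedIPNetmask": "Framed-IP-Netmask", "radiusFramedRouting": "Framed-Routing",
}


def check_matches(attr, wanted, request, groups):
    """One 'attribute == value' check item against the request."""
    if attr == "Ldap-Group":          # membership via the user's radiusGroupName values
        return wanted in groups
    if attr == "Huntgroup-Name":      # set by preprocess from the NAS-IP-Address
        return HUNTGROUPS.get(request.get("NAS-IP-Address")) == wanted
    return request.get(attr) == wanted


def authorize(request, directory=DIRECTORY):
    """Walk the users file for an access_request and return the resulting items.

    On a User-Profile match the profile's LDAP attributes become reply items;
    otherwise the Auth-Type := Reject entry that matched is returned. A user
    missing from the directory has no groups and so reaches the catch-all.
    """
    dn = "uid=%s,%s" % (request["User-Name"], USERS)
    groups = directory.get(dn, {}).get("radiusGroupName", [])
    for checks, items in USERS_FILE:
        if not all(check_matches(a, v, request, groups) for a, v in checks.items()):
            continue
        result = dict(items)
        profile_dn = result.pop("User-Profile", None)
        if profile_dn is not None:
            for ldap_attr, values in directory[profile_dn].items():
                result[ATTRMAP[ldap_attr]] = values[0]
        return result
    return {"Auth-Type": "Reject"}  # not reached: the last DEFAULT always matches


# Reply items both profiles produce (they carry identical attributes above).
PROFILE_REPLY = {"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
                 "Framed-IP-Netmask": "255.255.255.0", "Framed-Routing": "None"}
```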
Now that we have authorized the user, the final piece is to authenticate
the user. Authentication is currently done by checking that the password
sent in the access_request packet is correct. This is done with an
attempted bind to the LDAP server using the User-Name and User-Password
attributes passed in the access_request. If the user is successfully
authenticated, an access_accept message is sent back to the NAS, with
any reply items defined in the authorization section. If the user did
not supply the correct password, an access_reject message is sent to the
If the NAS is sent an access_accept packet, the user is given access to
the service and the NAS then sends an acct_request packet. This is a
request packet to start a radius accounting session. The way the server
logs the accounting packets is determined in the detail module in the
radiusd.conf file. Since we store a local copy and forward all
accounting to the Accounting radius server, we store two local copies on
the machine. The first one is done in a regular detail file as defined
in the

    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
The second detail file is used by the program radrelay to relay a copy
of all accounting packets to the Accounting radius server. This file is
stored as a catch-all for all accounting packets. The radrelay program
basically does a tail on that file and then attempts to send a copy of
each addition to the Accounting server. If the copy is successfully
sent, it is deleted from this file. If the Accounting server were to go
down, this file would continue to build up entries. As soon as the
Accounting server is back online, an attempt to re-send the packets to
the Accounting server is made. This file is defined in the following
section of radiusd.conf::

    detailfile = ${radacctdir}/detail-combined
The new radius servers are currently built on FreeBSD 4.8. As the
version may eventually change, these instructions may no longer apply.
The steps for building the server are the following:

* Install other FreeBSD items
* Install OpenLDAP *NOTE: this must be done before installing FreeRADIUS*
* Install FreeRADIUS

Under the assumption that FreeBSD is already installed and the kernel
rebuilt to the specifications needed for the machine, there are several
other things that may be needed at this time; the purpose of this list
is just as a reminder.

* install cvsup-without-gui from the ports collection
* run cvsup on all to update the ports to the most recent versions
* it might be a good idea to upgrade the src: edit and run cvsup on
  /usr/share/examples/cvsup/standard-supfile, then cd /usr/src, vi
  Makefile and follow the instructions
* install sendmail from ports to keep up to date with the most recent
  versions. In the ports collection /ports/mail/sendmail run make; make
  install; make mailer.conf. Then edit rc.conf and change to
  sendmail_enable=NO; radius servers only need the local interface to
  send daily reports
* edit rc.conf to make sure inetd_enable=NO; no reason to have extra
  services running
* if you rebuilt the kernel to add support for IPFIREWALL, then remember
  to add a firewall rule to rc.conf: firewall_type=OPEN (or actually
  create a real firewall rule)
* add a crontab entry to keep the date accurate for accounting::

      15 03 * * * /usr/sbin/ntpdate -s thetimeserver.mydomain.com

* install openldap from ports
* download the freeradius source, as the ports collection is often
  outdated; the default settings are /usr/local/etc/raddb,
  /var/log/radius.log, /var/log/radacct. Since openldap was installed
  first, you should not need any special flags to
Now it's time to configure OpenLDAP and FreeRADIUS. First we will look at
configuring OpenLDAP.

* copy RADIUS-LDAPv3.schema to /usr/local/etc/openldap/schema

* edit /usr/local/etc/openldap/slapd.conf::
    ----Begin slapd.conf----
    # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.7 2003/03/24 03:54:12
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

    # Define global ACLs to disable default read access.

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    # Load dynamic backend modules:
    # modulepath /usr/local/libexec/openldap
    # moduleload back_bdb.la
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la

    password-hash {SSHA}

    # freeradius must be able to read userPassword (radiusd.conf sets
    # password_attribute = userPassword) and the admins must be able to
    # bind against it, so those two clauses are required here.
    access to attr=userPassword
        by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
        by anonymous auth

    access to dn="ou=users,ou=radius,dc=mydomain,dc=com"
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
        by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read

        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

    #######################################################################
    # ldbm database definitions
    #######################################################################

    database ldbm
    suffix "dc=mydomain,dc=com"
    rootdn "cn=root,dc=mydomain,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw {SSHA}Eu5EwPxTrwhEGrXQ9SaQZyfpu4iHt3NP
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/db/openldap-data
    # Indices to maintain
    index objectClass eq

    # replica: one for each slave
    #replica host=radius1.mydomain.com
    # binddn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
    # bindmethod=simple credentials=secret

    replogfile /var/db/openldap-slurp/replog

    ## REMEMBER TO ADD THIS TO THE SLAVES
    updatedn "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
    updateref ldap://ldapmaster.mydomain.com
    ----End slapd.conf----
To create a rootpw that is not stored in plain text, enter the following command::

    $ slappasswd

It will ask for a password and verification::

    New password:
    Re-enter new password:

While in the shell, create the directory for the ldap database; this must be created before slapd can start::

    $ mkdir /var/db/openldap-data

Move the slapd.sh.sample file to slapd.sh in /usr/local/etc/rc.d::

    $ mv /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh

Enable logging in /etc/syslog.conf by adding the following::

    local4.* /var/log/ldap.log

Start it up on both the master and slave ldap servers::

    $ /usr/local/etc/rc.d/slapd.sh start
Create the structural ldif, schema.ldif::

    ----Begin schema.ldif----
    dn: dc=mydomain,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: mydomain
    ou: Mydomain.com Radius

    dn: ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: radius

    dn: ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: profiles

    dn: ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: users

    dn: ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: organizationalunit
    ou: admins

    dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: dial
    radiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None

    dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: isdn
    radiusServiceType: Framed-User
    radiusFramedProtocol: PPP
    radiusFramedIPNetmask: 255.255.255.0
    radiusFramedRouting: None

    # example user; the password is assumed to match the radclient test
    # at the end of this document (User-Password = test)
    dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: radiusProfile
    uid: example
    userPassword: test
    radiusGroupName: dial
    radiusGroupName: isdn

    # The admin entries use person as their structural class (assumed here;
    # it supplies cn, sn and userPassword). Replace the cleartext values
    # with slappasswd output before loading them.
    dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: person
    cn: freeradius
    sn: freeradius
    userPassword: freeradius

    dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: person
    cn: billing
    sn: billing
    userPassword: billing

    dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
    objectclass: person
    cn: replica
    sn: replica
    userPassword: replica
    ----End schema.ldif----
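The slapd.conf comments above warn against cleartext passwords, yet the admin entries in schema.ldif carry them in the clear. The following Python is an added example (not part of this HOWTO, OpenLDAP or FreeRADIUS): it computes the same {SSHA} form that slappasswd emits, verifies a password against a stored value, and rewrites the cleartext userPassword lines of an LDIF; the sample LDIF is constructed for the example.

```python
import base64
import hashlib
import os
import re

# Constructed sample modelled on the admin and rootdn entries above: one
# cleartext userPassword, one already in slappasswd's {SSHA} form.
SAMPLE_LDIF = """\
dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
cn: freeradius
userPassword: freeradius

dn: cn=root,dc=mydomain,dc=com
userPassword: {SSHA}Eu5EwPxTrwhEGrXQ9SaQZyfpu4iHt3NP
"""

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), 4-byte salt like slappasswd."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value; the salt is the trailing bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

# A userPassword line whose value does not start with a {scheme} prefix.
_CLEAR = re.compile(r"^(userpassword): (?!\{)(.+)$", re.IGNORECASE)

def find_cleartext(ldif):
    """Return the DNs of entries whose userPassword is stored in the clear."""
    dn, hits = None, []
    for line in ldif.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:]
        elif _CLEAR.match(line):
            hits.append(dn)
    return hits

def harden_ldif(ldif):
    """Rewrite cleartext userPassword values as {SSHA}; hashed values are left untouched."""
    out = []
    for line in ldif.splitlines():
        m = _CLEAR.match(line)
        out.append(f"{m.group(1)}: {ssha_hash(m.group(2))}" if m else line)
    return "\n".join(out) + "\n"
```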
Add the organizational structure to the master ldap database. None of the
admin entries exist yet, so bind as the rootdn for this first load::

    $ ldapadd -D "cn=root,dc=mydomain,dc=com" -W -f schema.ldif -h ldapmaster.mydomain.com

Run slapcat to see what the directory looks like::

    $ slapcat

If all went well the LDAP directory should be up and running and propagated to
the slaves. Now you can add your users to the master.
Now it's time to set up FreeRADIUS. First cd into /usr/local/etc/raddb and take
a look at all the configuration files; they are heavily documented, so you may
wish to read through them all before making any changes.
Edit radiusd.conf::

    ----Begin radiusd.conf----
    ## radiusd.conf -- FreeRADIUS server configuration file.

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = /usr/local/etc/raddb
    localstatedir = ${prefix}/var
    sbindir = ${exec_prefix}/sbin

    raddbdir = /usr/local/etc/raddb
    radacctdir = /var/log/radacct
    logdir = /var/log

    # Location of config and logfiles.
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd
    log_file = ${logdir}/radius.log
    libdir = ${exec_prefix}/lib
    pidfile = ${run_dir}/radiusd.pid

    max_request_time = 30
    delete_blocked_requests = no

    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth_badpass = no
    log_auth_goodpass = no

    # The program to execute to do concurrency checks.
    #checkrad = ${sbindir}/checkrad

    max_attributes = 200

    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf

    $INCLUDE ${confdir}/clients.conf

    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0

    # ldap { } module: bind as the freeradius admin defined in schema.ldif
    server = "localhost"
    identity = "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
    password = freeradius
    basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    #default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
    #profile_attribute = "radiusProfileDn"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_cache_timeout = 120
    ldap_connections_number = 10
    #password_header = "{clear}"
    password_attribute = userPassword
    groupname_attribute = radiusGroupName
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
    groupmembership_attribute = radiusGroupName
    compare_check_items = no
    #access_attr_used_for_allow = yes

    # files { } module
    huntgroups = ${confdir}/huntgroups
    #hints = ${confdir}/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    usersfile = ${confdir}/users
    #acctusersfile = ${confdir}/acct_users
    #use old style users

    # detail { } instance: regular detail files
    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

    # detail { } instance: temp detail file to replicate to accountrad
    detailfile = ${radacctdir}/detail-combined

    # acct_unique { } key
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"

    # filename = ${logdir}/radutmp

    # filename = ${logdir}/sradutmp

    # attrsfile = ${confdir}/attrs

    # The "always" module is here for debugging purposes. Each
    # instance simply returns the same result, always, without

    # The 'expression' module currently has no configuration.

    # Get an address from the IP Pool.
    ----End radiusd.conf----
Edit huntgroups to assign each NAS to a huntgroup::

    ----Begin huntgroups----
    isdncombo    NAS-IP-Address == 10.10.10.1

    dialup       NAS-IP-Address == 10.10.10.2
    dialup       NAS-IP-Address == 10.10.10.3
    ----End huntgroups----
Edit proxy.conf to set up the different realms::

    ----Begin proxy.conf----
    servers_per_realm = 15
    default_fallback = yes

    #secret = testing123

    #secret = testing123
    ----End proxy.conf----
Edit clients.conf to set up the NASes that can talk to it::

    ----Begin clients.conf----
    shortname = localhost

    # isdn and dialup nas
    ----End clients.conf----
You may wish to look at the other files, but they should all be OK by default.

Create startup files in /usr/local/etc/rc.d.

radiusd.sh - the radiusd startup file::

    ----Begin radiusd.sh----
    #!/bin/sh

    case "$1" in
    start)
        /usr/local/sbin/radiusd
        ;;
    stop)
        if [ -f /usr/local/var/run/radiusd/radiusd.pid ]; then
            kill -TERM `cat /usr/local/var/run/radiusd/radiusd.pid`
            rm -f /usr/local/var/run/radiusd/radiusd.pid
        fi
        ;;
    restart)
        if [ -f /usr/local/var/run/radiusd/radiusd.pid ]; then
            kill -HUP `cat /usr/local/var/run/radiusd/radiusd.pid`
            echo 'radiusd restarted'
        fi
        ;;
    *)
        echo "Usage: ${0##*/}: { start | stop | restart }" >&2
        exit 64
        ;;
    esac

    exit 0
    ----End radiusd.sh----
radrelay.sh - the radrelay startup file::

    ----Begin radrelay.sh----
    #!/bin/sh

    case "$1" in
    start)
        # the last argument is the detail file named in radiusd.conf,
        # relative to the -a accounting directory
        /usr/local/bin/radrelay -a /var/log/radacct -d /usr/local/etc/raddb \
            -S /usr/local/etc/raddb/radrelay_secret -f -r accounting.mydomain.com:1813 \
            detail-combined
        echo -n ' radrelay started'
        ;;
    stop)
        /usr/bin/killall radrelay
        echo ' radrelay stopped'
        ;;
    *)
        echo "Usage: ${0##*/}: { start | stop }" >&2
        exit 64
        ;;
    esac

    exit 0
    ----End radrelay.sh----
Create radrelay_secret in /usr/local/etc/raddb. This file will contain the
secret to connect to the Accounting radius server, and like slapd.conf it
should not be world readable::

    ----Begin radrelay_secret----
    ----End radrelay_secret----

Now start radiusd and radrelay::

    $ /usr/local/etc/rc.d/radiusd.sh start
    $ /usr/local/etc/rc.d/radrelay.sh start

You should be all set to start testing now.
OTHER RANDOM NOTES AND THOUGHTS
-------------------------------
The client programs used to connect to the ldap directory are:

ldapsearch
    to search for a record

slapcat
    to show the entire directory

slappasswd
    to generate a crypted password

Read the man pages on those commands; they tell you everything you

They all follow this basic syntax (use -W instead of -w to be prompted for
the secret, which keeps it out of the shell history)::

    $ ldapwhatever -D "cn=someone,ou=admins,ou=radius,dc=mydomain,dc=com" -w thesecret -andthenotherstuff

Finally, if you are having trouble with LDAP, run it in debug mode by
changing the following in slapd.sh::
There is a program included with freeradius to test the radius server;
it's called radclient. Typing it alone will tell you all the options.
You will need to create a file that contains radius attributes, such

    User-Password = test
    Service-Type = Framed-User
    NAS-IP-Address = 10.10.10.1
    NAS-Port-Type = Async

Then you fire that radius packet at the server by issuing::

    $ radclient -f testradiusfile localhost auth thesecret

where

* localhost is the server you are hitting
* auth or acct is chosen depending on the type of packet
* thesecret is the shared secret used to connect to that server
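On the wire, radclient hides the User-Password with the shared secret exactly as RFC 2865 describes, which is why the secret must be kept private: whoever holds it and sees the request can recover the password. The following Python is an added example (not part of this HOWTO, radclient or FreeRADIUS) that builds the Access-Request for the attribute file above, hides the password, and performs the server-side reveal; the secret, identifier and authenticator values are constructed.

```python
import hashlib
import os
import struct

# RFC 2865 attribute types and values used by the radclient test file above.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_PORT_TYPE = 1, 2, 4, 6, 61
FRAMED_USER, ASYNC = 2, 0

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block); the 'previous block' of the first one is the 16-byte Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16) if password else b"\0" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """What the server does before comparing against the LDAP userPassword."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value   # TLV, length includes header

def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Assemble the Access-Request (code 1) radclient would send for the test file."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", FRAMED_USER))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", ASYNC)))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    """Return {type: raw value} for the attributes after the 20-byte header."""
    pos, out = 20, {}
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out
```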
Finally, if you are having trouble you can run radius in debug mode
and it will output everything that happens to the screen. To do that,
kill the current process and run::
* _`FreeRADIUS`: http://www.freeradius.org
* _`FreeRADIUS Documentation`: http://www.freeradius.org/radiusd/doc
* _`FreeRADIUS Wiki`: http://wiki.freeradius.org/

* _`OpenLDAP`: http://www.openldap.org
* _`OpenLDAP Administrator's Guide`: http://www.openldap.org/doc/admin21

* _`RFC2865: RADIUS Authentication`: http://www.freeradius.org/radiusd/doc/rfc/rfc2865.txt
* _`RFC2866: RADIUS Accounting`: http://www.freeradius.org/radiusd/doc/rfc/rfc2866.txt
* _`RFC2869: RADIUS Extensions`: http://www.freeradius.org/radiusd/doc/rfc/rfc2869.txt
* _`RFC2251: LDAP v3`: http://www.ietf.org/rfc/rfc2251.txt
* _`RFC2252: LDAP v3 Attribute Syntax Definitions`: http://www.ietf.org/rfc/rfc2252.txt
* _`RFC2253: LDAP UTF-8 String Representation of Distinguished Names (DNs)`: http://www.ietf.org/rfc/rfc2253.txt
* _`RFC2849: LDAP Data Interchange Format (LDIF)`: http://www.ietf.org/rfc/rfc2849.txt
* _`RFC3377: LDAP v3 Technical Specs`: http://www.ietf.org/rfc/rfc3377.txt