This document describes how to set up FreeRADIUS on a FreeBSD machine
using LDAP as a backend. This is by no means complete and your
mileage may vary. If you are having any problems with the setup of
your FreeRADIUS installation, please read the documentation that comes
with FreeRADIUS first, as that is where all the information for this
project came from. If you find any bugs, typos, alternative ideas, or
just plain wrong information, please let me know by sending an email
The radius servers in this document are built on FreeBSD 4.8, using
FreeRADIUS .81 with OpenLDAP 2.0.27 as the backend. The servers are
designed to support customers for multiple services. In this document
we will use regular dialup and dialup ISDN as examples of two
different services using the same radius server for authentication.
The radius servers are to be provisioned by some sort of system we
will call Billing. Billing could simply be a script, a web front-end,
or an actual integration into a billing system. Billing will provision
to the master LDAP server. The master LDAP server is running slurpd,
which will replicate all changes to the other radius servers. Each
radius server will run a local instance of LDAP.
The radius servers will be accepting Radius auth packets and Radius
acct packets. The accounting packets will be stored locally on each
radius server and then forwarded to the Accounting radius server,
using radrelay. The Accounting radius server will store all the
radius information in some sort of database such as MySQL, Postgres,
or Oracle. The configuration of the actual Accounting radius server
is outside the scope of this document. Please refer to the FreeRADIUS
documentation for setting up that server.
The Accounting radius server will help to provide a searchable
interface to the accounting data for billing and usage purposes and
could allow a web front-end to be built for helpdesk/customer service
usage. If that is not needed for your purposes, then disregard all
details about the Accounting radius server.
In order to make sure no data is lost in the event of the Accounting
radius server going down, the replication of data will take place
using radrelay. Radrelay will do the equivalent of a tail on the
detail file and will continually attempt to duplicate each radius
packet that is stored in the detail file and send it off to the
recipient(s) specified. Upon receipt of an accounting_response packet,
radrelay will consider that packet completed and continue working on
the others. Each radius server will also be storing its own copy of
all accounting packets that are sent to it.
Each NAS will be set up with a primary radius server and a failover
radius server. We will spread the load among the group of radius
servers that we have, so some are acting as a primary to some NASes and
acting as a secondary to others. In the event of a radius failure,
the NAS should fail over to the backup radius server. How to configure
this is dependent on the particular NAS being used.
[Overview diagram; the ASCII art did not survive extraction. What it showed:]

  Accounting Radius   - will use Radius acct data for real-time billing
  Billing             - will provision out to the Master LDAP
  LDAP Master         - slurpd replication to the LDAP Slave on each
                        radius server (Radius1, ...); all Radius servers
                        run a local copy of LDAP for Authorization and
                        Authentication
  Radius servers      - will create a local copy of all acct packets and
                        then fwd a copy back to Accounting
  NAS                 - will be set up to use one of the Radius servers
                        as primary and the others as failover
The LDAP directory is designed to start with the top level of
dc=mydomain,dc=com. The next level of the tree contains the different
services that will be stored within the LDAP server. For the radius
users, it will be specified as ou=radius. Below ou=radius will be
the different types of accounts. For example, ou=users will store the
users and ou=profiles will store the default radius profiles. The
profiles are entries that will be used to store group-wide radius
profiles. The group ou=admins will be a place to enter the users for
Billing, FreeRADIUS, and any other administrative accounts that are
[Directory layout; the ASCII tree did not survive extraction. What it showed:]

  dc=mydomain,dc=com                  objectClass: organizationalUnit, dcObject
   `-- ou=radius                      objectClass: organizationalUnit
        |-- ou=users                  entries are objectClass: radiusprofile,
        |     e.g. dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
        |-- ou=profiles               entries are objectClass: radiusprofile,
        |     e.g. dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
        `-- ou=admins                 entries are objectClass: person,
              e.g. dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
An example LDIF file is below.
NOTE: There are unique radius attribute types and objectclasses; these will be
explained in the configuration section.
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: mydomain
ou: Mydomain.com Radius

dn: ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: radius

dn: ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: profiles

dn: ou=users,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: users

dn: ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: admins

dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: isdn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusProfile
uid: example
radiusGroupName: dial
radiusGroupName: isdn

dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
cn: freeradius
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
cn: billing
userPassword: billing

dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
cn: replica
userPassword: replica
In order to configure the LDAP server to understand the radius schema that we
are using, the attribute types and objectclasses must be defined in slapd.conf.
The file is included with the following line in slapd.conf::

include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

Below is the complete schema::
----Begin RADIUS-LDAPv3.schema----
#################################################
##### custom radius attributes ##################
objectIdentifier myOID 1.1
objectIdentifier mySNMP myOID:1
objectIdentifier myLDAP myOID:2
objectIdentifier myRadiusFlag myLDAP:1
objectIdentifier myObjectClass myLDAP:2
NAME 'radiusAscendRouteIP'
DESC 'Ascend VSA Route IP'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'radiusAscendIdleLimit'
DESC 'Ascend VSA Idle Limit'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'radiusAscendLinkCompression'
DESC 'Ascend VSA Link Compression'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'radiusAscendAssignIPPool'
DESC 'Ascend VSA AssignIPPool'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
NAME 'radiusAscendMetric'
DESC 'Ascend VSA Metric'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
#################################################
( 1.3.6.1.4.1.3317.4.3.1.1
NAME 'radiusArapFeatures'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.2
NAME 'radiusArapSecurity'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.3
NAME 'radiusArapZoneAccess'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.44
NAME 'radiusAuthType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.4
NAME 'radiusCallbackId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.5
NAME 'radiusCallbackNumber'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.6
NAME 'radiusCalledStationId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.7
NAME 'radiusCallingStationId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.8
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.45
NAME 'radiusClientIPAddress'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.9
NAME 'radiusFilterId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.10
NAME 'radiusFramedAppleTalkLink'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.11
NAME 'radiusFramedAppleTalkNetwork'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.12
NAME 'radiusFramedAppleTalkZone'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.13
NAME 'radiusFramedCompression'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.14
NAME 'radiusFramedIPAddress'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.15
NAME 'radiusFramedIPNetmask'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.16
NAME 'radiusFramedIPXNetwork'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.17
NAME 'radiusFramedMTU'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.18
NAME 'radiusFramedProtocol'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.19
NAME 'radiusFramedRoute'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.20
NAME 'radiusFramedRouting'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.46
NAME 'radiusGroupName'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.47
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.48
NAME 'radiusHuntgroupName'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.21
NAME 'radiusIdleTimeout'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.22
NAME 'radiusLoginIPHost'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.23
NAME 'radiusLoginLATGroup'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.24
NAME 'radiusLoginLATNode'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.25
NAME 'radiusLoginLATPort'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.26
NAME 'radiusLoginLATService'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.27
NAME 'radiusLoginService'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.28
NAME 'radiusLoginTCPPort'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.29
NAME 'radiusPasswordRetry'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.30
NAME 'radiusPortLimit'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.49
NAME 'radiusProfileDn'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
( 1.3.6.1.4.1.3317.4.3.1.31
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.50
NAME 'radiusProxyToRealm'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.51
NAME 'radiusReplicateToRealm'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.52
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.32
NAME 'radiusServiceType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.33
NAME 'radiusSessionTimeout'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.34
NAME 'radiusTerminationAction'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.35
NAME 'radiusTunnelAssignmentId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.36
NAME 'radiusTunnelMediumType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.37
NAME 'radiusTunnelPassword'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.38
NAME 'radiusTunnelPreference'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.39
NAME 'radiusTunnelPrivateGroupId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.40
NAME 'radiusTunnelServerEndpoint'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.41
NAME 'radiusTunnelType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.42
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.43
NAME 'radiusTunnelClientEndpoint'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
#need to change asn1.id
( 1.3.6.1.4.1.3317.4.3.1.53
NAME 'radiusSimultaneousUse'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
( 1.3.6.1.4.1.3317.4.3.1.54
NAME 'radiusLoginTime'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.55
NAME 'radiusUserCategory'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.56
NAME 'radiusStripUserName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
( 1.3.6.1.4.1.3317.4.3.1.57
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.58
NAME 'radiusExpiration'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.59
NAME 'radiusCheckItem'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.1.60
NAME 'radiusReplyItem'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
( 1.3.6.1.4.1.3317.4.3.2.1
radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $
radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
radiusFramedCompression $ radiusFramedIPAddress $
radiusFramedIPNetmask $ radiusFramedIPXNetwork $
radiusFramedMTU $ radiusFramedProtocol $
radiusCheckItem $ radiusReplyItem $
radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
radiusGroupName $ radiusHint $ radiusHuntgroupName $
radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
radiusSessionTimeout $ radiusStripUserName $
radiusTerminationAction $ radiusTunnelAssignmentId $
radiusTunnelClientEndpoint $ radiusIdleTimeout $
radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
radiusLoginTCPPort $ radiusPasswordRetry $ radiusPortLimit $
radiusPrompt $ radiusProfileDn $ radiusServiceType $
radiusSessionTimeout $ radiusSimultaneousUse $
radiusTerminationAction $ radiusTunnelAssignmentId $
radiusTunnelClientEndpoint $ radiusTunnelMediumType $
radiusTunnelPassword $ radiusTunnelPreference $
radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
radiusTunnelType $ radiusUserCategory $ radiusVSA $
radiusExpiration $ dialupAccess $
radiusAscendRouteIP $ radiusAscendIdleLimit $
radiusAscendLinkCompression $
radiusAscendAssignIPPool $ radiusAscendMetric )
----End RADIUS-LDAPv3.schema----
Now we need to set up the permissions on the LDAP server. Notice above we
created three users in the admin ou. These users will be specific for billing,
freeradius, and replication.

On the master LDAP server, we will set the following permissions::

access to attr=userPassword
        by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write

        by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write

This will give the billing user write access to add/delete users. For security
we will not give read access to any other users. You can easily add another
read-only user to this setup if you want to build some sort of web interface to
Now on the slave LDAP servers (aka the radius servers) we will set up the
following permissions::

access to attr=userPassword
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

access to dn="ou=users,ou=radius,dc=mydomain,dc=com"
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
        by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read

        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

This will give the replica user write access. This user will be discussed
below; it is involved in the process of replicating the master server to the
slaves. The freeradius user only needs read access to do the lookups for
Now we will want to set up indexes to speed up searches. At the minimum, the
settings below will work. Since all radius lookups are currently using the uid,
we will want to index that. It is also a good idea to index the objectclass
attribute.

# Indices to maintain
Now we need to set up the replication from the master to the slave servers. To
do this, we will add the following to the slapd.conf file on the master:

On the master LDAP server::

replica host=radius1.mydomain.com
        binddn=cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
        bindmethod=simple credentials=replica

replica host=radius2.mydomain.com
        binddn=cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
        bindmethod=simple credentials=replica

We will need to add a replica for each slave LDAP server. The binddn is the
name that is used to bind to the slave server, and the credentials is the
secret for that user.

On the slave LDAP servers::

updatedn cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
updateref ldap://ldapmaster.mydomain.com

Those will determine what name is allowed to update the LDAP server and, if an
update is attempted directly, what server to refer the update to.
The radius server is set up to use LDAP for both Authorization and
Authentication. This section will describe what events will take place during
an AAA session with a NAS. When the NAS sends an access_request to the radius
server, the radius server will perform authorization and authentication based
on a series of modules that are defined in radiusd.conf. For example, the
module defined as ldap will be used to make connections to the LDAP directory.
An example is seen in raddb/mods-config/ldap::

The first thing that is done is authorization of the user. The radius server
will process the modules in the order specified in the authorization section of
radiusd.conf. Currently, they are in the following order.
The first module will be preprocess. This will first check the huntgroups of
the user coming in. The huntgroups are defined in the file huntgroups and they
are a group listing of the NAS-IP-Addresses that make the access_request. This
is useful in creating specific actions based on the NAS-IP that the request is
made from. An example is below::
isdncombo NAS-IP-Address == 10.10.10.1
dial      NAS-IP-Address == 10.10.10.2
dial      NAS-IP-Address == 10.10.10.3
We will have one NAS that is used for both ISDN and regular dialup customers;
the other NASes will be used only for dialup. The huntgroup name must match
the Huntgroup-Name checks in the users file below, so it is "dial" here.

The preprocess module may also use the hints file to load hints into the radius
server, and add additional hacks that are based on the type of request that
comes in. This is to help with certain NASes that don't conform to the radius
RFCs. Check the comments in radiusd.conf for an explanation of those.
The second module is suffix. This event will determine which realm the user is
in, based on the User-Name attribute. It is currently set up to split the
username at the occurrence of the @ symbol. For example, the username
example@mydomain.com will be split into example and mydomain.com. The realm
is then checked against the file proxy.conf, which will determine what actions
should be taken for that realm. Certain realms can be set up to be proxied to a
different radius server or set to authenticate locally. Also, the username can
be set up to be stripped of the realm or left intact. An example of
proxy.conf is listed below. If the realm is to be proxied, then a secret is
needed, which is the secret of the radius server it is to be proxied to.
By default the User-Name will be stripped, unless the nostrip option is set.

Currently we will not be using realms with our users, but adding this ability
in the future will be much easier with already incorporating proxy.conf into the
servers_per_realm = 15
default_fallback = yes
#secret = testing123
#secret = testing123
The next module is files, which is commonly known as the users file. The users
file will start with either a username, to determine how to authorize a specific
user, or a DEFAULT setting. In each line it will define what items must be
present for there to be a match, in the form of attribute == value. If all the
required attributes are matched, then attributes specified with attribute :=
value will be set for that user. If no match is found the users file will
continue to be processed until there is a match. The last DEFAULT setting will
be set as a catch-all, in case there is no previous match. If a match is made,
the statement of Fall-Through determines if the users file should continue to
be processed or if it should stop right there.
The Ldap-Group corresponds to the LDAP attribute radiusGroupName (see the LDAP
configuration above). The user may be assigned multiple radiusGroupNames, one
for each of the services that the user is authorized for. If the user does
belong to the correct group, then the user will be authorized for that type of
access. If the user does not belong to that group, then there will not be a
match and the users file will continue to be processed. If a match is made and
there is a User-Profile set, then the radius server will look up the attributes
that exist in that User-Profile in the LDAP directory. These are radius
attributes that will be sent to the NAS as reply items.
An example users file is below::

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == isdncombo, NAS-Port-Type == Async, Ldap-Group == dial,
        User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT Huntgroup-Name == isdncombo, NAS-Port-Type == ISDN, Ldap-Group == isdn,
        User-Profile := "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial,
        User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
Notice that the catch-all DEFAULT is set to Reject the user. This will stop the
authorization and immediately send back an access_reject message. Because
business rules are applied above to each scenario where the user will be
authorized for access, if no match is found then we want to stop the
process immediately to save resources.

By using the Ldap-Group feature we can limit user logins to only the services
they are subscribed to. Some examples of possible user setups are below::
#user with access to dial-up
dn: uid=user1,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: user1
userPassword: whatever
radiusgroupname: dial

#user with access to ISDN and dial
dn: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: user2
userPassword: whatever
radiusgroupname: dial
radiusgroupname: isdn

#same user as above that was suspended for not paying
dn: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: user2
userPassword: whatever
radiusgroupname: dial
radiusgroupname: isdn
radiusgroupname: disabled
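The authorize chain this section walks through (preprocess huntgroup lookup, suffix realm split, then the users file checked against the radiusGroupName values in LDAP), as an added example that is not part of the original document or of FreeRADIUS itself. It embeds constructed copies of the huntgroups, the users file and the group memberships above; the huntgroup is named `dial` so that it matches the users file's Huntgroup-Name checks, and `user3` stands in for the suspended user2 so both states can be run side by side:

```python
"""Walk a request through the authorize chain described above
(preprocess -> suffix -> files) over constructed copies of the page's
huntgroups, users file and LDAP group memberships.  Added example, not
FreeRADIUS code; it covers only the users-file syntax the page uses."""
import re

# preprocess input: huntgroup name and the NAS check that selects it
# (constructed; named "dial" so that it matches the users file below).
HUNTGROUPS = [("isdncombo", "NAS-IP-Address", "10.10.10.1"),
              ("dial", "NAS-IP-Address", "10.10.10.2"),
              ("dial", "NAS-IP-Address", "10.10.10.3")]

# files input: the page's users file, same entries in the same order.
USERS = """\
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."
DEFAULT Huntgroup-Name == isdncombo, NAS-Port-Type == Async, Ldap-Group == dial,
        User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
DEFAULT Huntgroup-Name == isdncombo, NAS-Port-Type == ISDN, Ldap-Group == isdn,
        User-Profile := "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com"
DEFAULT Huntgroup-Name == dial, Ldap-Group == dial,
        User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
"""

# ldap input: radiusGroupName values per uid from the LDIF above; user3
# stands in for the suspended user2 so both states can be compared.
DIRECTORY = {"user1": ["dial"],
             "user2": ["dial", "isdn"],
             "user3": ["dial", "isdn", "disabled"]}

# attribute, operator, value; quoted values may contain commas (DNs)
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """'A == x, B := "y"' -> [("A", "==", "x"), ("B", ":=", "y")]"""
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]


def parse_users(text):
    """Entries start in column 0; a line ending in "," continues the check
    list and indented lines carry reply items for the current entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if logical and logical[-1].rstrip().endswith(","):
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    entries = []
    for line in logical:
        if line[0].isspace():
            entries[-1]["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.strip().partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def huntgroup_name(request):
    """preprocess: first huntgroup whose NAS check matches, else None."""
    return next((n for n, a, v in HUNTGROUPS if request.get(a) == v), None)


def split_realm(user_name):
    """suffix: split at '@'; the realm is stripped from the name by default."""
    user, _, realm = user_name.partition("@")
    return user, realm or None


def check_matches(check, request, groups):
    attr, op, value = check
    if op == ":=":                 # control item, always satisfied
        return True
    if attr == "Ldap-Group":       # radiusGroupName lookup in the directory
        return value in groups
    return request.get(attr) == value


def authorize(request, entries=None):
    """files: the first entry whose checks all match wins (no Fall-Through).
    Returns the control items it set (Auth-Type / User-Profile) and replies."""
    entries = entries or parse_users(USERS)
    user, _realm = split_realm(request["User-Name"])
    req = dict(request, **{"User-Name": user, "Huntgroup-Name": huntgroup_name(request)})
    groups = DIRECTORY.get(user, [])
    for e in entries:
        if e["name"] not in ("DEFAULT", user):
            continue
        if all(check_matches(c, req, groups) for c in e["check"]):
            return ({a: v for a, op, v in e["check"] if op == ":="},
                    {a: v for a, _, v in e["reply"]})
    return {}, {}


def decide(request):
    """Either Access-Reject with its Reply-Message, or the User-Profile DN
    to apply once the LDAP bind in the authentication step succeeds."""
    control, reply = authorize(request)
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject", reply.get("Reply-Message")
    return "ldap-bind", control.get("User-Profile")
```

Running `decide` for user1 on the ISDN port of the isdncombo NAS falls through every profile entry to the catch-all Reject, which is the service limiting the Ldap-Group checks are there for; user3 is rejected by the first entry before any service is considered.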
Now that we have authorized the user, the final piece is to authenticate the
user. Authentication is currently done by checking if the password sent in the
access_request packet is correct. This action will be done with an attempted
bind to the LDAP server using the User-Name and User-Password attributes
passed to it from the access_request. If the bind succeeds, the user is
authenticated and an access_accept message will be sent back to the NAS, with
any reply items that were defined in the authorization section. If the user did
not supply the correct password, then an access_reject message will be sent to the
If the NAS is sent an access_accept packet then the user will be given access
to the service and the NAS will then send an acct_request packet. This will be
a request packet to start a radius accounting session. The way the server will
log the accounting packets is determined in the detail module in the
radiusd.conf file. Since we will be storing a local copy and forwarding on all
accounting to the Accounting radius server, we will store two local copies on
the machine. The first one is done in a regular detail file as defined in the

filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
dir_permissions = 0755
The second detail file will be used by the program radrelay to relay a copy of
all accounting packets to the Accounting radius server. This file is stored as
a catch-all for all accounting packets. The radrelay program will basically do
a tail on that file and will then attempt to send a copy of each addition to it
to the Accounting server. If the copy is successfully sent, then it will be
deleted from this file. If the Accounting server were to go down, then this
file will continue to build up entries. As soon as the Accounting server is
back online, an attempt to re-send the packets to the Accounting server will be
made. This file is defined in the following section of radiusd.conf::

filename = ${radacctdir}/detail-combined
dir_permissions = 0755
The new radius servers are currently built on FreeBSD 4.8. As the version may
eventually change, these instructions may no longer apply. The steps for
building the server are the following:

* Install other FreeBSD items
* Install OpenLDAP *NOTE: this must be done before installing FreeRADIUS*
* Install FreeRADIUS

Under the assumption that FreeBSD is already installed and the kernel rebuilt
to the specifications needed for the machine, there are several other things
that may be needed at this time; the purpose of this list is just as a reminder.
install cvsup-without-gui from the ports collection

run cvsup on all to update the ports to the most recent versions

might be a good idea to upgrade the src:
edit and run cvsup on /usr/share/examples/cvsup/standard-supfile
cd /usr/src - vi Makefile and follow instructions

install sendmail from ports to keep up to date with the most recent versions.
In the ports collection /ports/mail/sendmail run make; make install; make
mailer.conf. Then edit rc.conf and change to sendmail_enable=NO
(radius servers only need the local interface to send daily reports)

edit rc.conf to make sure inetd_enable=NO
(no reason to have extra services running)

if you rebuilt the kernel to add support for IPFIREWALL, then remember to add a
firewall rule to rc.conf
firewall_type=OPEN (or actually create a real firewall rule)

add a crontab entry to keep the date accurate for accounting::

15 03 * * * /usr/sbin/ntpdate -s thetimeserver.mydomain.com

install openldap from ports

download the freeradius source as the ports collection is often outdated
the default settings are /usr/local/etc/raddb, /var/log/radius.log, /var/log/radacct
since openldap was installed first, you should not need any special flags to
Now it's time to configure OpenLDAP and FreeRADIUS. First we will be looking at
configuring OpenLDAP.

copy RADIUS-LDAPv3.schema to /usr/local/etc/openldap/schema

edit /usr/local/etc/openldap/slapd.conf
----Begin slapd.conf----
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.7 2003/03/24 03:54:12
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
password-hash {SSHA}
access to attr=userPassword
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

access to dn="ou=users,ou=radius,dc=mydomain,dc=com"
        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
        by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read

        by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
#######################################################################
# ldbm database definitions
#######################################################################
suffix "dc=mydomain,dc=com"
rootdn "cn=root,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}Eu5EwPxTrwhEGrXQ9SaQZyfpu4iHt3NP
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
# replica one for each
#replica host=radius1.mydomain.com
#        binddn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
#        bindmethod=simple credentials=secret
replogfile /var/db/openldap-slurp/replog
## REMEMBER TO ADD THIS TO THE SLAVES (leave it commented out on the master;
## the updatedn must be the DN that slurpd binds with, cn=replica, as in the
## replication section above)
#updatedn "cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
#updateref ldap://ldapmaster.mydomain.com
----End slapd.conf----
To create a rootpw that is not stored in plain text, enter the following command::

    $ slappasswd

It will ask for the password and a verification::

    Re-enter new password:

While in the shell, create the directory for the ldap database; this must exist
before slapd can start, and slapd.conf asks for mode 700::

    $ mkdir /var/db/openldap-data
    $ chmod 700 /var/db/openldap-data

Move the slapd.sh.sample file to slapd.sh in /usr/local/etc/rc.d::

    $ mv /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh

Enable logging in /etc/syslog.conf by adding the following::

    local4.* /var/log/ldap.log

Start it up on both the master and slave ldap servers::

    $ /usr/local/etc/rc.d/slapd.sh start
Create the structural ldif, schema.ldif:

----Begin schema.ldif----
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organizationalUnit
ou: Mydomain.com Radius

dn: ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit

dn: ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit

dn: ou=users,ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit

dn: ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: organizationalUnit

dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusProfile
radiusGroupName: dial
radiusGroupName: isdn

dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: billing

dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: replica
----End schema.ldif----
The userPassword values in schema.ldif are loaded verbatim: the password-hash
directive in slapd.conf only applies to the Password Modify extended operation,
so anything written with ldapadd or ldapmodify is stored exactly as given. Run
slappasswd for each admin password and put the {SSHA} value in the LDIF in place
of the cleartext before adding it; these three accounts are only ever used to
bind, so a hash is all they need.

Add the organizational structure to the master ldap database. The billing entry
does not exist yet at this point, so bind as the rootdn from slapd.conf (-W
prompts for the password instead of leaving it in the process list and the
shell history)::

    $ ldapadd -D "cn=root,dc=mydomain,dc=com" -W -f schema.ldif -h ldapmaster.mydomain.com

Run slapcat to see what the directory looks like::

    $ slapcat

If all went well the LDAP directory should be up and running and propagated to
the slaves. Now you can add your users to the master.
Now it is time to set up FreeRADIUS. First cd into /usr/local/etc/raddb and take
a look at all the configuration files; they are heavily documented, so you may
wish to read through them all before making any changes.
----Begin radiusd.conf----
## radiusd.conf -- FreeRADIUS server configuration file.
exec_prefix = ${prefix}
sysconfdir = /usr/local/etc/raddb
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
raddbdir = /usr/local/etc/raddb
radacctdir = /var/log/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
hostname_lookups = no
allow_core_dumps = no
log_stripped_names = no
# Leave both at "no": "yes" writes the users' cleartext passwords to radius.log.
log_auth_badpass = no
log_auth_goodpass = no
# The program to execute to do concurrency checks.
#checkrad = ${sbindir}/checkrad
max_attributes = 200
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
server = "localhost"
# The bind account is cn=freeradius in schema.ldif and in the slapd.conf ACLs.
identity = "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
# Filters must stay on one line; a filter wrapped across lines is a syntax error.
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusprofile))"
#default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
#profile_attribute = "radiusProfileDn"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_cache_timeout = 120
ldap_connections_number = 10
#password_header = "{clear}"
password_attribute = userPassword
groupname_attribute = radiusGroupName
groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile))"
groupmembership_attribute = radiusGroupName
compare_check_items = no
#access_attr_used_for_allow = yes
huntgroups = ${confdir}/huntgroups
#hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users
#use old style users
# regular detail files
filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
dir_permissions = 0755
# temp detail file to replicate to accountrad
filename = ${radacctdir}/detail-combined
dir_permissions = 0755
# filename = ${logdir}/radutmp
# permissions = 0600
# filename = ${logdir}/sradutmp
# permissions = 0644
# attrsfile = ${confdir}/attrs
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# The 'expression' module current has no configuration.
# Get an address from the IP Pool.
----End radiusd.conf----
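The ldap filter above is assembled from the User-Name the NAS relays, that is, from input the dial-in user chooses, so the substituted value has to be escaped as RFC 4515 requires before the filter reaches slapd. rlm_ldap does this itself when it expands the xlat, and the server's debug output shows the filter actually sent. The following added example, which is not FreeRADIUS code and whose helper names and realm list are its own assumptions, reproduces the %{%{Stripped-User-Name}:-%{User-Name}} fallback and the escaping, and shows for comparison what the same filter would look like if the value were substituted verbatim:

```python
# Added example (not from the original document or from FreeRADIUS): the
# search filter from radiusd.conf above, with the %{%{Stripped-User-Name}:-
# %{User-Name}} fallback and RFC 4515 escaping of the substituted value.
# Helper names and the realm list are this example's assumptions.
from typing import Optional, Sequence

# RFC 4515 section 3: characters that must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

REALMS: Sequence[str] = ("mydomain.com",)   # assumed: the realms listed in proxy.conf


def ldap_filter_escape(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # non-ASCII: escape every UTF-8 byte of the character
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def stripped_user_name(user_name: str, realms: Sequence[str] = REALMS) -> Optional[str]:
    """What the realm module leaves in Stripped-User-Name: user@realm -> user for a
    known realm; otherwise the attribute is absent (None)."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        if realm.lower() in realms:
            return user
    return None


def user_filter(user_name: str, escape: bool = True) -> str:
    """Expand %{%{Stripped-User-Name}:-%{User-Name}} into the radiusd.conf filter.

    escape=False shows what would reach slapd if the value were substituted
    verbatim; it exists for comparison only.
    """
    name = stripped_user_name(user_name)
    if name is None:            # ":-" fallback: use User-Name unchanged
        name = user_name
    if escape:
        name = ldap_filter_escape(name)
    return f"(&(uid={name})(objectclass=radiusprofile))"


if __name__ == "__main__":
    for n in ("example", "example@mydomain.com", "*)(uid=*"):
        print(f"{n!r:24} -> {user_filter(n)}")
    print("unescaped:", user_filter("*)(uid=*", escape=False))
```

With the constructed name `*)(uid=*` the escaped filter looks for a uid that literally contains those characters and matches nothing, whereas the unescaped string turns into `(&(uid=*)(uid=*)(objectclass=radiusprofile))`, which matches every user entry under the basedn.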
Edit huntgroups to assign each NAS to a huntgroup:

----Begin huntgroups----
isdncombo NAS-IP-Address == 10.10.10.1
dialup NAS-IP-Address == 10.10.10.2
dialup NAS-IP-Address == 10.10.10.3
----End huntgroups----

Edit proxy.conf to set up the different realms. The distribution default
secret, testing123, is left commented out here; never use it on a live server,
and use a different secret for each peer:

----Begin proxy.conf----
servers_per_realm = 15
default_fallback = yes
#secret = testing123
#secret = testing123
----End proxy.conf----

Edit clients.conf to set up the NASes that are allowed to talk to the server.
Anything that knows a client's secret can send requests and read accounting for
that client, so treat clients.conf like a password file (mode 600):

----Begin clients.conf----
shortname = localhost
# isdn and dialup nas
----End clients.conf----

You may wish to look at the other files, but they should all be OK by default.
Create startup files in /usr/local/etc/rc.d.

radiusd.sh - the radiusd startup file (restart sends HUP, which makes radiusd
re-read its configuration rather than restarting the process):

----Begin radiusd.sh----
#!/bin/sh
case "$1" in
start)
    /usr/local/sbin/radiusd
    ;;
stop)
    if [ -f /usr/local/var/run/radiusd/radiusd.pid ]; then
        kill -TERM `cat /usr/local/var/run/radiusd/radiusd.pid`
        rm -f /usr/local/var/run/radiusd/radiusd.pid
    fi
    ;;
restart)
    if [ -f /usr/local/var/run/radiusd/radiusd.pid ]; then
        kill -HUP `cat /usr/local/var/run/radiusd/radiusd.pid`
        echo 'radiusd restarted'
    fi
    ;;
*)
    echo "Usage: ${0##*/}: { start | stop | restart }" >&2
esac
----End radiusd.sh----
radrelay.sh - the radrelay startup file:

----Begin radrelay.sh----
#!/bin/sh
case "$1" in
start)
    /usr/local/bin/radrelay -a /var/log/radacct -d /usr/local/etc/raddb \
        -S /usr/local/etc/raddb/radrelay_secret -f -r accounting.mydomain.com:1813 \

    echo -n ' radrelay started'
    ;;
stop)
    /usr/bin/killall radrelay
    echo ' radrelay stopped'
    ;;
*)
    echo "Usage: ${0##*/}: { start | stop }" >&2
esac
----End radrelay.sh----
Create radrelay_secret in /usr/local/etc/raddb. This file contains the shared
secret used to connect to the Accounting radius server, so make it readable only
by the user radrelay runs as (chmod 600):

----Begin radrelay_secret----
----End radrelay_secret----

Then start radiusd and radrelay::

    $ /usr/local/etc/rc.d/radiusd.sh start
    $ /usr/local/etc/rc.d/radrelay.sh start

You should be all set to start testing now.
OTHER RANDOM NOTES AND THOUGHTS
-------------------------------

The client programs used to connect to the ldap directory are:

ldapsearch
    to search for a record
slapcat
    to show the entire directory
slappasswd
    to generate a crypted password

Read the man pages on those commands, they tell you everything you

They all follow this basic syntax (prefer -W, which prompts for the password,
over -w thesecret, which leaves the secret in the process list and the shell
history)::

    $ ldapwhatever -D "cn=someone,ou=admins,ou=radius,dc=mydomain,dc=com" -W -andthenotherstuff

Finally, if you are having trouble with LDAP, run it in debug mode by
changing the following in slapd.sh::

There is a program included with freeradius to test the radius server,
called radclient. Typing it alone will tell you all the options.
You will need to create a file that contains radius attributes, such
as::

    User-Password = test
    Service-Type = Framed-User
    NAS-IP-Address = 10.10.10.1
    NAS-Port-Type = Async

Then you fire that radius packet at the server by issuing::

    $ radclient -f testradiusfile localhost auth thesecret

localhost is the server you are hitting;
auth or acct, depending on the type of packet;
thesecret is the shared secret configured for that client in clients.conf.
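What thesecret actually does on the wire, as an added example that is not from the original document or from FreeRADIUS (all names in it are the example's own): per RFC 2865 the client hides User-Password by XORing it, in 16-octet blocks, with MD5 over the secret and the Request Authenticator, and the server proves it knows the same secret by computing the Response Authenticator over the reply. A wrong secret on either side therefore shows up as a garbled password at the server or as a reply that radclient refuses to accept, which is the first thing to check when a test like the one above fails.

```python
# Added example (not from the original document or from FreeRADIUS): the two
# RFC 2865 computations the shared secret in clients.conf is used for.
# The NAS hides User-Password by XORing 16-octet blocks with MD5(secret + RA)
# and the server proves knowledge of the secret in the Response Authenticator.
# All names below are this example's own.
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FRAMED_USER = 2   # Service-Type value, as in the testradiusfile above


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n; c1 = p1 ^ MD5(S+RA), ci = pi ^ MD5(S+c(i-1))."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what radiusd does before comparing against LDAP."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip the padding


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def access_request(ident: int, request_auth: bytes, secret: bytes,
                   user: str, password: str, nas_ip: str) -> bytes:
    """Build the Access-Request radclient sends for the testradiusfile above."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def reply(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator; a wrong secret fails here."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = reply(code, ident, request_auth, secret, packet[20:])[4:20]
    return hmac.compare_digest(expected, packet[4:20])


def server_password(packet: bytes, secret: bytes) -> bytes:
    """What the server recovers from a received Access-Request."""
    request_auth = packet[4:20]
    for atype, value in parse_attributes(packet[20:]):
        if atype == USER_PASSWORD:
            return reveal_password(value, secret, request_auth)
    raise ValueError("no User-Password attribute")
```

The Request Authenticator is fixed to a constant in the test only; a real client must draw it from a good random source, because a predictable one lets anyone who captures two requests recover the keystream that hides the passwords.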
Finally, if you are having trouble you can run radius in debug mode
and it will output everything that happens to the screen. To do that,
kill the current process and run::
* _`FreeRADIUS`: http://www.freeradius.org
* _`FreeRADIUS Documentation`: http://www.freeradius.org/radiusd/doc
* _`FreeRADIUS Wiki`: http://wiki.freeradius.org/

* _`OpenLDAP`: http://www.openldap.org
* _`OpenLDAP Administrator's Guide`: http://www.openldap.org/doc/admin21

* _`RFC2865: RADIUS Authentication`: http://www.freeradius.org/radiusd/doc/rfc/rfc2865.txt
* _`RFC2866: RADIUS Accounting`: http://www.freeradius.org/radiusd/doc/rfc/rfc2866.txt
* _`RFC2869: RADIUS Extensions`: http://www.freeradius.org/radiusd/doc/rfc/rfc2869.txt
* _`RFC2251: LDAP v3`: http://www.ietf.org/rfc/rfc2251.txt
* _`RFC2252: LDAP v3 Attribute Syntax Definitions`: http://www.ietf.org/rfc/rfc2252.txt
* _`RFC2253: LDAP UTF-8 String Representation of Distinguished Names (DNs)`: http://www.ietf.org/rfc/rfc2253.txt
* _`RFC2849: LDAP Data Interchange Format (LDIF)`: http://www.ietf.org/rfc/rfc2849.txt
* _`RFC3377: LDAP v3 Technical Specification`: http://www.ietf.org/rfc/rfc3377.txt