Freeradius, OpenLDAP, Freebsd documentation

This document describes how to set up Freeradius on a Freebsd machine
using LDAP as a backend. This is by no means complete and your
mileage may vary. If you are having any problems with the setup of
your freeradius installation, please read the documentation that comes
with Freeradius first, as that is where all the information for this
project came from. If you find any bug, typo, alternative idea, or
just plain wrong information, please let me know by sending an email

The radius servers in this document are built on Freebsd 4.8, using
Freeradius .81 with OpenLDAP 2.0.27 as the backend. The servers are
designed to support customers for multiple services. In this document
we will use regular dialup and dialup ISDN as examples of two
different services using the same radius server for authentication.

The radius servers are to be provisioned by some sort of system we
will call Billing. Billing could simply be a script, a web front-end,
or an actual integration into a billing system. Billing will provision
to the master LDAP server. The master LDAP server is running slurpd,
which will replicate all changes to the other radius servers. Each
radius server will run a local instance of LDAP.

The radius servers will be accepting Radius auth packets and Radius
acct packets. The accounting packets will be stored locally on each
radius server and then forwarded to the Accounting radius server,
using radrelay. The Accounting radius server will store all the
radius information in some sort of database such as MySQL, Postgres,
or Oracle. The configuration of the actual Accounting radius server
is outside the scope of this document. Please refer to the freeradius
documentation for setting up that server.

The Accounting radius server will help to provide a searchable
interface to the accounting data for billing and usage purposes and
could allow a web front-end to be built for helpdesk/customer service
usage. If that is not needed for your purposes, then disregard all
details about the Accounting radius server.

In order to make sure no data is lost in the event of the Accounting
radius server going down, the replication of data will take place
using radrelay. Radrelay will do the equivalent of a tail on the
detail file and will continually attempt to duplicate each radius
packet that is stored in the detail file and send it off to the
recipient(s) specified. Upon receipt of an accounting_response packet
radrelay will consider that packet completed and continue working on
the others. Each radius server will also be storing its own copy of
all accounting packets that are sent to it.

Each NAS will be set up with a primary radius server and a failover
radius server. We will spread the load among the group of radius
servers that we have, so some are acting as a primary to some NASes and
acting as a secondary to others. In the event of a radius failure,
the NAS should fail over to the backup radius server. How to configure
this is dependent on the particular NAS being used.
[Architecture diagram. Billing provisions out to the Master LDAP server. The
LDAP Master replicates, via slurpd, to the LDAP Slave running on each radius
server (Radius1, Radius2, ...). The radius servers create a local copy of all
acct packets and then forward a copy back to the Accounting Radius server,
which will use the Radius acct data for real-time billing. All radius servers
run a local copy of LDAP for Authorization and Authentication. The NAS will be
set up to use one of the radius servers as primary and the others as
failover.]
The LDAP directory is designed to start with the top level of
dc=mydomain,dc=com. The next level of the tree contains the different
services that will be stored within the ldap server. For the radius
users, it will be specified as ou=radius. Below ou=radius will be
the different types of accounts. For example, ou=users will store the
users and ou=profiles will store the default radius profiles. The
profiles are entries that will be used to store group-wide radius
profiles. The group ou=admins will be a place to enter the users for
Billing, Freeradius, and any other administrative accounts that are
dc=mydomain,dc=com                          objectClass: dcObject,
 |                                                       organizationalUnit
 +-- ou=radius                               objectClass: organizationalUnit
      |
      +-- ou=users                           objectClass: organizationalUnit
      |    +-- uid=example                   objectClass: radiusprofile
      |        dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
      |
      +-- ou=profiles                        objectClass: organizationalUnit
      |    +-- uid=dial                      objectClass: radiusprofile
      |        dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
      |
      +-- ou=admins                          objectClass: organizationalUnit
           +-- cn=freeradius                 objectClass: person
               dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
An example LDIF file is below.
NOTE: There are unique radius attribute types and objectclasses; these will be
explained in the configuration section.

dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organizationalUnit
ou: Mydomain.com Radius
dc: mydomain

dn: ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: radius

dn: ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: profiles

dn: ou=users,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: users

dn: ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
ou: admins

dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: isdn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: example
radiusGroupName: dial
radiusGroupName: isdn

# the admin entries use the standard person objectclass, which requires cn and sn;
# sn is set to the same value as cn
dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: person
cn: freeradius
sn: freeradius
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: person
cn: billing
sn: billing
userPassword: billing

dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: person
cn: replica
sn: replica
userPassword: replica
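The three admin entries above carry their passwords in the clear, and so will every user entry that Billing writes the same way. The slapd.conf at the end of this document sets password-hash {SSHA}, but that directive only applies to passwords changed through the LDAP Password Modify extended operation; a userPassword written by ldapadd or ldapmodify is stored exactly as given. Writing {SSHA} values instead costs nothing in this design, because FreeRADIUS authenticates with a bind and slapd does the comparison. The Python below is an added example, not code from FreeRADIUS or OpenLDAP: it produces and verifies values in slapd's {SSHA} format (base64 of SHA-1(password || salt) followed by the salt) and audits an LDIF text for unhashed userPassword values. The 4-byte salt, the audit function and the sample LDIF are my own constructions.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in slapd's {SSHA} form.

    slapd stores base64( SHA1(password || salt) || salt ). It uses a 4-byte
    salt; any length works, because the verifier recovers the salt from the
    bytes that follow the 20-byte digest.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SSHA} userPassword value.

    Anything that is not a well-formed {SSHA} value yields False instead of an
    exception, so a caller auditing a whole directory dump keeps going.
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def cleartext_entries(ldif: str) -> List[str]:
    """Return the DNs in an LDIF text whose userPassword has no {scheme} prefix.

    slapd keeps a userPassword written by ldapadd/ldapmodify exactly as given,
    so this is the check a provisioning step like Billing should apply to the
    LDIF it is about to load.
    """
    hits, current = [], None
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            current = line[3:].strip()
        elif line.lower().startswith("userpassword:"):
            if not line.split(":", 1)[1].strip().startswith("{"):
                hits.append(current)
    return hits


# Constructed sample: two of the admin entries from the LDIF above, one left
# cleartext and one rewritten with a value produced by make_ssha().
SAMPLE_LDIF = """dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: %s
""" % make_ssha("billing", salt=b"salt")

if __name__ == "__main__":
    print(make_ssha("replica"))
    print(cleartext_entries(SAMPLE_LDIF))
```

The verifier derives the salt from the stored value rather than from a fixed length, so it also accepts values written by other tools that use longer salts.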
In order to configure the ldap server to understand the radius schema that we
are using, the attribute types and objectclasses must be defined in slapd.conf.
The file is included with the following line in slapd.conf:

include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

Below is the complete schema.
----Begin RADIUS-LDAPv3.schema----

#################################################
##### custom radius attributes ##################
#################################################

objectIdentifier myOID 1.1
objectIdentifier mySNMP myOID:1
objectIdentifier myLDAP myOID:2
objectIdentifier myRadiusFlag myLDAP:1
objectIdentifier myObjectClass myLDAP:2

# The five Ascend VSA attributes are numbered under the myRadiusFlag arc
# defined above, which is what that arc exists for (the numbering 1-5 is an
# assumption; it was not given with the definitions).
attributetype ( myRadiusFlag:1
	NAME 'radiusAscendRouteIP'
	DESC 'Ascend VSA Route IP'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( myRadiusFlag:2
	NAME 'radiusAscendIdleLimit'
	DESC 'Ascend VSA Idle Limit'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( myRadiusFlag:3
	NAME 'radiusAscendLinkCompression'
	DESC 'Ascend VSA Link Compression'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( myRadiusFlag:4
	NAME 'radiusAscendAssignIPPool'
	DESC 'Ascend VSA AssignIPPool'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( myRadiusFlag:5
	NAME 'radiusAscendMetric'
	DESC 'Ascend VSA Metric'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#################################################

# The six attribute types marked "NAME restored" below had no NAME with their
# definition. The radiusprofile objectclass at the end of this file lists
# exactly six names that are defined nowhere else (radiusClass, radiusHint,
# radiusPrompt, radiusRealm, radiusVSA, dialupAccess); they are paired with
# these OIDs as in the RADIUS-LDAPv3.schema shipped with FreeRADIUS.

attributetype ( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# NAME restored (see note above)
attributetype ( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalkLink'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalkNetwork'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalkZone'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwork'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# NAME restored (see note above)
attributetype ( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATService'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn'
	EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# NAME restored (see note above)
attributetype ( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRealm'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# NAME restored (see note above)
attributetype ( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeout'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAction'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignmentId'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumType'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPassword'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPreference'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivateGroupId'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerEndpoint'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# NAME restored (see note above)
attributetype ( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientEndpoint'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

#need to change asn1.id
attributetype ( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# NAME restored (see note above)
attributetype ( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# The entries in the LDIF above carry only this objectclass, use uid as their
# RDN and hold a userPassword, so the class is STRUCTURAL, requires uid and
# allows userPassword. Each attribute is listed once.
objectclass ( 1.3.6.1.4.1.3317.4.3.2.1
	NAME 'radiusprofile'
	SUP top STRUCTURAL
	MUST uid
	MAY ( userPassword $
	radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
	radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
	radiusCalledStationId $ radiusCallingStationId $ radiusClass $
	radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
	radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
	radiusFramedCompression $ radiusFramedIPAddress $
	radiusFramedIPNetmask $ radiusFramedIPXNetwork $
	radiusFramedMTU $ radiusFramedProtocol $
	radiusCheckItem $ radiusReplyItem $
	radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
	radiusGroupName $ radiusHint $ radiusHuntgroupName $
	radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
	radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
	radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
	radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
	radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
	radiusSessionTimeout $ radiusStripUserName $
	radiusTerminationAction $ radiusTunnelAssignmentId $
	radiusTunnelClientEndpoint $ radiusProfileDn $
	radiusSimultaneousUse $ radiusTunnelMediumType $
	radiusTunnelPassword $ radiusTunnelPreference $
	radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
	radiusTunnelType $ radiusUserCategory $ radiusVSA $
	radiusExpiration $ dialupAccess $
	radiusAscendRouteIP $ radiusAscendIdleLimit $
	radiusAscendLinkCompression $
	radiusAscendAssignIPPool $ radiusAscendMetric )
	)

----End RADIUS-LDAPv3.schema----
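A schema this size is easy to break by hand: an attribute named in the objectclass's MAY clause but never defined, a name listed twice, or an OID handed to two attributes, any of which slapd may reject when it loads the file. The Python below is an added example, not a tool that ships with FreeRADIUS or OpenLDAP. It parses attributetype and objectclass definitions written in the style above and reports those three faults. The small schema it runs against is constructed to contain one of each; the `known` argument stands for names that core.schema already provides (uid, userPassword), which this file relies on but does not define.

```python
import re
from typing import Dict, List, Set, Tuple

# A definition starts with its keyword at the beginning of a line.
_SPLIT_RE = re.compile(r"^(?=(?:attributetype|objectclass)\b)", re.I | re.M)
_OID_RE = re.compile(r"^\w+\s*\(\s*(\S+)", re.I)
_NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")


def _items(keyword: str, chunk: str) -> List[str]:
    """Names in a MUST or MAY clause, written as '( a $ b )' or as a bare name."""
    m = re.search(r"\b%s\s*(?:\(([^)]*)\)|([\w;.-]+))" % keyword, chunk)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [tok.strip() for tok in body.split("$") if tok.strip()]


def parse_schema(text: str) -> Tuple[Dict[str, str], List[dict], List[str]]:
    """Split a slapd schema file into attribute types and object classes.

    Returns (lower-cased attribute name -> OID, objectclass dicts, problems
    seen while parsing: a NAME defined twice or an OID reused by a second
    attribute). Comment lines are dropped first.
    """
    attrs: Dict[str, str] = {}
    oid_owner: Dict[str, str] = {}
    classes: List[dict] = []
    problems: List[str] = []
    clean = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for chunk in _SPLIT_RE.split(clean):
        chunk = chunk.strip()
        if not chunk:
            continue
        kind = chunk.split(None, 1)[0].lower()
        oid_m, name_m = _OID_RE.match(chunk), _NAME_RE.search(chunk)
        if not (oid_m and name_m):
            problems.append("definition without OID or NAME: %s" % chunk.splitlines()[0])
            continue
        oid, name = oid_m.group(1), name_m.group(1)
        if kind == "attributetype":
            if name.lower() in attrs:
                problems.append("%s: NAME defined twice" % name)
            elif oid in oid_owner:
                problems.append("%s: OID %s already used by %s" % (name, oid, oid_owner[oid]))
            attrs[name.lower()] = oid
            oid_owner.setdefault(oid, name)
        else:
            classes.append({"name": name, "oid": oid,
                            "must": _items("MUST", chunk), "may": _items("MAY", chunk)})
    return attrs, classes, problems


def check_schema(text: str, known: Set[str] = frozenset()) -> List[str]:
    """Report MUST/MAY entries that are undefined or listed twice.

    `known` holds attribute names supplied by other included schema files.
    """
    attrs, classes, problems = parse_schema(text)
    defined = set(attrs) | {k.lower() for k in known}
    for oc in classes:
        seen: Set[str] = set()
        for attr in oc["must"] + oc["may"]:
            key = attr.lower()
            if key in seen:
                problems.append("%s: %s listed twice" % (oc["name"], attr))
            seen.add(key)
            if key not in defined:
                problems.append("%s: %s is not defined" % (oc["name"], attr))
    return problems


# Constructed sample with one fault of each kind.
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# fault: this OID already belongs to radiusServiceType
attributetype ( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusClass'
	EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile'
	SUP top STRUCTURAL MUST uid
	MAY ( userPassword $ radiusGroupName $ radiusServiceType $
	radiusGroupName $ radiusHint ) )
"""

if __name__ == "__main__":
    for problem in check_schema(SAMPLE_SCHEMA, known={"uid", "userPassword"}):
        print(problem)
```

Run it over the real file by passing the text of RADIUS-LDAPv3.schema and, in `known`, the attribute names of every other schema that slapd.conf includes; a name reported as undefined means slapd will see the same gap.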
Now we need to set up the permissions on the ldap server. Notice that above we
created three users in the admins ou. These users will be specific for billing,
freeradius, and replication.

On the master ldap server, we will set the following permissions.

access to attr=userPassword
	by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write

	by dn="cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com" write

This will give the billing user write access to add/delete users. For security
we will not give read access to any other users. You can easily add another
read-only user to this setup if you want to build some sort of web interface to

Now on the slave ldap servers (aka the radius servers) we will set up the
following permissions.

access to attr=userPassword
	by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

access to dn="ou=users,ou=radius,dc=mydomain,dc=com"
	by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
	by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read

	by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write

This will give the replica user write access. This user will be discussed
below, and it is involved in the process of replicating the master server to the
slaves. The freeradius user only needs read access to do the lookups for

Now we will want to set up indexes to speed up searches. At a minimum, the
lines below will work. Since all radius lookups currently use the uid, we will
want to index that. It is also a good idea to index the objectclass attribute.

# Indices to maintain
index objectClass eq
index uid eq

Now we need to set up the replication from the master to the slave servers. To
do this, we will add the following to the slapd.conf file on the master:

On the master LDAP server:
replica host=radius1.mydomain.com
	binddn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
	bindmethod=simple credentials=replica

replica host=radius2.mydomain.com
	binddn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
	bindmethod=simple credentials=replica

We will need to add a replica for each slave LDAP server. The binddn is the
name that is used to bind to the slave server, and the credentials is the
secret for that user.

On the slave LDAP servers:
updatedn cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
updateref ldap://ldapmaster.mydomain.com

Those will determine what name is allowed to update the LDAP server and, if an
update is attempted directly, what server to refer the update to.
The radius server is set up to use LDAP for both Authorization and
Authentication. This section will describe what events will take place during
an AAA session with a NAS. When the NAS sends an access_request to the radius
server, the radius server will perform authorization and authentication based
on a series of modules that are defined in radiusd.conf. For example, the
module defined as ldap will be used to make connections to the LDAP directory.

An example is listed below.

	ldap {
		# each radius server queries the LDAP slave running on the same machine
		server = localhost
		identity = "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
		# the userPassword of that entry in the LDIF above
		password = freeradius
		# this is the basedn to do searches on a user
		basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
		# notice the username is the stripped user-name or user-name
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# this maps ldap attributetypes to radius attributes
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_cache_timeout = 120
		ldap_connections_number = 10
		# password_header = {clear}
		# While integrating FreeRADIUS with Novell eDirectory, set
		# 'password_attribute = nspmpassword' in order to use the universal password
		# of the eDirectory users for RADIUS authentication. This will work only if
		# FreeRADIUS is configured to build with the --with-edir option.
		password_attribute = userPassword
		# Comment out the following to disable the eDirectory account policy check and
		# intruder detection. This will work only if FreeRADIUS is configured to build
		# with the --with-edir option.
		# edir_account_policy_check = no
		groupname_attribute = radiusGroupName
		groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
		groupmembership_attribute = radiusGroupName
		compare_check_items = no
		# access_attr_used_for_allow = yes
	}
The first thing that is done is authorization of the user. The radius server
will process the modules in the order specified in the authorization section of
radiusd.conf. Currently, they are in the following order.

The first module will be preprocess. This will first check the huntgroups of
the user coming in. The huntgroups are defined in the file huntgroups and they
are a group listing of the NAS-IP-Addresses that make the access_request. This
is useful in creating specific actions based on the NAS-IP that the request is
made from. An example is below:

isdncombo	NAS-IP-Address == 10.10.10.1
dialup		NAS-IP-Address == 10.10.10.2
dialup		NAS-IP-Address == 10.10.10.3

We will have one NAS that is used for both ISDN and regular dialup customers;
the other NASes will only be used for dialup.

The preprocess module may also use the hints file to load hints to the radius
server, and add additional hacks that are based on the type of request that
comes in. This is to help with certain NASes that don't conform to the radius
RFCs. Check the comments in radiusd.conf for an explanation of those.

The second module is suffix. This event will determine which realm the user is
in, based on the User-Name attribute. It is currently set up to split the
username at the occurrence of the @ symbol. For example, the username
example@mydomain.com will be split into example and mydomain.com. The realm
is then checked against the file proxy.conf, which will determine what actions
should be taken for that realm. Certain realms can be set up to be proxied to a
different radius server or set to authenticate locally. Also, the username can
be set up to be stripped of the realm or left intact. An example of
proxy.conf is listed below. If the realm is to be proxied, then a secret is
needed, which is the secret of the radius server it is to be proxied to.
By default the User-Name will be stripped, unless the nostrip option is set.

Currently we will not be using realms with our users, but adding this ability
in the future will be much easier with already incorporating proxy.conf into the

servers_per_realm = 15
default_fallback = yes

#secret = testing123

#secret = testing123
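Two pieces of the chain described above, the suffix module's split at the @ symbol and the %{Stripped-User-Name:-%{User-Name}} expansion used in the ldap module's filter lines, can be seen end to end in the Python below. It is an added example, not FreeRADIUS code, and it models rather than reproduces rlm_realm and rlm_ldap: the split is at the last @, the nostrip option keeps User-Name intact, and the value that ends up in the search filter is escaped per RFC 2254, because User-Name arrives from the NAS exactly as the dialling user typed it and the filter must treat it as a literal whatever characters it contains. The request dictionaries are constructed.

```python
from typing import Dict, Optional

Request = Dict[str, str]

# RFC 2254 section 4: characters with filter meaning are written as \XX so an
# assertion value is matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def apply_suffix(request: Request, nostrip: bool = False) -> Request:
    """Model of the suffix module: split User-Name at the last '@'.

    The part after the delimiter becomes Realm. Unless nostrip is set, the
    part before it becomes Stripped-User-Name, which later modules prefer.
    A name without '@' belongs to the NULL realm and is passed on unchanged.
    """
    name = request.get("User-Name", "")
    if "@" not in name:
        return dict(request)
    user, realm = name.rsplit("@", 1)
    out = dict(request, Realm=realm)
    if not nostrip:
        out["Stripped-User-Name"] = user
    return out


def expand_username(request: Request) -> Optional[str]:
    """%{Stripped-User-Name:-%{User-Name}}: the stripped name if the suffix
    module set one, otherwise the raw User-Name; None if neither is present."""
    return request.get("Stripped-User-Name") or request.get("User-Name")


def user_filter(request: Request) -> str:
    """The 'filter' line of the ldap module, with the name escaped."""
    name = expand_username(request)
    if name is None:
        raise ValueError("request carries no User-Name")
    return "(uid=%s)" % escape_filter_value(name)


def group_filter(request: Request) -> str:
    """The 'groupmembership_filter' line, with the name escaped."""
    name = expand_username(request)
    if name is None:
        raise ValueError("request carries no User-Name")
    return "(&(uid=%s)(objectclass=radiusprofile))" % escape_filter_value(name)


if __name__ == "__main__":
    # Constructed request as the NAS would send it.
    req = apply_suffix({"User-Name": "example@mydomain.com", "NAS-IP-Address": "10.10.10.1"})
    print(req["Realm"], user_filter(req), group_filter(req))
```

The same escaping belongs in any helpdesk or Billing script that searches ou=users by a name it did not generate itself.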
The next module is files, which is commonly known as the users file. The users
file will start with either a username, to determine how to authorize a specific
user, or a DEFAULT setting. In each line it will define what items must be
present for there to be a match, in the form of attribute == value. If all the
required attributes are matched, then attributes specified with attribute :=
value will be set for that user. If no match is found, the users file will
continue to be processed until there is a match. The last DEFAULT setting will
be set as a catch-all, in case there is no previous match. If a match is made,
the statement Fall-Through determines if the users file should continue to
be processed or if it should stop right there.

The Ldap-Group corresponds to the LDAP attribute radiusGroupName (see the ldap
configuration above). The user may be assigned multiple radiusGroupNames, one
for each of the services that the user is authorized for. If the user does
belong to the correct group, then the user will be authorized for that type of
access. If the user does not belong to that group, then there will not be a
match and the users file will continue to be processed. If a match is made and
there is a User-Profile set, then the radius server will look up the attributes
that exist in that User-Profile in the LDAP directory. These are radius
attributes that will be sent to the NAS as reply-items.

An example users file is below.

DEFAULT	Ldap-Group == disabled, Auth-Type := Reject
	Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT	Huntgroup-Name == isdncombo, NAS-Port-Type == Async, Ldap-Group == dial,
	User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT	Huntgroup-Name == isdncombo, NAS-Port-Type == ISDN, Ldap-Group == isdn,
	User-Profile := "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT	Huntgroup-Name == dialup, Ldap-Group == dial,
	User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"

DEFAULT	Auth-Type := Reject
	Reply-Message = "Please call the helpdesk."

Notice that the catch-all DEFAULT is set to Reject the user. This will stop the
authorization and immediately send back an access_reject message. Because
business rules are applied above to each scenario where the user will be
authorized for access, if no match is found, then we will want to stop the
process immediately to save resources.

By using the Ldap-Group feature we can limit user logins to only the services
they are subscribed to. Some examples of possible user setups are below.

# user with access to dial-up
dn: uid=user1,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: user1
userPassword: whatever
radiusgroupname: dial

# user with access to ISDN and dial
dn: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: user2
userPassword: whatever
radiusgroupname: dial
radiusgroupname: isdn

# same user as above, suspended for not paying
dn: uid=user2,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: user2
userPassword: whatever
radiusgroupname: dial
radiusgroupname: isdn
radiusgroupname: disabled
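The authorization walk described above (preprocess sets Huntgroup-Name from the huntgroups file, files runs the DEFAULT entries in order, Ldap-Group tests the user's radiusGroupName values, the catch-all rejects) is small enough to run as a model. The Python below is an added example, not FreeRADIUS code: it holds the huntgroups and users files above as data, a constructed stand-in for ou=users with the three user setups just shown (user3 is the suspended one), and walks a request through them. Fall-Through is modelled as a per-entry flag, off for every entry here.

```python
from typing import Dict, List, Optional, Tuple

Request = Dict[str, str]
Rule = Tuple[Dict[str, str], Dict[str, str], bool]  # check items, items set, Fall-Through

# Constructed stand-in for the huntgroups file above: huntgroup -> NAS-IP-Addresses.
HUNTGROUPS: Dict[str, List[str]] = {
    "isdncombo": ["10.10.10.1"],
    "dialup": ["10.10.10.2", "10.10.10.3"],
}

DIAL_PROFILE = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
ISDN_PROFILE = "uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com"

# The users file above as data, one tuple per DEFAULT entry, in file order.
USERS: List[Rule] = [
    ({"Ldap-Group": "disabled"},
     {"Auth-Type": "Reject", "Reply-Message": "Account disabled. Please call the helpdesk."}, False),
    ({"Huntgroup-Name": "isdncombo", "NAS-Port-Type": "Async", "Ldap-Group": "dial"},
     {"User-Profile": DIAL_PROFILE}, False),
    ({"Huntgroup-Name": "isdncombo", "NAS-Port-Type": "ISDN", "Ldap-Group": "isdn"},
     {"User-Profile": ISDN_PROFILE}, False),
    ({"Huntgroup-Name": "dialup", "Ldap-Group": "dial"},
     {"User-Profile": DIAL_PROFILE}, False),
    ({}, {"Auth-Type": "Reject", "Reply-Message": "Please call the helpdesk."}, False),
]

# Constructed stand-in for ou=users: uid -> radiusGroupName values.
DIRECTORY: Dict[str, List[str]] = {
    "user1": ["dial"],
    "user2": ["dial", "isdn"],
    "user3": ["dial", "isdn", "disabled"],  # suspended for not paying
}


def huntgroup_for(nas_ip: str, huntgroups=HUNTGROUPS) -> Optional[str]:
    """What preprocess does: name the first huntgroup listing this NAS-IP-Address."""
    for name, addresses in huntgroups.items():
        if nas_ip in addresses:
            return name
    return None


def rule_matches(check: Dict[str, str], request: Request, groups: List[str]) -> bool:
    """Every check item must hold. Ldap-Group is a membership test against the
    user's radiusGroupName values; everything else is attribute == value."""
    for attr, wanted in check.items():
        if attr == "Ldap-Group":
            if wanted not in groups:
                return False
        elif request.get(attr) != wanted:
            return False
    return True


def authorize(request: Request, directory=DIRECTORY, users=USERS, huntgroups=HUNTGROUPS) -> Dict[str, str]:
    """Run preprocess -> files (with its Ldap-Group lookups) over one request
    and return the items the matching entries set.

    An unknown user has no radiusGroupName values, so no Ldap-Group entry can
    match and the catch-all DEFAULT rejects it, as described above.
    """
    req = dict(request)
    hg = huntgroup_for(req.get("NAS-IP-Address", ""), huntgroups)
    if hg is not None:
        req["Huntgroup-Name"] = hg
    groups = directory.get(req.get("User-Name", ""), [])
    result: Dict[str, str] = {}
    for check, items, fall_through in users:
        if rule_matches(check, req, groups):
            result.update(items)
            if not fall_through:
                break
    return result


def decision(result: Dict[str, str]) -> str:
    """Collapse the authorize result to its outcome; 'authorized' still has
    to pass the bind-based authentication described below."""
    return "rejected" if result.get("Auth-Type") == "Reject" else "authorized"


if __name__ == "__main__":
    for name, nas, port in [("user1", "10.10.10.2", "Async"), ("user2", "10.10.10.1", "ISDN"),
                            ("user1", "10.10.10.1", "ISDN"), ("user3", "10.10.10.2", "Async")]:
        res = authorize({"User-Name": name, "NAS-IP-Address": nas, "NAS-Port-Type": port})
        print(name, nas, port, decision(res), res)
```

Adding a service is a matter of a new radiusGroupName value, a profile entry and one DEFAULT line; the model makes it easy to check that the new line cannot shadow an existing one.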
Now that we have authorized the user, the final piece is to authenticate the
user. Authentication is currently done by checking if the password sent in the
access_request packet is correct. This is done with an attempted bind to the
LDAP server using the User-Name and User-Password attributes passed to it from
the access_request. If the bind succeeds, then an access_accept message will be
sent back to the NAS, with any reply items that were defined in the
authorization section. If the user did not supply the correct password, then an
access_reject message will be sent to the

If the NAS is sent an access_accept packet, then the user will be given access
to the service and the NAS will then send an acct_request packet. This will be
a request packet to start a radius accounting session. The way the server will
log the accounting packets is determined in the detail module in the
radiusd.conf file. Since we will be storing a local copy and forwarding all
accounting to the Accounting radius server, we will store two local copies on
the machine. The first one is done in a regular detail file as defined in the

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

The second detail file will be used by the program radrelay to relay a copy of
all accounting packets to the Accounting radius server. This file is stored as
a catch-all for all accounting packets. The radrelay program will basically do
a tail on that file and will then attempt to send a copy of each addition to it
to the Accounting server. If the copy is successfully sent, then it will be
deleted from this file. If the Accounting server were to go down, then this
file will continue to build up entries. As soon as the Accounting server is
back online, an attempt to re-send the packets to the Accounting server will be
made. This file is defined in the following section of

detailfile = ${radacctdir}/detail-combined
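What radrelay does with detail-combined, and what the Accounting server must cope with as a result, can be made concrete. The Python below is an added example, not the radrelay program or any FreeRADIUS code: it parses the detail-file format the detail module writes (a timestamp line, indented attribute = value lines, a blank line per record), replays records in order to a stand-in Accounting server, and returns the records that got no accounting_response so they remain in the file for the next attempt. The sample detail text and the AccountingServer class are constructed; the outage behaviour shows why the file grows while the Accounting server is down and drains when it returns.

```python
import re
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]

# Attribute lines are indented 'Name = value'; the detail module quotes string
# values and writes integers and addresses bare.
_ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text: str) -> List[Record]:
    """Parse the detail-file format written by the detail module.

    Each record is an unindented timestamp line, one indented attribute line
    per attribute, and a blank line. The timestamp is kept under the key
    '_timestamp' because it is not a RADIUS attribute.
    """
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = None
        elif not line[0].isspace():
            current = {"_timestamp": line.strip()}
        elif current is not None:
            m = _ATTR_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def relay(records: List[Record], send: Callable[[Record], bool]) -> List[Record]:
    """Replay records the way radrelay works on detail-combined: in order,
    moving on only after an accounting_response. `send` returns True when a
    response arrives. The first unanswered record stops the run and it, plus
    everything after it, is returned so it stays in the file for the next
    attempt. A lost response makes radrelay resend a packet the Accounting
    server already stored, so that server must tolerate duplicates
    (Acct-Session-Id together with NAS-IP-Address identifies a session)."""
    for i, rec in enumerate(records):
        if not send(rec):
            return records[i:]
    return []


class AccountingServer:
    """Constructed stand-in for the Accounting radius server. It answers every
    packet until `accept_before_outage` packets have been stored, then stops
    responding until that limit is cleared."""

    def __init__(self, accept_before_outage: Optional[int] = None):
        self.accept_before_outage = accept_before_outage
        self.received: List[Record] = []

    def send(self, rec: Record) -> bool:
        if self.accept_before_outage is not None and len(self.received) >= self.accept_before_outage:
            return False
        self.received.append(rec)
        return True


# Constructed sample of detail-combined: two Starts and the Stop of the first.
SAMPLE_DETAIL = """Tue Jul  8 12:00:01 2003
	Acct-Status-Type = Start
	User-Name = "user1"
	NAS-IP-Address = 10.10.10.2
	Acct-Session-Id = "0000A001"
	Timestamp = 1057665601

Tue Jul  8 12:00:05 2003
	Acct-Status-Type = Start
	User-Name = "user2"
	NAS-IP-Address = 10.10.10.1
	Acct-Session-Id = "0000A002"
	Timestamp = 1057665605

Tue Jul  8 12:30:01 2003
	Acct-Status-Type = Stop
	User-Name = "user1"
	NAS-IP-Address = 10.10.10.2
	Acct-Session-Id = "0000A001"
	Acct-Session-Time = 1800
	Timestamp = 1057667401
"""

if __name__ == "__main__":
    acct = AccountingServer(accept_before_outage=1)
    pending = relay(parse_detail(SAMPLE_DETAIL), acct.send)
    print(len(pending), "records waiting for the Accounting server")
    acct.accept_before_outage = None
    print(len(relay(pending, acct.send)), "left after it came back")
```

The per-NAS detail files written by the first detail module are parsed by the same function, which is useful when a helpdesk question has to be answered from the local copy while the Accounting server is unavailable.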
1193 The new radius servers are currently built on Freebsd 4.8. As the version may
1194 eventually change, these instructions may no longer apply. The steps for
1195 building the server are the following:
1198 Install other FreeBSD items
1199 Install OpenLDAP *NOTE: this must be done before installing Freeradius
1202 Under the assumption that FreeBSD is already installed and the kernel rebuilt
1203 to the specifications needed for the machine, there are several other things
1204 that may be needed at this time and the purpose of this is just as a reminder.
1206 install cvsup-without-gui from the ports collection
1207 -run cvsup on all to update the ports to the most recent versions
1209 might be a good idea to upgrade the src
1210 -edit and run cvsup on /usr/share/examples/cvsup/standard-supfile
1211 -cd /usr/src - vi Makefile and follow instructions
1213 install sendmail from ports to keep up to date with the most recent versions.
1214 In the ports collection /ports/mail/sendmail run make; make install; make
1215 mailer.conf. Then edit rc.conf and change to sendmail_enable=NO
1216 -radius servers only need the local interface to send daily reports
1218 edit rc.conf to make sure inetd_enable=NO
1219 -no reason to have extra services running
1221 if you rebuilt the kernel to add support for IPFIREWALL, then remember to add a
1222 firewall rule to rc.conf
1223 -firewall_enable=YES
1224 -firewall_type=OPEN (or actually create a real firewall rule)
1226 add crontab to keep date accurate for accounting
1227 15 03 * * * /usr/sbin/ntpdate -s thetimeserver.mydomain.com
1229 install openldap from ports
1231 download the freeradius source as the ports collection is often outdated
1232 -the default settings are /usr/local/etc/raddb, /var/log/radius.log,
1234 -since openldap was installed first, you should not need any special flags to
Now it's time to configure OpenLDAP and FreeRADIUS. First we will be looking at
configuring OpenLDAP
-copy RADIUS-LDAPv3.schema to /usr/local/etc/openldap/schema
-edit /usr/local/etc/openldap/slapd.conf
----Begin slapd.conf----
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.7 2003/03/24 03:54:12
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
password-hash {SSHA}
access to attr=userPassword
    by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
access to dn="ou=users,ou=radius,dc=mydomain,dc=com"
    by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
    by dn="cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com" read
    by dn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com" write
#######################################################################
# ldbm database definitions
#######################################################################
suffix "dc=mydomain,dc=com"
rootdn "cn=root,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}Eu5EwPxTrwhEGrXQ9SaQZyfpu4iHt3NP
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
# replica one for each
#replica host=radius1.mydomain.com
# binddn="cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com"
# bindmethod=simple credentials=secret
replogfile /var/db/openldap-slurp/replog
## REMEMBER TO ADD THIS TO THE SLAVES
updatedn "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
updateref ldap://ldapmaster.mydomain.com
----End slapd.conf----
To create a rootdn password that is not stored in plain text, enter the following
it will ask for the password and a verification
Re-enter new password:
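What slappasswd produces for the password-hash {SSHA} setting above is base64(SHA-1(password + salt) + salt) with a 4-byte random salt, which is why the rootpw value in slapd.conf is 32 base64 characters (20-byte digest plus 4-byte salt). The following is an added example (Python, not part of this document or of OpenLDAP) that generates and verifies hashes of that form and checks a slapd.conf text for a rootpw that is still cleartext; the configuration snippets it is tested against are constructed.

```python
"""Generate/verify OpenLDAP {SSHA} hashes and check slapd.conf for a cleartext rootpw.
Added example, not OpenLDAP's own code."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt), the slappasswd layout."""
    if salt is None:
        salt = os.urandom(4)            # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if 'stored' is an {SSHA} value for 'password' (constant-time compare)."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is always 20 bytes
    if len(digest) != 20:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(slapd_conf):
    """True if every 'rootpw' directive in the slapd.conf text uses a {SCHEME} value.
    A value that does not start with '{' is stored cleartext, which slapd.conf(5)
    warns against."""
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "rootpw":
            if not parts[1].startswith("{"):
                return False
    return True


if __name__ == "__main__":
    h = ssha_hash("example-only")
    print(h, ssha_verify("example-only", h), ssha_verify("wrong", h))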
-while in the shell create the directory for the ldap database; this must be
created before slapd can start
$ mkdir /var/db/openldap-data
-move the slapd.sh.sample file to slapd.sh in /usr/local/etc/rc.d
$ mv /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh
-enable logging in /etc/syslog.conf by adding the following:
local4.* /var/log/ldap.log
-start it up on both the master and slave ldap servers
$ /usr/local/etc/rc.d/slapd.sh start
-create the structural ldif, schema.ldif
----Begin schema.ldif----
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organizationalUnit
ou: Mydomain.com Radius
dn: ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
dn: ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
dn: ou=users,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
dn: ou=admins,ou=radius,dc=mydomain,dc=com
objectclass: organizationalunit
dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
dn: uid=isdn,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
dn: uid=example,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusProfile
radiusGroupName: dial
radiusGroupName: isdn
dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: freeradius
dn: cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: billing
dn: cn=replica,ou=admins,ou=radius,dc=mydomain,dc=com
userPassword: replica
----End schema.ldif----
-add the organizational structure to the master ldap database
$ ldapadd -D cn=billing,ou=admins,ou=radius,dc=mydomain,dc=com -w billing -f
schema.ldif -h ldapmaster.mydomain.com
-run slapcat to see what the directory looks like
If all went well the LDAP directory should be up and running and propagated to
the slaves. Now you can add your users to the master.
Now it's time to set up FreeRADIUS. First cd into /usr/local/etc/raddb and take
a look at all the configuration files; they are heavily documented, so you may
wish to read through them all before making any changes.
----Begin radiusd.conf----
## radiusd.conf -- FreeRADIUS server configuration file.
exec_prefix = ${prefix}
sysconfdir = /usr/local/etc/raddb
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
raddbdir = /usr/local/etc/raddb
radacctdir = /var/log/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth_badpass = no
log_auth_goodpass = no
# The program to execute to do concurrency checks.
#checkrad = ${sbindir}/checkrad
max_attributes = 200
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
server = "localhost"
identity = "cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
#default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
#profile_attribute = "radiusProfileDn"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_cache_timeout = 120
ldap_connections_number = 10
#password_header = "{clear}"
password_attribute = userPassword
groupname_attribute = radiusGroupName
groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
groupmembership_attribute = radiusGroupName
compare_check_items = no
#access_attr_used_for_allow = yes
huntgroups = ${confdir}/huntgroups
#hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users
#use old style users
# regular detail files
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
# temp detail file to replicate to accountrad
detailfile = ${radacctdir}/detail-combined
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
# filename = ${logdir}/radutmp
# filename = ${logdir}/sradutmp
# attrsfile = ${confdir}/attrs
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# The 'expression' module currently has no configuration.
# Get an address from the IP Pool.
----End radiusd.conf----
-edit huntgroups to assign each NAS to a huntgroup
----Begin huntgroups----
isdncombo NAS-IP-Address == 10.10.10.1
dialup NAS-IP-Address == 10.10.10.2
dialup NAS-IP-Address == 10.10.10.3
----End huntgroups----
-edit proxy.conf to set up the different realms
----Begin proxy.conf----
servers_per_realm = 15
default_fallback = yes
#secret = testing123
#secret = testing123
----End proxy.conf----
-edit clients.conf to set up the NASes that are allowed to talk to it
----Begin clients.conf----
shortname = localhost
# isdn and dialup nas
----End clients.conf----
You may wish to look at the other files, but they should all be OK by default.
-create startup files in /usr/local/etc/rc.d
-radiusd.sh - the radiusd startup file
----Begin radiusd.sh----
/usr/local/sbin/radiusd
if [ -f /usr/local/var/run/radiusd/radiusd.pid ]; then
kill -TERM `cat /usr/local/var/run/radiusd/radiusd.pid`
rm -f /usr/local/var/run/radiusd/radiusd.pid
if [ -f /usr/local/var/run/radiusd/radiusd.pid ]; then
kill -HUP `cat /usr/local/var/run/radiusd/radiusd.pid`
echo 'radiusd restarted'
echo "Usage: ${0##*/}: { start | stop | restart }" 1>&2
----End radiusd.sh----
-radrelay.sh - the radrelay startup file
----Begin radrelay.sh----
/usr/local/bin/radrelay -a /var/log/radacct -d /usr/local/etc/raddb \
-S /usr/local/etc/raddb/radrelay_secret -f -r accounting.mydomain.com:1813 \
echo -n ' radrelay started'
/usr/bin/killall radrelay
echo ' radrelay stopped'
echo "Usage: ${0##*/}: { start | stop }" 1>&2
----End radrelay.sh----
-create radrelay_secret in /usr/local/etc/raddb
This file will contain the secret used to connect to the Accounting radius server
----Begin radrelay_secret----
----End radrelay_secret----
$ /usr/local/etc/rc.d/radiusd.sh start
$ /usr/local/etc/rc.d/radrelay.sh start
You should be all set to start testing now.
OTHER RANDOM NOTES AND THOUGHTS
The client programs used to connect to the ldap directory are:
-ldapadd to add a record
-ldapmodify to modify a record
-ldapdelete to delete a record
-ldapsearch to search for a record
-slapcat to show the entire directory
-slappasswd to generate a hashed password
Read the man pages on those commands; they tell you everything you
They all follow this basic syntax.
$ ldapwhatever -D "uid=someone,ou=admins,ou=radius,dc=mydomain,dc=com" -w
thesecret -andthenotherstuff
Finally, if you are having trouble with LDAP, run it in debug mode by
changing the following in slapd.sh:
There is a program included with freeradius to test the radius server;
it's called radclient. Typing it alone will tell you all the options.
You will need to create a file that contains radius attributes, such
User-Password = test
Service-Type = Framed-User
NAS-IP-Address = 10.10.10.1
NAS-Port-Type = Async
Then you fire that radius packet at the server by issuing:
$ radclient -f testradiusfile localhost auth thesecret
localhost is the server you are hitting
auth or acct depending on the type of packet
thesecret is the shared secret used to connect to that server
Finally, if you are having trouble you can run radius in debug mode
and it will output everything that happens to the screen. To do that,
kill the current process and run:
-http://www.freeradius.org
-http://www.freeradius.org/radiusd/doc
-http://www.openldap.org
Documentation: Administrator's Guide
-http://www.openldap.org/doc/admin21
RFC2865: RADIUS Authentication
-http://www.freeradius.org/radiusd/doc/rfc/rfc2865.txt
RFC2866: RADIUS Accounting
-http://www.freeradius.org/radiusd/doc/rfc/rfc2866.txt
RFC2869: RADIUS Extensions
-http://www.freeradius.org/radiusd/doc/rfc/rfc2869.txt
-http://www.ietf.org/rfc/rfc2251.txt
RFC2252: LDAP v3 Attribute Syntax Definitions
-http://www.ietf.org/rfc/rfc2252.txt
RFC2253: LDAP UTF-8 String Representation of Distinguished Names (DNs)
-http://www.ietf.org/rfc/rfc2253.txt
RFC2849: LDAP Data Interchange Format (LDIF)
-http://www.ietf.org/rfc/rfc2849.txt
RFC3377: LDAP v3 Technical Specs
-http://www.ietf.org/rfc/rfc3377.txt