Freeradius ldap


groupOfNames

# switch, groups, xinux.net
# Group entry whose members receive the switch-admin VLAN: the users file
# matches it with  DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net".
# rlm_ldap resolves membership via its groupmembership_filter, which matches
# groupOfNames entries on their member attribute.
dn: cn=switch,ou=groups,dc=xinux,dc=net
objectClass: groupOfNames
cn: switch
description: Switch Admins
# One member DN per line; manage switch admins here, not in the users file.
member: cn=thomas will,ou=users,dc=xinux,dc=net

clients.conf

  • cat /etc/freeradius/clients.conf
# The shared secret "sysadm" is a short dictionary word and is reused by every
# client below.  RADIUS hides User-Password with an MD5 stream derived from this
# secret, so a captured exchange can be brute-forced offline against a weak
# secret; use a long random secret per NAS.  The radtest run further down
# (console 2) passes this same value.
client localhost {
ipaddr = 127.0.0.1
secret = sysadm
# nastype is only used by checkrad for simultaneous-use checks; "other" disables it.
nastype     = other
}
# The three stanzas below accept every host in the RFC 1918 ranges as a NAS with
# one common secret, i.e. any internal machine can send Access-Requests and learn
# VLAN assignments.  Prefer one stanza per real NAS (ipaddr = <nas-address>) with
# its own secret, and keep this file readable only by root and the freerad user.
client 192.168.0.0/16 {
 secret = sysadm
nastype = other
}
client 172.16.0.0/12 {
secret = sysadm
nastype = other
}
client 10.0.0.0/8 {
secret = sysadm
nastype = other
}

radiusd.conf

  • cat /etc/freeradius/radiusd.conf
# Installation path variables; the rest of the file is expressed relative to these.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Drop privileges to an unprivileged account after the sockets are bound.
# clients.conf and modules/ldap hold secrets, so the config tree should be
# readable by this user (and root) only.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# ipaddr = * binds every interface; port = 0 selects the default ports, which
# the debug run on this page reports as 1812 (auth) and 1813 (acct).  Restrict
# ipaddr to the management interface if the host has more than one.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
# A core dump would write the shared secrets and the LDAP bind password to disk.
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
# auth = no: no Access-Accept/Access-Reject lines are written to radius.log, so
# failed logins cannot be alerted on.  auth = yes is the usual choice; keep
# auth_badpass and auth_goodpass at no so passwords never end up in the log.
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
# Hold every Access-Reject for one second, which slows down password guessing.
reject_delay = 1
# Answer Status-Server probes from known clients.
status_server = yes
}
# Proxying is enabled and proxy.conf is loaded; the debug run shows a proxy
# socket on port 1814.  If no realm is forwarded to another server,
# proxy_requests = no removes that socket and the home-server handling.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# Loads every file in modules/, including the ldap module shown below.
$INCLUDE ${confdir}/modules/
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

ldap

  • cat /etc/freeradius/modules/ldap
ldap {
        # Plain ldap:// to the local directory; no tls {} block is configured.
        # If the directory is ever moved off this host, the bind password and all
        # user lookups would cross the network in clear -- add a tls section or
        # switch to ldaps:// first.
        server = "localhost"
        # Binds as the directory administrator with a plaintext password in this
        # file.  The module only needs read access to the user and group trees;
        # use a dedicated read-only service account and keep this file mode 0600.
        identity = "cn=admin,dc=xinux,dc=net"
        password = sysadm
        basedn = "dc=xinux,dc=net"
        # User lookup by uid.  The value comes from the request; rlm_ldap escapes
        # LDAP filter metacharacters in this expansion -- confirm for the
        # installed version.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        max_uses = 0
        # Bind/search timeouts in seconds; a hung directory should fail the
        # request rather than block the worker thread indefinitely.
        timeout = 4
        timelimit = 3
        net_timeout = 1
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        # Group membership: the users file compares Ldap-Group against the group
        # cn.  Groups are found with the filter below, which matches groupOfNames
        # (as in the LDIF on this page) and groupOfUniqueNames entries by the
        # user's DN stored in control:Ldap-UserDn after the user lookup.
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        # Alternative membership source: a radiusGroupName attribute on the user
        # entry.  No user entry is shown on this page, so presumably membership
        # is resolved through the filter above only.
        groupmembership_attribute = radiusGroupName
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}

default

  • cat /etc/freeradius/sites-enabled/default
# Modules in each section run in order until one returns reject/fail, or an
# "ok = return" override ends the section early.
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        # EAP requests are handled by eap alone; ok = return skips files/ldap for
        # the outer tunnel (the inner-tunnel site handles the inner identity).
        eap {
                ok = return
        }
        # files runs before ldap; the Ldap-Group check item in the users file is
        # evaluated through rlm_ldap on demand.  The debug run on this page shows
        # this order working -- re-check it after a FreeRADIUS upgrade.
        files
        # ldap retrieves the user's password into the control list so that pap
        # below can set Auth-Type = PAP.
        ldap
        expiration
        logintime
        pap

}
authenticate {
        # PAP: the NAS sends the password in clear, hidden only by the RADIUS
        # shared secret from clients.conf -- that secret's strength is what
        # protects the password in transit.
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        # unix checks the host's local accounts as well; drop it if only
        # directory accounts should be able to authenticate here.
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        # detail writes per-request accounting records under ${radacctdir}.
        detail
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        # Strip everything but the permitted attributes from rejects so that no
        # directory-derived reply items leak to the NAS on failure.
        Post-Auth-Type REJECT {
                eap
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

inner-tunnel

  • cat /etc/freeradius/sites-enabled/inner-tunnel

# Virtual server for the inner EAP identity (e.g. PEAP/TTLS).  Requests reach it
# internally from the eap module, not from the network.
server inner-tunnel {
# Loopback only; this port must never be exposed on an external interface.
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
authorize {
	chap
	mschap
	suffix
	# Inner requests are always handled locally, never forwarded to a home
	# server, regardless of the realm in the inner identity.
	update control {
	       Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	# Same files -> ldap -> pap chain as the default site, so the VLAN
	# assignment from the users file applies to the inner identity too.
	files
	ldap
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}
session {
	radutmp
}


post-auth {
	# Filter reply attributes on reject as in the default site.
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}

post-proxy {
	eap
}
}

users

  • cat /etc/freeradius/users
# Entries are tried in order; the first DEFAULT whose check items match wins
# (no Fall-Through is set).  Ldap-Group == triggers a group lookup through
# rlm_ldap using the groupmembership_filter from modules/ldap.
# Members of cn=switch get the VLAN reply items; the debug output on this page
# shows them in the Access-Accept.
DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "17"
# Everyone else is rejected, so a valid directory password alone is not enough
# to get an Access-Accept from this server.
DEFAULT Auth-Type := Reject

test

console 1

  • freeradius -X
...
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
 ... adding new socket proxy address * port 40079
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

console 2

positiv

  • radtest thomas.will suxer localhost 1812 sysadm
Sending Access-Accept of id 128 to 127.0.0.1 port 41246
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "17"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 128 with timestamp +52
Ready to process requests.