Freeradius AD LDAP Authentication
From falz.net
FreeRADIUS 2 LDAP authentication against Windows Server 2012 AD, used for Cisco/Juniper device login authentication.
- Have an existing AD. Create a few groups for read-write or read-only access. Let's use:
  - network-operators: router login permitted, read only
  - network-administrators: full admin/config access
- Install the freeradius packages on your CentOS-ish server:
  - yum install freeradius freeradius-ldap
- Create an AD user for the freeradius application to bind to LDAP (an ordinary, unprivileged domain account is enough; it only needs to read user and group objects). Let's call it 'freeradius'.
- /etc/raddb/modules/ldap:

    ldap {
        server = "ad.yourcompany.com"
        port = 389
        start_tls = yes
        identity = "CN=freeradius,OU=Applications,DC=ad,DC=yourcompany,DC=com"
        password = password_goes_here
        basedn = "DC=ad,DC=yourcompany,DC=com"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
        groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        edir_account_policy_check = no
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        chase_referrals = yes
        rebind = yes
    }
- Modifications to sites-enabled/default:
  - In the authorize {} section:
    - uncomment 'ldap'
    - comment out 'files' (which refers to the plain-text users file)
  - In the authenticate {} section, uncomment:

    Auth-Type LDAP {
        ldap
    }
- In the post-auth {} section, add this block to map LDAP group membership to RADIUS reply items:

    if (LDAP-Group == "network-administrators") {
        update reply {
            cisco-avpair = "shell:priv-lvl=15",
            Juniper-Local-User-Name = "superuser"
        }
    }
    elsif (LDAP-Group == "network-operators") {
        update reply {
            cisco-avpair = "shell:priv-lvl=1",
            #Juniper-Local-User-Name = "op"
            Juniper-Local-User-Name = "readonly"
        }
    }
    else {
        reject
    }
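Two things in the setup above are worth checking before it goes live: the User-Name from the RADIUS request is interpolated into the LDAP search filter (rlm_ldap escapes the expanded value itself, but any script you write to reproduce the lookups, for example an ldapsearch wrapper, must do the same), and the post-auth block is an ordered check, so a user in both groups gets the administrator reply items and a user who binds successfully but is in neither group is rejected. The following Python 3 script is an added example that is not part of the original page or of FreeRADIUS; the group DNs and user names it runs against are constructed here, and the `OU=Groups` container is an assumption.

```python
import re

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so it is safe to embed as an assertion value in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_name, stripped_user_name=None):
    """Build the same lookup as the module's filter directive:
    prefer Stripped-User-Name, fall back to User-Name, escape the result."""
    name = stripped_user_name if stripped_user_name else user_name
    return "(&(sAMAccountName=%s))" % escape_filter_value(name)


def group_filter(user_dn):
    """Build the groupmembership_filter for a resolved user DN."""
    return "(|(&(objectClass=group)(member=%s)))" % escape_filter_value(user_dn)


# Reply items from the post-auth block, in the order the block tests them.
GROUP_REPLY_ITEMS = (
    ("network-administrators",
     {"cisco-avpair": "shell:priv-lvl=15", "Juniper-Local-User-Name": "superuser"}),
    ("network-operators",
     {"cisco-avpair": "shell:priv-lvl=1", "Juniper-Local-User-Name": "readonly"}),
)


def group_cn(dn):
    """Return the leading CN of a group DN (simplified: assumes the CN has no escaped commas)."""
    m = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def reply_items_for(member_of):
    """Apply the post-auth logic to a user's memberOf values.

    First matching group wins; None means the request would hit the
    final 'reject' even though the LDAP bind itself succeeded."""
    groups = {group_cn(dn) for dn in member_of} - {None}
    for group, items in GROUP_REPLY_ITEMS:
        if group in groups:
            return dict(items)
    return None


if __name__ == "__main__":
    # Constructed sample data: a user in both groups and one in neither.
    both = [
        "CN=network-administrators,OU=Groups,DC=ad,DC=yourcompany,DC=com",
        "CN=network-operators,OU=Groups,DC=ad,DC=yourcompany,DC=com",
    ]
    neither = ["CN=Domain Users,CN=Users,DC=ad,DC=yourcompany,DC=com"]
    print(user_filter("*)(objectClass=*"))   # special characters neutralised
    print(reply_items_for(both))             # administrator items win
    print(reply_items_for(neither))          # None -> reject
```

Running the script against your own exported `memberOf` values is a cheap way to confirm the group names in AD match the strings in the post-auth block exactly, since `LDAP-Group` comparisons are silent when a group name is misspelled.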