3. Radius authentication using LDAP

A Radius Server is a daemon for un*x operating systems which allows one to set up (guess what!) a radius protocol server, which is usually used for authentication and accounting of dial-up users. To use the server, you also need a correctly set up client which will talk to it, usually a terminal server or a PC with appropriate software which emulates it (PortSlave, radiusclient etc). [From the freeradius FAQ]

Radius has its own database of users; however, since this information is already contained in LDAP, it is more convenient to use that instead.

There are several freeware Radius servers; the one with good support for LDAP is the FreeRadius server (http://www.freeradius.org). It is still a development version, but the LDAP module works fine.

3.1. FreeRadius Radiusd configuration

Once you have installed the server you have to configure it using the configuration files, which are located under /etc/raddb (or /usr/local/etc/raddb).

In the radiusd.conf file edit :

[...omissis]
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
# Also uncomment it in the authenticate{} block below
        ldap {
                server   = ldap.yourorg.com
                #login    = "cn=admin,o=My Org,c=US"
                #password = mypass
                basedn   = "ou=users,dc=yourorg,dc=com"
                filter   = "(&(objectClass=posixAccount)(uid=%u))"
        }

[...omissis]

# Authentication types, Auth-Type = System and PAM for now.
authenticate {
        pam
        unix
#       sql
#       sql2  
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
        ldap
}
[...omissis]

Also edit the dictionary file:

[...omissis]
#
#       Non-Protocol Integer Translations
#

VALUE           Auth-Type               Local                   0
VALUE           Auth-Type               System                  1
VALUE           Auth-Type               SecurID                 2
VALUE           Auth-Type               Crypt-Local             3
VALUE           Auth-Type               Reject                  4
VALUE           Auth-Type               ActivCard               4
VALUE           Auth-Type               LDAP                    5
[...omissis]

And the users file to have a default authorization entry:

[...omissis]
DEFAULT         Auth-Type := LDAP
                Fall-Through = 1
[...omissis]

If you have already set up an LDAP server for Un*x accounts management, this is enough.

On the LDAP server, also ensure that the radius server can read all the posixAccount attributes (especially uid and userPassword).
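The search filter in the ldap{} block is the one line of this configuration that is both easy to mistype and security-relevant: every parenthesis must balance, and the value substituted for %u should be escaped as an LDAP assertion value so that a user name containing filter metacharacters cannot change the meaning of the query. Whether the server escapes the substituted value itself depends on the FreeRADIUS version, so it is worth checking what a correctly rendered filter looks like before deploying. The following is an added example, not code from the HOWTO or from FreeRADIUS; it pulls the filter out of a radiusd.conf fragment (constructed here, modelled on the block above) with a simple regular expression, checks that the parentheses balance, and renders it with RFC 4515 escaping of the user name. The unbalanced filter string is a constructed example of a typo.

```python
import re

# Two filter templates constructed for this example: one with a dropped "(&"
# (a typo that is easy to make) and the form the ldap{} block above uses.
FILTER_UNBALANCED = "(posixAccount)(uid=%u))"
FILTER_CORRECTED = "(&(objectClass=posixAccount)(uid=%u))"

# Fragment modelled on the ldap{} block of radiusd.conf shown above (constructed).
SAMPLE_CONF = '''
        ldap {
                server   = ldap.yourorg.com
                basedn   = "ou=users,dc=yourorg,dc=com"
                filter   = "(&(objectClass=posixAccount)(uid=%u))"
        }
'''


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3: \\ * ( ) and NUL become \\XX."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def parentheses_balanced(ldap_filter):
    """Every '(' must be closed and no ')' may close more than was opened."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render_filter(template, username):
    """Substitute %u the way a defensive server should: with the value escaped first."""
    return template.replace("%u", escape_filter_value(username))


def filter_from_conf(conf_text):
    """Extract the filter value from an ldap{} block (a regex, not a full radiusd.conf parser)."""
    match = re.search(r'^\s*filter\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    return match.group(1) if match else None


if __name__ == "__main__":
    for template in (FILTER_UNBALANCED, FILTER_CORRECTED):
        state = "balanced" if parentheses_balanced(template) else "UNBALANCED"
        print(f"{template}: {state}")
    configured = filter_from_conf(SAMPLE_CONF)
    print(render_filter(configured, "jdoe"))
    # A name containing metacharacters is still matched literally after escaping.
    print(render_filter(configured, "x)(uid=*"))
```

Run the script against a copy of your own radiusd.conf by replacing SAMPLE_CONF with the file contents; a filter that fails the balance check will be rejected by the LDAP server and every authentication will fall through to Access-Reject, which is the usual symptom when radiusd -X shows LDAP searches failing with a protocol error.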

3.2. Testing Radius Authentication

To test everything, start radiusd in debugging mode:

/usr/local/sbin/radiusd  -X -A

Then use the radtest program with a syntax like

radtest username "password" radius.yourorg.com 1 testing123 

If everything went fine you should receive an Access-Accept packet from the Radius server.
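To see what radtest and radiusd actually exchange, the following added example (not code from the HOWTO, radtest or FreeRADIUS) builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, answers it with a minimal server side that checks the recovered password against a constructed user table standing in for the LDAP lookup, and verifies the Response Authenticator on the client side. The user table, the user name jdoe and the password are constructed; the shared secret testing123 is the one used in the radtest line above. Nothing is sent over the network, so it runs offline.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed sample user table; the shared secret matches the radtest line above.
USERS = {"jdoe": b"s3cret"}
SECRET = b"testing123"


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2 password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, digest))
        out += result
        prev = block if decrypt else result
    return out


def encrypt_password(password, secret, authenticator):
    padded_len = max(16, (len(password) + 15) // 16 * 16)  # NUL-pad to a 16-byte multiple
    return _xor_chain(password.ljust(padded_len, b"\x00"), secret, authenticator, decrypt=False)


def decrypt_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(data):
    """Walk the type/length/value attribute list, refusing malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(username, password, secret, ident=1):
    """What radtest sends: an Access-Request carrying User-Name and a hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_respond(request, secret, user_db):
    """Minimal server side: recover the password, compare it in constant time against the
    user table (the LDAP lookup in the real server), answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_response(response, request_auth, secret):
    """Client-side check that the reply came from a server holding the same shared secret."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def run_test(username, password, client_secret, server_secret, user_db):
    """Mirror one radtest exchange; returns (response code, authenticator verified)."""
    request, request_auth = access_request(username, password, client_secret)
    response = server_respond(request, server_secret, user_db)
    return response[0], verify_response(response, request_auth, client_secret)


if __name__ == "__main__":
    print(run_test("jdoe", "s3cret", SECRET, SECRET, USERS))    # Access-Accept, verified
    print(run_test("jdoe", "wrong", SECRET, SECRET, USERS))     # Access-Reject, verified
    print(run_test("jdoe", "s3cret", b"other", SECRET, USERS))  # secret mismatch: reject, unverified
```

The third case is the one to recognise when a real test fails: if the secret in radtest (or in the NAS configuration) does not match the clients file on the server, the server recovers a garbage password and answers Access-Reject, and the client cannot validate the Response Authenticator either, so a wrong shared secret and a wrong password look alike from the client side. radiusd -X output on the server tells them apart.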

You can also use stunnel in client mode to provide SSL in the connection between the Radius server and the LDAPS server. For details on SSL refer to Section 10.

3.3. Sample CISCO IOS Configuration

Just for completeness, here is a sample Cisco IOS configuration. This is outside the scope of the HOWTO, so it may not suit your needs.

[...omissis]
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
[...omissis]
radius-server host 192.168.10.1
radius-server timeout 10
radius-server key cisco
[...omissis]

Note: Almost all NAS use port 1645 for radius; check which port yours uses and configure the server appropriately.

   This document, LDP HOWTO-INDEX, is copyrighted (c) 1995 - 2002 by Tim Bynum, Guylhem Aznar, Joshua Drake and Greg Ferguson. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html. If you have questions, please contact the LDP.