3. Radius authentication using LDAP

A Radius Server, is a daemon for un*x operating systems which allows one to set up (guess what!) a radius protocol server, which is usually used for authentication and accounting of dial-up users. To use server, you also need a correctly setup client which will talk to it, usually a terminal server or a PC with appropriate which emulates it (PortSlave, radiusclient etc). [From the freeradius FAQ]

Radius has its own database of users, anyway, since this information is already contained in LDAP, it will be more convenient to use it!

There are several freeware Radius servers, the one that has good support for LDAP is the FreeRadius server (http://www.freeradius.org), it is still a development version, anyway the LDAP module works fine.

3.1. FreeRadius Radiusd configuration

Once you have installed the server you have to configure it using the configuration files, that are located under /etc/raddb (or /usr/local/etc/raddb)

In the radiusd.conf file edit :

# Uncomment this if you want to use ldap (Auth-Type = LDAP)
# Also uncomment it in the authenticate{} block below
        ldap {
                server   = ldap.yourorg.com
                #login    = "cn=admin,o=My Org,c=US"
                #password = mypass
                basedn   = "ou=users,dc=yourorg,dc=com"
                filter   = "(posixAccount)(uid=%u))"


# Authentication types, Auth-Type = System and PAM for now.
authenticate {
#       sql
#       sql2  
# Uncomment this if you want to use ldap (Auth-Type = LDAP)

Also edit the dictionary file:

#       Non-Protocol Integer Translations

VALUE           Auth-Type               Local                   0
VALUE           Auth-Type               System                  1
VALUE           Auth-Type               SecurID                 2
VALUE           Auth-Type               Crypt-Local             3
VALUE           Auth-Type               Reject                  4
VALUE           Auth-Type               ActivCard               4
VALUE           Auth-Type               LDAP                    5

And the users file to have a default authorization entry:

DEFAULT        	Auth-Type := LDAP
		Fall-Through = 1

If you alreay set up an LDAP server for Un*x accounts management, this is enough.

On the LDAP server ensure also that the radius server can read the all the posixAccount attributes (expecially uid and userpassword).

3.2. Testing Radius Authentication

To test everything server start radiusd in debugging mode:

/usr/local/sbin/radiusd  -X -A

Then use the radtest program whith a syntax like

radtest username "password" radius.yourorg.com 1 testing123 

If everything went fine you should receive an Acces-Accept packet from the Radius server.

You can also use stunnel in client mode to provide SSL in the connection between the Radius server and the LDAPS server. For details on SSL refer to Section 10.

3.3. Sample CISCO IOS Configuration

Just for completeness, here is a sample Cisco IOS configuration. Anyway, this is outside the purpose of the HOWTO so it may not suit your needs.

aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
radius-server host
radius-server timeout 10
radius-server key cisco

Note: Almost all NAS use port 1645 for radius, check it out and configure the server appropriately.