FreeRADIUS Authentication against OpenLDAP via CHAP
If you run a FreeRADIUS server as the authentication backend for your NAS and want to support CHAP in addition to PAP, here is how I did it:
ldap module config (raddb/modules/ldap):
ldap {
server = "localhost"
identity = "cn=radius,ou=systemUsers,dc=yourdomain,dc=com"
password = xxx
basedn = "ou=users,dc=yourdomain,dc=com"
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(userRight=VPDN))"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
access_attr = "uid"
dictionary_mapping = ${confdir}/ldap.attrmap
set_auth_type = yes
}
The set_auth_type = yes line is important: without this directive the ldap module
will not set an Auth-Type itself, so the automatic selection of the authentication
method (PAP, CHAP, whatever the client sends) does not work. For CHAP it is also
important to know that it only works if the password is stored in clear text in
the LDAP directory: a CHAP response is an MD5 hash over the CHAP identifier, the
password and the challenge, so the server must have the actual password to
recompute it, and a hashed userPassword value ({SSHA}, {CRYPT} and so on) cannot be
used. That is a real trade-off: whoever can read userPassword (directory admins,
the radius bind account, backups) gets every VPDN password in the clear, so
restrict read access to that attribute accordingly. This configuration supports
either PAP or CHAP, whichever the client requests. This is achieved by NOT setting
Auth-Type in the users file, but letting the modules decide on their own: the chap
module in authorize sets Auth-Type = CHAP when the request carries a CHAP-Password
attribute, and the ldap module supplies the password check item it needs. This is
my sites-enabled/default file:
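To make the "CHAP needs the clear-text password" point concrete, here is an added example (not code from the original post or from FreeRADIUS) that computes a CHAP-Password the way a NAS does and verifies it the way rlm_chap has to, against a constructed stand-in for the LDAP directory. The users, passwords and the userRight attribute values are made up; the filter and attrmap behaviour it imitates is the one from the configuration above.

```python
# Added example, not part of the original post: how a RADIUS server checks a
# CHAP-Password and why that needs the cleartext password from LDAP.
# References: RFC 1994 (CHAP) and RFC 2865 section 5.3 (CHAP-Password/CHAP-Challenge).
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for the LDAP directory (all values made up for this example).
# "userRight" is the site-specific attribute used in the ldap module filter above;
# bob's userPassword is a hashed value with an {SSHA} header, as OpenLDAP stores it
# when ppolicy/slappasswd hashing is in use.
LDAP_USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {"userPassword": ["s3cret-Alice"], "userRight": ["VPDN"]},
    "bob":   {"userPassword": ["{SSHA}MDEyMzQ1Njc4OWFiY2RlZmdoaWowMTIz"], "userRight": ["VPDN"]},
    "carol": {"userPassword": ["s3cret-Carol"], "userRight": ["MAIL"]},
}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


def build_chap_password(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side: the RADIUS CHAP-Password attribute value is one byte of
    CHAP ident followed by the 16 byte MD5 response (RFC 2865 5.3)."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def ldap_authorize(username: str) -> Optional[str]:
    """Imitates the ldap module in authorize with the filter
    (&(uid=<user>)(userRight=VPDN)) and the attrmap line
    'checkItem Cleartext-Password userPassword'. Returns the value that ends
    up as the Cleartext-Password check item, or None if no entry matches."""
    entry = LDAP_USERS.get(username)
    if entry is None or "VPDN" not in entry.get("userRight", []):
        return None
    # The attrmap copies userPassword verbatim; it does not strip a {SCHEME} header.
    return entry["userPassword"][0]


def chap_authenticate(cleartext_password: Optional[str],
                      chap_password: bytes, challenge: bytes) -> bool:
    """Imitates rlm_chap: it needs the Cleartext-Password check item, the
    CHAP-Password attribute and the challenge (the CHAP-Challenge attribute or,
    if that is absent, the Request Authenticator of the Access-Request)."""
    if cleartext_password is None or len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(response, expected)


def chap_login(username: str, typed_password: str, challenge: bytes, ident: int = 1) -> bool:
    """Whole exchange: the NAS builds CHAP-Password from what the user typed,
    the server looks the user up in LDAP and verifies the response."""
    chap_password = build_chap_password(ident, typed_password, challenge)
    return chap_authenticate(ldap_authorize(username), chap_password, challenge)


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real NAS picks a random one per request
    print("alice (cleartext in LDAP):", chap_login("alice", "s3cret-Alice", challenge))
    print("alice, wrong password:    ", chap_login("alice", "nope", challenge))
    # bob's password is only stored hashed: MD5 over the literal '{SSHA}...' string
    # can never equal the MD5 the client computed over the real password.
    print("bob ({SSHA} in LDAP):     ", chap_login("bob", "whatever-bobs-password-is", challenge))
    print("carol (no VPDN right):    ", chap_login("carol", "s3cret-Carol", challenge))
```

Note that bob is rejected even if the client sends the correct password: the server has nothing it could hash with the challenge. That is the whole reason this setup requires clear-text userPassword values for CHAP users, and it is also why there is no "fix" in the attrmap for it.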
authorize {
preprocess
chap
suffix
files
ldap
expiration
logintime
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
One thing to check in the virtual server above: it lists neither pap in authorize nor an Auth-Type PAP section in authenticate, so the pap module configured further down is never called by it. If PAP requests end up rejected with "No Auth-Type found", add pap at the end of authorize and an Auth-Type PAP { pap } block to authenticate, as the stock default virtual server has them.
Here comes the important, rather undocumented part: your ldap.attrmap must have an additional attribute mapping, called Cleartext-Password, so that the value of userPassword is handed to the chap module as the Cleartext-Password check item:
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem Auth-Type radiusAuthType
checkItem Simultaneous-Use radiusSimultaneousUse
checkItem Called-Station-Id radiusCalledStationId
checkItem Calling-Station-Id radiusCallingStationId
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword
checkItem LM-Password dBCSPwd
checkItem Password-With-Header userPassword
checkItem Cleartext-Password userPassword
checkItem SMB-Account-CTRL-TEXT acctFlags
checkItem Expiration radiusExpiration
checkItem NAS-IP-Address radiusNASIpAddress
replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute
replyItem Framed-Routing radiusFramedRouting
replyItem Filter-Id radiusFilterId
replyItem Framed-MTU radiusFramedMTU
replyItem Framed-Compression radiusFramedCompression
replyItem Login-IP-Host radiusLoginIPHost
replyItem Login-Service radiusLoginService
replyItem Login-TCP-Port radiusLoginTCPPort
replyItem Callback-Number radiusCallbackNumber
replyItem Callback-Id radiusCallbackId
replyItem Framed-IPX-Network radiusFramedIPXNetwork
replyItem Class radiusClass
replyItem Session-Timeout radiusSessionTimeout
replyItem Idle-Timeout radiusIdleTimeout
replyItem Termination-Action radiusTerminationAction
replyItem Login-LAT-Service radiusLoginLATService
replyItem Login-LAT-Node radiusLoginLATNode
replyItem Login-LAT-Group radiusLoginLATGroup
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
replyItem Port-Limit radiusPortLimit
replyItem Login-LAT-Port radiusLoginLATPort
replyItem Reply-Message radiusReplyMessage
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
For the pap module I recommend setting auto_header to yes, so that it recognises the {SSHA}, {CRYPT}, {MD5} and similar headers of hashed userPassword values (handed to it as Password-With-Header by the attrmap above) and checks them with the right algorithm instead of comparing the raw string:
pap {
auto_header = yes
}
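As an added example of what auto_header = yes buys you (example code written for this page, not rlm_pap itself), the following splits a userPassword value into its {SCHEME} header and data and verifies a PAP User-Password against clear-text, {MD5}, {SHA} and {SSHA} values the way OpenLDAP stores them. The {CRYPT}, {SMD5}, {NT}/{LM} and hex-encoded variants that rlm_pap also understands are left out here; the password and salt are made up.

```python
# Added example, not from the original post: header-aware PAP verification in
# the spirit of rlm_pap's auto_header = yes. Only a subset of schemes is covered.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def parse_header(value: str) -> Tuple[str, str]:
    """Split '{SCHEME}data' into ('scheme', 'data'); a value without a header
    is treated as clear text, which is also what makes it usable for CHAP."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.lower(), data
    return "clear", value


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(user_password: str, stored: str) -> bool:
    """Check the User-Password from a PAP request against a userPassword value."""
    scheme, data = parse_header(stored)
    pw = user_password.encode("utf-8")
    if scheme in ("clear", "cleartext"):
        return hmac.compare_digest(pw, data.encode("utf-8"))
    try:
        raw = base64.b64decode(data, validate=True)
    except (ValueError, TypeError):
        return False
    if scheme == "md5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "sha":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "ssha":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False  # unknown or unsupported scheme: reject rather than guess


if __name__ == "__main__":
    stored_clear = "hunter2"                       # constructed values
    stored_ssha = make_ssha("hunter2", b"\x01\x02\x03\x04")
    print("clear, right password:", verify_pap("hunter2", stored_clear))
    print("ssha,  right password:", verify_pap("hunter2", stored_ssha))
    print("ssha,  wrong password:", verify_pap("hunter3", stored_ssha))
    print("header of ssha value: ", parse_header(stored_ssha)[0])
```

Without auto_header the module would compare the User-Password to the literal "{SSHA}..." string and every hashed user would fail PAP; with it, hashed users work for PAP, while CHAP users still need the clear-text form, as explained above.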
That is basically it. Of course you still need the standard setup such as clients.conf, but that is already documented very well elsewhere. To check both paths, send one PAP and one CHAP request with radtest (its -t option selects the type) and watch the output of radiusd -X.