Home
Random
Recent changes
Special pages
Community portal
Preferences
About Commons
Disclaimers
Commons
Search
User menu
Talk
Contributions
Create account
Log in
Editing
FreedomTunnel/DeploymentNotes
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Source material == Here are links to various howtos I referenced to put this wiki page together. http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form http://techpubs.spinlocksolutions.com/dklar/kerberos.html http://techpubs.spinlocksolutions.com/dklar/ldap.html http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS http://www.eduroamus.org/node/45 http://serverfault.com/questions/206054/how-to-integrate-radius-with-kerberos << highly relevant Copy/paste of relevant bits Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf: modules { krb5 { keytab = ${confdir}/radius.keytab service_principal = radius/radius.example.com } ldap { cache = no server = "ldap" identity = "uid=freeradius,ou=Accounts,dc=example,dc=com" password = secret basedn = "dc=com" filter = "(krbPrincipalName=%{User-Name})" base_filter = "(objectClass=radiusprofile)" tls { start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" } default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com" profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" #groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # set_auth_type = yes } } This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames). Radius / krb integration http://wiki.freeradius.org/Rlm_krb5 http://danieljamesscott.org/index.php << various java/apache/ldap/krb resources === 802.1x/RADIUS/WiFi Setup === The whole kit and kaboodle from the looks of things: * http://www.readmespot.com/question/f/47815/setting-up-radius---ldap-for-wpa2-on-ubuntu * http://vuksan.com/linux/dot1x/802-1x-LDAP.html * http://vuksan.com/linux/LDAP_authentication_under_Linux.html * http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html * http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius
Summary:
Please note that all contributions to Commons may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Commons:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)