Installing Freeradius to work with Fusion Directory onto Centos 6

This is a continuation from the tutorial "Installing the Fusion Directory LDAP/OpenLDAP frontend onto Centos 6" where I will now be installing Freeradius so that it will use the ldap directory for it's authentication backend. This tutorial is very sparse because it is really just a text repository for the tutorial that is on youtube which you can view at:

https://www.youtube.com/watch?v=AMUzVdsVZUM

First you have to log into the machine that was prepared in the first tutorial and then install Freeradius.

yum install freeradius-ldap freeradius-utils freeradius


You then have to edit /etc/raddb/modules/ldap so that it contains the changes as in the below diff, which you can copy from between the dashed lines.

---------------------
--- modules/ldap.orig    2016-08-18 14:28:11.928007138 +0100
+++ modules/ldap    2016-08-18 14:37:45.272984810 +0100
@@ -30,10 +30,10 @@
     #
     #  Note that this needs to match the name in the LDAP
     #  server certificate, if you're using ldaps.
-    server = "ldap.your.domain"
-    #identity = "cn=admin,o=My Org,c=UA"
-    #password = mypass
-    basedn = "o=My Org,c=UA"
+    server = "ldap-radius.localdomain"
+    identity = "uid=fd-admin,ou=people,dc=ldap-radius,dc=localdomain"
+    password = centos
+    basedn = "ou=people,dc=ldap-radius,dc=localdomain"
     filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
     #base_filter = "(objectclass=radiusprofile)"
 
@@ -105,7 +105,7 @@
 
     # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
     # profile_attribute = "radiusProfileDn"
-    # access_attr = "dialupAccess"
+    access_attr = "radiusTunnelType"
 
     # Mapping of RADIUS dictionary attributes to LDAP
     # directory attributes.
-----------------------


You then also have to edit /etc/raddb/clients.conf so that it contains the changes as in the below diff, which you can copy from between the dashed lines.

-----------------------
--- clients.conf.orig    2015-09-22 16:27:45.000000000 +0100
+++ clients.conf    2016-08-18 14:54:52.914997164 +0100
@@ -205,10 +205,10 @@
 #  When a client request comes in, the BEST match is chosen.
 #  i.e. The entry from the smallest possible network.
 #
-#client 192.168.0.0/24 {
-#    secret        = testing123-1
-#    shortname    = private-network-1
-#}
+client 192.168.10.0/24 {
+    secret        = testing123
+    shortname    = private-network-1
+}
 #
 #client 192.168.0.0/16 {
 #    secret        = testing123-2
 -----------------------

You then finally have to edit /etc/raddb/sites-available/default so that it contains the changes as in the below diff, which you can copy from between the dashed lines.
-----------------------
--- sites-available/default.orig    2016-08-18 15:11:46.640999419 +0100
+++ sites-available/default    2016-08-18 15:15:24.134003548 +0100
@@ -185,7 +185,7 @@
     #
     #  The ldap module will set Auth-Type to LDAP if it has not
     #  already been set
-#    ldap
+    ldap
 
     #
     #  Enforce daily limits on time spent logged in.
@@ -301,9 +301,9 @@
     # Note that this means "check plain-text password against
     # the ldap database", which means that EAP won't work,
     # as it does not supply a plain-text password.
-#    Auth-Type LDAP {
-#        ldap
-#    }
+    Auth-Type LDAP {
+        ldap
+    }
 
     #
     #  Allow EAP authentication.
-----------------------

If you now run:

radiusd -X

you should get an output that has the ldap details listed and at the end it should say "Ready to process requests" . If this is the case then you can stop the process by pressing Ctrl-C, while if it errors out then there is probably a mistake in the config files.

Run:

ntsysv

and then enable the radiusd service by putting a star i its box, then exit ntsysv and run:

service radiusd start

to which you should get a green OK.


In order to specify that only certain users can log in via Freeradius, you can now install a plugin into fusion directory, which will allow you to add certain extra attributes to each user.  You can install them with these commands:

yum install fusiondirectory-plugin-freeradius fusiondirectory-plugin-freeradius-schema
fusiondirectory-insert-schema -i /etc/openldap/schema/fusiondirectory/freeradius.schema

and you then have to log into the fusion directory interface to enable the option for your users

You can now test the radius server is working by testing if it can retrieve the account information from the ldap server:

radtest jbloggs centos localhost 1812 testing123
radtest jbloggs centos 192.168.10.224 1812 testing123

and if the above commands say "Access-Accept" when Freeradius is enabled in the Fusion Directory interface then you have completed the setup.

Attached below are the config files that I had to edit for Freeradius to get it to connect to the ldap service. You only have to remove the .text extension, then change the ldap credentials and the ip addresses used, to get it to work in your own configuration.