Freeradius Authentication against OpenLDAP via CHAP

If you run FreeRADIUS and want to support not only PAP but also CHAP, here's how I did it:

ldap module config:

ldap {
    server = "localhost"
    identity = "cn=radius,ou=systemUsers,dc=yourdomain,dc=com"
    password = xxx
    basedn = "ou=users,dc=yourdomain,dc=com"
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(userRight=VPDN))"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    access_attr = "uid"
    dictionary_mapping = ${confdir}/ldap.attrmap
    set_auth_type = yes
}

The set_auth_type = yes is important: without this directive freeradius will not work out the Auth-Type (PAP, CHAP, whatever) on its own. For CHAP it is important to know that it only works if the password is stored in clear text in the LDAP database, because the server has to recompute the client's challenge response from the password itself, which a hashed userPassword does not allow. This configuration supports either PAP or CHAP, whichever the client requests. This is achieved by NOT setting the Auth-Type in the users file, but letting the modules decide on their own. This is my sites-enabled/default file:

authorize {
    preprocess
    chap
    suffix
    files
    ldap
    expiration
    logintime
}
authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type LDAP {
        ldap
    }
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

Here comes the important, rather undocumented part: your ldap.attrmap must contain an additional attribute mapping, called Cleartext-Password, which hands the userPassword attribute to the chap module as its Cleartext-Password check item (so the radius bind identity needs read access to userPassword):

checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem

checkItem Auth-Type radiusAuthType
checkItem Simultaneous-Use radiusSimultaneousUse
checkItem Called-Station-Id radiusCalledStationId
checkItem Calling-Station-Id radiusCallingStationId
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword
checkItem LM-Password dBCSPwd
checkItem Password-With-Header userPassword
checkItem Cleartext-Password userPassword
checkItem SMB-Account-CTRL-TEXT acctFlags
checkItem Expiration radiusExpiration
checkItem NAS-IP-Address radiusNASIpAddress

replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute
replyItem Framed-Routing radiusFramedRouting
replyItem Filter-Id radiusFilterId
replyItem Framed-MTU radiusFramedMTU
replyItem Framed-Compression radiusFramedCompression
replyItem Login-IP-Host radiusLoginIPHost
replyItem Login-Service radiusLoginService
replyItem Login-TCP-Port radiusLoginTCPPort
replyItem Callback-Number radiusCallbackNumber
replyItem Callback-Id radiusCallbackId
replyItem Framed-IPX-Network radiusFramedIPXNetwork
replyItem Class radiusClass
replyItem Session-Timeout radiusSessionTimeout
replyItem Idle-Timeout radiusIdleTimeout
replyItem Termination-Action radiusTerminationAction
replyItem Login-LAT-Service radiusLoginLATService
replyItem Login-LAT-Node radiusLoginLATNode
replyItem Login-LAT-Group radiusLoginLATGroup
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
replyItem Port-Limit radiusPortLimit
replyItem Login-LAT-Port radiusLoginLATPort
replyItem Reply-Message radiusReplyMessage
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

And for the pap module I recommend setting auto_header to yes, so it knows how to deal with LDAP entries whose userPassword is a hash with a {SCHEME} header and so on:

pap {
    auto_header = yes
}
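To make the difference between the two methods concrete, here is an added Python illustration (my own, not FreeRADIUS code): CHAP-MD5 per RFC 1994 can only be verified by recomputing the response from the cleartext password, whereas a PAP check can look at the {SCHEME} header the way the pap module does with auto_header = yes. The {SSHA} layout assumed is OpenLDAP's (sha1(password + salt) followed by the salt); the user name, password, salt and challenge are constructed sample data.

```python
import base64
import hashlib
import hmac

def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()

def cleartext_from(stored: str):
    """Cleartext password from an LDAP userPassword value, or None when the value
    is a hash ({SSHA}, {SHA}, ...) from which the cleartext cannot be recovered."""
    if not stored.startswith("{"):
        return stored
    scheme, _, rest = stored[1:].partition("}")
    return rest if scheme.lower() in ("clear", "cleartext") else None

def verify_chap(chap_id: int, challenge: bytes, response: bytes, stored: str) -> bool:
    """Server-side CHAP check: the MD5 must be recomputed from the cleartext
    secret, which is why a hashed userPassword cannot serve CHAP at all."""
    secret = cleartext_from(stored)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)

def verify_pap(candidate: str, stored: str) -> bool:
    """PAP check that inspects the {SCHEME} header (the idea behind auto_header);
    cleartext, {SHA} and OpenLDAP-style {SSHA} are handled here (assumed layouts)."""
    secret = cleartext_from(stored)
    if secret is not None:
        return hmac.compare_digest(candidate.encode(), secret.encode())
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]   # sha1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate.encode()).digest(), raw)
    raise ValueError(f"unsupported userPassword scheme {scheme}")

def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (to construct sample data)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

if __name__ == "__main__":
    challenge, cid = bytes(range(16)), 7              # constructed NAS challenge and CHAP id
    resp = chap_response(cid, "s3cret", challenge)    # what the client would send back
    print(verify_chap(cid, challenge, resp, "s3cret"))                      # True
    print(verify_chap(cid, challenge, resp, make_ssha("s3cret", b"salt")))  # False
    print(verify_pap("s3cret", make_ssha("s3cret", b"salt")))               # True
```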

Now this is basically it. Of course you also have to do the standard setup such as clients.conf, but that is already documented very well elsewhere.

Last modified: 2013