
Setting up FreeRADIUS to authenticate against LDAP

This step integrates RADIUS with LDAP so that the One Account Policy can be enforced, which makes it the most critical step of the whole setup.


The LDAP authentication is expected to meet these requirements:
  1. The LDAP server lives on a separate host
  2. Every account logs in with its student/staff ID number (Nomor Induk Mahasiswa/Pegawai), which is stored in the uid attribute
  3. Every account can automatically reach the hotspot through RADIUS authentication
  4. The RADIUS reply attributes do not come from LDAP but from a separate script tied to the voucher management system

1. Adjust radiusd.conf

# vi /etc/raddb/radiusd.conf
Find the sections shown in points a, b and c below and adjust them. Note that the bind password is stored in clear text in this file, so keep it readable by the radiusd user only and bind with an account that has read-only rights on the directory.
a.    LDAP server settings
ldap {
        server = "192.168.0.4"
        # Bind DN and password used to search for the user entry
        identity = "cn=manager,dc=uii,dc=ac,dc=id"
        password = password
        basedn = "dc=uii,dc=ac,dc=id"

        # The user is looked up by uid (the student/staff ID number).
        # The commented form strips a realm suffix first when the realm module is used.
        #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(uid=%u)"
        # base_filter = "(objectclass=radiusprofile)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        # With start_tls = no, the bind password and every user password
        # cross the network to 192.168.0.4 in clear text.
        start_tls = no
        # tls_cacertfile        = /path/to/cacert.pem
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # Only entries that have this attribute are allowed to authenticate
        access_attr = "uid"
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
b.    authorize with ldap
#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap
c.    authenticate with ldap
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
        ldap
}

2.    Adjust users

# vi /etc/raddb/users
Change the DEFAULT Auth-Type from System to LDAP, so every account that is not matched earlier in the file is checked against the directory:
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT        Auth-Type = System
#       Fall-Through = 1
DEFAULT Auth-Type := LDAP
        Fall-Through = 1

3.    Testing

Run radtest from the RADIUS host itself against each backend (the last argument is the shared secret). Every request must come back as Access-Accept.

a.    LDAP
# radtest 999999 pwd 127.0.0.1 1812 radiusuii
Sending Access-Request of id 43 to 127.0.0.1 port 1812
        User-Name = "999999"
        User-Password = "pwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=43, length=20
b.    MySQL
# radtest prayitna prayitna 127.0.0.1 1812 radiusuii
Sending Access-Request of id 47 to 127.0.0.1 port 1812
        User-Name = "prayitna"
        User-Password = "prayitna"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=44
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
c.    file
# radtest user1 password1 127.0.0.1 1812 radiusuii
Sending Access-Request of id 52 to 127.0.0.1 port 1812
        User-Name = "user1"
        User-Password = "password1"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=52, length=20
Success: all three backends answer with Access-Accept.
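The following is an added example, not part of the original post and not FreeRADIUS code. It shows two things a practitioner wants when automating the steps above: how the `filter` template from radiusd.conf expands for a given User-Name when the expansion is escaped per RFC 4515 (FreeRADIUS's ldap module does this escaping for its own filter; a separate script, such as the voucher script from requirement 4, that builds its own LDAP query must do the same), and how to turn radtest output into a pass/fail check instead of eyeballing it. The radtest transcripts embedded below are constructed in radtest's format, not captured from the server on this page.

```python
"""Offline helpers for checking the FreeRADIUS + LDAP setup above.

- expand_filter(): expands the rlm_ldap `filter` template for a User-Name
  with RFC 4515 escaping, so a ')' or '*' in the name cannot widen the search.
- parse_radtest(): turns radtest output into the reply code and attributes,
  so the testing step can be asserted instead of read by eye.
The sample radtest transcripts below are constructed, not captured.
"""
import re
from typing import Any, Dict, Optional

# RFC 4515 section 3: characters that must appear as \XX inside a filter value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The expansions that appear in the two filter lines of radiusd.conf.
_TOKEN_RE = re.compile(r"%\{Stripped-User-Name:-%\{User-Name\}\}|%\{User-Name\}|%u")
# radtest reply header, e.g. "rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=43, length=20"
_REPLY_RE = re.compile(r"rad_recv: (Access-\w+) packet from host ([^,]+), id=(\d+), length=(\d+)")
# attribute lines, e.g. '        User-Name = "999999"' or '        NAS-Port = 1812'
_ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user_name: str,
                  stripped_user_name: Optional[str] = None) -> str:
    """Expand %u / %{User-Name} / %{Stripped-User-Name:-%{User-Name}} in one pass.

    Stripped-User-Name is the realm-less name (999999 for 999999@uii.ac.id);
    when it is unset, the ':-' default falls back to User-Name, as in radiusd.conf.
    Every substituted value is escaped, so the template's own parentheses are the
    only filter syntax that survives.
    """
    def repl(match: "re.Match[str]") -> str:
        token = match.group(0)
        if token.startswith("%{Stripped") and stripped_user_name is not None:
            return ldap_filter_escape(stripped_user_name)
        return ldap_filter_escape(user_name)

    return _TOKEN_RE.sub(repl, template)


def parse_radtest(output: str) -> Dict[str, Any]:
    """Split radtest output into request attrs, reply code and reply attrs."""
    request: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    code = None
    target = request                      # attributes before rad_recv belong to the request
    for line in output.splitlines():
        m = _REPLY_RE.match(line.strip())
        if m:
            code = m.group(1)             # Access-Accept / Access-Reject / Access-Challenge
            target = reply                # attributes after this line belong to the reply
            continue
        m = _ATTR_RE.match(line)
        if m:
            target[m.group(1)] = m.group(2)
    return {"code": code, "request": request, "reply": reply}


def accepted(output: str, expected_user: str) -> bool:
    """True only if radtest received Access-Accept for the user we asked about."""
    result = parse_radtest(output)
    return (result["code"] == "Access-Accept"
            and result["request"].get("User-Name") == expected_user)


# Constructed transcripts in radtest's format (not captured from a live server).
SAMPLE_ACCEPT = """\
Sending Access-Request of id 43 to 127.0.0.1 port 1812
        User-Name = "999999"
        User-Password = "pwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=43, length=44
        Framed-Protocol = PPP
        Service-Type = Framed-User
"""
SAMPLE_REJECT = """\
Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "999999"
        User-Password = "wrong"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=44, length=20
"""

if __name__ == "__main__":
    print(expand_filter("(uid=%u)", "999999"))
    print(expand_filter("(uid=%u)", "999999)(uid=*"))   # injection attempt, neutralised
    print(expand_filter("(uid=%{Stripped-User-Name:-%{User-Name}})", "999999@uii.ac.id", "999999"))
    print(accepted(SAMPLE_ACCEPT, "999999"), accepted(SAMPLE_REJECT, "999999"))
```

To use this against the real server, pipe radtest into the parser, e.g. `accepted(subprocess.run([...], capture_output=True, text=True).stdout, "999999")`, and fail the deployment check when it returns False. The expanded filter strings are also handy to paste into ldapsearch against 192.168.0.4 with the same bind DN, which isolates a directory-side problem (wrong basedn, missing uid, bind denied) from a RADIUS-side one.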
