Configuring the FreeRADIUS Server

Configuring RADIUS involves setting up both the RADIUS server and the RADIUS client (for authentication and authorization). FreeRADIUS configuration files are usually stored in the /etc/raddb folder. The following example demonstrates how to configure the FreeRADIUS server for authentication and LDAP support:

  1. Modify the radiusd.conf file global settings:
    log_auth = yes              # log authentication requests to the log file
    log_auth_badpass = no       # don't log passwords if request rejected
    log_auth_goodpass = no      # don't log passwords if request accepted
    
  2. Modify LDAP Settings:
    modules {
        ldap {
            server = "ldaptest.extremenetworks.com"
            basedn = "o=ldaptestdemo,dc=extremenetworks,dc=com"
            filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
            base_filter = "(objectclass=radiusprofile)"
            # with start_tls = no the LDAP connection is not upgraded with StartTLS
            start_tls = no
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            authtype = ldap
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
        }
    }
    
  3. Uncomment LDAP from the authorize section:
    authorize {
        preprocess
        chap
        mschap
        suffix
        ldap
        eap
        files
    }
    
  4. Uncomment LDAP from the authenticate section:
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        ldap
        eap
    }
    

    An Extreme Networks edge switch serves as a network access server (NAS) for workstations and as a RADIUS client for the RADIUS server.

    RADIUS clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients: group the NAS devices by IP subnet, or list each NAS by host name or IP address.

  5. Configure the RADIUS client using the second method:
    client 192.168.1.1 {
        secret = extreme1
        shortname = ldap-demo
    }
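
The following is an added example, not part of the original documentation or of FreeRADIUS: a small Python check that reads the settings from steps 1, 2 and 5 and reports the ones that weaken the deployment (password logging, LDAP without StartTLS, a short shared secret). The `parse` and `audit` helpers and the 16-character threshold (the length RFC 2865 prefers for shared secrets) are assumptions of this example, and the sample text is constructed from the values shown above.

```python
import re

# Constructed sample: the settings from steps 1, 2 and 5 above, merged into one string.
SAMPLE = '''
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
modules {
    ldap {
        server = "ldaptest.extremenetworks.com"
        start_tls = no
    }
}
client 192.168.1.1 {
    secret = extreme1
    shortname = ldap-demo
}
'''

def parse(text):
    """Flatten 'key = value' lines to {'block.path.key': value}. Simplified reader, not FreeRADIUS's own parser."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop trailing comments
        if line.endswith('{'):
            path.append(line[:-1].strip())       # entering a block such as 'client 192.168.1.1'
        elif line == '}':
            del path[-1:]                        # leaving a block; tolerates an unbalanced brace
        else:
            m = re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)
            if m:
                out['.'.join(path + [m.group(1)])] = m.group(2).strip()
    return out

def audit(text, min_secret_len=16):
    """Return a list of findings for the settings this page configures."""
    cfg, findings = parse(text), []
    for key in ('log_auth_badpass', 'log_auth_goodpass'):
        if cfg.get(key) == 'yes':
            findings.append(f'{key} = yes writes user passwords to the log file')
    if 'modules.ldap.server' in cfg and cfg.get('modules.ldap.start_tls', 'no') != 'yes':
        findings.append('ldap start_tls is not yes: the LDAP connection is not upgraded with StartTLS')
    for k, v in cfg.items():
        if k.startswith('client ') and k.endswith('.secret') and len(v) < min_secret_len:
            findings.append(f'{k.rsplit(".", 1)[0]}: shared secret is {len(v)} characters (< {min_secret_len})')
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print('WARN', finding)
```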