FreeRadius Integration with OpenLDAP and Dynamic Vlan Assignment with Meraki (CentOS v7)

alemabrahao
Kind of a big deal

Hello guys,

This is a guide I created about how to integrate FreeRADIUS with OpenLDAP and perform dynamic VLAN assignment with Meraki Wi-Fi (CentOS v7).
I hope it helps you.

 

OpenLDAP installation and configuration

 

  • Install OpenLDAP with the installation packages:

 

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

 

  • Start and enable the SLAPD service:

 

service slapd start

systemctl enable slapd.service

 

  • Generate the LDAP administrative password:

 

slappasswd

 

We will have something like the following after the password is generated: {SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG

Note: Copy the generated hash as it will be necessary for the following configurations.

 

  • The configuration that we must change is located in the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif. However, it is not recommended to edit this file directly, so let's create the database.ldif file and insert the following parameters as in the example:

 

cd /etc/openldap/slapd.d/

vi database.ldif

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcSuffix

olcSuffix: dc=local,dc=br

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootDN

olcRootDN: cn=Manager,dc=local,dc=br

 

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootPW

# password hash generated with slappasswd in the previous step
olcRootPW: {SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG

 

Apply the change to the LDAP database using the following command:

 

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/database.ldif

 

We should have an output similar to the example:

 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={2}hdb,cn=config"

 

modifying entry "olcDatabase={2}hdb,cn=config"

 

modifying entry "olcDatabase={2}hdb,cn=config"

 

 

  • Next we have to change the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file. As in the previous step, it is not recommended to edit this file directly, so we will create the file monitor.ldif and enter the following parameters:

 

dn: olcDatabase={1}monitor,cn=config

changetype: modify

replace: olcAccess

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=local,dc=br" read by * none

 

Make the changes using the following command:

 

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/monitor.ldif

 

We should have an output similar to the example:

 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={1}monitor,cn=config"

 

  • Create a self-signed SSL certificate, which will be used by our LDAP server. Use the following command:

 

openssl req -new -x509 -sha256 -nodes -out /etc/openldap/certs/local-cert.pem -keyout /etc/openldap/certs/local-key.pem -days 365

 

We must fill in the information as in the example below:

[screenshot: the openssl req prompts filled in with the organization and host details]

 

After generating the certificate, we will adjust the user and group permissions with the following command:

 

chown ldap: /etc/openldap/certs/*.pem

 

  • Then we must insert the certificate information in the file /etc/openldap/slapd.d/cn=config.ldif, which also must not be edited directly, so let's create the certificates.ldif file with the following information:

 

dn: cn=config

changetype: modify

replace: olcTLSCertificateFile

olcTLSCertificateFile: /etc/openldap/certs/local-cert.pem

 

dn: cn=config

changetype: modify

replace: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/openldap/certs/local-key.pem

 

Make the changes using the following command:

 

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/certificates.ldif

 

 

Check current settings with the command:

 

slaptest -u

 

We should have the output like the example below:

 

config file testing succeeded

 

  • Now we will copy the example database provided by OpenLDAP to /var/lib/ldap and change the user and group permissions:

 

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown ldap: /var/lib/ldap/*

 

  • Once this is done, we will add the following LDAP schemas:

 

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

 

  • Now let's create the base.ldif file in /etc/openldap/slapd.d and insert the following parameters:

 

dn: dc=local,dc=br

dc: local

objectClass: top

objectClass: domain

 

dn: cn=Manager,dc=local,dc=br

objectClass: organizationalRole

cn: Manager

description: LDAP Administrator

 

dn: ou=People,dc=local,dc=br

objectClass: organizationalUnit

ou: People

 

dn: ou=Group,dc=local,dc=br

objectClass: organizationalUnit

ou: Group

 

 

Make the changes with the following command:

 

ldapadd -x -W -D "cn=Manager,dc=local,dc=br" -f /etc/openldap/slapd.d/base.ldif

Note that you will be prompted for the previously generated root password (in our case, the "Manager" user, which we used in our examples and whose password hash we generated at the beginning with slappasswd).

 

If everything is correct, we will have output similar to the following example:

 

Enter LDAP Password:

adding new entry "dc=local,dc=br"

 

adding new entry "cn=Manager,dc=local,dc=br"

 

adding new entry "ou=People,dc=local,dc=br"

 

adding new entry "ou=Group,dc=local,dc=br"

 

  • Now we will add the following services to the Firewall configuration, for that we will execute the following commands:

 

firewall-cmd --permanent --add-service=ldap

firewall-cmd --permanent --add-service=radius

firewall-cmd --permanent --add-service=http

firewall-cmd --reload

 

Install and configure the OpenLDAP Client:

 

yum install -y openldap-clients nss-pam-ldapd

 

Add the client IP (in this case our server IP) and restart nslcd with the following commands:

 

authconfig --enableldap --enableldapauth --ldapserver=<server IP> --ldapbasedn="dc=local,dc=br" --enablemkhomedir --update

 

systemctl restart nslcd

 

FreeRadius Integration with OpenLDAP and Dynamic Vlan Assignment

 

The following settings are a complement to the FreeRadius v3 file and Dynamic Vlan Assignment with Meraki v1.0.

 

  • Create a symbolic link from the LDAP module to the active modules:

 

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

 

  • Enable LDAP support in /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel files, for that we must leave both files configured as follows:

 

authorize {
        ldap                    # uncomment
}

authenticate {
        Auth-Type LDAP {        # uncomment this block
                ldap
        }
}

 

  • Now we must configure the /etc/raddb/mods-enabled/ldap file as follows:

 

ldap {
        server = 'Ip_Servidor'
        port = 389
        identity = 'cn=Manager,dc=local,dc=br'
        password = 'senha_usuário_ldap'
        base_dn = 'dc=local,dc=br'

        group {
                name_attribute = cn             # uncomment

                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"    # uncomment
        }
}

 

 

  • Change the following configuration in the /etc/raddb/mods-enabled/eap file:

 

#default_eap_type = md5                 # comment out this line
        default_eap_type = peap         # insert this line below it

 

Change the following line from no to yes so that the reply attributes from the inner tunnel (the VLAN attributes) are copied into the outer reply that the RADIUS server sends back to the access point:

 

use_tunneled_reply = yes

 

 

  •  Edit the /etc/raddb/users file, comment out all lines and insert the following lines:

 

DEFAULT Ldap-Group == "cn=ti,ou=Group,dc=local,dc=br"

        Tunnel-Medium-Type = 6,

        Tunnel-Private-Group-ID = "VLAN ID",

        Tunnel-Type = VLAN

 

After that restart the OpenLDAP and FreeRadius services:

 

service slapd restart

service radiusd restart

 

With the services running and integrated, we can test the user with the following command:

 

radtest -x username password localhost 0 testing123

 

If everything is correct, we should have the result as shown below:

[screenshot: radtest output showing Received Access-Accept with the Tunnel-* VLAN attributes]

 

 

Note: First we need to create the group and after that create the user linking it to the created group so that we can run the test.
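To create that group and user, here is an added Python helper (example code, not part of the original post) that generates the LDIF for a posixGroup named ti under ou=Group and a user under ou=People, hashing the password in the same {SSHA} format that slappasswd produces. The user name, numeric IDs and password are constructed sample values; the group uses memberUid so that it matches the second branch of the membership_filter configured above.

```python
import base64
import hashlib
import os
from typing import List, Optional

# Base DN from the base.ldif created earlier in this guide.
BASE_DN = "dc=local,dc=br"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt), like slappasswd."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (the salt is everything after the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def group_ldif(name: str, gid: int, members: List[str]) -> str:
    """posixGroup entry (nis schema); memberUid is what FreeRADIUS's membership_filter matches."""
    lines = [f"dn: cn={name},ou=Group,{BASE_DN}", "objectClass: posixGroup",
             f"cn: {name}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {m}" for m in members]
    return "\n".join(lines) + "\n"


def user_ldif(uid: str, full_name: str, surname: str, uid_number: int, gid: int, password: str) -> str:
    """inetOrgPerson + posixAccount entry (schemas loaded above) with an {SSHA} userPassword."""
    lines = [f"dn: uid={uid},ou=People,{BASE_DN}",
             "objectClass: inetOrgPerson", "objectClass: posixAccount",
             f"uid: {uid}", f"cn: {full_name}", f"sn: {surname}",
             f"uidNumber: {uid_number}", f"gidNumber: {gid}",
             f"homeDirectory: /home/{uid}", "loginShell: /bin/bash",
             f"userPassword: {ssha_hash(password)}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: group first, then the user that belongs to it.
    # Save the output as users.ldif and load it with:
    #   ldapadd -x -W -D "cn=Manager,dc=local,dc=br" -f users.ldif
    print(group_ldif("ti", 10000, ["jdoe"]))
    print(user_ldif("jdoe", "John Doe", "Doe", 10001, 10000, "ChangeMe!"))
```

After loading the file, radtest with jdoe / ChangeMe! should return Access-Accept carrying the Tunnel-* attributes configured for cn=ti in /etc/raddb/users.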

 

 

  • Commands for Log:

 

tail -f /var/log/radius/radius.log

tail -f /var/log/ldap.log

 

Last but not least, configure the Meraki Dashboard so that the APs accept the VLAN attributes sent by the RADIUS server. Under Wireless > Configure > Access Control, select the SSID and, in "Radius Override", enable the option "RADIUS Response Can Override VLAN tag".

[screenshot: the Meraki Dashboard Access Control page with RADIUS override enabled]

Note: It is necessary to configure the ports on the switch where the APs are connected in trunk mode, specifying the VLANs that will be used.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
BlakeRichardson
Kind of a big deal

Awesome, thanks for sharing!
