Hello guys,
This is a guide I created about how to integrate FreeRADIUS with OpenLDAP and use Dynamic VLAN Assignment with Meraki Wi-Fi (CentOS 7).
I hope it helps you.
OpenLDAP installation and configuration
- Install OpenLDAP with the installation packages:
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
- Start and enable the SLAPD service:
service slapd start
systemctl enable slapd.service
- Generate the LDAP administrative password hash with slappasswd:
We will have something like the following after the password is generated: {SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG
Note: Copy the generated hash as it will be necessary for the following configurations.
- The configuration we must change lives in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif, but it is not recommended to edit this file directly. Instead, create a database.ldif file and insert the following parameters, as in the example:
cd /etc/openldap/slapd.d/
vi database.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=local,dc=br

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=local,dc=br

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# password hash generated in the previous step
olcRootPW: {SSHA}w2XBxT9foe5cfJz11SZiwaXaNwRmrCSG
Change the LDAP database using the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/database.ldif
We should have an output similar to the example:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
- Next we have to change the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file. As in the previous step, it is not recommended to edit this file directly, so we will create the file monitor.ldif and enter the following parameters:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=local,dc=br" read by * none
Make the changes using the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/monitor.ldif
We should have an output similar to the example:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
- Create a self-signed SSL certificate, which will be used by our LDAP server. Use the following command (the -x509 option is what makes openssl emit a self-signed certificate instead of a signing request):
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -out /etc/openldap/certs/local-cert.pem -keyout /etc/openldap/certs/local-key.pem -days 365
We must fill in the information as in the example below:
After generating the certificate, we will adjust the user and group permissions with the following command:
chown ldap: /etc/openldap/certs/*.pem
- Then we must insert the certificate information in the file /etc/openldap/slapd.d/cn=config.ldif, which also must not be edited directly, so let's create the certificates.ldif file with the following content:
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/local-cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/local-key.pem
Make the changes using the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/slapd.d/certificates.ldif
Check the current configuration with slaptest:
We should have the output like the example below:
config file testing succeeded
- Now we will copy the example database provided by OpenLDAP to /var/lib/ldap and change the user and group permissions:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap: /var/lib/ldap/*
- Once this is done, we will add the following LDAP schemas:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
- Now let's create the base.ldif file in /etc/openldap/slapd.d and insert the following entries:
dn: dc=local,dc=br
dc: local
objectClass: top
objectClass: domain

dn: cn=Manager,dc=local,dc=br
objectClass: organizationalRole
cn: Manager
description: LDAP Administrator

dn: ou=People,dc=local,dc=br
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=local,dc=br
objectClass: organizationalUnit
ou: Group
Make the changes with the following command:
ldapadd -x -W -D "cn=Manager,dc=local,dc=br" -f /etc/openldap/slapd.d/base.ldif
Note that you will be prompted for the root password generated earlier (in our case the password of the "Manager" user, which we used in our examples and whose hash we generated at the beginning with slappasswd):
If everything is correct, we will have output similar to the following example:
Enter LDAP Password:
adding new entry "dc=local,dc=br"
adding new entry "cn=Manager,dc=local,dc=br"
adding new entry "ou=People,dc=local,dc=br"
adding new entry "ou=Group,dc=local,dc=br"
- Now we will allow the following services through the firewall by executing these commands:
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=radius
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
Install and configure the OpenLDAP Client:
yum install -y openldap-clients nss-pam-ldapd
Point the client at the LDAP server IP (in this case our own server IP) and restart nslcd with the following commands:
authconfig --enableldap --enableldapauth --ldapserver=<server IP> --ldapbasedn="dc=local,dc=br" --enablemkhomedir --update
systemctl restart nslcd
FreeRADIUS Integration with OpenLDAP and Dynamic VLAN Assignment
The following settings complement the FreeRADIUS v3 configuration and Dynamic VLAN Assignment with Meraki v1.0.
- Create a symbolic link from the LDAP module to the active modules:
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
- Enable LDAP support in the /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel files. In both files, uncomment the ldap entries so that the sections look like this:
authorize {
    ...
    ldap                 # uncomment
    ...
}

authenticate {
    ...
    Auth-Type LDAP {     # uncomment
        ldap             # uncomment
    }                    # uncomment
    ...
}
- Now we must configure the /etc/raddb/mods-enabled/ldap file as follows (the group subsection is what lets the users file match on Ldap-Group; the membership_filter matches the user either by DN in a member attribute or by login name in memberUid):
ldap {
    server = 'Ip_Servidor'                  # LDAP server IP
    port = 389
    identity = 'cn=Manager,dc=local,dc=br'  # bind DN
    password = senha_usuário_ldap           # password of the bind DN
    base_dn = 'dc=local,dc=br'
    group {
        name_attribute = cn                 # uncomment
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"  # uncomment
    }
}
- Change the following configuration in the /etc/raddb/mods-enabled/eap file:
#default_eap_type = md5     # comment out
default_eap_type = peap     # insert below it
Then, in the peap { } subsection, change use_tunneled_reply from no to yes so that the attributes set in the inner tunnel are sent back to the access point in the final reply:
use_tunneled_reply = yes
- Edit the /etc/raddb/users file, comment out all existing lines and insert the following entry (replace "VLAN ID" with the numeric VLAN for that group):
DEFAULT Ldap-Group == "cn=ti,ou=Group,dc=local,dc=br"
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = "VLAN ID",
        Tunnel-Type = VLAN
After that restart the OpenLDAP and FreeRadius services:
service slapd restart
service radiusd restart
With the services running and integrated, we can test the user with the following command:
radtest -x username password localhost 0 testing123
If everything is correct, we should have the result as shown below:
Note: Before running the test we first need to create the group in ou=Group and then create the user, linking it to that group, since the Ldap-Group check is what selects the VLAN reply. While testing, follow the logs of both services:
tail -f /var/log/radius/radius.log
tail -f /var/log/ldap.log
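As an added example (not code from the original guide), the following Python reproduces the {SSHA} scheme that slappasswd produces and emits the group-then-user LDIF that the note above asks for, with a posixGroup carrying memberUid so that the memberUid branch of the FreeRADIUS membership_filter matches. The group "ti", the user "jdoe" and the numeric ids are assumed sample values; the output can be fed to ldapadd -x -W -D "cn=Manager,dc=local,dc=br" -f.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an OpenLDAP {SSHA} value, the scheme slappasswd emits by default:
    base64( SHA1(password + salt) + salt ). Uses a random 4-byte salt unless given."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value (e.g. the one in olcRootPW)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def group_and_user_ldif(base_dn: str, group: str, gid: int,
                        uid: str, uidnum: int, password: str) -> str:
    """Emit the group entry before the user entry, so the group already exists
    when the user is linked to it. Sample names/ids are assumptions, not page values."""
    group_dn = f"cn={group},ou=Group,{base_dn}"
    user_dn = f"uid={uid},ou=People,{base_dn}"
    return "\n".join([
        f"dn: {group_dn}",
        "objectClass: posixGroup",
        f"cn: {group}",
        f"gidNumber: {gid}",
        f"memberUid: {uid}",               # attribute matched by membership_filter
        "",
        f"dn: {user_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"uidNumber: {uidnum}",
        f"gidNumber: {gid}",
        f"homeDirectory: /home/{uid}",
        f"userPassword: {ssha_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    print(group_and_user_ldif("dc=local,dc=br", "ti", 10000, "jdoe", 10001, "s3cret"))
```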
Last but not least, configure the Meraki Dashboard so that the APs accept the VLAN attributes sent by the RADIUS server. Go to Wireless > Configure > Access Control, select the SSID and, under "RADIUS override", enable the option "RADIUS response can override VLAN tag".
Note: It is necessary to configure the ports on the switch where the APs are connected in trunk mode, specifying the VLANs that will be used.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.