FreeRADIUS with LDAP
Integrating FreeRADIUS with LDAP allows user authentication against an LDAP directory (e.g., OpenLDAP or Active Directory). This guide covers installation, configuration, and testing of FreeRADIUS with LDAP.

Ultimate Guide to Seamlessly Integrate FreeRADIUS with LDAP for Secure Authentication
1. Install FreeRADIUS and LDAP Modules
Ubuntu/Debian
sudo apt update
sudo apt install -y freeradius freeradius-ldap ldap-utils
RHEL/CentOS/Fedora
sudo dnf install -y freeradius freeradius-ldap openldap-clients
2. Configure FreeRADIUS for LDAP Authentication
Edit the LDAP module configuration file (on RHEL/CentOS/Fedora the configuration directory is /etc/raddb rather than /etc/freeradius/3.0):
sudo nano /etc/freeradius/3.0/mods-available/ldap
Modify the following settings:
ldap {
    server = "ldap://127.0.0.1" # Change to your LDAP server IP/hostname
    identity = "cn=admin,dc=example,dc=com" # Bind DN (LDAP Admin)
    password = "your_admin_password" # LDAP Admin Password
    base_dn = "dc=example,dc=com" # Base DN for user searches
    # FreeRADIUS 3.x keeps the user search filter in the user { } subsection
    user {
        filter = "(uid=%{User-Name})" # Adjust according to your LDAP schema
    }
    # FreeRADIUS 3.x keeps the TLS settings in the tls { } subsection
    tls {
        start_tls = yes # Enable StartTLS if required
        require_cert = "allow" # Accepts unverified certificates (testing only; use "demand" with ca_file in production)
    }
}
Enable the LDAP module:
sudo ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
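A check for the settings chosen above, as an added example that is not part of the original guide or of FreeRADIUS: the script reads an ldap module file and flags a cleartext ldap:// connection without StartTLS, a require_cert value that does not enforce certificate validation, and a world-readable file holding the bind password. It assumes the FreeRADIUS 3.x key names start_tls and require_cert; the function names, finding labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# Print the value of the first uncommented "KEY = value" line in FILE, minus
# any trailing "# comment" and quotes (not suitable for the password key).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one finding per line; return 0 only when there are none.
audit_ldap_conf() {
    conf=$1 findings=0
    server=$(conf_value "$conf" server)
    start_tls=$(conf_value "$conf" start_tls)
    require_cert=$(conf_value "$conf" require_cert)
    case $server in
        ldaps://*) ;;   # TLS is negotiated before any LDAP traffic
        *)  if [ "$start_tls" != "yes" ]; then
                echo "CLEARTEXT: '$server' without start_tls sends bind and user passwords unencrypted"
                findings=$((findings + 1))
            fi ;;
    esac
    case $require_cert in
        demand|hard) ;; # connection fails unless the certificate verifies
        *)  echo "NO_CERT_CHECK: require_cert='${require_cert:-unset}' does not enforce certificate validation"
            findings=$((findings + 1)) ;;
    esac
    # The file stores the bind password, so other local users must not read it.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE: $conf contains the bind password"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample using this guide's test settings (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ldap {
    server = "ldap://127.0.0.1"   # constructed value
    password = "your_admin_password"
    tls {
        start_tls = yes
        require_cert = "allow"
    }
}
EOF
chmod 644 "$sample"
audit_ldap_conf "$sample" || echo "Resolve the findings above before production use."
rm -f "$sample"
```

Point audit_ldap_conf at the real module file (for example /etc/freeradius/3.0/mods-available/ldap) after editing it; a zero exit status means none of the three conditions was found.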
3. Add LDAP to the Authentication Flow
Edit the sites-enabled/default file:
sudo nano /etc/freeradius/3.0/sites-enabled/default
Find the authorize section and add:
authorize {
    preprocess
    ldap
}
Find the authenticate section and add the following, which runs only for requests whose control Auth-Type is LDAP:
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
4. Test LDAP Authentication
Verify that FreeRADIUS can connect to LDAP by running it in debug mode (the binary is radiusd on RHEL/CentOS/Fedora):
sudo freeradius -X
Test LDAP authentication using radtest:
radtest testuser password 127.0.0.1 1812 testing123
Replace testuser with an actual LDAP user and password with their LDAP password.
If authentication succeeds, you should see Access-Accept in the debug output.
5. Debugging Issues
- If authentication fails, filter the FreeRADIUS debug output for LDAP messages:
sudo freeradius -X | grep ldap
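- Verify LDAP connectivity (replacing -w your_admin_password with -W makes ldapsearch prompt for the password instead of leaving it in shell history):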
ldapsearch -x -H ldap://127.0.0.1 -D "cn=admin,dc=example,dc=com" -w your_admin_password -b "dc=example,dc=com"
- If Access-Reject appears, check permissions on LDAP.
Conclusion
Integrating FreeRADIUS with LDAP provides a scalable, centralized authentication mechanism for network devices, VPNs, and enterprise applications. This guide walked through installation, configuration, and testing of FreeRADIUS with an LDAP directory (such as OpenLDAP or Active Directory), enabling seamless authentication of users stored in an LDAP database.
Key Takeaways
- FreeRADIUS Installation: Installed FreeRADIUS and LDAP modules (freeradius-ldap) on Linux distributions like Ubuntu, Debian, CentOS, and RHEL.
- LDAP Module Configuration: Configured the ldap module with the correct server address, base DN, bind credentials, and user search filter.
- Authentication Flow: Integrated LDAP authentication into the FreeRADIUS authorization and authentication process by modifying mods-available/ldap and sites-enabled/default.
- Testing LDAP Connectivity: Verified that FreeRADIUS could bind to the LDAP server and fetch user credentials using ldapsearch.
- FreeRADIUS Debugging: Used freeradius -X to troubleshoot authentication errors, TLS issues, and access permissions.
- User Authentication: Successfully tested authentication using radtest to confirm that FreeRADIUS accepts valid LDAP credentials.
Benefits of LDAP Integration with FreeRADIUS
- Centralized User Management – All authentication requests are managed in one place, reducing redundancy and improving security.
- Scalability – Works well in large environments with thousands of users across multiple services.
- Security & Compliance – Ensures strong authentication policies, supports encrypted LDAP connections, and integrates with enterprise security solutions.
- Multi-Service Compatibility – Allows organizations to use a single authentication source for VPN, Wi-Fi, Linux servers, and web applications.
Next Steps
- Enable TLS for Secure LDAP Communication – Configure ldaps:// with proper certificates to encrypt communication between FreeRADIUS and LDAP.
- Integrate with Active Directory (AD) – Use Samba + FreeRADIUS for Active Directory (AD) authentication.
- Deploy FreeRADIUS in a High Availability (HA) Setup – Improve redundancy by running multiple FreeRADIUS servers with an LDAP backend.
- Implement Group-Based Policies – Restrict access based on LDAP group memberships, improving access control.
This article provided insights on the topic. For latest updates and detailed guides, stay connected with Sanchit Gurukul.
