Using LDAP for AAA¶
To authenticate users against an LDAP server, such as Microsoft Active Directory, the Lantronix Control Center (CC) or Lantronix Local Manager (LM) must connect through a RADIUS server, which brokers the connection to the LDAP server. This document explains how to configure the FreeRADIUS service to run on a CC.
After FreeRADIUS is configured, the CC and LMs can be set to use the RADIUS / LDAP service for user authentication. The CC and LMs can also be configured to automatically create users and assign them to Lantronix groups that match their LDAP group membership.
Danger
The process described in this document is not compatible with LMS 6.2 due to an operating system upgrade that includes freeradius3. Please contact Lantronix Support for more information.
Requirements¶
- Lantronix Control Center running LMS version 5.4 or higher
- LDAP Server (Microsoft Server 2012 has been tested)
- Root access to the Control Center's Linux operating system
Control Center Configuration¶
Testing¶
During testing, you may want to use the following command to start FreeRADIUS in debug mode:
Clients¶
Edit /etc/raddb/clients.conf and add an entry to the bottom of the file with the IP address or network of the Control Center. In this example, the Control Center is 198.51.100.1.
# RADIUS client entry for the Control Center (198.51.100.1 in this example).
client 198.51.100.1 {
# # secret and password are mapped through the "secrets" file.
# The shared secret must equal the "Secret" entered under Control Center
# AAA Settings.  "password" is only a placeholder: replace it with a long,
# random value, since this secret is what authenticates the CC to the
# RADIUS server.
secret = password
shortname = TESTCC
}
Or to just specify the network:
Lantronix Dictionary¶
Add the following lines to /usr/share/freeradius/dictionary.uplogix:
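# Lantronix vendor-specific attributes (vendor id 10243).
VENDOR Lantronix 10243
BEGIN-VENDOR Lantronix
ATTRIBUTE Lantronix-Version 1 string
# Comma-separated group list returned to the Control Center (built in post-auth).
ATTRIBUTE Lantronix-User-Groups 3 string
ATTRIBUTE Lantronix-CLI-Command 4 string
ATTRIBUTE Lantronix-Envoy-Serial 5 string
ATTRIBUTE Lantronix-Task-Id 6 string
# Scratch attributes used only inside the post-auth section of radiusd.conf.
# They are removed from the reply (`!* ANY`) before it is sent, so their
# numbers are not seen by the client.  The original listing reused numbers
# 81-85 for GROUP6-GROUP15, which collides with GROUP1-GROUP5; the values
# 86-95 below are constructed here so every attribute has a unique number.
# Confirm they do not clash with any other Lantronix attribute in use.
ATTRIBUTE Lantronix-TEMP 98 string
ATTRIBUTE Lantronix-GROUP1 81 string
ATTRIBUTE Lantronix-GROUP2 82 string
ATTRIBUTE Lantronix-GROUP3 83 string
ATTRIBUTE Lantronix-GROUP4 84 string
ATTRIBUTE Lantronix-GROUP5 85 string
ATTRIBUTE Lantronix-GROUP6 86 string
ATTRIBUTE Lantronix-GROUP7 87 string
ATTRIBUTE Lantronix-GROUP8 88 string
ATTRIBUTE Lantronix-GROUP9 89 string
ATTRIBUTE Lantronix-GROUP10 90 string
ATTRIBUTE Lantronix-GROUP11 91 string
ATTRIBUTE Lantronix-GROUP12 92 string
ATTRIBUTE Lantronix-GROUP13 93 string
ATTRIBUTE Lantronix-GROUP14 94 string
ATTRIBUTE Lantronix-GROUP15 95 string
END-VENDOR Lantronix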
Add the following line to /usr/share/freeradius/dictionary:
Attribute Map¶
Add the following lines to /etc/raddb/ldap.att
RADIUS Configuration¶
Replace the contents of /etc/raddb/radiusd.conf with the following.
You will need to update the following fields for your LDAP server:
- server
- identity
- password
- basedn
# Installation and runtime paths.  ${name} is FreeRADIUS variable
# substitution, so the derived paths follow the first few definitions.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${localstatedir}/lib/radiusd
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
# Unprivileged account the daemon runs as after start-up; the files under
# ${raddbdir} (which hold the LDAP bind password and client secrets) should
# be readable by this account and root only.
user = radiusd
group = radiusd
# Request handling limits (seconds / counts).
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Authentication listener.  ipaddr = * binds every interface; port = 0
# selects the default RADIUS port (1812, the port entered in the Control
# Center AAA Settings).  Only hosts listed in clients.conf are answered.
listen {
type = auth
ipaddr = *
port = 0
}
# Accounting listener; port = 0 again selects the default (1813).
listen {
type = acct
ipaddr = *
port = 0
}
# No reverse DNS on client addresses (avoids slow lookups in the request path).
hostname_lookups = no
# Keep core dumps off: a core image would contain the LDAP bind password
# and client secrets held in memory.
allow_core_dumps = no
# Regular-expression support is required by the =~ matches in post-auth.
regular_expressions = yes
extended_expressions = yes
# Logging.  auth = no means authentication attempts are NOT recorded in
# ${logdir}/radius.log; set auth = yes if an audit trail of successful and
# failed logins is wanted.  auth_badpass / auth_goodpass would write the
# submitted password into the log in cleartext -- leave them off.
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
# Legacy user-name handling options, all disabled: the User-Name is passed
# to the LDAP filter as received, without case folding or space stripping.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# Helper used for simultaneous-use checks; not exercised by this setup.
checkrad = ${sbindir}/checkrad
# Hardening knobs.  reject_delay delays every Access-Reject by one second,
# which slows down password guessing against the LDAP account base.
# status_server = no refuses Status-Server probes.
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# Proxying is enabled but pre-proxy/post-proxy below are empty, so only
# realms defined in proxy.conf (none required for this setup) are forwarded.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# clients.conf is where the Control Center entry from the Clients section lives.
$INCLUDE ${confdir}/clients.conf
# SNMP agent disabled.
snmp = no
#$INCLUDE ${confdir}/snmp.conf
# Worker thread pool sizing.  max_requests_per_server = 0 means a thread is
# never recycled after a fixed number of requests.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# LDAP back end.  The four values named in the text above (server, identity,
# password, basedn) are the only ones that must be changed per site.
ldap {
# With CentOS 6 (freeradius 2.2.6), if you use
# start_tls, you need to use the hostname, so it will
# match the certificate of the server
server = "203.0.113.14"
# Bind account used to search the directory.  The password is stored here
# in cleartext, so restrict this file to root/radiusd.  Consider a dedicated
# read-only service account rather than the domain Administrator.
identity = "CN=Administrator,CN=Users,DC=doc,DC=lantronix,DC=com"
password = "strong_generated_password"
basedn = "CN=Users,DC=doc,DC=lantronix,DC=com"
# Look the user up by Active Directory logon name (sAMAccountName).
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
# With start_tls = no the bind password and every user password travel to
# the LDAP server unencrypted; see "TLS Configuration (optional)" below.
start_tls = no
# Maximum libldap debug output.  Intended for the testing phase only --
# set to 0 for production, as the verbose trace may include request
# contents and fills radius.log quickly.
ldap_debug = 0xffff
ldap_connections_number = 5
# Novell eDirectory-only check; irrelevant for Active Directory.
edir_account_policy_check=no
# Per-operation timeouts in seconds.
timeout = 4
timelimit = 3
net_timeout = 1
}
# Standard request pre-processing (huntgroups/hints); vendor hacks all off.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Accounting detail files, one directory per client IP, one file per day,
# readable by the radiusd user only.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
}
instantiate {
}
# authorize: run preprocess, then let rlm_ldap look the user up.  rlm_ldap is
# expected to set Auth-Type = LDAP for users it finds, which selects the
# authenticate branch below (confirm in debug output during testing).
authorize {
preprocess
ldap
}
# authenticate: rlm_ldap binds to the directory with the user's credentials,
# so only PAP (cleartext password in the RADIUS request) works here -- this
# is why the Control Center is set to Authentication Method: PAP.
authenticate {
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
}
# Accounting records go to the detail module configured above.
accounting {
detail
}
session {
}
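post-auth {
# strip DN, CN, etc... - AT
# Lantronix-TEMP is expected to carry one group DN per value (presumably
# mapped from the user's directory group membership via /etc/raddb/ldap.att
# -- confirm against that file).  Each value is matched against the
# directory's DN suffix and reduced to the bare group name in Lantronix-GROUPn.
# NOTE: ",CN=Users,DC=doc,DC=lantronix,DC=com" is the example domain; it must
# be changed in every regex below to match your basedn, otherwise none of
# the matches fire and the user reaches the Control Center with no groups.
if ("%{reply:Lantronix-TEMP[0]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP1 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[1]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP2 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[2]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP3 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[3]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP4 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[4]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP5 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[5]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP6 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[6]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP7 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[7]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP8 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[8]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP9 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[9]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP10 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[10]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP11 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[11]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP12 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[12]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP13 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[13]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP14 := "%{1}"
}
}
}
if ("%{reply:Lantronix-TEMP[14]}" =~ /(.*),CN=Users,DC=doc,DC=lantronix,DC=com$/) {
if ("%{1}" =~ /CN=(.*)/) {
update reply {
Lantronix-GROUP15 := "%{1}"
}
}
}
# Build the single attribute the Control Center reads, then strip every
# scratch attribute so only Lantronix-User-Groups leaves the server.
# Only GROUP1-GROUP5 are joined here; GROUP6-GROUP15 are extracted above but
# discarded.  Extend this list if more than five groups per user are needed.
update reply {
Lantronix-User-Groups := " %{reply:Lantronix-GROUP1} , %{reply:Lantronix-GROUP2} , %{reply:Lantronix-GROUP3} , %{reply:Lantronix-GROUP4} , %{reply:Lantronix-GROUP5}"
Lantronix-TEMP !* ANY
Lantronix-GROUP1 !* ANY
Lantronix-GROUP2 !* ANY
Lantronix-GROUP3 !* ANY
Lantronix-GROUP4 !* ANY
Lantronix-GROUP5 !* ANY
Lantronix-GROUP6 !* ANY
Lantronix-GROUP7 !* ANY
Lantronix-GROUP8 !* ANY
Lantronix-GROUP9 !* ANY
Lantronix-GROUP10 !* ANY
Lantronix-GROUP11 !* ANY
Lantronix-GROUP12 !* ANY
Lantronix-GROUP13 !* ANY
Lantronix-GROUP14 !* ANY
Lantronix-GROUP15 !* ANY
}
}
# The original listing ran "}pre-proxy {" together on one line; the closing
# brace of post-auth and the pre-proxy section must be on separate lines.
pre-proxy {
}
post-proxy {
}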
TLS Configuration (optional)¶
To configure the FreeRADIUS server to use an encrypted connection to the LDAP server, /etc/raddb/radiusd.conf must refer to the LDAP server by hostname (so that it matches the server's certificate), and the following line must be changed as shown:
The next line after "start_tls = yes" must be the following:
Edit /etc/openldap/ldap.conf, comment out TLS_CACERTDIR and add the TLS_CACERT location as follows (replacing the example with the certificate to be used):
# Use a single CA file instead of the certificate directory.
#TLS_CACERTDIR /etc/openldap/certs
# PEM file holding the CA certificate that signed the LDAP server's certificate.
TLS_CACERT /etc/openldap/certs/WIN-243G5KGAVTH.pm.doc.lantronix.com.pem
# DEMAND: refuse the connection unless the server certificate verifies
# against TLS_CACERT.  Keep it at DEMAND; "allow" or "never" would accept an
# unverified server and defeat the purpose of enabling TLS.
TLS_REQCERT DEMAND
Use the following command to view the certificate chain presented by the LDAP server. Select the CA certificate that signed the certificate the LDAP server uses for encryption, and save that CA certificate into the file named above (i.e. /etc/openldap/certs/WIN-243G5KGAVTH.pm.doc.lantronix.com.pem):
Control Center AAA Settings Configuration¶
Navigate to Administration > AAA Settings on the Control Center and set the following values:
- Authentication Type: RADIUS
- Authentication Method: PAP
- Cache Passwords: Yes
- Fail over to Local: Yes
- Authentication Servers
- IP: IP Address of the CC
- Port: 1812
- Secret: the same secret configured for the Control Center's client entry in clients.conf (see Clients above)
Local Manager Configuration¶
If left unconfigured, Local Managers will authenticate users based on the passwords cached when the user last logged into the Control Center.
To have all Local Managers authenticate directly with the LDAP server via the FreeRADIUS proxy, return to the Administration > AAA Settings page and check the box at the bottom for Force settings to all appliances in hierarchy. Click Save.
Optionally, AAA Settings can be configured at either the Inventory Group or the Local Manager level in the hierarchy. Use the same settings as in Control Center AAA Settings Configuration above.
Finishing up¶
If FreeRADIUS is still running in debug mode, use the following command to clear the debug flag and run in normal mode:
[root@LantronixControlCenter ~]# service radiusd restart
Stopping radiusd: [ OK ]
Starting radiusd: [ OK ]
To configure FreeRADIUS service to start when the CC boots, use the chkconfig command:
[root@LantronixControlCenter ~]# chkconfig radiusd on
[root@LantronixControlCenter ~]# chkconfig --list | grep radiusd
radiusd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Congratulations! The Lantronix Control Center is now configured to work with LDAP.