Enabling FreeRADIUS users by eDirectory group membership

  • 3002371
  • 16-May-2006
  • 26-Apr-2012

Environment

Novell SUSE Linux
Novell eDirectory
FreeRADIUS

Situation

Enabling users to authenticate through RADIUS is simple to set up. However, it becomes complicated when you want to enable only those users who are members of a particular group in eDirectory.

Resolution

Install and configure FreeRADIUS (see Technical Information Document 3857). To alter the configuration for group-based authentication, follow these steps:
  1. Change the DEFAULT Auth-Type in the /etc/raddb/users file to Reject instead of LDAP
  2. Duplicate the DEFAULT section (order is important - see additional notes)
  3. On the first DEFAULT entry, change Auth-Type to LDAP
  4. On the first DEFAULT entry, change Fall-Through to "no" or 0
  5. On the first DEFAULT entry (and before the Auth-Type), insert a new parameter of "Ldap-Group == ", followed by the group name in quotes, followed by a comma. This step is not necessary with freeradius version 1.1.7-21.7.7.1 or later.
  6. Remove the attribute mapping in the "LDAP Group - SERVER" object for "RADIUS:Enable Dial Access" to "dialupAccess"
  7. Restart the FreeRADIUS service (/etc/init.d/radiusd restart)
The users in the specified group should now be able to authenticate.

Additional Information

The order of the DEFAULT entries in the users file is important. If a DEFAULT with an Auth-Type of Reject is found, a rejection is sent and all subsequent entries are marked as "unused". This means that the DEFAULT entry with an Auth-Type of Reject must be the last entry in the file.
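As an added example (not part of this TID or of FreeRADIUS), the users file fragment that results from steps 1-5 above, embedded as a constructed sample with a placeholder group DN, together with a small Python check that applies the ordering rule just described: the LDAP DEFAULT must not fall through, and a Reject DEFAULT must be the last entry. The entry parser is a simplified one written for this example, not FreeRADIUS's own.

```python
# Added example (not from the TID or FreeRADIUS): lint the DEFAULT entries of a users file.
import re

# Constructed sample: the users file after steps 1-5 of the TID.  The group
# DN is a placeholder; substitute the eDirectory group you want to allow.
GOOD_USERS = """\
DEFAULT Ldap-Group == "cn=radius-users,ou=groups,o=example", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Auth-Type := Reject
"""

ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|!=|=)\s*"?([^"]*)"?$')  # attr, op, value

def parse_entries(text):
    """Return [(name, check_items, reply_items)]; indented lines are reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # reply item of the previous entry
            if entries:
                entries[-1][2].append(line.strip().rstrip(","))
            continue
        name, _, rest = line.partition(" ")
        # split on commas outside double quotes so a quoted DN stays whole
        checks = [c.strip() for c in re.findall(r'(?:[^,"]|"[^"]*")+', rest)]
        entries.append((name, [c for c in checks if c], []))
    return entries

def item_value(items, attr):
    """Value of attr among items like 'Auth-Type := LDAP', or None."""
    for it in items:
        m = ITEM_RE.match(it)
        if m and m.group(1) == attr:
            return m.group(3)
    return None

def check_default_order(text):
    """Return the problems found; an empty list means the layout is sound."""
    problems = []
    defaults = [e for e in parse_entries(text) if e[0] == "DEFAULT"]
    for i, (_, checks, replies) in enumerate(defaults):
        auth = item_value(checks, "Auth-Type")
        if auth == "Reject" and i != len(defaults) - 1:
            problems.append("Reject DEFAULT is not last; later entries are unused")
        if auth == "LDAP" and item_value(replies, "Fall-Through") not in ("no", "0"):
            problems.append("LDAP DEFAULT must set Fall-Through = no")
    return problems
```

Run `check_default_order(open("/etc/raddb/users").read())` against the real file after editing; an empty list means the two DEFAULT entries are in the order the TID requires.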