PEAP configuration for freeradius and opendirectory


Only the parameters that change are listed; every other part of each file should be left intact.

 

/private/etc/raddb/attrs

# attr_filter rule set: which attributes pass the filter and with which
# values. "==" passes the attribute only when it carries exactly this
# value, "=*" passes it with any value. Only the RFC 3580 VLAN-assignment
# triple is listed here; the rest of the file is unchanged.
# NOTE(review): in stock FreeRADIUS 2.x "attrs" is the post-proxy filter
# (attr_filter.post-proxy). With proxy_requests = no it is probably never
# consulted for the inner-tunnel replies -- confirm which attr_filter
# instance the sites actually call before relying on this file.
DEFAULT

Tunnel-Type == VLAN,

Tunnel-Medium-Type == IEEE-802,

Tunnel-Private-Group-Id =* ANY,

 

/private/etc/raddb/radiusd.conf

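# The directive is "max_requests" (plural). A misspelled name is not a
# recognised configuration item, so radiusd would ignore it (or reject the
# file, depending on version) and the shipped default would stay in effect.
# 16384 is the number of in-flight requests the server keeps track of; each
# PEAP conversation takes several round-trips, hence the large value.
max_requests = 16384

# All users are authenticated locally against the directory; never forward
# requests to another RADIUS server.
proxy_requests = no

$INCLUDE clients.conf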

 

 

/private/etc/raddb/eap.conf

# Offer PEAP first when the supplicant starts EAP; the inner method then
# runs in sites-enabled/inner-tunnel.
default_eap_type = peap

# The gtc and leap sub-sections are left commented out. LEAP in particular
# should stay disabled: its challenge/response is sent in the clear and is
# known to be crackable offline.
#gtc

#leap

peap {

# Copy the reply attributes produced inside the tunnel (the Tunnel-* VLAN
# attributes set in sites-enabled/inner-tunnel post-auth) into the outer
# Access-Accept; without this the switch never sees the VLAN assignment.
# NOTE(review): PEAP only protects the inner credentials if the supplicant
# validates the server certificate -- the tls {} section is not shown on
# this page, so check it separately.
use_tunneled_reply = yes

}

 

/private/etc/raddb/sites-enabled/default

#unix

#files

#opendirectory

 

#   Auth-Type opendirectory {

#     opendirectory

#   }

#unix

}

 

/private/etc/raddb/sites-enabled/inner-tunnel

authorize {

# pap/chap/unix/files are not consulted inside the tunnel; only the ldap
# module looks the inner identity up in Open Directory. Which attributes it
# can read there (and therefore whether the inner EAP method can verify the
# password) depends on the directory's ACLs -- the authenticate section is
# not fully shown on this page, so confirm it against a working login.
#pap

#chap

#unix

#files

ldap

}

 

authenticate {

 

#       Auth-Type PAP {

#               pap

#       }

 

#       Auth-Type CHAP {

#               chap

#       }

#unix

 

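post-auth {
	# This section of the inner tunnel runs only after the inner EAP method
	# has ACCEPTED the user; rejected requests never reach it (they go to
	# Post-Auth-Type REJECT), so every VLAN chosen below is for an
	# authenticated user. The reply attributes set here reach the switch
	# because eap.conf sets use_tunneled_reply = yes.
	#
	# Look the VLAN up once and cache it instead of repeating the same LDAP
	# query in the condition and again in the update: that halves the
	# directory load and cannot hand out a different value than the one
	# that was tested. The query returns radiusTunnelPrivateGroupId of the
	# first group whose cn starts with "vl" and which lists the user in
	# memberUid; a user in several vl* groups gets whichever the directory
	# returns first. Plain ASCII double quotes are required and the URL
	# must not contain spaces.
	#
	# %{User-Name} is the inner (tunneled) identity. rlm_ldap's xlat escapes
	# LDAP filter metacharacters in the expansion (FreeRADIUS 2.x/3.x) --
	# verify for your version. If realms are in use, %{Stripped-User-Name}
	# may be the value that actually matches memberUid.
	# Tmp-String-0 is an internal scratch attribute from
	# dictionary.freeradius.internal (present in stock 2.x and later).
	update request {
		Tmp-String-0 := "%{ldap:ldap:///dc=uni,dc=edu?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name}))}"
	}

	# NOTE: "=" only adds an attribute the reply does not already carry. If
	# the ldap module (or a users entry) can also set Tunnel-* attributes in
	# authorize, change these to ":=" so the group lookup always wins.
	if ("%{Tmp-String-0}" != "") {
		update reply {
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-Id = "%{Tmp-String-0}"
		}
	}
	else {
		# Authenticated user who is in no vl* group: park on VLAN 80.
		# This is not an "unauthenticated" VLAN -- a failed login gets an
		# Access-Reject with no Tunnel-* attributes at all.
		update reply {
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-Id = "80"
		}
	}
}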

 

After a successful authentication, the radiusTunnelPrivateGroupId attribute of the vl* group the user belongs to decides which VLAN is assigned. Note that the inner-tunnel post-auth section only runs for accepted requests: an authenticated user who is not a member of any vl* group is placed in VLAN 80, whereas a failed authentication receives an Access-Reject with no VLAN attributes at all. Any "unauthenticated" VLAN for rejected supplicants therefore has to be configured on the switch (e.g. as a guest/auth-fail VLAN), not in this RADIUS configuration.
