====== FreeRadius on CentOS 7 with LDAP support ======

===== Prerequisite =====

  * Download the WPA test script: {{:rad_eap_test.gz|}}

===== Installation =====

<code bash>
yum install freeradius-ldap freeradius-utils freeradius
cd /etc/raddb/mods-enabled/
ln -s ../mods-available/ldap
</code>

===== Configuration =====

==== LDAP ====

<code bash>
vi ldap
</code>

In the ldap section change the following fields. In my example I install radius on the same machine as the ldap server, so I am going to connect to localhost. **The following config is not the complete config, only the changed part!**

<code>
ldap {
    server = "localhost"
    port = 389
    identity = "cn=manager,dc=helux,dc=nl"
    password = mypass
    base_dn = "dc=helux,dc=nl"

    update {
        control:Password-With-Header += 'userPassword'
        control:NT-Password := 'SambaNTPassword'
        reply:Reply-Message := 'radiusReplyMessage'
        reply:Tunnel-Type := 'radiusTunnelType'
        reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
    }

    user {
        access_attribute = "dialupAccess"
        access_positive = yes
    }
}
</code>

==== Clients ====

<code bash>
vi /etc/raddb/clients.conf
</code>

<code>
client private-network-1 {
    ipaddr = 172.16.0.0/16
    secret = testing123
}

client private-network-1-ipv6 {
    ipv6addr = 2a02:22a0:bbb7:400::/56
    secret = testing123
}
</code>

==== TLS ====

In this situation I already have a CA and a certificate created on the CA for this machine. So I move the old directory and create a new one!

<code bash>
cd /etc/raddb
mv certs certs.org
mkdir certs
chown root:radiusd certs
chmod 770 certs
</code>

Now let's copy the necessary files.

  * the certificate and private key must be concatenated in server.pem
  * the CA certificate must have the name ca.pem
  * copy the dh file from the original certs directory
  * set the correct permissions

Result:

<code>
cd /etc/raddb/certs
ls -l
total 16
-rw-r-----. 1 root radiusd 1375 Jun 24 16:24 ca.pem
-rw-r-----. 1 root radiusd  245 Jun 24 16:24 dh
-rw-r-----. 1 root radiusd 6297 Jun 24 16:24 server.pem
</code>

<code bash>
systemctl enable radiusd
systemctl start radiusd
</code>

===== Firewall =====

<code bash>
firewall-cmd --permanent --zone=management --add-service=radius
firewall-cmd --permanent --zone=local --add-service=radius
firewall-cmd --reload
</code>

===== Testing =====

Query user for normal access:

<code bash>
radtest localhost 2 testing123
</code>

Query user for WPA enterprise:

<code bash>
./rad_eap_test -H localhost -P 1812 -S testing123 -u -p -m WPA-EAP -e PEAP -2 MSCHAPV2
./rad_eap_test -H localhost -P 1812 -S testing123 -u -p -m WPA-EAP -e TTLS -2 PAP
</code>

===== Update to CentOS 7.4 =====

The upgrade to CentOS 7.4 breaks FreeRadius with LDAP. I discovered some errors with dots (.) in the username, so I altered the filter file in /etc/raddb/policy.d.

**THIS CODE IS OBSOLETE**

<code>
...
#       if (&User-Name =~ /\.\./ ) {
#               update request {
#                       &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
#               }
#               reject
#       }
...
#       if (&User-Name =~ /\.$/) {
#               update request {
#                       &Module-Failure-Message += 'Rejected: Realm ends with a dot'
#               }
#               reject
#       }
...
</code>

===== Peap config change for radius assigned VLAN =====

<code>
...
peap {
    ...
    use_tunneled_reply = yes
    ...
</code>

{{tag>centos}}
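The clients.conf blocks above bind a shared secret to a whole network range, and the value shown (testing123) is the well-known example secret from the FreeRADIUS documentation. As an added check that is not part of this page or of FreeRADIUS itself, the script below parses clients.conf-style blocks and flags known example secrets, short secrets and wide IPv4 ranges; the sample config, the 16-character minimum and the /24 threshold are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the clients.conf snippet from this page.
SAMPLE_CLIENTS_CONF = """
client private-network-1 {
    ipaddr = 172.16.0.0/16
    secret = testing123
}
client private-network-1-ipv6 {
    ipv6addr = 2a02:22a0:bbb7:400::/56
    secret = testing123
}
client nas-switch-a {
    ipaddr = 172.16.5.10
    secret = Qv7kTp2xL9rWzBe4HnM3
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*\"?([^\"\n]+?)\"?\s*$", re.M)

KNOWN_EXAMPLE_SECRETS = {"testing123"}  # values that appear in docs and tutorials
MIN_SECRET_LEN = 16                     # assumption: local policy minimum
MAX_IPV4_PREFIX = 24                    # assumption: flag IPv4 ranges wider than /24

def parse_clients(text):
    """Return {client_name: {key: value}} for every client block in text."""
    return {name: dict(KV_RE.findall(body)) for name, body in BLOCK_RE.findall(text)}

def audit_client(name, attrs):
    """Return a list of findings (strings) for one client block."""
    findings = []
    secret = attrs.get("secret", "")
    if secret in KNOWN_EXAMPLE_SECRETS:
        findings.append(f"{name}: secret is a well-known example value")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"{name}: secret shorter than {MIN_SECRET_LEN} characters")
    net = attrs.get("ipaddr") or attrs.get("ipv6addr")
    if net:
        network = ipaddress.ip_network(net, strict=False)
        if network.version == 4 and network.prefixlen < MAX_IPV4_PREFIX:
            findings.append(f"{name}: every host in {network} may use this secret")
    return findings

def audit_clients_conf(text):
    """Audit all client blocks and return the combined findings."""
    return [f for name, attrs in parse_clients(text).items() for f in audit_client(name, attrs)]

if __name__ == "__main__":
    for finding in audit_clients_conf(SAMPLE_CLIENTS_CONF):
        print(finding)
```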