yum install freeradius-ldap freeradius-utils freeradius
cd /etc/raddb/mods-enabled/
ln -s ../mods-available/ldap
vi ldap
In the ldap section change the following fields. In my example I install RADIUS on the same machine as the LDAP server, so I connect to localhost. The following config is not the complete config, only the changed part!
ldap {
    server = "localhost"
    port = 389
    identity = "cn=manager,dc=helux,dc=nl"
    password = mypass
    base_dn = "dc=helux,dc=nl"
    update {
        control:Password-With-Header += 'userPassword'
        control:NT-Password := 'SambaNTPassword'
        reply:Reply-Message := 'radiusReplyMessage'
        reply:Tunnel-Type := 'radiusTunnelType'
        reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
    }
    user {
        access_attribute = "dialupAccess"
        access_positive = yes
    }
}
vi /etc/raddb/clients.conf
client private-network-1 {
    ipaddr = 172.16.0.0/16
    secret = testing123
}
client private-network-1-ipv6 {
    ipv6addr = 2a02:22a0:bbb7:400::/56
    secret = testing123
}
In this situation I already have a CA and a certificate created on the CA for this machine. So I move the old directory and create a new one!
cd /etc/raddb
mv certs certs.org
mkdir certs
chown root:radiusd certs
chmod 770 certs
Now let's copy the necessary files.
Result:
cd /etc/raddb/certs
ls -l
total 16
-rw-r-----. 1 root radiusd 1375 Jun 24 16:24 ca.pem
-rw-r-----. 1 root radiusd  245 Jun 24 16:24 dh
-rw-r-----. 1 root radiusd 6297 Jun 24 16:24 server.pem
systemctl enable radiusd
systemctl start radiusd
firewall-cmd --permanent --zone=management --add-service=radius
firewall-cmd --permanent --zone=local --add-service=radius
firewall-cmd --reload
Query user for normal access:
radtest <USERNAME> <SECRET> localhost 2 testing123
Query user for WPA enterprise:
./rad_eap_test -H localhost -P 1812 -S testing123 -u <USERNAME> -p <SECRET> -m WPA-EAP -e PEAP -2 MSCHAPV2
./rad_eap_test -H localhost -P 1812 -S testing123 -u <USERNAME> -p <SECRET> -m WPA-EAP -e TTLS -2 PAP
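What the radtest command above actually puts on the wire, as an added example that is not part of this post: a minimal RFC 2865 client in Python that builds the PAP Access-Request (User-Name, User-Password obfuscated with the shared secret and the Request Authenticator, NAS-Port 2) and verifies the Response Authenticator of the server's reply, which is the only thing tying that reply to a server that knows testing123. All names, the sample user, password and reply text are constructed for the example; it runs offline and contacts no server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5    # attribute types radtest sends

def attr(atype, value):
    # One attribute: Type (1 byte), Length (1 byte, header included), Value
    return struct.pack("BB", atype, len(value) + 2) + value

def pap_crypt(data, secret, auth, decrypt=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block);
    # the Request Authenticator stands in as the "previous block" for the first one
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block   # ciphertext feeds the next key
    return out

def pap_encrypt(password, secret, auth):
    p = password.encode()
    return pap_crypt(p + b"\x00" * (-len(p) % 16), secret, auth)  # pad to 16-byte multiple

def pap_decrypt(cipher, secret, auth):
    # Server side: reverse the obfuscation and drop the NUL padding
    return pap_crypt(cipher, secret, auth, decrypt=True).rstrip(b"\x00").decode()

def build_access_request(user, password, secret, nas_port, ident=0, authenticator=None):
    # Returns (packet, request_authenticator); the authenticator is random unless supplied
    auth = os.urandom(16) if authenticator is None else authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password, secret, auth))
             + attr(NAS_PORT, struct.pack(">I", nas_port)))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, ident, request_auth, attrs, secret):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret.encode()).digest() + attrs

def reply_authentic(reply, request_auth, secret):
    # Client side: recompute it; a reply forged or altered without the secret fails
    if len(reply) < 20 or struct.unpack(">H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Because that check is all that protects the reply, the FreeRADIUS default secret testing123 used in clients.conf above should be replaced per client before the server leaves the test bench.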
The upgrade to CentOS 7.4 breaks FreeRADIUS with LDAP. I discovered some errors with dots (.) in the username, so I altered the filter file in /etc/raddb/policy.d.
THIS CODE IS OBSOLETE
...
#    if (&User-Name =~ /\.\./ ) {
#        update request {
#            &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
#        }
#        reject
#    }
...
#    if (&User-Name =~ /\.$/) {
#        update request {
#            &Module-Failure-Message += 'Rejected: Realm ends with a dot'
#        }
#        reject
#    }
...
peap {
    ...
    use_tunneled_reply = yes
    ...