LDAP Authentication in radiusdesk

Help
2016-02-29
2020-07-28
  • Richard Ansah

    Richard Ansah - 2016-02-29

    Hello, Please I have compiled the ldap module with freeradius to be used in RADIUSdesk. Our users are in zimbra but configuring the ldap module and default configuration in sites-enabled to authenticate with ldap does not work, even with radtest in debugging mode. Please help.

     
    • Dirk van der Walt

      Hi Richard,

      I'm currently pushed to complete a deadline so my available time is very
      limited.

      I can however give 30 minutes just to see if I can find something obvious
      which you missed.

      Can you provide me ssh access to your server so I can help you troubleshoot?

      Kind regards


       
  • Richard Ansah

    Richard Ansah - 2016-02-29

    Hello Dirk,
    I have sent you the credentials. Best Regards

     
  • Richard Ansah

    Richard Ansah - 2016-03-07

    Hello Dirk,

    Please I have been able to get the script working and users from ldap are now in the radiusdesk and authentication works fine with accept response.

    The problem now is that in the dynamic login pages when I click on connect I don't get the popup to enter username and password. It's blank with free access button at the bottom. I have a vlan interface for the dynamic login page and it redirects fine.

    my configs:

    /etc/chilli/defaults:

    HS_LANIF=em2 # Subscriber Interface for client devices
    HS_NETWORK=10.1.0.0 # HotSpot Network (must include HS_UAMLISTEN)
    HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
    HS_UAMLISTEN=10.1.0.1 # HotSpot IP Address (on subscriber network)
    HS_UAMPORT=3990 # HotSpot UAM Port (on subscriber network)
    HS_UAMUIPORT=4990 # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)

    HS_DYNIP=
    HS_DYNIP_MASK=255.255.255.0
    HS_STATIP=
    HS_STATIP_MASK=255.255.255.0
    HS_DNS_DOMAIN=

    # OpenDNS Servers
    HS_DNS1=208.67.222.222
    HS_DNS2=208.67.220.220

    # HotSpot settings for simple Captive Portal
    HS_NASID=nas01
    HS_RADIUS=localhost
    HS_RADIUS2=localhost
    HS_UAMALLOW=www.knust.edu.gh,apps.knust.edu.gh,https://apps.knust.edu.gh,webapps.knust.edu.gh,vclass.knust.edu.gh,https://vclass.knust.edu.gh,mail.knust.edu.gh,https://mail.knust.edu.gh,stdmail.knust.edu.gh,https://stdmail.knust.edu.gh,helpdesk.knust.edu.gh
    HS_RADSECRET=testing123 # Set to be your RADIUS shared secret
    HS_UAMSECRET=Logical12 # Set to be your UAM secret
    HS_UAMALIASNAME=chilli

    HS_MACAUTH=on # To turn on MAC Authentication

    HS_TCP_PORTS="80 443"

    # Standard configurations
    HS_MODE=hotspot
    HS_TYPE=chillispot
    HS_RADAUTH=1812
    HS_RADACCT=1813
    HS_ADMUSR=chillispot
    HS_ADMPWD=chillispot

    # Post-Auth proxy settings
    HS_POSTAUTH_PROXY=<host or ip>
    HS_POSTAUTH_PROXYPORT=<port>

    # Directory specifying where internal web pages can be served
    # by chilli with url /www/<file name>. Only extensions like .html
    # .jpg, .gif, .png, .js are allowed. See below for using .chi as a
    # CGI extension.
    HS_WWWDIR=/etc/chilli/www

    # Using this option assumes 'haserl' is installed per-default
    # but any CGI type program can be run from wwwsh to process requests
    # to chilli with url /www/filename.chi
    HS_WWWBIN=/etc/chilli/wwwsh

    # Some configurations used in certain user interfaces
    HS_PROVIDER=KNUST
    HS_PROVIDER_LINK=http://knust.edu.gh/

    # WISPr RADIUS Attribute support
    HS_LOC_NAME="KNUST WLAN" # WISPr Location Name and used in portal

    # WISPr settings (to form a proper WISPr-Location-Id)
    HS_LOC_NETWORK="My Network" # Network name
    HS_LOC_AC=408 # Phone area code
    HS_LOC_CC=1 # Phone country code
    HS_LOC_ISOCC=US # ISO Country code

    # Embedded miniportal
    HS_REG_MODE="tos" # or self, other
    HS_RAD_PROTO="pap" # or mschapv2, chap

    /etc/chilli/em2.326/config:

    HS_LANIF=em2.326 # WAN Interface toward the Internet
    HS_NETWORK=10.26.0.0 # HotSpot Network (must include HS_UAMLISTEN)
    HS_NETMASK=255.255.252.0 # HotSpot Network Netmask
    HS_UAMLISTEN=10.26.0.7 # HotSpot IP Address (on subscriber network)
    HS_UAMPORT=3991 # HotSpot UAM Port (on subscriber network)
    HS_UAMUIPORT=4991 # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)

    HS_DYNIP=10.26.0.11
    HS_DYNIP_MASK=255.255.252.0
    HS_STATIP=10.26.0.2
    HS_STATIP_MASK=255.255.252.0
    HS_DNS_DOMAIN=knust.edu.gh

    # OpenDNS Servers
    HS_DNS1=192.168.1.94
    HS_DNS2=8.8.8.8

    # HotSpot settings for simple Captive Portal
    HS_NASID=agric-main
    HS_RADIUS=localhost
    HS_RADIUS2=localhost
    HS_UAMALLOW=www.coova.org
    HS_RADSECRET=testing123 # Set to be your RADIUS shared secret
    HS_UAMSECRET=change-me # Set to be your UAM secret
    HS_UAMALIASNAME=chilli

    # Configure RADIUS proxy support (for 802.1x + captive portal support)
    HS_RADPROXY=on
    HS_RADPROXY_LISTEN=127.0.0.1
    HS_RADPROXY_CLIENT=127.0.0.1
    HS_RADPROXY_PORT=1645
    HS_RADPROXY_SECRET=$HS_RADSECRET

    # Example OpenWrt /etc/config/wireless entry for hostapd
    #   option encryption wpa2
    #   option server $HS_RADPROXY_LISTEN
    #   option port $HS_RADPROXY_PORT
    #   option key $HS_RADPROXY_SECRET

    # To alternatively use a HTTP URL for AAA instead of RADIUS:
    HS_UAMAAAURL=http://my-site/script.php

    # Put entire domains in the walled-garden with DNS inspection
    HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

    # Optional initial redirect and RADIUS settings
    HS_SSID=agric-main # To send to the captive portal
    HS_NASMAC=<mac address> # To explicitly set Called-Station-Id
    HS_NASIP=<ip address> # To explicitly set NAS-IP-Address

    # The server to be used in combination with HS_UAMFORMAT to
    # create the final chilli 'uamserver' url configuration.
    HS_UAMSERVER=$HS_UAMLISTEN

    # Use HS_UAMFORMAT to define the actual captive portal url.
    # Shell variable replacement takes place when evaluated, so here
    # HS_UAMSERVER is escaped and later replaced by the pre-defined
    # HS_UAMSERVER to form the actual "--uamserver" option in chilli.
    HS_UAMFORMAT=http://\$HS_UAMLISTEN:\$HS_UAMUIPORT/www/login.chi
    HS_UAMFORMAT=http://192.168.1.81/cake2/rd_cake/dynamic_details/chilli_browser_detect/

    # Same principle goes for HS_UAMHOMEPAGE.
    HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
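
A check for the kind of config pair posted above, added here as an example and not part of the original post or of RADIUSdesk/CoovaChilli: it works out which value wins when a per-interface file overrides /etc/chilli/defaults and lists the secret settings still holding shipped placeholder values. It assumes the per-interface file is read after the defaults; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit chilli settings by parsing the files, never by sourcing them.

# Effective value of KEY: the last uncommented KEY= line across FILES, with a
# trailing "# comment", padding and surrounding double quotes removed.
effective_value() {
    ev_key=$1; shift
    sed -n "s/^[[:space:]]*${ev_key}=//p" "$@" | tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/'
}

# Follow one "$OTHER_KEY" reference, as in HS_RADPROXY_SECRET=$HS_RADSECRET.
resolved_value() {
    rv_val=$(effective_value "$@")
    case $rv_val in
        '$'HS_*) shift; rv_val=$(effective_value "${rv_val#?}" "$@") ;;
    esac
    printf '%s\n' "$rv_val"
}

# Names of secret-bearing keys whose effective value is a shipped placeholder.
weak_secrets() {
    for ws_key in HS_RADSECRET HS_UAMSECRET HS_ADMPWD HS_RADPROXY_SECRET; do
        case $(resolved_value "$ws_key" "$@") in
            testing123|change-me|chillispot) printf '%s\n' "$ws_key" ;;
        esac
    done
}

# Constructed sample files; the non-placeholder values are made up.
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/defaults" <<'EOF'
HS_RADSECRET=testing123   # Set to be your RADIUS shared secret
HS_UAMSECRET="constructed-Uam-9f3c71d2"
HS_ADMUSR=chillispot
HS_ADMPWD=chillispot
EOF
cat > "$AUDIT_DIR/em2.326.config" <<'EOF'
HS_RADSECRET=constructed-Rad-5b8e02aa
HS_UAMSECRET=change-me    # Set to be your UAM secret
# HS_ADMPWD=commented-out-lines-are-ignored
HS_RADPROXY_SECRET=$HS_RADSECRET
EOF

# Defaults first, per-interface file second, so the later assignment wins.
weak_secrets "$AUDIT_DIR/defaults" "$AUDIT_DIR/em2.326.config"
```

In the sample the per-interface file repairs HS_RADSECRET but puts the placeholder back into HS_UAMSECRET, which is why the check runs on the merged result rather than on either file alone.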

     
  • Richard Ansah

    Richard Ansah - 2016-03-13

    I figured it out. Had to just uncheck only click to connect in dynamic login pages. My system is up and running. Thanks to Dirk, with the LDAP side I had to import only the users (without password) into rd and set the Auth Type to LDAP. The token and user_id for that token during the import were very important in the postData array.

    Thanks Dirk once again for the support and wonderful software.

    I am expecting over 7,000 users at a time on the system. How does it hold with load? Any suggestions with regards to hardware requirements? I am running on HP DL360P Gen8 with Intel Xeon quad core processor and 12GB of RAM.

     
    • Aleksandr Polovoy

      Hi, Richard.
      I faced a similar problem. Old instructions from old_wiki https://www.radiusdesk.com/old_wiki/technical_discussions/radiusdesk_ldap are not suitable. I tried to configure it according to analogy, authorization does not work, I imported the user from the LDAP as you suggested, but it did not help. Tell me which way to look, what did Dirk tell you please to change?

       

      Last edit: Aleksandr Polovoy 2020-07-29
