FreeRADIUS EAP-TLS Example for 802.1X Authentication

Last modified by Jean Franco on 2022/06/23 22:09

Create Necessary Certificates

Follow the guide here for creating certificates.

Put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs. server.key is the server's private key and should be readable only by root and the user the daemon runs as (freerad on Debian/Ubuntu, e.g. chown root:freerad and chmod 640). ca.pem is the CA that issued the server certificate and, for EAP-TLS, every client certificate you intend to accept: a client certificate that does not chain to it is rejected.

Set up eap.conf

Below is an example of what to put in /etc/freeradius/eap.conf to handle the proper authentication methods, as well as enable future functionality. This is the FreeRADIUS 2.x layout; in 3.x the same module lives at /etc/freeradius/3.0/mods-available/eap with the same settings. Although the page is about EAP-TLS, the example also enables PEAP and TTLS (password logins checked against the users file) and the legacy EAP-MD5 and LEAP types; the comments in the block mark the settings to revisit before production.

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##

eap {
    # md5 is the stock default; a supplicant that wants another type NAKs and
    # proposes its own, so it still works, but for an EAP-TLS deployment
    # "tls" is the sensible default and avoids the extra round trip.
    default_eap_type = md5
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}

    # EAP-MD5 derives no keying material, so it cannot protect a WPA2-Enterprise
    # SSID, and both EAP-MD5 and LEAP are offline dictionary-crackable from a
    # capture. Keep them only for legacy wired clients; otherwise delete both.
    md5 {
    }

    leap {
    }

    gtc {
        #challenge = "Password: "
        auth_type = PAP
    }

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # Must match the passphrase on server.key. "whatever" is the passphrase
        # the bundled bootstrap script puts on its test certificates; change it
        # when you install real ones.
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        # Client certificates are accepted only if they chain to this CA.
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        #fragment_size = 1024
        #include_length = yes
        # Without check_crl (or OCSP below) a revoked client certificate is
        # still accepted for EAP-TLS.
        #check_crl = yes
        CA_path = ${cadir}
        #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        # Ties the supplicant's identity to the certificate CN; otherwise any
        # valid certificate can present any User-Name.
        #check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        #virtual_server = check-eap-tls
        # Can generate test certificates in place of the real ones; remove once
        # the certificates above are installed.
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }

        verify {
            #tmpdir = /tmp/radiusd
            #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
            # use_nonce = yes
            # timeout = 0
            # softfail = no
        }
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        # Copies reply attributes set inside the inner tunnel (such as the VLAN
        # from the users file) into the outer Access-Accept the NAS sees.
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
        #include_length = yes
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        #proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        #soh = yes
        #soh_virtual_server = "soh-server"
    }

    mschapv2 {
        #send_error = no
    }
}
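As an added check (example code written for this page, not part of FreeRADIUS or the original article), the following Python script parses an eap.conf fragment into nested dicts and flags the settings in the block above that weaken an 802.1X deployment: a weak default EAP type, the md5 and leap sections, the stock "whatever" key passphrase, make_cert_command left in place, no CRL or OCSP checking, and the DEFAULT cipher list. Both embedded configurations are constructed: PAGE_EAP_CONF is trimmed from the example above, and HARDENED_EAP_CONF is an assumed corrected variant with a made-up passphrase and cipher string.

```python
from typing import Any, Dict, List

Section = Dict[str, Any]  # key -> str value, or a nested Section for "name { ... }"


def parse_fr_config(text: str) -> Section:
    """Parse FreeRADIUS brace config ('key = value', 'name { ... }') into nested dicts.
    '#' starts a comment, so commented-out settings are absent from the result;
    ${var} references are kept as literal text, not expanded."""
    root: Section = {}
    stack: List[Section] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child: Section = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def audit_eap(cfg: Section) -> List[str]:
    """Return one finding per setting that weakens EAP/802.1X; an empty list means clean."""
    eap: Section = cfg.get("eap", {})
    tls: Section = eap.get("tls", {})
    findings: List[str] = []
    if eap.get("default_eap_type") in ("md5", "leap", "gtc"):
        findings.append(f"default_eap_type = {eap['default_eap_type']}: weak method offered first; use tls or peap")
    if "md5" in eap:
        findings.append("md5 {} present: EAP-MD5 derives no keys (unusable for WPA2-Enterprise) and is offline-crackable")
    if "leap" in eap:
        findings.append("leap {} present: LEAP is offline dictionary-crackable from a capture")
    if tls.get("private_key_password") == "whatever":
        findings.append("tls.private_key_password = whatever: the bootstrap script's stock passphrase")
    if "make_cert_command" in tls:
        findings.append("tls.make_cert_command set: test certificates can be generated in place of the real ones")
    if tls.get("check_crl") != "yes" and tls.get("ocsp", {}).get("enable") != "yes":
        findings.append("no check_crl = yes and no ocsp.enable = yes: revoked client certificates are still accepted")
    if tls.get("cipher_list", "DEFAULT") == "DEFAULT":
        findings.append("tls.cipher_list = DEFAULT: inherits OpenSSL's defaults; pin an explicit modern list")
    return findings


# Constructed sample: the page's eap.conf, trimmed to the settings the audit looks at.
PAGE_EAP_CONF = """
eap {
    default_eap_type = md5
    md5 {
    }
    leap {
    }
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        CA_file = ${cadir}/ca.pem
        #check_crl = yes
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        ocsp {
            enable = no
        }
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
"""

# Constructed hardened variant (assumed passphrase and cipher string, not from the page).
HARDENED_EAP_CONF = """
eap {
    default_eap_type = tls
    tls {
        private_key_password = correct-horse-key-passphrase
        private_key_file = ${certdir}/server.key
        CA_file = ${cadir}/ca.pem
        check_crl = yes
        cipher_list = "HIGH:!aNULL:!MD5:!RC4"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
"""

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EAP_CONF), ("hardened", HARDENED_EAP_CONF)):
        print(f"{label}: {audit_eap(parse_fr_config(text)) or ['no findings']}")
```

The parser is deliberately minimal: it treats every "#" as a comment and does not expand ${...}, which is enough for eap.conf but not for arbitrary FreeRADIUS files. Note that check_crl = yes only helps once the CRL is actually published into CA_path in OpenSSL's hashed layout; the audit checks the setting, not the file.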

Set up clients.conf

You'll need a client entry for each UniFi device (or group of devices) that will send RADIUS requests to the FreeRADIUS server.

Note: each device (such as a UAP) needs connectivity to the FreeRADIUS server: a network route plus UDP ports 1812 (authentication) and 1813 (accounting). RADIUS runs over UDP, so nothing needs to be opened for TCP.

In /etc/freeradius/clients.conf, add one client block like:

client 192.168.0.0/24 {
    secret  = CHANGEME
    nastype = other
}

The name after "client" can be a single IP (192.168.0.2 or 2001::beef) or a netblock (192.168.0.0/24 or 2001:beef::/64); a device with that IP, or any device within that netblock, must present the shared secret given as "secret" (CHANGEME above). Replace it with a long random value, ideally one per device or group: the secret is the only thing that authenticates the access point to the server, and it is recoverable offline by guessing against a single captured request/response pair, so a dictionary word does not survive a capture.
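The shared secret is the only credential behind a client block, so, as an added illustration that is not part of FreeRADIUS or the original page, the following Python builds and checks the RADIUS packets that depend on it: User-Password obfuscation (RFC 2865 section 5.2), the Response Authenticator that proves an Access-Accept came from the server, and the Message-Authenticator HMAC that RFC 3579 requires on every Access-Request carrying EAP-Message. It ends with the offline guess a captured exchange permits against a weak secret. The user, password and secret values are taken from the page's examples; the fixed Request Authenticator used in the demo is constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does with the shared secret)."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         req_auth: Optional[bytes] = None) -> bytes:
    """Access-Request with User-Name, User-Password and Message-Authenticator (RFC 2869 5.14).
    The HMAC-MD5 is keyed with the shared secret over the packet with the attribute zeroed."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, req_auth))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # overwrite the zeroed placeholder with the real HMAC


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Walk the attributes, zero the Message-Authenticator value, and recompute the HMAC."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False  # absent: RFC 3579 says to drop EAP requests without it


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS does: recompute the Response Authenticator with its copy of the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def recover_secret(request: bytes, response: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess of the shared secret from one captured request/response pair:
    one MD5 per candidate, which is why a dictionary word in clients.conf does not hold."""
    for guess in candidates:
        if verify_response(response, request, guess):
            return guess
    return None


if __name__ == "__main__":
    secret = b"CHANGEME"
    req = build_access_request(7, secret, b"joeuser", b"passwordhere", bytes(range(16)))
    accept = build_response(ACCESS_ACCEPT, req, secret)
    print("message-authenticator ok:", verify_message_authenticator(req, secret))
    print("accept verifies:", verify_response(accept, req, secret))
    print("guessed secret:", recover_secret(req, accept, [b"testing123", b"CHANGEME"]))
```

In an 802.1X exchange the User-Password attribute is replaced by EAP-Message, but the Message-Authenticator and Response Authenticator work exactly as shown, keyed only by the clients.conf secret, so the secret needs the same care as a private key and UDP 1812/1813 should not be reachable from untrusted segments.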

Set up the users file

Users can be set up manually with entries in /etc/freeradius/users. These entries serve the password-based methods (PEAP-MSCHAPv2 and TTLS, whose inner-tunnel virtual server consults this file). An EAP-TLS client is authenticated by its certificate chaining to ca.pem and needs no password entry; an entry with only reply items can still be matched on the supplicant's identity to hand out a VLAN, which is where check_cert_cn = %{User-Name} in eap.conf matters, since without it the identity is not tied to the certificate.

A basic user example is:

joeuser  Cleartext-Password := "passwordhere"

A more complex one that also assigns the user to a VLAN:

joeuser  Cleartext-Password := "passwordhere"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-Id = 2

The first line is the check item; the indented lines are reply items, one per line, each ending in a comma except the last. Tunnel-Type 13 means VLAN and Tunnel-Medium-Type 6 means IEEE-802 (the FreeRADIUS dictionary also accepts the names VLAN and IEEE-802); Tunnel-Private-Group-Id is the VLAN ID the user is placed in when they connect. A NAS following RFC 3580 needs all three, so leaving one out silently drops the assignment. For PEAP and TTLS these reply items are produced inside the inner tunnel, and use_tunneled_reply = yes in eap.conf is what copies them into the Access-Accept the UniFi device sees; the SSID or switch port must also be configured to honour RADIUS-assigned VLANs.
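To make the entry format and the VLAN triple checkable, here is an added Python example (written for this page, not part of FreeRADIUS) that renders a users-file entry like the one above and parses a users file back, reporting entries whose VLAN assignment is incomplete or whose reply items break the comma rule. The embedded SAMPLE_USERS is constructed: the page's joeuser entry plus a deliberately broken alice entry.

```python
import re
from typing import Dict, List, Tuple

TUNNEL_TYPE_VLAN = "13"       # Tunnel-Type value VLAN (RFC 2868)
TUNNEL_MEDIUM_IEEE802 = "6"   # Tunnel-Medium-Type value IEEE-802 (RFC 2868)
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*"?([^"]*)"?$')

Entry = Tuple[str, Dict[str, str], Dict[str, str]]  # (name, check items, reply items)


def vlan_entry(user: str, password: str, vlan: int) -> str:
    """Render a users-file entry that authenticates by password and assigns a VLAN."""
    return (f'{user}\tCleartext-Password := "{password}"\n'
            f"\tTunnel-Type = {TUNNEL_TYPE_VLAN},\n"
            f"\tTunnel-Medium-Type = {TUNNEL_MEDIUM_IEEE802},\n"
            f"\tTunnel-Private-Group-Id = {vlan}\n")


def _items(text: str) -> Dict[str, str]:
    """Parse 'Attr op value, Attr op value' (values containing commas are not handled)."""
    items: Dict[str, str] = {}
    for part in text.split(","):
        part = part.strip()
        if part:
            m = ITEM_RE.match(part)
            if not m:
                raise ValueError(f"cannot parse item {part!r}")
            items[m.group(1)] = m.group(3)
    return items


def parse_users(text: str) -> Tuple[List[Entry], List[str]]:
    """Split a users file into entries and report malformed VLAN assignments.
    An entry starts on an unindented 'name check-items' line; reply items follow one per
    indented line, comma-terminated except the last; a blank or unindented line ends it."""
    lines = text.splitlines()
    entries: List[Entry] = []
    problems: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            problems.append(f"line {i}: reply item outside any entry: {line.strip()!r}")
            continue
        parts = line.split(None, 1)
        name = parts[0]
        check = _items(parts[1]) if len(parts) > 1 else {}
        reply_lines: List[str] = []
        while i < len(lines) and lines[i].strip() and lines[i][0].isspace():
            reply_lines.append(lines[i].strip())
            i += 1
        for k, rl in enumerate(reply_lines):
            last = k == len(reply_lines) - 1
            if rl.endswith(",") == last:  # comma on the last item, or missing on an earlier one
                problems.append(f"{name}: reply item {rl!r} {'must not' if last else 'must'} end with a comma")
        reply = _items(",".join(reply_lines))
        if any(k.startswith("Tunnel-") for k in reply):  # VLAN assignment needs the full triple
            if reply.get("Tunnel-Type") not in (TUNNEL_TYPE_VLAN, "VLAN"):
                problems.append(f"{name}: Tunnel-Type must be 13 (VLAN)")
            if reply.get("Tunnel-Medium-Type") not in (TUNNEL_MEDIUM_IEEE802, "IEEE-802"):
                problems.append(f"{name}: Tunnel-Medium-Type must be 6 (IEEE-802)")
            if "Tunnel-Private-Group-Id" not in reply:
                problems.append(f"{name}: Tunnel-Private-Group-Id (the VLAN ID) is missing")
        entries.append((name, check, reply))
    return entries, problems


# Constructed sample: the page's joeuser entry plus a deliberately broken one.
SAMPLE_USERS = '''\
joeuser  Cleartext-Password := "passwordhere"
\tTunnel-Type = 13,
\tTunnel-Medium-Type = 6,
\tTunnel-Private-Group-Id = 2

# alice: Tunnel-Type omitted and a stray comma on the last reply item
alice  Cleartext-Password := "secret"
\tTunnel-Medium-Type = 6,
\tTunnel-Private-Group-Id = 20,
'''

if __name__ == "__main__":
    found, issues = parse_users(SAMPLE_USERS)
    print([e[0] for e in found], issues)
    print(vlan_entry("bob", "bobs-password", 30))
```

Run it against the real /etc/freeradius/users before restarting the daemon; a reply item missing its comma or carrying a stray one is the usual cause of an entry that seems to be ignored.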

Tags: Maila Networks