Version 1.1 by Jean Franco on 2022/06/20 23:24

1 == Create Necessary Certificates ==
2
3 Follow guide [[here>>url:http://deployingradius.com/]] for creating certificates.
4
5 You'll need to put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs.
6
7 == Set up eap.conf ==
8
9 Below is an example of what you need to put in /etc/freeradius/eap.conf to handle the proper authentication methods, as well as enable future functionality.
10
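{{{# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## Example for a Unifi (WPA-Enterprise) deployment. The values are the
## stock FreeRADIUS ones; the comments mark the settings that matter for
## security and for the VLAN assignment shown further down this page.

eap {
    # EAP-MD5 is only the initial offer. It provides no server
    # authentication and no key material for wireless, so WPA-Enterprise
    # clients reject it and negotiate PEAP or TTLS (configured below).
    default_eap_type = md5
    # seconds an unfinished EAP session is kept before it is dropped
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}

    md5 {
    }

    leap {
    }

    gtc {
        #challenge = "Password: "
        auth_type = PAP
    }

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # passphrase protecting server.key; it must match the one used when
        # the key was generated (the stock certificate scripts default to
        # "whatever"), so change it if you chose a different passphrase
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        #fragment_size = 1024
        #include_length = yes
        # Revocation checking is off in this example (check_crl commented
        # out, ocsp enable = no below). If you issue client certificates
        # (EAP-TLS), enable one of them so revoked certificates are rejected.
        #check_crl = yes
        CA_path = ${cadir}
        #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        #check_cert_cn = %{User-Name}
        # OpenSSL cipher string; "DEFAULT" follows the library's own policy
        cipher_list = "DEFAULT"
        #virtual_server = check-eap-tls
        # command used to create test certificates if they are missing;
        # the certificates from the guide above are the ones to deploy
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"
        # TLS session cache (session resumption); disabled here
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }

        verify {
            #tmpdir = /tmp/radiusd
            #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
        }
        ocsp {
            enable = no
            # with override_cert_url = yes this url replaces the responder
            # named in the client certificate; only used once enable = yes
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
            # use_nonce = yes
            # timeout = 0
            # softfail = no
        }
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        # copy reply attributes from the inner tunnel to the outer reply;
        # needed for the Tunnel-* VLAN attributes set in the users file
        # to reach the access point
        use_tunneled_reply = yes
        # the tunneled credentials are authenticated by this virtual server
        # (sites-enabled/inner-tunnel), which by default consults the users file
        virtual_server = "inner-tunnel"
        #include_length = yes
    }
    peap {
        # MS-CHAPv2 inside the TLS tunnel is what common supplicants
        # (Windows, Android, iOS) use for WPA-Enterprise
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        # see ttls above: required for VLAN assignment from the inner tunnel
        use_tunneled_reply = yes
        #proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        #soh = yes
        #soh_virtual_server = "soh-server"
    }

    mschapv2 {
        #send_error = no
    }
}}}}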
94
95 == Set up clients.conf ==
96
97 You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.
98
99 **Note:** //each device (such as a UAP) will need connectivity to the FreeRADIUS server — this includes both a network route and TCP/UDP ports 1812 and 1813.//
100
101 In /etc/freeradius/clients.conf, add one group like:
102
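{{{client 192.168.0.0/24 {
    # shared secret used by the Unifi device(s) matched by this entry:
    # replace CHANGEME with a long random value and configure the same
    # value on the Unifi side. Keep the match as narrow as possible (a
    # single IP where you can) so only the intended devices can use it.
    secret = CHANGEME
    nastype = other
}}}}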
107
108 You can use single IPs (192.168.0.2 or 2001::beef) or netblocks (192.168.0.0/24 or 2001:beef::/64); the device with that single IP, or every device within that netblock, will authenticate to the server with the shared secret you put in place of 'CHANGEME'.
109
110 == Set up the users file ==
111
112 Users can be manually set up with entries in /etc/freeradius/users.
113
114 A basic user example is:
115
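{{{# the password is stored in clear text, so keep this file readable
# only by the account the FreeRADIUS daemon runs as
joeuser Cleartext-Password := "passwordhere"}}}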
118
119 A more complex one that also involves setting a VLAN that a user is part of:
120
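{{{# reply items must start with whitespace and, except the last, end with
# a comma; a line starting in column 0 would begin a new user entry.
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (RFC 3580).
joeuser Cleartext-Password := "passwordhere"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 2}}}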
125
126 Tunnel-Private-Group-Id is set to the VLAN ID you wish the user to be assigned when they connect.