FreeRADIUS EAP-TLS Example for 1x Authentication

Version 1.1 by Jean Franco on 2022/06/20 23:24

Create Necessary Certificates

Follow guide here for creating certificates.

You'll need to put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs.

Set up eap.conf

Below is an example of what you need to put in /etc/freeradius/eap.conf to handle the proper authentication methods, as well as enable future functionality.

# -*- text -*- ## ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) ## eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom #fragment_size = 1024 #include_length = yes #check_crl = yes CA_path = ${cadir} #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" #check_cert_cn = %{User-Name} cipher_list = "DEFAULT" #virtual_server = check-eap-tls make_cert_command = "${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { #tmpdir = /tmp/radiusd #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" # use_nonce = yes # timeout = 0 # softfail = no } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "inner-tunnel" #include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = yes #proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" #soh = yes #soh_virtual_server = "soh-server" } mschapv2 { #send_error = no } }

Set up clients.conf

You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.

Note: each device (such as a UAP) will need to have to connectivity to the FreeRADIUS server - this includes both a network route, and TCP/UDP ports 1812 and 1813.

In /etc/freeradius/clients.conf, add one group like:

client 192.168.0.0/24 { secret = CHANGEME nastype = other }

You can use single IPs (192.168.0.2 or 2001::beef) or netblocks (192.168.0.0/24 or 2001:beef::/64), and the device with that single IP or devices within that netblock will use the password specified as 'CHANGEME'.

Set up the users file

Users can be manually set up with entries in /etc/freeradius/users.

A basic user example is:

  
joeuser  Cleartext-Password := "passwordhere"

A more complex one that also involves setting a VLAN that a user is part of:

joeuser  Cleartext-Password := "passwordhere"
  Tunnel-Type = 13,
  Tunnel-Medium-Type = 6,
  Tunnel-Private-Group-Id = 2

Tunnel-Private-Group-Id is set to the VLAN ID you wish the user to be assigned when they connect.

Marcadores:
    
Maila Networks