1 == Create Necessary Certificates ==
2
3 Follow the guide [[here>>url:http://deployingradius.com/]] for creating certificates. Use a CA you control and install its ca.pem on every client, with the client configured to validate the server certificate: PEAP and TTLS only protect the user's credentials if the supplicant refuses to talk to a server it cannot verify; otherwise a rogue AP presenting any certificate can collect MSCHAPv2 responses for offline cracking.
4
5 You'll need to put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs. Make server.key readable only by root and the account FreeRADIUS runs as (freerad on Debian/Ubuntu), e.g. mode 0640; the CA's own private key should not be kept on the RADIUS server at all.
6
7 == Set up eap.conf ==
8
9 Below is an example of what to put in /etc/freeradius/eap.conf to enable the authentication methods Unifi clients actually use (PEAP and TTLS with an MSCHAPv2 inner method), with the remaining options left in place for future use. This path is the FreeRADIUS 2.x layout; on 3.x the equivalent file is mods-available/eap under the raddb directory (/etc/freeradius/3.0 on Debian/Ubuntu), and the option names are largely the same.
10
11 {{code language="none"}}
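# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## Review notes:
##  * default_eap_type is PEAP, not MD5. EAP-MD5 derives no keying
##    material, so it cannot complete a WPA2-Enterprise association, and
##    it authenticates only the client, never the server.
##  * LEAP has been removed: its challenge/response is cracked offline
##    (ASLEAP) and no current Unifi client needs it.
##  * Both remaining outer methods (PEAP, TTLS) protect the inner
##    credential exchange with TLS, so clients MUST validate the server
##    certificate against ca.pem; otherwise a rogue AP can harvest
##    MSCHAPv2 hashes.

eap {
	# Type offered to clients that do not propose one. Most supplicants
	# NAK and request their own type, but the default must still be a
	# method usable for 802.1X/WPA2-Enterprise.
	default_eap_type = peap
	# Seconds an EAP state entry is kept while waiting for the next packet.
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	# EAP-MD5 is deliberately not enabled. Uncomment only for wired
	# 802.1X testing with legacy gear; never rely on it for wireless.
	#md5 {
	#}

	# EAP-GTC: inner method for one-time-password tokens. The inner
	# request is handed to PAP, so the token backend must be reachable
	# from the inner-tunnel virtual server.
	gtc {
		#challenge = "Password: "
		auth_type = PAP
	}

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		# Passphrase protecting server.key. It MUST match the passphrase
		# used when the key was generated; "whatever" is the placeholder
		# the FreeRADIUS sample certificate scripts use. Change both
		# together, and keep this file readable only by root and the
		# user radiusd runs as.
		private_key_password = whatever
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		#fragment_size = 1024
		#include_length = yes

		# Revocation checking only matters for EAP-TLS (client
		# certificates). Enable it, with a CRL placed in CA_path, if you
		# ever issue client certificates.
		#check_crl = yes
		CA_path = ${cadir}
		#check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
		#check_cert_cn = %{User-Name}

		# OpenSSL cipher string for the outer TLS tunnel. "DEFAULT" is
		# broad; prefer a restricted list such as "HIGH:!aNULL:!MD5:!RC4"
		# once you have confirmed your clients still negotiate with it.
		cipher_list = "DEFAULT"
		#virtual_server = check-eap-tls

		# Run at startup if the server certificate is missing; it
		# generates throw-away test certificates that no client trusts.
		# The certificates from the guide above must be in place before
		# any client is enrolled.
		make_cert_command = "${certdir}/bootstrap"
		ecdh_curve = "prime256v1"

		# TLS session resumption. Leave disabled unless you need faster
		# roaming: a resumed session generally skips the inner
		# authentication, so if you enable it keep lifetime short.
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}

		# Optional external verification of client certificates (EAP-TLS).
		verify {
			#tmpdir = /tmp/radiusd
			#client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
		}
		# Online revocation checking of client certificates (EAP-TLS).
		ocsp {
			enable = no
			override_cert_url = yes
			url = "http://127.0.0.1/ocsp/"
			# use_nonce = yes
			# timeout = 0
			# softfail = no
		}
	}

	# EAP-TTLS: TLS tunnel, inner request processed by the inner-tunnel
	# virtual server. Inner default is MSCHAPv2 rather than MD5.
	ttls {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		# Required so reply attributes set on the inner request (e.g. the
		# Tunnel-* VLAN attributes from the users file) are returned to the AP.
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
		#include_length = yes
	}

	# PEAP with MSCHAPv2 inside: what most Windows, Android, iOS and macOS
	# supplicants use by default for WPA2-Enterprise.
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		# Same reason as in ttls: lets the VLAN assignment from
		# inner-tunnel reach the AP.
		use_tunneled_reply = yes
		#proxy_tunneled_request_as_eap = yes
		virtual_server = "inner-tunnel"
		#soh = yes
		#soh_virtual_server = "soh-server"
	}

	mschapv2 {
		# Leave the default (MS-CHAP error codes are sent to the client)
		# unless a specific supplicant misbehaves on receiving them.
		#send_error = no
	}
}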
95 {{/code}}
96
97 == Set up clients.conf ==
98
99 You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.
100
101 **Note:** //each device (such as a UAP) will need to have connectivity to the FreeRADIUS server - this means both a network route and UDP ports 1812 (authentication) and 1813 (accounting). Restrict the host firewall on the RADIUS server to those ports from the AP/controller addresses only; RADIUS itself does not need to be reachable from client networks.//
102
103 In /etc/freeradius/clients.conf, add one group like:
104
105 {{code language="none"}}
# One client block per NAS (Unifi AP, switch or gateway) that will send
# RADIUS requests. The key is a single address or a netblock; every host
# in a netblock shares this secret, so a netblock entry lets any host on
# that subnet act as a NAS - prefer one entry per device where practical.
client 192.168.0.0/24 {
# Shared secret, also entered in the Unifi RADIUS profile. Replace with a
# long random string (32+ characters): it is the only thing authenticating
# the AP to this server and it keys the protection of the WPA session keys
# (MS-MPPE-*) returned in Access-Accept. Keep this file readable only by
# root and the radiusd user.
secret = CHANGEME
# Generic NAS type; Unifi gear needs no vendor-specific handling here.
nastype = other
}
110 {{/code}}
111
112 You can use single IPs (192.168.0.2 or 2001::beef) or netblocks (192.168.0.0/24 or 2001:beef::/64); the device with that single IP, or every device within that netblock, must be configured with the shared secret given as 'CHANGEME'. A netblock entry means any host on that subnet can present itself as an access point, so use single-IP entries (one secret per device) unless the APs share a dedicated management subnet, and generate each secret randomly rather than choosing a word.
113
114 == Set up the users file ==
115
116 Users can be manually set up with entries in /etc/freeradius/users. Passwords are stored in the clear in this file (MSCHAPv2 requires either the clear-text password or an NT-Password hash), so keep its permissions as tight as the server key's: readable by root and the radiusd user only.
117
118 A basic user example is:
119
{{{
# MSCHAPv2 (the PEAP/TTLS inner method) needs the clear-text password, or an
# NT-Password hash, to compute the challenge response; hashed forms such as
# Crypt-Password only work with PAP.
joeuser Cleartext-Password := "passwordhere"}}}
122
123 A more complex one that also involves setting a VLAN that a user is part of:
124
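{{{# MSCHAPv2 needs Cleartext-Password (or NT-Password); hashed forms only work with PAP.
# Reply items MUST be indented and comma-separated, with no comma after the last
# one: an unindented line is parsed as the start of a new user entry.
joeuser Cleartext-Password := "passwordhere"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 2}}}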
129
130 Tunnel-Private-Group-Id is set to the VLAN ID you wish the user to be assigned when they connect. Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) tell the AP to interpret that value as an 802.1Q VLAN; all three attributes are reply items, so they are only delivered to the AP because the eap.conf example above sets use_tunneled_reply = yes for PEAP and TTLS.