These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions.
Follow the guide here for creating certificates. You'll need to put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs.
Below is an example of what you need to put in /etc/freeradius/eap.conf to handle the proper authentication methods, as well as to enable future functionality.
    # -*- text -*-
    ##
    ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
    ##
    eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        md5 {
        }

        leap {
        }

        gtc {
            #challenge = "Password: "
            auth_type = PAP
        }

        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            #fragment_size = 1024
            #include_length = yes
            #check_crl = yes
            CA_path = ${cadir}
            #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
            #check_cert_cn = %{User-Name}
            cipher_list = "DEFAULT"
            #virtual_server = check-eap-tls
            make_cert_command = "${certdir}/bootstrap"
            ecdh_curve = "prime256v1"

            cache {
                enable = no
                lifetime = 24 # hours
                max_entries = 255
            }

            verify {
                #tmpdir = /tmp/radiusd
                #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
            }

            ocsp {
                enable = no
                override_cert_url = yes
                url = "http://127.0.0.1/ocsp/"
                # use_nonce = yes
                # timeout = 0
                # softfail = no
            }
        }

        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = yes
            virtual_server = "inner-tunnel"
            #include_length = yes
        }

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = yes
            #proxy_tunneled_request_as_eap = yes
            virtual_server = "inner-tunnel"
            #soh = yes
            #soh_virtual_server = "soh-server"
        }

        mschapv2 {
            #send_error = no
        }
    }
You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.
Note: each device (such as a UAP) will need connectivity to the FreeRADIUS server; this includes both a network route and TCP/UDP ports 1812 and 1813 (authentication and accounting, respectively).
In /etc/freeradius/clients.conf, add one group like:

    client 192.168.0.0/24 {
        secret = CHANGEME
        nastype = other
    }
You can use single IPs (192.168.0.2 or 2001::beef) or netblocks (192.168.0.0/24 or 2001:beef::/64); the device with that single IP, or the devices within that netblock, will use the shared secret specified (here 'CHANGEME').
Users can be manually set up with entries in /etc/freeradius/users.
A basic user example is:
joeuser Cleartext-Password := "passwordhere"
A more complex one that also involves setting a VLAN that a user is part of:
    joeuser Cleartext-Password := "passwordhere"
            Tunnel-Type = 13,
            Tunnel-Medium-Type = 6,
            Tunnel-Private-Group-Id = 2
Tunnel-Private-Group-Id is set to the VLAN ID you wish the user to be assigned when they connect.
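As an added example (not part of the original page or of FreeRADIUS), the script below parses entries in this users-file format and checks the VLAN reply items: Tunnel-Type should be 13 (VLAN), Tunnel-Medium-Type 6 (IEEE-802) and Tunnel-Private-Group-Id a VLAN ID in 1..4094. The sample entries are constructed, and the parsing rules and range check are this example's assumptions.

```python
import re
# RFC 2868/3580 VLAN assignment as used on this page: Tunnel-Type 13 (VLAN),
# Tunnel-Medium-Type 6 (IEEE-802), Tunnel-Private-Group-Id = VLAN ID (1..4094).
VLAN_KEYS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
_COMMENT = re.compile(r'^((?:[^"#]|"[^"]*")*)#.*$')   # '#' outside quotes only
_PAIR = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|\S+?)\s*(?:,|$)')

def _pairs(text):
    """'Attr op value, Attr op value' -> {Attr: value}, quotes removed."""
    return {m.group(1): m.group(3).strip('"') for m in _PAIR.finditer(text)}

def parse_users(text):
    """Non-indented line: user name + check items; indented lines: reply items."""
    entries = []
    for raw in text.splitlines():
        line = _COMMENT.sub(r"\1", raw).rstrip()
        if not line.strip():
            continue
        if raw[0] in " \t" and entries:      # continuation line: reply items
            entries[-1]["reply"].update(_pairs(line))
            continue
        parts = line.split(None, 1)
        check = _pairs(parts[1]) if len(parts) > 1 else {}
        entries.append({"name": parts[0], "check": check, "reply": {}})
    return entries

def lint_vlan(entry):
    """Problems with an entry's VLAN reply items; an empty list means OK."""
    name, reply = entry["name"], entry["reply"]
    if not any(k in reply for k in VLAN_KEYS):
        return []                            # no VLAN assignment attempted
    problems = [f"{name}: missing {k}" for k in VLAN_KEYS if k not in reply]
    if reply.get("Tunnel-Type", "13") not in {"13", "VLAN"}:
        problems.append(f"{name}: Tunnel-Type must be 13 (VLAN)")
    if reply.get("Tunnel-Medium-Type", "6") not in {"6", "IEEE-802"}:
        problems.append(f"{name}: Tunnel-Medium-Type must be 6 (IEEE-802)")
    vid = reply.get("Tunnel-Private-Group-Id", "1")
    if not vid.isdigit() or not 1 <= int(vid) <= 4094:
        problems.append(f"{name}: VLAN ID {vid!r} is not in 1..4094")
    return problems
# Constructed sample in the users-file format shown on this page.
SAMPLE_USERS = '''\
joeuser Cleartext-Password := "passwordhere"
\tTunnel-Type = 13,
\tTunnel-Medium-Type = 6,
\tTunnel-Private-Group-Id = 2
guest Cleartext-Password := "gu#est"   # a '#' inside quotes is not a comment
\tTunnel-Type = 13,
\tTunnel-Private-Group-Id = 5000
'''
```

Running `lint_vlan` over `parse_users(SAMPLE_USERS)` accepts joeuser and reports guest for the missing Tunnel-Medium-Type and the out-of-range VLAN ID.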
Please note that RADIUS-assigned VLANs are not currently supported by the Unifi Access Points. This may be implemented at a later date.