====== FreeRADIUS EAP-TLS Example for 1x Authentication ======
These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions.
===== Create Necessary Certificates =====
Follow the guide [[http://deployingradius.com/|here]] for creating the CA, server certificate and Diffie-Hellman parameters.
You'll need to put the ''ca.pem'', ''dh'', ''server.key'', and ''server.pem'' files in ''/etc/freeradius/certs''.
===== Set up eap.conf =====
Below is an example of what to put in ''/etc/freeradius/eap.conf'' to handle the required authentication methods, as well as to enable functionality you may want later.
<code>
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    leap {
    }
    gtc {
        #challenge = "Password: "
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # must match the passphrase used when server.key was created
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        # CA that signed the client certificates presented during EAP-TLS
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        #fragment_size = 1024
        #include_length = yes
        #check_crl = yes
        CA_path = ${cadir}
        #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        #check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        #virtual_server = check-eap-tls
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
            #tmpdir = /tmp/radiusd
            #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
            # use_nonce = yes
            # timeout = 0
            # softfail = no
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
        #include_length = yes
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        #proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        #soh = yes
        #soh_virtual_server = "soh-server"
    }
    mschapv2 {
        #send_error = no
    }
}
</code>
===== Set up clients.conf =====
You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.
**Note:** //each device (such as a UAP) will need to have connectivity to the FreeRADIUS server: this includes both a network route and TCP/UDP ports 1812 and 1813.//
In ''/etc/freeradius/clients.conf'', add one block per device or device group, like:
<code>
client 192.168.0.0/24 {
    secret = CHANGEME
    nastype = other
}
</code>
You can use single IPs (''192.168.0.2'' or ''2001::beef'') or netblocks (''192.168.0.0/24'' or ''2001:beef::/64''); the device with that IP, or every device within that netblock, will use the shared secret given as ''secret'' (''CHANGEME'' in the example above).
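Both ''eap.conf'' and ''clients.conf'' use the same brace syntax, so one small parser can sanity-check both before ''freeradius'' is restarted. The script below is an added example (not code from this page or from the FreeRADIUS project): it parses ''section [name] { key = value }'' blocks, then reports the ''tls'' settings that matter for EAP-TLS (the sample-config key passphrase, revocation checking left off, a ''default_eap_type'' that is not ''tls'') and the ''clients.conf'' entries whose secret is a placeholder or short, or whose netblock is wide enough that many devices share one secret. The two sample configs and the thresholds are constructed for the example.

```python
"""Audit FreeRADIUS 2.x brace-style config files (eap.conf and clients.conf).

Added example, not code from the page or from the FreeRADIUS project. It parses
the `section [name] { key = value }` syntax both files share and reports the
settings that matter once the server fronts EAP-TLS for a fleet of access
points. The two sample configs below are constructed, not taken from a live box.
"""
import ipaddress
import re

# Constructed sample mirroring the page's eap.conf (only lines the checks read).
SAMPLE_EAP_CONF = """\
eap {
    default_eap_type = md5
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        CA_file = ${cadir}/ca.pem
        #check_crl = yes
        cipher_list = "DEFAULT"
        cache {
            enable = no
            lifetime = 24 # hours
        }
        ocsp {
            enable = no
            url = "http://127.0.0.1/ocsp/"
        }
    }
}
"""

# Constructed sample clients.conf: a placeholder secret, a good entry, and a
# short secret on an over-broad netblock.
SAMPLE_CLIENTS_CONF = """\
client 192.168.0.0/24 {
    secret = CHANGEME
    nastype = other
}
client 2001:beef::/64 {
    secret = "k9#Vq2!rT7zL0pW3mX5"
    nastype = other
}
client 10.0.0.0/8 {
    secret = short
}
"""

_KV = re.compile(r'^([\w.-]+)\s*=\s*(.*)$')
PLACEHOLDER_SECRETS = {'changeme', 'testing123', 'secret', 'password'}


def _strip_comment(line):
    """Drop a trailing # comment, leaving a # inside a double-quoted value alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line


def parse_config(text):
    """Parse brace syntax into nested dicts keyed (type, name); `tls {` is ('tls', '').

    Comment lines vanish, so a commented-out setting is simply absent afterwards.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.endswith('{'):
            head = line[:-1].split()
            child = {}
            stack[-1][(head[0], head[1] if len(head) > 1 else '')] = child
            stack.append(child)
        elif line == '}':
            if len(stack) == 1:
                raise ValueError('unexpected closing brace')
            stack.pop()
        else:
            m = _KV.match(line)
            if not m:
                raise ValueError('cannot parse line: %r' % raw)
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
    if len(stack) != 1:
        raise ValueError('unbalanced braces')
    return root


def audit_eap_tls(text):
    """Return findings (strings) about the eap/tls settings that weaken EAP-TLS."""
    eap = parse_config(text).get(('eap', ''), {})
    tls = eap.get(('tls', ''), {})
    findings = []
    if eap.get('default_eap_type') != 'tls':
        findings.append('default_eap_type is %r: supplicants must NAK to negotiate EAP-TLS'
                        % eap.get('default_eap_type'))
    if tls.get('private_key_password') == 'whatever':
        findings.append('private_key_password is the sample-config default')
    ocsp_on = tls.get(('ocsp', ''), {}).get('enable', 'no') == 'yes'
    if tls.get('check_crl', 'no') != 'yes' and not ocsp_on:
        findings.append('neither check_crl nor ocsp is enabled: revoked client certificates are still accepted')
    return findings


def audit_clients(text):
    """Return (client, finding) pairs: unparsable addresses, placeholder or short
    secrets, and netblocks wider than /24 (IPv4) or /64 (IPv6), where every
    device in the block shares the one secret."""
    findings = []
    for (kind, name), body in parse_config(text).items():
        if kind != 'client':
            continue
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            findings.append((name, 'address does not parse'))
            continue
        secret = body.get('secret', '')
        if secret.lower() in PLACEHOLDER_SECRETS:
            findings.append((name, 'placeholder secret'))
        elif len(secret) < 16:
            findings.append((name, 'secret shorter than 16 characters'))
        if net.prefixlen < (24 if net.version == 4 else 64):
            findings.append((name, 'broad netblock /%d shares one secret' % net.prefixlen))
    return findings


if __name__ == '__main__':
    for f in audit_eap_tls(SAMPLE_EAP_CONF):
        print('eap.conf:', f)
    for client, f in audit_clients(SAMPLE_CLIENTS_CONF):
        print('clients.conf %s: %s' % (client, f))
```

Point ''audit_eap_tls'' and ''audit_clients'' at the contents of your real files to run the same checks; the 16-character minimum and the /24 and /64 prefix thresholds are policy choices for the example, not FreeRADIUS limits.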
===== Set up the users file =====
Users can be manually set up with entries in ''/etc/freeradius/users''.
A basic user example is:
<code>
joeuser Cleartext-Password := "passwordhere"
</code>
A more complex one that also assigns the user to a VLAN:
<code>
# reply items go on the following indented lines; every line but the last ends in a comma
joeuser Cleartext-Password := "passwordhere"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 2
</code>
''Tunnel-Type = 13'' means VLAN and ''Tunnel-Medium-Type = 6'' means IEEE-802; ''Tunnel-Private-Group-Id'' is set to the VLAN ID you wish the user to be assigned when they connect.
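The ''users'' file has more syntax rules than the two entries above show: the check items follow the username on a line starting in column 1, the reply items sit on indented continuation lines, each but the last ends in a comma, and a blank line ends the entry. The following added example (mine, not code from this page or from FreeRADIUS) parses that layout and checks that every VLAN assignment carries a consistent ''Tunnel-Type''/''Tunnel-Medium-Type''/''Tunnel-Private-Group-Id'' triple with a VLAN ID in 1 to 4094, and that a missing comma is reported instead of silently swallowed. The sample entries (''joeuser'', ''bob'', ''alice'') are constructed.

```python
"""Parse FreeRADIUS `users` file entries and validate VLAN assignment triples.

Added example, not code from the page or from the FreeRADIUS project. Syntax
handled: `<name> <check items>` starting in column 1, indented reply lines that
end in a comma except the last one, `#` comment lines, and a blank line that
ends the entry. The sample file is constructed.
"""
import re

# Values from RFC 2868 as used for 802.1X VLAN assignment (RFC 3580); FreeRADIUS
# also accepts the dictionary names, so both spellings are allowed below.
TUNNEL_TYPE_VLAN = ('13', 'VLAN')
TUNNEL_MEDIUM_IEEE802 = ('6', 'IEEE-802')

# Constructed sample: a correct VLAN entry, a broken one, and one without VLAN.
SAMPLE_USERS = """\
# example users file
joeuser Cleartext-Password := "passwordhere"
\tTunnel-Type = 13,
\tTunnel-Medium-Type = 6,
\tTunnel-Private-Group-Id = 2

bob Cleartext-Password := "another"
\tTunnel-Private-Group-Id = 5000

alice Cleartext-Password := "third", NAS-IP-Address == 192.168.0.2
\tReply-Message = "hello"
"""

# attribute, operator (longest first so ':=' wins over '='), value
_OP = re.compile(r'^([\w-]+)\s*(:=|\+=|==|!=|=~|!~|=\*|!\*|<=|>=|<|>|=)\s*(.*)$')


def _split_items(s):
    """Split 'A = 1, B = "x,y"' on commas that are outside double quotes."""
    items, buf, in_quote = [], [], False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf))
    return [i.strip() for i in items if i.strip()]


def _parse_item(item):
    m = _OP.match(item)
    if not m:
        raise ValueError('cannot parse item: %r' % item)
    attr, op, val = m.groups()
    return attr, op, val.strip().strip('"')


def parse_users(text):
    """Return a list of {'name', 'check', 'reply'} dicts, items as (attr, op, value)."""
    entries, cur = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            cur = None                        # blank line closes the entry
            continue
        if stripped.startswith('#'):
            continue
        if raw[0] not in ' \t':               # column 1: new entry
            parts = stripped.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ''
            cur = {'name': parts[0], 'check': [_parse_item(i) for i in _split_items(rest)],
                   'reply': [], 'continued': False}
            entries.append(cur)
        else:                                 # indented: reply item line
            if cur is None:
                raise ValueError('reply item without a user line: %r' % raw)
            if cur['reply'] and not cur['continued']:
                raise ValueError('missing comma before reply item: %r' % stripped)
            cur['continued'] = stripped.endswith(',')
            cur['reply'].extend(_parse_item(i) for i in _split_items(stripped))
    return entries


def users_file_ok(text):
    """True if every entry parses (including the comma-continuation rule)."""
    try:
        parse_users(text)
        return True
    except ValueError:
        return False


def vlan_findings(entry):
    """Problems with an entry's VLAN reply items; [] if none or no VLAN requested."""
    reply = {attr: val for attr, _op, val in entry['reply']}
    if 'Tunnel-Private-Group-Id' not in reply:
        return []
    problems = []
    vid = reply['Tunnel-Private-Group-Id']
    if not vid.isdigit() or not 1 <= int(vid) <= 4094:
        problems.append('Tunnel-Private-Group-Id %r is not a VLAN ID in 1..4094' % vid)
    if reply.get('Tunnel-Type') not in TUNNEL_TYPE_VLAN:
        problems.append('Tunnel-Type must be 13 (VLAN)')
    if reply.get('Tunnel-Medium-Type') not in TUNNEL_MEDIUM_IEEE802:
        problems.append('Tunnel-Medium-Type must be 6 (IEEE-802)')
    return problems


if __name__ == '__main__':
    for e in parse_users(SAMPLE_USERS):
        print(e['name'], vlan_findings(e) or 'ok')
```

Run it against ''/etc/freeradius/users'' by reading the file into ''parse_users''; the ''bob'' entry shows the failure mode worth catching before a restart, since a switch or AP given only a group ID without the type and medium attributes will not place the port in the VLAN.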