unifi:freeradius [2015/11/01 11:50] – brielle | unifi:freeradius [2015/11/01 12:06] – brielle | ||
Line 2: | Line 2: | ||
These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. | These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. | ||
- | **1)** | + | ===== Create Necessary Certificates ===== |
+ | |||
+ | Follow guide [[http:// | ||
+ | |||
+ | You'll need to put the '' | ||
+ | |||
+ | ===== Set up eap.conf ===== | ||
+ | Below is an example of what you need to put in ''/ | ||
+ | |||
+ | < | ||
+ | ## | ||
+ | ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) | ||
+ | ## | ||
+ | |||
+ | eap { | ||
+ | default_eap_type = md5 | ||
+ | timer_expire | ||
+ | ignore_unknown_eap_types = no | ||
+ | cisco_accounting_username_bug = no | ||
+ | max_sessions = ${max_requests} | ||
+ | |||
+ | md5 { | ||
+ | } | ||
+ | |||
+ | leap { | ||
+ | } | ||
+ | |||
+ | gtc { | ||
+ | # | ||
+ | auth_type = PAP | ||
+ | } | ||
+ | |||
+ | tls { | ||
+ | certdir = ${confdir}/ | ||
+ | cadir = ${confdir}/ | ||
+ | private_key_password = whatever | ||
+ | private_key_file = ${certdir}/ | ||
+ | certificate_file = ${certdir}/ | ||
+ | CA_file = ${cadir}/ | ||
+ | dh_file = ${certdir}/ | ||
+ | random_file = / | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | CA_path = ${cadir} | ||
+ | # | ||
+ | # | ||
+ | cipher_list = " | ||
+ | # | ||
+ | make_cert_command = " | ||
+ | ecdh_curve = " | ||
+ | cache { | ||
+ | enable = no | ||
+ | lifetime = 24 # hours | ||
+ | max_entries = 255 | ||
+ | } | ||
+ | |||
+ | verify { | ||
+ | #tmpdir = / | ||
+ | #client = "/ | ||
+ | } | ||
+ | ocsp { | ||
+ | enable = no | ||
+ | override_cert_url = yes | ||
+ | url = " | ||
+ | # use_nonce = yes | ||
+ | # timeout = 0 | ||
+ | # softfail = no | ||
+ | } | ||
+ | } | ||
+ | |||
+ | ttls { | ||
+ | default_eap_type = md5 | ||
+ | copy_request_to_tunnel = no | ||
+ | use_tunneled_reply = yes | ||
+ | virtual_server = " | ||
+ | # | ||
+ | } | ||
+ | peap { | ||
+ | default_eap_type = mschapv2 | ||
+ | copy_request_to_tunnel = no | ||
+ | use_tunneled_reply = yes | ||
+ | # | ||
+ | virtual_server = " | ||
+ | #soh = yes | ||
+ | # | ||
+ | } | ||
+ | |||
+ | mschapv2 { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ===== Set up clients.conf ===== | ||
+ | You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server. | ||
+ | |||
+ | **Note:** //each device (such as a UAP) will need to have to connectivity to the FreeRADIUS server - this includes both a network route, and TCP/UDP ports 1812 and 1813.// | ||
+ | |||
+ | In ''/ | ||
+ | < | ||
+ | client 192.168.0.0/ | ||
+ | | ||
+ | nastype | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | You can use single IPs ('' | ||
+ | |||
+ | ===== Set up the users file ===== | ||
+ | Users can be manually set up with entries in ''/ | ||
+ | |||
+ | A basic user example is: | ||
+ | < | ||
+ | joeuser Cleartext-Password := " | ||
+ | </ | ||
+ | |||
+ | A more complex one that also involves setting a VLAN that a user is part of: | ||
+ | < | ||
+ | joeuser Cleartext-Password := " | ||
+ | Tunnel-Type = 13, | ||
+ | Tunnel-Medium-Type = 6, | ||
+ | Tunnel-Private-Group-Id = 2 | ||
+ | </ | ||
+ | |||
+ | '' | ||
+ | |||
+ | //**Please note that RADIUS assigned VLANs is not currently supported by the Unifi Access Points. |
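Review bot: The eap.conf example keeps the stock `private_key_password = whatever` (the line just above `private_key_file`), and the "Create Necessary Certificates" section never tells the reader to replace it with the passphrase chosen when the server key was generated, so a copy-paste deployment either fails to load the key or ships it protected by a publicly documented default. A one-line note after the block such as `Change private_key_password to the passphrase you set on the server key; do not leave the shipped default.` would close that gap. The same block sets `default_eap_type = md5` in both the outer `eap` section and `ttls`; EAP-MD5 produces no keying material and does not authenticate the server, so for WPA2-Enterprise on UniFi APs the page should name `peap` (or `ttls`) as the default and say so next to the setting. The users-file examples store `Cleartext-Password`, which PEAP/MSCHAPv2 does require, so it is worth adding that the users file must stay readable only by the RADIUS service account. The connectivity note lists "TCP/UDP ports 1812 and 1813"; with this configuration FreeRADIUS listens on UDP, so dropping "TCP" would keep readers from opening an unneeded port.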