FreeRADIUS EAP-TLS Example for 1x Authentication

These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions.

Follow the guide here for creating certificates.

You'll need to put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs.

Below is an example of what you need to put in /etc/freeradius/eap.conf to handle the proper authentication methods, as well as enable future functionality.

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##

	eap {
		default_eap_type = md5
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = ${max_requests}

		md5 {
		}

		leap {
		}

		gtc {
			#challenge = "Password: "
			auth_type = PAP
		}

		tls {
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			private_key_password = whatever
			private_key_file = ${certdir}/server.key
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			random_file = /dev/urandom
			#fragment_size = 1024
			#include_length = yes
			#check_crl = yes
			CA_path = ${cadir}
			#check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
			#check_cert_cn = %{User-Name}
			cipher_list = "DEFAULT"
			#virtual_server = check-eap-tls
			make_cert_command = "${certdir}/bootstrap"
			ecdh_curve = "prime256v1"
			cache {
			      enable = no
			      lifetime = 24 # hours
			      max_entries = 255
			}

			verify {
				#tmpdir = /tmp/radiusd
				#client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
			}
			ocsp {
			      enable = no
			      override_cert_url = yes
			      url = "http://127.0.0.1/ocsp/"
			      # use_nonce = yes
			      # timeout = 0
			      # softfail = no
			}
		}

		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = no
			use_tunneled_reply = yes
			virtual_server = "inner-tunnel"
			#include_length = yes
		}
		peap {
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = yes
			#proxy_tunneled_request_as_eap = yes
			virtual_server = "inner-tunnel"
			#soh = yes
			#soh_virtual_server = "soh-server"
		}

		mschapv2 {
			#send_error = no
		}
	}

You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.

Note: each device (such as a UAP) will need connectivity to the FreeRADIUS server - this includes both a network route and TCP/UDP ports 1812 and 1813.

In /etc/freeradius/clients.conf, add one client entry like:

client 192.168.0.0/24 {
	secret  = CHANGEME
	nastype = other
}

You can use single IPs (192.168.0.2 or 2001::beef) or netblocks (192.168.0.0/24 or 2001:beef::/64); the device with that single IP, or the devices within that netblock, will authenticate to the server with the shared secret given as 'CHANGEME'.

Users can be manually set up with entries in /etc/freeradius/users.

A basic user example is:

joeuser 	Cleartext-Password := "passwordhere"

A more complex one that also involves setting a VLAN that a user is part of:

joeuser 	Cleartext-Password := "passwordhere"
		Tunnel-Type = 13,
		Tunnel-Medium-Type = 6,
		Tunnel-Private-Group-Id = 2

Tunnel-Private-Group-Id is set to the VLAN ID you wish the user to be assigned when they connect.
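To audit a users file written in this layout (for instance, to list which users are assigned to which VLAN), here is an added Python parser for the two entry forms shown above. It is example code written for this page, not part of FreeRADIUS, and the sample entries it carries are constructed.

```python
import re

# One attribute/value pair: attribute, operator, value (quoted string or bare token).
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|\+=|=)\s*(".*"|\S+)$')

# Constructed sample laid out like the two entries above (not taken from a real users file).
SAMPLE_USERS = (
    'joeuser\tCleartext-Password := "passwordhere"\n\n'
    'janeuser\tCleartext-Password := "pass,word"\n'
    '\t\tTunnel-Type = 13,\n'
    '\t\tTunnel-Medium-Type = 6,\n'
    '\t\tTunnel-Private-Group-Id = 2\n'
)

def _split_items(text):
    """Split 'A = 1, B = "x,y"' on commas outside double quotes into (attr, op, value) tuples."""
    out = []
    for item in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', text):
        if not item.strip():
            continue                          # the trailing comma leaves an empty piece
        m = ITEM_RE.match(item.strip())
        if not m:
            raise ValueError('bad attribute/value pair: %r' % item)
        out.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return out

def parse_users(text):
    """Return {username: {'check': [...], 'reply': [...]}} for the body of a users file."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':                  # indented line: reply items of the open entry
            if current is None:
                raise ValueError('reply items appear before any username')
            users[current]['reply'] += _split_items(line)
        else:                                 # unindented line: username, then check items
            parts = line.split(None, 1) + ['']
            current = parts[0]
            users[current] = {'check': _split_items(parts[1]), 'reply': []}
    return users

def vlan_id(entry):
    """VLAN from the reply items (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802), else None."""
    reply = {attr: val for attr, _, val in entry['reply']}
    if reply.get('Tunnel-Type') == '13' and reply.get('Tunnel-Medium-Type') == '6':
        return int(reply['Tunnel-Private-Group-Id'])
    return None
```

Running `parse_users` over /etc/freeradius/users and calling `vlan_id` on each entry gives a quick listing of who lands on which VLAN; entries without the three Tunnel-* reply items come back as None.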

  • unifi/freeradius.txt
  • Last modified: 2017/09/25 10:05
  • by brielle