unifi:freeradius

unifi:freeradius [2015/11/01 11:50] brielleunifi:freeradius [2017/09/25 10:05] (current) – [Set up the users file] brielle
Line 2: Line 2:
 These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system.  They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions. These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system.  They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions.
  
-**1)** Follow guide [[http://deployingradius.com/|here]] for creating certificates.  You'll need to put the ''ca.pem'', ''dh'', ''server.key'', and ''server.pem'' files in ''/etc/freeradius/certs''.+===== Create Necessary Certificates ===== 
 + 
 +Follow guide [[http://deployingradius.com/|here]] for creating certificates. 
 + 
 +You'll need to put the ''ca.pem'', ''dh'', ''server.key'', and ''server.pem'' files in ''/etc/freeradius/certs''. 
 + 
 +===== Set up eap.conf ===== 
 +Below is an example of what you need to put in ''/etc/freeradius/eap.conf'' to handle the proper authentication methods, as well as enable future functionality. 
 + 
 +<code># -*- text -*- 
 +## 
 +##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) 
 +## 
 + 
 + eap { 
 + default_eap_type = md5 
 + timer_expire     = 60 
 + ignore_unknown_eap_types = no 
 + cisco_accounting_username_bug = no 
 + max_sessions = ${max_requests} 
 + 
 + md5 { 
 +
 + 
 + leap { 
 +
 + 
 + gtc { 
 + #challenge = "Password:
 + auth_type = PAP 
 +
 + 
 + tls { 
 + certdir = ${confdir}/certs 
 + cadir = ${confdir}/certs 
 + private_key_password = whatever 
 + private_key_file = ${certdir}/server.key 
 + certificate_file = ${certdir}/server.pem 
 + CA_file = ${cadir}/ca.pem 
 + dh_file = ${certdir}/dh 
 + random_file = /dev/urandom 
 + #fragment_size = 1024 
 + #include_length = yes 
 + #check_crl = yes 
 + CA_path = ${cadir} 
 + #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" 
 + #check_cert_cn = %{User-Name} 
 + cipher_list = "DEFAULT" 
 + #virtual_server = check-eap-tls 
 + make_cert_command = "${certdir}/bootstrap" 
 + ecdh_curve = "prime256v1" 
 + cache { 
 +       enable = no 
 +       lifetime = 24 # hours 
 +       max_entries = 255 
 +
 + 
 + verify { 
 + #tmpdir = /tmp/radiusd 
 + #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" 
 +
 + ocsp { 
 +       enable = no 
 +       override_cert_url = yes 
 +       url = "http://127.0.0.1/ocsp/" 
 +       # use_nonce = yes 
 +       # timeout = 0 
 +       # softfail = no 
 +
 +
 + 
 + ttls { 
 + default_eap_type = md5 
 + copy_request_to_tunnel = no 
 + use_tunneled_reply = yes 
 + virtual_server = "inner-tunnel" 
 + #include_length = yes 
 +
 + peap { 
 + default_eap_type = mschapv2 
 + copy_request_to_tunnel = no 
 + use_tunneled_reply = yes 
 + #proxy_tunneled_request_as_eap = yes 
 + virtual_server = "inner-tunnel" 
 + #soh = yes 
 + #soh_virtual_server = "soh-server" 
 +
 + 
 + mschapv2 { 
 + #send_error = no 
 +
 +
 +</code> 
 + 
 +===== Set up clients.conf ===== 
 +You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server. 
 + 
 +**Note:** //each device (such as a UAP) will need to have to connectivity to the FreeRADIUS server - this includes both a network route, and TCP/UDP ports 1812 and 1813.// 
 + 
 +In ''/etc/freeradius/clients.conf'', add one group like: 
 +<code> 
 +client 192.168.0.0/24 { 
 +  secret = CHANGEME 
 +        nastype           = other 
 +
 +</code> 
 + 
 +You can use single IPs (''192.168.0.2'' or ''2001::beef'') or netblocks (''192.168.0.0/24'' or ''2001:beef::/64''), and the device with that single IP or devices within that netblock will use the password specified as 'CHANGEME'
 + 
 +===== Set up the users file ===== 
 +Users can be manually set up with entries in ''/etc/freeradius/users''
 + 
 +A basic user example is: 
 +<code>   
 +joeuser Cleartext-Password := "passwordhere" 
 +</code> 
 + 
 +A more complex one that also involves setting a VLAN that a user is part of: 
 +<code> 
 +joeuser Cleartext-Password := "passwordhere" 
 + Tunnel-Type = 13, 
 + Tunnel-Medium-Type = 6, 
 + Tunnel-Private-Group-Id = 2 
 +</code> 
 + 
 +''Tunnel-Private-Group-Id'' is set to the VLAN ID you wish the user to be assigned when they connect.
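Review bot: ''default_eap_type = md5'' in the outer ''eap { }'' block (and again inside ''ttls { }'') should be ''peap'' (or ''ttls'', with ''mschapv2'' as the inner default): EAP-MD5 performs no mutual authentication and derives no keying material, so a wireless supplicant that does not propose its own method would be offered a type that cannot complete a WPA2-Enterprise association, whereas the ''peap { default_eap_type = mschapv2 }'' block further down is the method this guide actually relies on. Two smaller points in the same hunk: ''private_key_password = whatever'' is the stock placeholder and has to match the passphrase given to ''server.key'' in the certificates step, so the prose should say that explicitly instead of carrying the default silently; and the clients note says "TCP/UDP ports 1812 and 1813", but RADIUS authentication and accounting run over UDP only (the same sentence also has a stray "to" in "will need to have to connectivity"). The commented ''#challenge = "Password:'' line is missing its closing quote, harmless while commented but a trap if someone uncomments it. Finally, the VLAN example would benefit from one sentence noting that the ''Tunnel-Type'', ''Tunnel-Medium-Type'' and ''Tunnel-Private-Group-Id'' attributes set in ''users'' only reach the access point because ''use_tunneled_reply = yes'' is set in both ''ttls { }'' and ''peap { }''; with it turned off, the inner-tunnel reply attributes are discarded and every user lands on the SSID's default VLAN.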