Table of Contents

FreeRADIUS EAP-TLS Example for 1x Authentication

These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions.

Create Necessary Certificates

Follow guide here for creating certificates.

You'll need to put the ca.pem, dh, server.key, and server.pem files in /etc/freeradius/certs.

Set up eap.conf

Below is an example of what you need to put in /etc/freeradius/eap.conf to handle the proper authentication methods, as well as enable future functionality.

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##

	eap {
		default_eap_type = md5
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = ${max_requests}

		md5 {
		}

		leap {
		}

		gtc {
			#challenge = "Password: "
			auth_type = PAP
		}

		tls {
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			private_key_password = whatever
			private_key_file = ${certdir}/server.key
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			random_file = /dev/urandom
			#fragment_size = 1024
			#include_length = yes
			#check_crl = yes
			CA_path = ${cadir}
			#check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
			#check_cert_cn = %{User-Name}
			cipher_list = "DEFAULT"
			#virtual_server = check-eap-tls
			make_cert_command = "${certdir}/bootstrap"
			ecdh_curve = "prime256v1"
			cache {
			      enable = no
			      lifetime = 24 # hours
			      max_entries = 255
			}

			verify {
				#tmpdir = /tmp/radiusd
				#client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
			}
			ocsp {
			      enable = no
			      override_cert_url = yes
			      url = "http://127.0.0.1/ocsp/"
			      # use_nonce = yes
			      # timeout = 0
			      # softfail = no
			}
		}

		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = no
			use_tunneled_reply = yes
			virtual_server = "inner-tunnel"
			#include_length = yes
		}
		peap {
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = yes
			#proxy_tunneled_request_as_eap = yes
			virtual_server = "inner-tunnel"
			#soh = yes
			#soh_virtual_server = "soh-server"
		}

		mschapv2 {
			#send_error = no
		}
	}

Set up clients.conf

You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.

Note: each device (such as a UAP) will need to have to connectivity to the FreeRADIUS server - this includes both a network route, and TCP/UDP ports 1812 and 1813.

In /etc/freeradius/clients.conf, add one group like:

client 192.168.0.0/24 {
 	secret		= CHANGEME
        nastype           = other
}

You can use single IPs (192.168.0.2 or 2001::beef) or netblocks (192.168.0.0/24 or 2001:beef::/64), and the device with that single IP or devices within that netblock will use the password specified as 'CHANGEME'.

Set up the users file

Users can be manually set up with entries in /etc/freeradius/users.

A basic user example is:

  
joeuser 	Cleartext-Password := "passwordhere"

A more complex one that also involves setting a VLAN that a user is part of:

joeuser 	Cleartext-Password := "passwordhere"
		Tunnel-Type = 13,
		Tunnel-Medium-Type = 6,
		Tunnel-Private-Group-Id = 2

Tunnel-Private-Group-Id is set to the VLAN ID you wish the user to be assigned when they connect.