unifi:freeradius

unifi:freeradius [2015/11/01 11:50] brielle, compared with unifi:freeradius [2015/11/01 11:55] brielle

These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. They may be usable on other versions of FreeRADIUS, as well as on other UNIX/Linux distributions.

===== Create Necessary Certificates =====

Follow the guide [[http://deployingradius.com/|here]] for creating certificates.

You'll need to put the ''ca.pem'', ''dh'', ''server.key'', and ''server.pem'' files in ''/etc/freeradius/certs''. Keep ''server.key'' readable only by the ''freerad'' user that FreeRADIUS runs as on Debian; the private key and the passphrase you set on it are what stop anyone else from impersonating your RADIUS server to clients.

===== Set up eap.conf =====

In ''/etc/freeradius'', you'll find ''eap.conf''.

Below is an example of what to put in ''eap.conf'' to handle the proper authentication methods, as well as to enable future functionality. The values marked with comments are the ones you must change before putting the server into production.

<code>
# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##

eap {
	# md5 is only the fallback offered when a client proposes nothing better.
	# EAP-MD5 has no TLS tunnel and cannot derive WPA2 keys; UniFi
	# WPA2-Enterprise clients negotiate PEAP, configured below.
	default_eap_type = md5
	timer_expire     = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	md5 {
	}

	leap {
	}

	gtc {
		#challenge = "Password: "
		auth_type = PAP
	}

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		# "whatever" is the stock FreeRADIUS placeholder. Set this to the
		# passphrase you chose for server.key when creating the certificates.
		private_key_password = whatever
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		#fragment_size = 1024
		#include_length = yes
		#check_crl = yes
		CA_path = ${cadir}
		#check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
		#check_cert_cn = %{User-Name}
		cipher_list = "DEFAULT"
		#virtual_server = check-eap-tls
		# Only run when server.pem is missing; it generates self-signed test
		# certificates. With your own certs in place it is never invoked.
		make_cert_command = "${certdir}/bootstrap"
		ecdh_curve = "prime256v1"
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}

		verify {
			#tmpdir = /tmp/radiusd
			#client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
		}
		ocsp {
			enable = no
			override_cert_url = yes
			url = "http://127.0.0.1/ocsp/"
			# use_nonce = yes
			# timeout = 0
			# softfail = no
		}
	}

	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
		#include_length = yes
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		#proxy_tunneled_request_as_eap = yes
		virtual_server = "inner-tunnel"
		#soh = yes
		#soh_virtual_server = "soh-server"
	}

	mschapv2 {
		#send_error = no
	}
}
</code>
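To turn the caveats in the comments above into a repeatable check, here is an added example (not from this wiki page and not part of FreeRADIUS) that parses the brace-delimited syntax eap.conf uses and flags the settings in the stock example that should not reach production, printing the suggested replacement beside each. ''SAMPLE_EAP_CONF'' is a constructed excerpt of the file above, and the replacement values in ''WEAK_SETTINGS'' are this editor's hardening suggestions, not FreeRADIUS defaults; ''$INCLUDE'' directives are not handled.

```python
"""Lint a FreeRADIUS 2.x eap.conf for settings that should not reach production.

Added example for this page; not part of the wiki page or of FreeRADIUS.
Handles only the 'name {' / '}' / 'key = value' syntax ($INCLUDE is not)."""
import re
import sys

# Constructed excerpt mirroring the eap.conf on this page (not the live file).
SAMPLE_EAP_CONF = """\
eap {
    default_eap_type = md5
    timer_expire     = 60
    gtc {
        #challenge = "Password: "
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
        }
    }
    ttls {
        default_eap_type = md5
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
"""


def strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_conf(text):
    """Parse sections and key = value lines into nested dicts.

    Surrounding double quotes are removed from values. Unbalanced braces
    raise ValueError so a truncated file is never reported as clean."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        else:
            m = re.match(r"^([\w.\-]+)\s*=\s*(.*)$", line)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {raw!r}")
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            stack[-1][m.group(1)] = value
    if len(stack) != 1:
        raise ValueError("unclosed section at end of file")
    return root


def lookup(conf, path):
    """Follow a dotted path such as 'eap.tls.cipher_list'; None if absent."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


# (dotted path, predicate on the value, suggested replacement, reason).
# The replacements are the editor's hardening suggestions, not FreeRADIUS defaults.
WEAK_SETTINGS = [
    ("eap.default_eap_type", lambda v: v == "md5", "peap",
     "EAP-MD5 has no TLS tunnel and cannot derive WPA2 keys; "
     "UniFi WPA2-Enterprise clients negotiate PEAP"),
    ("eap.ttls.default_eap_type", lambda v: v == "md5", "mschapv2",
     "the TTLS inner method should be MSCHAPv2 rather than MD5"),
    ("eap.tls.private_key_password", lambda v: v == "whatever",
     "<passphrase set on server.key>",
     "stock placeholder; must be the passphrase used when server.key was created"),
    ("eap.tls.cipher_list", lambda v: v.upper() == "DEFAULT", "HIGH",
     "DEFAULT still admits RC4 and export-grade suites on older OpenSSL"),
    ("eap.tls.make_cert_command", lambda v: True, None,
     "remove it: if server.pem goes missing the bootstrap script silently "
     "generates self-signed test certificates and the server starts anyway"),
]


def lint(conf):
    """Return one finding per weak setting actually present in the config."""
    findings = []
    for path, is_weak, recommended, why in WEAK_SETTINGS:
        value = lookup(conf, path)
        if isinstance(value, str) and is_weak(value):
            findings.append({"setting": path, "current": value,
                             "recommended": recommended, "why": why})
    return findings


def lint_text(text):
    return lint(parse_conf(text))


if __name__ == "__main__":
    # Pass a path (e.g. /etc/freeradius/eap.conf) to lint the live file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EAP_CONF
    for f in lint_text(text):
        print(f"{f['setting']}: {f['current']!r} -> {f['recommended']!r}: {f['why']}")
```

Run without arguments it reports all five weak values in the excerpt; run as ''python3 lint_eap.py /etc/freeradius/eap.conf'' it checks the live file, and it exits with an error rather than a clean report if a brace is unbalanced, which is the usual result of a half-finished edit to this file.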

===== Set up clients.conf =====