unifi:freeradius [2015/11/01 12:02] brielle

These are example configuration files for use with FreeRADIUS 2.2.5 on a Debian Jessie system. They may be usable on other versions of FreeRADIUS, as well as other UNIX/Linux distributions.

===== Create Necessary Certificates =====

Follow the guide [[http://deployingradius.com/|here]] for creating certificates.

You'll need to put the ''ca.pem'', ''dh'', ''server.key'', and ''server.pem'' files in ''/etc/freeradius/certs''.

===== Set up eap.conf =====
Below is an example of what you need to put in ''/etc/freeradius/eap.conf'' to handle the proper authentication methods, as well as enable future functionality.

<code># -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##

    eap {
        default_eap_type = md5
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        md5 {
        }

        leap {
        }

        gtc {
            #challenge = "Password: "
            auth_type = PAP
        }

        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            # Passphrase protecting server.key; change it if you used a
            # different one when generating the certificates.
            private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            #fragment_size = 1024
            #include_length = yes
            #check_crl = yes
            CA_path = ${cadir}
            #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
            #check_cert_cn = %{User-Name}
            cipher_list = "DEFAULT"
            #virtual_server = check-eap-tls
            make_cert_command = "${certdir}/bootstrap"
            ecdh_curve = "prime256v1"
            cache {
                enable = no
                lifetime = 24 # hours
                max_entries = 255
            }

            verify {
                #tmpdir = /tmp/radiusd
                #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
            }
            ocsp {
                enable = no
                override_cert_url = yes
                url = "http://127.0.0.1/ocsp/"
                # use_nonce = yes
                # timeout = 0
                # softfail = no
            }
        }

        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = yes
            virtual_server = "inner-tunnel"
            #include_length = yes
        }
        # PEAP with an inner MSCHAPv2 exchange is the method most
        # wireless supplicants use for WPA2-Enterprise.
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = yes
            #proxy_tunneled_request_as_eap = yes
            virtual_server = "inner-tunnel"
            #soh = yes
            #soh_virtual_server = "soh-server"
        }

        mschapv2 {
            #send_error = no
        }
    }
</code>

===== Set up clients.conf =====
You'll need a client configuration for each Unifi device (or device group) that will be querying the FreeRADIUS server.

**Note:** //each device (such as a UAP) will need to have connectivity to the FreeRADIUS server: this includes both a network route and TCP/UDP ports 1812 and 1813.//

In ''/etc/freeradius/clients.conf'', add one group like:
<code>
client 192.168.0.0/24 {
        secret  = CHANGEME
        nastype = other
}
</code>

You can use single IPs (''192.168.0.2'' or ''2001::beef'') or netblocks (''192.168.0.0/24'' or ''2001:beef::/64''), and the device with that single IP or devices within that netblock will use the password specified as ''CHANGEME''.
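As an added example (not part of this wiki page or of FreeRADIUS itself), a small Python checker that parses blocks in the ''clients.conf'' shape above, resolves which block a given device address falls under (the most specific prefix wins, mirroring how FreeRADIUS looks up clients), and flags shared secrets left at the ''CHANGEME'' placeholder or too short. The sample configuration text, the function names and the 16-character minimum are constructed for this example.

```python
import ipaddress
import re

# Constructed sample clients.conf in the shape shown above (not from the wiki).
SAMPLE_CLIENTS_CONF = """
client 192.168.0.0/24 {
        secret  = CHANGEME
        nastype = other
}
client 192.168.0.2 {
        secret  = k7Qp2vX9mL4wR8tZ
        nastype = other
}
client 2001:beef::/64 {
        secret  = CHANGEME
        nastype = other
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
# testing123 is the secret shipped in the stock FreeRADIUS clients.conf example.
PLACEHOLDER_SECRETS = {"CHANGEME", "testing123"}


def parse_clients(text):
    """Return [(network, settings)]; a bare IP becomes a /32 or /128 network."""
    clients = []
    for target, body in BLOCK_RE.findall(text):
        settings = dict(re.findall(r"(\w+)\s*=\s*(\S+)", body))
        clients.append((ipaddress.ip_network(target, strict=False), settings))
    return clients


def find_client(clients, device_ip):
    """Most specific (longest prefix) block containing device_ip, or None."""
    addr = ipaddress.ip_address(device_ip)
    matches = [(net, s) for net, s in clients
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def audit_secrets(clients, min_len=16):
    """Flag blocks whose secret is a placeholder or too short for offline guessing resistance."""
    findings = []
    for net, s in clients:
        secret = s.get("secret", "")
        if secret in PLACEHOLDER_SECRETS:
            findings.append((str(net), "placeholder secret"))
        elif len(secret) < min_len:
            findings.append((str(net), "short secret"))
    return findings
```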