CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20250907

Browse Source
This commit is contained in:
Petar Cubela
2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

189
projects/gg/freeradius/homelab/20250726-test_environment-homelab.md Normal file
View File

@@ -0,0 +1,189 @@
To configure your **FreeRADIUS server** for **LDAP authentication** (via LDAPS) in your home lab, follow these steps. The configuration will ensure the Unifi Access Point (AP) can authenticate users against your LDAP server (AD) via the FreeRADIUS server.
---
### **1. Install Required Packages**
Install **FreeRADIUS** and the necessary modules. Since you're using **FreeRADIUS 3.2.1**, ensure you install the correct version. On **Proxmox**, you can use `apt` or install via Docker.
#### **For Ubuntu/Debian (if using a VM or bare metal):**
```bash
sudo apt update
sudo apt install freeradius freeradius-ldap freeradius-mysql
```
#### **If using Docker (optional):**
```bash
docker run -d \
--name freeradius \
--network host \
--restart unless-stopped \
--volume /path/to/config:/etc/freeradius \
--volume /path/to/ldap-cert:/etc/ssl/certs \
--volume /path/to/mariadb:/var/lib/mysql \
freeradius/freeradius:3.2.1
```
---
### **2. Configure FreeRADIUS to Use LDAP (LDAPS)**
#### **2.1. Edit `radiusd.conf`**
Set the listening address to **IPv4 and IPv6**:
```bash
sudo nano /etc/freeradius/radiusd.conf
```
Update the following lines:
```ini
listen {
ipaddr = 0.0.0.0
port = 1812
instance = main
}
listen {
ipaddr = ::
port = 1812
instance = main
}
```
#### **2.2. Configure LDAP Backend in `ldap` Module**
Create or edit the LDAP configuration file:
```bash
sudo nano /etc/freeradius/ldap
```
Add the following (replace placeholders with your actual values):
```ini
ldap {
server = ad.reliyya.xyz
port = 6360
timeout = 5
bind = yes
base_dn = DC=reliyya,DC=xyz
filter = (objectClass=person)
start_tls = yes
ldap_tls_cafile = /etc/ssl/certs/ca-certificates.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_certfile = /etc/ssl/certs/client-cert.pem
ldap_tls_keyfile = /etc/ssl/certs/client-key.pem
}
```
**Key Notes:**
- `server` = DNS entry for your LDAP server (`ad.reliyya.xyz`).
- `port` = LDAPS port (`6360`).
- `start_tls = yes` enables TLS (if your LDAP server uses LDAPS).
- If your LDAP server requires a certificate, specify `ldap_tls_cafile` or `ldap_tls_cacertdir`.
#### **2.3. Configure `ldap` Module in `radiusd.conf`**
Enable the LDAP module:
```bash
sudo nano /etc/freeradius/radiusd.conf
```
Add this line under `[modules]`:
```ini
ldap
```
#### **2.4. Configure `users` File (Optional)**
If you want to test without LDAP, you can use a static user:
```bash
sudo nano /etc/freeradius/users
```
Add:
```ini
testuser Cleartext-Password := "password"
```
---
### **3. Configure Clients in `clients.conf`**
Set up the Unifi controller as a client:
```bash
sudo nano /etc/freeradius/clients.conf
```
Add:
```ini
client unifi-controller {
ipaddr = 10.56.0.0/24
secret = your_shared_secret
require_client_certificate = no
}
```
Replace `your_shared_secret` with a secure password (same on Unifi controller).
---
### **4. Test LDAP Connectivity**
Verify the LDAP server is reachable:
```bash
ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
```
Replace `testuser` and `password` with a valid LDAP user.
---
### **5. Test FreeRADIUS Authentication**
Use `radtest` to test authentication:
```bash
radtest testuser password 10.56.1.251 0 testing123
```
If successful, you'll see:
```
Sending Access-Request of type Auth-Request
...
Access-Accept
```
---
### **6. Configure Unifi Controller to Use FreeRADIUS**
1. Log in to the Unifi controller web UI.
2. Navigate to **Network > Radius**.
3. Add a new RADIUS server:
- **Name**: `radius.reliyya.xyz`
- **IP Address**: `radius.reliyya.xyz` (DNS entry)
- **Port**: `1812` (Authentication), `1813` (Accounting)
- **Shared Secret**: `your_shared_secret`
- **NAS ID**: `unifi-controller`
4. Save and test the connection.
---
### **7. Optional: Set Up MariaDB for Session Tracking**
If you want to store session data:
1. Install MariaDB:
```bash
sudo apt install mariadb-server
```
2. Configure `radiusd.conf` to use MySQL:
```bash
sudo nano /etc/freeradius/radiusd.conf
```
Add:
```ini
mysql
```
3. Configure `sql` module in `radiusd.conf`:
```bash
sudo nano /etc/freeradius/sql.conf
```
Set the database connection details and table schema.
---
### **8. Security Considerations**
- Ensure **TLS is enforced** for LDAPS.
- Use **strong secrets** for RADIUS and LDAP.
- Restrict access to the FreeRADIUS server via OPNsense firewall.
---
### **Summary**
- **Packages**: `freeradius`, `freeradius-ldap`, `freeradius-mysql`
- **Key Config Files**: `radiusd.conf`, `ldap`, `clients.conf`, `users`
- **LDAP Server**: Use `ad.reliyya.xyz:6360` with TLS
- **Unifi Controller**: Point to `radius.reliyya.xyz` with shared secret
Let me know if you need help with certificate setup or advanced LDAP filters! 🚀

134
projects/gg/freeradius/homelab/20250726-tls_certs_peap.md Normal file
View File

@@ -0,0 +1,134 @@
The error **"TLS Alert: fatal: unknown CA"** indicates that the client (your phone) is trying to establish a **TLS connection** with the FreeRADIUS server, but it **cannot verify the server's certificate** because the **CA (Certificate Authority)** is not trusted. This is a **common issue when using PEAP (Protected Extensible Authentication Protocol)** with TLS. Let's fix it step by step.
---
### **1. Understand the Root Cause**
- **PEAP (PEAP-MSCHAPv2)** requires **TLS** for secure communication.
- Your phone is trying to connect to the FreeRADIUS server using **PEAP**, but the server is not presenting a **trusted certificate**.
- The client (phone) is not trusting the **CA** that signed the server's certificate.
---
### **2. Fix: Configure TLS for PEAP on FreeRADIUS**
You need to **set up a valid TLS certificate** for the FreeRADIUS server. Here's how:
#### **A. Generate a Self-Signed Certificate (For Testing)**
If you're in a testing environment, you can create a **self-signed certificate**. This will work for testing but won't be trusted by phones (unless manually added).
1. **Generate a private key and certificate:**
```bash
openssl req -x509 -newkey rsa:2048 -keyout /etc/freeradius/certs/your_radius_server.key -out /etc/freeradius/certs/your_radius_server.crt -days 365 -nodes
```
- Replace `your_radius_server.crt` and `your_radius_server.key` with your server's certificate and key.
2. **Set correct permissions:**
```bash
chown -R freeradius:freeradius /etc/freeradius/certs/
chmod 600 /etc/freeradius/certs/your_radius_server.key
chmod 644 /etc/freeradius/certs/your_radius_server.crt
```
#### **B. Configure FreeRADIUS to Use the Certificate**
Update `/etc/freeradius/eap.conf` to use the certificate:
```ini
eap {
default_eap_type = peap
timer_expire = 60
max_sessions = 256
peap {
# Path to your certificate and key
certificate = /etc/freeradius/certs/your_radius_server.crt
private_key = /etc/freeradius/certs/your_radius_server.key
ca_list = /etc/freeradius/certs/ca.crt # Optional: If you're using a chain
dh_file = /etc/freeradius/certs/dh2048.pem # Optional: Diffie-Hellman parameters
}
}
```
- If you're using a **self-signed certificate**, skip the `ca_list` line.
- If you're using a **trusted CA**, ensure the `ca_list` contains the CA's certificate.
#### **C. Generate Diffie-Hellman Parameters (Optional)**
For stronger TLS security:
```bash
openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048
```
---
### **3. Ensure the Client (Phone) Trusts the Certificate**
If you're using a **self-signed certificate**, the phone must trust it manually. Here's how:
#### **A. Export the Server's Certificate**
1. Use `openssl` to extract the certificate from the `.crt` file:
```bash
openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
```
2. Convert it to PEM format (optional):
```bash
openssl x509 -in your_radius_server.crt -out your_radius_server.pem
```
#### **B. Install the Certificate on the Phone**
- **Android**:
1. Go to **Settings > Security > Trusted Credentials > User Certificates**.
2. Import the `.der` or `.pem` file.
- **iOS**:
1. Go to **Settings > General > About > Certificate Trust Settings**.
2. Add the certificate to the trusted list (may require a certificate from a trusted CA).
#### **C. Use a Trusted CA (Recommended for Production)**
If you're using a certificate from a **trusted CA** (e.g., Let's Encrypt), ensure:
- The certificate is correctly installed.
- The **CA chain** is complete (e.g., intermediate certificates are included).
- The phone's trust store includes the CA's certificate.
---
### **4. Verify FreeRADIUS TLS Configuration**
1. **Restart FreeRADIUS**:
```bash
systemctl restart freeradius
```
2. **Check Logs for TLS Errors**:
```bash
tail -f /var/log/freeradius/radius.log
```
Look for:
- `TLS: Server certificate is not trusted`
- `TLS: No trusted certificate found`
3. **Test with `radtest`** (Ensure PEAP is working):
```bash
radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
```
---
### **5. Advanced: Debug TLS Handshake**
If the issue persists, enable **TLS debugging** in `eap.conf`:
```ini
eap {
debug = yes
...
}
```
Then check the logs for detailed TLS handshake errors.
---
### **Summary of Fixes**
| Step | Action |
|------|--------|
| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
| 2 | Configure FreeRADIUS to use the certificate in `eap.conf` |
| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
| 4 | Restart FreeRADIUS and verify TLS is working |
| 5 | Debug with `debug = yes` if issues persist |
After these steps, the **"unknown CA"** error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀