20250907

2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions
--- a/projects/gg/freeradius/homelab/20250726-test_environment-homelab.md
+++ b/projects/gg/freeradius/homelab/20250726-test_environment-homelab.md
@@ -0,0 +1,189 @@
+
+To configure your **FreeRADIUS server** for **LDAP authentication** (via LDAPS) in your home lab, follow these steps. The configuration will ensure the Unifi Access Point (AP) can authenticate users against your LDAP server (AD) via the FreeRADIUS server.
+
+---
+
+### **1. Install Required Packages**
+Install **FreeRADIUS** and the necessary modules. Since you're using **FreeRADIUS 3.2.1**, ensure you install the correct version. On **Proxmox**, you can use `apt` or install via Docker.
+
+#### **For Ubuntu/Debian (if using a VM or bare metal):**
+```bash
+sudo apt update
+sudo apt install freeradius freeradius-ldap freeradius-mysql
+```
+
+#### **If using Docker (optional):**
+```bash
+docker run -d \
+  --name freeradius \
+  --network host \
+  --restart unless-stopped \
+  --volume /path/to/config:/etc/freeradius \
+  --volume /path/to/ldap-cert:/etc/ssl/certs \
+  --volume /path/to/mariadb:/var/lib/mysql \
+  freeradius/freeradius:3.2.1
+```
+
+---
+
+### **2. Configure FreeRADIUS to Use LDAP (LDAPS)**
+
+#### **2.1. Edit `radiusd.conf`**
+Set the listening address to **IPv4 and IPv6**:
+```bash
+sudo nano /etc/freeradius/radiusd.conf
+```
+Update the following lines:
+```ini
+listen { 
+    ipaddr = 0.0.0.0
+    port = 1812
+    instance = main
+}
+
+listen {
+    ipaddr = ::
+    port = 1812
+    instance = main
+}
+```
+
+#### **2.2. Configure LDAP Backend in `ldap` Module**
+Create or edit the LDAP configuration file:
+```bash
+sudo nano /etc/freeradius/ldap
+```
+Add the following (replace placeholders with your actual values):
+```ini
+ldap {
+    server = ad.reliyya.xyz
+    port = 6360
+    timeout = 5
+    bind = yes
+    base_dn = DC=reliyya,DC=xyz
+    filter = (objectClass=person)
+    start_tls = yes
+    ldap_tls_cafile = /etc/ssl/certs/ca-certificates.crt
+    ldap_tls_cacertdir = /etc/ssl/certs
+    ldap_tls_certfile = /etc/ssl/certs/client-cert.pem
+    ldap_tls_keyfile = /etc/ssl/certs/client-key.pem
+}
+```
+
+**Key Notes:**
+- `server` = DNS entry for your LDAP server (`ad.reliyya.xyz`).
+- `port` = LDAPS port (`6360`).
+- `start_tls = yes` enables TLS (if your LDAP server uses LDAPS).
+- If your LDAP server requires a certificate, specify `ldap_tls_cafile` or `ldap_tls_cacertdir`.
+
+#### **2.3. Configure `ldap` Module in `radiusd.conf`**
+Enable the LDAP module:
+```bash
+sudo nano /etc/freeradius/radiusd.conf
+```
+Add this line under `[modules]`:
+```ini
+ldap
+```
+
+#### **2.4. Configure `users` File (Optional)**
+If you want to test without LDAP, you can use a static user:
+```bash
+sudo nano /etc/freeradius/users
+```
+Add:
+```ini
+testuser Cleartext-Password := "password"
+```
+
+---
+
+### **3. Configure Clients in `clients.conf`**
+Set up the Unifi controller as a client:
+```bash
+sudo nano /etc/freeradius/clients.conf
+```
+Add:
+```ini
+client unifi-controller {
+    ipaddr = 10.56.0.0/24
+    secret = your_shared_secret
+    require_client_certificate = no
+}
+```
+Replace `your_shared_secret` with a secure password (same on Unifi controller).
+
+---
+
+### **4. Test LDAP Connectivity**
+Verify the LDAP server is reachable:
+```bash
+ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
+```
+Replace `testuser` and `password` with a valid LDAP user.
+
+---
+
+### **5. Test FreeRADIUS Authentication**
+Use `radtest` to test authentication:
+```bash
+radtest testuser password 10.56.1.251 0 testing123
+```
+If successful, you'll see:
+```
+Sending Access-Request of type Auth-Request
+...
+Access-Accept
+```
+
+---
+
+### **6. Configure Unifi Controller to Use FreeRADIUS**
+1. Log in to the Unifi controller web UI.
+2. Navigate to **Network > Radius**.
+3. Add a new RADIUS server:
+   - **Name**: `radius.reliyya.xyz`
+   - **IP Address**: `radius.reliyya.xyz` (DNS entry)
+   - **Port**: `1812` (Authentication), `1813` (Accounting)
+   - **Shared Secret**: `your_shared_secret`
+   - **NAS ID**: `unifi-controller`
+4. Save and test the connection.
+
+---
+
+### **7. Optional: Set Up MariaDB for Session Tracking**
+If you want to store session data:
+1. Install MariaDB:
+   ```bash
+   sudo apt install mariadb-server
+   ```
+2. Configure `radiusd.conf` to use MySQL:
+   ```bash
+   sudo nano /etc/freeradius/radiusd.conf
+   ```
+   Add:
+   ```ini
+   mysql
+   ```
+3. Configure `sql` module in `radiusd.conf`:
+   ```bash
+   sudo nano /etc/freeradius/sql.conf
+   ```
+   Set the database connection details and table schema.
+
+---
+
+### **8. Security Considerations**
+- Ensure **TLS is enforced** for LDAPS.
+- Use **strong secrets** for RADIUS and LDAP.
+- Restrict access to the FreeRADIUS server via OPNsense firewall.
+
+---
+
+### **Summary**
+- **Packages**: `freeradius`, `freeradius-ldap`, `freeradius-mysql`
+- **Key Config Files**: `radiusd.conf`, `ldap`, `clients.conf`, `users`
+- **LDAP Server**: Use `ad.reliyya.xyz:6360` with TLS
+- **Unifi Controller**: Point to `radius.reliyya.xyz` with shared secret
+
+Let me know if you need help with certificate setup or advanced LDAP filters! 🚀