To configure your **FreeRADIUS server** for **LDAP authentication** (via LDAPS) in your home lab, follow these steps. The configuration will ensure the Unifi Access Point (AP) can authenticate users against your LDAP server (AD) via the FreeRADIUS server.

---

### **1. Install Required Packages**

Install **FreeRADIUS** and the necessary modules. Since you're using **FreeRADIUS 3.2.1**, ensure you install the correct version. On **Proxmox**, you can use `apt` or install via Docker.

#### **For Ubuntu/Debian (if using a VM or bare metal):**

```bash
sudo apt update
sudo apt install freeradius freeradius-ldap freeradius-mysql
```

On Debian/Ubuntu the configuration tree lives under `/etc/freeradius/3.0/`; every path below uses that prefix.

#### **If using Docker (optional):**

```bash
# The official image is freeradius/freeradius-server and keeps its config in /etc/raddb.
# MariaDB (step 7) runs in its own container or VM; it is not mounted into this one.
docker run -d \
  --name freeradius \
  --network host \
  --restart unless-stopped \
  --volume /path/to/config:/etc/raddb \
  --volume /path/to/ldap-cert:/etc/ssl/certs \
  freeradius/freeradius-server:3.2.1
```

---

### **2. Configure FreeRADIUS to Use LDAP (LDAPS)**

#### **2.1. Listen on IPv4 and IPv6**

In FreeRADIUS 3.x the `listen` sections belong to the default virtual server, not to `radiusd.conf`:

```bash
sudo nano /etc/freeradius/3.0/sites-enabled/default
```

The file already contains an IPv4 `auth` listener; keep it and add an IPv6 one (the `acct` listeners on 1813 are handled the same way):

```ini
listen {
    type = auth
    ipaddr = *          # all IPv4 addresses
    port = 1812
}
listen {
    type = auth
    ipv6addr = ::       # all IPv6 addresses
    port = 1812
}
```

#### **2.2. Configure the LDAP Backend in the `ldap` Module**

The module file ships at `mods-available/ldap`:

```bash
sudo nano /etc/freeradius/3.0/mods-available/ldap
```

Set the following (replace placeholders with your actual values; the other defaults in the file can stay):

```ini
ldap {
    # LDAPS URL: TLS is negotiated at connect time, so start_tls stays off below.
    server = 'ldaps://ad.reliyya.xyz:6360'
    # AD does not allow anonymous searches: bind with a low-privilege service account.
    identity = 'CN=svc-radius,CN=Users,DC=reliyya,DC=xyz'   # placeholder
    password = 'bind-account-password'                       # placeholder
    base_dn = 'DC=reliyya,DC=xyz'

    user {
        base_dn = "${..base_dn}"
        # Match on the AD logon name; (objectClass=person) alone does not select one user.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        ca_file = /etc/ssl/certs/ca-certificates.crt
        # Only needed if AD requires a client certificate for the bind:
        # certificate_file = /etc/ssl/certs/client-cert.pem
        # private_key_file = /etc/ssl/certs/client-key.pem
        start_tls = no           # ldaps:// already encrypts; start_tls is for port 389
        require_cert = 'demand'  # refuse servers whose certificate cannot be verified
    }
}
```

**Key Notes:**
- `server` = the LDAPS URL of your directory (`ad.reliyya.xyz`, port `6360`).
- `tls.start_tls` must stay `no` with an `ldaps://` URL; `start_tls = yes` only upgrades a plain-LDAP (port 389) connection to TLS.
- `tls.ca_file` (or `ca_path`) must contain the CA that signed your AD certificate, otherwise `require_cert = 'demand'` rejects every bind; `require_cert = 'never'` would silently accept any certificate.
- `certificate_file`/`private_key_file` are only for client-certificate binds.

#### **2.3. Enable the `ldap` Module**

Modules are enabled by symlinking them into `mods-enabled/` (`radiusd.conf` has no `[modules]` section; its `modules { }` block just includes that directory):

```bash
sudo ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
```

The default virtual server already calls `-ldap` in its `authorize` section. Because AD never returns the user's password, a PAP login has to be verified by binding to AD as that user, so in `sites-enabled/default` uncomment the `if ((ok || updated) && User-Password)` block that follows `-ldap` in `authorize`, and the `Auth-Type LDAP` block in `authenticate`:

```ini
authenticate {
    Auth-Type LDAP {
        ldap
    }
    ...
}
```

A bind can only check a cleartext password, which covers PAP and EAP-TTLS/PAP. PEAP/MSCHAPv2, the usual WPA-Enterprise method, sends an NT-hash challenge response that LDAP cannot verify; that needs `ntlm_auth`/winbind against the domain instead.

#### **2.4. Configure `users` File (Optional)**

If you want to test without LDAP, you can use a static user:

```bash
sudo nano /etc/freeradius/3.0/users
```

Add (and remove it again once LDAP works):

```ini
testuser  Cleartext-Password := "password"
```

---

### **3. Configure Clients in `clients.conf`**

Set up the Unifi controller (and the APs, which send the actual Access-Requests) as a client:

```bash
sudo nano /etc/freeradius/3.0/clients.conf
```

Add:

```ini
client unifi-controller {
    ipaddr = 10.56.0.0/24
    secret = your_shared_secret
    # RADIUS has no client certificates. The closest hardening knob is to require the
    # Message-Authenticator attribute; enable it once every NAS in the subnet sends it.
    # require_message_authenticator = yes
}
```

Replace `your_shared_secret` with a secure password (same on Unifi controller). A subnet client shares one secret with every host in `10.56.0.0/24`; list the APs individually if you want separate secrets.

---

### **4. Test LDAP Connectivity**

Verify the LDAP server is reachable:

```bash
ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
```

Replace `testuser` and `password` with a valid LDAP user (`-W` prompts for the password instead of leaving it in shell history). If this fails with a certificate error, the CA file in `tls.ca_file` is wrong and FreeRADIUS will fail the same way.

---

### **5. Test FreeRADIUS Authentication**

Use `radtest` to test authentication:

```bash
radtest testuser password 10.56.1.251 0 testing123
```

The last argument must be the `secret` of the `clients.conf` entry that matches the address you send from; `testing123` is only the stock secret of the `localhost` client, so either test against `127.0.0.1` or pass your own shared secret. If successful, you'll see:

```
Sending Access-Request of type Auth-Request ... Access-Accept
```

---

### **6. Configure Unifi Controller to Use FreeRADIUS**

1. Log in to the Unifi controller web UI.
2. Navigate to **Network > Radius**.
3. Add a new RADIUS server:
   - **Name**: `radius.reliyya.xyz`
   - **IP Address**: `radius.reliyya.xyz` (DNS entry)
   - **Port**: `1812` (Authentication), `1813` (Accounting)
   - **Shared Secret**: `your_shared_secret`
   - **NAS ID**: `unifi-controller`
4. Save and test the connection.

---

### **7. Optional: Set Up MariaDB for Session Tracking**

If you want to store session data:

1. Install MariaDB and load the schema shipped with the `sql` module:

```bash
sudo apt install mariadb-server
sudo mysql -e "CREATE DATABASE radius; CREATE USER 'radius'@'localhost' IDENTIFIED BY 'db-password'; GRANT ALL ON radius.* TO 'radius'@'localhost';"
sudo mysql radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
```

2. Enable the `sql` module (there is no `mysql` line in `radiusd.conf` and no `sql.conf` in 3.x):

```bash
sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/sql
```

3. Set the connection details in `mods-available/sql`:

```bash
sudo nano /etc/freeradius/3.0/mods-available/sql
```

```ini
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "localhost"
    port = 3306
    login = "radius"
    password = "db-password"   # placeholder, same as in the CREATE USER above
    radius_db = "radius"
}
```

The default virtual server already calls `-sql` in its `accounting` and `post-auth` sections, so enabling the module is enough to start recording sessions.

---

### **8. Security Considerations**

- Ensure **TLS is enforced** for LDAPS: `require_cert = 'demand'` with a trusted `ca_file`, never `require_cert = 'never'`.
- Use **strong secrets** for RADIUS and LDAP, and change or remove the stock `testing123` secret of the `localhost` client in `clients.conf` once testing is done.
- Remove the static `testuser` entry from the `users` file after testing.
- Restrict access to the FreeRADIUS server via OPNsense firewall (UDP 1812/1813 only from the AP and controller subnet).

---

### **Summary**

- **Packages**: `freeradius`, `freeradius-ldap`, `freeradius-mysql`
- **Key Config Files** (under `/etc/freeradius/3.0/`): `sites-enabled/default`, `mods-available/ldap`, `clients.conf`, `users`
- **LDAP Server**: Use `ldaps://ad.reliyya.xyz:6360` with a verified CA
- **Unifi Controller**: Point to `radius.reliyya.xyz` with shared secret

Let me know if you need help with certificate setup or advanced LDAP filters! 🚀
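An added check for the settings in sections 2.2, 3 and 8 (my example, not FreeRADIUS code): it parses a stanza in FreeRADIUS's `name { key = value }` layout and flags `start_tls` combined with an `ldaps://` URL, a missing `require_cert = 'demand'` or CA file, and placeholder or stock client secrets. Both sample stanzas are constructed, and the parser handles only the plain layout shown here, not `$INCLUDE` or `${var}` references.

```python
# Added example (not FreeRADIUS code): audit the ldap module / clients.conf settings
# above. Parses only the plain "name { key = value }" layout; samples are constructed.
WEAK = """ldap {
    server = 'ldaps://ad.reliyya.xyz:6360'
    tls {
        start_tls = yes             # wrong: the URL is already LDAPS
    }
}
client unifi-controller {
    secret = your_shared_secret     # placeholder left in place
}"""
HARDENED = """ldap {
    server = 'ldaps://ad.reliyya.xyz:6360'
    tls {
        ca_file = /etc/ssl/certs/ca-certificates.crt
        start_tls = no
        require_cert = 'demand'
    }
}
client unifi-controller {
    secret = 'Qm7vR2pX9sLw4ZtH1nBkE'  # constructed sample secret
}"""

def parse_conf(text):
    """Parse brace sections into nested dicts; '#' comments are stripped."""
    stack = [{}]                                    # stack[-1] is the open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):                      # e.g. "client foo {"
            stack[-1][line[:-1].strip()] = new = {}
            stack.append(new)
        elif line == "}":
            stack.pop()
        elif line:                                  # key = value, quotes dropped
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip().strip("'\"")
    return stack[0]

def audit(conf):
    out, ldap = [], conf.get("ldap", {})            # findings; [] means the checks passed
    tls, server = ldap.get("tls", {}), ldap.get("server", "")
    if server.startswith("ldaps://") and tls.get("start_tls", "no") == "yes":
        out.append("ldap: start_tls=yes with an ldaps:// URL; use one or the other")
    if tls.get("require_cert") != "demand" or not (tls.get("ca_file") or tls.get("ca_path")):
        out.append("ldap: set tls.require_cert = 'demand' plus a ca_file/ca_path to verify AD")
    for name, sec in conf.items():                  # "testing123" is the stock localhost secret
        secret = sec.get("secret", "")
        if name.startswith("client ") and (secret in ("your_shared_secret", "testing123") or len(secret) < 16):
            out.append(f"{name}: shared secret is a placeholder, the default, or under 16 chars")
    return out
```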