### **FreeRADIUS Crash Course for a School Environment with AD Integration (IPv4-Only)**

*(Softbox MSP Focus: IPv4-Only, No IPv6 Support)*

---

### **1. What is RADIUS?**

**RADIUS (Remote Authentication Dial-In User Service)** is a network protocol for centralized authentication, authorization, and accounting (AAA). It is used in:

- **Wireless networks** (802.1X)
- **DSL modems**
- **VPN gateways**
- **Switches/APs**

**Key Components:**

- **Client (NAS):** Network Access Server (e.g., switch, AP, firewall) that sends user credentials to the RADIUS server.
- **Server (RADIUS):** Validates credentials against a backend (e.g., AD, LDAP, SQL).
- **Protocol Flow:**
  1. User authenticates (e.g., via Wi-Fi, SSH, or PPP).
  2. NAS sends an **Access-Request** to the RADIUS server.
  3. Server checks credentials against a backend (e.g., AD).
  4. Server replies with **Access-Accept**, **Access-Reject**, or **Access-Challenge** (multi-round methods such as EAP). Usage is reported in a separate exchange: the NAS sends an **Accounting-Request** and the server answers with an **Accounting-Response**.

---

### **2. Key Features of FreeRADIUS**

FreeRADIUS is an open-source RADIUS server with:

- **Modular architecture** (plugins for LDAP, SQL, EAP, etc.).
- **IPv4 support** (standard for Softbox MSP).
- **EAP (Extensible Authentication Protocol)** for secure 802.1X.
- **Accounting** for usage tracking (e.g., bandwidth, login times).
- **Proxying** for load balancing or multi-site setups.

---

### **3. Architecture for Your School Use Case**

**Scenario:**

- **MS DC/AD** handles user identities (e.g., `students`, `staff`, `guests`).
- **FreeRADIUS** acts as the central AAA server.
- **NAS devices** (e.g., Proxmox VMs, VMware ESXi hosts, APs) forward RADIUS requests.

**Workflow:**

1. **User connects** to the network (e.g., via Wi-Fi).
2. **NAS** sends user credentials to **FreeRADIUS** (via IPv4).
3. **FreeRADIUS** queries **AD/LDAP** for authentication.
4. **FreeRADIUS** authorizes the user (e.g., assign VLANs, limit bandwidth).
5. **Accounting** logs are stored for billing/monitoring.

---

### **4. Step-by-Step Setup (IPv4-Only)**

#### **A. Prerequisites**

- **Linux Server** (e.g., Ubuntu/Debian/Proxmox VM).
- **IPv4 connectivity** (a static IPv4 address on the server, reachable from every NAS).
- **AD/LDAP integration** (e.g., Microsoft Active Directory).
- **TLS certificates** for EAP on 802.1X networks (PEAP and EAP-TTLS carry the user's credentials inside a TLS tunnel).

---

#### **B. Install FreeRADIUS**

```bash
# Debian/Ubuntu
sudo apt update
# freeradius-ldap provides the ldap module used below; freeradius-utils provides radtest
sudo apt install freeradius freeradius-ldap freeradius-utils
```

---

#### **C. Configure FreeRADIUS for AD Integration**

1. **LDAP Configuration (AD):**

   The ldap module is configured in `/etc/freeradius/3.0/mods-available/ldap` and enabled with a symlink in `mods-enabled` (`ln -s ../mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap`):

   ```ini
   ldap {
       server = "ad.example.com"                            # AD DC hostname or IPv4 address
       identity = "CN=radius,CN=Users,DC=example,DC=com"    # low-privilege bind account
       password = "your-ad-password"
       base_dn = "DC=example,DC=com"
       user {
           base_dn = "${..base_dn}"
           filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
       }
       group {
           base_dn = "${..base_dn}"
           membership_attribute = "memberOf"              # lets policies test LDAP-Group
       }
       tls {
           start_tls = yes                                 # upgrade the port 389 connection to TLS
           ca_file = "/etc/freeradius/3.0/certs/ad-ca.pem"
       }
       options {
           res_timeout = 5
       }
   }
   ```

   **Note:** Use `ldapsearch` to test LDAP connectivity. The ldap module authenticates a user by binding to AD with the password it received, so FreeRADIUS must see a cleartext password (PAP, or EAP-TTLS with inner PAP). PEAP-MSCHAPv2, the usual Windows default, cannot be checked by an LDAP bind and needs the `ntlm_auth`/winbind integration instead.

2. **Authentication Method:**

   In `/etc/freeradius/3.0/sites-enabled/inner-tunnel` (and `default` if NAS devices send plain PAP), the `authenticate` section needs an `Auth-Type LDAP` block:

   ```ini
   authenticate {
       Auth-Type LDAP {
           ldap
       }
   }
   ```

3. **Authorization Rules:**

   In the `authorize` section of the same file, call `ldap`, select the LDAP authentication type when a password is present, and assign VLANs with the standard tunnel attributes (`Tunnel-Medium-Type` 6 is `IEEE-802`; the VLAN number goes in `Tunnel-Private-Group-Id`):

   ```ini
   authorize {
       ldap
       if ((ok || updated) && User-Password) {
           update control {
               Auth-Type := LDAP
           }
       }
       if (&User-Name =~ /^student/) {        # or match the AD group: (LDAP-Group == "CN=Students,CN=Users,DC=example,DC=com")
           update reply {
               Tunnel-Type := VLAN
               Tunnel-Medium-Type := IEEE-802
               Tunnel-Private-Group-Id := "20"   # VLAN the NAS should place the user in
           }
       }
   }
   ```

---

#### **D. Configure RADIUS Clients (NAS)**

Edit `/etc/freeradius/3.0/clients.conf`:

```ini
client school-nas {
    ipaddr = 192.168.1.1                  # the NAS's IPv4 address (a CIDR such as 192.168.1.0/24 is also accepted)
    secret = "your-shared-secret"
    shortname = "core-switch"
    require_message_authenticator = yes   # drop requests without a valid Message-Authenticator (FreeRADIUS 3.0.27 / 3.2.5 and later)
    nastype = other
}
```

**Note:** Ensure NAS devices are configured with the same shared secret and that their source IPv4 address matches `ipaddr`; requests from an address that matches no `client` block are ignored without a reply.

---

#### **E. TLS/SSL for Secure Communication**

1. **Generate Certificates (self-signed or CA-signed):**

   Use `openssl` to create a certificate chain, or edit `ca.cnf` and `server.cnf` in `/etc/freeradius/3.0/certs/` and run `make` there. Store the files in `/etc/freeradius/3.0/certs/`.

2. **Configure TLS for EAP in `mods-available/eap`:**

   ```ini
   eap {
       default_eap_type = ttls
       tls-config tls-common {
           ca_file          = "/etc/freeradius/3.0/certs/ca.pem"
           certificate_file = "/etc/freeradius/3.0/certs/server.pem"
           private_key_file = "/etc/freeradius/3.0/certs/server.key"
           dh_file          = "/etc/freeradius/3.0/certs/dh2048.pem"
       }
       ttls {
           tls = tls-common
           virtual_server = "inner-tunnel"   # inner PAP credentials reach the ldap module
       }
   }
   ```

3. **Client (supplicant) Configuration:**

   The NAS only relays EAP; it is the student and staff devices that must trust the CA certificate and validate the server certificate during PEAP/EAP-TTLS. Push the CA certificate and the expected server name through your device management, because a client that skips validation will hand its credentials to any network that presents the same SSID.

---

#### **F. Test the Setup**

1. **Simulate a RADIUS Request:**

   Run the server in debug mode in one terminal and send a PAP request from a second one. `radtest` takes the user, the password, the **RADIUS server** address (not the NAS), the NAS port number, and the secret; the built-in `localhost` client in `clients.conf` uses the secret `testing123`.

   ```bash
   # terminal 1: foreground, full debug output
   sudo systemctl stop freeradius
   sudo freeradius -X

   # terminal 2: PAP Access-Request via the localhost client
   radtest student1 'password' 127.0.0.1 0 testing123
   ```

   Check the debug output or `/var/log/freeradius/radius.log` for the result.

2. **Use Wireshark:**

   Capture IPv4 RADIUS packets (UDP ports 1812/1813, display filter `radius`) to debug.

---

### **5. Security Best Practices**

- **Firewall Rules:** Ensure only trusted NAS devices can communicate with the RADIUS server on ports 1812 (authentication) and 1813 (accounting).
- **Shared Secrets:** Use strong, unique shared secrets for each NAS device; the secret is the only thing protecting the NAS-to-server hop.
- **TLS Enforcement:** Require PEAP or EAP-TTLS so user passwords travel inside TLS. Plain RADIUS between NAS and server only hides `User-Password` with MD5 and the shared secret, so keep that hop on a management VLAN, or use RADIUS over TLS (RadSec, `sites-available/tls`) where the NAS supports it.

---

### **6. Common Pitfalls**

- **IP Address Mismatch:** Ensure the NAS's IP address in `clients.conf` matches its actual IPv4 source address; `freeradius -X` reports requests from unknown clients and never answers them.
- **LDAP Configuration Errors:** Double-check `identity`, `password`, `base_dn`, and the `user { filter }` setting in the ldap module.
- **TLS Certificate Issues:** Verify the CA certificate is trusted by the client devices and the certificate chain is complete.

---

### **7. Next Steps for You**

1. **Provision a FreeRADIUS VM** in Proxmox with IPv4 support.
2. **Integrate with AD** using LDAP (test via `ldapsearch`).
3. **Secure TLS** and configure NAS devices.
4. **Monitor logs** and test with real users.

Let me know if you need scripts for LDAP testing, TLS certificate generation, or IPv4 subnet planning! 🚀
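To make the protocol flow in section 1 and the `clients.conf` checks in sections 4D and 6 concrete, here is an added example (not from this crash course or the FreeRADIUS project) that builds a PAP Access-Request the way a NAS or `radtest` does and then applies the two checks a server performs before it consults AD. The client table, IP address, secret and credentials are constructed for the demo.

```python
# Added example, not from this crash course: a PAP Access-Request as a NAS or radtest
# builds it (User-Password hiding, RFC 2865 5.2; Message-Authenticator, RFC 2869 5.14)
# and the two checks the server makes before consulting AD. All values are constructed.
import hashlib, hmac, os, struct
CLIENTS = {"192.168.1.1": b"your-shared-secret"}   # stands in for clients.conf

def _xor_chain(data, secret, authenticator, chain_output):
    # block i is XORed with MD5(secret + previous block); block 0 chains from the authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_output else data[i:i + 16]   # hiding chains on the ciphertext
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)    # pad to a multiple of 16
    return _xor_chain(padded, secret, authenticator, True)
def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")
def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value    # Type, Length, Value
def parse_attrs(pkt: bytes) -> dict:
    attrs, i = {}, 20                  # type -> (offset of value, value), after the 20-byte header
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        attrs[t] = (i + 2, pkt[i + 2:i + length])
        i += length
    return attrs

def build_access_request(user: bytes, password: bytes, secret: bytes) -> bytes:
    auth = os.urandom(16)                                    # Request Authenticator
    attrs = attr(1, user) + attr(2, hide_password(password, secret, auth)) + attr(80, b"\x00" * 16)
    pkt = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + auth + attrs   # Code 1 = Access-Request, ID 1
    mac = hmac.new(secret, pkt, hashlib.md5).digest()        # HMAC-MD5 computed with attribute 80 zeroed
    return pkt[:-16] + mac                                   # the zeroed placeholder is the last 16 bytes

def server_check(src_ip: str, pkt: bytes) -> str:
    secret = CLIENTS.get(src_ip)
    if secret is None:           # section 6 pitfall: NAS IP not in clients.conf, request is ignored
        return "ignored: unknown client"
    attrs = parse_attrs(pkt)
    if 80 not in attrs:          # the case require_message_authenticator = yes rejects
        return "rejected: missing Message-Authenticator"
    off, mac = attrs[80]
    expected = hmac.new(secret, pkt[:off] + b"\x00" * 16 + pkt[off + 16:], hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):               # shared secret mismatch between NAS and server
        return "rejected: bad Message-Authenticator"
    password = unhide_password(attrs[2][1], secret, pkt[4:20])
    return f"ok: {attrs[1][1].decode()} with {len(password)}-char password, hand to ldap"
```

Running `server_check` with a request built under a different secret, or from an address missing from `CLIENTS`, shows why the two pitfalls in section 6 produce no Access-Reject at all: the server never gets as far as the backend.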