To configure your FreeRADIUS server for LDAP authentication (via LDAPS) in your home lab, follow these steps. The configuration will ensure the Unifi Access Point (AP) can authenticate users against your LDAP server (AD) via the FreeRADIUS server.
1. Install Required Packages
Install FreeRADIUS and the necessary modules. Since you're using FreeRADIUS 3.2.1, ensure you install the correct version. On Proxmox, you can use apt or install via Docker.
For Ubuntu/Debian (if using a VM or bare metal):
sudo apt update
sudo apt install freeradius freeradius-ldap freeradius-mysql
If using Docker (optional):
docker run -d \
--name freeradius \
--network host \
--restart unless-stopped \
--volume /path/to/config:/etc/freeradius \
--volume /path/to/ldap-cert:/etc/ssl/certs \
--volume /path/to/mariadb:/var/lib/mysql \
freeradius/freeradius:3.2.1
2. Configure FreeRADIUS to Use LDAP (LDAPS)
2.1. Edit radiusd.conf
Set the listening address to IPv4 and IPv6:
sudo nano /etc/freeradius/radiusd.conf
Update the following lines (every listen section needs a type; auth serves Access-Requests on 1812):
listen {
type = auth
ipaddr = 0.0.0.0
port = 1812
}
listen {
type = auth
ipaddr = ::
port = 1812
}
2.2. Configure LDAP Backend in ldap Module
Create or edit the LDAP module configuration (in FreeRADIUS 3.x it lives in mods-available, not in a top-level ldap file):
sudo nano /etc/freeradius/mods-available/ldap
Add the following (replace placeholders with your actual values):
ldap {
# ldaps:// means TLS from the first byte on port 6360 (636 is the usual LDAPS port)
server = 'ldaps://ad.reliyya.xyz:6360'
# placeholder: a read-only service account that FreeRADIUS binds as to search for users
identity = 'CN=svc-radius,CN=Users,DC=reliyya,DC=xyz'
password = 'service-account-password'
base_dn = 'DC=reliyya,DC=xyz'
options {
net_timeout = 5
}
user {
base_dn = "${..base_dn}"
filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
}
tls {
ca_file = /etc/ssl/certs/ca-certificates.crt
# only needed if AD requires client certificates
certificate_file = /etc/ssl/certs/client-cert.pem
private_key_file = /etc/ssl/certs/client-key.pem
require_cert = 'demand'
start_tls = no
}
}
Key Notes:
- server: the LDAP URL of your AD server (ad.reliyya.xyz) with the ldaps:// scheme and the LDAPS port (6360). The scheme is what turns on TLS for the connection.
- start_tls: STARTTLS upgrades a plain ldap:// session (normally port 389) to TLS. It does not apply to ldaps:// and must stay off here; combining the two fails the connection.
- require_cert = 'demand' together with ca_file (or ca_path): FreeRADIUS checks the AD certificate against your CA bundle. Without this check a spoofed LDAP server would receive the service-account bind and, for PAP, the users' cleartext passwords that FreeRADIUS binds with.
- identity/password: AD does not allow anonymous user searches, so a dedicated read-only service account is needed. Keep the file readable by the freerad user only.
- certificate_file/private_key_file: only if your LDAP server requires a client certificate; otherwise leave them out.
- The LDAP bind check works for PAP and EAP-TTLS/PAP. PEAP-MSCHAPv2, the common WPA-Enterprise choice, needs the NT hash, which AD does not expose over LDAP; FreeRADIUS uses ntlm_auth/winbind for that.
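As an added check that is not part of the original instructions, a small Python linter for the TLS points above: it parses the ldap { } block (only the key = value and brace-section subset that mods-available/ldap uses) and flags start_tls combined with ldaps://, a missing require_cert = 'demand', a missing CA file, and a missing bind account. The two sample blocks are constructed, and the svc-radius bind account is hypothetical.

```python
def parse_config(text):
    """Parse the 'key = value' / 'name { ... }' subset used in mods-available/ldap."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                   # open a nested section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")  # split on the first '=' only: DNs contain '='
            stack[-1][key.strip()] = value.strip().strip("'\"")
    return stack[0]

def audit_ldap_module(text):
    """Return security findings for the ldap { } block; an empty list means it passes."""
    cfg = parse_config(text).get("ldap", {})
    tls = cfg.get("tls", {})
    ldaps = cfg.get("server", "").startswith("ldaps://")
    findings = []
    if not ldaps and tls.get("start_tls") != "yes":
        findings.append("plaintext LDAP: use an ldaps:// server URL or tls { start_tls = yes }")
    if ldaps and tls.get("start_tls") == "yes":
        findings.append("start_tls only upgrades a plain ldap:// session; drop it for ldaps://")
    if tls.get("require_cert") != "demand":
        findings.append("tls { require_cert = 'demand' } is needed to verify the AD certificate")
    if not (tls.get("ca_file") or tls.get("ca_path")):
        findings.append("no tls ca_file/ca_path: the AD certificate chain cannot be validated")
    if not (cfg.get("identity") and cfg.get("password")):
        findings.append("no bind identity/password: AD normally rejects anonymous searches")
    return findings

# Constructed samples: a weak block (TLS flag set, nothing verified) and a hardened one.
WEAK = """ldap {
    server = 'ldaps://ad.reliyya.xyz:6360'
    tls {
        start_tls = yes
    }
}"""
HARDENED = """ldap {
    server = 'ldaps://ad.reliyya.xyz:6360'
    identity = 'CN=svc-radius,CN=Users,DC=reliyya,DC=xyz'   # hypothetical bind account
    password = 'example-only'
    tls {
        ca_file = /etc/ssl/certs/ca-certificates.crt
        require_cert = 'demand'
    }
}"""
```

Run audit_ldap_module on the text of your own mods-available/ldap; the weak sample yields four findings and the hardened one none.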
2.3. Enable the ldap Module
FreeRADIUS 3.x has no [modules] section in radiusd.conf; a module is enabled by linking it into mods-enabled and then calling it from the virtual server:
sudo ln -s ../mods-available/ldap /etc/freeradius/mods-enabled/ldap
sudo nano /etc/freeradius/sites-enabled/default
In the authorize section make sure this line is present (the default site already lists it as -ldap, which silently does nothing until the module exists):
ldap
To have passwords checked by an LDAP bind, also uncomment the Auth-Type LDAP { ldap } block in the authenticate section of the same file.
2.4. Configure users File (Optional)
If you want to test without LDAP, you can use a static user:
sudo nano /etc/freeradius/users
Add:
testuser Cleartext-Password := "password"
3. Configure Clients in clients.conf
Set up the Unifi controller as a client:
sudo nano /etc/freeradius/clients.conf
Add:
client unifi-controller {
# every AP is a RADIUS client (NAS), so the range must cover the APs; narrow it to their addresses if you can
ipaddr = 10.56.0.0/24
secret = your_shared_secret
shortname = unifi
}
Replace your_shared_secret with a long random secret (the same value is entered on the Unifi controller). Any host in the range that knows the secret can send authentication requests, so keep the range tight.
4. Test LDAP Connectivity
Verify the LDAP server is reachable:
ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
Replace testuser and password with a valid LDAP user.
5. Test FreeRADIUS Authentication
Use radtest to test authentication:
radtest testuser password 10.56.1.251 0 testing123
If successful, you'll see:
Sending Access-Request of type Auth-Request
...
Access-Accept
6. Configure Unifi Controller to Use FreeRADIUS
- Log in to the Unifi controller web UI.
- Navigate to Network > Radius.
- Add a new RADIUS server:
  - Name: radius.reliyya.xyz
  - IP Address: radius.reliyya.xyz (DNS entry)
  - Port: 1812 (Authentication), 1813 (Accounting)
  - Shared Secret: your_shared_secret
  - NAS ID: unifi-controller
- Save and test the connection.
7. Optional: Set Up MariaDB for Session Tracking
If you want to store session (accounting) data:
- Install MariaDB:
sudo apt install mariadb-server
- Enable the sql module (as with ldap, FreeRADIUS 3.x enables modules by linking them into mods-enabled):
sudo ln -s ../mods-available/sql /etc/freeradius/mods-enabled/sql
- Configure the sql module: set the dialect to mysql and fill in the connection details (placeholder values shown):
sudo nano /etc/freeradius/mods-available/sql
dialect = "mysql"
driver = "rlm_sql_${dialect}"
server = "localhost"
login = "radius"
password = "radius_db_password"
radius_db = "radius"
- After creating the radius database and user, load the table schema shipped with FreeRADIUS:
mysql -u root -p radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql
8. Security Considerations
- Ensure TLS is enforced for LDAP (ldaps:// with certificate verification), so the service-account bind and the passwords FreeRADIUS binds with never cross the network in the clear.
- Use strong secrets for RADIUS and LDAP.
- Restrict access to the FreeRADIUS server via OPNsense firewall.
Summary
- Packages: freeradius, freeradius-ldap, freeradius-mysql
- Key Config Files: radiusd.conf, ldap, clients.conf, users
- LDAP Server: use ad.reliyya.xyz:6360 with TLS
- Unifi Controller: point to radius.reliyya.xyz with the shared secret
Let me know if you need help with certificate setup or advanced LDAP filters! 🚀