notes/projects/gg/freeradius/homelab/20250726-test_environment-homelab.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00

To configure your **FreeRADIUS server** for **LDAP authentication** (via LDAPS) in your home lab, follow these steps. The result is that the Unifi Access Point (AP) authenticates users against your LDAP server (AD) through the FreeRADIUS server.

---
### **1. Install Required Packages**
Install **FreeRADIUS** and the necessary modules. Since you're using **FreeRADIUS 3.2.1**, ensure you install a matching 3.x version. On **Proxmox**, you can use `apt` inside a VM or container, or run the Docker image.
#### **For Ubuntu/Debian (if using a VM or bare metal):**
```bash
sudo apt update
sudo apt install freeradius freeradius-ldap freeradius-mysql
# The Debian/Ubuntu packages keep the configuration under /etc/freeradius/3.0/
```
#### **If using Docker (optional):**
```bash
# The official image is freeradius/freeradius-server; its configuration lives in /etc/raddb.
# MariaDB (step 7) runs in its own container or VM, so its data directory is not mounted here.
docker run -d \
  --name freeradius \
  --network host \
  --restart unless-stopped \
  --volume /path/to/config:/etc/raddb \
  --volume /path/to/ldap-cert:/etc/ssl/certs \
  freeradius/freeradius-server:3.2.1
```

---
### **2. Configure FreeRADIUS to Use LDAP (LDAPS)**
#### **2.1. Check the `listen` Sections**
In FreeRADIUS 3.x the `listen` sections live in the default virtual server rather than in `radiusd.conf`. Make sure the server listens on **IPv4 and IPv6**:
```bash
sudo nano /etc/freeradius/3.0/sites-available/default
```
The two authentication listeners should look like this:
```ini
# instance = ... is not a valid listen option in 3.x; type selects auth or acct
listen {
    type = auth
    ipv4addr = *
    port = 1812
}
listen {
    type = auth
    ipv6addr = ::
    port = 1812
}
```
#### **2.2. Configure LDAP Backend in `ldap` Module**
Edit the LDAP module configuration (shipped under `mods-available` in 3.x):
```bash
sudo nano /etc/freeradius/3.0/mods-available/ldap
```
Set the following (replace placeholders with your actual values):
```ini
ldap {
    # ldaps:// means TLS from the first byte; the port is part of the URL
    server = 'ldaps://ad.reliyya.xyz:6360'
    # AD does not allow anonymous searches: bind with a low-privilege service account (placeholder DN)
    identity = 'CN=radius-svc,CN=Users,DC=reliyya,DC=xyz'
    password = 'service_account_password'
    base_dn = 'DC=reliyya,DC=xyz'
    user {
        base_dn = "${..base_dn}"
        # the person object whose sAMAccountName equals the RADIUS User-Name
        filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }
    tls {
        # start_tls upgrades a plain ldap:// connection; it is not used with ldaps://
        start_tls = no
        ca_file = /etc/ssl/certs/ca-certificates.crt
        ca_path = /etc/ssl/certs
        # only needed if the LDAP server demands a client certificate
        certificate_file = /etc/ssl/certs/client-cert.pem
        private_key_file = /etc/ssl/certs/client-key.pem
        # refuse servers whose certificate does not verify against ca_file
        require_cert = 'demand'
    }
}
```
**Key Notes:**
- `server` = LDAPS URL of your LDAP server (`ldaps://ad.reliyya.xyz:6360`); the LDAPS port (`6360`) is carried in the URL.
- With `ldaps://` the connection is encrypted from the first byte, so `start_tls` stays `no`; `start_tls = yes` is only for STARTTLS on a plain `ldap://` connection.
- `identity`/`password` are a low-privilege service account used only to look up the user entry (placeholder values above); AD rejects anonymous searches.
- `ca_file` (or `ca_path`) names the CA that signed the LDAP server's certificate, and `require_cert = 'demand'` makes FreeRADIUS refuse a server it cannot verify; `certificate_file`/`private_key_file` are only needed if your LDAP server requires a client certificate.
#### **2.3. Enable the `ldap` Module**
FreeRADIUS 3.x has no `[modules]` list in `radiusd.conf`: a module is enabled by linking it into `mods-enabled` and is then called from the virtual server:
```bash
sudo ln -s ../mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
sudo nano /etc/freeradius/3.0/sites-available/default
```
In the `authorize` section, uncomment or add the module call:
```ini
ldap
```
Because AD never returns password hashes, the password is checked by binding to AD as the user: also uncomment the `Auth-Type LDAP { ldap }` block in the `authenticate` section and the `control:Auth-Type := ldap` update that follows the `ldap` call in `authorize` (both ship commented out in the default site).
#### **2.4. Configure `users` File (Optional)**
If you want to test without LDAP, you can define a static user (in 3.x the `users` file is a symlink to `mods-config/files/authorize`):
```bash
sudo nano /etc/freeradius/3.0/users
```
Add:
```ini
testuser Cleartext-Password := "password"
```

---
### **3. Configure Clients in `clients.conf`**
Register the Unifi network as a RADIUS client (the APs send the requests; the controller only distributes the settings):
```bash
sudo nano /etc/freeradius/3.0/clients.conf
```
Add:
```ini
client unifi-controller {
    # the APs are the real RADIUS clients; this range covers them and the controller
    ipaddr = 10.56.0.0/24
    secret = your_shared_secret
    # set to yes once you have confirmed the APs include Message-Authenticator;
    # requests without a valid one are then dropped instead of processed
    require_message_authenticator = no
}
```
Replace `your_shared_secret` with a strong, random secret (the same one entered on the Unifi controller). Keep `ipaddr` as narrow as the AP addresses allow: every host in the range can send requests with this secret.

---
### **4. Test LDAP Connectivity**
Verify the LDAP server is reachable over LDAPS and accepts a bind:
```bash
ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
```
Replace `testuser` and `password` with a valid LDAP user (in AD the bind DN normally includes the container, e.g. `CN=testuser,CN=Users,DC=reliyya,DC=xyz`, or you can bind with the UPN `testuser@reliyya.xyz`). A TLS error here means the CA file on the FreeRADIUS host does not cover the certificate AD presents; fix that before going further.

---
### **5. Test FreeRADIUS Authentication**
Use `radtest` to send a test Access-Request (arguments: user, password, server, NAS-Port, shared secret; `testing123` is the default secret of the `localhost` client in `clients.conf`, so run this on the FreeRADIUS host or substitute the secret of the client you send from):
```bash
radtest testuser password 10.56.1.251 0 testing123
```
If successful, you'll see:
```
Sending Access-Request of type Auth-Request
...
Access-Accept
```
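An added verification script (not part of the original notes) that ties steps 4 and 5 together: it checks that the LDAPS certificate chains to the CA file, binds with certificate verification forced on, and classifies the `radtest` reply so a silent drop (bad shared secret or unknown client) is told apart from a reject. Host names, port, base DN, CA file and the `radtest` arguments are the lab values used above; the password-file argument and the `RUN_CHECKS` switch are assumptions.

```shell
#!/usr/bin/env bash
# Verification of the LDAPS -> FreeRADIUS chain. Defaults are the lab values
# used above; override with environment variables for another setup.
set -u
LDAP_HOST=${LDAP_HOST:-ad.reliyya.xyz}
LDAP_PORT=${LDAP_PORT:-6360}
BASE_DN=${BASE_DN:-DC=reliyya,DC=xyz}
CA_FILE=${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}

# 1. The LDAPS listener must present a certificate that chains to CA_FILE and
#    names LDAP_HOST; otherwise rlm_ldap with require_cert = demand cannot bind.
check_ldaps_cert() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
        -CAfile "$CA_FILE" -verify_hostname "$LDAP_HOST" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# 2. Bind with certificate checking forced on, so success proves the chain is
#    trusted and not merely that the port answers. The password is read from a
#    file (ldapsearch -y) instead of the command line, where ps would expose it.
check_ldap_bind() {   # usage: check_ldap_bind <bind-dn> <password-file>
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$CA_FILE" \
    ldapsearch -x -H "ldaps://$LDAP_HOST:$LDAP_PORT" -D "$1" -y "$2" \
        -b "$BASE_DN" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# 3. Classify radtest output read on stdin:
#    0 = Access-Accept, 1 = Access-Reject (bad credentials or failed LDAP lookup),
#    2 = no reply (wrong shared secret, unknown client IP or firewall: FreeRADIUS
#    silently drops such requests), 3 = anything else.
classify_radius_reply() {
    local out
    out=$(cat)
    case $out in
        *Access-Accept*) return 0 ;;
        *Access-Reject*) return 1 ;;
        *"No reply"*)    return 2 ;;
        *)               return 3 ;;
    esac
}

# Live run: RUN_CHECKS=1 ./verify.sh <bind-dn> <password-file>
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_ldaps_cert && echo "LDAPS certificate: OK" || echo "LDAPS certificate: FAILED"
    check_ldap_bind "$1" "$2" && echo "LDAP bind: OK" || echo "LDAP bind: FAILED"
    radtest testuser password 10.56.1.251 0 testing123 | classify_radius_reply
    echo "RADIUS result: $? (0 accept, 1 reject, 2 no reply)"
fi
```

Run it from the FreeRADIUS host so the `testing123` localhost secret applies; a result of 2 after a working step 4 almost always means the `clients.conf` entry or secret is wrong rather than the LDAP side.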

---
### **6. Configure Unifi Controller to Use FreeRADIUS**
1. Log in to the Unifi controller web UI.
2. Navigate to **Network > Radius**.
3. Add a new RADIUS server:
   - **Name**: `radius.reliyya.xyz`
   - **IP Address**: `radius.reliyya.xyz` (DNS entry)
   - **Port**: `1812` (Authentication), `1813` (Accounting)
   - **Shared Secret**: `your_shared_secret`
   - **NAS ID**: `unifi-controller`
4. Save and test the connection.

---
### **7. Optional: Set Up MariaDB for Session Tracking**
If you want to store session (accounting) data:
1. Install MariaDB:
```bash
sudo apt install mariadb-server
```
2. Enable the `sql` module (3.x has no module list in `radiusd.conf`; the `freeradius-mysql` package provides the driver):
```bash
sudo ln -s ../mods-available/sql /etc/freeradius/3.0/mods-enabled/sql
```
3. Configure the `sql` module:
```bash
sudo nano /etc/freeradius/3.0/mods-available/sql
```
Set `driver = "rlm_sql_mysql"`, `dialect = "mysql"` and the database connection details, and load the table schema shipped under `mods-config/sql/main/mysql/schema.sql`.

---
### **8. Security Considerations**
- Ensure **TLS is enforced and verified** for LDAPS (`require_cert = 'demand'` in the `tls` section of the `ldap` module), so FreeRADIUS never binds to an impostor directory.
- Use **strong secrets** for RADIUS and LDAP; the RADIUS shared secret is what authenticates the NAS to the server, and the bind account in the `ldap` module should have read-only, least-privilege rights.
- Restrict access to the FreeRADIUS server via OPNsense firewall (only the AP subnet needs UDP 1812/1813).

---
### **Summary**
- **Packages**: `freeradius`, `freeradius-ldap`, `freeradius-mysql`
- **Key Config Files** (under `/etc/freeradius/3.0/`): `sites-available/default`, `mods-available/ldap`, `clients.conf`, `users`
- **LDAP Server**: Use `ldaps://ad.reliyya.xyz:6360` with verified TLS
- **Unifi Controller**: Point to `radius.reliyya.xyz` with the shared secret