To install the RADIUS server on Ubuntu 12.04 LTS, follow these instructions:
- From the FreeRADIUS web page http://freeradius.org, download the latest package (currently 3.1), either from the main page or the download page.
- Extract the archive file by using the command line as shown below:
- To extract a tar.bz2 file, use the command (note the j option): tar -jxvf freeradius-server-x.x.x.tar.bz2
- To extract a tar.gz file, use the command (note the z option): tar -zxvf freeradius-server-x.x.x.tar.gz
- Once the files are extracted to a folder (cd freeradius-server-x.x.x), execute these commands:
sudo apt-get install libssl-dev
sudo apt-get install libtalloc-dev
./configure
make
make install
Configuring Free-radius server
To configure Free-Radius server, follow these steps:
The IP address or subnet of the client must be configured in the clients.conf file. For the examples listed in this document, the subnet of the external machine is 172.22.121.0 or 192.168.0.0.
- For testing from external machines, edit /usr/local/etc/raddb/clients.conf and add an entry.
For example:
client 172.22.121.0/24 {
    ipaddr = 172.22.121.0
    netmask = 24
    # shared secret; must match the Secret configured on the AP
    secret = cambium
    proto = *
    shortname = epmp1
}
client 127.0.0.0/24 {
    # loopback range, for tests run on the server itself
    ipaddr = 127.0.0.0
    netmask = 24
    secret = cambium
    proto = *
    shortname = epmp1
}
client 192.168.0.0/16 {
    ipaddr = 192.168.0.0
    netmask = 16
    secret = cambium
    proto = *
}
- To add the EAP-TTLS Username and EAP-TTLS Password, edit /usr/local/etc/raddb/users.
For example, put this line at the end of the file:
cambium-SubscriberModule Cleartext-Password := "cambium"
where cambium-SubscriberModule is the EAP-TTLS Username and "cambium" is the EAP-TTLS Password.
- To configure the FreeRADIUS key and certificate, edit /usr/local/etc/raddb/mods-available/eap and add your certificates to the folder /usr/local/etc/raddb/certs.
Locate the default_eap_type, private_key_password, private_key_file and certificate_file settings in the eap file and change their values to:
default_eap_type = ttls
private_key_password = ***    # according to your certificate
private_key_file = ${certdir}/***.key
certificate_file = ${certdir}/***.crt
Under the ttls section, change the following:
copy_request_to_tunnel=yes
use_tunnel_reply=yes
Once these steps are performed, FreeRADIUS can be started in debug mode:
$ radiusd -X
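A check that can be run over clients.conf before starting the server, written here as an added example and not part of the original instructions or of FreeRADIUS. The function names, the 16-character minimum, the weak-secret list and the /24 width threshold are assumptions of this example, and the sample input is constructed.

```sh
#!/bin/sh
# Added example, not from the original page: audit clients.conf-style entries.
# The 16-character minimum and the weak-secret list are assumptions.
audit_clients() {   # reads the file named in $1, or stdin when called without one
    awk '
    function report() {
        if (name == "") return
        if (name ~ /^[0-9]+\./ && ip != "" && index(name, ip) != 1)
            print name ": label does not match ipaddr " ip
        if (ip in seen) print name ": ipaddr " ip " duplicates " seen[ip]
        else if (ip != "") seen[ip] = name
        if (secret == "") print name ": no secret set"
        else if (length(secret) < 16 || secret ~ /^(cambium|testing123)$/)
            print name ": weak secret (" length(secret) " chars)"
        if (mask != "" && mask + 0 < 24) print name ": wide subnet /" mask
        name = ""
    }
    { sub(/#.*/, "") }    # drop comments
    $1 == "client" { report(); name = $2; ip = secret = mask = ""; next }
    $2 == "=" && $1 == "ipaddr"  { ip = $3 }
    $2 == "=" && $1 == "netmask" { mask = $3 }
    $2 == "=" && $1 == "secret"  { secret = $3; gsub(/"/, "", secret) }
    $1 == "}" { report() }
    END { report() }
    ' "$@"
}

# Constructed sample input, not a real deployment.
sample_conf() {
    cat <<'EOF'
client 172.22.121.0/24 {
    ipaddr = 172.22.121.0
    netmask = 24
    secret = cambium
}
client 127.0.0.0/24 {
    ipaddr = 172.22.121.0    # copy-paste slip: repeats the first entry
    netmask = 24
    secret = cambium
}
client 192.168.0.0/16 {
    ipaddr = 192.168.0.0
    netmask = 16
    secret = "Xq7-constructed-example-secret"
}
EOF
}

sample_conf | audit_clients
```

Against a real installation, call it as audit_clients /usr/local/etc/raddb/clients.conf; no output means no findings.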
Configuring radius parameters on AP
To configure Radius parameters on the AP, follow these steps:
- Open the GUI and login as
- Navigate to Configure -> Security -> Wireless Security.
- Change the value to
- Add IP Address of your RADIUS Server in the Radius Servers
- Also configure the Port (you may use the default, 1812) and the Secret, which has to be the same as in the conf file.
- Click Save, to keep the changes.
Configuring radius parameters on SM
To configure Radius parameters on SM, follow these steps:
- Select Wireless Security as RADIUS.
- Configure the EAP-TTLS Username and EAP-TTLS Password, as configured in the users file.
- Choose the Default Root Certificate.
- Click Save, to keep the changes.
Configuring MIR profiles
To configure the MIR profiles, follow these steps:
- Create a dictionary file with the MIR Profiles:
# touch dictionary.cambium
- Edit dictionary.cambium according to the instructions that you can find under the /usr/local/etc/raddb directory in the file dictionary.
For example:
VENDOR Cambium 17713
#
# Cambium vendor-specific attributes.
#
BEGIN-VENDOR Cambium
ATTRIBUTE Cambium-ePMP-ULMIR 26 integer #Max Burst Uplink Rate
ATTRIBUTE Cambium-ePMP-DLMIR 27 integer #Max Burst Downlink Rate
END-VENDOR Cambium
- Create a link to your dictionary:
# ln -s dictionary.cambium dictionary.local
- To configure MIR profiles, edit /usr/local/etc/raddb/users and add profiles for each client below the users configuration:
# reply items go on indented lines, separated by commas
SubscriberModule33 Cleartext-Password := "cambium33"
    Cambium-ePMP-ULMIR = 100,
    Cambium-ePMP-DLMIR = 100

SubscriberModule34 Cleartext-Password := "cambium34"
    Cambium-ePMP-ULMIR = 110,
    Cambium-ePMP-DLMIR = 110

SubscriberModule35 Cleartext-Password := "cambium35"
    Cambium-ePMP-ULMIR = 120,
    Cambium-ePMP-DLMIR = 120
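In the users file, reply items belong on indented lines after the user line, with a comma after every item except the last, and each attribute name has to exist in the dictionary. The following cross-check of a users file against dictionary.cambium is an added example, not part of the original instructions. The function name check_mir and all sample data (including a deliberately misspelled attribute) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page: cross-check users-file reply
# items against dictionary.cambium. All sample data below is constructed.

check_mir() {   # $1 = dictionary file, $2 = users file; prints one finding per line
    awk '
    FNR == NR { if ($1 == "ATTRIBUTE") known[$2] = 1; next }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    /^[^ \t]/ {                             # column 0 starts a new user entry
        if (more) print "line " last ": trailing comma on last reply item"
        if ($1 in known) print "line " FNR ": reply item " $1 " is not indented"
        user = $1; more = 0; next
    }
    {                                       # indented line: one reply item
        if (!($1 in known)) print "line " FNR ": " $1 " not in dictionary"
        if (replies[user] && !more) print "line " last ": missing comma"
        replies[user] = 1; more = ($0 ~ /,[ \t]*$/); last = FNR
    }
    END { if (more) print "line " last ": trailing comma on last reply item" }
    ' "$1" "$2"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/dictionary.cambium" <<'EOF'
VENDOR Cambium 17713
BEGIN-VENDOR Cambium
ATTRIBUTE Cambium-ePMP-ULMIR 26 integer
ATTRIBUTE Cambium-ePMP-DLMIR 27 integer
END-VENDOR Cambium
EOF
cat > "$tmp/users" <<'EOF'
SubscriberModule33 Cleartext-Password := "constructed33"
    Cambium-ePMP-ULMIR = 100,
    Cambium-ePMP-DLMIR = 100

SubscriberModule34 Cleartext-Password := "constructed34"
Cambium-ePMP-ULMIR = 110,
Cambium-ePMP-DLMIR = 110

SubscriberModule35 Cleartext-Password := "constructed35"
    Cambium-ePMP-ULMIR = 120
    Cambium-ePMP-DLMR = 120
EOF

check_mir "$tmp/dictionary.cambium" "$tmp/users"
```

Line numbers in the findings refer to the users file; an entry whose reply items sit at column 0 is reported because each such line would otherwise be read as the start of a new user.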
Example scenarios of MIR and RADIUS configurations
Scenario | Description
No MIR control via Radius | In a scenario where Radius is not in use for MIR profiles, the GUI will be the only place to configure MIR profiles and apply them to the corresponding SMs. Configure the MIR profiles in the Configure -> Quality of Service menu option on the AP GUI and apply the corresponding profile # in the SM under the same menu option on the SM.
MIR control using only Radius | In the case where only the Radius server is being used for MIR profiles, all settings in the GUI will be overridden for any SM being managed by the Radius Server. In this case, create the MIR profile with Subscriber Module usernames and passwords on the Radius server. At the time of registration, the AP uses the Radius information and applies the corresponding profile to the SM. In the wireless statistics page ( => Wireless Status), the MIR profile # from the Radius server along with UL and DL rate information will show up. In this scenario the QOS profiles in the AP GUI are irrelevant. Multiple SMs across multiple APs can then be managed via Radius.
Hybrid control using both Radius and MIR profile on the AP GUI | The system also supports a hybrid mode where Radius and the GUI QOS profiles can be used simultaneously as long as the same SM does not have a profile # associated from both the AP and Radius. In cases where it is redundant, the Radius server setting will override the MIR profile settings from the GUI.
See attached for CREATING CERTIFICATE FOR RADIUS SERVER AND SM DEVICE.