FreeRadius 3.X installation/configuration for PMP450x

Summary:

This article demonstrates how to configure the FreeRadius 3.x(3.0.13) for AP(User authentication) and SM(User authentication and Registration).

Cause:

With the newer version of the radius server, there are minor changes to the configuration procedure and firewall rules of the Radius Server.

Solution: Installation of FreeRadius 3.X

The user is free to use any installation methods on any OS. However, in the following example, Free Radius 3.0.13 is installed on CentOS 7.9. The 2 main directories that you need to work with are:

/usr/share/freeradius – contains the default dictionary (VSA) files from other vendors. The Cambium’s VSA dictionary.canopy is not included by default.

/etc/raddb – the main directory where you will be configuring the FreeRadius.

/etc/raddb/clients.conf – PMP450x AP IP address as a trusted server.

/etc/raddb/certs – certifications and key where FreeRadius will be using, be using by /etc/raddb/mods-available/eap file.

/etc/raddb/users – define profiles (via VSA from dictionary file) AP/SM UI login users and SM registration.

/etc/raddb/dictionary – define the dictionary (VSA) file that is not included or not existed in /usr/share/freeradius.

/etc/raddb/mods-available/eap – FreeRadius’s cert/key and authentication methods configuration.

Configuration – FreeRadius 3.0.13

  1. Add a trusted PMP450x AP IP address(es) by editing /etc/raddb/clients.conf. For instance, PMP450x AP with IP=10.120.130.52
    1

Note: Depending upon the OS where FreeRadius installed, adding the PMP450 AP IP address into the clients.conf file, may not be working due to firewall setting. Be sure to check firewall setting to allow processing of incoming Access-X messages. For instance, on CentOS 7.9, after the installation, firewall is blocking the incoming messages. The following 2 commands are used to unblock the firewall on the FreeRadius public interface = ens192,

firewall-cmd --zone=trusted --add-interface=ens192

firewall-cmd --permanent --zone=trusted --add-interface=ens192

  1. Edit the /etc/raddb/dictionary and add Cambium PMP450x dictionary.canopy (https://support.cambiumnetworks.com/file/c73b92e64bbea7239e19f59c4e29dff361d2cf6a).

    For instance,
    2

  2. Upload Cambium default cetificates/key for FreeRadius(if you are planning to use the default Cambium’s, it can downloaded from Log In / Cambium Networks Support) and add to /etc/raddb/certs.

    For instance,
    3

  3. a. Edit /etc/raddb/mods-available/eap file to add FreeRadius certifications/key.

    • Certificates/key – make sure that you have a correct path for the certificates/key.

    • Also, be sure to change the following 2 flags from no → yes as well:
      5

      6

    b. Add UI login user and SM registration via FreeRadius, edit /etc/raddb/users. For instance,

    • UI user login
      7

    • SM registration with MIR setting via Cambium VSA
      8

Note : Above users file configurations for UI login and SM registration are just example. For other VSA configuration, please refer to PMP450 Cambium’s VSA dictionary.canopy file.

PMP450 AP configuration for UI user login

Based on the above FreeRadius configuration the changes required on the AP are under,

AP UIAccounts.

Again, assuming that AP/SM has the default AAA certificates installed.

  1. PMP450 SM Registration via FreeRadius

    a. AP UIConfigurationSecurity

    b. SM UIConfigurationSecurity