11.6. RADIUS

The RADIUS app increases the security of UCS-managed IT infrastructures by controlling access to the wireless network for users, groups and endpoint devices via the RADIUS protocol. The configuration is done via deny and allow lists and directly at user, group and endpoint device objects in the UCS management system. Registered users are authenticated with their usual domain credentials or, alternatively, with a password generated specifically for RADIUS, which, among other things, also allows bring-your-own-device concepts.

11.6.1. Installation

RADIUS is available through the App Center (see Univention App Center) and can be installed using the UMC module App Center. It can be installed on multiple machines. After the installation it runs a FreeRADIUS server. Authenticators (e.g. access points) can contact it via RADIUS to check network access requests.

The RADIUS app can also be installed on UCS@school systems. In this case, the network access can be given to users or groups regardless of the internet rule or computer room settings.

11.6.2. Configuration

11.6.2.1. Allowed users

By default no user is allowed to access the network. Enabling the checkbox for network access on the RADIUS tab gives the user access to the network. The checkbox can also be set on groups, which grants access to all users in the group.

Fig. 11.4 Example for a group allowing network access to its users

11.6.2.2. Service specific password

By default, users authenticate with their domain password. By setting the Univention Configuration Registry Variable radius/use-service-specific-password to true, a dedicated password for RADIUS will be used. Through the Self Service app, users can get such a password. The system will generate a random password for users to use. If needed, a new password can be generated at any time. This also invalidates the old password. To enable this page in the Self Service, the Univention Configuration Registry Variable umc/self-service/service-specific-passwords/backend/enabled has to be set to true on the Self Service Backend.

Fig. 11.5 The page in the Self Service to get a RADIUS specific password

The parameters used to generate the passwords can be adjusted. On a Primary Directory Node some Univention Configuration Registry Variables have to be set:

$ ucr search password/radius/quality

11.6.2.3. MAC filtering

By default access to the network is allowed for every device (assuming the used username has access). It can be restricted to only allow specific devices. This can be enabled by setting the Univention Configuration Registry Variable radius/mac/whitelisting to true. When enabled, the device used to access the network is looked up via the LDAP attribute macAddress and the resulting computer object must have network access granted (either directly or via one of its groups), too.

11.6.2.4. Access point administration

All access points must be known to the RADIUS server. An access point can either be configured in the file /etc/freeradius/3.0/clients.conf or through the UMC module Computers. For each access point a random shared secret should be created (e.g. by using the command makepasswd). The shortname can be chosen at will.

Example entry for an access point:

client AP01 {
    secret = a9RPAeVG
    ipaddr = 192.0.2.101
}

To configure an access point using the UMC module Computers create or select a computer object and activate the RADIUS-Authenticator option (RADIUS option). An IP client is a good choice as a computer object for access points. The RADIUS settings can be edited on the RADIUS tab of the object (RADIUS authenticator options). At least the IP address and the shared secret must be configured. The virtual server and NAS type options usually do not need to be changed.

Access points that are configured via the UMC module Computers are available to all RADIUS servers in the domain. To achieve this, the Univention Directory Listener will write them into the file /etc/freeradius/3.0/clients.univention.conf and restart the RADIUS server. In order to merge multiple changes in one restart, this happens with a slight delay (around 15 seconds). New access points can only access the RADIUS server after this restart.

Fig. 11.6 RADIUS option

Fig. 11.7 RADIUS authenticator options

11.6.2.5. Access point and client configuration

The access points must then be configured to use 802.1X (“WPA Enterprise”) authentication, and the RADIUS server address must be set to the address of the server where the RADIUS app is installed. The password must be set to the secret from the clients.conf entry for that access point.

Wireless clients have to be configured to use WPA with PEAP and MSCHAPv2 for authentication.

11.6.2.6. VLAN IDs

Virtual Local Area Networks (VLANs) can be used to separate the traffic of users at the network level. UCS can be configured to return a VLAN ID in the RADIUS response of the RADIUS authentication process according to RFC 3580 / IEEE 802.1X. Further information can be found in Configure VLAN.

The VLAN ID for a user can be configured by assigning the user to a group with a VLAN ID.

Fig. 11.8 Assigning VLAN ID to a user group

A default VLAN ID can be configured in the Univention Configuration Registry Variable freeradius/vlan-id. This default VLAN ID will be returned if the user is not a member of a group with a VLAN ID. The RADIUS response will not contain any VLAN ID in case the user is not a member of a group with a VLAN ID and no default VLAN ID is defined.
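The VLAN selection rules above (group VLAN ID, then the freeradius/vlan-id default, otherwise no VLAN attribute at all), as an added example that is not code from the UCS project or from FreeRADIUS. The group objects, user memberships and the attribute name used for the group VLAN ID are constructed for this example. The reply is encoded as the three tunnel attributes that RFC 3580 section 3.31 defines for VLAN assignment; that the UCS FreeRADIUS configuration emits exactly this attribute set is an assumption of the example.

```python
"""Select the VLAN ID for a RADIUS reply and encode it per RFC 3580 section 3.31.

Added example, not UCS or FreeRADIUS code. All directory data below is constructed.
"""

# Constructed group objects: DN -> VLAN ID (None means no VLAN ID is set on the group)
GROUP_VLAN = {
    "cn=Domain Users,cn=groups,dc=ucs,dc=example": None,
    "cn=Staff,cn=groups,dc=ucs,dc=example": 20,
    "cn=Guests,cn=groups,dc=ucs,dc=example": 99,
}

# Constructed user memberships: username -> group DNs in membership order
USER_GROUPS = {
    "alice": [
        "cn=Domain Users,cn=groups,dc=ucs,dc=example",
        "cn=Staff,cn=groups,dc=ucs,dc=example",
    ],
    "bob": ["cn=Domain Users,cn=groups,dc=ucs,dc=example"],
}


def select_vlan(username, default_vlan=None):
    """Return (vlan_id, source).

    source is the DN of the group that supplied the VLAN ID, the string
    "freeradius/vlan-id" when the default applied, or None when no VLAN applies.
    The page does not say which group wins when a user is in several groups that
    carry a VLAN ID; this example takes the first in membership order (assumption).
    """
    for group_dn in USER_GROUPS.get(username, []):
        vlan = GROUP_VLAN.get(group_dn)
        if vlan is not None:
            return vlan, group_dn
    if default_vlan is not None:
        return default_vlan, "freeradius/vlan-id"
    return None, None


def reply_attributes(vlan_id):
    """Tunnel attributes for a VLAN assignment; empty when no VLAN applies.

    The numeric values behind the names are Tunnel-Type 13 (VLAN) and
    Tunnel-Medium-Type 6 (IEEE-802); Tunnel-Private-Group-Id carries the
    VLAN ID as a string.
    """
    if vlan_id is None:
        return {}
    vlan = int(vlan_id)
    if not 1 <= vlan <= 4094:
        # A value outside the IEEE 802.1Q range is a misconfiguration, not a reply.
        raise ValueError("VLAN ID out of range: %r" % (vlan_id,))
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def vlan_reply(username, default_vlan=None):
    """Attributes to add to the Access-Accept for this user."""
    vlan_id, _source = select_vlan(username, default_vlan)
    return reply_attributes(vlan_id)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, vlan_reply(user, default_vlan=None), vlan_reply(user, default_vlan="10"))
```

Passing the UCR value as a string (as `ucr get freeradius/vlan-id` would return it) works because the encoder normalizes through `int()`; an unset variable maps to `None`, which yields an empty attribute set.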

11.6.3. Debugging

The RADIUS app writes a log file to /var/log/univention/radius_ntlm_auth.log. The log verbosity can be controlled via the Univention Configuration Registry Variable freeradius/auth/helper/ntlm/debug. The FreeRADIUS server uses the log file /var/log/freeradius/radius.log.

The tool univention-radius-check-access can be used to evaluate the current access policy for a given user and/or station ID (MAC address). It can be executed as root on the server where univention-radius is installed:

root@primary211:~# univention-radius-check-access --username=stefan
DENY 'uid=stefan,cn=users,dc=ucs,dc=example'
'uid=stefan,cn=users,dc=ucs,dc=example'
-> DENY 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> -> DENY 'cn=Users,cn=Builtin,dc=ucs,dc=example'
-> -> 'cn=Users,cn=Builtin,dc=ucs,dc=example'
Thus access is DENIED.
root@primary211:~# univention-radius-check-access --username=janek
DENY 'uid=janek,cn=users,dc=ucs,dc=example'
'uid=janek,cn=users,dc=ucs,dc=example'
-> DENY 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> ALLOW 'cn=Network Access,cn=groups,dc=ucs,dc=example'
-> 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> -> DENY 'cn=Users,cn=Builtin,dc=ucs,dc=example'
-> -> 'cn=Users,cn=Builtin,dc=ucs,dc=example'
-> 'cn=Network Access,cn=groups,dc=ucs,dc=example'
Thus access is ALLOWED.
root@primary211:~#

It prints a detailed explanation and sets the exit code depending on the result of the access check (0 for access granted, 1 for access denied).
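The access evaluation that univention-radius-check-access reports above, and the MAC filtering rule from section 11.6.2.3, re-implemented on an in-memory directory as an added example (this is not the tool's own code). The rules it follows are the ones the page states: an object is granted access if it, or any group it belongs to transitively, has network access enabled, and with MAC filtering the computer object found via macAddress must be granted access too. The DNs, group memberships, the attribute name `networkAccess`, the `--station-id` / `--mac-whitelisting` options of the example's own command line, and the way a station ID is treated when no username is given are all constructed or assumed here, not taken from the UCS schema or tool.

```python
"""Model of the RADIUS access check, including MAC filtering.

Added example; not the univention-radius-check-access tool. The directory data
and the attribute name "networkAccess" are constructed for this example.
"""
import argparse
import sys

# Constructed directory: DN -> {networkAccess, memberOf, macAddress}
DIRECTORY = {
    "uid=stefan,cn=users,dc=ucs,dc=example": {
        "networkAccess": False,
        "memberOf": ["cn=Domain Users,cn=groups,dc=ucs,dc=example"],
    },
    "uid=janek,cn=users,dc=ucs,dc=example": {
        "networkAccess": False,
        "memberOf": [
            "cn=Domain Users,cn=groups,dc=ucs,dc=example",
            "cn=Network Access,cn=groups,dc=ucs,dc=example",
        ],
    },
    "cn=Domain Users,cn=groups,dc=ucs,dc=example": {
        "networkAccess": False,
        "memberOf": ["cn=Users,cn=Builtin,dc=ucs,dc=example"],
    },
    "cn=Network Access,cn=groups,dc=ucs,dc=example": {"networkAccess": True, "memberOf": []},
    "cn=Users,cn=Builtin,dc=ucs,dc=example": {"networkAccess": False, "memberOf": []},
    "cn=laptop01,cn=computers,dc=ucs,dc=example": {
        "networkAccess": False,
        "memberOf": ["cn=Network Access,cn=groups,dc=ucs,dc=example"],
        "macAddress": "00:11:22:33:44:55",
    },
    "cn=guest-phone,cn=computers,dc=ucs,dc=example": {
        "networkAccess": False,
        "memberOf": [],
        "macAddress": "66:77:88:99:aa:bb",
    },
}


def verdict(dn):
    """Own flag of a single object, as shown per line in the tool's output."""
    return "ALLOW" if DIRECTORY.get(dn, {}).get("networkAccess") else "DENY"


def has_access(dn, seen=frozenset()):
    """True if the object or any group it belongs to, transitively, grants access."""
    if dn in seen or dn not in DIRECTORY:  # cycle guard / unknown object -> no access
        return False
    entry = DIRECTORY[dn]
    if entry["networkAccess"]:
        return True
    return any(has_access(g, seen | {dn}) for g in entry["memberOf"])


def explain(dn, prefix="", seen=frozenset()):
    """Lines in the tool's layout: the object, its groups' verdicts, then each group expanded."""
    lines = ["%s'%s'" % (prefix, dn)]
    groups = [g for g in DIRECTORY.get(dn, {}).get("memberOf", []) if g not in seen]
    lines.extend("%s-> %s '%s'" % (prefix, verdict(g), g) for g in groups)
    for g in groups:
        lines.extend(explain(g, prefix + "-> ", seen | {dn}))
    return lines


def report(dn):
    return ["%s '%s'" % (verdict(dn), dn)] + explain(dn)


def find_computer_by_mac(mac):
    """Look up the computer object via its macAddress attribute (case-insensitive)."""
    mac = mac.lower()
    for dn, entry in DIRECTORY.items():
        if entry.get("macAddress", "").lower() == mac:
            return dn
    return None


def check_access(username=None, station_id=None, mac_whitelisting=False):
    """Return (granted, lines). The station is evaluated when MAC filtering is on
    (documented rule) or when no username was given (assumption of this example)."""
    if username is None and station_id is None:
        raise ValueError("need a username and/or a station ID")
    lines, granted = [], True
    if username is not None:
        user_dn = "uid=%s,cn=users,dc=ucs,dc=example" % username  # constructed naming
        lines += report(user_dn)
        granted = granted and has_access(user_dn)
    if station_id is not None and (mac_whitelisting or username is None):
        computer_dn = find_computer_by_mac(station_id)
        if computer_dn is None:
            lines.append("no computer object with macAddress %s" % station_id)
            granted = False
        else:
            lines += report(computer_dn)
            granted = granted and has_access(computer_dn)
    lines.append("Thus access is %s." % ("ALLOWED" if granted else "DENIED"))
    return granted, lines


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--username")
    parser.add_argument("--station-id", help="MAC address (option name is this example's, not the tool's)")
    parser.add_argument("--mac-whitelisting", action="store_true", help="models radius/mac/whitelisting=true")
    args = parser.parse_args()
    ok, out = check_access(args.username, args.station_id, args.mac_whitelisting)
    print("\n".join(out))
    sys.exit(0 if ok else 1)  # same exit-code convention as the tool
```

Note that the per-line verdict is the object's own flag while the final result is transitive, which is why the first line of the janek report reads DENY although access is ALLOWED; an unknown MAC with MAC filtering enabled is a deny, since there is no computer object to grant anything.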