11.6. RADIUS
The RADIUS app increases the security of UCS-managed IT infrastructures by controlling access to the wireless network for users, groups and endpoint devices via the RADIUS protocol. Access is configured through deny and allow lists and directly on user, group and endpoint device objects in the UCS management system. Registered users authenticate with their usual domain credentials or, alternatively, with a password generated specifically for RADIUS, which among other things enables bring-your-own-device (BYOD) setups.
11.6.1. Installation
RADIUS is available through the App Center (see Univention App Center) and can be installed using the UMC module App Center. It can be installed on multiple machines. After the installation a FreeRADIUS server is running. Authenticators (e.g. access points) contact it via RADIUS to check network access requests.
The RADIUS app can also be installed on UCS@school systems. In this case, network access can be granted to users or groups regardless of the internet rule or computer room settings.
11.6.2. Configuration
11.6.2.1. Allowed users
By default no user is allowed to access the network. Enabling the network access checkbox on the RADIUS tab of a user object grants that user access. The checkbox can also be set on groups, which grants access to all users of the group.

Fig. 11.4 Example for a group allowing network access to its users
11.6.2.2. Service specific password
By default, users authenticate with their domain password. By setting the Univention Configuration Registry Variable radius/use-service-specific-password to true, a dedicated password for RADIUS is used instead. Through the Self Service app, users can obtain such a password: the system generates a random password for the user. If needed, a new password can be generated at any time; this also invalidates the old password. Because this password is separate from the domain password, a lost or untrusted device only exposes the RADIUS credential, not the user's domain login. To enable this page in the Self Service, the Univention Configuration Registry Variable umc/self-service/service-specific-passwords/backend/enabled has to be set to true on the Self Service Backend.

Fig. 11.5 The page in the Self Service to get a RADIUS specific password
The parameters used to generate the passwords can be adjusted. On a Primary Directory Node some Univention Configuration Registry Variables have to be set:
$ ucr search password/radius/quality
11.6.2.3. MAC filtering
By default access to the network is allowed from every device (assuming the used username has access). It can be restricted to specific devices by setting the Univention Configuration Registry Variable radius/mac/whitelisting to true. When enabled, the device used to access the network is looked up via the LDAP attribute macAddress, and the resulting computer object must have network access granted, too (either directly or via one of its groups). Note that a MAC address is trivially spoofed: this filter limits which known devices may connect, but it does not authenticate the device; only the user authentication does that.
11.6.2.4. Access point administration
All access points must be known to the RADIUS server. An access point can either be configured in the file /etc/freeradius/3.0/clients.conf or through the UMC module Computers. For each access point a separate random shared secret should be created (e.g. by using the command makepasswd). RFC 2865 recommends a secret of at least 16 octets (the example below is shorter than that), and a secret reused across access points means that the compromise of one access point exposes all of them. The shortname can be chosen at will.
Example entry for an access point:
client AP01 {
    secret = a9RPAeVG
    ipaddr = 192.0.2.101
}
To configure an access point using the UMC module Computers create or select a computer object and activate the RADIUS-Authenticator option (RADIUS option). An IP client is a good choice as a computer object for access points. The RADIUS settings can be edited on the RADIUS tab of the object (RADIUS authenticator options). At least the IP address and the shared secret must be configured. The virtual server and NAS type options usually do not need to be changed.
Access points that are configured via the UMC module Computers are available to all RADIUS servers in the domain. To achieve this, the Univention Directory Listener writes them into the file /etc/freeradius/3.0/clients.univention.conf and restarts the RADIUS server. In order to merge multiple changes into one restart, this happens with a slight delay (around 15 seconds). New access points can only reach the RADIUS server after this restart.

Fig. 11.6 RADIUS option

Fig. 11.7 RADIUS authenticator options
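The following audit script is an added example for this section and is not part of the UCS RADIUS app. It parses the `client NAME { key = value }` stanza format used by /etc/freeradius/3.0/clients.conf and clients.univention.conf and reports access points whose shared secret is shorter than 16 octets (the minimum RFC 2865 calls preferred), is reused by another access point, or is missing; new_shared_secret() is a stand-in for makepasswd. The configuration text, the shortnames AP01 to AP04 and their secrets are constructed for the example.

```python
"""Audit FreeRADIUS client stanzas for weak, reused or missing shared secrets.

Added example for the UCS manual's RADIUS section; not code from the app.
Parses the flat `client NAME { key = value }` format of clients.conf /
clients.univention.conf and flags secrets shorter than 16 octets
(RFC 2865 section 3), secrets shared by several access points, and
missing secrets. SAMPLE_CLIENTS_CONF is constructed for this example.
"""
import re
import secrets
from typing import Dict, List, Tuple

MIN_SECRET_OCTETS = 16  # RFC 2865: "preferred that the secret be at least 16 octets"

SAMPLE_CLIENTS_CONF = """\
# constructed sample, not a real deployment
client AP01 {
    secret = a9RPAeVG
    ipaddr = 192.0.2.101
}
client AP02 {
    ipaddr = 192.0.2.102
    secret = a9RPAeVG          # same secret as AP01
    limit {
        max_connections = 16   # nested sub-section, skipped by the parser
    }
}
client AP03 {
    ipaddr = 192.0.2.103
    secret = "4fQz8pLm2Vx7Kd1RbT6yHs9WnE3c"
    nas_type = other
}
client AP04 {
    ipaddr = 192.0.2.104
}
"""

_CLIENT_OPEN = re.compile(r"^client\s+(\S+)\s*\{$")


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Return {shortname: {key: value}} for every top-level client stanza.

    Comments are stripped, quoted values unquoted, and nested sub-sections
    such as limit { ... } are skipped instead of being read as client settings.
    Secrets containing '#' must be quoted, as FreeRADIUS itself requires.
    """
    clients: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _CLIENT_OPEN.match(line)
        if match and depth == 0:
            current, depth = match.group(1), 1
            clients[current] = {}
        elif current is None:
            continue
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            clients[current][key] = value.strip('"')
    return clients


def audit_clients(text: str) -> List[Tuple[str, str]]:
    """Return sorted (shortname, finding) pairs; an empty list means no findings."""
    clients = parse_clients(text)
    findings: List[Tuple[str, str]] = []
    users_of_secret: Dict[str, List[str]] = {}
    for name, settings in clients.items():
        secret = settings.get("secret")
        if not secret:
            findings.append((name, "no shared secret configured"))
            continue
        if len(secret.encode("utf-8")) < MIN_SECRET_OCTETS:
            findings.append((name, f"shared secret shorter than {MIN_SECRET_OCTETS} octets ({len(secret)})"))
        users_of_secret.setdefault(secret, []).append(name)
    for names in users_of_secret.values():
        if len(names) > 1:  # one compromised access point would expose the others
            for name in names:
                others = ", ".join(sorted(n for n in names if n != name))
                findings.append((name, f"shared secret reused by {others}"))
    return sorted(findings)


def new_shared_secret(nbytes: int = 24) -> str:
    """Random URL-safe secret (32 characters for 24 bytes), an alternative to makepasswd."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for name, finding in audit_clients(SAMPLE_CLIENTS_CONF):
        print(f"{name}: {finding}")
    print("replacement secret:", new_shared_secret())
```

Run it against the real files with `python3 audit.py < /etc/freeradius/3.0/clients.conf` after swapping the constructed sample for `sys.stdin.read()`; clients.univention.conf is generated by the listener, so fix a finding there on the computer object in UMC rather than in the file.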
11.6.2.5. Access point and client configuration
The access points must then be configured to use 802.1X (“WPA Enterprise”) authentication, with the RADIUS server address set to the address of the server where the RADIUS app is installed. The password must be set to the secret from the clients.conf entry for that access point.
Wireless clients have to be configured to use WPA with PEAP and MSCHAPv2 for authentication. The clients should also be configured to validate the RADIUS server's certificate: a PEAP client that skips this check will run its MSCHAPv2 exchange against any access point that announces the same SSID.
11.6.2.6. VLAN IDs
Virtual Local Area Networks (VLANs) can be used to separate the traffic of users at the network level. UCS can be configured to return a VLAN ID in the RADIUS response of the authentication process according to RFC 3580 / IEEE 802.1X. You find further information in Configure VLAN.
The VLAN ID for a user can be configured by assigning the user to a group with a VLAN ID.

Fig. 11.8 Assigning VLAN ID to a user group
A default VLAN ID can be configured in the Univention Configuration Registry Variable freeradius/vlan-id. This default VLAN ID is returned if the user is not a member of a group with a VLAN ID. The RADIUS response contains no VLAN ID if the user is not a member of a group with a VLAN ID and no default VLAN ID is defined.
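The following is an added example, not code from the UCS RADIUS app, that models the VLAN rule described above and shows what the resulting RFC 3580 reply looks like: a VLAN ID set on one of the user's groups is returned, otherwise the default from freeradius/vlan-id, otherwise the Access-Accept carries no VLAN attributes. The attribute layout follows RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81, each with a one-octet tag) with the values RFC 3580 assigns (VLAN = 13, IEEE-802 = 6). The page does not say which group wins when several of a user's groups carry different VLAN IDs; the example treats that as a configuration error, which is an assumption. The Group class and the group DNs are constructed.

```python
"""Resolve a user's VLAN ID and build the RFC 3580 reply attributes.

Added example for the UCS manual's RADIUS section; not the app's own code.
Rule as the page states it: group VLAN ID, else freeradius/vlan-id default,
else no VLAN attributes. Conflicting group VLAN IDs raise AmbiguousVlan
(assumption: the page defines no precedence). Group data is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# RFC 2868 attribute types and the RFC 3580 values for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


@dataclass(frozen=True)
class Group:
    dn: str
    vlan_id: Optional[int] = None  # VLAN ID configured on the group, if any


class AmbiguousVlan(ValueError):
    """The user's groups carry different VLAN IDs (no precedence defined on the page)."""


def resolve_vlan_id(groups: Iterable[Group], default_vlan_id: Optional[int] = None) -> Optional[int]:
    """Return the VLAN ID to send, or None when the reply must carry no VLAN."""
    ids = {g.vlan_id for g in groups if g.vlan_id is not None}
    if len(ids) > 1:
        raise AmbiguousVlan(f"groups carry different VLAN IDs: {sorted(ids)}")
    return ids.pop() if ids else default_vlan_id


def vlan_reply_attributes(vlan_id: Optional[int]) -> Dict[str, str]:
    """Reply attributes in FreeRADIUS syntax; empty when no VLAN ID applies."""
    if vlan_id is None:
        return {}
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}


def encode_vlan_avps(vlan_id: int, tag: int = 1) -> bytes:
    """Wire form (type, length, tag, value) of the three AVPs in the Access-Accept."""
    if not vlan_reply_attributes(vlan_id):
        raise ValueError("no VLAN ID to encode")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0x00 (unused) or 0x01..0x1F")

    def avp(attr_type: int, payload: bytes) -> bytes:
        return struct.pack("!BB", attr_type, 2 + len(payload)) + payload

    def tagged_int(value: int) -> bytes:  # tagged integers carry a 3-octet value
        return bytes([tag]) + value.to_bytes(3, "big")

    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


if __name__ == "__main__":
    groups = [Group("cn=Domain Users,cn=groups,dc=ucs,dc=example"),
              Group("cn=Staff WiFi,cn=groups,dc=ucs,dc=example", vlan_id=20)]
    vid = resolve_vlan_id(groups, default_vlan_id=99)  # 20 from the group; default 99 unused
    print(vlan_reply_attributes(vid))
    print(encode_vlan_avps(vid).hex())
    print(vlan_reply_attributes(resolve_vlan_id(groups[:1])))  # {}: no group VLAN, no default
```

The hex output is what the three attributes look like in a packet capture of the Access-Accept, which is the quickest way to confirm on the switch side that UCS actually returned the VLAN.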
11.6.3. Debugging
The RADIUS app has a log file under /var/log/univention/radius_ntlm_auth.log. The log verbosity can be controlled via the Univention Configuration Registry Variable freeradius/auth/helper/ntlm/debug. The FreeRADIUS server uses the log file /var/log/freeradius/radius.log.
The tool univention-radius-check-access can be used to evaluate the current access policy for a given user and/or station ID (MAC address). It must be executed as root on the server where univention-radius is installed:
root@primary211:~# univention-radius-check-access --username=stefan
DENY 'uid=stefan,cn=users,dc=ucs,dc=example'
'uid=stefan,cn=users,dc=ucs,dc=example'
-> DENY 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> -> DENY 'cn=Users,cn=Builtin,dc=ucs,dc=example'
-> -> 'cn=Users,cn=Builtin,dc=ucs,dc=example'
Thus access is DENIED.
root@primary211:~# univention-radius-check-access --username=janek
DENY 'uid=janek,cn=users,dc=ucs,dc=example'
'uid=janek,cn=users,dc=ucs,dc=example'
-> DENY 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> ALLOW 'cn=Network Access,cn=groups,dc=ucs,dc=example'
-> 'cn=Domain Users,cn=groups,dc=ucs,dc=example'
-> -> DENY 'cn=Users,cn=Builtin,dc=ucs,dc=example'
-> -> 'cn=Users,cn=Builtin,dc=ucs,dc=example'
-> 'cn=Network Access,cn=groups,dc=ucs,dc=example'
Thus access is ALLOWED.
root@primary211:~#
It prints a detailed explanation and sets the exit code depending on the result of the access check (0 for access granted, 1 for access denied).
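The decision that the tool above explains, and that the sections on allowed users and MAC filtering describe, is modelled in the following added example. It is not the code of univention-radius-check-access or of the RADIUS app; it implements the rule as the page states it: a user is granted access if the network-access flag is set on the user or on any group the user belongs to, nested groups included, and with radius/mac/whitelisting set to true the connecting device is looked up by macAddress and its computer object must be granted access in the same way. The exit codes follow the tool (0 granted, 1 denied). The LdapObject and Directory classes and the directory content are constructed; the DNs mirror the example output above.

```python
"""Model of the access decision that univention-radius-check-access explains.

Added example for the UCS manual's RADIUS section; NOT the tool's own code.
Rule per the page: ALLOW if the network-access flag is set on the user or on
any (nested) group; with radius/mac/whitelisting=true the device found via
macAddress must be allowed the same way. Directory content is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LdapObject:
    """User, group or computer object; member_of holds the DNs of its groups."""
    dn: str
    network_access: bool = False
    member_of: List[str] = field(default_factory=list)


@dataclass
class Directory:
    objects: Dict[str, LdapObject]
    mac_index: Dict[str, str] = field(default_factory=dict)  # macAddress -> computer DN


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate(directory: Directory, dn: str, depth: int = 0, seen=None) -> Tuple[bool, List[str]]:
    """Walk the membership tree; one ALLOW anywhere in it grants access."""
    seen = set() if seen is None else seen
    obj = directory.objects[dn]
    allowed, prefix = obj.network_access, "-> " * depth
    lines = [f"{prefix}{'ALLOW' if allowed else 'DENY'} '{dn}'"]
    for group_dn in obj.member_of:
        if group_dn in seen:  # nested-group cycle or diamond: evaluate each group once
            lines.append(f"{prefix}-> (already evaluated) '{group_dn}'")
            continue
        seen.add(group_dn)
        sub_allowed, sub_lines = evaluate(directory, group_dn, depth + 1, seen)
        allowed, lines = allowed or sub_allowed, lines + sub_lines
    return allowed, lines


def check_access(directory: Directory, username: Optional[str] = None, mac: Optional[str] = None,
                 mac_whitelisting: bool = False) -> Tuple[int, List[str]]:
    """Return (exit code, explanation): 0 for access granted, 1 for denied, like the tool."""
    if username is None and mac is None:
        raise ValueError("give a username and/or a station ID")
    allowed, lines = True, []
    if username is not None:
        user_dn = next((dn for dn in directory.objects if dn.startswith(f"uid={username},")), None)
        if user_dn is None:
            return 1, [f"DENY unknown user '{username}'", "Thus access is DENIED."]
        ok, sub = evaluate(directory, user_dn)
        allowed, lines = allowed and ok, lines + sub
    if mac is not None and not mac_whitelisting:
        lines.append(f"station {mac} not checked (radius/mac/whitelisting is not true)")
    elif mac is not None:
        computer_dn = directory.mac_index.get(normalize_mac(mac))
        if computer_dn is None:  # unknown device: denied even for an allowed user
            allowed, lines = False, lines + [f"DENY station {mac}: no computer object with this macAddress"]
        else:
            ok, sub = evaluate(directory, computer_dn)
            allowed, lines = allowed and ok, lines + sub
    lines.append(f"Thus access is {'ALLOWED' if allowed else 'DENIED'}.")
    return (0 if allowed else 1), lines


# Constructed directory mirroring the DNs in the manual's example output.
BASE = "dc=ucs,dc=example"
G_BUILTIN, G_DOMAIN = f"cn=Users,cn=Builtin,{BASE}", f"cn=Domain Users,cn=groups,{BASE}"
G_NETACC, G_WIFI = f"cn=Network Access,cn=groups,{BASE}", f"cn=WiFi Devices,cn=groups,{BASE}"
C_LAPTOP01, C_LAPTOP02 = f"cn=laptop01,cn=computers,{BASE}", f"cn=laptop02,cn=computers,{BASE}"
DIRECTORY = Directory(
    objects={o.dn: o for o in [
        LdapObject(G_BUILTIN),
        LdapObject(G_DOMAIN, member_of=[G_BUILTIN]),  # Domain Users is nested in Builtin Users
        LdapObject(G_NETACC, network_access=True),
        LdapObject(G_WIFI, network_access=True),
        LdapObject(f"uid=stefan,cn=users,{BASE}", member_of=[G_DOMAIN]),
        LdapObject(f"uid=janek,cn=users,{BASE}", member_of=[G_DOMAIN, G_NETACC]),
        LdapObject(C_LAPTOP01, member_of=[G_WIFI]),
        LdapObject(C_LAPTOP02),
    ]},
    mac_index={"00:11:22:33:44:55": C_LAPTOP01, "00:11:22:33:44:66": C_LAPTOP02},
)

if __name__ == "__main__":
    for user, mac in [("stefan", None), ("janek", None), ("janek", "00-11-22-33-44-66")]:
        code, explanation = check_access(DIRECTORY, user, mac, mac_whitelisting=True)
        print(f"user={user} station={mac}", "\n".join(explanation), f"(exit {code})\n", sep="\n")
```

The third run shows the case that surprises people after enabling MAC filtering: janek is allowed through the Network Access group, yet the request is denied because laptop02 has no network access granted on its computer object or any of its groups.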