RADIUS (Remote Authentication Dial-In User Service) is a central component of UCS and enables you to control access to WLAN networks for users, groups, and devices. In January we published a blog post with a short introduction to RADIUS, and in this article I’m going to explain how to set up RADIUS for your UCS domain. This article also covers the new features in UCS 4.4.
What is RADIUS?
RADIUS handles the authentication of users, their authorization after logging in (i.e. which data or services they may access), and accounting, i.e. logging of the sessions. The advantage of this solution is that the users’ credentials (their domain passwords) are stored and managed in one central location, the directory service, so no shared WLAN key has to be handed out to every device. RADIUS thus enhances security for your networks and is a good idea when you’re planning a BYOD (Bring Your Own Device) environment, for example in companies or schools.
It’s easy to install RADIUS via the Univention App Center. In order to connect WLAN clients (such as laptops, smartphones, or tablets), the corresponding access point (AP) must support the IEEE 802.1X standard, i.e. WPA Enterprise. Store the RADIUS server’s address and shared secret in the AP configuration, and users can then connect with the same usernames and passwords they use in the UCS domain.
New Features for RADIUS in UCS 4.4
UCS 4.3 (and previous versions) included the univention-radius package. After installing it, for example via the App Center, you had to adjust the configuration on the command line. The new version in UCS 4.4 makes things a lot easier: we’ve added a standard configuration for the RADIUS server, and it can be customized via the graphical Univention Management Console (UMC).
In UCS@school 4.3 (and previous versions) you had to install an additional RADIUS package (ucs-school-radius-802.1x) that provided you with the necessary configuration snippets for schools. We’ve included this functionality in the univention-radius package, and the UCS@school package for 4.4 has been revised. It now includes an add-on for the RADIUS app (proxy setup) and depends on the univention-radius package.
For more information, please have a look at the release notes for UCS 4.4 and UCS@school 4.4.
Migrating UCS 4.3 to UCS 4.4
During the upgrade from UCS 4.3 to version 4.4, existing configuration files are not migrated automatically. An existing clients.conf file (AP configuration) is neither overwritten nor deleted. Configuring RADIUS via the Univention Management Console of UCS 4.4 writes a separate file, clients.univention.conf. Choose one method, UMC or command line, and stick with it; otherwise an access point may end up defined in both files.
Configuring RADIUS via the UMC
After installing RADIUS in the Univention App Center, the FreeRADIUS software is good to go. Next, you need to configure WLAN access for users or groups. Open the configuration of a user object, click on the RADIUS tab on the left, and enable the checkbox “Allow network access”. This checkbox also exists in the configuration dialog for groups, so that all members automatically have access to the WLAN.
All Access Points must be known to the RADIUS server. In the Univention Management Console create a new computer object for each AP, select Options from the menu, and activate the checkbox RADIUS Authenticator. Click RADIUS on the left side and enter the IP address and the Shared secret.
All APs configured through the UMC are known to all RADIUS servers of the domain. After you click Save, the Univention Directory Listener writes the file /etc/freeradius/3.0/clients.univention.conf and restarts the RADIUS server (after about 15 seconds). Newly added access points can use the RADIUS server once it has restarted.
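As an added example (not part of the original article or of the univention-radius package), here is a small Python audit that parses both clients files in the FreeRADIUS client stanza format and flags the problems the text warns about: an access point defined in both files (UMC and command line mixed), short shared secrets, the same secret reused by several APs, and a client without an address restriction. The file contents, AP names, addresses and secrets are constructed for the example; the 16-character minimum is an assumed policy value, not a UCS default, and only the ipaddr key is inspected.

```python
"""Audit FreeRADIUS client (access point) definitions on a UCS RADIUS server.

Added example: checks the UMC-generated clients.univention.conf against a
hand-maintained clients.conf for the problems the article warns about.
"""
import re
from collections import defaultdict

# Constructed sample of the UMC-generated file (names, addresses, secrets made up).
CLIENTS_UNIVENTION_CONF = """
client ap-library {
    ipaddr = 192.0.2.10
    secret = Kj8!pQ2mZr7$wLx4nB
}
client ap-staffroom {
    ipaddr = 192.0.2.11
    secret = changeme
}
"""

# Constructed sample of a clients.conf left over from a UCS 4.3 command-line setup.
CLIENTS_CONF = """
client ap-library {
    ipaddr = 192.0.2.10
    secret = Kj8!pQ2mZr7$wLx4nB
}
client ap-gym {
    ipaddr = 192.0.2.12
    secret = changeme
}
"""

# One FreeRADIUS client stanza: client NAME { key = value ... }
STANZA_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_clients(text):
    """Return {client_name: {key: value}} for every client stanza in text."""
    return {m.group(1): dict(KV_RE.findall(m.group(2))) for m in STANZA_RE.finditer(text)}


def audit_clients(umc_text, manual_text, min_secret_len=16):
    """Return a list of (severity, message) findings across both files.

    min_secret_len is an assumed policy value, not a UCS default.
    """
    findings = []
    umc = parse_clients(umc_text)
    manual = parse_clients(manual_text)

    # Mixed methods: the same AP (by name or address) defined in both files.
    manual_ips = {c["ipaddr"] for c in manual.values() if "ipaddr" in c}
    for name, c in umc.items():
        if name in manual or c.get("ipaddr") in manual_ips:
            findings.append(("error", f"{name}: defined in both clients.univention.conf and clients.conf"))

    # Weak or reused shared secrets, and clients without an address restriction.
    aps_by_secret = defaultdict(set)
    for clients in (umc, manual):
        for name, c in clients.items():
            secret = c.get("secret", "")
            aps_by_secret[secret].add(name)
            if len(secret) < min_secret_len:
                findings.append(("warning", f"{name}: shared secret shorter than {min_secret_len} characters"))
            if "ipaddr" not in c:
                findings.append(("error", f"{name}: no ipaddr, the secret alone identifies this client"))
    for names in aps_by_secret.values():
        if len(names) > 1:
            findings.append(("warning", f"same shared secret reused by: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_clients(CLIENTS_UNIVENTION_CONF, CLIENTS_CONF):
        print(f"{severity}: {message}")
```

On a real server you would read the two files from /etc/freeradius/3.0/ instead of the constructed strings; the same AP appearing in both is the "mixed methods" situation the migration section warns about, and the secret reuse check matters because one compromised access point would otherwise be able to impersonate the others.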
Troubleshooting the RADIUS Server
UCS 4.4 includes improved troubleshooting features. The command-line tool univention-radius-check-access checks the current access rules for users and MAC addresses. Run it as user root in a terminal on your UCS server.
The NTLM authentication helper of the RADIUS server logs to /var/log/univention/radius_ntlm_auth.log; the Univention Configuration Registry variable freeradius/auth/helper/ntlm/debug determines how detailed its messages are. The FreeRADIUS server itself logs to /var/log/freeradius/radius.log. For more information, please refer to the UCS manual.
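To get more out of radius.log than debugging a single request, here is an added example (not from the article or from the UCS packages) that parses the Auth: lines FreeRADIUS 3 writes when authentication logging is enabled (auth = yes in the log section of radiusd.conf) and summarises failed 802.1X logins per username and per client MAC address (the cli field), so password guessing from one station stands out from a user who mistyped once. The log lines, users, AP names and MAC addresses are constructed in the shape of FreeRADIUS 3 auth lines, and the alert thresholds are assumptions to tune for your site.

```python
"""Summarise failed 802.1X logins from the FreeRADIUS radius.log.

Added example: parses the 'Auth:' lines FreeRADIUS 3 writes when
authentication logging is enabled and reports failures per user and per
client MAC address (the 'cli' field).
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of FreeRADIUS 3 auth log lines; users, AP
# names and MAC addresses are made up for this example.
SAMPLE_LOG = """\
Tue Mar  5 10:11:12 2019 : Auth: (3) Login OK: [alice/<via Auth-Type = eap>] (from client ap-library port 0 cli 00-11-22-33-44-55)
Tue Mar  5 10:11:20 2019 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob/<via Auth-Type = eap>] (from client ap-library port 0 cli 00-11-22-33-44-66)
Tue Mar  5 10:11:21 2019 : Auth: (5) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob/<via Auth-Type = eap>] (from client ap-library port 0 cli 00-11-22-33-44-66)
Tue Mar  5 10:11:23 2019 : Auth: (6) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol/<via Auth-Type = eap>] (from client ap-library port 0 cli 00-11-22-33-44-66)
Tue Mar  5 10:11:25 2019 : Auth: (7) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [dave/<via Auth-Type = eap>] (from client ap-library port 0 cli 00-11-22-33-44-66)
Tue Mar  5 10:12:02 2019 : Auth: (8) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [erin/<via Auth-Type = eap>] (from client ap-staffroom port 0 cli 00-11-22-33-44-77)
Tue Mar  5 10:12:40 2019 : Auth: (9) Login OK: [erin/<via Auth-Type = eap>] (from client ap-staffroom port 0 cli 00-11-22-33-44-77)
Tue Mar  5 10:13:00 2019 : Info: Ready to process requests
"""

# Timestamp, request number, result, optional reason, user, client name and station MAC.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^/\]]+)[^\]]*\] \(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:-]+)\)$"
)


def parse_auth_lines(text):
    """Return one dict per Auth: line; other log lines (Info, Error, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            event = m.groupdict()
            event["ok"] = event.pop("result") == "OK"
            events.append(event)
    return events


def failed_login_report(text, mac_threshold=3, spray_threshold=3):
    """Count failures per MAC and per user and raise alerts on the (assumed) thresholds.

    mac_threshold: failed logins from one station before it is reported.
    spray_threshold: distinct usernames failing from one station before it is reported.
    """
    events = parse_auth_lines(text)
    failures = [e for e in events if not e["ok"]]
    per_mac = Counter(e["mac"] for e in failures)
    per_user = Counter(e["user"] for e in failures)
    users_per_mac = defaultdict(set)
    for e in failures:
        users_per_mac[e["mac"]].add(e["user"])

    alerts = []
    for mac, count in per_mac.items():
        if count >= mac_threshold:
            alerts.append(f"{mac}: {count} failed logins")
        if len(users_per_mac[mac]) >= spray_threshold:
            alerts.append(f"{mac}: {len(users_per_mac[mac])} different usernames failed")
    return {
        "parsed": len(events),
        "failures": len(failures),
        "per_mac": dict(per_mac),
        "per_user": dict(per_user),
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = failed_login_report(SAMPLE_LOG)
    print(f"{report['failures']} failures in {report['parsed']} auth events")
    for alert in report["alerts"]:
        print("ALERT", alert)
```

On the sample, the station 00-11-22-33-44-66 trips both alerts (four failures, three different usernames), while erin's single failure followed by a successful login from the same station is the normal mistyped-password pattern. Feed the real file with `failed_login_report(open("/var/log/freeradius/radius.log").read())`; for MSCHAPv2 failures the reason behind them is in the NTLM helper log mentioned above.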