![]() ![]() ![]() ![]() The freeRADIUS deployment with docker provides a quick and robust way to deploy a radius server with capabilities to authenticate Azure AD joined devices. View Radius logs: tail opt/var/log/radius/radius.log.Connect into container: docker exec -it aad-freeradius-8021x-radius-1 bin/bash.This prints all client connection requests and server activity to the console.ĭuring testing and for troubleshooting during the operation it can be helpful to connect into the docker container to view the logs: To test the radius functionality you can also extend your docker-compose file to launch the freeRADIUS server in foreground mode by adding: Create a DNS record that points to the docker host (A or CNAME): and also the configured server name of the Wi-Fi profile.Deployed the Wi-Fi profile for my previously created lab SSID/Network.For the ADCS based deployment the root and issuing CA certificates need to be deployed anyway to allow issuance of certificates for SCEP clients.I distributed the self-signed certificate of the RADIUS server via Intune as trusted certificate.Created a lab network and corresponding Wi-Fi SSID with WP2 Enterprise authentication.On my unifi router I added a new RADIUS Profile (I also added the accounting parts, this is not necessary, though): # the certificate, the URL can be defined here.īecause the github repos contains a docker-compose and Dockerfile we can automatically build the image (basically just copying config) and sping up a container - that’s awesome, isn’t it?Ĭreating a Wi-Fi network with 802.1x authentication # # If the OCSP Responder address is not extracted from Link to GitHub Repo (nicolonsky/AAD-FreeRadius-802.1x) Issue self-signed certificate #Ī self signed certificate can be issued with: You can find all mentioned configuration files as a GitHub template to easily deploy the solution: Get a certificate (clients will validate the server certificate during EAP-TLS)įortunately freeRADIUS is providing official docker images, therefore only custom configurations need to be copied into the image before starting a container and providing a port mapping to forward traffic from the docker host into the freeRADIUS container.The required freeRADIUS server configuration is actually quite simple and only consists of the following high level tasks: The complete architecture with SCEPman looks like this for my environment: I actually did the deployment of this solution twice, once with my on-premises CA based on ADCS with NDES server for my lab and another based on SCEPman cloud CA where I run the free community edition (see Azure Marketplace offer). Approach #īecause I very like the idea of docker being able to separate configurations from the actual runtime environment I decided that I want to approach the freeRADIUS deployment with docker which allows me to basically deploy the solution anywhere (raspberry pi, developer workstation, Azure container instance, remote linux server). on a raspberry pi) and also to PaaS offerings like Azure. freeRADIUS supports EAP-TLS for 802.1x authentication out of the box and is well documented.Īdditionally, I was looking for a solution that can be deployed to both locallly in my network (e.g. Important is, that the solution supports certificate revocation checks either via CRLs or OCSP to ensure network access is blocked when a client certificate is revoked.įor my home and lab setup I wanted to leverage a free or open source solution and decided to use freeRADIUS, probably the most popular open source radius server. Well known commercial Network Access Control (NAC) solutions like CISCO ISE or Aruba Clearpass often ship with an integrated RADIUS server and the possibility to configure wheter LDAP lookups for computer accounts should happen. Furthermore you should be familiar with docker, network topics, dns and Intune. This post describes my setup and does not cover prerequisites like certification authority, certificate revocation and client certificate deployment via SCEP. For my home setup and lab I wanted to build a radius solution to enable 802.1x authentication on my Wi-Fi network. NPS always checks for the existence of a corresponding computer object in AD. A common pitfall in environments where Windows server is used for radius authentication is that Microsoft network policy server (NPS) does currently not support device based authentication for Azure AD joined devices.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |