FreeRADIUS Guidance

Alan DeKok alan.dekok at inkbridge.io
Mon Jul 6 21:47:41 UTC 2026


On Jul 6, 2026, at 4:49 PM, Phillip Morley via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We are looking for FreeRADIUS to work in conjunction with trusted and signed SSL/TLS certificates, so that when users connect to wireless on a Ubiquiti platform, they are NOT prompted to accept or "trust" the RADIUS server's certificate. That's the end goal......

  Android, Microsoft, and Apple disagree with this goal.

  As a result, what you want doesn't work.

> I need to better understand how to specify a wide range or a list of "client" IP addresses, which will be the Ubiquiti access points, in the FreeRADIUS configuration. Right now, I have 1 AP defined as our test AP.

  See the clients.conf file.  This is all documented.

> Right now, after putting SSL/TLS certificates on the RADIUS server, I cannot get the "server" to answer or process any requests for user authentication external to the server. I have disabled firewalld and rebooted. We are working with FQDNs as well and not sure if this has anything to do with this.....

  Is the AP sending packets to the server?  You can check with tcpdump or wireshark.

> In terms of the user file, this is great for very small environments, however this one is going to be several hundred user accounts, and where a VLAN ID needs to be specified along with their user account entry, so when they connect, they get placed on the VLAN they are supposed to by the RADIUS authentication request. For this level of credential storage, is there a standard MySQL DB that is canned and can be put up as the mechanism to store user credentials? A software developer in this environment can and I think we should have him develop a custom web page/portal for non-technical users to add/remove user credentials. What is the best recommended set of tools and stuff for this need?

  MySQL is fine.  You can use AI to create a simple UI for exactly what you want.

> Finally, we want to store user credentials in a secure fashion. I am reading there is a way to encrypt them on the server and in transit but requires some configuration and such. What are the components of getting this done, and then also storing them in whatever medium needed to address the immediately preceding question I made above about a database for them?

  It depends.  If the end user devices are using PEAP/MS-CHAP, then you have to store the passwords in the DB in clear-text.  Or, reconfigure the end user devices to use TTLS+PAP.

  If the end user devices are all using TTLS+PAP, then you can store the passwords in the DB in crypt'd form.

> Legal Disclaimer:

  That's meaningless.

  Alan DeKok.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20260706/1db0c325/attachment.sig>


More information about the Freeradius-Users mailing list