Configuring FreeRADIUS for eduroam-US

FreeRADIUS is a robust open-source RADIUS server which runs on a variety of platforms.  The following assumes you have a compatible system with all necessary dependencies, have procured, compiled, and installed the application on your system, and have at least glanced at the configuration files in the raddb directory in the installation path.  For further help with those steps, please see the Installation section of the Other Resources section at the bottom of this document.

There are four files that define the majority of the customization required to configure your system:  eap.conf, proxy.conf, clients.conf, and sites-enabled/inner-tunnel.  In addition, if you plan on using MS-CHAPv2 (for Active Directory integration) you will need to edit modules/mschap.

Note: Before getting started, please be aware that unless you have extensive experience with FreeRADIUS, it is often easier to start with a default FreeRADIUS installation and build up to a working eduroam configuration.  It may be easiest to stand up an experimental server for eduroam and, once it is working with your 802.1X infrastructure, port the changes to your production FreeRADIUS instance.

In eap.conf (ActiveDirectory, Kerberos) you must set up the EAP methods (TTLS, PEAP, or both) that you plan on supporting at your institution.  In your eap configuration block, specify which EAP outer methods you plan on supporting (TTLS and/or PEAP) with the default_eap_type directive.  The TLS configuration is required to define the certificate presented to your users when they create their encrypted tunnel back to the eduroam RADIUS server. For testing it is easiest to simply use the certificates shipped with FreeRADIUS (since the certificate configuration is often the hardest part of this process), so during testing you can leave the tls configuration block as it is.

proxy.conf (ActiveDirectory, Kerberos) needs to define the various RADIUS proxies used to route users by realm.

You must also configure your clients.conf to match the and define clients for each server defined in proxy.conf.
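A pre-deployment check for the proxy.conf and clients.conf relationship described above, given as an added example that is not part of the original page or of FreeRADIUS. It assumes FreeRADIUS 2.x block syntax and matches servers to clients by ipaddr; the function names, server names, addresses, and secrets are constructed placeholders.

```python
import re
# Constructed FreeRADIUS 2.x samples; names, addresses and secrets are placeholders.
PROXY_CONF = """
home_server upstream1 {
    type = auth+acct
    ipaddr = 192.0.2.10
    port = 1812
    secret = PLACEHOLDER_SECRET
}
home_server upstream2 {
    type = auth+acct
    ipaddr = 192.0.2.20   # no client block below
    port = 1812
    secret = PLACEHOLDER_SECRET
}
home_server_pool eduroam_pool {
    type = fail-over
    home_server = upstream1
    home_server = upstream2
}
realm DEFAULT {
    auth_pool = eduroam_pool
    nostrip
}
"""
CLIENTS_CONF = """
client upstream1 {
    ipaddr = 192.0.2.10
    secret = PLACEHOLDER_SECRET
}
"""
BLOCK = re.compile(r"^\s*(\w+)\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)

def blocks(text, kind):
    """Return {name: {key: value}} for each top-level `kind name { ... }` block."""
    out = {}
    for k, name, body in BLOCK.findall(text):
        if k == kind:
            body = re.sub(r"#.*", "", body)  # drop trailing comments
            out[name] = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
    return out

def missing_clients(proxy_text, clients_text):
    """Names of home_servers whose ipaddr has no client block in clients.conf."""
    client_ips = {c.get("ipaddr") for c in blocks(clients_text, "client").values()}
    return sorted(name for name, hs in blocks(proxy_text, "home_server").items()
                  if hs.get("ipaddr") not in client_ips)

if __name__ == "__main__":
    print(missing_clients(PROXY_CONF, CLIENTS_CONF))
```

Run against your own files by reading raddb/proxy.conf and raddb/clients.conf into the two arguments; an empty list means every home_server address has a client entry.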

Other Resources: