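  # FreeRADIUS on a FreeIPA-enrolled host: service principal + keytab for
# SASL/GSSAPI LDAP binds, systemd drop-in, and an IPA-issued TLS pair for EAP.
#
# Assumptions:
#   - HOSTNAME is already enrolled in the IPA realm and this runs on HOSTNAME
#     (the host where the RADIUS server is deployed), as root.
#   - FreeIPA 4.6+: the host principal may create its own services, so
#     `kinit -k` with the host keytab is enough for `ipa service-add`.
# Two steps are FreeRADIUS config edits, not shell; they are left as
# commented "Manual step" blocks below.
set -euo pipefail

# ---- placeholders: replace before running -------------------------------
readonly HOST='HOSTNAME'                          # FQDN of this RADIUS host
readonly RADIUS_KEYTAB=/etc/raddb/radius.keytab
readonly TLS_KEY=/etc/pki/tls/private/radius.key
readonly TLS_CERT=/etc/pki/tls/certs/radius.pem
readonly SERVICE="radius/${HOST}"

# Authenticate as the host principal (host keytab) and register the service.
kinit -k
ipa service-add "$SERVICE"

# Dedicated keytab for the service principal. It is a long-term secret:
# root-owned, readable by the radiusd group only, never world-readable.
ipa-getkeytab -p "$SERVICE" -k "$RADIUS_KEYTAB"
chown root:radiusd "$RADIUS_KEYTAB"
chmod 640 "$RADIUS_KEYTAB"

# Manual step: test the daemon in the foreground with the new keytab.
# It blocks until Ctrl-C (which would also end this script), so run it by hand:
#   KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X

# Make the systemd unit hand the keytab to radiusd so the ldap module can
# bind with SASL/GSSAPI. The leading '-' tells systemd to ignore a failing
# kdestroy (e.g. no cache yet). The heredoc is unquoted on purpose so that
# ${RADIUS_KEYTAB} expands; the drop-in contains no other '$'.
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf <<EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=${RADIUS_KEYTAB}
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload

# Manual step: edit /etc/raddb/mods-enabled/ldap (FreeRADIUS config):
#   ldap server = 'LDAP HOSTNAME'
#   ldap base_dn = 'cn=accounts,dc=example,dc=org'
#   ldap sasl mech = 'GSSAPI'
#   ldap sasl realm = 'YOUR REALM'
#   ldap update control:NT-Password := 'ipaNTHash'
# NOTE(review): the last line pulls password-equivalent NT hashes into the
# request, so the service principal presumably needs read access to
# ipaNTHash in IPA — confirm; the keytab permissions above are what protect it.

# Request a TLS certificate from the IPA CA for EAP. The stock FreeRADIUS
# test certs are moved aside rather than deleted.
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# openssl takes options before the size; '2048 -out ...' relies on lenient parsing.
openssl dhparam -out /etc/raddb/certs/dh 2048
# -w waits for issuance; -C runs on (re)issue so renewals are picked up.
ipa-getcert request -w -k "$TLS_KEY" -f "$TLS_CERT" -T caIPAserviceCert \
  -C 'systemctl restart radiusd.service' -N "$HOST" -D "$HOST" -K "$SERVICE"

# Manual step: edit /etc/raddb/mods-enabled/eap so tls-common uses the
# IPA-issued pair and trusts the IPA CA:
#   tls-config tls-common {
#     private_key_file = /etc/pki/tls/private/radius.key
#     certificate_file = /etc/pki/tls/certs/radius.pem
#     ca_file = /etc/ipa/ca.crt
#   }

# Make the files readable for radiusd: the certificate is public; the private
# key is root-owned and group-readable only (same model as the keytab).
# NOTE(review): confirm certmonger keeps these modes when it rewrites the
# files on renewal, or have it set owner/mode itself — TODO verify.
chmod 644 "$TLS_CERT"
chown root:radiusd "$TLS_KEY"
chmod 640 "$TLS_KEY"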