@ei-grad
Last active January 12, 2024 22:18
FreeRadius configuration for WiFi WPA2/3 Enterprise EAP TLS
# Minimal FreeRADIUS radiusd.conf for WPA2/WPA3-Enterprise with EAP-TLS only
# (client certificates are mandatory, see require_client_cert below).
# Indentation was lost in the gist rendering; the brace structure is what matters.
name = radiusd
prefix = ""
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
# debug_level 2 is fairly verbose for a production server; NOTE(review): check
# what ends up in radiusd.log (User-Name / cert subjects) before leaving it on.
debug_level = 2
# No proxying: every request is answered locally, nothing is forwarded to a home server.
proxy_requests = no
raddbdir = "/etc/raddb"
certdir = "${raddbdir}/certs"
# ca_path below points at the same directory as the server key/cert.  With a
# ca_path, every CA whose hash-link lives in that directory is trusted for
# client certificates -- keep that directory under change control.
cadir = "${raddbdir}/certs"
log {
file = ${logdir}/radiusd.log
}
# Drop privileges after start-up; the private key and this file (which holds
# private_key_password in cleartext) should be readable by this user only.
security {
user = "radiusd"
group = "radiusd"
}
modules {
eap {
# Only EAP-TLS is configured (no PEAP/TTLS inner methods), so password-based
# EAP is not offered to supplicants.
default_eap_type = tls
tls-config tls-common {
private_key_file = ${certdir}/server.key
# Stored in cleartext in this file -- see the security { } section above.
private_key_password = <CHANGE-TO-something-not-whatever>
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
ca_path = ${cadir}
random_file = /dev/urandom
# Revocation is NOT checked: with check_crl = no and the OCSP block below
# commented out, a revoked client certificate keeps working until it expires.
# Plan for CRL or OCSP before issuing certificates to many devices.
check_crl = no
# Ties the certificate CN to the EAP identity the supplicant sent, so a valid
# certificate cannot be presented under a different User-Name.
check_cert_cn = %{User-Name}
# OpenSSL cipher class; NOTE(review): "HIGH" still includes non-PFS suites,
# consider restricting to ECDHE/DHE suites if all supplicants support them.
cipher_list = "HIGH"
# Mandatory for EAP-TLS: a TLS handshake without a client certificate is rejected.
require_client_cert = yes
# NOTE(review): the meaning of an empty ecdh_curve differs between FreeRADIUS
# releases (disable ECDH vs. OpenSSL defaults) -- confirm against the shipped eap.conf.
ecdh_curve = ""
# Pinned to TLS 1.2 only (both bounds equal).
tls_max_version = "1.2"
tls_min_version = "1.2"
# TODO: write OCSP setup HOWTO
# (the trailing quote on the url line below looks like a typo; fix it when enabling)
#ocsp {
# enable = yes
# override_cert_url = yes
# url = http://127.0.0.1/ocsp/"
#}
}
tls {
tls = "tls-common"
}
}
# Splits User-Name on "@" so the realm part can be matched by realm { } blocks.
realm suffix {
format = suffix
delimiter = "@"
}
}
server default {
listen {
type = auth
# Listens on every interface; restrict with a firewall or a specific ipaddr
# so only the APs listed in client { } blocks can reach it.
ipaddr = *
# 0 selects the default RADIUS authentication port.
port = 0
# TODO: configure RadSec with a valid letsencrypt certificate?
# NOTE(review): require_client_cert = no in a RadSec listener would let any
# TLS client connect; if RadSec is enabled, consider client certs for the APs.
#tls {
# private_key_password = whatever
# private_key_file = ${certdir}/server.key
# certificate_file = ${certdir}/server.pem
# tls_min_version = "1.3"
# tls_max_version = "1.3"
# require_client_cert = no
#}
}
authorize {
suffix
eap
}
authenticate {
eap
}
}
# One client { } block per access point; the shared secret protects the
# RADIUS packets between AP and server and should be long and unique per AP.
client ap1 {
ipaddr = <ip-address-of-ap>
secret = <some-secret>
}
# change example.org to domain from your certs CN
# An empty realm block marks the realm as local (handled here, not proxied).
realm example.org {
}