Setup of Synology RADIUS server for EAP Authentication

This is the eighth and final of a series that documents the Tier 3 / Co-Managed IT work we did to setup a wireless test bed for a Linux based scientific device. The testing environment included two different wireless network hardware types (Ubiquiti and Cisco). There was also a Synology device used for various purposes including hosting the Ubiquiti controller inside a Kubernetes container, providing certificate services, providing LDAP authentication, and providing RADIUS authentication. Each article has detailed a separate piece of the project. This article shows the setup of Synology RADIUS server for EAP authentication via EAP-PEAP, EAP-TLS, and EAP-TTLS.

Setup Synology Radius for EAP-PEAP

Login to Synology IP via SSH
Use admin login credentials
Go to the Radius certificate directory
cd /var/packages/RadiusServer/target/etc/raddb/certs/
Radius must be configured on our certificates:
sudo vi ../mods-enabled/eap
Type i to start insert then paste the following:

    eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        #md5 {
        #}

        #leap {
        #}

        #gtc {
        #   auth_type = PAP
        #}

        tls-config tls-common {
            #private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.crt
            #$INCLUDE /usr/local/synoradius/rad_ca_cert
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            ca_file = ${certdir}/ca.crt
            ca_path = ${certdir}
            #INCLUDE /var/packages/RadiusServer/target/etc/cipher_list
            verify {
            }
        }

        #tls {
        #   tls = tls-common
        #}

        #ttls {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = no
        #   use_tunneled_reply = no
        #   virtual_server = "inner-tunnel"
        #}

        peap {
           tls = tls-common
           default_eap_type = mschapv2
           copy_request_to_tunnel = yes
           use_tunneled_reply = yes
           virtual_server = "inner-tunnel"
        }

        #mschapv2 {
        #}
    }

Hit ESC to end insert then type :wq to exit
The radius service must be restarted in the Synology Package Center (Stop / Run)

Setup Synology Radius for EAP-TLS

Login to Synology IP via SSH
Use admin login credentials
Go to the Radius certificate directory
cd /var/packages/RadiusServer/target/etc/raddb/certs/
Radius must be configured on our certificates:
sudo vi ../mods-enabled/eap
Type i to start insert then paste the following:

       eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        #md5 {
        #}

        #leap {
        #}

        #gtc {
        #   auth_type = PAP
        #}

        tls-config tls-common {
            #private_key_password = whatever
            private_key_file = ${certdir}/server.key.pem
            certificate_file = ${certdir}/server.crt.pem
            #$INCLUDE /usr/local/synoradius/rad_ca_cert
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            ca_file = ${certdir}/ca.crt.pem
            ca_path = ${certdir}
            #INCLUDE /var/packages/RadiusServer/target/etc/cipher_list
            verify {
            }
        }

        tls {
            tls = tls-common
        }

        #ttls {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = no
        #   use_tunneled_reply = no
        #   virtual_server = "inner-tunnel"
        #}

        #peap {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = no
        #   use_tunneled_reply = no
        #   virtual_server = "inner-tunnel"
        #}

        #mschapv2 {
        #}
    }

Hit ESC to end insert then type :wq to exit
The radius service must be restarted in the Synology Package Center (Stop / Run)

Setup Synology Radius for EAP-TTLS

Login to Synology IP via SSH
Use admin login credentials
Go to the Radius certificate directory
cd /var/packages/RadiusServer/target/etc/raddb/certs/
Radius must be configured on our certificates:
sudo vi ../mods-enabled/eap
Type i to start insert then paste the following:

     eap {
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        #md5 {
        #}

        #leap {
        #}

        #gtc {
        #   auth_type = PAP
        #}

        tls-config tls-common {
            #private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.crt
            #$INCLUDE /usr/local/synoradius/rad_ca_cert
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            ca_file = ${certdir}/ca.crt
            ca_path = ${certdir}
            #INCLUDE /var/packages/RadiusServer/target/etc/cipher_list
            verify {
            }
        }

        #tls {
        #    tls = tls-common
        #}

        ttls {
           tls = tls-common
           default_eap_type = mschapv2
           copy_request_to_tunnel = no
           use_tunneled_reply = no
           virtual_server = "inner-tunnel"
        }

        #peap {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = yes
        #   use_tunneled_reply = yes
        #   virtual_server = "inner-tunnel"
        #}

        #mschapv2 {
        #}
    }

Hit ESC to end insert then type :wq to exit
The radius service must be restarted in the Synology Package Center (Stop / Run)

If your company has highly customized setup requirements that you need consulting for, then contact us for assistance.

Posted in : Certificates, Co-Managed IT, Network Security, Networking, RADIUS, Tier 3 IT Support, Wireless

2 thoughts on “Setup of Synology RADIUS server for EAP Authentication”

KatBl 06 Jun 25 at 12:09 am

Thank you for your step by step tutorial. It’s very helpful.
1. Is the simplified GUI of Synology Radius insufficient to properly set up EAP?
2. Which certificate(s) need to be installed in the Synology Radius Server?
3. Which certificate(s) need to be installed in the UniFi Network Controller?
4. And which certificate(s) need to be installed in the end user/supplicant?

Thank you again!

FarmhouseNetworking 06 Jun 25 at 4:33 pm

1. Is the simplified GUI of Synology Radius insufficient to properly set up EAP?
This is a basic setup, if you need more security then you need to import certificates from your AD Certificate Service or Certificate provider.

2. Which certificate(s) need to be installed in the Synology Radius Server?
See above

3. Which certificate(s) need to be installed in the UniFi Network Controller?
None, unless you want the web portal to be more secure then you would need to add a certificate from a Certificate provider

4. And which certificate(s) need to be installed in the end user/supplicant?
It depends on the method for connection, but generally the server certificate is added to a wireless profile.