kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License
572 stars, 79 forks

Use certificates for radius auth #44

Closed ArrEssJay closed 1 year ago

ArrEssJay commented 2 years ago

Is your feature request related to a problem? Please describe. The LE certificates can additionally be used for radius authentication.

Describe the solution you'd like Add an option to copy the certificates:

# cp lego/certificates/cert.crt /mnt/data/udapi-config/raddb/certs/server.pem
# cp lego/certificates/cert.key /mnt/data/udapi-config/raddb/certs/server-key.pem

Describe alternatives you've considered Manually copying + rebooting works, but it would be nice to have this included in the cron update to survive updates/LE cert rolls.

I can submit a PR if you'd be happy to have this feature added.

kchristensen commented 2 years ago

Seems like a reasonable addition, I remember someone at some point in the past asked about this and part of me wants to say there was some caveat, like the radius daemon had to get restarted or it didn't like having the bundled certificate.

However if you've been doing this manually and it works (I'm not using radius as I could never get radius assigned vlans to work right early on and gave up) then by all means feel free to submit a PR!

kchristensen commented 2 years ago

I took a swing at this in this PR: https://github.com/kchristensen/udm-le/pull/46

Take note of the various changes in the env file as well as the on-boot file and let me know if this works for you.

ArrEssJay commented 2 years ago

This change does fundamentally work.

The issues I've found are:

Replacing the certificates at startup of Unifi might be an approach? I'm somewhat out of my depth here in my understanding of what happens during a Unifi upgrade.

martintoreilly commented 2 years ago

radiusd loads certs from /run/raddb/certs/. I presume ubios-udapi-server copies them at boot.

@ArrEssJay Looking at timestamps on the files in /run/raddb/certs/, I can confirm that these correspond to the last reboot of my UDM device earlier this week, with the original timestamps of the keys and certs in /mnt/data/udapi-config/raddb/certs being several months earlier. I've since restarted both unifi-os and rc.radiusd, and neither of these has resulted in updated timestamps for the keys and certs in /run/raddb/certs/.
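The copy step from the feature request and the /run/raddb/certs finding above, put together as an added example (this is not udm-le's code, nor anything posted in this thread). It installs lego's cert.crt / cert.key as server.pem / server-key.pem with a temp-file-and-rename so radiusd never reads a half-written file, reports whether the persistent copy actually changed, and then compares it with the runtime copy in /run/raddb/certs so the operator knows a reboot is still needed (service restarts were found not to refresh it). The default LEGO_DIR, the script name used in the run guard, and the choice to strip the chain down to the leaf certificate (a hedge against the bundled-certificate caveat recalled earlier, not something the thread confirms radiusd needs) are assumptions.

```shell
#!/bin/sh
# Added example, not code from udm-le. Automates the manual copy described in
# the thread and tells you whether radiusd's runtime copy is now stale.
set -u

LEGO_DIR="${LEGO_DIR:-lego/certificates}"                       # assumed: relative to the udm-le dir
RADDB_CERTS="${RADDB_CERTS:-/mnt/data/udapi-config/raddb/certs}" # persistent copy (from the thread)
RUN_CERTS="${RUN_CERTS:-/run/raddb/certs}"                       # what radiusd loads, filled at boot

# Print only the first PEM certificate of a bundle. lego's cert.crt carries
# the chain; handing radiusd just the leaf is an assumption, not a thread-confirmed fix.
leaf_only() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }' "$1"
}

# Install cert/key from $1 into $2 as server.pem / server-key.pem.
# Each file is written to a temp name and renamed into place (atomic on the
# same filesystem). Prints "updated" if either file changed, else "unchanged".
install_radius_certs() {
    src="$1"; dst="$2"; changed=unchanged
    mkdir -p "$dst"

    leaf_only "$src/cert.crt" > "$dst/.server.pem.tmp"
    if ! cmp -s "$dst/.server.pem.tmp" "$dst/server.pem"; then
        mv "$dst/.server.pem.tmp" "$dst/server.pem"; changed=updated
    else
        rm -f "$dst/.server.pem.tmp"
    fi

    cp "$src/cert.key" "$dst/.server-key.pem.tmp"
    chmod 600 "$dst/.server-key.pem.tmp"   # private key: owner-only before it becomes visible
    if ! cmp -s "$dst/.server-key.pem.tmp" "$dst/server-key.pem"; then
        mv "$dst/.server-key.pem.tmp" "$dst/server-key.pem"; changed=updated
    else
        rm -f "$dst/.server-key.pem.tmp"
    fi
    echo "$changed"
}

# Exit 0 when the runtime copy ($2) differs from (or lacks) the persistent
# copy ($1): radiusd is still serving the old certificate and needs a reboot.
runtime_certs_stale() {
    ! cmp -s "$1/server.pem" "$2/server.pem" ||
    ! cmp -s "$1/server-key.pem" "$2/server-key.pem"
}

# Sanity check that the key really belongs to the certificate (needs openssl;
# skipped with a warning if it is not installed).
keypair_matches() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, skipping keypair check" >&2; return 0; }
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Intended to run from the same cron job that renews the certificate.
main() {
    keypair_matches "$LEGO_DIR/cert.crt" "$LEGO_DIR/cert.key" || { echo "cert/key mismatch in $LEGO_DIR" >&2; exit 1; }
    echo "raddb certs: $(install_radius_certs "$LEGO_DIR" "$RADDB_CERTS")"
    if runtime_certs_stale "$RADDB_CERTS" "$RUN_CERTS"; then
        echo "runtime copy in $RUN_CERTS is stale; radiusd will only pick the new files up after a reboot"
    fi
}

# Run main only when executed under this (assumed) file name, so the functions
# can also be sourced from another script.
case "${0##*/}" in udm-le-radius.sh) main ;; esac
```

The "updated"/"unchanged" output is what a cron wrapper should key on: only an update makes the runtime copy stale, so that is the only time the reboot (or whatever mechanism turns out to repopulate /run/raddb/certs) needs scheduling.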

kchristensen commented 1 year ago

Hi all, we have had some generous users work on getting 2.x support finalized (including Radius support). Please check out this PR and see how things are working for your use case: https://github.com/kchristensen/udm-le/pull/70

kchristensen commented 1 year ago

Closing this out -- the latest 2.x support has radius support, albeit slightly untested. Feel free to open issues related to that support in a new issue.