Installation of freeradius
Step 1: update system
	sudo apt-get update
Step 2: updrade system
	sudo apt-get upgrade
Step 3: install pre-requisites
	sudo apt-get install build-essential openssl libnl-utils libnl-3-dev libssl-dev
Step 4: Install freeradius
	sudo apt-get install freeradius freeradius-common freeradius-config freeradius-utils freeradius-ldap 
Step 5: Confirm that freeradius had been installed
	freeradius -v

Configuration of radius
Step 1: Generate certificates
Edit ca.cnf 
	vim /etc/freeradius/3.0/certs/ca.cnf
	changes to be made
	default_days = 3650 
	default_crl_days = 300 

	input_password = your-ca-password 
	output_password = your-ca-password

	countryName = UG 
	stateOrProvinceName = Radius 
	localityName = YOUR-INSTITUTION 
	organizationName = Your Institution 
	emailAddress = admin@your.institution.domain 
	commonName = "Your Institution Certificate Authority"

Edit client.cnf
	vim /etc/freeradius/3.0/certs/client.cnf
	changes to be made
	default_days = 3650 
	default_crl_days = 300 

	input_password = your-ca-password 
	output_password = your-ca-password

	countryName = UG 
	stateOrProvinceName = Radius 
	localityName = YOUR-INSTITUTION 
	organizationName = Your Institution 
	emailAddress = admin@your.institution.domain 
	commonName = "Your Institution Certificate Authority"
Edit server.cnf
	vim /etc/freeradius/3.0/certs/server.cnf
	changes to be made
	default_days = 3650 
	default_crl_days = 300 

	input_password = your-ca-password 
	output_password = your-ca-password

	countryName = UG 
	stateOrProvinceName = Radius 
	localityName = YOUR-INSTITUTION 
	organizationName = Your Institution 
	emailAddress = admin@your.institution.domain 
	commonName = "Your Institution Certificate Authority"
cd /etc/freeradius/3.0/certs
	sudo -u freeradius make
	
Step 2: Edit clients.conf file/ Add clients 
	vim /etc/freeradius/3.0/clients.conf
	Format - Local clients 
		client LAN-1 {
			ipaddr = X.X.X.X/Y
			secret = <secret>
			virtual_server = eduroam
			}
		client LAN-2 {
			ipaddr = Y.Y.Y.Y/x
			secret = <secret>
			virtual_server = eduroam
			}
	NRO radius servers
		client NRO-1 {
			ipaddr = X.X.X.X
			netmask = 32
			secret = <secret>
			require_message_authenticator = no
			nastype = other
			virtual_server = eduroam
			}
		client NRO-2 {
			ipaddr = Y.Y.Y.Y
			netmask = 32
			secret = <secret>
			require_message_authenticator = no
			nastype = other
			virtual_server = eduroam
			}
Step 3: To federate your institution's radius server
	vim /etc/freeradius/3.0/proxy.conf
	Add home servers for NRO and your institution's realm
	home_server NRO-1 {
			type = auth+acct
			ipaddr = X.X.X.X
			secret = <secret>
			port = 1812
			status_check = status-server
			}
	home_server NRO-2 {
			type = auth+acct
			ipaddr = Y.Y.Y.Y
			secret = <secret>
			port = 1812
			status_check = status-server			
			}
	home_server_pool EDUROAM { 
	type = fail-over 
	home_server = NRO-1
	home_server = NRO-2
} 
	realm LOCAL {
	}
	realm NULL {
		nostrip
		}
	realm your.institution.zm {
	}
	realm "~.+\\.your\\.institution\\.zm5" {
	}
	realm "~\\.3gppnetwork.org$" {
	}
	realm "~.+$" {
		pool = EDUROAM
		nostrip
		}
	realm DEFAULT {
		pool = EDUROAM
		nostrip
		}
		
User database setup and configuration - depends on the technology the institution is using
sudo -u freerad vi /etc/freeradius/3.0/mods-available/eap 
default_eap_type = peap
private_key_password = your-ca-password 
private_key_file = ${certdir}/server.key 
certificate_file = ${certdir}/server.pem
random_file = /dev/urandom 

ttls {
tls = tls-common
default_eap_type = peap
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}

peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}

mschapv2 {
send_error = yes
identity = "YOUR-INSTITUTION RADIUS"
}

Enable EAP module
cd /etc/freeradius/3.0/mods-enabled/
sudo -u freerad ln -s ../mods-available/eap .

To setup AAA in your radius server
cd /etc/freeradius/3.0/sites-available/
sudo -u freerad cp default eduroam
sudo -u freerad cp inner-tunnel eduroam-inner-tunnel

sudo -u freerad vi /etc/freeradius/3.0/sites-avaliable/eduroam
sudo -u freerad vi /etc/freeradius/3.0/sites-avaliable/eduroam-inner-tunnel

Changes
eduroam 
listen - type auth 
max_connections = 0
lifetime = 0
idle_timeout = 0

authorize 
update request {
Operator-Name := "1your.institution.domain"
}
eap {
ok = return
}
authenticate 
eap

eduroam-inner-tunnel
authorize 
eap
authenticate 
eap

cd /etc/freeradius/3.0/sites-enabled/
sudo -u freerad rm *
sudo -u freerad ln -s ../sites-available/eduroam .
sudo -u freerad ln -s ../sites-available/eduroam-inner-tunnel .

Testing
radtest -t mschap test@your.institution.zm <password> localhost testing123

