![\"\"](\"https:\/\/buunk.org\/wp-content\/uploads\/2026\/03\/IMG_4084-1024x576.jpeg\")
The RADIUS server itself runs in an LXC container on my production cluster, making it fully integrated with my infrastructure. This setup ensures it\u2019s always on, highly available, and easy to maintain. I also ensured that the container has access to my existing LDAP directory ( The Archer AX55 is used purely as an access point. It points to my main OPNsense router, which handles DHCP, routing, and forwards RADIUS requests to the FreeRADIUS container. Seeing a client connect for the first time is satisfying: FreeRADIUS looks up the user in LDAP, verifies the password, checks that the user is in the The group check policy is particularly neat. FreeRADIUS evaluates the Here\u2019s a snippet from that policy:<\/p>\n\n\n\n Clients connect via the AX55, which is configured for WPA2 Enterprise. The OPNsense router handles DHCP and dynamic DNS, and I can watch the logs as authentication occurs. The EAP-PEAP tunnel is established, credentials are verified, and access is granted all while keeping passwords secure.<\/p>\n\n\n\n Overall, this project gave my homelab Wi-Fi access that feels enterprise-grade. By combining my production cluster LXC container running FreeRADIUS, LDAP for user management, OPNsense as the main router, and the Archer AX55 as a managed access point, I now have a secure, auditable, and flexible network.<\/p>\n\n\n\n Next, I plan to experiment with dynamic VLAN assignment based on group membership. This will give me more control over what guest accounts and IoT devices can access. For now, it\u2019s already incredibly satisfying to see per-user authentication working perfectly in my home lab environment.<\/p>\n\n\n\n <\/p>\n\n\n\n If you are interested in the technologies used to build this network, here are some links for more information:<\/p>\n\n\n\n FreeRADIUS<\/strong> \u2013 RADIUS server for secure authentication: https:\/\/freeradius.org<\/a><\/p>\n\n\n\n LLDAP<\/strong> \u2013 Lightweight LDAP for user and group management: https:\/\/github.com\/lldap\/lldap<\/a><\/p>\n\n\n\n OPNsense<\/strong> \u2013 Firewall and router: https:\/\/opnsense.org<\/a><\/p>\n\n\n\nou=people,dc=buunk,dc=org<\/code>), so it can verify user credentials and check group membership.<\/p>\n\n\n\nwifi-users<\/code> group, and grants access.<\/p>\n\n\n\n![\"\"](\"https:\/\/buunk.org\/wp-content\/uploads\/2026\/03\/image-1.png\")
ldap: User object found at DN \"uid=jurre,ou=people,dc=buunk,dc=org\"\nldap: Processing memberOf value \"cn=wifi-users,ou=groups,dc=buunk,dc=org\" as a DN\nif (Ldap-Group == \"cn=wifi-users,ou=groups,dc=buunk,dc=org\") -> TRUE\nReply-Message := \"User is in wifi-users group\"<\/code><\/pre>\n\n\n\ncheck_group<\/code> policy to ensure the user belongs to wifi-users<\/code>. This allows me to separate access based on LDAP groups and makes it easy to extend later\u2014for example, to assign VLANs or enforce more granular policies. <\/p>\n\n\n\npolicy check_group {
if (Ldap-Group == \"cn=wifi-users,ou=groups,dc=buunk,dc=org\") {
update reply {
Reply-Message := \"User is in wifi-users group\"
}
}
}<\/code><\/pre>\n\n\n\neap_peap: Session established. Decoding tunneled attributes
eap_peap: Success
eap_peap: Using saved attributes from the original Access-Accept<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/buunk.org\/wp-content\/uploads\/2026\/03\/image-2-edited.png\")