Setting Up A FreeRadius Based AAA Server With MySQL & Management With Daloradius

This tutorial explains how you can set up a FreeRadius (1.1.7) server with Wifi authentication and accounting in conjunction with MySQL & web management with Daloradius on Ubuntu 8.04 LTS Server Edition This howto should work for a novice. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibilities if something goes wrong.

(For a basic how-to refer to the doc http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5.)

Following steps are involved:

1. Building Ubuntu 8.04 .debs (for eap/ttls support)
2. Installing the binary packages
3. Configuring the FR with MySQL
4. Setting up web management with Daloradius

 

Step 1- Building Ubuntu 8.04. packages

 Note: Those who don't need openssl/tls/ttls (certificates etc..) just fetch the FR packages from ubuntu repos with apt-get & skip to step 3.

Before building the FreeRadius Ubuntu 8.04 package we have to apt-get some packages, necessary for the build process.

sudo su -

apt-get install   debhelper  libltdl3-dev libpam0g-dev \
libmysqlclient15-dev build-essential libgdbm-dev \
libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp \
autotools-dev dpatch  libperl-dev libtool dpkg-dev libpq-dev \
libsnmp-dev libssl-dev 

Get hold of the FreeRadius sources and start building the package like given below.

cd ~
apt-get source freeradius

Note: It is recommended that you carry this building process on a non-production server & move the final binary packages over to the production server. But it isn't mandatory if you know what you're doing.

cd  freeradius-1.1.7/

Edit rule file (debian/rules):

vi debian/rules

Now search for these lines:

        --without-rlm_eap_tls \
                --without-rlm_eap_ttls \
                --without-rlm_eap_peap \

and change them to look like this.

 --with-rlm_eap_tls \
                   --with-rlm_eap_ttls \
                   --with-rlm_eap_peap \ 
 

Also in the same file replace the text " --without-openssl  " with " --with-openssl  "

Now search for these lines and delete them.

for pkg in $(shell grep ^Package debian/control | awk '{print $$2}') ; d
   o \
     if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
       echo "$$pkg links to openssl" ;\
       exit 1 ;\
     fi ;\
   done  

Save changes and quit vi. Now edit the control file (debian/control):

vi debian/control

Search for the line:

Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libpq-dev, libsnmp-dev

 and append libssl-dev to the end of this line so that it looks like this.

Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libpq-dev, libsnmp-dev, libssl-dev

Save the changes and quit vi.

Assuming you are here  ~/freeradius-1.1.7. Start building packages:

dpkg-buildpackage -rfakeroot

Note: You still might require some packages for these. apt-get/aptitiude them & rerun the rebuild process.

After a while (depending on your system) you should have some .deb files in the home directory.

freeradius_1.1.7-1build4_i386.deb
freeradius-dbg_1.1.7-1build4_i386.deb
freeradius-dialupadmin_1.1.7-1build4_all.deb
freeradius-iodbc_1.1.7-1build4_i386.deb
freeradius-krb5_1.1.7-1build4_i386.deb
freeradius-ldap_1.1.7-1build4_i386.deb
freeradius-mysql_1.1.7-1build4_i386.deb
freeradius-postgresql_1.1.7-1build4_i386.deb

Move these to a production server if this is your development workstation. (In this setup you won't be needing the postgresql , ldap, krb5 , iodbc , dbg, dialupadmin binaries.)

 

Step 2- Installing the binary packages

dpkg -i  freeradius_1.1.7-1build4_i386.deb

dpkg -i freeradius-mysql_1.1.7-1build4_i386.deb

After running with the out of the box configuration validate against a local user.

E.g: run radius in debug mode:

freeradius -X

From another shell run this while the freeradius -X is running:

radtest abc 123 localhost 1812 testing123

Make sure the user abc with password 123 is set in the /etc/freeradius/users file.

Setp 3- Configuring the FR with MySQL

First the MySQL bits (creating the db & its admin user). Do the following from your shell.

mysqladmin -u root password 123456

mysql -u root -p

On the MySQL shell type the following:

CREATE DATABASE radius;

GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

exit;

Import the the FreeRadius schema. The sample schema resides at this location: /usr/share/doc/freeradius/examples/mysql.sql.gz.

Gunzip it there:

gunzip -d /usr/share/doc/freeradius/examples/mysql.sql.gz

Do the following:

mysql -u root -p radius < /usr/share/doc/freeradius/examples/mysql.sql

To have a look  at the db schema do the following:

mysql -u root -p

use database radius;

show tables;

quit;

Now edit your /etc/freeradius/sql.conf.

Reset the user/password/database parameters to reflect the changes (eg. radius/radpass/radius); to turn the NAS management from MySQL, search for the line

readclients = no

and change it to

readclients = yes

Edit the file /etc/freeradius/radius.conf and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). Also add a line saying 'sql' to the accounting{} section to tell FreeRadius to store accounting records in SQL as well. Optionally add 'sql' to the session{} section if you want to do Simultaneous-Use detection. Optionally add 'sql' to the post-auth{} section if you want to log all authentication attempts to SQL.

Here is the authorize section:

  authorize {
          preprocess
          chap
          mschap
          suffix
          eap
          sql
          pap
} 

And the accounting section:

  accounting {
          detail
          sql
 }

To insert a test user in the database, go to the MySQL shell and run this:

mysql -u root -p

mysql> use database radius;

mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');

mysql> select * from radcheck where UserName='sqltest';

mysql> exit

Fire up radius in debug mode:

freeradius -X

Go to another shell and run the test:

radtest sqltest testpwd localhost 1812 testing123

At this moment you should see a message containing something like ... Accept-Accept ... which is an indication that your user is getting authenticated just fine.

Congratulations! Your FreeRadius + MySQL setup is working.

 

4- Setting up web management with Daloradius

The latest stable release is version 0.9-7.

Get hold of the it from http://sourceforge.net/projects/daloradius.

tar -zxvf daloradius-0.9-7.tar.gz

cp daloradius-0.9-7/ /var/www -R

Download the following prerequisites packages:

apt-get install apache2

apt-get install php php-mysql php-pear php-gd php-pear-DB

Change permissions and ownership:

chown www-data:www-data /var/www/daloradius-0.9-7 -R

chmod 644 /var/www/daloradius-0.9-7/library/daloradius.conf

Daloradius needs to add a few more tables to the radius database we already created earlier.

mysql -u root -p radius < /var/www/daloradius-0.9-7/contrib/db/mysql-daloradius.sql

Now, simply adjust the MySQL database information in  the DaloRadius config file.

vi /var/www/daloradius-0.9-7/library/daloradius.conf

Fill in the database details, a few important parameters are listed below:

    ...........
       ......................
       CONFIG_DB_ENGINE = mysql
       CONFIG_DB_HOST = 127.0.0.1
       CONFIG_DB_USER = radius
       CONFIG_DB_PASS = radpass
       CONFIG_DB_NAME = radius
       .......................
     ............

Save the file and exit.

Set up the apache server.

Edit the /etc/apache2/apache2.conf file and append this to the end of the file (customize to your likings):

  Alias /myradius "/var/www/daloradius-0.9-7/"
   <Directory /var/www/daloradius-0.9-7/>
      Options None
      order deny,allow
      deny from all
      allow from 127.0.0.1 
      allow from <my management system's ip which has a web-browser>
 </Directory>

Save and exit.

Restart the httpd server:

/etc/init.d/apache2 restart

Fire up Firefox (or any other borowser) and go to the URL http://<localhost or the managemet system's ip>/myradius.

Log in with the administrator for management:

    username: administrator
    password: radius

Change this information first for the sake of security (info is located in the operator table).

Take Daloradius for a spin. You should have created an sqltest user earlier. You can also try adding new users and testing the connectivity from within the Daloradius frontend.

Congratulations you are done.

Developers of  FreeRadius, MySQL and Daloradius, do accept my humble appreciation for all your efforts. Open source community, you also rock, thanx.

(Note: I haven't mentioned anything regarding setting up eap/ttls in this article. For that, just follow the section of setting up certificates and eap.conf from the below mentioned HowtoForge link.)

 

References:

http://freeradius.org/

http://wiki.freeradius.org/SQL_HOWTO

http://sourceforge.net/projects/daloradius

http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5

http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html