Authentication, Authorization & Accounting With FreeRadius & MySQL Backend & Web Based Management with Daloradius
This tutorial explains how to set up a FreeRadius 2.x server for wifi authentication, authorization and accounting in conjunction with mysql & web based management with Daloradius on CentOS 5.x. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibilities.
(For basic how-to refer to the doc https://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5.
And of-course for the faint-hearted this turn-key solution can always be employed. https://www.howtoforge.com/how-to-set-up-an-aaa-server-with-ciitix-wifi )
The following steps are involved:
1- Building Centos 5.x binary rpms
2- Installing the binary packages
3- Configuring the FR with mysql
4- Setting up web management with Daloradius
Step 1- Building Centos 5.X packages
Get hold of src.rpms from http://rpmfind.net//linux/RPM/fedora/devel/src/freeradius-2.0.5-1.fc10.src.html.
rpm -Uvh freeradius-2.0.5-1.fc10.src
Note: It is recommended that you carry this building process on a non-production server & move over the final binary rpms over to the produtions server. But it isn't mandatory if you know what you're doing.
cd /usr/src/redhat/RPMS/SPECS
rpmbuild -bb freeradius.spec
Note: You might require some package for these. yum them & rerun the rebuild process. (I got prompted for the following)
beecrypt-devel, sqlite-devel, unixODBC, unixODBC-devel,
python-devel, pam-devel, elfutils-libelf-devel,
elfutils-libelf-devel-static, rpm-devel, elfutils-devel,
elfutils-devel-static, net-snmp-devel, mysql, cyrus-sasl-devel,
mysql-devel, openldap-devel, gdbm-devel, libtool-ltdl-devel,
postgresql, postgresql-devel
After a while (depending on your system specs) you should have rpms built at the following locations (if using x86):
cd /usr/src/redhat/RPMS/i386
Move these to a production server if this is your development workstation.
Step 2- Installing the binary packages
rpm -Uvh freeradius-libs-2.0.5-1.i386.rpm
rpm -Uvh freeradius-2.0.5-1.i386.rpm
rpm -Uvh freeradius-utils-2.0.5-1.i386.rpm
rpm -Uvh freeradius-mysql-2.0.5-1.i386.rpm
After running with the out of the box configuration, validate against a local user.
E.g: run radius in debug mode:
radiusd -X
From another shell run this while the radius -X is running:
radtest abc 123 localhost 1812 testing123
Make sure the user 'abc' with password '123' is set in the /etc/raddb/users file.
Step 3- Configuring the FR with MySQL
Turn on the sql authentication in the radiusd.conf
vi /etc/raddb/radiusd.conf
Search & uncomment this line $INCLUDE sql.conf
Save & quit.
Now the MySQL bits (creating the db & its admin user). Do the following from your shell.
mysqladmin -u root password 123456
mysql -u root -p
On the MySQL shell type the following:
CREATE DATABASE radiusdb;
GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpass";
exit;
Now import the file mysql-dalo-and-fr2x.sql schema into the radiusdb from the following zipped file which also contains daloradius.conf file for daloradius which is discussed later in the web management section.
Download sql_schema & daloradius.conf zipped
unzip daloradius.zip
mysql -u root -p radiusdb < /root/mysql-dalo-fr2x.sql
To have a look at the db schema do the following:
mysql -u root -p
use database radiusdb;
show tables;
quit;
Now edit your /etc/raddb/sql.conf.
Reset the user/password/database parameters to reflect the changes (eg. login = radius, password=radpass & radius_db=radiusdb); to turn the NAS management from MySQL, search for the line
readclients = no
and change it to:
readclients = yes
Edit the file /etc/raddb/sites-enabled/default and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). Also add a line saying 'sql' to the accounting{} section to tell FreeRadius to store accounting records in SQL as well. Optionally add 'sql' to the session{} section if you want to do Simultaneous-Use detection. Optionally add 'sql' to the post-auth{} section if you want to log all authentication attempts to SQL.
Here is the authorize section:
authorize { preprocess chap mschap suffix eap sql pap }
And the accounting section:
accounting { detail sql }
To insert a test user in the database, go to the MySQL shell and run this:
mysql -u root -p
mysql> use database radiusdb;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');
mysql> select * from radcheck where UserName='sqltest';
mysql> exit
Fire up radius in debug mode:
radiusd -X
Go to another shell and run the test:
radtest sqltest testpwd localhost 1812 testing123
At this moment you should see a message containing something like ... Accept-Accept ... which is an indication that your user is getting authenticated just fine.
Congratulations! Your FreeRadius + MySQL setup is working.
4- Setting up web management with Daloradius
The latest stable release is version 0.9-7.
Get hold of the it from http://sourceforge.net/projects/daloradius.
tar -zxvf daloradius-0.9-7.tar.gz
Download the following prerequisite packages:
yum install install httpd -y
yum install php php-mysql php-pear php-gd php-pear-DB -y
cp daloradius-0.9-7/ /var/www -vr
Change ownership:
chown apache:apache /var/www/daloradius-0.9-7 -R
A few tables that are needed by Daloradius, have already been created earlier.
Copy over the already unzippedfile daloradius.conf from the downloaded zipped file.
cp /root/daloradius.conf /var/www/daloradius-0.9-7/library/
Note: This file daloradius.conf has been modified for freeradius 2.x which, as of yet, is not being packaged by daloradius.
Now, simply adjust the MySQL database information in the DaloRadius config file.
vi /var/www/daloradius-0.9-7/library/daloradius.conf
Fill in the database details, few important parameters are listed below:
........... ...................... CONFIG_DB_ENGINE = mysql CONFIG_DB_HOST = 127.0.0.1 CONFIG_DB_USER = radius CONFIG_DB_PASS = radpass CONFIG_DB_NAME = radiusdb ....................... ............
Change ownership & permission:
chown apache.apache /var/ww/daloradius-0.9-7/library/daloradius.conf
chmod 644 /var/www/daloradius-0.9-7/library/daloradius.conf
touch /tmp/daloradius.log
chown apache.apache /tmp/daloradius.log
Set up the apache server.
Edit the /etc/httpd/conf/httpd.conf file and append this to the end of the file (customize to your likings):
Alias /myradius "/var/www/daloradius-0.9-7/" <Directory /var/www/daloradius-0.9-7/> Options None order deny,allow deny from all allow from 127.0.0.1 allow from <my management system's ip which has a web-browser> </Directory>
Save and exit.
Restart the httpd server:
/etc/init.d/httpd restart
Fire up Firefox (or any other borowser) and go to the URL http://<localhost or the managemet system's ip>/myradius.
Log in with the administrator for management:
username: administrator
password: radius
Change this information first for the sake of security (info is located in the operator table).
Take Daloradius for a spin. You should have created an sqltest user earlier. You can also try adding new users and testing the connectivity from within the Daloradius frontend.
Congratulations you are done.
Again developers of FreeRadius, MySQL and Daloradius, do accept my humble appreciation for all your efforts. Open source community, as always you rock, thanx.
(Note: I haven't mentioned anything regarding setting up eap/ttls in this article. For that, just follow the section of setting up certificates and eap.conf from the below mentioned HowtoForge link.)
References:
http://wiki.freeradius.org/SQL_HOWTO
http://sourceforge.net/projects/daloradius
https://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
http://rpmfind.net//linux/RPM/fedora/devel/src/freeradius-2.0.5-1.fc10.src.html