Setting Up A FreeRadius Based AAA Server With MySQL & Management With Daloradius
This tutorial explains how you can set up a FreeRadius (1.1.7) server with Wifi authentication and accounting in conjunction with MySQL & web management with Daloradius on Ubuntu 8.04 LTS Server Edition. This howto should work for a novice. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibility if something goes wrong.
(For a basic how-to refer to the doc https://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5.)
(And of course, if you feel you are not cut out for all this, you can always use this turn-key solution: https://www.howtoforge.com/how-to-set-up-an-aaa-server-with-ciitix-wifi.)
The following steps are involved:
- Building Ubuntu 8.04 .debs (for eap/ttls support)
- Installing the binary packages
- Configuring the FR with MySQL
- Setting up web management with Daloradius
Step 1- Building Ubuntu 8.04 packages
Note: Those who don't need openssl/tls/ttls (certificates etc.) can just fetch the FR packages from the Ubuntu repos with apt-get & skip to step 3.
Before building the FreeRadius Ubuntu 8.04 package we have to apt-get some packages, necessary for the build process.
sudo su -
apt-get install debhelper libltdl3-dev libpam0g-dev \
libmysqlclient15-dev build-essential libgdbm-dev \
libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp \
autotools-dev dpatch libperl-dev libtool dpkg-dev libpq-dev \
libsnmp-dev libssl-dev
Get hold of the FreeRadius sources and start building the package as shown below.
cd ~
apt-get source freeradius
Note: It is recommended that you carry out this build process on a non-production server & move the final binary packages over to the production server. But it isn't mandatory if you know what you're doing.
cd freeradius-1.1.7/
Edit the rules file (debian/rules):
vi debian/rules
Now search for these lines:
--without-rlm_eap_tls \
--without-rlm_eap_ttls \
--without-rlm_eap_peap \
and change them to look like this.
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
Also in the same file replace the text " --without-openssl " with " --with-openssl "
Now search for these lines and delete them.
for pkg in $(shell grep ^Package debian/control | awk '{print $$2}') ; do \
  if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
    echo "$$pkg links to openssl" ;\
    exit 1 ;\
  fi ;\
done
Save changes and quit vi. Now edit the control file (debian/control):
vi debian/control
Search for the line:
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libpq-dev, libsnmp-dev
and append libssl-dev to the end of this line so that it looks like this.
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2), libperl-dev, libtool, dpkg-dev (>= 1.13.19), libpq-dev, libsnmp-dev, libssl-dev
Save the changes and quit vi.
Assuming you are in ~/freeradius-1.1.7, start building the packages:
dpkg-buildpackage -rfakeroot
Note: You still might require some packages for this. apt-get/aptitude them & rerun the build process.
After a while (depending on your system) you should have some .deb files in the home directory.
freeradius_1.1.7-1build4_i386.deb
freeradius-dbg_1.1.7-1build4_i386.deb
freeradius-dialupadmin_1.1.7-1build4_all.deb
freeradius-iodbc_1.1.7-1build4_i386.deb
freeradius-krb5_1.1.7-1build4_i386.deb
freeradius-ldap_1.1.7-1build4_i386.deb
freeradius-mysql_1.1.7-1build4_i386.deb
freeradius-postgresql_1.1.7-1build4_i386.deb
Move these to a production server if this is your development workstation. (In this setup you won't be needing the postgresql , ldap, krb5 , iodbc , dbg, dialupadmin binaries.)
Step 2- Installing the binary packages
dpkg -i freeradius_1.1.7-1build4_i386.deb
dpkg -i freeradius-mysql_1.1.7-1build4_i386.deb
With the out-of-the-box configuration running, validate against a local user.
E.g: run radius in debug mode:
freeradius -X
From another shell run this while the freeradius -X is running:
radtest abc 123 localhost 1812 testing123
Make sure the user abc with password 123 is set in the /etc/freeradius/users file.
Step 3- Configuring the FR with MySQL
First the MySQL bits (creating the db & its admin user). Do the following from your shell.
mysqladmin -u root password 123456
mysql -u root -p
On the MySQL shell type the following:
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
exit;
Import the FreeRadius schema. The sample schema resides at this location: /usr/share/doc/freeradius/examples/mysql.sql.gz.
Gunzip it there:
gunzip -d /usr/share/doc/freeradius/examples/mysql.sql.gz
Do the following:
mysql -u root -p radius < /usr/share/doc/freeradius/examples/mysql.sql
To have a look at the db schema do the following:
mysql -u root -p
use radius;
show tables;
quit;
Now edit your /etc/freeradius/sql.conf.
Set the user/password/database parameters to match the database created above (e.g. radius/radpass/radius). To turn on NAS management from MySQL, search for the line
readclients = no
and change it to
readclients = yes
Edit the file /etc/freeradius/radiusd.conf and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). Also add a line saying 'sql' to the accounting{} section to tell FreeRadius to store accounting records in SQL as well. Optionally add 'sql' to the session{} section if you want to do Simultaneous-Use detection. Optionally add 'sql' to the post-auth{} section if you want to log all authentication attempts to SQL.
Here is the authorize section:
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    sql
    pap
}
And the accounting section:
accounting {
    detail
    sql
}
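A commented-out "# sql" line looks almost identical to an enabled one, so it is worth checking the edited files before starting the server. The script below is an added example, not part of the original article; the helper names section_has_module and check_fr_sql and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article); helper names are hypothetical.
# True if MODULE is listed, uncommented, inside top-level SECTION { } of FILE.
section_has_module() {
    awk -v sec="$2" -v mod="$3" '
        { sub(/#.*/, "") }                    # "#  sql" is still disabled
        !in_sec && g == 0 && $1 == sec && $2 == "{" { in_sec = 1 }
        in_sec && NF == 1 && $1 == mod { found = 1 }
        { g += gsub(/[{]/, "{") - gsub(/[}]/, "}") }   # track brace depth
        in_sec && g == 0 { exit }             # closing brace of SECTION
        END { exit !found }
    ' "$1"
}

# Print what is missing; return non-zero if a required setting is absent.
check_fr_sql() {
    radiusd_conf=$1 sql_conf=$2 rc=0
    for s in authorize accounting; do
        section_has_module "$radiusd_conf" "$s" sql ||
            { echo "MISSING: sql in $s{}"; rc=1; }
    done
    for s in session post-auth; do
        section_has_module "$radiusd_conf" "$s" sql ||
            echo "optional: sql not in $s{}"
    done
    grep -Eq '^[[:space:]]*readclients[[:space:]]*=[[:space:]]*yes' "$sql_conf" ||
        { echo "MISSING: readclients = yes in sql.conf"; rc=1; }
    return $rc
}

# Constructed sample: sql enabled in authorize, still commented in accounting.
demo=$(mktemp -d)
cat > "$demo/radiusd.conf" <<'EOF'
authorize {
    preprocess
    eap
    sql
    pap
}
accounting {
    detail
#   sql
}
EOF
echo 'readclients = no' > "$demo/sql.conf"
check_fr_sql "$demo/radiusd.conf" "$demo/sql.conf" || echo "configuration incomplete"
```

Against the live files the call is check_fr_sql /etc/freeradius/radiusd.conf /etc/freeradius/sql.conf. The optional post-auth{} line matters if you want failed logins recorded in SQL for later review.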
To insert a test user in the database, go to the MySQL shell and run this:
mysql -u root -p
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');
mysql> select * from radcheck where UserName='sqltest';
mysql> exit
Fire up radius in debug mode:
freeradius -X
Go to another shell and run the test:
radtest sqltest testpwd localhost 1812 testing123
At this point you should see a message containing something like ... Access-Accept ... which is an indication that your user is getting authenticated just fine.
Congratulations! Your FreeRadius + MySQL setup is working.
Step 4- Setting up web management with Daloradius
The latest stable release is version 0.9-7.
Get hold of it from http://sourceforge.net/projects/daloradius.
tar -zxvf daloradius-0.9-7.tar.gz
cp daloradius-0.9-7/ /var/www -R
Install the following prerequisite packages:
apt-get install apache2
apt-get install php5 php5-mysql php-pear php5-gd php-db
Change permissions and ownership:
chown www-data:www-data /var/www/daloradius-0.9-7 -R
chmod 644 /var/www/daloradius-0.9-7/library/daloradius.conf
Daloradius needs to add a few more tables to the radius database we already created earlier.
mysql -u root -p radius < /var/www/daloradius-0.9-7/contrib/db/mysql-daloradius.sql
Now, simply adjust the MySQL database information in the DaloRadius config file.
vi /var/www/daloradius-0.9-7/library/daloradius.conf
Fill in the database details, a few important parameters are listed below:
...........
CONFIG_DB_ENGINE = mysql
CONFIG_DB_HOST = 127.0.0.1
CONFIG_DB_USER = radius
CONFIG_DB_PASS = radpass
CONFIG_DB_NAME = radius
...........
Save the file and exit.
Set up the apache server.
Edit the /etc/apache2/apache2.conf file and append this to the end of the file (customize to your liking):
Alias /myradius "/var/www/daloradius-0.9-7/"
<Directory /var/www/daloradius-0.9-7/>
    Options None
    order deny,allow
    deny from all
    allow from 127.0.0.1
    allow from <my management system's ip which has a web-browser>
</Directory>
Save and exit.
Restart the httpd server:
/etc/init.d/apache2 restart
Fire up Firefox (or any other browser) and go to the URL http://<localhost or the management system's ip>/myradius.
Log in with the administrator account for management:
username: administrator
password: radius
Change this information first for the sake of security (info is located in the operator table).
Take Daloradius for a spin. You should have created an sqltest user earlier. You can also try adding new users and testing the connectivity from within the Daloradius frontend.
Congratulations, you are done.
Developers of FreeRadius, MySQL and Daloradius, do accept my humble appreciation for all your efforts. Open source community, you also rock, thanks.
(Note: I haven't mentioned anything regarding setting up eap/ttls in this article. For that, just follow the section of setting up certificates and eap.conf from the below mentioned HowtoForge link.)
References:
http://wiki.freeradius.org/SQL_HOWTO
http://sourceforge.net/projects/daloradius
https://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html