In this tutorial, we provide a step-by-step guide on how to install FreeRADIUS with daloRADIUS on Ubuntu 20.04. FreeRADIUS is an open source high performance and highly configurable RADIUS suite that provides centralized network authentication on systems such as 802.1x (WiFi), dialup, PPPoE, VPN’s, VoIP, etc. daloRADIUS on the other hand is an advanced web application for managing FreeRADIUS server.
FreeRADIUS supports a wide array of database backends including OpenLDAP, MySQL, Redis, Microsoft AD, Apache Cassandra, PostgreSQL etc.
Installing FreeRADIUS with daloRADIUS on Ubuntu 20.04
In this demo, we are going to setup FreeRADIUS with MySQL as the backend database. Therefore, ensure that the prerequisites below are met before you can proceed.
Prerequisites
Update and upgrade your system packages;
apt update
apt upgradeInstall LAMP Stack on Ubuntu 20.04 by following the link below;
Install LAMP Stack on Ubuntu 20.04
Install other required PHP Modules;
apt install php-gd php-mail php-mail-mime php-mysql php-pear php-db php-mbstring php-xml php-curlInstall and Configure FreeRADIUS on Ubuntu 20.04
Installing FreeRADIUS
Once all the prerequisites above are met, proceed to install FreeRADIUS on Ubuntu 20.04. FreeRADIUS 3.0.x is the latest stable release versions as of this writing and are available on the default Ubuntu 20.04 repos.
To install FreeRADIUS and other FreeRADIUS utilities including MySQL database backend utilities on Ubuntu 20.04, execute the command below;
apt install freeradius freeradius-mysql freeradius-utilsRunning FreeRADIUS in Debug Mode
Usually, FreeRADIUS is expected to run well with the default configuration settings after the installation is done. To verify the same, run FreeRADIUS in debugging mode to confirm that is ready to process request.
Before you can run FreeRADIUS in debugging mode, you need to stop its service first (started automatically after install);
systemctl stop freeradiusOnce that is done, run FreeRADIUS in debugging mode;
freeradius -XIf FreeRADIUS is running as expected, you should see a line, Ready to process requests.
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59191
Listening on proxy address :: port 33772
Ready to process requests
Stop the debugging mode by pressing ctrl+c.
Start and enable FreeRADIUS to run on system boot;
systemctl enable --now freeradiusOpen FreeRADIUS on Firewall
FreeRADIUS uses UDP port 1812 for authentication and authorization and UDP port 1813 as the accouting port. Therefore, if UFW is running, open these ports;
ufw allow to any port 1812 proto udp
ufw allow to any port 1813 proto udpconfirm port opening by running the command below;
ss -alun4 | grep -E ':1812|:1813'UNCONN 0 0 127.0.0.1:18120 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1812 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1813 0.0.0.0:*Create FreeRADIUS MySQL Database and Database User
Login to MySQL server and create FreeRADIUS database;
mysql -u root -pcreate database radiusdb;Create FreeRADIUS database user and grant all privileges on the database created above;
create user radiusadmin@localhost identified by 'myStr0nP@ssW0rd';grant all on radiusdb.* to radiusadmin@localhost;Reload the privileges tables to affect the changes and exit the database.
flush privileges;
quitCreate FreeRADIUS SQL Schema
FreeRADIUS ships with the default database schema located under /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql. Import this schema to FreeRADIUS database created above;
mysql -u root -p radiusdb < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sqlConfiguring FreeRADIUS to use SQL
To configure FreeRADIUS to use SQL modules, open the SQL module configuration file;
vim /etc/freeradius/3.0/mods-available/sqlSet the SQL dialect to mysql, and define the FreeRADIUS database connection settings as created above.
...
sql {
#
# The dialect of SQL being used.
#
# Allowed dialects are:
#
# mssql
...
dialect = "mysql"
# The driver module used to execute the queries.
#driver = "rlm_sql_null"
driver = "rlm_sql_${dialect}"
...
# Connection info:
#
server = "localhost"
port = 3306
login = "radiusadmin"
password = "myStr0nP@ssW0rd"
...
# Database table configuration for everything except Oracle
radius_db = "radiusdb"
...
The use of MySQL database enforces use of TLS certs by default. In this demo, we do not use the TLS certs, hence commenting out the MYSQL TLS section;
...
mysql {
# If any of the files below are set, TLS encryption is enabled
#tls {
# ca_file = "/etc/ssl/certs/my_ca.crt"
# ca_path = "/etc/ssl/certs/"
# certificate_file = "/etc/ssl/certs/private/client.crt"
# private_key_file = "/etc/ssl/certs/private/client.key"
# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
#
# tls_required = yes
# tls_check_cert = no
# tls_check_cert_cn = no
#}
...Enable FreeRADIUS server to read clients from database, by uncommenting (removing hash) on the line #read_clients = yes.
...
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
read_clients = yes
...Next, enable the SQL module by creating a symbolic link of SQL mods-available to mods-enabled;
ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/Change the ownership user and group of the enabled SQL module (symbolic link) to freerad as shown below.
chown -h freerad.freerad /etc/freeradius/3.0/mods-enabled/sqlRestart the FreeRADIUS service,
systemctl restart freeradiusVerify FreeRADIUS use of SQL Database
To verify that FreeRADIUS can now work with MySQL database properly, populate the FreeRADIUS database with some dummy data. Login to FreeRADIUS database as FreeRADIUS database user created above;
mysql -u radiusadmin -puse radiusdb;Create a dummy user entry in radcheck table;
insert into radcheck (id,username,attribute,op,value) values("1", "demouser", "Cleartext-Password", ":=", "demopass");To verify the same;
select * from radcheck where id="1";+----+----------+--------------------+----+----------+
| id | username | attribute | op | value |
+----+----------+--------------------+----+----------+
| 1 | demouser | Cleartext-Password | := | demopass |
+----+----------+--------------------+----+----------+
1 row in set (0.01 sec)Exit the database, stop FreeRADIUS and run it again on debug mode to verify if it is working well.
systemctl stop freeradiusfreeradius -XFreeRADIUS provides a simple test tool, radtest, which send packets to a RADIUS server and show the reply. The syntax of using the radtest command line tool is;
radtest {username} {password} {hostname} 10 {radius_secret}Read man pages, man radtest, for more info on options used.
So while FreeRADIUS is running in a debug mode, open another terminal and run the test command below. Note: testing123 is the shared secret for the localhost client, check clients.conf.
radtest demouser demopass localhost 10 testing123If you get the Access-Accept, response upon authenticating, then the POC is done.
Sent Access-Request Id 129 from 0.0.0.0:40930 to 127.0.0.1:1812 length 78
User-Name = "demouser"
User-Password = "demopass"
NAS-IP-Address = 10.0.2.15
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "demopass"
Received Access-Accept Id 129 from 127.0.0.1:1812 to 127.0.0.1:40930 length 20Stop FreeRADIUS debugging mode and start the service.
systemctl start freeradiusInstall and Configure daloRADIUS on Ubuntu 20.04
daloRADIUS is an advanced web application for managing FreeRADIUS server. daloRADIUS homepage is hosted on sourceforge, https://sourceforge.net/projects/daloradius. To download the latest release version, simply grab it from sourceforge homepage.
Once you downloaded the daloRADIUS zip file, extract it to your web root directory;
unzip daloradius-1.1-2.zip 'daloradius/*' -d /var/www/html/ls /var/www/html/
daloradiusdaloRADIUS ships with its default MySQL tables. Import these tables to the FreeRADIUS database created above.
mysql -u root -p radiusdb < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sqlmysql -u root -p radiusdb < /var/www/html/daloradius/contrib/db/mysql-daloradius.sqlConfigure ownership of the daloRADIUS web configuration files to Apache web user as shown below;
chown -R www-data.www-data /var/www/html/daloradius/Configure the permissions of the daloRADIUS main configuration file to 664 as shown below;
chmod 664 /var/www/html/daloradius/library/daloradius.conf.phpConfigure daloRADIUS database connection settings;
vim /var/www/html/daloradius/library/daloradius.conf.phpSet the connection settings as per your setup.
...
$configValues['DALORADIUS_VERSION'] = '1.1-2';
$configValues['DALORADIUS_DATE'] = '08 Aug 2019';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radiusadmin';
$configValues['CONFIG_DB_PASS'] = 'myStr0nP@ssW0rd';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
...Save and exit the configuration file and restart FreeRADIUS.
systemctl restart freeradiusAccess daloRADIUS from Web
You can now access daloRADIUS from web so can administer FreeRADIUS with ease. Use the address, http://server-IP-Or-Hostname/daloradius.
Login with the default credentials: Username: administrator Password: radius
And there you go. you have successfully installed FreeRADIUS with daloRADIUS on Ubuntu 20.04. Explore the RADIUS…
Reference
Install FreeRADIUS 3.x on Debian/Ubuntu
Related Tutorials
Install FreeRADIUS with daloRADIUS on Debian 9
Install and Configure FreeRADIUS with daloRADIUS on Fedora 29
koromicha followed your tutorial to setup freeradius with mysql server and everything works perfect with my Router enabled for WPA2-Enterprise. I havent used DaloRADIUS as I dont need for simple setup. Thank you very for your time.
Hi Koromicha
I hope you are well.
THank you for sharing this tutorial
btw, I had an issue,
my Radius can give Access – Accept for user that listed on etc/3.0/mods-config/filez/authorize
but reject the user that listed in radcheck table.
the error when I testes the connectivity via dalloRadius are below
Executed:
echo User-Name=’a’,User-Password=’a’ | radclient -c ‘1’ -n ‘3’ -r ‘3’ -t ‘3’ -x ‘127.0.0.1:1812’ ‘auth’ ‘testing123’ 2>&1
Results:
(0) -: Expected Access-Accept got Access-Reject
Sent Access-Request Id 88 from 0.0.0.0:40939 to 127.0.0.1:1812 length 41
User-Name = “a”
User-Password = “a”
Cleartext-Password = “a”
Received Access-Reject Id 88 from 127.0.0.1:1812 to 127.0.0.1:40939 length 20
Could you please advise, how to force the radius to read the user from radiusdb ?
THank you
You have done well so thank you for this great job.
Hi , How I can configure external openldap authentication? Thanks
A step here is wrong, this should not be done:
mysql -u root -p radiusdb < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
If you do that it will replace the freeradius 3.x schema with a freeradius 2.x schema which is not compatible and can result in duplicate data in the radacct table and other issues
/etc/freeradius/3.0/mods-enabled/sql[341]: Reference “${dialect}” not found
Errors reading or parsing /etc/freeradius/3.0/radiusd.conf
Hi Kaylan,
dialect is enabled/defined on the mods-enabled/sql file?
… finally a manual that really works. Thank you for this, great job.
Reinald
Hi Reinald. Glad you found the tutorial working. Enjoy