Install FreeRADIUS with daloRADIUS on Ubuntu 20.04


In this tutorial, we provide a step-by-step guide on how to install FreeRADIUS with daloRADIUS on Ubuntu 20.04. FreeRADIUS is an open source, high-performance and highly configurable RADIUS suite that provides centralized network authentication for systems such as 802.1x (WiFi), dialup, PPPoE, VPNs, VoIP, etc. daloRADIUS, on the other hand, is an advanced web application for managing a FreeRADIUS server.

FreeRADIUS supports a wide array of database backends including OpenLDAP, MySQL, Redis, Microsoft AD, Apache Cassandra, PostgreSQL etc.

Install FreeRADIUS with daloRADIUS on Ubuntu 20.04

In this demo, we are going to set up FreeRADIUS with MySQL as the backend database. Therefore, ensure that the prerequisites below are met before you proceed.

Prerequisites

Update and upgrade your system packages;

apt update
apt upgrade

Install LAMP Stack on Ubuntu 20.04 by following the link below;

Install LAMP Stack on Ubuntu 20.04

Install other required PHP Modules;

apt install php-gd php-mail php-mail-mime php-mysql php-pear php-db php-mbstring php-xml php-curl

Install and Configure FreeRADIUS on Ubuntu 20.04

Installing FreeRADIUS

Once all the prerequisites above are met, proceed to install FreeRADIUS on Ubuntu 20.04. FreeRADIUS 3.0.x is the latest stable release series as of this writing and is available in the default Ubuntu 20.04 repos.

To install FreeRADIUS and other FreeRADIUS utilities including MySQL database backend utilities on Ubuntu 20.04, execute the command below;

apt install freeradius freeradius-mysql freeradius-utils

Running FreeRADIUS in Debug Mode

Usually, FreeRADIUS is expected to run well with the default configuration settings after the installation is done. To verify this, run FreeRADIUS in debugging mode to confirm that it is ready to process requests.

Before you can run FreeRADIUS in debugging mode, you need to stop its service first (started automatically after install);

systemctl stop freeradius

Once that is done, run FreeRADIUS in debugging mode;

freeradius -X

If FreeRADIUS is running as expected, you should see a line, Ready to process requests.

   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59191
Listening on proxy address :: port 33772
Ready to process requests

Stop the debugging mode by pressing ctrl+c.

Start and enable FreeRADIUS to run on system boot;

systemctl enable --now freeradius

Open FreeRADIUS on Firewall

FreeRADIUS uses UDP port 1812 for authentication and authorization and UDP port 1813 as the accounting port. Therefore, if UFW is running, open these ports;

ufw allow to any port 1812 proto udp
ufw allow to any port 1813 proto udp

Confirm that the ports are open by running the command below;

ss -alun4 | grep -E ':1812|:1813'
UNCONN  0       0               127.0.0.1:18120          0.0.0.0:*              
UNCONN  0       0                 0.0.0.0:1812           0.0.0.0:*              
UNCONN  0       0                 0.0.0.0:1813           0.0.0.0:*

Create FreeRADIUS MySQL Database and Database User

Login to MySQL server and create FreeRADIUS database;

mysql -u root -p
create database radiusdb;

Create FreeRADIUS database user and grant all privileges on the database created above;

create user radiusadmin@localhost identified by '[email protected]';
grant all on radiusdb.* to radiusadmin@localhost;

Reload the privilege tables to apply the changes and exit the database.

flush privileges;
quit

Create FreeRADIUS SQL Schema

FreeRADIUS ships with the default database schema located under /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql. Import this schema to FreeRADIUS database created above;

mysql -u root -p radiusdb < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Configuring FreeRADIUS to use SQL

To configure FreeRADIUS to use SQL modules, open the SQL module configuration file;

vim /etc/freeradius/3.0/mods-available/sql

Set the SQL dialect to mysql, and define the FreeRADIUS database connection settings as created above.

...
sql {
        #
        #  The dialect of SQL being used.
        #
        #  Allowed dialects are:
        #
        #       mssql
...
        dialect = "mysql"

        # The driver module used to execute the queries.
        #driver = "rlm_sql_null"
        driver = "rlm_sql_${dialect}"
...
        # Connection info:
        #
        server = "localhost"
        port = 3306
        login = "radiusadmin"
        password = "[email protected]"
...
        # Database table configuration for everything except Oracle
        radius_db = "radiusdb"
...

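With the MySQL driver, the SQL module configuration enforces the use of TLS certificates by default. In this demo, we do not use TLS certificates, so comment out the MySQL TLS section. FreeRADIUS connects to MySQL on localhost here (server = "localhost" above), so the database traffic does not leave the host;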

...
        mysql {
                # If any of the files below are set, TLS encryption is enabled
                #tls {
                #       ca_file = "/etc/ssl/certs/my_ca.crt"
                #       ca_path = "/etc/ssl/certs/"
                #       certificate_file = "/etc/ssl/certs/private/client.crt"
                #       private_key_file = "/etc/ssl/certs/private/client.key"
                #       cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
                #
                #       tls_required = yes
                #       tls_check_cert = no
                #       tls_check_cert_cn = no
                #}

...

Enable the FreeRADIUS server to read clients from the database by uncommenting (removing the hash from) the line #read_clients = yes.

...
        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.
        read_clients = yes
...

Next, enable the SQL module by creating a symbolic link of SQL mods-available to mods-enabled;

ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Change the ownership user and group of the enabled SQL module (symbolic link) to freerad as shown below.

chown -h freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

Restart the FreeRADIUS service;

systemctl restart freeradius

Verify FreeRADIUS use of SQL Database

To verify that FreeRADIUS can now work with MySQL database properly, populate the FreeRADIUS database with some dummy data. Login to FreeRADIUS database as FreeRADIUS database user created above;

mysql -u radiusadmin -p
use radiusdb;

Create a dummy user entry in radcheck table;

insert into radcheck (id,username,attribute,op,value) values("1", "demouser", "Cleartext-Password", ":=", "demopass");

To verify the same;

select * from radcheck where id="1";
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | demouser | Cleartext-Password | := | demopass |
+----+----------+--------------------+----+----------+
1 row in set (0.01 sec)

Exit the database, stop FreeRADIUS and run it again in debug mode to verify that it is working well.

systemctl stop freeradius
freeradius -X

FreeRADIUS provides a simple test tool, radtest, which sends packets to a RADIUS server and shows the reply. The syntax of the radtest command line tool is;

radtest {username} {password} {hostname} 10 {radius_secret}

Read man pages, man radtest, for more info on options used.

So while FreeRADIUS is running in debug mode, open another terminal and run the test command below. Note: testing123 is the shared secret for the localhost client; check clients.conf.

radtest demouser demopass localhost 10 testing123

If you get the Access-Accept response upon authenticating, then the POC is done.

Sent Access-Request Id 129 from 0.0.0.0:40930 to 127.0.0.1:1812 length 78
	User-Name = "demouser"
	User-Password = "demopass"
	NAS-IP-Address = 10.0.2.15
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "demopass"
Received Access-Accept Id 129 from 127.0.0.1:1812 to 127.0.0.1:40930 length 20

Stop FreeRADIUS debugging mode and start the service.

systemctl start freeradius

Install and Configure daloRADIUS on Ubuntu 20.04

daloRADIUS is an advanced web application for managing a FreeRADIUS server. The daloRADIUS homepage is hosted on SourceForge, https://sourceforge.net/projects/daloradius. To download the latest release version, simply grab it from the SourceForge homepage.

Once you have downloaded the daloRADIUS zip file, extract it to your web root directory;

unzip daloradius-1.1-2.zip 'daloradius/*' -d /var/www/html/
ls /var/www/html/
daloradius

daloRADIUS ships with its default MySQL tables. Import these tables to the FreeRADIUS database created above.

mysql -u root -p radiusdb < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radiusdb < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql

Configure ownership of the daloRADIUS web configuration files to Apache web user as shown below;

chown -R www-data:www-data /var/www/html/daloradius/

Configure the permissions of the daloRADIUS main configuration file to 664 as shown below;

chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

Configure daloRADIUS database connection settings;

vim /var/www/html/daloradius/library/daloradius.conf.php

Set the connection settings as per your setup.

...
$configValues['DALORADIUS_VERSION'] = '1.1-2';
$configValues['DALORADIUS_DATE'] = '08 Aug 2019';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radiusadmin'; 
$configValues['CONFIG_DB_PASS'] = '[email protected]';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
...

Save and exit the configuration file and restart FreeRADIUS.

systemctl restart freeradius

Access daloRADIUS from Web

You can now access daloRADIUS from the web so that you can administer FreeRADIUS with ease. Use the address, http://server-IP-Or-Hostname/daloradius.

Login with the default credentials: Username: administrator Password: radius

And there you go. You have successfully installed FreeRADIUS with daloRADIUS on Ubuntu 20.04. Explore the RADIUS…

4 COMMENTS

  1. koromicha, followed your tutorial to set up freeradius with mysql server and everything works perfectly with my router enabled for WPA2-Enterprise. I haven't used daloRADIUS as I don't need it for a simple setup. Thank you very much for your time.

  2. Hi Koromicha

    I hope you are well.

    Thank you for sharing this tutorial

    btw, I had an issue,
    my Radius can give Access – Accept for user that listed on etc/3.0/mods-config/filez/authorize

    but reject the user that listed in radcheck table.

    the error when I tested the connectivity via daloRADIUS is below
    Executed:
    echo User-Name='a',User-Password='a' | radclient -c '1' -n '3' -r '3' -t '3' -x '127.0.0.1:1812' 'auth' 'testing123' 2>&1

    Results:
    (0) -: Expected Access-Accept got Access-Reject
    Sent Access-Request Id 88 from 0.0.0.0:40939 to 127.0.0.1:1812 length 41
    User-Name = "a"
    User-Password = "a"
    Cleartext-Password = "a"
    Received Access-Reject Id 88 from 127.0.0.1:1812 to 127.0.0.1:40939 length 20

    Could you please advise, how to force the radius to read the user from radiusdb ?

    Thank you
