Saturday, December 5, 2020

FreeRADIUS with MySQL Backend

What is FreeRADIUS?

FreeRADIUS is a service we can set up on Linux that implements the RADIUS protocol, which provides authentication, authorization and accounting. It has been in development for a long time, yet it is powerful and modern enough to provide authentication to systems and applications, especially in networking.

In this article we focus on its authentication ability, using a MySQL database as the source from which authentication credentials are retrieved. However, there are other sources you could integrate as well, such as OpenLDAP, a simple flat file, etc.

Now let's install FreeRADIUS with a MySQL backend.

Getting Started.

Note that throughout the document, I will stick to the Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install -y freeradius freeradius-mysql freeradius-utils php-common php-gd php-curl php-mysql mysql-server mysql-client

Step 02 — Setting a password for MySQL's own root user

# mysql_secure_installation
Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 0
Please set the password for root here.

New password: 

Re-enter new password: 

Estimated strength of the password: 50 
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done! 

Step 03 — Create the ‘radius’ database and import the required schema, which is already available.

# mysql -uroot -p
mysql> uninstall plugin validate_password;
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
mysql> CREATE DATABASE radius;
mysql> exit
# cd /etc/freeradius/3.0/mods-config/sql/main/mysql/

# mysql -uroot -pYourMysqlPass radius < schema.sql
# mysql -uroot -pYourMysqlPass radius < setup.sql

 

Step 04 — Enable ‘sql’ module to be used with

# cd /etc/freeradius/3.0/mods-enabled
# ln -s ../mods-available/sql sql

Step 05 — Instruct FreeRADIUS to use SQL as the backend store, rather than a local file

To achieve this, in all of the sections below, remove the “file” directive and add “sql” instead:

authorize {
...
}
accounting {
...
}
post-auth {
...
}
session {
...
}

 

Step 06 — Set the correct details in the FreeRADIUS SQL module’s config

# vim /etc/freeradius/3.0/mods-available/sql
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "root"
password = "password-which-we-setup-in-step2"
radius_db = "radius"
read_clients = yes

Step 07 — Run FreeRADIUS in the foreground to check the status

# freeradius -X
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59791
Listening on proxy address :: port 36140
Ready to process requests

The output above is a good indication of a working configuration.

Step 08 — For testing purposes, add basic authentication details such as username, password, NAS IP address, etc.

# mysql -uroot -p
mysql> INSERT INTO nas VALUES (NULL , '0.0.0.0/0', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client');
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('testuser', 'Cleartext-Password', ':=', 'testpassword');
mysql> INSERT INTO radusergroup (username, groupname, priority) VALUES ('testuser', 'testgroup', '1');
mysql> INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('testgroup', 'Service-Type', ':=', 'Framed-User'), ('testgroup', 'Framed-Protocol', ':=', 'PPP'), ('testgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');

Let's check the updated details by going through each MySQL table:

mysql> select * from nas;
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
| id | nasname   | shortname | type  | ports | secret   | server | community | description   |
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
|  1 | 0.0.0.0/0 | myNAS     | other |  NULL | mysecret | NULL   | NULL      | RADIUS Client |
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | username | attribute          | op | value        |
+----+----------+--------------------+----+--------------+
|  1 | testuser | Cleartext-Password | := | testpassword |
+----+----------+--------------------+----+--------------+
mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| testuser | testgroup |        1 |
+----------+-----------+----------+
mysql> select * from radgroupreply;
+----+-----------+--------------------+----+---------------------+
| id | groupname | attribute          | op | value               |
+----+-----------+--------------------+----+---------------------+
|  1 | testgroup | Service-Type       | := | Framed-User         |
|  2 | testgroup | Framed-Protocol    | := | PPP                 |
|  3 | testgroup | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+----+-----------+--------------------+----+---------------------+
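
A pre-production check for the settings used in Steps 06 and 08, as an added example (not part of the original article and not a FreeRADIUS tool). It flags the root database login, the catch-all 0.0.0.0/0 client entry and the short shared secret; the sample inputs are constructed from the values above and `MIN_SECRET_LEN` is an assumed local policy value.

```python
import ipaddress
import re

# Constructed sample: the sql module settings shown in Step 06.
SQL_MODULE_CONF = '''
driver = "rlm_sql_mysql"
server = "localhost"
login = "root"
password = "password-which-we-setup-in-step2"
radius_db = "radius"
read_clients = yes
'''
# Constructed sample: (nasname, secret) pairs as inserted in Step 08.
NAS_ROWS = [("0.0.0.0/0", "mysecret")]
MIN_SECRET_LEN = 16  # assumption: local policy value, not a FreeRADIUS setting


def parse_conf(text):
    """Parse flat `key = value` lines, accepting quoted or bare values."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(?:"([^"]*)"|([^\s#]+))', line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def audit(conf_text, nas_rows):
    """Return findings for the sql module config and the nas table rows."""
    findings = []
    conf = parse_conf(conf_text)
    if conf.get("login") == "root":
        findings.append("sql module logs in to MySQL as root")
    if conf.get("read_clients") != "yes":
        return findings  # nas table is not used as the client list
    for nasname, secret in nas_rows:
        try:
            net = ipaddress.ip_network(nasname, strict=False)
        except ValueError:
            net = None  # hostname entry: only the secret is checked
        if net is not None and net.prefixlen == 0:
            findings.append(f"{nasname}: every source address is a valid client")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{nasname}: shared secret under {MIN_SECRET_LEN} chars")
    return findings


if __name__ == "__main__":
    for finding in audit(SQL_MODULE_CONF, NAS_ROWS):
        print("WARN:", finding)
```

Run against the tutorial's test values it reports three findings; a dedicated database account, a specific NAS address and a long random secret clear all of them.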

Step 09 — OK. Finally, let's verify the configured user using the “radclient” command

# echo "User-Name=testuser,User-Password=testpassword" | radclient 127.0.0.1:1812 auth mysecret
Sent Access-Request Id 65 from 0.0.0.0:43879 to 172.17.0.55:1812 length 48
Received Access-Accept Id 65 from 172.17.0.55:1812 to 0.0.0.0:0 length 38

Congratulations! You now have a working RADIUS service.

To run the service in the background:

# systemctl start freeradius
# systemctl enable freeradius

“I hope this has been informative”
