Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Image Removed

https://computingforgeeks.com/how-to-install-freeradius-and-daloradius-on-ubuntu/

Image Added


Better installation:   https://kifarunix.com/install-freeradius-with-daloradius-on-ubuntu-20-04/


to be checked again:   https://computingforgeeks.com/how-to-install-freeradius-and-daloradius-on-ubuntu/


Download DaloRadius:

https://sourceforge.net/projects/daloradius/files/daloradius/


Update and Upgrade
If using LXC container
how to create a containerLXC container on ProxMox
Update and Upgraderoot password:   Juniper!1   ( in console,  root disable for remote access )

sudo apt update
sudo apt -y upgrade

sudo reboot
Install Apache Web Server and PHP

sudo apt -y install apache2

sudo apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
Check installation
php -v


Install MariaDB and Create a database

sudo apt update
sudo apt install mariadb-server


Code Block
titleinstallation MariaDB
collapsetrue
me@server01:~$ sudo mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] n
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] n
 ... skipping.

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] n
 ... skipping.

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
me@server01:~$


sudo mysql_secure_installation


$ sudo mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Str0ngR@diusPass";
FLUSH PRIVILEGES;
QUIT
create a database database name: radius database user: radius database user password: Str0ngR@diusPass
test access

sudo mysql -u <db userame> -p <database>


sudo mysql -u radius -p radius

>>> then enter the password:   Str0ngR@diusPass

sudo mysql -u <db userame> -p <database>

show grants;



Code Block
titletest db
root@server01:~# sudo mysql -u radius -p radius
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 227
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [radius]> 
Install and Configure FreeRADIUS on Ubuntusudo apt
show grants;
+---------------------------------------------------------------------------------------------------------------+
| Grants for radius@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `radius`@`localhost` IDENTIFIED BY PASSWORD '*CDFD06B87A8B800EC4B18B9CC06CAEE3A258611A' |
| GRANT ALL PRIVILEGES ON `radius`.* TO `radius`@`localhost`                                                    |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)


Install and Configure FreeRADIUS on Ubuntu

sudo apt policy freeradius
freeradius:
  Installed: (none)
  Candidate: 3.0.20+dfsg-3build1
  Version table:
     3.0.20+dfsg-3build1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages

sudo apt -y install freeradius freeradius-mysql freeradius-utils

sudo -i
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

mysql password: radius



Code Block
titleshow tables
collapsetrue
root@server01:~# sudo  mysql -u root -p -e "use radius;show tables;"
Enter password:
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+



sudo  more /etc/freeradius/3.0/mods-

enabled

available/sql | grep "#" -v | grep -v "^[[:space:]]*$"


Code Block
titledefault config sql
collapsetrue
root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$"
sql {
        dialect = "sqlite"
        driver = "rlm_sql_null"
        sqlite {
                filename = "/tmp/freeradius.db"
                busy_timeout = 200
                bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
        }
        mysql {
                tls {
                        ca_file = "/etc/ssl/certs/my_ca.crt"
                        ca_path = "/etc/ssl/certs/"
                        certificate_file = "/etc/ssl/certs/private/client.crt"
                        private_key_file = "/etc/ssl/certs/private/client.key"
                        cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
                        tls_required = yes
                        tls_check_cert = no
                        tls_check_cert_cn = no
                }
                warnings = auto
        }
        postgresql {
                send_application_name = yes
        }
        mongo {
                appname = "freeradius"
                tls {
                        certificate_file = /path/to/file
                        certificate_password = "password"
                        ca_file = /path/to/file
                        ca_dir = /path/to/directory
                        crl_file = /path/to/file
                        weak_cert_validation = false
                        allow_invalid_hostname = false
                }
        }
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        groupcheck_table = "radgroupcheck"
        authreply_table = "radreply"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        delete_stale_sessions = yes
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max
= ${thread[pool].max_servers}
 
spare
= ${thread[pool].max_
spare_
servers}
uses = 0

                
retry_delay
spare = 
30
${thread[pool].max_spare_servers}
                
lifetime
uses = 0
                
idle
retry_
timeout
delay = 
60
30
        
}
        lifetime 
client_table
= 
"nas"
0
    
group_attribute
 
= "SQL-Group" $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf Changes

dialect = "mysql"

driver = "rlm_sql_${dialect}"

server = "localhost"
port = 3306
login = "radius"
password = "Str0ngR@diusPass"

Code Block
titleafter changes
collapsetrue
root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$" sql {
           idle_timeout = 60
        }
        client_table = "nas"
        
dialect
group_attribute = "
sqlite
SQL-Group"
        $INCLUDE 
driver =
${modconfdir}/${.:name}/main/${dialect}/queries.conf


Changes

dialect = "mysql"

driver = "rlm_sql_${dialect}

" sqlite { filename = "/tmp/freeradius.db" busy_timeout = 200 bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql" } mysql

"

server = "localhost"
port = 3306
login = "radius"
password = "Str0ngR@diusPass"

read_clients = yes     (un-hash this line )

>> hashed all the tls config


Code Block
titleafter changes
collapsetrue
root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$"
sql {
        dialect = "mysql"
     
tls
 
{
  driver = "rlm_sql_${dialect}"
        sqlite {
  
ca_file = "/etc/ssl/certs/my_ca.crt"
              filename = "/tmp/freeradius.db"
        
ca_path
 
=
 
"/etc/ssl/certs/"
      busy_timeout = 200
                
certificate_file
bootstrap = "
/etc/ssl/certs/private/client.crt
${modconfdir}/${..:name}/main/sqlite/schema.sql"
        }
        mysql {
                warnings = auto
 
private_key_file
 
=
 
"/etc/ssl/certs/private/client.key"
     }
        postgresql {
         
cipher
 
=
 
"DHE-RSA-AES256-SHA:AES128-SHA"
     send_application_name = yes
        }
        
tls_required
mongo 
=
{
yes
                appname = "freeradius"
      
tls_check_cert
 
=
 
no
        tls {
               
tls_check_cert_cn
 
=
 
no
       certificate_file = /path/to/file
       
}
                 
warnings
certificate_password = 
auto
"password"
             
}
         
postgresql
 
{
 ca_file = /path/to/file
             
send_application_name
 
=
 
yes
         
}
ca_dir = /path/to/directory
      
mongo
 
{
                 
appname
crl_file = 
"freeradius"
/path/to/file
               
tls
 
{
        weak_cert_validation = false
              
certificate_file
 
=
 
/path/to/file
        allow_invalid_hostname = false
              
certificate_password
 
=
 
"password"
}
        }
        server = "localhost"
    
ca_file
 
=
 
/path/to/file
  port = 3306
        login = "radius"
        password 
ca_dir
=
/path/to/directory
 "Str0ngR@diusPass"
        radius_db = "radius"
        
crl
acct_
file
table1 = 
/path/to/file
"radacct"
        acct_table2 = "radacct"
        
weak_cert_validation
postauth_table = 
false
"radpostauth"
        authcheck_table = "radcheck"
        groupcheck_table = "radgroupcheck"
 
allow_invalid_hostname
 
=
 
false
     authreply_table = "radreply"
        groupreply_table 
}
= "radgroupreply"
       
}
 usergroup_table = "radusergroup"
     
server
 
=
 
"localhost"
 delete_stale_sessions = yes
     
port
 
=
 
3306
 pool {
      
login =
 
"radius"
         
password
start = 
"Str0ngR@diusPass"
${thread[pool].start_servers}
        
radius_db
 
=
 
"radius"
      min 
acct_table1 = "radacct"
= ${thread[pool].min_spare_servers}
          
acct_table2
 
=
 
"radacct"
    max 
postauth_table = "radpostauth"
= ${thread[pool].max_servers}
          
authcheck_table
 
=
 
"radcheck"
    spare = ${thread[pool].max_spare_servers}
  
groupcheck_table
 
=
 
"radgroupcheck"
         
authreply_table
 
=
 
"radreply"
 uses = 0
     
groupreply_table
 
=
 
"radgroupreply"
         
usergroup
retry_
table
delay = 
"radusergroup"
30
        
delete_stale_sessions
 
=
 
yes
      lifetime = 
pool
0
{
                idle_timeout 
start
= 
${thread[pool].start_servers}
60
        }
       
min = ${thread[pool].min_spare_servers}
 read_clients = yes
        
max = ${thread[pool].max_servers}
client_table = "nas"
        group_attribute = "SQL-Group"
       
spare
 
= ${thread[pool].max_spare_servers} uses = 0
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}



ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
Change the group
sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
restart and check status
sudo systemctl restart freeradius              
retry_delay
 
=
# 
30
may be could use:   freeradius.service
sudo systemctl status freeradius
Test freeradius
Check freeradius database

mysql -u radius -p radius

password:   Str0ngR@diusPass


insert into radcheck (id,username,attribute,op,value) values("1", 
lifetime = 0 idle_timeout = 60 }
"demouser", "Cleartext-Password", ":=", "demopass");

select * from radcheck where id="1";


Code Block
titleradtest
root@container01:~# radtest demouser demopass localhost 10 testing123
Sent Access-Request Id 61 from 0.0.0.0:44968 to 127.0.0.1:1812 length 78
        
read_clients = yes
User-Name = "demouser"
        
client_table
User-Password = "
nas
demopass"
        
group_attribute = "SQL-Group"
NAS-IP-Address = 192.168.0.21
        NAS-Port = 
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf } Change the group
sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
restartsudo systemctl restart freeradius.service
10
        Message-Authenticator = 0x00
        Cleartext-Password = "demopass"
Received Access-Accept Id 61 from 127.0.0.1:1812 to 127.0.0.1:44968 length 20
root@container01:~#




Install and Configure Daloradius on Ubuntu

sudo apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius

cd daloradius

sudo mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 
sudo mysql -u root -p radius < contrib/db/mysql-daloradius.sql
Configure daloRADIUS database connection details:
cd ..
sudo mv daloradius /var/www/html/

cd /var/www/html/daloradius/library/

cp daloradius.conf.php.sample daloradius.conf.php


sudo chown -R www-data:www-data /var/www/html/daloradius/
sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
change the config file
sudo vim /var/www/html/daloradius/library/daloradius.conf.php

$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_USER'] = 'radius'; $configValues['CONFIG_DB_PASS'] = 'Str0ngR@diusPass';

sudo systemctl restart freeradius # may be could use: freeradius.service
sudo systemctl status freeradius

http://192.168.0.
10
21/daloradius/index.php
log into DaloRadius
Username: administrator
Password: radius
test and enable freeradius to start after boot up



systemctl enable --now freeradius