Versions Compared

Old Version 17

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Better installation:   https://kifarunix.com/install-freeradius-with-daloradius-on-ubuntu-20-04/

...

https://sourceforge.net/projects/daloradius/files/daloradius/


Update and Upgrade
If using LXC container
how to create a containerLXC container on ProxMox
Update and Upgraderoot password:   Juniper!1   ( in console,  root disable for remote access )

sudo apt update
sudo apt -y upgrade

sudo reboot
Install Apache Web Server and PHP

sudo apt -y install apache2

sudo apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
Check installation
php -v


Install MariaDB and Create a database

sudo apt update
sudo apt install mariadb-server


Code Block
titleinstallation MariaDB
collapsetrue
me@server01:~$ sudo mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] n
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] n
 ... skipping.

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] n
 ... skipping.

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
me@server01:~$




sudo mysql_secure_installation


$ sudo mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Str0ngR@diusPass";
FLUSH PRIVILEGES;
QUIT
create a database database name: radius database user: radius database user password: Str0ngR@diusPass
test access

sudo mysql -u <db userame> -p <database>


sudo mysql -u radius -p radius

>>> then enter the password:   Str0ngR@diusPass

show grants;



Code Block
titletest db
root@server01:~# sudo mysql -u radius -p radius
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 227
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [radius]> show grants;
+---------------------------------------------------------------------------------------------------------------+
| Grants for radius@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `radius`@`localhost` IDENTIFIED BY PASSWORD '*CDFD06B87A8B800EC4B18B9CC06CAEE3A258611A' |
| GRANT ALL PRIVILEGES ON `radius`.* TO `radius`@`localhost`                                                    |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)


Install and Configure FreeRADIUS on Ubuntu

sudo apt policy freeradius
freeradius:
  Installed: (none)
  Candidate: 3.0.20+dfsg-3build1
  Version table:
     3.0.20+dfsg-3build1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages

sudo apt -y install freeradius freeradius-mysql freeradius-utils

sudo -i
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

mysql password: radius



Code Block
titleshow tables
collapsetrue
root@server01:~# sudo  mysql -u root -p -e "use radius;show tables;"
Enter password:
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+



sudo  more /etc/freeradius/3.0/mods-

enabled

available/sql | grep "#" -v | grep -v "^[[:space:]]*$"


Code Block
titledefault config sql
collapsetrue
root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$"
sql {
        dialect = "sqlite"
        driver = "rlm_sql_null"
        sqlite {
                filename = "/tmp/freeradius.db"
                busy_timeout = 200
                bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
        }
        mysql {
                tls {
                        ca_file = "/etc/ssl/certs/my_ca.crt"
                        ca_path = "/etc/ssl/certs/"
                        certificate_file = "/etc/ssl/certs/private/client.crt"
                        private_key_file = "/etc/ssl/certs/private/client.key"
                        cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
                        tls_required = yes
                        tls_check_cert = no
                        tls_check_cert_cn = no
                }
                warnings = auto
        }
        postgresql {
                send_application_name = yes
        }
        mongo {
                appname = "freeradius"
                tls {
                        certificate_file = /path/to/file
                        certificate_password = "password"
                        ca_file = /path/to/file
                        ca_dir = /path/to/directory
                        crl_file = /path/to/file
                        weak_cert_validation = false
                        allow_invalid_hostname = false
                }
        }
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        groupcheck_table = "radgroupcheck"
        authreply_table = "radreply"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        delete_stale_sessions = yes
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
        client_table = "nas"
        group_attribute = "SQL-Group"
        $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf


Changes

dialect = "mysql"

driver = "rlm_sql_${dialect}"

server = "localhost"
port = 3306
login = "radius"
password = "Str0ngR@diusPass"

read_clients = yes     (un-hash this line )

>> hashed all the tls config


Code Block
titleafter changes
collapsetrue
root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$"
sql {
        dialect = "
sqlite
mysql"
        driver = "rlm_sql_${dialect}"
        sqlite {
                filename = "/tmp/freeradius.db"
                busy_timeout = 200
                bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
        }
        mysql {
                warnings
tls
=
{
auto
        }
        postgresql {
ca_file
= "/etc/ssl/certs/my_ca.crt"
          send_application_name = yes
        }
        mongo {
ca_path
=
"/etc/ssl/certs/"
       appname = "freeradius"
certificate_file
= "/etc/ssl/certs/private/client.crt"
tls {
private_key
certificate_file =
"
/
etc
path/
ssl/certs/private/client.key"
to/file
cipher
certificate_password = "
DHE-RSA-AES256-SHA:AES128-SHA
password"
tls
ca_
required
file =
yes
/path/to/file
tls
ca_
check_cert
dir =
no
/path/to/directory
tls_check_cert_cn
crl_file =
no
/path/to/file
}
        weak_cert_validation = false
warnings
=
auto
}
       allow_invalid_hostname =
postgresql
false
{
                }
send_application_name
=
yes
     }
}
     server = "localhost"
mongo
{
      port = 3306
appname
login = "
freeradius
radius"
        password = "Str0ngR@diusPass"
tls
{
  radius_db = "radius"
        acct_table1 = "radacct"
certificate
acct_
file
table2 =
/path/to/file
"radacct"
        
postauth_table = "radpostauth"
certificate_password
authcheck_table = "
password
radcheck"
        groupcheck_table = "radgroupcheck"
        authreply_table = "radreply"
ca_file
=
/path/to/file
   groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
ca
delete_stale_
dir
sessions =
/path/to/directory
 yes
        pool {
crl_file
start =
/path/to/file
${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
weak_cert_validation
=
false
         max = ${thread[pool].max_servers}
allow_invalid_hostname
=
false
 spare = ${thread[pool].max_spare_servers}
}
   uses = 0
}
server
=
"localhost"
  retry_delay = 30
port
=
3306
login
lifetime =
"radius"
0
password
=
"Str0ngR@diusPass"
radius_db
idle_timeout =
"radius"
60
acct_table1
}
=
"radacct"
acct
read_
table2
clients =
"radacct"
yes
postauth
client_table = "
radpostauth
nas"
authcheck
group_
table
attribute = "
radcheck
SQL-Group"
groupcheck_table = "radgroupcheck" authreply_table = "radreply" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" delete_stale_sessions = yes pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}





ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
Change the group
sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
restart and check status
sudo systemctl restart freeradius
retry_delay
#
=
may
30
be could use:   freeradius.service
sudo systemctl status freeradius
Test freeradius
Check freeradius database

mysql -u radius -p radius

password:   Str0ngR@diusPass


insert into radcheck (id,username,attribute,op,value) values("1",
lifetime = 0 idle_timeout = 60 }
"demouser", "Cleartext-Password", ":=", "demopass");

select * from radcheck where id="1";


Code Block
titleradtest
root@container01:~# radtest demouser demopass localhost 10 testing123
Sent Access-Request Id 61 from 0.0.0.0:44968 to 127.0.0.1:1812 length 78
read_clients 
User-Name =
yes
"demouser"
client_table
User-Password = "
nas
demopass"
group_attribute = "SQL-Group"
NAS-IP-Address = 192.168.0.21
        NAS-Port = 10
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf } Change the group
sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
restart
sudo systemctl restart freeradius.service
systemctl enable --now freeradius
       Message-Authenticator = 0x00
        Cleartext-Password = "demopass"
Received Access-Accept Id 61 from 127.0.0.1:1812 to 127.0.0.1:44968 length 20
root@container01:~#




Install and Configure Daloradius on Ubuntu

sudo apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius

cd daloradius

sudo mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 
sudo mysql -u root -p radius < contrib/db/mysql-daloradius.sql
Configure daloRADIUS database connection details:
cd ..
sudo mv daloradius /var/www/html/

cd /var/www/html/daloradius/library/

cp daloradius.conf.php.sample daloradius.conf.php


sudo chown -R www-data:www-data /var/www/html/daloradius/
sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
change the config file
sudo vim /var/www/html/daloradius/library/daloradius.conf.php

$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'Str0ngR@diusPass';

sudo systemctl restart freeradius # may be could use: freeradius.service
sudo systemctl status freeradius

http://192.168.0.
10
21/daloradius/index.php
log into DaloRadius
Username: administrator
Password: radius
test and enable freeradius to start after boot up



systemctl enable --now freeradius