| If using LXC container |
|
|---|
| how to create a container | LXC container on ProxMox |
| Update and Upgrade | root password: Juniper!1 ( in console, root disable for remote access ) |
|---|
| sudo apt update
sudo apt -y upgrade |
| sudo reboot |
| Install Apache Web Server and PHP |
|
|---|
| sudo apt -y install apache2 |
| sudo apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl} |
| Check installation | php -v |
|
|
| Install MariaDB and Create a database |
|
|---|
| sudo apt update
sudo apt install mariadb-server
|
| Code Block |
|---|
| title | installation MariaDB |
|---|
| collapse | true |
|---|
| me@server01:~$ sudo mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] n
... skipping.
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] n
... skipping.
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n
... skipping.
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] n
... skipping.
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
me@server01:~$
|
| sudo mysql_secure_installation
|
| $ sudo mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Str0ngR@diusPass";
FLUSH PRIVILEGES;
QUIT |
| create a database | database name: radius database user: radius database user password: Str0ngR@diusPass |
| test access | sudo mysql -u <db userame> -p <database>
sudo mysql -u radius -p radius >>> then enter the password: Str0ngR@diusPass show grants;
| Code Block |
|---|
| root@server01:~# sudo mysql -u radius -p radius
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 227
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [radius]> show grants;
+---------------------------------------------------------------------------------------------------------------+
| Grants for radius@localhost |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `radius`@`localhost` IDENTIFIED BY PASSWORD '*CDFD06B87A8B800EC4B18B9CC06CAEE3A258611A' |
| GRANT ALL PRIVILEGES ON `radius`.* TO `radius`@`localhost` |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
|
|
| Install and Configure FreeRADIUS on Ubuntu |
|
|---|
| sudo apt policy freeradius
freeradius:
Installed: (none)
Candidate: 3.0.20+dfsg-3build1
Version table:
3.0.20+dfsg-3build1 500
500 http://nova.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages
|
| sudo apt -y install freeradius freeradius-mysql freeradius-utils
|
| sudo -i
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
mysql password: radius
|
|
| Code Block |
|---|
| title | show tables |
|---|
| collapse | true |
|---|
| root@server01:~# sudo mysql -u root -p -e "use radius;show tables;"
Enter password:
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
|
|
| sudo more /etc/freeradius/3.0/mods-available/sql | grep "#" -v | grep -v "^[[:space:]]*$"
| Code Block |
|---|
| title | default config sql |
|---|
| collapse | true |
|---|
| root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$"
sql {
dialect = "sqlite"
driver = "rlm_sql_null"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
warnings = auto
}
postgresql {
send_application_name = yes
}
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
client_table = "nas"
group_attribute = "SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
|
|
| Changes | dialect = "mysql" driver = "rlm_sql_${dialect}" server = "localhost"
port = 3306
login = "radius"
password = "Str0ngR@diusPass" read_clients = yes (un-hash this line ) >> hashed all the tls config
| Code Block |
|---|
| title | after changes |
|---|
| collapse | true |
|---|
| root@server01:/etc/freeradius/3.0/mods-enabled# more /etc/freeradius/3.0/mods-enabled/sql | grep "#" -v | grep -v "^[[:space:]]*$"
sql {
dialect = "mysql"
driver = "rlm_sql_${dialect}"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
warnings = auto
}
postgresql {
send_application_name = yes
}
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
server = "localhost"
port = 3306
login = "radius"
password = "Str0ngR@diusPass"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
read_clients = yes
client_table = "nas"
group_attribute = "SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
|
|
| ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/ |
| Change the group | sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql |
| restart and check status | sudo systemctl restart freeradius # may be could use: freeradius.service
sudo systemctl status freeradius |
| Test freeradius |
|
|---|
| Check freeradius database | mysql -u radius -p radius password: Str0ngR@diusPass |
| insert into radcheck (id,username,attribute,op,value) values("1", "demouser", "Cleartext-Password", ":=", "demopass"); |
| select * from radcheck where id="1"; |
|
| Code Block |
|---|
| root@container01:~# radtest demouser demopass localhost 10 testing123
Sent Access-Request Id 61 from 0.0.0.0:44968 to 127.0.0.1:1812 length 78
User-Name = "demouser"
User-Password = "demopass"
NAS-IP-Address = 192.168.0.21
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "demopass"
Received Access-Accept Id 61 from 127.0.0.1:1812 to 127.0.0.1:44968 length 20
root@container01:~# |
|
|
|
| Install and Configure Daloradius on Ubuntu |
|
|---|
| sudo apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius
|
| cd daloradius
|
| sudo mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
sudo mysql -u root -p radius < contrib/db/mysql-daloradius.sql
|
| Configure daloRADIUS database connection details: | cd ..
sudo mv daloradius /var/www/html/
|
| cd /var/www/html/daloradius/library/
cp daloradius.conf.php.sample daloradius.conf.php |
| sudo chown -R www-data:www-data /var/www/html/daloradius/
sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
|
| change the config file | sudo vim /var/www/html/daloradius/library/daloradius.conf.php
|
| $configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'Str0ngR@diusPass'; |
| sudo systemctl restart freeradius # may be could use: freeradius.service
sudo systemctl status freeradius |
| http://192.168.0.1021/daloradius/index.php |
|---|
| log into DaloRadius | Username: administrator
Password: radius |
| test and enable freeradius to start after boot up |
|
|---|
|
|
| systemctl enable --now freeradius |