[Linux] – FreeRadius on Centos

Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7
Prerequisites:
Install httpd server
# yum -y update

# yum groupinstall "Development Tools" -y

# yum -y install httpd httpd-devel
Start and enable httpd server
# systemctl enable httpd

# systemctl start httpd

Installing and Configuring MariaDB
We’ll install and configure MariaDB 10, using steps below:
Add MariaDB official repo content to CentOS 7 system
# vim /etc/yum.repos.d/MariaDB.repo
Add the following contents to the file
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
Update system and install MariaDB to configure Database server
# yum -y update
# yum install -y mariadb-server mariadb

Start and enable MariaDB to run on boot
# systemctl start mariadb
# systemctl enable mariadb

Check if running and if enabled
[root@radius ~]# systemctl status mariadb

[root@radius ~]# systemctl is-enabled mariadb.service

enabled
Configure the initial MariaDB settings to secure it. Here you’ll set the root password. For security purposes, consider removing anonymous users and disallowing remote root login. See the sample session shown below. Key choices are marked with red.
[root@freeradius ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Allow only local connection to mysql server. This is a security mechanism.
# vim /etc/my.cnf

[mysqld]
bind-address=127.0.0.1
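
One way to confirm the loopback-only setting, as an added example that is not part of the original post: the first function reads the effective bind-address from a my.cnf-style file, the second filters `ss -tln` output for listeners on a port that are not bound to loopback. The function names and the sample config and `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample inputs are constructed.

# Print the last bind-address set in the [mysqld] section of a my.cnf-style file.
mysqld_bind_address() {
    awk '
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        insec && /^[ \t]*bind[-_]address[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            addr = v                               # a later line overrides an earlier one
        }
        END { print addr }
    ' "$1"
}

# Read `ss -tln` output on stdin; print listeners on port $1 not bound to loopback.
nonlocal_listeners() {
    awk -v port="$1" '
        {
            la = ""                                # local address: first field ending in :PORT
            for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { la = $i; break }
            if (la == "") next                     # header or unrelated line
            n = split(la, parts, ":"); p = parts[n]
            host = substr(la, 1, length(la) - length(p) - 1)
            if (p == port && host != "127.0.0.1" && host != "::1" && host != "[::1]") { print la }
        }'
}

# Constructed sample inputs: a config with the setting from this guide,
# and ss output in which MariaDB still listens on every interface.
cnf=$(mktemp)
printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' 'bind-address=127.0.0.1' > "$cnf"
echo "configured: $(mysqld_bind_address "$cnf")"
rm -f "$cnf"
printf '%s\n' 'LISTEN 0 50 *:3306 *:*' 'LISTEN 0 128 :::80 :::*' |
    nonlocal_listeners 3306 | sed 's/^/exposed: /'
```

On the server, run `mysqld_bind_address /etc/my.cnf` and, after restarting MariaDB, `ss -tln | nonlocal_listeners 3306`. The runtime check is the authoritative one, because files under /etc/my.cnf.d can also set the option.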

Configure Database for freeradius
# mysql -u root -p -e "CREATE DATABASE radius"
# mysql -u root -p -e "show databases"
# mysql -u root -p
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye
Installing php 7 on CentOS 7
cd ~
curl 'https://setup.ius.io/' -o setup-ius.sh
sudo bash setup-ius.sh
sudo yum remove php-cli mod_php php-common
sudo yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
sudo apachectl restart

Check php version to confirm
# php -v
PHP 7.0.9 (cli) (built: Jul 21 2016 11:48:03) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
If php 7 fails to work for you, try installing php 5 by running the command below. You’ll have to uninstall php 7 first.
yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml
Installing FreeRADIUS
# yum -y install freeradius freeradius-utils freeradius-mysql

You have to start and enable freeradius to start at boot up.
# systemctl start radiusd.service

# systemctl enable radiusd.service

Also, configure firewalld to allow radius and httpd packets in and out
– Radius server uses udp ports 1812 and 1813. This can be confirmed by viewing the contents of the file /usr/lib/firewalld/services/radius.xml
# cat /usr/lib/firewalld/services/radius.xml
First start and enable firewalld for security
# systemctl enable firewalld
# systemctl start firewalld
# systemctl status firewalld
Confirm firewalld is running
# firewall-cmd --state

  running
Add permanent rules to the default zone to allow the http, https and radius services
# firewall-cmd --get-services | egrep 'http|https|radius'
# firewall-cmd --add-service={http,https,radius} --permanent

  success
Reload firewalld for changes to take effect
# firewall-cmd --reload
Confirm that services were successfully added to default zone
# firewall-cmd --get-default-zone

  public

# firewall-cmd --list-services --zone=public

dhcpv6-client http https radius ssh

We can see the three services present hence we’re good to proceed.
Test radius server by running it in debug mode with option -X
# ss -tunlp | grep radiusd

If it’s already running, debug mode will fail to bind to the ports, so you may have to kill the radius server daemon first
# pkill radius
Then start radius server in debugging mode to see if it runs successfully:
# radiusd -X

Configure FreeRADIUS
To Configure FreeRADIUS to use MariaDB, follow steps below.
Import the Radius database schema to populate the radius database
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Configure Radius at this point
– First you have to create a soft link for SQL under /etc/raddb/mods-enabled
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Configure the SQL module /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:
# vim /etc/raddb/mods-available/sql

sql section should look similar to below.
sql {
        driver = "rlm_sql_mysql"
        dialect = "mysql"

        # Connection info:
        server = "localhost"
        port = 3306
        login = "radius"
        password = "radiuspassword"

        # Database table configuration for everything except Oracle
        radius_db = "radius"

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.
        read_clients = yes

        # Table to keep radius client info
        client_table = "nas"
}

Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:
# chgrp -h radiusd /etc/raddb/mods-enabled/sql
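
A check for the sql module file edited above, as an added example that is not part of the original post or of FreeRADIUS: it reports when the password is still the sample value used in this guide and when the file can be read by every local user. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeRADIUS project.
SAMPLE_PASSWORD='radiuspassword'    # placeholder credential used in this guide

# Print the value of the first uncommented `KEY = value` line in FILE.
sql_setting() {                     # usage: sql_setting KEY FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, n + 1)
            sub(/^[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v)
            print v; exit
        }' "$2"
}

# Print one finding per line; print nothing when the file passes both checks.
audit_sql_module() {                # usage: audit_sql_module FILE
    if [ "$(sql_setting password "$1")" = "$SAMPLE_PASSWORD" ]; then
        echo "password is still the sample value from the guide"
    fi
    # -L follows the mods-enabled symlink so the real file mode is tested
    if [ -n "$(find -L "$1" -prune -perm -004)" ]; then
        echo "file is readable by every local user"
    fi
}

# Constructed sample: the connection settings exactly as shown in this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
sql {
        driver = "rlm_sql_mysql"
        # password = "commented-out"
        login = "radius"
        password = "radiuspassword"
}
EOF
chmod 640 "$sample"
audit_sql_module "$sample"          # reports the sample password only
rm -f "$sample"
```

On the server, run `audit_sql_module /etc/raddb/mods-enabled/sql` as root.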

Installing and Configuring Daloradius
Installing Daloradius
You can use Daloradius to manage the radius server. This is optional and should not be done before installing FreeRADIUS. There are two ways to download daloradius, either from github or sourceforge
Github method:
# wget https://github.com/lirantal/daloradius/archive/master.zip

# unzip master.zip

# mv daloradius-master/ daloradius
Sourceforge way:
# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz

# tar zxvf daloradius-0.9-9.tar.gz

# mv daloradius-0.9-9 daloradius

Change directory for configuration
# cd daloradius
Configuring daloradius
Now import Daloradius mysql tables
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql

# mysql -u root -p radius < contrib/db/mysql-daloradius.sql
Configure daloRADIUS database connection details:
# cd ..

# mv daloradius /var/www/html/

Then change permissions for http folder and set the right permissions for daloradius configuration file.
# chown -R apache:apache /var/www/html/daloradius/

# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

You should now modify the daloradius.conf.php file to adjust the MySQL database information. Open daloradius.conf.php and add the database username, password and db name.
# vim /var/www/html/daloradius/library/daloradius.conf.php
Especially relevant variables to configure are:
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

To be sure everything works, restart radiusd, httpd and mysql:
# systemctl restart radiusd.service

# systemctl restart mariadb.service
# systemctl restart httpd

Up to this point, we’ve covered the complete installation and configuration of daloradius and freeradius. To access daloradius, open the link using your IP address:
http://192.168.1.20/daloradius/login.php
Default login details are as follows (change the password after the first login):
Username: administrator
Password: radius

If you get an error like:
Forbidden
You don’t have permission to access /daloradius/ on this server.
==> Fix:
# restorecon -Rv /var/www/html/daloradius/*
# yum install php-pear-DB
