Wireless Authentication using Radius Server

Radius Server: RADIUS, which stands for "Remote Authentication Dial In User Service", is a network protocol (a set of rules and conventions for communication between network devices) for remote user authentication and accounting. RADIUS is normally used to provide AAA services: Authentication, Authorization and Accounting.

FreeRADIUS is the most widely deployed RADIUS server: it supports all common authentication protocols, it is open source, and user administration is simplified by its dialupadmin web GUI. The server also comes with modules for integration with LDAP and with database systems such as MySQL, PostgreSQL and Oracle.

Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

Prerequisites:

Step-01: Install httpd server:

# yum -y install httpd httpd-devel

Start and enable httpd server

# systemctl enable httpd
# systemctl start httpd

Check the status of the httpd server to make sure it's running:

[root@freeradius ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:33:03 EDT; 7s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 7147 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─7147 /usr/sbin/httpd -DFOREGROUND
           ├─7194 /usr/sbin/httpd -DFOREGROUND
           ├─7195 /usr/sbin/httpd -DFOREGROUND
           ├─7196 /usr/sbin/httpd -DFOREGROUND
           ├─7197 /usr/sbin/httpd -DFOREGROUND
           └─7199 /usr/sbin/httpd -DFOREGROUND

Aug 20 02:33:00 ns1.mahedi.net systemd[1]: Starting The Apache HTTP Server...
Aug 20 02:33:01 ns1.mahedi.net httpd[7147]: gethostby*.getanswer: asked for ..."
Aug 20 02:33:01 ns1.mahedi.net httpd[7147]: AH00558: httpd: Could not reliab...e
Aug 20 02:33:02 ns1.mahedi.net httpd[7147]: gethostby*.getanswer: asked for ..."
Aug 20 02:33:03 ns1.mahedi.net systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

1 Workshop Manual (Radius Server) [Copyright © BdREN] Web: http://www.bdren.net.bd

Installing and Configuring MariaDB

# yum install -y mariadb-server mariadb

Start and enable MariaDB to run on boot

# systemctl start mariadb
# systemctl enable mariadb

Check that it is running and enabled:

[root@ ~]# systemctl status mariadb
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:35:18 EDT; 12s ago
  Process: 7724 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7695 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 7723 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─7723 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─7882 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/ - -plugin-dir=/usr/lib64/my...

Aug 20 02:35:16 ns1.mahedi.net systemd[1]: Starting MariaDB database server...
Aug 20 02:35:16 ns1.mahedi.net mysqld_safe[7723]: 170820 02:35:16 mysqld_safe Logging to '/var/log/ma...g'.
Aug 20 02:35:16 ns1.mahedi.net mysqld_safe[7723]: 170820 02:35:16 mysqld_safe Starting mysqld daemon ...sql
Aug 20 02:35:18 ns1.mahedi.net systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.

[root@radius ~]# systemctl is-enabled mariadb.service
enabled

Configure Database for freeradius

# mysql -u root -p
Password:
MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> show databases;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpassword";
Query OK, 0 rows affected (0.05 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> quit
Bye


Installing PHP

# yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml

Installing FreeRADIUS

# yum -y install freeradius freeradius-utils freeradius-mysql

Start freeradius and enable it to start at boot:

# systemctl start radiusd.service
# systemctl enable radiusd.service

Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

Now you can check the status:

[root@ns1 ~]# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:42:40 EDT; 22s ago
 Main PID: 8283 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─8283 /usr/sbin/radiusd -d /etc/raddb

Aug 20 02:42:39 ns1.mahedi.net systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Aug 20 02:42:40 ns1.mahedi.net systemd[1]: Started FreeRADIUS high performance RADIUS server..

Configure FreeRADIUS

To configure FreeRADIUS to use MariaDB, follow the steps below.

Import the RADIUS database schema to populate the radius database:

# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Now configure RADIUS itself.

– First, create a soft link for the SQL module under /etc/raddb/mods-enabled:

# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Edit the SQL module configuration /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:

# vim /etc/raddb/mods-available/sql


The sql section should look similar to the following (read_clients and client_table belong inside the same sql { } block):

sql {
        driver = "rlm_sql_mysql"
        dialect = "mysql"

        # Connection info:
        server = "localhost"
        port = 3306
        login = "radius"
        password = "radpassword"

        # Database table configuration for everything except Oracle
        radius_db = "radius"

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.
        read_clients = yes

        # Table to keep radius client info
        client_table = "nas"
}

Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:

# chgrp -h radiusd /etc/raddb/mods-enabled/sql

Restart freeradius:

# systemctl restart radiusd.service

Now you can check the status:

# systemctl status radiusd.service

Test the radius server by running it in debug mode with option -X (radiusd -X), and confirm that it is listening on its ports:

# ss -tunlp | grep radiusd

Installing and Configuring Daloradius

Installing Daloradius

You can use Daloradius to manage the radius server. This is optional and should only be done after FreeRADIUS has been installed. There are two ways to download daloradius: from GitHub or from SourceForge.


Github method:

# cd /var/www/html/
# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius

SourceForge method:

# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar zxvf daloradius-0.9-9.tar.gz
# mv daloradius-0.9-9 daloradius

Change into the directory for configuration:

# cd daloradius

Configuring daloradius

Now import the Daloradius MySQL tables:

# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Configure daloRADIUS database connection details:

# cd ..

Then change the ownership of the web folder and set the right permissions on the daloradius configuration file:

# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

You should now modify the daloradius.conf.php file to adjust the MySQL database information. Open daloradius.conf.php and add the database username, password and database name.

# vim /var/www/html/daloradius/library/daloradius.conf.php

The especially relevant variables to configure are:

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

To be sure everything works, restart radiusd, httpd and mysql:


# systemctl restart radiusd.service
# systemctl restart mariadb.service
# systemctl restart httpd

Up to this point we have covered the complete installation and configuration of daloradius and freeradius. To access daloradius, open the link using your server's IP address: http://192.168.0.24/daloradius/login.php

The default login details are:
Username: administrator
Password: radius

If the login screen does not appear, stop the firewall and retry:

[root@ns1 daloradius]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service


Create User:


Configure FreeRADIUS for MySQL users:

# cd /etc/raddb/sites-enabled/
# vim default

Uncomment the sql lines (line numbers 372, 602, 650, 676, 779).

# cd /etc/raddb/sites-enabled/
# vim inner-tunnel

Uncomment the sql lines (line numbers 132, 249, 282, 306).

Now configure the clients at the bottom of the /etc/raddb/clients.conf file:

# vim /etc/raddb/clients.conf

client Ap-1 {
        ipaddr = 192.168.0.150/24
        secret = RadSec123
}
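A check worth running over clients.conf before restarting: the ipaddr of a client block may carry a netmask, and a /24 as in the Ap-1 block above makes every host on that subnet a valid client with that secret, and a short or default shared secret (FreeRADIUS ships testing123 for localhost) weakens every exchange with that client. The script below is an added example, not part of the BdREN manual or of FreeRADIUS; the sample configuration text is constructed, and the 16-character minimum is an assumed local policy, not a FreeRADIUS requirement.

```python
import ipaddress
import re

# One "client NAME { ... }" block; the body is parsed as key = value lines.
BLOCK = re.compile(r"client\s+(?P<name>\S+)\s*\{(?P<body>.*?)\}", re.S)
KV = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

# Constructed sample: the manual's Ap-1 block, the stock localhost entry, and a tightened block.
SAMPLE_CLIENTS_CONF = """\
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
}
# Block from the manual: the /24 admits the whole subnet as "Ap-1"
client Ap-1 {
        ipaddr = 192.168.0.150/24
        secret = RadSec123
}
# Tightened form: one host, a longer secret
client Ap-2 {
        ipaddr = 192.168.0.151
        secret = "long-random-secret-for-ap2-only"
        shortname = ap2   # trailing comment
}
"""


def parse_clients(text: str) -> list:
    """Return [(name, {key: value}), ...] for every client block; comments are dropped."""
    clients = []
    for m in BLOCK.finditer(text):
        body = re.sub(r"#.*", "", m.group("body"))
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        clients.append((m.group("name"), fields))
    return clients


def audit_clients(text: str, min_secret_len: int = 16, default_secrets=("testing123",)) -> list:
    """Return (client name, finding) pairs for broad address masks and weak secrets."""
    findings = []
    for name, f in parse_clients(text):
        addr = f.get("ipaddr") or f.get("ipv4addr") or f.get("ipv6addr")
        if addr is None:
            findings.append((name, "no ipaddr / ipv4addr / ipv6addr set"))
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)   # host bits allowed, as in clients.conf
        except ValueError:
            findings.append((name, f"unparseable address {addr}"))
            continue
        if net.num_addresses > 1:
            findings.append((name, f"ipaddr {addr} admits {net.num_addresses} hosts as this client"))
        secret = f.get("secret", "")
        if secret in default_secrets:
            findings.append((name, "secret is a well-known default"))
        elif len(secret) < min_secret_len:
            findings.append((name, f"secret is {len(secret)} chars, policy minimum is {min_secret_len}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_clients(SAMPLE_CLIENTS_CONF):
        print(f"{name}: {finding}")
```

Run it against the real file with `audit_clients(open("/etc/raddb/clients.conf").read())`; the Ap-1 block from the manual produces two findings (256 admitted hosts, 9-character secret), the localhost block one (default secret), and the tightened Ap-2 block none.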

Now restart the radius service

# systemctl restart radiusd.service

Let's check the connectivity with radtest:

[root@ns1]# radtest [email protected] Mahedi123 localhost 0 testing123
Sending Access-Request Id 204 from 0.0.0.0:44538 to 127.0.0.1:1812
        User-Name = '[email protected]'
        User-Password = 'Mahedi123'
        NAS-IP-Address = 218.93.250.18
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Accept Id 204 from 127.0.0.1:1812 to 127.0.0.1:44538 length 20
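What radtest does on the wire, as an added example that is not part of the manual or of FreeRADIUS: it builds a PAP Access-Request in which the User-Password is hidden with an MD5 keystream keyed by the shared secret (RFC 2865 section 5.2), and the Message-Authenticator that radtest prints as 0x00 is an HMAC-MD5 over the packet with that field zeroed (RFC 2869). The server can only recover the password and only answers with a valid Response Authenticator if it holds the same secret, which is why the last argument (testing123) must match the client entry in clients.conf. The toy server below stands in for radcheck plus rlm_pap; the user names and passwords are constructed, and the server answers a bad Message-Authenticator with a Reject so the round trip is visible (a real server silently drops such packets).

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes (RFC 2865) and the attribute types radtest sends (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with an MD5 keystream chained from
    the shared secret and the Request Authenticator (obfuscation, not strong encryption)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; the NUL padding is stripped again."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One TLV: Type, Length (header included), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(packet: bytes) -> list:
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, nas_port=0) -> bytes:
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zero placeholder, as radtest prints it
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 2869: HMAC-MD5 over the whole packet with the attribute zeroed, then filled in
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    pos = 20
    for kind, value in parse_attrs(packet):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def server_answer(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: PAP check against a Cleartext-Password, like radcheck + rlm_pap."""
    ident, request_auth, decision = request[1], request[4:20], ACCESS_REJECT
    if request[0] == ACCESS_REQUEST and check_message_authenticator(request, secret):
        got = dict(parse_attrs(request))
        name = got.get(USER_NAME, b"").decode(errors="replace")
        given = reveal_password(got.get(USER_PASSWORD, b""), secret, request_auth)
        if name in users and hmac.compare_digest(given, users[name].encode()):
            decision = ACCESS_ACCEPT
    auth = response_authenticator(decision, ident, request_auth, b"", secret)
    return struct.pack("!BBH", decision, ident, 20) + auth


def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """The reply must echo our Identifier and carry a Response Authenticator computed with
    the shared secret over our Request Authenticator; anything else is not trusted."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(username, password, client_secret, server_secret, users) -> tuple:
    """One round trip; returns (accepted, reply_verified_by_client)."""
    req = build_access_request(204, username, password, client_secret, "192.168.0.150")
    resp = server_answer(req, server_secret, users)
    return resp[0] == ACCESS_ACCEPT, client_verify(req, resp, client_secret)


if __name__ == "__main__":
    USERS = {"user@example.net": "CorrectHorse"}  # constructed stand-in for the radcheck table
    print(exchange("user@example.net", "CorrectHorse", b"testing123", b"testing123", USERS))
```

Three outcomes are worth trying: matching secrets and password give (True, True); a wrong password gives (False, True), a reject the client can still authenticate; mismatched secrets give (False, False), since the server cannot recover the password and the client cannot verify the reply, which is exactly the symptom of a wrong secret in clients.conf.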


Wireless Access Point Configuration

Configure LAN:

Configure SSID:


Configure :

Select Radius server for wireless security:


Check Log:

[root@ns1 raddb]# tail -f /var/log/radius/radius.log
Sun Aug 20 04:39:57 2017 : Auth: (7) Login OK: [[email protected]/] (from client Ap-1 port 0 via TLS tunnel)
Sun Aug 20 04:39:57 2017 : Auth: (7) Login OK: [[email protected]/] (from client Ap-1 port 0 cli 00-EC-0A-CC-29-02)

To enable user authentication logging, change the following settings in /etc/raddb/radiusd.conf:

# vim /etc/raddb/radiusd.conf

auth = yes
auth_badpass = yes
auth_goodpass = yes
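With auth_badpass and auth_goodpass set to yes, FreeRADIUS writes the submitted password after the "/" inside the brackets of each Auth line (the lines above show an empty field because that password was sent inside the TLS tunnel), so radius.log then holds cleartext credentials and must be read-protected and redacted before it is forwarded anywhere. The parser below, an added example that is not part of the manual or of FreeRADIUS, handles both log formats shown above, blanks the password field, and counts failed logins per user and per client/MAC so repeated failures stand out. The sample lines are constructed after the manual's output; the failure reason text follows FreeRADIUS 3's rlm_pap wording and the threshold of 3 failures is an arbitrary assumption.

```python
import re
from collections import Counter

# Shape of FreeRADIUS 3 "Auth:" lines in radius.log. The field after "/" inside the
# brackets is where auth_badpass / auth_goodpass write the submitted password.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: \((?P<req>\d+)\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?P<rest>[^)]*)\)$"
)
MAC_RE = re.compile(r"\bcli (\S+)")

# Constructed sample: two lines modelled on the manual's output, made-up failures, and noise
SAMPLE_LOG = """\
Sun Aug 20 04:39:57 2017 : Auth: (7) Login OK: [user@example.net/] (from client Ap-1 port 0 via TLS tunnel)
Sun Aug 20 04:39:57 2017 : Auth: (7) Login OK: [user@example.net/] (from client Ap-1 port 0 cli 00-EC-0A-CC-29-02)
Sun Aug 20 04:41:02 2017 : Auth: (9) Login incorrect (pap: Cleartext password does not match "known good" password): [guest/wrongpw1] (from client Ap-1 port 0 cli 00-11-22-33-44-55)
Sun Aug 20 04:41:05 2017 : Auth: (10) Login incorrect (pap: Cleartext password does not match "known good" password): [guest/wrongpw2] (from client Ap-1 port 0 cli 00-11-22-33-44-55)
Sun Aug 20 04:41:09 2017 : Auth: (11) Login incorrect (pap: Cleartext password does not match "known good" password): [guest/wrongpw3] (from client Ap-1 port 0 cli 00-11-22-33-44-55)
Sun Aug 20 04:42:00 2017 : Auth: (12) Login OK: [alice/Secret1] (from client Ap-1 port 0 cli 00-AA-BB-CC-DD-EE)
Aug 20 04:42:01 ns1 radiusd[8283]: unrelated line the parser must skip
""".splitlines()


def parse_line(line: str):
    """Return a dict for an Auth line (password dropped, only its presence kept), else None."""
    m = AUTH_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    mac = MAC_RE.search(rec.pop("rest"))
    rec["mac"] = mac.group(1) if mac else None
    rec["password_logged"] = rec.pop("password") != ""   # never keep the cleartext itself
    return rec


def redact(line: str) -> str:
    """Blank the password field so the line can be shipped to a SIEM or shared."""
    m = AUTH_LINE.match(line)
    if not m or not m.group("password"):
        return line
    return line[:m.start("password")] + "***" + line[m.end("password"):]


def summarize(lines, threshold: int = 3) -> dict:
    """Failed logins per user and per (client, MAC); users at or above threshold are flagged."""
    records = [r for r in map(parse_line, lines) if r]
    by_user, by_source = Counter(), Counter()
    for r in records:
        if not r["ok"]:
            by_user[r["user"]] += 1
            by_source[(r["client"], r["mac"])] += 1
    return {"parsed": len(records),
            "failed_by_user": dict(by_user),
            "failed_by_source": dict(by_source),
            "flagged_users": sorted(u for u, n in by_user.items() if n >= threshold)}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line))
    print(summarize(SAMPLE_LOG))
```

Feed it the live file with `summarize(open("/var/log/radius/radius.log"))`; the per-(client, MAC) counter is the useful one on a wireless network, because the MAC from the "cli" field identifies the station behind the access point even when the user name changes between attempts.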
