Wireless Authentication using Radius Server
Radius Server: RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol (a system that defines rules and conventions for communication between network devices) for remote user authentication and accounting. RADIUS is normally used to provide AAA services: Authorization, Authentication and Accounting.
FreeRADIUS is the most widely deployed RADIUS server: it supports all common authentication protocols, it is open source, and its dialupadmin web GUI simplifies user administration. The server also comes with modules for integration with LDAP and with database systems such as MySQL, PostgreSQL, Oracle, etc.
Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7
Prerequisites:
Step-01: Install httpd server:
# yum -y install httpd httpd-devel
Start and enable httpd server
# systemctl enable httpd
# systemctl start httpd
Check status of httpd server to make sure it’s running
[root@freeradius ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:33:03 EDT; 7s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 7147 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─7147 /usr/sbin/httpd -DFOREGROUND
           ├─7194 /usr/sbin/httpd -DFOREGROUND
           ├─7195 /usr/sbin/httpd -DFOREGROUND
           ├─7196 /usr/sbin/httpd -DFOREGROUND
           ├─7197 /usr/sbin/httpd -DFOREGROUND
           └─7199 /usr/sbin/httpd -DFOREGROUND

Aug 20 02:33:00 ns1.mahedi.net systemd[1]: Starting The Apache HTTP Server...
Aug 20 02:33:01 ns1.mahedi.net httpd[7147]: gethostby*.getanswer: asked for ..."
Aug 20 02:33:01 ns1.mahedi.net httpd[7147]: AH00558: httpd: Could not reliab...e
Aug 20 02:33:02 ns1.mahedi.net httpd[7147]: gethostby*.getanswer: asked for ..."
Aug 20 02:33:03 ns1.mahedi.net systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.
1 Workshop Manual (Radius Server) [Copyright © BdREN] Web: http://www.bdren.net.bd
Installing and Configuring MariaDB
# yum install -y mariadb-server mariadb
Start and enable MariaDB to run on boot
# systemctl start mariadb
# systemctl enable mariadb
Check if running and if enabled
[root@radius ~]# systemctl status mariadb
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:35:18 EDT; 12s ago
  Process: 7724 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7695 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 7723 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─7723 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─7882 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/my...

Aug 20 02:35:16 ns1.mahedi.net systemd[1]: Starting MariaDB database server...
Aug 20 02:35:16 ns1.mahedi.net mysqld_safe[7723]: 170820 02:35:16 mysqld_safe Logging to '/var/log/ma...g'.
Aug 20 02:35:16 ns1.mahedi.net mysqld_safe[7723]: 170820 02:35:16 mysqld_safe Starting mysqld daemon ...sql
Aug 20 02:35:18 ns1.mahedi.net systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@radius ~]# systemctl is-enabled mariadb.service
enabled
Configure Database for freeradius
# mysql -u root -p
Password:
MariaDB [(none)]>
MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> show databases;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpassword";
Query OK, 0 rows affected (0.05 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> quit
Bye
Installing php
# yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml
Installing FreeRADIUS
# yum -y install freeradius freeradius-utils freeradius-mysql
You have to start and enable freeradius to start at boot up.
# systemctl start radiusd.service
# systemctl enable radiusd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
Now you can check the status:
[root@ns1 ~]# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:42:40 EDT; 22s ago
 Main PID: 8283 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─8283 /usr/sbin/radiusd -d /etc/raddb

Aug 20 02:42:39 ns1.mahedi.net systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Aug 20 02:42:40 ns1.mahedi.net systemd[1]: Started FreeRADIUS high performance RADIUS server..
Configure FreeRADIUS
To configure FreeRADIUS to use MariaDB, follow the steps below.
Import the RADIUS database schema to populate the radius database
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Configure Radius at this point
– First you have to create a soft link for SQL under /etc/raddb/mods-enabled
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
Configure the SQL module /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:
# vim /etc/raddb/mods-available/sql
The sql section should look similar to the following:
sql {
        driver = "rlm_sql_mysql"
        dialect = "mysql"

        # Connection info:
        server = "localhost"
        port = 3306
        login = "radius"
        password = "radpassword"

        # Database table configuration for everything except Oracle
        radius_db = "radius"

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.
        read_clients = yes

        # Table to keep radius client info
        client_table = "nas"
}
Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:
# chgrp -h radiusd /etc/raddb/mods-enabled/sql
You have to restart freeradius
# systemctl restart radiusd.service
Now you can check the status:
# systemctl status radiusd.service
Test the RADIUS server by running it in debug mode with option -X, and check that radiusd is listening on its ports:
# ss -tunlp | grep radiusd
Installing and Configuring Daloradius
Installing Daloradius
You can use Daloradius to manage the RADIUS server. This is optional and should not be done before installing FreeRADIUS. There are two ways to download daloradius: from GitHub or from SourceForge.
Github method:
# cd /var/www/html/
# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius
Sourceforge way:
# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar zxvf daloradius-0.9-9.tar.gz
# mv daloradius-0.9-9 daloradius
Change directory for configuration
# cd daloradius
Configuring daloradius
Now import Daloradius mysql tables
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql
Configure daloRADIUS database connection details:
# cd ..
Then change permissions for http folder and set the right permissions for daloradius configuration file.
# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
You should now modify the daloradius.conf.php file to adjust the MySQL database information. Open daloradius.conf.php and add the database username, password and db name.
# vim /var/www/html/daloradius/library/daloradius.conf.php
The most relevant variables to configure are:
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
To be sure everything works, restart radiusd, httpd and mysql:
# systemctl restart radiusd.service
# systemctl restart mariadb.service
# systemctl restart httpd
This completes the installation and configuration of daloradius and freeradius. To access daloradius, open the login page using your server's IP address: http://192.168.0.24/daloradius/login.php
Default login details are:
Username: administrator
Password: radius
If the login screen does not appear, stop the firewall and retry:
[root@ns1 daloradius]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
Create User:
Configure FreeRADIUS for MySQL user:
# cd /etc/raddb/sites-enabled/
# vim default
Uncomment the sql entry on lines 372, 602, 650, 676 and 779.
# cd /etc/raddb/sites-enabled/
# vim inner-tunnel
Uncomment the sql entry on lines 132, 249, 282 and 306.
Now configure clients at the bottom of the /etc/raddb/clients.conf file:
# vim /etc/raddb/clients.conf
client Ap-1 {
        ipaddr = 192.168.0.150/24
        secret = RadSec123
}
Now restart the radius service
# systemctl restart radiusd.service
Let's check the connectivity with radtest
[root@ns1]# radtest [email protected] Mahedi123 localhost 0 testing123
Sending Access-Request Id 204 from 0.0.0.0:44538 to 127.0.0.1:1812
        User-Name = '[email protected]'
        User-Password = 'Mahedi123'
        NAS-IP-Address = 218.93.250.18
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Accept Id 204 from 127.0.0.1:1812 to 127.0.0.1:44538 length 20
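The shared secrets and client address used in the steps above are worth checking before the server goes into service. The following is an added example, not part of the workshop manual or of FreeRADIUS: a small audit of clients.conf that flags secrets printed on this page and ipaddr entries whose prefix is shorter than /32, which accept requests from a whole subnet rather than one access point. The sample file, the minimum length and all function names are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample: the Ap-1 block from this page plus a localhost entry
# carrying the secret that the radtest command on this page uses.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client Ap-1 {
    ipaddr = 192.168.0.150/24
    secret = RadSec123
}
"""

PUBLISHED_SECRETS = {"testing123", "RadSec123"}  # values printed on this page
MIN_SECRET_LEN = 16  # assumed local policy, not a FreeRADIUS requirement

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return {client: {setting: value}}; handles flat client blocks only."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop whole-line comments
    return {name: dict(SETTING_RE.findall(body))
            for name, body in CLIENT_RE.findall(text)}

def audit_clients(text):
    """Return a sorted list of (client, finding) tuples."""
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "").strip('"')
        if secret in PUBLISHED_SECRETS:
            findings.append((name, "secret is a published example value"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LEN))
        addr = cfg.get("ipaddr", "").strip('"')
        if addr:
            # strict=False masks the host bits, giving the network the prefix covers
            net = ipaddress.ip_network(addr, strict=False)
            if net.num_addresses > 1:
                findings.append((name, "ipaddr covers %s (%d addresses)"
                                 % (net, net.num_addresses)))
    return sorted(findings)

if __name__ == "__main__":
    for client, finding in audit_clients(SAMPLE_CLIENTS_CONF):
        print(client, "-", finding)
```

To run it against a live server, pass the contents of /etc/raddb/clients.conf to audit_clients() instead of the constructed sample.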
Wireless Access Point Configuration
Configure LAN:
Configure SSID:
Configure Wireless Security:
Select Radius server for wireless security:
Check Log:
[root@ns1 raddb]# tail -f /var/log/radius/radius.log
Sun Aug 20 04:39:57 2017 : Auth: (7) Login OK: [[email protected]/
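To enable user authentication logging, change the following settings in /etc/raddb/radiusd.conf. auth logs authentication requests; auth_badpass and auth_goodpass additionally write the submitted password of rejected and accepted requests to the log.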
# vim /etc/raddb/radiusd.conf
auth = yes
auth_badpass = yes
auth_goodpass = yes
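With these settings radius.log becomes both an audit trail and a store of passwords. The following added example (not part of the workshop manual) parses Auth lines, drops any logged password from the parsed record, counts failed logins per user and station, and counts how many lines exposed a password. The sample lines are constructed; their layout after the user name follows the usual FreeRADIUS 3 form and is an assumption, since the line shown on this page is cut off.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the radius.log entry shown above; the
# user names, passwords and station addresses are invented.
SAMPLE_LOG = """\
Sun Aug 20 04:39:57 2017 : Auth: (7) Login OK: [alice@example.org/S3cretPw] (from client Ap-1 port 0 cli 00-11-22-33-44-55)
Sun Aug 20 04:40:02 2017 : Auth: (8) Login incorrect (pap: Cleartext password does not match "known good" password): [bob@example.org/guess1] (from client Ap-1 port 0 cli 66-77-88-99-AA-BB)
Sun Aug 20 04:40:05 2017 : Auth: (9) Login incorrect (pap: Cleartext password does not match "known good" password): [bob@example.org/guess2] (from client Ap-1 port 0 cli 66-77-88-99-AA-BB)
Sun Aug 20 04:40:09 2017 : Auth: (10) Login OK: [carol@example.org/<via Auth-Type = eap>] (from client Ap-1 port 0 cli CC-DD-EE-FF-00-11)
Sun Aug 20 04:40:11 2017 : Info: Ready to process requests
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \(\d+\)\s+(?P<result>Login OK|Login incorrect)"
    r"(?: \(.*?\))?: \[(?P<user>[^/\]]+)(?:/(?P<pw>.*?))?\] "
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<cli>[^\s)]+))?\)"
)

def parse_auth(line):
    """Return a dict for an Auth line with any logged password removed, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pw = rec.pop("pw")
    # "<via Auth-Type = ...>" is a placeholder written by the server, not a
    # password; treating every "<..." value as a placeholder is a heuristic.
    rec["password_logged"] = bool(pw) and not pw.startswith("<")
    return rec

def summarize(log_text):
    """Count failures per (user, station) and lines that exposed a password."""
    failures, exposed = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_auth(line)
        if rec is None:
            continue
        exposed += rec["password_logged"]
        if rec["result"] == "Login incorrect":
            failures[(rec["user"], rec["cli"])] += 1
    return failures, exposed

if __name__ == "__main__":
    failures, exposed = summarize(SAMPLE_LOG)
    print("lines containing a password:", exposed)
    for (user, station), count in failures.most_common():
        print(count, "failed logins for", user, "from station", station)
```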