Wireless Authentication Using Radius Server
Radius Server:

RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol (a system that defines rules and conventions for communication between network devices) for remote user authentication and accounting. RADIUS is normally used to provide AAA services: Authorization, Authentication and Accounting.

FreeRADIUS is the most widely deployed RADIUS server: it supports all common authentication protocols, it is open source, and its dialupadmin web GUI simplifies user administration. The server also comes with modules for LDAP and for integration with database systems such as MySQL, PostgreSQL, Oracle, etc.

Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

Prerequisites:

Step-01: Install httpd server:
# yum -y install httpd httpd-devel

Start and enable httpd server
# systemctl enable httpd
# systemctl start httpd

Check status of httpd server to make sure it’s running
[root@freeradius ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:33:03 EDT; 7s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 7147 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─7147 /usr/sbin/httpd -DFOREGROUND
           ├─7194 /usr/sbin/httpd -DFOREGROUND
           ├─7195 /usr/sbin/httpd -DFOREGROUND
           ├─7196 /usr/sbin/httpd -DFOREGROUND
           ├─7197 /usr/sbin/httpd -DFOREGROUND
           └─7199 /usr/sbin/httpd -DFOREGROUND
Aug 20 02:33:00 ns1.mahedi.net systemd[1]: Starting The Apache HTTP Server...
Aug 20 02:33:01 ns1.mahedi.net httpd[7147]: gethostby*.getanswer: asked for ..."
Aug 20 02:33:01 ns1.mahedi.net httpd[7147]: AH00558: httpd: Could not reliab...e
Aug 20 02:33:02 ns1.mahedi.net httpd[7147]: gethostby*.getanswer: asked for ..."
Aug 20 02:33:03 ns1.mahedi.net systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

Workshop Manual (Radius Server) [Copyright © BdREN] Web: http://www.bdren.net.bd

Installing and Configuring MariaDB
# yum install -y mariadb-server mariadb

Start and enable MariaDB to run on boot
# systemctl start mariadb
# systemctl enable mariadb

Check if running and if enabled
[root@radius ~]# systemctl status mariadb
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:35:18 EDT; 12s ago
  Process: 7724 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7695 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 7723 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─7723 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─7882 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/my...
Aug 20 02:35:16 ns1.mahedi.net systemd[1]: Starting MariaDB database server...
Aug 20 02:35:16 ns1.mahedi.net mysqld_safe[7723]: 170820 02:35:16 mysqld_safe Logging to '/var/log/ma...g'.
Aug 20 02:35:16 ns1.mahedi.net mysqld_safe[7723]: 170820 02:35:16 mysqld_safe Starting mysqld daemon ...sql
Aug 20 02:35:18 ns1.mahedi.net systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@radius ~]# systemctl is-enabled mariadb.service
enabled

Configure Database for freeradius
# mysql -u root -p
Password:
MariaDB [(none)]>
MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> show databases;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpassword";
Query OK, 0 rows affected (0.05 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> quit
Bye

Installing php
# yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml

Installing FreeRADIUS
# yum -y install freeradius freeradius-utils freeradius-mysql

You have to start freeradius and enable it to start at boot.
# systemctl start radiusd.service
# systemctl enable radiusd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

Now you can check the status:
[root@ns1 ~]# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-08-20 02:42:40 EDT; 22s ago
 Main PID: 8283 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─8283 /usr/sbin/radiusd -d /etc/raddb
Aug 20 02:42:39 ns1.mahedi.net systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Aug 20 02:42:40 ns1.mahedi.net systemd[1]: Started FreeRADIUS high performance RADIUS server..

Configure FreeRADIUS

To configure FreeRADIUS to use MariaDB, follow the steps below.
Import the Radius database schema to populate the radius database
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Configure Radius at this point. First you have to create a soft link for SQL under /etc/raddb/mods-enabled
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Configure the SQL module /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:
# vim /etc/raddb/mods-available/sql

The sql section should look similar to below.
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radpassword"
    # Database table configuration for everything except Oracle
    radius_db = "radius"
    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes
    # Table to keep radius client info
    client_table = "nas"
}

Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:
# chgrp -h radiusd /etc/raddb/mods-enabled/sql

You have to restart freeradius
# systemctl restart radiusd.service

Now you can check the status:
# systemctl status radiusd.service

Test the radius server by running it in debug mode with option -X. The following lists the sockets radiusd is listening on:
# ss -tunlp | grep radiusd

Installing and Configuring Daloradius

Installing Daloradius

You can use Daloradius to manage the radius server. This is optional and should not be done before installing FreeRADIUS.
There are two ways to download daloradius, either from github or sourceforge.

Github method:
# cd /var/www/html/
# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius

Sourceforge way:
# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar zxvf daloradius-0.9-9.tar.gz
# mv daloradius-0.9-9 daloradius

Change directory for configuration
# cd daloradius

Configuring daloradius

Now import the Daloradius mysql tables
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Configure daloRADIUS database connection details:
# cd ..

Then change the ownership of the http folder and set the right permissions for the daloradius configuration file.
# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

You should now modify the daloradius.conf.php file to adjust the MySQL database information. Open daloradius.conf.php and add the database username, password and db name.
# vim /var/www/html/daloradius/library/daloradius.conf.php

Especially relevant variables to configure are:
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

To be sure everything works, restart radiusd, httpd and mysql:
# systemctl restart radiusd.service
# systemctl restart mariadb.service
# systemctl restart httpd

Up to this point, we’ve covered the complete installation and configuration of daloradius and freeradius. To access daloradius, open the link using your IP address:
http://192.168.0.24/daloradius/login.php

Default login details are:
Username: administrator
Password: radius

If the login screen does not appear, stop the firewall and retry:
[root@ns1 daloradius]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service

Create User:

Configure FreeRadius for MySql user:
# cd /etc/raddb/sites-enabled/
# vim default
Uncomment sql line# 372, 602, 650, 676, 779

# cd /etc/raddb/sites-enabled/
# vim inner-tunnel
Uncomment sql line# 132, 249, 282, 306

Now configure clients at the bottom of the /etc/raddb/clients.conf file:
# vim /etc/raddb/clients.conf
client Ap-1 {
    ipaddr = 192.168.0.150/24
    secret = RadSec123
}

Now restart the radius service
# systemctl restart radiusd.service

Let's check the connectivity with radtest
[root@ns1]# radtest [email protected] Mahedi123 localhost 0 testing123
Sending Access-Request Id 204 from 0.0.0.0:44538 to 127.0.0.1:1812
    User-Name = '[email protected]'
    User-Password = 'Mahedi123'
    NAS-IP-Address = 218.93.250.18
    NAS-Port = 0
    Message-Authenticator = 0x00
Received Access-Accept Id 204 from 127.0.0.1:1812 to 127.0.0.1:44538
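A review check for the client definitions in /etc/raddb/clients.conf, as an added example that is not part of the original manual: it flags the stock `testing123` secret, short secrets, and `ipaddr` values that admit more than one source address. The 16-character minimum is an assumed local policy, the parser is a simplification that reads only the keys before any nested sub-block, and the sample text is constructed from the entries shown on this page plus the stock localhost client.

```python
import ipaddress
import re

KNOWN_DEFAULTS = {"testing123"}   # secret used for localhost in the radtest run above
MIN_SECRET_LEN = 16               # assumption: local policy threshold, not a FreeRADIUS rule

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return {client name: {key: value}} from clients.conf-style text."""
    text = re.sub(r"#.*", "", text)            # drop comments to end of line
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        clients[name] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return clients

def audit(text):
    """Return a list of (client, finding) tuples for review."""
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "")
        if secret in KNOWN_DEFAULTS:
            findings.append((name, "default-secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short-secret"))
        addr = cfg.get("ipaddr")
        if addr:
            # strict=False accepts a host address with a prefix, e.g. .150/24
            net = ipaddress.ip_network(addr, strict=False)
            if net.num_addresses > 1:
                findings.append((name, f"wide-range:{net}"))
    return findings

# Constructed sample input.
SAMPLE = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123   # stock value
}
client Ap-1 {
    ipaddr = 192.168.0.150/24
    secret = RadSec123
}
"""

if __name__ == "__main__":
    for client, finding in audit(SAMPLE):
        print(f"{client}: {finding}")
```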