FreeRadius + MySQL Setup and Configuration on Ubuntu 14.04 64-bit
The FreeRADIUS Server functions as a daemon designed for Unix and Unix-like operating systems. It enables the establishment of a RADIUS protocol server, serving purposes of authentication and accounting for various types of network access. Utilizing the server requires a properly configured client that can communicate with it. Examples of such clients include hotspots, VPN protocols like OpenVPN, StrongSwan, SoftEther, and certain router operating systems.
In this tutorial, we’ll guide you through the process of installing a FreeRADIUS server on the Ubuntu 14.04 64-bit distribution with MySQL support. Follow the steps carefully for a successful installation.
Requirements
This tutorial requires the following to set up FreeRADIUS + MySQL:
– an Ubuntu 14 64bit server
– Root Access to the server
– An SSH client (you can download PuTTY or Bitvise, depending on your operating system and preference)
In this guide, we’ll establish a basic FreeRADIUS setup with a MySQL database to store user credentials and additional information. Follow the steps to create this fundamental configuration.
Freeradius Installation Guide
Before proceeding with the installation, let’s ensure that our distribution is up to date by performing an update. This step helps ensure that we can successfully install the necessary applications.
sudo apt-get update
Now, let’s install FreeRADIUS. Execute the following command to install FreeRADIUS on your Ubuntu 14.04 system:
sudo apt-get install freeradius freeradius-mysql
Indeed, the ‘freeradius-mysql’ module is crucial for communication with the MySQL server, which will store the necessary data for FreeRADIUS to authenticate the client machine.
After the installation, we need to edit the default site configuration file to change the AAA mechanism of FreeRADIUS from the file system to the SQL server.
nano /etc/freeradius/sites-enabled/default
In this file, uncomment the lines that say “sql” and comment out every line that says “files”. Leave all other default settings alone. The sections should end up looking like this overview:
authorize {
    # files
    sql
}
authenticate {
}
preacct {
    # files
}
accounting {
    sql
}
session {
    sql
}
post-auth {
    sql
    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        sql
        attr_filter.access_reject
    }
}
Save the file and exit.
Next, we will go to the main radius configuration file. We will enable the mysql module so we can use it later on.
nano /etc/freeradius/radiusd.conf
We will un-comment the line:
$INCLUDE sql.conf
Once you’ve made the necessary changes to the configuration file, save it and exit.
After completing all the configurations, we’ll need to input the MySQL server access credentials into RADIUS. If you have your credentials ready, use them. If not, I’ll provide sample credentials for now.
nano /etc/freeradius/sql.conf
Edit the file and supply your MySQL credentials.
sql {
    database = "mysql"
    server = "localhost"
    login = "sampleuser"
    password = "samplepassword"
    radius_db = "radius"
    # uncomment read_groups
    read_groups = yes
    # uncomment readclients
    readclients = yes
}
Save the changes to the configuration file and exit.
We’ll revisit FreeRADIUS later. For now, let’s proceed with the installation of MySQL.
Setting Up and Configuring MySQL
To install MySQL, execute the following command.
sudo apt-get install mysql-server
Enter and repeat the password for the new MySQL root user when prompted.
Log in to MySQL as root and create the radius database and user.
CREATE DATABASE radius;
CREATE USER 'sampleuser'@'localhost' IDENTIFIED BY 'samplepassword';
-- sampleuser only needs the radius database, not every database on the server
GRANT ALL PRIVILEGES ON radius.* TO 'sampleuser'@'localhost';
FLUSH PRIVILEGES;
Then exit the MySQL prompt to return to the command line.
Next, import the SQL files for FreeRADIUS into the ‘radius’ database. The ‘schema.sql‘ and ‘nas.sql‘ files are located in the ‘/etc/freeradius/sql/mysql’ folder.
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
Radius Database Filling
It’s crucial to enter accurate FreeRADIUS values into the radius database for proper functionality. Failure to do so may result in errors during FreeRADIUS operation. The information we need to input includes:
- FreeRADIUS client IP and secret (ensure the secret is unique per FreeRADIUS client and can be alphanumeric, preferably more than 10 characters).
- Usernames and passwords.
- FreeRADIUS check values for groups and individual users.
- FreeRADIUS reply values for groups and individual users.
To begin, let’s input the FreeRADIUS client information into the ‘nas’ table. Log in as the MySQL root user and execute the command.
INSERT INTO nas VALUES (NULL, '0.0.0.0/0', 'myNAS', 'other', NULL, 'mysecret', NULL, NULL, 'RADIUS Client');
Next, we’ll input user information into the ‘radcheck’ table, still logged in as the MySQL root user.
INSERT INTO radcheck (username, attribute, op, value) VALUES ('thisuser', 'User-Password', ':=', 'thispassword');
Following that, we need to assign the user to a group.
INSERT INTO radusergroup (username, groupname, priority) VALUES ('thisuser', 'thisgroup', '1');
Once the user is assigned to a group, assign the reply properties for that group in the ‘radgroupreply’ table.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('thisgroup', 'Service-Type', ':=', 'Framed-User'), ('thisgroup', 'Framed-Protocol', ':=', 'PPP'), ('thisgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
All is done for now. Exit the MySQL prompt and go to the next step.
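The checklist above asks for a unique secret of more than 10 characters per client, while the sample ‘nas’ row uses ‘mysecret’ and 0.0.0.0/0, which accepts any source address that knows the secret. The following check is an added example, not part of the original tutorial: it audits ‘nas’ rows against those rules, using an in-memory SQLite table as a stand-in for the MySQL ‘radius’ database. The function names and the two 192.0.2.x rows are constructed for illustration.

```python
import ipaddress
import sqlite3

MIN_SECRET_LEN = 11  # the tutorial asks for "more than 10 characters"

def audit_nas(conn):
    """Return (nasname, problem) pairs for rows of the nas table."""
    findings = []
    owners = {}  # secret -> first nasname seen using it
    query = "SELECT nasname, secret FROM nas ORDER BY id"
    for nasname, secret in conn.execute(query):
        try:
            net = ipaddress.ip_network(nasname, strict=False)
            if net.prefixlen == 0:
                findings.append((nasname, "matches every source address"))
        except ValueError:
            pass  # nasname can also be a hostname; no range to check
        if len(secret) < MIN_SECRET_LEN:
            findings.append((nasname, "secret shorter than 11 characters"))
        if secret in owners:
            findings.append((nasname, "secret shared with " + owners[secret]))
        else:
            owners[secret] = nasname
    return findings

def demo_db():
    """Constructed rows; columns follow the order of the tutorial's INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT, "
        "shortname TEXT, type TEXT, ports INTEGER, secret TEXT, "
        "server TEXT, community TEXT, description TEXT)")
    rows = [
        (None, "0.0.0.0/0", "myNAS", "other", None, "mysecret",
         None, None, "RADIUS Client"),            # row from the tutorial
        (None, "192.0.2.10", "vpn1", "other", None, "q7Lr2vX9tBn4Kd8s",
         None, None, "constructed"),
        (None, "192.0.2.11", "vpn2", "other", None, "q7Lr2vX9tBn4Kd8s",
         None, None, "constructed"),              # reuses vpn1's secret
    ]
    conn.executemany("INSERT INTO nas VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    for nasname, problem in audit_nas(demo_db()):
        print(nasname, "->", problem)
```

Against a real server, the same SELECT can be run in the MySQL ‘radius’ database and the rows fed to the checks.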
Checking the Freeradius+Mysql setup
To test the setup, we will run FreeRADIUS in debug mode. Stop the service and start the server in the foreground:
service freeradius stop
freeradius -X
If FreeRADIUS started correctly, you should see the following lines on your screen.
... adding new socket proxy address * port 55302
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Download NTRadPing[1] (Windows only) and enter the following information.
- Your Freeradius server ip
- Your username and password (you entered into radcheck earlier)
- Your secret (you entered into nas table earlier)
- Port is standard 1812 for authentication (do not change it)
If your test is successful you will see the Access-Accept line in NTRadPing.
Simultaneous Use in FreeRADIUS
This mechanism limits the number of simultaneous logins per user for a specific service, based on the limit specified in the database. FreeRADIUS reads the accounting table for sessions of the connecting username that are still open. If the number of open sessions is below the specified limit, authentication is allowed. If the limit has been reached, the connecting user is rejected.
To enable the simultaneous-use limit, uncomment the following query in ‘/etc/freeradius/sql/mysql/dialup.conf’.
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
Then enter the required value in the ‘radgroupcheck’ table.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('thisgroup', 'Simultaneous-Use', ':=', '3');
This means that members of the group “thisgroup” may be logged in three times concurrently; further login attempts are refused.
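Because the query counts every accounting row with acctstoptime IS NULL, a session whose Stop packet never arrived (for example after a NAS reboot) keeps counting against the limit. The following model of that decision is an added example, not part of the original tutorial or of FreeRADIUS: it uses in-memory SQLite with simplified tables and epoch-second timestamps, and the function names and session rows are constructed.

```python
import sqlite3

# Predicate of simul_count_query from dialup.conf; "?" stands in for
# '%{SQL-User-Name}' and radacct for ${acct_table1}.
SIMUL_COUNT = ("SELECT COUNT(*) FROM radacct "
               "WHERE username = ? AND acctstoptime IS NULL")
GROUP_LIMIT = ("SELECT c.value FROM radusergroup g "
               "JOIN radgroupcheck c ON c.groupname = g.groupname "
               "WHERE g.username = ? AND c.attribute = 'Simultaneous-Use' "
               "ORDER BY g.priority LIMIT 1")

def login_allowed(conn, username):
    """Model of the decision described above: open sessions < limit."""
    row = conn.execute(GROUP_LIMIT, (username,)).fetchone()
    if row is None:
        return True  # no Simultaneous-Use check for this user's groups
    open_sessions = conn.execute(SIMUL_COUNT, (username,)).fetchone()[0]
    return open_sessions < int(row[0])

def stale_sessions(conn, now, max_age):
    """Open sessions older than max_age seconds: likely lost Stop packets."""
    rows = conn.execute(
        "SELECT acctsessionid FROM radacct WHERE acctstoptime IS NULL "
        "AND ? - acctstarttime > ? ORDER BY acctstarttime", (now, max_age))
    return [r[0] for r in rows]

def close_session(conn, session_id, when):
    """Mark one session as stopped so it no longer counts."""
    conn.execute("UPDATE radacct SET acctstoptime = ? "
                 "WHERE acctsessionid = ?", (when, session_id))

def demo_db():
    """Constructed data; simplified versions of the FreeRADIUS tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radacct (acctsessionid TEXT, username TEXT,
                              acctstarttime INTEGER, acctstoptime INTEGER);
        INSERT INTO radusergroup VALUES ('thisuser', 'thisgroup', 1);
        INSERT INTO radgroupcheck VALUES ('thisgroup', 'Simultaneous-Use', ':=', '3');
        INSERT INTO radacct VALUES ('s1', 'thisuser', 1000, 4000);   -- closed
        INSERT INTO radacct VALUES ('s2', 'thisuser', 2000, NULL);   -- Stop lost
        INSERT INTO radacct VALUES ('s3', 'thisuser', 90000, NULL);
        INSERT INTO radacct VALUES ('s4', 'thisuser', 91000, NULL);
    """)
    return conn
```

With the constructed rows, ‘thisuser’ is refused until the day-old session ‘s2’ is closed, which is why stale open rows in the accounting table are worth checking when a user is rejected unexpectedly.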
Whoooo! A rather lengthy tutorial, but well worth it. I sincerely hope that reading my instructions has taught you a lot, and I have no doubt that you will read this much more than previously.
