FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. In this post I will try to describe basic installation and config options (at least some of them). The biggest problem for me was the lack of documentation and it was very hard to learn something about it when the latest book about Radius was published 8 years ago.
Where possible, I recommend using the packaging system that is used for your distro. The version that is supplied might be out of date, but it is likely to work “out of the box”.
RPM packages
FreeRADIUS is distributed on Fedora/RHEL/CentOS systems as a set of RPM packages. There is a main package called “freeradius” and several subpackages whose name is “freeradius-XXX” where XXX is optional functionality. For example the support needed for MySQL database backend will be found in the package “freeradius-mysql”.
On CentOS and Red Hat, “yum install freeradius” will install FreeRadius 1.1.3 which is a several years old version. Better option is to install FreeRadius 2.x with yum install freeradius2. Please see the notes above about optional packages. Also, keep in mind that all config files will be installed in /etc/raddb. More info can be found HERE.
More info about RPM versions can be found Here (Thanks J. Dennis).
[root@ms ~]# yum search freeradius
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: mirror.centos.com.ba
* base: mirror.centos.com.ba
* extras: mirror.centos.com.ba
* rpmforge: ftp-stud.fht-esslingen.de
* updates: mirror.centos.com.ba
Excluding Packages in global exclude list
Finished
====================== Matched: freeradius ===================================
freeradius.x86_64 : High-performance and highly configurable free RADIUS server.
freeradius-mysql.x86_64 : MySQL bindings for freeradius
freeradius-postgresql.x86_64 : postgresql bindings for freeradius
freeradius-unixODBC.x86_64 : unixODBC bindings for freeradius
freeradius2.x86_64 : High-performance and highly configurable free RADIUS server
freeradius2-krb5.x86_64 : Kerberos 5 support for freeradius
freeradius2-ldap.x86_64 : LDAP support for freeradius
freeradius2-mysql.x86_64 : MySQL support for freeradius
freeradius2-perl.x86_64 : Perl support for freeradius
freeradius2-postgresql.x86_64 : Postgresql support for freeradius
freeradius2-python.x86_64 : Python support for freeradius
freeradius2-unixODBC.x86_64 : Unix ODBC support for freeradius
freeradius2-utils.x86_64 : FreeRADIUS utilities
More info about basic settings will be shown later.
Install from source
Download the latest FreeRadius from this link. (Current version is 2.1.10)
# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.gz
# tar xvzf freeradius-server-2.1.10.tar.gz
# cd freeradius-server-2.1.10
# ./configure
It is very likely that config process will fail for some reasons. To fix this, search WARNINGS lines and install the missing rpms (yum install libtood-ltdl libtool-ltdl-devel is required).
# make
# make install
This is a default installation and all config files will be located in /usr/local/etc/raddb and you should find the next files inside
[root@ms raddb]# ls -la
total 220
drwxr-xr-x 7 root root 4096 Jan 27 15:54 .
drwxr-xr-x 4 root root 4096 Jan 27 15:53 ..
-rw-r----- 1 root root 671 Jan 27 15:54 acct_users
-rw-r----- 1 root root 4174 Jan 27 15:54 attrs
-rw-r----- 1 root root 513 Jan 27 15:54 attrs.access_challenge
-rw-r----- 1 root root 458 Jan 27 15:54 attrs.access_reject
-rw-r----- 1 root root 437 Jan 27 15:54 attrs.accounting_response
-rw-r----- 1 root root 2022 Jan 27 15:54 attrs.pre-proxy
drwxr-x--- 2 root root 4096 Jan 27 15:54 certs
-rw-r----- 1 root root 6703 Jan 27 15:54 clients.conf
-rw-r----- 1 root root 883 Jan 27 15:54 dictionary
-rw-r----- 1 root root 18063 Jan 27 15:54 eap.conf
-rwxr-xr-x 1 root root 4744 Jan 27 15:54 example.pl
-rw-r----- 1 root root 12722 Jan 27 15:54 experimental.conf
-rw-r----- 1 root root 2352 Jan 27 15:54 hints
-rw-r----- 1 root root 1604 Jan 27 15:54 huntgroups
-rw-r----- 1 root root 3218 Jan 27 15:54 ldap.attrmap
drwxr-x--- 2 root root 4096 Jan 27 15:54 modules
-rw-r----- 1 root root 2840 Jan 27 15:54 policy.conf
-rw-r----- 1 root root 4873 Jan 27 15:54 policy.txt
-rw-r----- 1 root root 984 Jan 27 15:54 preproxy_users
-rw-r----- 1 root root 26529 Jan 27 15:54 proxy.conf
-rw-r----- 1 root root 27238 Jan 27 15:54 radiusd.conf
drwxr-x--- 2 root root 4096 Jan 27 15:54 sites-available
drwxr-x--- 2 root root 4096 Jan 27 15:54 sites-enabled
drwxr-x--- 7 root root 4096 Jan 27 15:54 sql
-rw-r----- 1 root root 3042 Jan 27 15:54 sql.conf
-rw-r----- 1 root root 2475 Jan 27 15:54 sqlippool.conf
-rw-r----- 1 root root 3597 Jan 27 15:54 templates.conf
-rw-r----- 1 root root 6524 Jan 27 15:54 users
The default configuration is designed to work everywhere, and to provide nearly every authentication method. Do not edit the default configuration files until you understand what they do. This means reading the documentation contained in the comments of the configuration files.
When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:
# radiusd -X
This step demonstrates that the server is installed and configured properly. If you have installed Version 2 from source, this step will also create the default certificates used for EAP authentication. If everything went OK, you should see the lines
......
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
To stop freeradius press Ctrl+C.
FreeRadius is active project and you should always stick to the official site and wiki. Very often all of the documentation on “third party” web sites is outdated.
I suppose you already installed the FreeRadius (from source) and now I will try to explain a few basic steps.
Files
-rw-r----- 1 root root 671 Jan 27 15:54 acct_users
-rw-r----- 1 root root 4174 Jan 27 15:54 attrs
-rw-r----- 1 root root 513 Jan 27 15:54 attrs.access_challenge
-rw-r----- 1 root root 458 Jan 27 15:54 attrs.access_reject
-rw-r----- 1 root root 437 Jan 27 15:54 attrs.accounting_response
-rw-r----- 1 root root 2022 Jan 27 15:54 attrs.pre-proxy
drwxr-x--- 2 root root 4096 Jan 27 16:00 certs
-rw-r----- 1 root root 6703 Jan 27 15:54 clients.conf
-rw-r----- 1 root root 883 Jan 27 15:54 dictionary
-rw-r----- 1 root root 18063 Jan 27 15:54 eap.conf
-rwxr-xr-x 1 root root 4744 Jan 27 15:54 example.pl
-rw-r----- 1 root root 12722 Jan 27 15:54 experimental.conf
-rw-r----- 1 root root 2352 Jan 27 15:54 hints
-rw-r----- 1 root root 1604 Jan 27 15:54 huntgroups
-rw-r----- 1 root root 3218 Jan 27 15:54 ldap.attrmap
drwxr-x--- 2 root root 4096 Jan 27 15:54 modules
-rw-r----- 1 root root 2840 Jan 27 15:54 policy.conf
-rw-r----- 1 root root 4873 Jan 27 15:54 policy.txt
-rw-r----- 1 root root 984 Jan 27 15:54 preproxy_users
-rw-r----- 1 root root 26529 Jan 27 15:54 proxy.conf
-rw-r----- 1 root root 27238 Jan 27 15:54 radiusd.conf
drwxr-x--- 2 root root 4096 Jan 27 15:54 sites-available
drwxr-x--- 2 root root 4096 Jan 27 15:54 sites-enabled
drwxr-x--- 7 root root 4096 Jan 27 15:54 sql
-rw-r----- 1 root root 3042 Jan 27 15:54 sql.conf
-rw-r----- 1 root root 2475 Jan 27 15:54 sqlippool.conf
-rw-r----- 1 root root 3597 Jan 27 15:54 templates.conf
-rw-r----- 1 root root 6524 Jan 27 15:54 users
Initial test
Start the server with
# radiusd
The easiest way to test your radius installation is via radtest utility. It is a fast and convenient way to test a radius server. The radtest syntax is
radtest [-d raddb_directory] [-t pap/chap/mschap] [-x ] user password radius-server nas-port-number secret [ppphint] [nasname]
In this case lets test with user “user” and password “password” on localhost (127.0.0.1) with secret testing123
# radtest user password 127.0.0.1 0 testing123
You should see something like this:
[root@test raddb]# radtest user password 127.0.0.1 0 testing123
Sending Access-Request of id 245 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 192.168.1.10
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=245, length=20
Notice the Access-Reject message. This is the normal message because user “user” doesn’t exist.
Now add
user Cleartext-Password := "password"
inside users file (at the top, before anything else). Save the file, restart radius server (pkill radiusd, radiusd) and test again.
# radtest user password 127.0.0.1 0 testing123
[root@test raddb]# radtest user password 127.0.0.1 0 testing123
Sending Access-Request of id 53 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 192.168.1.10
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=53, length=20
Fine. Now we have a Access-Accept message.
If you notice some problems wile testing, start the server in debug mode (radiusd -X) and test it from the new terminal window. In debug mode you will have more details so it is very easy to find out where the problem is.
In next post, I will write something about basic configuration (which config files you should check), how to assign FreeRadius and MySQL (or other database).
Refer to http://www.serveradminblog.com/category/freeradius/
1 comments
Thank you very much...
because of u, my problem's was resolved...
Post a Comment