Authentication, Authorization & Accounting With FreeRadius & MySQL Backend & Web Based Management with Daloradius

This tutorial explains how to set up a FreeRadius 2.x server for wifi authentication, authorization and accounting in conjunction with mysql & web based management with Daloradius on CentOS 5.x. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibilities.

(For basic how-to refer to the doc http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5.)

The following steps are involved:

1- Building Centos 5.x binary rpms

2- Installing the binary packages

3- Configuring the FR with mysql

4- Setting up web management with Daloradius

 

Step 1- Building Centos 5.X packages

Get hold of src.rpms from http://rpmfind.net//linux/RPM/fedora/devel/src/freeradius-2.0.5-1.fc10.src.html.

rpm -Uvh freeradius-2.0.5-1.fc10.src

Note: It is recommended that you carry this building process on a non-production server & move over the final binary rpms over to the produtions server. But it isn't mandatory if you know what you're doing.

cd /usr/src/redhat/RPMS/SPECS

rpmbuild -bb freeradius.spec

Note: You might require some package for these. yum them & rerun the rebuild process. (I got prompted for the following)

    beecrypt-devel, sqlite-devel, unixODBC, unixODBC-devel,
    python-devel, pam-devel, elfutils-libelf-devel,
    elfutils-libelf-devel-static, rpm-devel, elfutils-devel,
    elfutils-devel-static, net-snmp-devel, mysql, cyrus-sasl-devel,
    mysql-devel, openldap-devel, gdbm-devel, libtool-ltdl-devel,
    postgresql, postgresql-devel

After a while (depending on your system specs) you should have rpms built at the following locations (if using x86):

cd /usr/src/redhat/RPMS/i386

Move these to a production server if this is your development workstation.

 

Step 2- Installing the binary packages

rpm -Uvh freeradius-libs-2.0.5-1.i386.rpm

rpm -Uvh freeradius-2.0.5-1.i386.rpm

rpm -Uvh freeradius-utils-2.0.5-1.i386.rpm

rpm -Uvh freeradius-mysql-2.0.5-1.i386.rpm

After running with the out of the box configuration, validate against a local user.

E.g: run radius in debug mode:

radiusd -X

From another shell run this while the radius -X is running:

radtest abc 123 localhost 1812 testing123

Make sure the user 'abc' with password '123' is set in the /etc/raddb/users file.

 

Step 3- Configuring the FR with MySQL

First the MySQL bits (creating the db & its admin user). Do the following from your shell.

mysqladmin -u root password 123456

mysql -u root -p

On the MySQL shell type the following:

CREATE DATABASE radiusdb;

GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpass";

exit;

Now import the file mysql-dalo-and-fr2x.sql schema into the radiusdb from the following zipped file which also contains daloradius.conf file for daloradius which is discussed later in the web management section.

Download sql_schema & daloradius.conf zipped

unzip daloradius.zip

mysql -u root -p radiusdb < /root/mysql-dalo-fr2x.sql

To have a look  at the db schema do the following:

mysql -u root -p

use database radiusdb;

show tables;

quit;

Now edit your /etc/raddb/sql.conf.

Reset the user/password/database parameters to reflect the changes (eg. login = radius, password=radpass & radius_db=radiusdb); to turn the NAS management from MySQL, search for the line

readclients = no

and change it to:

readclients = yes

Edit the file /etc/raddb/sites-enabled/default and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). Also add a line saying 'sql' to the accounting{} section to tell FreeRadius to store accounting records in SQL as well. Optionally add 'sql' to the session{} section if you want to do Simultaneous-Use detection. Optionally add 'sql' to the post-auth{} section if you want to log all authentication attempts to SQL.

Here is the authorize section:

authorize {
          preprocess
          chap
          mschap
          suffix
          eap
          sql
          pap
}

And the accounting section:

accounting {
          detail
          sql
}

To insert a test user in the database, go to the MySQL shell and run this:

mysql -u root -p

mysql> use database radiusdb;

mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');

mysql> select * from radcheck where UserName='sqltest';

mysql> exit

Fire up radius in debug mode:

radiusd -X

Go to another shell and run the test:

radtest sqltest testpwd localhost 1812 testing123

At this moment you should see a message containing something like ... Accept-Accept ... which is an indication that your user is getting authenticated just fine.

Congratulations! Your FreeRadius + MySQL setup is working.

 

4- Setting up web management with Daloradius

The latest stable release is version 0.9-7.

Get hold of the it from http://sourceforge.net/projects/daloradius.

tar -zxvf daloradius-0.9-7.tar.gz

Download the following prerequisite packages:

yum install install httpd -y

yum install php php-mysql php-pear php-gd php-pear-DB -y

cp daloradius-0.9-7/ /var/www -vr

Change ownership:

chown apache:apache /var/www/daloradius-0.9-7 -R

A few tables that are needed by Daloradius, have already been created earlier.

Copy over the already unzippedfile daloradius.conf from the downloaded zipped file.

cp /root/daloradius.conf /var/www/daloradius-0.9-7/library/

Note: This file daloradius.conf has been modified for freeradius 2.x which, as of yet, is not being packaged by daloradius.

Now, simply adjust the MySQL database information in the DaloRadius config file.

vi /var/www/daloradius-0.9-7/library/daloradius.conf

Fill in the database details, few important parameters are listed below:

       ...........
       ......................
       CONFIG_DB_ENGINE = mysql
       CONFIG_DB_HOST = 127.0.0.1
       CONFIG_DB_USER = radius
       CONFIG_DB_PASS = radpass
       CONFIG_DB_NAME = radiusdb
       .......................
       ............

Change ownership & permission:

chown apache.apache /var/ww/daloradius-0.9-7/library/daloradius.conf

chmod 644 /var/www/daloradius-0.9-7/library/daloradius.conf

touch /tmp/daloradius.log

chown apache.apache /tmp/daloradius.log

Set up the apache server.

Edit the /etc/httpd/conf/httpd.conf file and append this to the end of the file (customize to your likings):

Alias /myradius "/var/www/daloradius-0.9-7/"
<Directory /var/www/daloradius-0.9-7/>
      Options None
      order deny,allow
      deny from all
      allow from 127.0.0.1
      allow from <my management system's ip which has a web-browser>
</Directory>

Save and exit.

Restart the httpd server:

/etc/init.d/httpd restart

Fire up Firefox (or any other borowser) and go to the URL http://<localhost or the managemet system's ip>/myradius.

Log in with the administrator for management:

    username: administrator
    password: radius

Change this information first for the sake of security (info is located in the operator table).

Take Daloradius for a spin. You should have created an sqltest user earlier. You can also try adding new users and testing the connectivity from within the Daloradius frontend.

Congratulations you are done.

Again developers of  FreeRadius, MySQL and Daloradius, do accept my humble appreciation for all your efforts. Open source community, as always you rock, thanx.

(Note: I haven't mentioned anything regarding setting up eap/ttls in this article. For that, just follow the section of setting up certificates and eap.conf from the below mentioned HowtoForge link.)

 

References:

http://freeradius.org/

http://wiki.freeradius.org/SQL_HOWTO

http://sourceforge.net/projects/daloradius

http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5

http://rpmfind.net//linux/RPM/fedora/devel/src/freeradius-2.0.5-1.fc10.src.html