AKZN Notes

Archives for My Lazy and Forgetful Mind

Install FreeRADIUS & daloRADIUS on Ubuntu 20.04 + MySQL/MariaDB


Taken from https://bytexd.com/freeradius-ubuntu/ with a few updates to support daloRADIUS with FreeRADIUS v3.0 (as is, daloRADIUS only supports FreeRADIUS v2, and accounting will error).

  • (TBA) add mikrotik radius client
  • (TBA) add tutorial sqlcounter daloradius scheme to freeradius

In this tutorial we’ll install FreeRADIUS on a server running Ubuntu 20.04 and configure it to work with MySQL/MariaDB; we’ll also install daloRADIUS, a RADIUS web management panel, which is basically a FreeRADIUS GUI, and then perform a simple test on the RADIUS server to make sure it works.

Prerequisites

  • A server running Ubuntu 20.04; we recommend a minimum of 512 MB RAM and 300 MB of storage space.
  • Being logged in as a non-root sudo user. When you're acting as root you can do anything and the system won't ask; if you're not careful you can harm your system, and if you run malicious or buggy applications with root permissions, they can harm your system too. There is a good reason why this has been the security model for years.

Assuming you’re on a fresh server running Ubuntu 20.04 install, first we’ll update the server’s package index and upgrade to the latest packages:

sudo apt update

sudo apt upgrade

Install LAMP Stack

Follow another gist for the full LAMP install.

Install PHP & Additional PHP Modules

daloRADIUS needs the PHP PEAR and DB modules, so check that they are installed.

Install FreeRADIUS and Configure with MySQL/MariaDB on Ubuntu 20.04

Install FreeRADIUS along with two modules that FreeRADIUS will need:

  • freeradius-mysql – MySQL module for FreeRADIUS, so the server can do accounting and authentication using MySQL.
  • freeradius-utils – a module that adds additional useful features to the FreeRADIUS server
sudo apt -y install freeradius freeradius-mysql freeradius-utils

Test the FreeRADIUS Server

FreeRADIUS is expected to run well with the default configuration.

To quickly check that FreeRADIUS is up and running, we'll run it in debug mode.

Stop the FreeRADIUS server, as it started automatically after installing it.

sudo systemctl stop freeradius

Run FreeRADIUS in debug mode (remember to use sudo):

sudo freeradius -X

The output should look something like this:

Listening on auth address * port 1812 bound to server default

Listening on acct address * port 1813 bound to server default

Listening on auth address :: port 1812 bound to server default

Listening on acct address :: port 1813 bound to server default

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel

Listening on proxy address * port 52868

Listening on proxy address :: port 57983

Ready to process requests

Stop debug mode by pressing Ctrl+C.

Start and enable FreeRADIUS service so it runs on system boot:

sudo systemctl enable --now freeradius

Allow FreeRADIUS in Firewall

(If you have UFW running on Ubuntu 20.04)

FreeRADIUS uses UDP ports 1812 for authentication and 1813 for accounting. You need to make sure those ports are allowed. The method by which you allow them can also depend on the platform you’re using.

If you’re using UFW, then you can open them by running:

sudo ufw allow to any port 1812 proto udp

sudo ufw allow to any port 1813 proto udp

Configure FreeRADIUS to use MySQL/MariaDB

We’ll create a database and a database user for FreeRADIUS to use.

You can use any credentials you like but make sure to remember to replace the credentials that I’m using with your own, throughout the rest of the tutorial.

The details we’ll use are:

Database: radius

User: radius

Password: Somestrongpassword_321

To begin, access the MySQL/MariaDB console as root, by running the following command and then inputting your password at the prompt:

sudo mysql -u root -p

Create a database and user that will be used by FreeRADIUS:

MariaDB [(none)]> CREATE DATABASE radius;

MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Somestrongpassword_321";

MariaDB [(none)]> FLUSH PRIVILEGES;

MariaDB [(none)]> quit;

Now to populate the database with the RADIUS MySQL schema.

First we’ll have to switch to using the root user, otherwise we get Access denied when trying to import, even if we’re using sudo:

sudo su -

Now import the RADIUS MySQL schema:

mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Let’s switch back to our non-root user (I’m using edxd so I’ll switch to that):

sudo su - edxd

You can check the tables just created in the radius database by running the following command, and then entering your root MySQL/MariaDB password:

sudo mysql -u root -p -e "use radius;show tables;"

Output:

+------------------+

| Tables_in_radius |

+------------------+

| nas |

| radacct |

| radcheck |

| radgroupcheck |

| radgroupreply |

| radpostauth |

| radreply |

| radusergroup |

+------------------+

Create a soft link to the SQL module in /etc/freeradius/3.0/mods-enabled:

sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Next we configure FreeRADIUS to use SQL. To do this open /etc/freeradius/3.0/mods-enabled/sql using your favorite text editor, so we can edit some parameters.

I’ll install and use nano as my text editor, and open the file:

sudo apt install nano
sudo nano /etc/freeradius/3.0/mods-enabled/sql

There’s quite a bit of text, but most of it is commented out. We’ll just need to edit a few things.

  1. Change dialect = "sqlite" to dialect = "mysql"

  2. Change driver = "rlm_sql_null" to driver = "rlm_sql_${dialect}"

  3. If we use MySQL, the FreeRADIUS configuration assumes the use of TLS certs by default. For the purpose of this tutorial we won't be using TLS certs, so we'll comment out the MySQL TLS section by adding a # sign at the beginning of every line in the tls section. (The database in this tutorial lives on the same host, so the unencrypted connection never leaves the machine; keep TLS enabled if you ever point server at a remote database.) The TLS section looks something like this:

    mysql {
        # If any of the files below are set, TLS encryption is enabled
        tls {
            ca_file = "/etc/ssl/certs/my_ca.crt"
            ca_path = "/etc/ssl/certs/"
            certificate_file = "/etc/ssl/certs/private/client.crt"
            private_key_file = "/etc/ssl/certs/private/client.key"
            cipher = "DHE-RSA-AES256-SHA:AES128-SHA"

            tls_required = yes
            tls_check_cert = no
            tls_check_cert_cn = no
        }

        # If yes, (or auto and libmysqlclient reports warnings are
        # available), will retrieve and log additional warnings from
        # the server if an error has occured. Defaults to 'auto'
        warnings = auto
    }

    And this is how it looks with the tls section commented out:

    mysql {
        # If any of the files below are set, TLS encryption is enabled
        # tls {
        #     ca_file = "/etc/ssl/certs/my_ca.crt"
        #     ca_path = "/etc/ssl/certs/"
        #     certificate_file = "/etc/ssl/certs/private/client.crt"
        #     private_key_file = "/etc/ssl/certs/private/client.key"
        #     cipher = "DHE-RSA-AES256-SHA:AES128-SHA"

        #     tls_required = yes
        #     tls_check_cert = no
        #     tls_check_cert_cn = no
        # }

        # If yes, (or auto and libmysqlclient reports warnings are
        # available), will retrieve and log additional warnings from
        # the server if an error has occured. Defaults to 'auto'
        warnings = auto
    }
  4. Next we'll uncomment the Connection info section and add the connection details for our MySQL/MariaDB database. First uncomment (remove the # signs from) the lines starting with server, port, login, password.

    server – this is the server where the database is located. In this case it's the local server, so we can leave "localhost".

    port – is set to 3306, which is the default port for the classic MySQL protocol. Leave it as is, unless you changed the MySQL port.

    login – this is the database user you created earlier for FreeRADIUS to use. I created the user radius so I'll leave it as is. Change it if your user is something else.

    password – the password for that MySQL user that you also set earlier.

    This is its initial state:

    # Connection info:
    #
    # server = "localhost"
    # port = 3306
    # login = "radius"
    # password = "radpass"

    And here it is edited:

    # Connection info:
    #
    server = "localhost"
    port = 3306
    login = "radius"
    password = "Somestrongpassword_321"
  5. A few lines lower we need to configure the name of the database. By default it looks like this:

    # Database table configuration for everything except Oracle
    radius_db = "radius"

    Instead of radius, input the database you created. Since I created the database radius I'll leave it as is:

    # Database table configuration for everything except Oracle
    radius_db = "radius"
  6. Further down we'll uncomment a line containing read_clients = yes. This enables FreeRADIUS to read clients from the database. Here is how it looks:

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    # read_clients = yes

    Just remove the # sign to uncomment it:

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes
  7. Just a few lines lower, we want client_table = "nas" to be uncommented. It should be uncommented by default, but check to make sure it looks like this:

    # Table to keep radius client info
    client_table = "nas"

    Now change the group rights of the file we just edited:

sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql

sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

And restart the FreeRADIUS service:

sudo systemctl restart freeradius.service

Since we've done quite a few edits, we should run FreeRADIUS in debug mode to catch any mistakes before going further.

First stop the FreeRADIUS service since we can’t have 2 instances of the service running simultaneously:

sudo systemctl stop freeradius.service

And run FreeRADIUS in debug mode:

sudo freeradius -X

The output looks something like this:

Listening on auth address * port 1812 bound to server default

Listening on acct address * port 1813 bound to server default

Listening on auth address :: port 1812 bound to server default

Listening on acct address :: port 1813 bound to server default

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel

Listening on proxy address * port 52025

Listening on proxy address :: port 42807

Ready to process requests

Exit debug mode by pressing Ctrl+C and then start FreeRADIUS again by running:

sudo systemctl start freeradius.service

Now FreeRADIUS is installed on your Ubuntu 20.04 machine and is configured to work with MySQL or MariaDB.

Next we’ll install daloRADIUS, which is a web control panel to manage our FreeRADIUS server. This step is optional, for those who want a GUI for their FreeRADIUS server.

Install & Configure daloRADIUS (FreeRADIUS GUI) on Ubuntu 20.04 (Optional)

daloRADIUS is a popular RADIUS web management panel that offers user management, graphical reporting, accounting, a billing engine, Google Maps integration, and more. It's one of the most popular solutions if you need a FreeRADIUS GUI.

First we’ll download daloRADIUS from the Github repository.

I’ll use wget to download it, so I’ll have to install it since it’s not installed by default, and unzip since we’ll be downloading a .zip file:

sudo apt -y install wget unzip

Now download daloRADIUS and cd into the newly created daloradius-master folder:

wget https://github.com/lirantal/daloradius/archive/master.zip

unzip master.zip

cd daloradius-master

Populate the database with the daloRADIUS schema:

sudo mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql

sudo mysql -u root -p radius < contrib/db/mysql-daloradius.sql

cd out of the daloradius-master directory and move the folder into the document root as daloradius:

cd ..

sudo mv daloradius-master /var/www/html/daloradius

Next we’ll change the owner and group for the daloradius folder to www-data:www-data, which are the user and group under which the Apache Web Server runs.

sudo chown -R www-data:www-data /var/www/html/daloradius/

Now we’ll need to create the daloRADIUS configuration file. Right now we’re just provided a sample file, so we’ll make a copy from that sample file:

sudo cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php

We'll also change the permissions of the daloRADIUS configuration file. Note that 664 leaves it readable by every local account, and it is about to hold the database password; since the file is owned by www-data:www-data, 660 is enough for Apache to read it.

sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

Next we edit a few variables in the daloRADIUS connection file, so it’s able to connect to the FreeRADIUS database.

Open the configuration file using your favorite editor:

sudo nano /var/www/html/daloradius/library/daloradius.conf.php

Similarly to what we’ve done earlier, when editing the FreeRADIUS config file, we just need to adjust the variables for the database user, their password, and the database name. Those are all the edits for the scope of this tutorial.

This is how they initially look in the daloRADIUS configuration file:

$configValues['CONFIG_DB_USER'] = 'root';

$configValues['CONFIG_DB_PASS'] = '';

$configValues['CONFIG_DB_NAME'] = 'radius';

This is how it looks after editing with the details for the database I created earlier:

$configValues['CONFIG_DB_USER'] = 'radius';

$configValues['CONFIG_DB_PASS'] = 'Somestrongpassword_321';

$configValues['CONFIG_DB_NAME'] = 'radius';

Lastly restart FreeRADIUS and Apache to make sure everything works:

sudo systemctl restart freeradius.service apache2

Because daloRADIUS is written for FreeRADIUS v2, here are the columns to add so that accounting works with FreeRADIUS v3.

Add these columns to the radacct table to fix the accounting error:

  • acctupdatetime | type datetime
  • acctinterval | type int (an integer number of seconds in the FreeRADIUS 3 schema)
  • framedipv6address | type (tba, text for now)
  • framedipv6prefix | type (tba, text for now)
  • framedinterfaceid | type (tba, text for now)
  • delegatedipv6prefix | type (tba, text for now)
use radius;
alter table radacct
    add column acctupdatetime datetime,
    add column acctinterval int,  -- seconds between interim updates; an integer in the FreeRADIUS 3 schema, not a datetime
    add column framedipv6address text,
    add column framedipv6prefix text,
    add column framedinterfaceid text,
    add column delegatedipv6prefix text;

Access daloRADIUS

You can access daloRADIUS through a web browser by visiting:

http://server_ip_address/daloradius

Make sure it's http:// and that your browser doesn't automatically change it to https://, because you may not be able to access daloRADIUS since we haven't configured it to use SSL.

The daloRADIUS start page looks something like this:


Default daloRADIUS username/password:

username: administrator

password: radius

Change daloRADIUS username & password

Having default credentials such as administrator/radius is a security vulnerability, and there are bots that scan absolutely all IPs and try known default credentials for certain software.

In this manner someone can scan all possible IPs, detect whether daloRADIUS is installed by visiting http://random_ip/daloradius, and try to log in using administrator/radius; chances are they'll succeed some of the time, because some people don't change their default credentials.

You can change a user password by logging into daloRADIUS > Config (In the top menu) > Operators (In the submenu) > List Operators (In the gray sidebar) > Click on user (in our case administrator) and in the next screen change the password and click Apply.

To create a new daloRADIUS user (called Operator) go to Config > Operators (in the submenu) > New Operator (in the gray sidebar) > input Operator Username and Operator Password and click Apply.

To get acquainted with daloRADIUS, next we'll create a NAS Client Table entry and a user, and then we'll test that everything works correctly by sending an Authentication Request using a piece of software called NTRadPing.

Testing FreeRADIUS & daloRADIUS

For the last part of this tutorial we’ll test our FreeRADIUS server and the daloRADIUS web panel.

In short, we’ll send an Authentication Request from another computer to our server to see if it works.

To do this we’ll need to add a NAS (explanation below), a User, and another computer from where to send the request (this can be your computer, for example).

Note: For this demo you’ll need to install a Windows software, called NTRadPing.

1. Creating a NAS Client Table in daloRADIUS

For another computer to use our RADIUS server, it first needs to be added to the NAS Client Table.

A Network Access Server (NAS) acts as a gateway that guards a protected resource, and the NAS client table lists the NAS devices allowed to talk to our RADIUS server. For another computer to connect to our RADIUS server, it needs to be added to that table.

The NAS is an intermediary that a client connects to; the NAS then asks the RADIUS server whether the credentials are valid, and based on the answer the NAS allows or denies access to the protected resource.

You can read a bit more about the NAS on this page from the FreeRADIUS wiki.

To add a NAS, go in the daloRADIUS dashboard, Management > NAS (in the blue submenu) > New NAS (in the left, dark gray, sidebar).

NAS IP/Host: the IP or fully qualified hostname from which you're trying to connect

NAS Secret: a password for connecting to the NAS, but it's referred to as a secret. It's used to communicate between the client/NAS and the RADIUS server.

NAS Type: there are a few types that are recognized, including livingston, cisco, portslave. This is passed to the external checklogin program when it is called to detect double logins. For the purposes of this tutorial we'll select other.

NAS Shortname: an alias that can be used in place of the IP address or fully qualified hostname provided under NAS IP/Host

For our example we'll fill in:

NAS IP/Host: IP of another computer we're using as a client

NAS Secret: nobodywilleverlearnthissecret!!11!!

NAS Type: other

NAS Shortname: ProductionServer

2. Creating a User in daloRADIUS

To test our RADIUS server we’ll also need to have a user.

We can easily create one by navigating in the top menu to Management > Users (in the blue submenu) >New User (in the left, dark gray, sidebar)

For our example all we need is a Username and Password. There are other attributes, but these will be enough for our purposes.

I’ll fill in the following:

Username: new_customer
Password: customer_strong_passwd_123

3. Run FreeRADIUS in Debug Mode

We want to see for ourselves what’s happening on the server, so we’ll run FreeRADIUS in debug mode.

First stop the running process:

sudo systemctl stop freeradius.service

And run the following command to run FreeRADIUS debug mode:

sudo freeradius -X

Important Note
Every time a new NAS is added you need to restart FreeRADIUS so it fetches the updated table.

We’re already doing this in this demo, since we’re stopping it and running it in debug mode, but you should remember this in the future.

Now we’re ready to test the server.

4. Test daloRADIUS with NTRadPing

For convenience, we’ll test the server using a free software for Windows, called NTRadPing.

You can download it here https://community.microfocus.com/t5/OES-Tips-Information/NTRadPing-1-5-RADIUS-Test-Utility/ta-p/1777768. This is a direct link to the archive https://community.microfocus.com/dcvta86296/attachments/dcvta86296/OES_Tips/148/1/ntradping.zip

To run it just unzip the archive and run the executable.

This is how it looks and how we'll fill in the details in NTRadPing. We'll use it to send an Authentication Request to the RADIUS server while it's running in debug mode, so we can see first hand how it accepts the request.


We’ve filled the fields as follows:

RADIUS Server/port: IP of the server we have FreeRADIUS installed on / port 1812

Reply timeout (sec.): 1

Retries: 1

RADIUS Secret key: nobodywilleverlearnthissecret!!11!!

User-Name: new_customer

Password: customer_strong_passwd_123

Lastly check the CHAP checkbox. This is so the request is made using a CHAP password, instead of the default PAP password.

Now you can test the RADIUS server. Just click Send in NTRadPing and if you get an Access-Accept response we can assume it’s working.

The output in NTRadPing should look something like this:

Sending authentication request to server 40.76.122.52:1812

transmiting Packet, code=1 id=3 length=53

recieved response from the server in  16 milliseconds

replay packet code=2 id=3 length=20

response: Access-Accept

-------------------attribute dump------------------

And the output in the terminal, where you’re running FreeRADIUS in debug mode should end with something like this:

...

(2) Sent Access-Accept Id 7 from 10.0.2.4:1812 to 213.136.66.127:52163 length 0

(2) Finished request

Waking up in 4.9 seconds.

(2) Cleaning up request packet ID 7 with timestamp +67

Ready to process requests
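The exchange NTRadPing and FreeRADIUS just performed, re-implemented in Python as an added example (this is not NTRadPing's or FreeRADIUS's code): the client builds a CHAP Access-Request with the NAS secret and user from this tutorial, the server side recomputes the CHAP response from the cleartext password (as FreeRADIUS does from radcheck), and the client checks the Response Authenticator on the Access-Accept or Access-Reject before trusting it. Everything runs in-process with no network, the secret and credentials are the constructed values from this tutorial, and Message-Authenticator is left out.

```python
import hashlib
import hmac
import os
import struct

# Constructed values matching this tutorial's test setup (not captured traffic).
SECRET = b"nobodywilleverlearnthissecret!!11!!"  # NAS Secret entered in daloRADIUS
USERNAME = b"new_customer"
PASSWORD = b"customer_strong_passwd_123"  # Cleartext-Password FreeRADIUS reads from radcheck

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, REPLY_MESSAGE, CHAP_CHALLENGE = 1, 3, 18, 60
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs (RFC 2865 section 5)."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    """Parse attribute TLVs, refusing a length that runs past the packet."""
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def chap_access_request(ident, username, password, chap_id=0x01):
    """Client (NTRadPing with CHAP ticked): CHAP-Password = id || MD5(id || password || challenge)."""
    req_auth, challenge = os.urandom(16), os.urandom(16)  # the password itself never crosses the wire
    response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    body = encode_attrs([(USER_NAME, username),
                         (CHAP_PASSWORD, bytes([chap_id]) + response),
                         (CHAP_CHALLENGE, challenge)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, attrs, secret=SECRET):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def server_handle(request, password_db):
    """Server (FreeRADIUS) side: recompute the CHAP response from the stored cleartext password."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    known = password_db.get(attrs.get(USER_NAME))
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, req_auth)  # no CHAP-Challenge: the Request Authenticator is the challenge
    ok = known is not None and len(chap) == 17 and hmac.compare_digest(
        chap[1:], hashlib.md5(chap[:1] + known + challenge).digest())
    if ok:
        return build_response(ACCESS_ACCEPT, ident, req_auth, [])
    return build_response(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Login incorrect")])


def verify_response(response, request, secret=SECRET):
    """Client side: only trust a reply whose ID matches and whose Response Authenticator used the shared secret."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def login_exchange(username, password, ident=3):
    """Run the whole exchange in-process and return the reply's code name, or "invalid"."""
    request = chap_access_request(ident, username, password)
    response = server_handle(request, {USERNAME: PASSWORD})
    if not verify_response(response, request):
        return "invalid"
    return CODE_NAMES.get(response[0], "unknown")
```

A reply forged without the shared secret fails verify_response, which is why the NAS secret matters even though CHAP already keeps the password off the wire.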

Enable SQLCounter FreeRadius

base logic taken from https://mangospot.net/enable-sqlcounter-freeradius.html

What this section does
The rlm_sqlcounter module implements a packet counter based on the accounting records written to an SQL database, i.e. access-period, daily or monthly user time limits, built from the records of when a user logs in, transfers data, and holds sessions.

daloRADIUS ships an sqlcounter schema that is ready to be added to FreeRADIUS.

1. Add DaloRADIUS sqlcounter scheme to freeRADIUS

TBA

2. Enable SQLCounter on FreeRADIUS

Example to activate Access Period attribute

Open file

sudo nano /etc/freeradius/3.0/mods-available/sqlcounter

Add code

...
sqlcounter accessperiod {
    sql_module_instance = sql
    dialect = ${modules.sql.dialect}

    counter_name = Max-Access-Period-Time
    check_name = Access-Period
    key = User-Name
    reset = never

    $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
...

Create file accessperiod.conf

sudo nano /etc/freeradius/3.0/mods-config/sql/counter/mysql/accessperiod.conf

insert code

query = "\
SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) \
FROM radacct \
WHERE UserName='%{${key}}' \
ORDER BY AcctStartTime LIMIT 1"

Edit the default site file

sudo nano /etc/freeradius/3.0/sites-enabled/default

Add counter in the authorize{} section

authorize {
    sql # for mysql integration this needs to be added before any other counter
    accessperiod
    ...
}

To return a Reply-Message that the client router can show, we can use unlang in authorize. Starting from the example above, replace the accessperiod call with this:

authorize {
    ...
    accessperiod {
        reject = 1
    }
    if (reject) {
        update reply {
            Reply-Message := "You have reached your time limit"
        }
        reject
    }
    ...
}
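As an added example (not from the original post or from the rlm_sqlcounter source), the counter logic above simulated in Python over a constructed radacct table: the accessperiod.conf query is rendered for SQLite, so MySQL's UNIX_TIMESTAMP() becomes strftime('%s', ...), and the decision rule is the one rlm_sqlcounter applies to the query result against the user's Access-Period check item. The rows and the fixed "now" are constructed so the result is reproducible.

```python
import sqlite3

# Constructed radacct rows (not taken from the post) and a fixed "now" so results are
# reproducible: alice first logged in 3 days ago, bob an hour ago, carol never.
NOW = 1_700_000_000
SESSIONS = [("alice", NOW - 3 * 86400), ("alice", NOW - 3600), ("bob", NOW - 3600)]


def make_radacct(rows=SESSIONS):
    """In-memory stand-in for radacct with only the two columns the counter query touches."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, datetime(?, 'unixepoch'))", rows)
    return db


def access_period_counter(db, username, now=NOW):
    """The accessperiod.conf query rendered for SQLite: seconds elapsed since the user's
    earliest AcctStartTime. With reset = never this only ever grows."""
    row = db.execute(
        "SELECT ? - strftime('%s', AcctStartTime) FROM radacct "
        "WHERE UserName = ? ORDER BY AcctStartTime LIMIT 1", (now, username)).fetchone()
    return int(row[0]) if row else 0  # no accounting rows yet: the counter starts at 0


def sqlcounter_decision(counter, access_period):
    """What rlm_sqlcounter does with the counter against the Access-Period check item
    (seconds): reject once it is used up, otherwise return the seconds remaining, which
    the module hands back in the reply attribute (Session-Timeout in the stock examples)."""
    if counter >= access_period:
        return "reject", 0
    return "ok", access_period - counter
```

The "reject" branch is the return code the unlang block above catches to attach the Reply-Message.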

Enable sqlcounter

cd /etc/freeradius/3.0/mods-enabled
sudo ln -s ../mods-available/sqlcounter sqlcounter

If the above command doesn't work, open the file

sudo nano /etc/freeradius/3.0/radiusd.conf

and add these lines to the modules {} section:

$INCLUDE mods-enabled/sql  # this line needs to be placed above sqlcounter
$INCLUDE mods-available/sqlcounter
$INCLUDE mods-enabled/

Or, if FreeRADIUS is installed on a non-Ubuntu distro, go to radiusd.conf:

sudo nano /etc/raddb/radiusd.conf

Go to line 789 and enable the sql module before any other module by removing the # from $INCLUDE mods-enabled/sql.

Restart FreeRadius

sudo /etc/init.d/freeradius restart
or
sudo systemctl restart freeradius.service

Connect Mikrotik client to radius

TBA

To display the reply message from RADIUS, increase the RADIUS client timeout to 2s:

/radius
print detail
set 0 timeout=2s

All done. If there is no error, RADIUS should be running flawlessly.

Frequent Errors

“Failed binding with auth address […]” when running in debug mode

Failed binding to auth address * port 1812 bound to server default: Address already in use

/etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812

If you get the above error when running FreeRADIUS in debug mode, it most likely means that the FreeRADIUS service is already running and you need to stop it first:

$ sudo systemctl stop freeradius.service

daloRADIUS login throws a server error code 500

  • install the PHP DB dependency
    sudo apt install php-db

Mikrotik hotspot users can't log in if accounting is enabled

Add these columns to the radacct table to fix the accounting error:

use radius;
alter table radacct
    add column acctupdatetime datetime,
    add column acctinterval int,  -- seconds between interim updates; an integer in the FreeRADIUS 3 schema, not a datetime
    add column framedipv6address text,
    add column framedipv6prefix text,
    add column framedinterfaceid text,
    add column delegatedipv6prefix text;

access-period error

  1. to add the module: https://mangospot.net/enable-sqlcounter-freeradius.html
  2. to fix the sqlcounter module running before the sql module: https://github.com/FreeRADIUS/freeradius-server/issues/2020#issuecomment-876196378
  3. follow the instructions from the FreeRADIUS docs: https://wiki.freeradius.org/modules/Rlm_sqlcounter

User groups only load the highest priority

Add the attribute Fall-Through := Yes to the reply of each profile/group.
