FreeRADIUS Installation Guide on CentOS 7

Prerequisites

  • CentOS 7
  • freeradius-3.0.16

Reference


Downloads

git clone https://github.com/FreeRADIUS/freeradius-server.git
cd freeradius-server
git branch -a
git checkout v3.0.x

Build and Install

yum install -y libtalloc-devel openssl-devel make autoconf
rpm -ivh mysql-community-common-5.7.20-1.el7.x86_64.rpm
rpm -ivh mysql-community-libs-5.7.20-1.el7.x86_64.rpm
rpm -ivh mysql-community-client-5.7.20-1.el7.x86_64.rpm
rpm -ivh mysql-community-devel-5.7.20-1.el7.x86_64.rpm
cd freeradius-server
./configure
make && make install

On Ubuntu 15.04:
(1) talloc
$ wget https://www.samba.org/ftp/talloc/talloc-2.1.0.tar.gz
$ tar zvxf talloc-2.1.0.tar.gz
$ cd talloc-2.1.0
$ ./configure --without-gettext
$ make && sudo make install
(2) ykclient, yubikey
$ sudo apt-get install libykclient3
$ sudo apt-get install libykclient-dev
$ sudo apt-get install libyubikey-dev
(3) build
$ cd freeradius-server
$ ./configure
$ make && sudo make install

Install path is:

/usr/local/sbin/

Config files are located in:

/usr/local/etc/raddb

Run in Debug Mode

Edit the users file and remove the leading '#' from each line of the following entry:

vi /usr/local/etc/raddb/users

#steve  Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP

Start the RADIUS server in debug mode:

/usr/local/sbin/radiusd -X

Open another terminal window and test with this command:

/usr/local/bin/radtest steve testing localhost 0 testing123

Enable Support for MySQL

The MySQL schema files are located in this path:

cd /usr/local/etc/raddb/mods-config/sql/main/mysql
ls

You will see the following files:

queries.conf
schema.sql
setup.sql

Log in to MySQL, for example:

mysql -u root -pAbc1234! -h cent7-n3.pepstack.com

Then run the following statements at the mysql prompt:

create database if not exists radius;
use radius;
source schema.sql;
flush privileges;
create user 'radius'@'cent7-n1.pepstack.com' identified by 'radpass1234!';
revoke all privileges,grant option from 'radius'@'cent7-n1.pepstack.com';
grant all privileges on radius.* to 'radius'@'cent7-n1.pepstack.com';
flush privileges;

Back up the default site config file:

cd /usr/local/etc/raddb/sites-available/
cp default default.bak

Replace every '-sql' with 'sql' in '/usr/local/etc/raddb/sites-enabled/default' as shown below:

vi /usr/local/etc/raddb/sites-enabled/default

#  See "Authorization Queries" in mods-available/sql
sql

...
#
# See "Accounting queries" in mods-available/sql
sql

...

#
# See "Authentication Logging Queries" in mods-available/sql
sql

Comment out every 'files' entry as shown below:

vi /usr/local/etc/raddb/sites-enabled/default

#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
#!--files
...

#
# Read the 'acct_users' file
#!--files
...

# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

Replace the corresponding section in '/usr/local/etc/raddb/mods-available/sql' with the following:

sql {
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# * rlm_sql_mysql
# * rlm_sql_mssql
# * rlm_sql_oracle
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_mysql"

...

# Connection info:
#
server = "cent7-n3.pepstack.com"
port = 3306
login = "radius"
password = "radpass1234!"

# Database table configuration for everything except Oracle
radius_db = "radius"

Create the symbolic link that enables the module:

cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/sql sql

Create Account for Test

Create a new RADIUS user in the MySQL database:

mysql -u radius -pradpass1234! -h cent7-n3.pepstack.com
mysql> use radius;
mysql> insert into radcheck(id,username,attribute,op,value) values('2','zhang','Cleartext-Password',':=','liang');
quit

Start the RADIUS server:

/usr/local/sbin/radiusd -X

Start the RADIUS test client:

/usr/local/bin/radtest zhang liang localhost 1812 testing123

The client output is:

Sent Access-Request Id 147 from 0.0.0.0:54246 to 127.0.0.1:1812 length 75
User-Name = "zhang"
User-Password = "liang"
NAS-IP-Address = 192.168.122.223
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "liang"
Received Access-Accept Id 147 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

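The radiusd debug window shows output like the following. Note that the post-auth query writes the user's password ('liang') to the radpostauth table in clear text: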

...
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'zhang', 'liang', 'Access-Accept', '2017-12-19 07:59:59')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 147 from 127.0.0.1:1812 to 127.0.0.1:54246 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 147 with timestamp +9
Ready to process requests

Modify clients.conf as below to accept requests from a BRAS IP:

client localhost {
ipaddr = 127.0.0.1
ipv4addr = * # any. 127.0.0.1 == localhost
secret = testing123
}
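
The client block above accepts requests from any IPv4 address and still uses the sample secret testing123. As an added example (not part of the original guide or of FreeRADIUS itself), this shell function flags both settings in a clients.conf; the bras1 entry, its address and secret, and the 16-character threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): flag clients.conf entries
# that accept any source address or still use the default shared secret.
# Assumption: one "key = value" pair per line, '#' starts a comment.

# audit_clients_conf FILE -> prints "client NAME: finding"; status 1 if any.
audit_clients_conf() {
    awk '
    function trim(s) { sub(/#.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(msg) { printf "client %s: %s\n", name, msg; n++ }
    /^[ \t]*client[ \t]+/ && /\{/ {
        name = $2; sub(/\{.*/, "", name); inblk = 1; next
    }
    inblk && /^[ \t]*\}/ { inblk = 0; next }
    inblk {
        line = trim($0); eq = index(line, "=")
        if (eq == 0) next
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        gsub(/^"|"$/, "", val)
        if (key ~ /^ip(v4|v6)?addr$/ && val ~ /^(\*|0\.0\.0\.0(\/0)?|::(\/0)?)$/)
            report(key " = " val " accepts any source address")
        else if (key == "secret" && val == "testing123")
            report("shared secret is the well-known default testing123")
        else if (key == "secret" && length(val) < 16)   # threshold is an assumption
            report("shared secret is shorter than 16 characters")
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: the block from this guide plus a hypothetical BRAS entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    ipv4addr = * # any. 127.0.0.1 == localhost
    secret = testing123
}
client bras1 {
    ipaddr = 192.0.2.10
    secret = "constructed-example-secret-0001"
}
EOF
audit_clients_conf "$sample" || echo "clients.conf needs attention"
rm -f "$sample"
```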

That completes the setup.