Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius

By osman Published: 2008-09-08 17:53

Authentication, Authorization & Accounting With FreeRadius & MySQL Backend & Web Based Management with Daloradius
This tutorial explains how to set up a FreeRadius 2.x server for wifi authentication, authorization and accounting in conjunction with mysql & web based management with Daloradius on CentOS 5.x. Production deployment is also possible with minor tweaking. But as usual I do not guarantee anything & take no responsibilities. (For basichow-to refer to the dochttp://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5. And of-course for the faint-hearted this turn-key solution can always be employed. http://www.howtoforge.com/how-to-set-up-an-aaa-server-with-ciitix-wifi ) The following steps are involved: 1- BuildingCentos 5.x binary rpms 2-Installing the binary packages 3-Configuring the FR with mysql 4- Settingup web management with Daloradius

Step 1- Building Centos 5.X packages

Get hold of src.rpms fromhttp://rpmfind.net//linux/RPM/fedora/devel/src/freeradius-2.0.5-1.fc10.src.html.
rpm -Uvh freeradius-2.0.5-1.fc10.src

Copyright 2011 All Rights Reserved.

HowtoForge

Page 1 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius

http://www.howtoforge.com/

Note: It is recommended that you carry this building process on a non-production server & move over the final binary rpms over to the produtions server. But it isn't mandatory if you know what you're doing.
cd /usr/src/redhat/RPMS/SPECS

rpmbuild -bb freeradius.spec

Note: You might require some package for these. yum them & rerun the rebuild process. (I got prompted for the following)
beecrypt-devel, sqlite-devel, unixODBC, unixODBC-devel, python-devel, pam-devel, elfutils-libelf-devel, elfutils-libelf-devel-static, rpm-devel, elfutils-devel, elfutils-devel-static, net-snmp-devel, mysql, cyrus-sasl-devel, mysql-devel, openldap-devel, gdbm-devel, libtool-ltdl-devel, postgresql, postgresql-devel

After a while (depending on your system specs) you should have rpms built at the following locations (if using x86):
cd /usr/src/redhat/RPMS/i386

Move these to a production server if this is your development workstation.

Step 2- Installing the binary packages

rpm -Uvh freeradius-libs-2.0.5-1.i386.rpm

rpm -Uvh freeradius-2.0.5-1.i386.rpm

Copyright 2011 All Rights Reserved.

HowtoForge

Page 2 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius rpm -Uvh freeradius-utils-2.0.5-1.i386.rpm

http://www.howtoforge.com/

rpm -Uvh freeradius-mysql-2.0.5-1.i386.rpm

After running with the out of the box configuration, validate against a local user. E.g: run radius in debug mode:
radiusd -X

From another shell run this while the radius -X is running:

radtest abc 123 localhost 1812 testing123

Make sure the user 'abc' with password '123' is set in the /etc/raddb/users file.

Step 3- Configuring the FR with MySQL

Turn on the sql authentication in the radiusd.conf
vi /etc/raddb/radiusd.conf

Search & uncomment this line $INCLUDE sql.conf Save & quit. Now the MySQL bits (creating the db & its admin user). Do the following from your shell.

Copyright 2011 All Rights Reserved.

HowtoForge

Page 3 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius mysqladmin -u root password 123456

http://www.howtoforge.com/

mysql -u root -p

On the MySQL shell type the following:

CREATE DATABASE radiusdb;

GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpass";

exit;

Now import the file mysql-dalo-and-fr2x.sql schema into the radiusdb from the following zipped file which also contains daloradius.conf file for daloradius which is discussed later in the web management section. Download sql_schema & daloradius.conf zipped
unzip daloradius.zip

mysql -u root -p radiusdb < /root/mysql-dalo-fr2x.sql

To have a look at the db schema do the following:

mysql -u root -p

Copyright 2011 All Rights Reserved.

HowtoForge

Page 4 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius use database radiusdb;

http://www.howtoforge.com/

show tables;

quit;

Now edit your /etc/raddb/sql.conf. Reset the user/password/database parameters to reflect the changes(eg. login = radius, password=radpass & radius_db=radiusdb); to turn the NAS management from MySQL,search for the line
readclients = no

and change it to:

readclients = yes

Edit the file /etc/raddb/sites-enabled/default and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). Also add a line saying 'sql' to the accounting{} section to tell FreeRadius to store accounting records in SQL as well. Optionally add 'sql' to the session{} section if you want to do Simultaneous-Use detection. Optionally add 'sql' to the post-auth{} section if you want to log all authentication attempts to SQL. Here is the authorize section:
authorize { preprocess chap mschap suffix

Copyright 2011 All Rights Reserved.

HowtoForge

Page 5 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius eap sql pap }

http://www.howtoforge.com/

And the accounting section:

accounting { detail sql }

To insert a test user in the database, go to the MySQL shell and run this:
mysql -u root -p

mysql> use database radiusdb;

mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');

mysql> select * from radcheck where UserName='sqltest';

mysql> exit

Fire up radius in debug mode:

Copyright 2011 All Rights Reserved.

HowtoForge

Page 6 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius radiusd -X

http://www.howtoforge.com/

Go to another shell and run the test:

radtest sqltest testpwd localhost 1812 testing123

At this moment you should see a message containing something like ... Accept-Accept ... which is an indication that your user is getting authenticated just fine. Congratulations! Your FreeRadius + MySQL setup is working.

4- Setting up web management with Daloradius

The latest stable release is version 0.9-7. Get hold of the it fromhttp://sourceforge.net/projects/daloradius.
tar -zxvf daloradius-0.9-7.tar.gz

Download the following prerequisite packages:

yum install install httpd -y

yum install php php-mysql php-pear php-gd php-pear-DB -y

cp daloradius-0.9-7/ /var/www -vr

Copyright 2011 All Rights Reserved.

HowtoForge

Page 7 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius

http://www.howtoforge.com/

Change ownership:
chown apache:apache /var/www/daloradius-0.9-7 -R

A few tables that are needed by Daloradius, have already been created earlier. Copy over the already unzippedfile daloradius.conf from the downloaded zipped file.
cp /root/daloradius.conf /var/www/daloradius-0.9-7/library/

Note: This file daloradius.conf has been modified for freeradius 2.x which, as of yet, is not being packaged by daloradius.

Now, simply adjust the MySQL database information in the DaloRadius config file.
vi /var/www/daloradius-0.9-7/library/daloradius.conf

Fill in the database details, few important parameters are listed below:
........... ...................... CONFIG_DB_ENGINE = mysql CONFIG_DB_HOST = 127.0.0.1 CONFIG_DB_USER = radius CONFIG_DB_PASS = radpass CONFIG_DB_NAME = radiusdb ....................... ............

Change ownership & permission:

Copyright 2011 All Rights Reserved.

HowtoForge

Page 8 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius chown apache.apache /var/ww/daloradius-0.9-7/library/daloradius.conf

http://www.howtoforge.com/

chmod 644 /var/www/daloradius-0.9-7/library/daloradius.conf

touch /tmp/daloradius.log

chown apache.apache /tmp/daloradius.log

Set up the apache server. Edit the /etc/httpd/conf/httpd.conf file and append this to the end of the file (customize to your likings):
Alias /myradius "/var/www/daloradius-0.9-7/" <Directory /var/www/daloradius-0.9-7/> Options None order deny,allow deny from all allow from 127.0.0.1 allow from <my management system's ip which has a web-browser> </Directory>

Save and exit. Restart the httpd server:

/etc/init.d/httpd restart

Copyright 2011 All Rights Reserved.

HowtoForge

Page 9 of 10

Authentication, Authorization & Accounting with FreeRadius & MySQL backend & web based Management with Daloradius

http://www.howtoforge.com/

Fire up Firefox (or any other borowser) and go to the URL http://<localhost or the managemet system's ip>/myradius. Log in with the administrator for management: username: administrator password: radius Change this information first for the sake of security (info is located in the operator table). Take Daloradius for a spin. You should have created an sqltest user earlier. You can also try adding new users and testing the connectivityfrom within the Daloradius frontend. Congratulations you are done. Again developers of FreeRadius, MySQL and Daloradius, do accept myhumble appreciation for all your efforts. Open source community, as always you rock, thanx. (Note: I haven't mentioned anything regarding setting upeap/ttls in this article. For that, just follow the section of settingup certificates and eap.conf from the below mentioned HowtoForge link.)

References:
http://freeradius.org/ http://wiki.freeradius.org/SQL_HOWTO http://sourceforge.net/projects/daloradius http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5 http://rpmfind.net//linux/RPM/fedora/devel/src/freeradius-2.0.5-1.fc10.src.html

Copyright 2011 All Rights Reserved.

HowtoForge

Page 10 of 10