install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

August 8, 2016

31506

FreeRADIUS is an high performance ,open source RADIUS server developed under the GNU General Public License. FreeRADIUS is the most used RADIUS server in the world. FreeRADIUS comes with web based user administration tool and is modular, very scalable and rich sets of features. This is a how to install FreeRADIUS and Daloradius on CentOS 7

RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol – a system that defines rules and conventions for communication between network devices – for remote user authentication and accounting. RADIUS is normally used to provide AAA services; Authorization. Authentication and Accounting.

Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

Prerequisites:

Install httpd server

# yum -y update
# yum groupinstall "Development Tools" -y
# yum -y install httpd httpd-devel

Start and enable httpd server

# systemctl enable httpd
# systemctl start httpd

Check status of httpd server to make sure it’s running

[root@freeradius ~]# systemctl status httpd
 ● httpd.service - The Apache HTTP Server
 Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
 Active: active (running) since Sat 2016-08-06 22:03:15 UTC; 8s ago

Docs: man:httpd(8)

man:apachectl(8)

Main PID: 3824 (httpd)
 Status: "Processing requests..."
 CGroup: /system.slice/httpd.service

├─3824 /usr/sbin/httpd -DFOREGROUND
 ├─3825 /usr/sbin/httpd -DFOREGROUND
 ├─3826 /usr/sbin/httpd -DFOREGROUND
 ├─3827 /usr/sbin/httpd -DFOREGROUND
 ├─3828 /usr/sbin/httpd -DFOREGROUND
 └─3829 /usr/sbin/httpd -DFOREGROUND

Aug 06 22:03:15 freeradius systemd[1]: Starting The Apache HTTP Server...
 Aug 06 22:03:15 freeradius httpd[3824]: AH00558: httpd: Could not reliably determine th...age
 Aug 06 22:03:15 freeradius systemd[1]: Started The Apache HTTP Server.
 Hint: Some lines were ellipsized, use -l to show in full.

Installing and Configuring MariaDB

We’ll install and configure MariaDB 10, using steps below:

Add MariaDB official repo content to CentOS 7 system

# vim /etc/yum.repos.d/MariaDB.repo

Add the following contents to the file

[mariadb]
 name = MariaDB
 baseurl = http://yum.mariadb.org/10.1/centos7-amd64
 gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
 gpgcheck=1

Update system and install MariaDB to configure Database server

# yum -y update 
# yum install -y mariadb-server mariadb

You’ll be prompted to install MariaDB GPG Signing key. Just press y to allow installation.

Start and enable MariaDB to run on boot

# systemctl start mariadb
# systemctl enable mariadb

Check if running and if enabled

[root@radius ~]# systemctl status mariadb
[root@radius ~]# systemctl is-enabled mariadb.service
 enabled

Configure initial MariaDB settings to secure it. Here you’ll set root password. For security purposes, consider removing anonymous users and disallowing remote root login. See sample configuration shown below. Key choices are marked with red.

[root@freeradius ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB

SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
 password for the root user. If you've just installed MariaDB, and
 you haven't set the root password yet, the password will be blank,
 so you should just press enter here.

Enter current password for root (enter for none): 
 OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
 root user without the proper authorisation.

Set root password? [Y/n] Y
 New password: 
 Re-enter new password: 
 Password updated successfully!
 Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
 to log into MariaDB without having to have a user account created for
 them. This is intended only for testing, and to make the installation
 go a bit smoother. You should remove them before moving into a
 production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
 ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
 access. This is also intended only for testing, and should be removed
 before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
 will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
 installation should now be secure.

Thanks for using MariaDB!

Allow only local connection to mysql server. This is a security mechanism.

# vim /etc/my.cnf 
 [mysqld]
 bind-address=127.0.0.1

Configure Database for freeradius

# mysql -u root -p -e " CREATE DATABASE radius"
# mysql -u root -p -e "show databases"
# mysql -u root -p 
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye

Installing php 7 on CentOS 7

 cd ~
 curl 'https://setup.ius.io/' -o setup-ius.sh
 sudo bash setup-ius.sh
 sudo yum remove php-cli mod_php php-common
 sudo yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
 sudo apachectl restart

Check php version to confirm

# php -v
 PHP 7.0.9 (cli) (built: Jul 21 2016 11:48:03) ( NTS )
 Copyright (c) 1997-2016 The PHP Group
 Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies

If php 7 fails to work for you, try installing php 5 by running below commands. You’ll have to first uninstall php 7.

yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml

Installing FreeRADIUS

# yum -y install freeradius freeradius-utils freeradius-mysql
 Loaded plugins: fastestmirror
 Loading mirror speeds from cached hostfile
 * base: mirrors.linode.com
 * epel: ftp.osuosl.org
 * extras: mirrors.linode.com
 * ius: ius.mirror.constant.com
 * updates: mirrors.linode.com
 Resolving Dependencies
 --> Running transaction check
 ---> Package freeradius.x86_64 0:3.0.4-6.el7 will be installed
 --> Processing Dependency: libnaaeap.so.0()(64bit) for package: freeradius-3.0.4-6.el7.x86_64
 ---> Package freeradius-mysql.x86_64 0:3.0.4-6.el7 will be installed
 ---> Package freeradius-utils.x86_64 0:3.0.4-6.el7 will be installed
 --> Running transaction check
 ---> Package tncfhh-libs.x86_64 0:0.8.3-16.el7 will be installed
 --> Processing Dependency: tncfhh = 0.8.3 for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Processing Dependency: libxerces-c-3.1.so()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Processing Dependency: libtncutil.so.0()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Processing Dependency: liblog4cxx.so.10()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Running transaction check
 ---> Package log4cxx.x86_64 0:0.10.0-16.el7 will be installed
 ---> Package tncfhh.x86_64 0:0.8.3-16.el7 will be installed
 ---> Package tncfhh-utils.x86_64 0:0.8.3-16.el7 will be installed
 ---> Package xerces-c.x86_64 0:3.1.1-8.el7_2 will be installed
 --> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package Arch Version Repository Size
 =============================================================================================
 Installing:
 freeradius x86_64 3.0.4-6.el7 base 985 k
 freeradius-mysql x86_64 3.0.4-6.el7 base 81 k
 freeradius-utils x86_64 3.0.4-6.el7 base 188 k
 Installing for dependencies:
 log4cxx x86_64 0.10.0-16.el7 base 452 k
 tncfhh x86_64 0.8.3-16.el7 base 680 k
 tncfhh-libs x86_64 0.8.3-16.el7 base 160 k
 tncfhh-utils x86_64 0.8.3-16.el7 base 33 k
 xerces-c x86_64 3.1.1-8.el7_2 updates 878 k

Transaction Summary
 =============================================================================================
 Install 3 Packages (+5 Dependent packages)

Total download size: 3.4 M
 Installed size: 11 M
 Is this ok [y/d/N]: y
 Downloading packages:
 (1/8): freeradius-mysql-3.0.4-6.el7.x86_64.rpm | 81 kB 00:00:00 
 (2/8): freeradius-3.0.4-6.el7.x86_64.rpm | 985 kB 00:00:00 
 (3/8): freeradius-utils-3.0.4-6.el7.x86_64.rpm | 188 kB 00:00:00 
 (4/8): log4cxx-0.10.0-16.el7.x86_64.rpm | 452 kB 00:00:00 
 (5/8): tncfhh-0.8.3-16.el7.x86_64.rpm | 680 kB 00:00:00 
 (6/8): tncfhh-libs-0.8.3-16.el7.x86_64.rpm | 160 kB 00:00:00 
 (7/8): tncfhh-utils-0.8.3-16.el7.x86_64.rpm | 33 kB 00:00:00 
 (8/8): xerces-c-3.1.1-8.el7_2.x86_64.rpm | 878 kB 00:00:00 
 ---------------------------------------------------------------------------------------------
 Total 11 MB/s | 3.4 MB 00:00:00 
 Running transaction check
 Running transaction test
 Transaction test succeeded
 Running transaction
 Installing : log4cxx-0.10.0-16.el7.x86_64 1/8 
 Installing : xerces-c-3.1.1-8.el7_2.x86_64 2/8 
 Installing : tncfhh-utils-0.8.3-16.el7.x86_64 3/8 
 Installing : tncfhh-0.8.3-16.el7.x86_64 4/8 
 Installing : tncfhh-libs-0.8.3-16.el7.x86_64 5/8 
 Installing : freeradius-3.0.4-6.el7.x86_64 6/8 
 Installing : freeradius-mysql-3.0.4-6.el7.x86_64 7/8 
 Installing : freeradius-utils-3.0.4-6.el7.x86_64 8/8 
 Verifying : freeradius-mysql-3.0.4-6.el7.x86_64 1/8 
 Verifying : tncfhh-0.8.3-16.el7.x86_64 2/8 
 Verifying : xerces-c-3.1.1-8.el7_2.x86_64 3/8 
 Verifying : freeradius-utils-3.0.4-6.el7.x86_64 4/8 
 Verifying : tncfhh-libs-0.8.3-16.el7.x86_64 5/8 
 Verifying : freeradius-3.0.4-6.el7.x86_64 6/8 
 Verifying : log4cxx-0.10.0-16.el7.x86_64 7/8 
 Verifying : tncfhh-utils-0.8.3-16.el7.x86_64 8/8

Installed:
 freeradius.x86_64 0:3.0.4-6.el7 freeradius-mysql.x86_64 0:3.0.4-6.el7 
 freeradius-utils.x86_64 0:3.0.4-6.el7

Dependency Installed:
 log4cxx.x86_64 0:0.10.0-16.el7 tncfhh.x86_64 0:0.8.3-16.el7 
 tncfhh-libs.x86_64 0:0.8.3-16.el7 tncfhh-utils.x86_64 0:0.8.3-16.el7 
 xerces-c.x86_64 0:3.1.1-8.el7_2

Complete!

You have to start and enable freeradius to start at boot up.

# systemctl start radiusd.service
# systemctl enable radiusd.service
 
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

Now you can check the status:

# systemctl status radiusd.service

Also, configure firewalld to allow radius and httpd packets in and out
– Radius server uses udp ports 1812 and 1813. This can be confirmed by viewing the contents of the file /usr/lib/firewalld/services/radius.xml

# cat /usr/lib/firewalld/services/radius.xml

First start and enable firewalld for security

# systemctl enable firewalld
# systemctl start firewalld
# systemctl status firewalld

Confirm firewalld is running

# firewall-cmd --state
 running

Add permanent rules to default zone to allow http,https and radius services

# firewall-cmd --get-services | egrep 'http|https|radius'
# firewall-cmd --add-service={http,https,radius} --permanent
 success

Reload firewalld for changes to take effect

# firewall-cmd --reload

Confirm that services were successfully added to default zone

# firewall-cmd --get-default-zone 
 public
# firewall-cmd --list-services --zone=public 
 dhcpv6-client http https radius ssh

We can see the three services present hence we’re good to proceed.
Test radius server by running it in debug mode with option -X

# ss -tunlp | grep radiusd

If it’s running, debug mode will fail to bind to ports, you may have to kill radius server daemon first

# pkill radius

Then start radius server in debugging mode to see if it runs successfully:

# radiusd -X

<img class=”alignnone wp-image-959″ src=”https://computingforgeeks.com/wp-content/uploads/2016/08/start-radius-server-debug-mode-300×151.png” alt=”install FreeRADIUS” width=”563″ height=”284″ srcset=”https://computingforgeeks.com/wp-content/uploads/2016/08/start-radius-server-debug-mode-300×151.png 300w, https://computingforgeeks.com/wp-content/uploads/2016/08/start-radius-server-debug-mode.png 675w” sizes=”(max-width: 563px) 100vw, 563px” />

Configure FreeRADIUS

To Configure FreeRADIUS to use MariaDB, follow steps below.

Import the Radius database scheme to populate radius database

# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Configure Radius at this point

– First you have to create a soft link for SQL under /etc/raddb/mods-enabled

# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Configure SQL module /raddb/mods-available/sql and change the database connection parameters to suite your environment:

 # vim /etc/raddb/mods-available/sql

sql section should look similar to below.

sql {


driver = "rlm_sql_mysql"
dialect = "mysql"

# Connection info:

server = "localhost"

port = 3306
 login = "radius"
 password = "radiuspassword"

# Database table configuration for everything except Oracle

radius_db = "radius"
}

# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes

# Table to keep radius client info
client_table = “nas”

Then change group right of /etc/raddb/mods-enabled/sql to radiusd:

# chgrp -h radiusd /etc/raddb/mods-enabled/sql

Installing and Configuring Daloradius

Installing Daloradius

You can use Daloradius to manage radius server. This is optional and should not be done before install FreeRADIUS. There are two ways to download daloradius, either from github or sourceforge
Github method:

# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius

Sourceforge way:

# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar zxvf daloradius-0.9-9.tar.gz 
# mv daloradius-0.9-9 daloradius

Change directory for configuration

# cd daloradius

Configuring daloradius

Now import Daloradius mysql tables

# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Configure daloRADIUS database connection details:

# cd ..
# mv daloradius /var/www/html/

Then change permissions for http folder and set the right permissions for daloradius configuration file.

# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

You should now modify daloradius.conf.php file to adjust the MySQL database information . Therefore, open the daloradius.conf.php and add the database username, password and db name.

# vim /var/www/html/daloradius/library/daloradius.conf.php

Especially relevant variables to configure are:

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

To be sure everything works, restart radiusd,httpd and mysql:

# systemctl restart radiusd.service 
# systemctl restart mariadb.service 
# systemctl restart httpd

Up to this point, we’ve covered complete installation and configuration of daloradius and freeradius, to access daloradius, open the link using your IP address:

http://192.168.1.20/daloradius/login.php

Default login details are:
Username: administrator
Password: radius

Conclusion

You have learned how to Install FreeRADIUS, perform simple essential configurations and Installation of Daloradius which is a web based tool used to administer FreeRADIUS. You may have to consider further reading to be a guru in FreeRADIUS administration.