Chitika

Thursday, March 1, 2012

Installing Freeradius on RedHat Enterprise Linux 5 Part2

In this post we will talk about some freeradius configuration files. Database connections, How to use freeradius as service.
As we have already installed freeradius from source and the config files are located in usr/local/etc/raddb. Now get back to freeradius source directory.
cd /home/araza/freeradius-server-2.1.12/redhet


In this directory you can find freeradius-radiusd-init script which can be used to stop/start/restart rediusd process. Copy that script to /etc/init.d directory. 
# cp freeradius-radiusd-init /etc/init.d/radiusd


Now open /etc/init.d/radiusd
# cd /etc/init.d/
# vi radiusd 
and change the following lines

exec=${exec:=/usr/sbin/$prog}
config_dir=${config_dir:=/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}
into
exec=${exec:=/usr/local/sbin/$prog}
config_dir=${config_dir:=/usr/local/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/usr/local/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}
Save Changes and exit from editor. Now we can easily stop/start/restart radiusd process.

You have at least one NAS server (Network Access Server) a system that Provide access to a network. 
Radius client is a term of NAS server. first of all we need to add your NAS to client list with a unique password. 

To do so we need to edit clients.conf file in /usr/local/etc/raddb

[root@localhost /]# cd /usr/local/etc/raddb/

[root@localhost raddb]# vi clients.conf 

Add following lines to clients.conf file

client 192.168.0.0/22 {
        secret = mysecret
        shortname = localnas
}
All IP's from network 192.168.0.0/22 will be able to use the radius server.

#client 0.0.0.0/0 {
#        secret = mysecret
#       shortname = mynas
#}
This means all IP's from all over the world can use this radius server which is not recommended.
To Allow only one IP
#client 192.168.0.10 {
#        secret = mysecret
#        shortname = mynas
#}
save changes and exit the clients.conf file. 
Open a new terminal window and start the radius server in debug mode. 
# radiusd -X

This mean that radius will allow NAS with IP addresses from network 192.168.0.0/22 with secret "mysecret" Press Ctrl+c to stop the radius server.
In case you want to use mysql with freeradius you should do next steps.
To know if mysql is installed type mysql -V.


[root@localhost ~]# mysql -V
mysql  Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (i386) using readline 5.1
You have mail in /var/spool/mail/root
(In case you do not have mysql installed you need to install it and run the freeradius setup)

First step is to create a database for radius. connect as root to you mysql server

[root@localhost ~]# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> 
Followed by the following commands.
mysql> CREATE USER 'radius'@'localhost' IDENTIFIED BY  'radpass'; 
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT USAGE ON * . * TO  'radius'@'localhost' IDENTIFIED BY  'radpass'; 
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE DATABASE IF NOT EXISTS  `radius` ; press enter
Query OK, 1 row affected (0.06 sec)
mysql> GRANT ALL PRIVILEGES ON  `radius` . * TO  'radius'@'localhost';  press enter
Query OK, 0 rows affected (0.01 sec)
mysql>

Exit mysql

Import mysql schema and nas from 
[root@localhost ~]# cd /usr/local/etc/raddb/sql/mysql/
[root@localhost /]# mysql -u radius -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql;
Enter password: 
Enter password for user radius (radpass) 
[root@localhost /]# mysql -u radius -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql;
Enter password: 
Enter password for user radius (radpass)
[root@localhost /]# 


First step After this process you will have some thing like following. Start mysql with user radius this will ask you for password for the user radius which is "radpass" 

[root@localhost ~]# mysql -u radius -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> USE radius;
Database changed
Database changed
mysql> SHOW TABLES;
+------------------+
| Tables_in_radius |
+------------------+
| radacct          | 
| radcheck         | 
| radgroupcheck    | 
| radgroupreply    | 
| radpostauth      | 
| radreply         | 
| radusergroup     | 
+------------------+
7 rows in set (0.00 sec)

mysql> 


Exit mysql.

Edit the file /usr/local/etc/raddb/sql.conf


# vi sql.conf 
  server = "localhost"
  login = "radius"
  password = "radpass"
  radius_db = "radius"

Enable SQL configuration in /usr/local/etc/raddb/radiusd.conf
[root@localhost raddb]# vi radiusd.conf
un-comment following line

$INCLUDE sql.conf
Enable SQL configuration is default enabled sites. /usr/local/etc/raddb/sites-enabled/default
[root@localhost /]# vi /usr/local/etc/raddb/sites-enabled/default 
authorize {
sql
}
accounting {
sql
}
session {
sql
}
post-auth {
sql
}



Now you can users in SQL tables and test those users via radtest utility. Delete the user "araza" from /usr/local/etc/raddb/users
Create a new user "araza" in sql


[root@localhost /]# mysql -u radius -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> USE radius;
Database changed
mysql> SHOW TABLES;
mysql> SHOW TABLES;
+------------------+
| Tables_in_radius |
+------------------+
| radacct          | 
| radcheck         | 
| radgroupcheck    | 
| radgroupreply    | 
| radpostauth      | 
| radreply         | 
| radusergroup     | 
+------------------+
7 rows in set (0.00 sec)
mysql> INSERT INTO radcheck (UserName , Attribute , op , Value ) VALUES ('araza', 'Cleartext-password', ':=', 'araza');  press enter
Query OK, 1 row affected (0.00 sec)
mysql> select * from radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | araza    | Cleartext-password | := | araza | 
+----+----------+--------------------+----+-------+
1 row in set (0.00 sec)

You can see a user "araza" with Cleartext=Password "araza" in radcheck table.
Start radius server in a new terminal window with debug mode. and run the following command
[root@localhost ~]# radtest araza araza 127.0.0.1 0 testing123


You can see Access-Accept message for the SQL user "araza" we have created in radcheck table. 

That's All for now. we will continue more configurations in next part.

Good Luck