Installation FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

Friends today we will see how to install FreeRADIUS server with Daloradius on Centos 7 and RHEL 7. So first of all we should know what is RADIUS and Daloradius?

What is RADIUS?

RADIUS, which stands for “Remote Authentication Dial In User Service”.RADIUS authentication and accounting protocols, which are UDP-based protocols. During the RADIUS authentication phase a network client connects to a network access server (NAS) and provides authentication credentials. The NAS then uses the authentication credentials to issue a RADIUS authentication request to the RADIUS server. The RADIUS server and the NAS will then exchange RADIUS authentication messages.

Once the authentication completes, the RADIUS server passes an “Accept” or “Reject” message to the NAS. The NAS will then permit or reject connection of the client to the network.

FreeRADIUS is a open source RADIUS server developed under the GNU General Public License. FreeRADIUS comes with web-based user administration tool and is modular, very scalable and rich sets of features.

What is Daloradius?

DaloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with Google Maps for Geo-locating.

Now let’s start installation process of FreeRADIUS and DaloRADIUS

SELINUX Setting:-

Before installations, I recommend turning off SELinux or setting it in permissive mode:-

[root@radius ~]# setenforce 0
[root@radius ~]# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
[root@radius ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@radius ~]#

Prerequisites:-

Update your CentOS 7 and install Deployment Tool. You can run this commands to update your CentOS and for Deployment Tool installation.

[root@radius ~]# yum -y update
[root@radius ~]# yum groupinstall "Development Tools" -y

Install httpd server

[root@radius ~]# yum -y install httpd httpd-devel

Once installation competed you can enable and start your HTTPD service using below commands. You can also check running status of HTTPD service using below commands. As like below screen shot.

[root@radius ~]# systemctl enable httpd
[root@radius ~]# systemctl start httpd
[root@radius ~]# systemctl status httpd

Installing and Configuring MariaDB

Now we are going to install and configure MariaDB 10.1.33, using below steps:-

Add MariaDB official repo content to CentOS 7 system

Add the below content in MariaDB.repo file and save the file.

[root@radius ~]#vi /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDBgpgcheck=1

Update system and install MariaDB to configure Database server

[root@radius ~]# yum -y update
[root@radius ~]# yum install -y mariadb-server mariadb

You will get prompted to install MariaDB GPG Signing key. Just press y to allow installation.

Start and enable MariaDB

[root@radius ~]# systemctl start mariadb
[root@radius ~]# systemctl enable mariadb

Check running and enabled status of MariaDB

[root@radius ~]# systemctl status mariadb
[root@radius ~]# systemctl is-enabled mariadb.service
 enabled

Configure initial MariaDB settings to secure it.

Here we will set root password. For security purposes, consider removing anonymous users and disallowing remote root login. You can see below example configuration. Key choices has been marked in bold.

[root@radius ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
[root@radius ~]#

Allow only local connection to mysql server. This is a security mechanism.

[root@radius ~]# vi /etc/my.cnf
 [mysqld]
 bind-address=127.0.0.1

Configure Database for freeradius

[root@radius ~]# mysql -u root -p -e " CREATE DATABASE radius"
[root@radius ~]# mysql -u root -p -e "show databases"
[root@radius ~]# mysql -u root -p
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye
[root@radius ~]#

Installing php 7 on CentOS 7

[root@radius ~]# cd ~
[root@radius ~]# curl 'https://setup.ius.io/' -o setup-ius.sh
[root@radius ~]# bash setup-ius.sh
[root@radius ~]# yum remove php-cli mod_php php-common
[root@radius ~]# yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
[root@radius ~]# apachectl restart

After installation you can check php version to confirm using below commands:-

[root@radius ~]# php -v

If php 7 fails to work for you, then you can install php 5 by running below commands. You have to first uninstall php 7 then you can try with php 5.

[root@radius ~]# yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml

HostGator Web Hosting

Installing FreeRADIUS

[root@radius ~]# yum -y install freeradius freeradius-utils freeradius-mysql

You have to start and enable freeradius with below commands, after successfully installation.

[root@radius ~]# systemctl start radiusd.service
[root@radius ~]# systemctl enable radiusd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

Now you can check the status:-

[root@radius ~]# systemctl status radiusd.service

Now we have to configure firewalld to allow radius and httpd packets in and out.
Radius server use udp ports 1812 and 1813. This can be confirmed by viewing the contents of the file /usr/lib/firewalld/services/radius.xml. You can cat this file and see.

[root@radius ~]# cat /usr/lib/firewalld/services/radius.xml

First start and enable firewalld for security

[root@radius ~]# systemctl enable firewalld
[root@radius ~]# systemctl start firewalld
[root@radius ~]# systemctl status firewalld

Confirm firewalld is running or not

[root@radius ~]# firewall-cmd --state
running

Add permanent rules to default zone to allow http,https and radius services

[root@radius ~]# firewall-cmd --get-services | egrep 'http|https|radius'
[root@radius ~]# firewall-cmd --add-service={http,https,radius} --permanent

Reload firewalld for changes to take effect

[root@radius ~]# firewall-cmd --reload

We can confirm that services were successfully added to default zone

[root@radius ~]# firewall-cmd --get-default-zone
public
[root@radius ~]# firewall-cmd --list-services --zone=public
dhcpv6-client http https radius ssh

You can see the three services present hence we are good to proceed.

[root@radius ~]# ss -tunlp | grep radiusd

If you want to run radius server in debug mode. You can run this command radiusd -X If debug mode is going to fail to bind to ports, you may have to kill radius server daemon first. You will get this types of massage if your radius server will fail to bind the port.

In this case you have to kill radius daemon first then you can start radiusd -X

[root@radius ~]# pkill radius

Then you can start radius server in debugging mode and you will see below massage if your radius service successfully run in debug mode.

[root@radius ~]# radiusd –X
----------------------------
----------------------------------
--------------------------------------
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 39556
Listening on proxy address :: port 52609
Ready to process requests

Configure FreeRADIUS

To Configure FreeRADIUS to use MariaDB, you can follow steps below:-

Import the Radius database scheme to populate radius database

[root@radius ~]# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Configure Radius at this point

First of all we have to create a soft link for SQL under /etc/raddb/mods-enabled

[root@radius ~]# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Then we can configure SQL module /raddb/mods-available/sql and change the database connection parameters to suitable our environment like this:-

sql section should be look similar to below.

[root@radius ~]# vi /etc/raddb/mods-available/sql
sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
 login = "radius"
 password = "radiuspassword"
# Database table configuration for everything except Oracle
radius_db = "radius"
}
# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes
# Table to keep radius client info
client_table = “nas”

Then change group right of /etc/raddb/mods-enabled/sql to radiusd:-

[root@radius ~]# chgrp -h radiusd /etc/raddb/mods-enabled/sql

Installing and Configuring Daloradius

Installing Daloradius

We can use Daloradius to manage our radius server. This is optional and should not be done before install FreeRADIUS. There are two ways to download daloradius, either from github or sourceforge.

Github method:-

[root@radius ~]# wget https://github.com/lirantal/daloradius/archive/master.zip
[root@radius ~]# unzip master.zip
[root@radius ~]# mv daloradius-master/ daloradius

Sourceforge way:-

[root@radius ~]# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
[root@radius ~]# tar zxvf daloradius-0.9-9.tar.gz
[root@radius ~]# mv daloradius-0.9-9 daloradius

Change directory for configuration

[root@radius ~]# cd daloradius

Configuring daloradius

Now import Daloradius mysql tables

[root@radius ~]# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
[root@radius ~]# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Configure daloRADIUS database connection details

[root@radius ~]# cd ..
[root@radius ~]# mv daloradius /var/www/html/

We need to change permissions for http folder and set the right permissions for daloradius configuration file.

[root@radius ~]# chown -R apache:apache /var/www/html/daloradius/
[root@radius ~]# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

Now we have to modify daloradius.conf.php file to adjust the MySQL database information . So let’s open the daloradius.conf.php and add the database username, password and db name.

[root@radius ~]# vi /var/www/html/daloradius/library/daloradius.conf.php

Especially relevant variables to configure are:

CONFIG_DB_USER

CONFIG_DB_PASS

CONFIG_DB_NAME

Make sure everything works, restart radiusd, httpd and mysql:

[root@radius ~]# systemctl restart radiusd.service
[root@radius ~]# systemctl restart mariadb.service
[root@radius ~]# systemctl restart httpd

If you have install php 7 then you can ignore php-pear installation. And you have to only run pear install DB.

[root@radius ~]# yum install php-pear
[root@radius ~]# pear install DB

We have completed installation and configuration of daloradius and freeradius. To access daloradius, open the link using your IP address, then you will get your radius dashboard.

http://ip-address/daloradius/login.php

Default login details are:
Username: administrator
Password: radius

In this tutorial we have seen how to install FreeRADIUS and DaloRADIUS. If you getting any issue in this steps, let us know. My pleasure to help you. 

 

5 thoughts on “Installation FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

      1. Hi Zafar, i have installed the freeradius and it is working in debug mode. How do I assign the IP address to this server so that my juniper Client can connect to it.

        Thanks

        1. Hi Simranjeet,

          You can add clinet detail in /etc/freeradius/clients.conf where client IP address and secret for client server like below.

          client IP/subnet {
          secret = juniper
          shortname = JUNOS-devices
          }

          Kindly let me know if any doubt.

          Best Regards
          Zafar

  1. Good tutorial except one problem…
    [root@test-radius ~]# pear install DB
    WARNING: “pear/DB” is deprecated in favor of “pear/MDB2”
    WARNING: channel “pear.php.net” has updated its protocols, use “pear channel-update pear.php.net” to update
    pear/DB requires package “pear/PEAR” (version >= 1.10.0), installed version is 1.9.4
    No valid packages found
    install failed

    Now what?

Leave a Reply

Your email address will not be published. Required fields are marked *