
RADIUS Howto

Scope

This guide describes how to install FreeRADIUS on Mandriva Linux 10.2 2005LE.

RADIUS was originally designed to handle the authentication of dialin users. It has become much more than that and is now used to authenticate all manner of mobile users for Cell Phones, WiFi, Wi-Max and yes, even Dialin users too.

FreeRADIUS is mainly documented in the configuration files. Most of the defaults are sane and can be left alone. The problem is figuring out which settings you need to change for your application. This guide describes the setup that I started with.

You have to read all the configuration files, readme files and the FAQ, in order to get some inkling of how this thing works. There is no escaping that. Consequently, the first time around, setting up this server will take a few days - guide, or no guide.


Prerequisites

First install mysql, including the dev package, to get the header files. You should also install checkinstall, so you can turn all this hard work into an RPM.

I installed mysqld-max, to ensure that I also have BerkeleyDB capability - not needed for this project though. Install the following RPMs from the 10.2 distribution CDs:

libmysql
mysql-max
mysql-client
mysql-common
perl-db-mysql
php-mysql
mysqlcc
libmysqlxxx-devel

You also need some tools, to debug RADIUS, therefore also install:

libradius
radiusclient-utils

Finally, run the Web Server wizard, to install Apache. This will configure Apache with PHP and Perl support, exactly the way we need it. If you can't find the web server wizard, run rpmdrake and search for 'wizard' - install the additional wizards, then run drakconf and you'll find quite a few more handy server wizards.

Now we can get down to business.


Get RADIUS

You can get FreeRADIUS from, you guessed it, http://www.freeradius.org. It includes the Web GUI configuration tool Dialin Admin. Save it somewhere, untar it and let the fun begin:

# tar -zxvf freeradius-1.0.4.tar.gz
# cd freeradius-1.0.4
# ./configure --localstatedir=/var --sysconfdir=/etc
# make
# checkinstall
# rpm -ivh freeradius-1.0.4-1.i386.rpm

This will install RADIUS using basic flat files for its configuration. That is perfectly acceptable for a small system with a hundred or so users. However, whenever you change a configuration file to add a new user, you would need to restart RADIUS, which is clunky. A better solution is to use a database backend. We'll get to that later; first let's get RADIUS to work in its basic mode.


Text File Configuration

This is quite simple. You need to change only three files. In /etc/raddb/radiusd.conf, uncomment the following:

passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group

I suggest that you also set the system to minimize calls to tech support:

lower_user = after
lower_pass = after
nospace_user = after
nospace_pass = after

Also set your domainname to whatever it should be and select plain text passwords. It is not very secure to have plain text passwords, but it is much preferred from a support point of view.

In /etc/raddb/clients.conf, set the shared secret:

secret = yoursharedsecret

Note that some equipment has a 16 character limit on the shared secret, so don't make it too long.

In /etc/raddb/users add one simple test user entry. We are going to use Mr John Doe a lot still, so give him a proper password:

johndoe     Auth-Type := Local, User-Password == "johndoepassword"
            Reply-Message = "Hello, %u"

Be sure to use lower case and no spaces in user names and passwords, in order to minimize calls to tech support.
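The three files above hold a shared secret and plain-text passwords, so it is worth checking them mechanically after every edit. The script below is an added example, not part of FreeRADIUS or of the original guide: it audits a raddb directory against the rules just given (shared secret no longer than 16 characters, lower-case user names and passwords without spaces, and credential files not readable by other users). The function names and the finding messages are my own; the parsing assumes the plain 'users' and 'clients.conf' layout shown above.

```shell
#!/bin/sh
# audit_raddb DIR: sanity-check a FreeRADIUS flat-file configuration directory.
# Hypothetical helper (not shipped with FreeRADIUS). Prints one finding per
# line and returns 1 when anything was found, 0 when the directory is clean.

# Report shared secrets in clients.conf longer than 16 characters.
# Only the length is printed; the secret itself never appears in the report.
check_secrets() {
    sed -nE 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$1" |
    while read -r secret; do
        if [ "${#secret}" -gt 16 ]; then
            echo "clients.conf: a shared secret is ${#secret} characters long; some NAS equipment truncates at 16"
        fi
    done
}

# Entry lines in 'users' start in column 1 with the user name; continuation
# lines are indented. DEFAULT entries are legitimately upper-case and skipped.
check_users() {
    grep -E '^[^[:space:]#]' "$1" | while read -r name rest; do
        if [ "$name" = DEFAULT ]; then
            continue
        fi
        printf '%s' "$name" | grep -qE '^[a-z0-9._-]+$' ||
            echo "users: user name '$name' is not lower-case letters, digits and ._- only"
        # pull the quoted value out of  User-Password == "..."  (or := / =)
        pw=$(printf '%s' "$rest" |
             sed -nE 's/.*User-Password[[:space:]]*[:=]?=[[:space:]]*"([^"]*)".*/\1/p')
        case $pw in
            *" "*|*[A-Z]*) echo "users: password for '$name' contains spaces or upper-case letters" ;;
        esac
    done
}

# The 'other' permission bits are columns 8-10 of ls -l output.
check_mode() {
    other=$(ls -ld "$1" | cut -c8-10)
    if [ "x$other" != "x---" ]; then
        echo "$(basename "$1"): readable by other users (mode $(ls -ld "$1" | cut -c1-10)) but holds plain-text credentials"
    fi
}

audit_raddb() {
    dir=$1
    report=$(
        if [ -f "$dir/clients.conf" ]; then
            check_secrets "$dir/clients.conf"
            check_mode "$dir/clients.conf"
        fi
        if [ -f "$dir/users" ]; then
            check_users "$dir/users"
            check_mode "$dir/users"
        fi
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run it as 'audit_raddb /etc/raddb' after editing; an empty report and a zero exit status mean the files follow the rules above. Group-readable files are deliberately not flagged, since radiusd may run under its own group.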


Simple RADIUS Test

Run the server in debug mode in one console, so you can watch the error messages, then connect to it from another console, using the radtest utility:

# radiusd -X
# radtest johndoe johndoepassword localhost 1812 yoursharedsecret

It should respond with "rad_recv: Access Accept packet...". If not, check the error messages in the other console.

There is also a more powerful, but more obscure utility called radclient. The syntax for this one is quite arcane and the man page is wrong in some respects. Here is an example that I figured out by trial and terror:

# echo "User-Name=johndoe,User-Password=johndoepassword" | radclient -x localhost auth yoursharedsecret

That should do the same as the radtest example. Radclient can also exercise the accounting features, by using the 'acct' command, but I could not figure out how to make it work. However, replacing 'auth' with 'acct' in the above command will prove that the accounting module is at least trying to do something.
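The radtest check above is easy to script, which is handy when you want to re-run it after every configuration change or from a monitoring job. The following is an added example (my own helper, not part of FreeRADIUS or radiusclient-utils): classify_reply reads radtest or radclient output and reports ACCEPT, REJECT or NONE; check_reply_message confirms that the per-user Reply-Message from the 'users' entry came back, so you know that entry matched and not some DEFAULT entry; radius_smoke_test wires both to radtest. The sample output embedded below is constructed to look like radtest 1.x output, not captured from a server.

```shell
#!/bin/sh
# Hypothetical smoke-test helpers for the radtest step (not FreeRADIUS code).

# Constructed sample output in the radtest 1.x style (not from a real server).
SAMPLE_ACCEPT='Sending Access-Request of id 42 to 127.0.0.1 port 1812
        User-Name = "johndoe"
        User-Password = "johndoepassword"
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=42, length=36
        Reply-Message = "Hello, johndoe"'

SAMPLE_REJECT='Sending Access-Request of id 43 to 127.0.0.1 port 1812
        User-Name = "johndoe"
        User-Password = "wrong"
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=43, length=20'

# classify_reply: read radtest/radclient output on stdin, print the verdict.
# NONE covers a timeout, a wrong port and a wrong shared secret: with a bad
# secret the server silently discards the request, so nothing comes back.
classify_reply() {
    reply=$(cat)
    case $reply in
        *"rad_recv: Access-Accept"*) echo ACCEPT ;;
        *"rad_recv: Access-Reject"*) echo REJECT ;;
        *)                           echo NONE ;;
    esac
}

# check_reply_message USER < output: succeed only if the reply carries the
# "Hello, USER" message that the users entry above sends back.
check_reply_message() {
    grep -q "Reply-Message = \"Hello, $1\""
}

# radius_smoke_test USER PASSWORD SERVER SECRET
# Returns 0 only for an Access-Accept that carries the expected Reply-Message,
# 1 for any other reply, 2 if radtest is not installed.
radius_smoke_test() {
    user=$1 pass=$2 server=$3 secret=$4
    if ! command -v radtest >/dev/null 2>&1; then
        echo "radtest not found; install radiusclient-utils first" >&2
        return 2
    fi
    output=$(radtest "$user" "$pass" "$server" 1812 "$secret" 2>&1)
    verdict=$(printf '%s\n' "$output" | classify_reply)
    echo "$server: $verdict for $user"
    [ "$verdict" = ACCEPT ] || return 1
    printf '%s\n' "$output" | check_reply_message "$user"
}
```

Typical use is 'radius_smoke_test johndoe johndoepassword localhost yoursharedsecret' right after 'radiusd -X' is up; a NONE verdict almost always means the shared secret in clients.conf and the one on the command line differ.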


Maintenance Configuration

There are a couple of useful scripts in the redhat directory. Copy the following:

# cp radiusd-logrotate /etc/logrotate.d/radiusd
# cp rc.radiusd-redhat /etc/init.d/radiusd

Note that the path in the radiusd start script is wrong. Edit the file and change it to '/usr/local/sbin/radiusd'. Now you can start or stop radiusd the usual way with 'service radiusd start', 'stop' or 'restart'. You also need to create a directory where radiusd can store the pid file when it starts up, else it simply won't run and you'll be left wondering why:

# mkdir /var/run/radiusd

Radiusd creates a log file in /var/log/radius and you can watch it with:

# tail -f /var/log/radius/radius.log

Configure MySQL

By now, you will have a better feel for RADIUS and can add the database backend. First, you have to define the users and passwords, then create a radius database and finally, you can use a script to create the tables, so this is not too difficult - just the usual slew of gotchas...

When you install the Mandriva MySQL RPM files, it will execute a 'mysql_install_db' command for you and the root user will get a default account with the password 'mysql' - you have to change that. For security reasons, network access to MySQL will be disabled - you can leave it disabled.

Start MySQL with the command 'service mysql-max start'. It should go without much ado about nothing.

The databases are created in /var/lib/mysql. Each database is a subdirectory here. The mysql subdirectory contains the MySQL configuration - users and passwords for example - so don't delete it...

The most basic utility for MySQL configuration is aptly named 'mysql' and that is the one we shall use from now on. Create the radius database and set up some users. The dialupadmin user is used later for the web GUI and at this stage is restricted to localhost - MySQL networking is still stopped too - first get things to work, before you give the whole wide world access:

# mysql -u root -p mysql
> set password for 'root'@'localhost' = password('yourrootpassword');
> quit

# mysql -u root -pyourrootpassword
> create database radius;
> grant all privileges on radius.* to 'dialupadmin'@'localhost' identified by 'adminpassword' with grant option;

Now create the tables using the carefully hidden script src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql. Someone really went to great lengths to hide that one...

The next problem is that the script is a wee bit buggy, so we have to fix it first. Edit the file and properly comment out the last 'nas' table. The comments say that the last two tables are deprecated and commented out, but someone undid some of it, so you have to redo it, else you will get some weird syntax errors. Finally, create your tables:

cd src/modules/rlm_sql/drivers/rlm_sql_mysql
mysql -u root -pyourrootpassword radius < db_mysql.sql

You should end up with these tables:

# mysql
mysql> use radius;
Database changed
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| usergroup        |
+------------------+
8 rows in set (0.00 sec)

Now we need to enable the SQL features in the RADIUS configuration file /etc/raddb/sql.conf and radiusd.conf. Edit sql.conf and ensure that the root password is defined. Then scroll through radiusd.conf and uncomment 'sql' in the 'authorize' and 'accounting' sections. Also comment out 'files' and 'unix' in those sections, else RADIUS will still try to use the flat files and you'll be left wondering why SQL won't work. Now you can restart radiusd in debug mode and see what happens.
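With 'sql' enabled in the authorize section, radiusd looks users up in the radcheck and radreply tables instead of the flat 'users' file, and adding a user no longer needs a restart. The helper below is an added example of my own (not FreeRADIUS code and not from this guide): it emits the INSERT statements that give a user the same check and reply items as the flat-file entry for johndoe above. It assumes the column names of the 1.0.x db_mysql.sql schema (UserName, Attribute, op, Value); check them against your copy of the script. User names are validated against the lower-case rule from earlier, and every value is quoted as a MySQL string literal, so a name or password taken from a web form or a support ticket cannot alter the statement.

```shell
#!/bin/sh
# Hypothetical helpers that generate SQL for the FreeRADIUS MySQL backend.

# Quote a value as a MySQL string literal: escape backslashes, double single quotes.
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")"
}

# Only the lower-case, space-free names recommended above are accepted.
valid_user_name() {
    printf '%s' "$1" | grep -qE '^[a-z0-9._-]{1,64}$'
}

# radius_sql_add_user USER PASSWORD: SQL on stdout, status 1 on a bad name.
# 1.0.x stores the clear-text password as a User-Password == check item, the
# same attribute the flat-file entry used; the greeting goes into radreply.
radius_sql_add_user() {
    user=$1 pass=$2
    if ! valid_user_name "$user"; then
        echo "refusing user name '$user': use lower-case letters, digits and ._- only" >&2
        return 1
    fi
    q_user=$(sql_quote "$user")
    printf 'INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (%s, %s, %s, %s);\n' \
        "$q_user" "'User-Password'" "'=='" "$(sql_quote "$pass")"
    printf 'INSERT INTO radreply (UserName, Attribute, op, Value) VALUES (%s, %s, %s, %s);\n' \
        "$q_user" "'Reply-Message'" "'='" "$(sql_quote "Hello, $user")"
}

# radius_sql_del_user USER: SQL that removes every row belonging to the user.
radius_sql_del_user() {
    valid_user_name "$1" || return 1
    for t in radcheck radreply usergroup; do
        printf 'DELETE FROM %s WHERE UserName = %s;\n' "$t" "$(sql_quote "$1")"
    done
}
```

Pipe the output into 'mysql -u dialupadmin -p radius' and then repeat the radtest from earlier; the reply should again carry "Hello, johndoe", this time served from the database.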


Test the MySQL RADIUS

Restart the server in debug mode with 'radiusd -X' and repeat the tests done earlier. The messages returned should show that the server connects to MySQL, and everything should work as before. If not, read the messages returned; they will tell you exactly what is amiss.


Install Dialup Admin

Right, we got the server, the database backend and we did battle on the command line to understand how it all works. Now it is time for a nice looking front end to kiss the CLI goodbye.

Dialup Admin needs to be copied to /usr/local from wherever you untarred FreeRADIUS. Then we need to configure Apache and add some simple access control with HTTP Basic authentication, using an htpasswd file.

First copy the whole kaboodle:

# cp -a dialup_admin /usr/local

Now set up a link from the Apache html directory to here. By default, Apache is configured to follow links:

# ln -s /usr/local/dialup_admin /var/www/html/dialup

Now we need to add some security using an htpasswd file. This is done using the Apache 'htpasswd' utility:

htpasswd -cm /var/www/.htpasswd johndoe

The '-c' switch creates the file, so only use it the first time; when you add more users, use only '-m'. To make this work, we also need to add something to the bottom of the Apache configuration file /etc/httpd/conf/httpd2.conf:

### MyDialupAdmin
<Directory /var/www/html/dialup>
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /var/www/.htpasswd
    require valid-user
</Directory>

Finally restart Apache with 'service httpd restart'. It should come up without much ado and we can now configure Dialup Admin in /usr/local/dialup_admin/conf/admin.conf.

Set the following parameters so you can connect to RADIUS and MySQL - and there is our old friend Mr John Doe again too:

general_domain: yourdomain
general_test_account_login: johndoe
general_test_account_password: johndoepassword
sql_username: dialupadmin
sql_password: youradminpassword
general_encryption_method: clear

You can now test Dialup Admin with Konqueror, by browsing to the URL http://localhost/dialup and it should present you with a login prompt, followed by Dialup Admin itself.

By default, debug is enabled. Once things are working, change this line:

sql_debug: false

La Voila!


'Hope this helps!

Herman



Copyright © 2005-2008, Aerospace Software Ltd., GPL.