FreeRadius install howto (3)

In this post I will cover the FreeRadius config files, the database connection, basic instructions for inserting users into the database, etc. Before you start, I recommend reading part 1 and part 2.

I assume you are using an RH-based distro (Red Hat, CentOS, Fedora, ...) and have already installed FreeRadius from source (the config files are located in /usr/local/etc/raddb/). Now let's go back to the FreeRadius source dir (the place where you extracted the tar.gz).

Inside the redhat dir you can find the freeradius-radiusd-init script, which can be used to easily start/stop the radiusd process. Copy this script to the /etc/init.d/ dir:

# cp freeradius-radiusd-init /etc/init.d/radiusd

Now open the /etc/init.d/radiusd script and change the following lines

exec=${exec:=/usr/sbin/$prog}
config_dir=${config_dir:=/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}

into

exec=${exec:=/usr/local/sbin/$prog}
config_dir=${config_dir:=/usr/local/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/usr/local/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}

Save the changes and exit the editor. (Notice that we only changed the prefix from / to /usr/local/.)

Now you can easily start/stop the radiusd process.

[root@ms /]# service radiusd
Usage: /etc/init.d/radiusd {start|stop|status|restart|condrestart|try-restart|reload|force-reload}

Also, you can run chkconfig --level 235 radiusd on to start radiusd on boot.

Now let's get back to our setup.

I assume you have at least one NAS. (A Network Access Server (NAS) is a system that provides access to a network; it is sometimes also called a Terminal Server or Remote Access Server (RAS).) The NAS is a CLIENT of your radiusd server, so please do not mix up users and clients. FreeRadius doesn't interact with your users directly, so “radius client” is just another term for NAS.

The first step is to add your NAS to the client list and give it a unique password (shared secret). Inside clients.conf (/usr/local/etc/raddb/clients.conf) you can find the following lines

#client 192.168.0.0/24 {
#       secret          = testing123-1
#       shortname       = private-network-1
#}

Uncomment those lines and set the client IP address according to your addressing. In the example shown above, all IPs from the 192.168.0.0/24 network will be able to use your radiusd server.

You can allow any IP with

client 0.0.0.0/0 {
       secret          = mysecret
       shortname       = myNAS
}

which means every IP in the world can use my radius server (not recommended)…

To allow only one IP (in this case 192.168.0.15):

client 192.168.0.15 {
       secret          = mysecret
       shortname       = myNAS
}
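As an added example (not part of the original post), here is a small Python script that parses client blocks written in the style shown above and flags the two things this post warns about: a 0.0.0.0/0 client, which lets every IP in the world talk to the server, and a secret that is still one of the example defaults. The sample clients.conf text is constructed for this example, and DEFAULT_SECRETS is my own list built from the testing123 values that appear on this page.

```python
import ipaddress
import re

# Constructed sample clients.conf, modelled on the blocks shown in the post.
SAMPLE_CLIENTS_CONF = """
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        shortname = localhost
}
client 0.0.0.0/0 {
       secret          = mysecret
       shortname       = myNAS
}
client 192.168.0.15 {
       secret          = "s3cr3t-change-me"
       shortname       = "myNAS"
}
#client 192.168.0.0/24 {
#       secret          = testing123-1
#       shortname       = private-network-1
#}
"""

# Example secrets that ship in the stock clients.conf (from this page), which
# must never survive into a real deployment.
DEFAULT_SECRETS = {"testing123", "testing123-1"}

CLIENT_START = re.compile(r"client\s+(\S+)\s*\{")


def parse_clients(text):
    """Return a list of (block name, {option: value}) for each uncommented client block."""
    clients = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blank and commented lines
            continue
        m = CLIENT_START.match(line)
        if m:
            current = (m.group(1), {})
            continue
        if line == "}" and current is not None:
            clients.append(current)
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = value.strip('"')     # values may be bare or quoted
    return clients


def audit_clients(text):
    """Return (block name, finding) pairs for risky client definitions."""
    findings = []
    for name, opts in parse_clients(text):
        # An explicit ipaddr option overrides the block name (e.g. "client localhost").
        target = opts.get("ipaddr", name)
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            net = None                              # block name was not an address
        if net is not None and net.prefixlen == 0:
            findings.append((name, "matches every source address"))
        secret = opts.get("secret", "")
        if not secret:
            findings.append((name, "no shared secret set"))
        elif secret in DEFAULT_SECRETS:
            findings.append((name, "uses a default example secret"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_clients(SAMPLE_CLIENTS_CONF):
        print(f"client {name}: {finding}")
```

Run it against your own file with `audit_clients(open("/usr/local/etc/raddb/clients.conf").read())`; the commented-out 192.168.0.0/24 block is correctly ignored, while the localhost block (still on testing123) and the 0.0.0.0/0 block are both reported.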

Delete the user Cleartext-Password := “password” line from the users file, because we don't need it any more.

Stop radiusd and start it in debugging mode (radiusd -X).

You should see lines similar to these:

...............
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 192.168.0.15 {
        require_message_authenticator = no
        secret = "mysecret"
        shortname = "myNAS"
 }
...........

This means that radiusd will accept the NAS with IP address 192.168.0.15 and secret mysecret. Press Ctrl+C to stop radiusd.

If you want to use MySQL with FreeRadius, follow the next steps. First of all, you need to create a database for FreeRadius.

Connect to MySQL as root and run the following queries:

CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radpass';
GRANT USAGE ON *.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
CREATE DATABASE IF NOT EXISTS `radius`;
GRANT ALL PRIVILEGES ON `radius`.* TO 'radius'@'localhost';

Another option is to use the admin.sql script from the raddb/sql/mysql dir:

CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');
GRANT SELECT ON radius.* TO 'radius'@'localhost';
GRANT ALL ON radius.radacct TO 'radius'@'localhost';
GRANT ALL ON radius.radpostauth TO 'radius'@'localhost';

This script sets slightly safer permissions: the radius user can only read the tables and write to radacct and radpostauth. (Do not forget to change the default username/password shown above.)

The next step is to import the default FreeRadius tables (the sql files can be found inside the raddb/sql/mysql dir). You should import nas.sql and schema.sql. nas.sql creates a table for your NASes. It is much easier to maintain the NAS list inside the database than inside clients.conf. Also, you can add more fields to the nas table so you can do other operations with your NAS.

After these operations you should have something like:

[root@ms mysql]# mysql -u radius -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23387
Server version: 5.0.77-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> USE radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SHOW TABLES;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
8 rows in set (0.00 sec)

mysql>

Now we have a working database and we need to configure FreeRadius to use SQL.

radiusd.conf

Open the radiusd.conf file (/usr/local/etc/raddb/radiusd.conf) and uncomment the $INCLUDE sql.conf line inside the modules section. Save the changes and exit.

sql.conf

Open sql.conf and edit the following lines

        # Connection info:
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "radpass"
 
        # Database table configuration for everything except Oracle
        radius_db = "radius"

to fit your settings (database name, username and password).

dialup.conf

Then open /usr/local/etc/raddb/sql/mysql/dialup.conf and find the following lines (near the end):

 # Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) \
                             FROM ${acct_table1} \
                             WHERE username = '%{SQL-User-Name}' \
                             AND acctstoptime IS NULL"

Sometimes you will need to check users for simultaneous use; uncommenting sql in the session section and uncommenting the query shown above lets you do this.
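To show what that query actually decides, here is an added Python example (not from the original post or from FreeRADIUS itself) that runs the simul_count_query above against a reduced radacct table in SQLite. The table, the sample sessions and the fixed clock are constructed for this example; ${acct_table1} is assumed to expand to radacct as in the stock sql.conf, and the '%{SQL-User-Name}' xlat is replaced by a bound parameter. It also shows the classic failure mode of this check: a lost Accounting-Stop leaves an open row behind that keeps counting against the user until someone closes it.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed expansion of ${acct_table1} (the stock sql.conf sets it to "radacct").
ACCT_TABLE1 = "radacct"

# Reduced radacct: only the columns this check touches. The real schema.sql
# has many more. Constructed for this example.
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid TEXT NOT NULL,
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    acctstarttime TEXT NOT NULL,
    acctstoptime  TEXT
);
"""

# The dialup.conf simul_count_query, with a bound parameter instead of the
# '%{SQL-User-Name}' xlat so the username is never spliced into the SQL text.
SIMUL_COUNT_QUERY = (
    f"SELECT COUNT(*) FROM {ACCT_TABLE1} "
    "WHERE username = ? AND acctstoptime IS NULL"
)

TIME_FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2011, 1, 1, 12, 0, 0)   # fixed clock so the results are reproducible


def fmt(ts):
    return None if ts is None else ts.strftime(TIME_FMT)


def make_db():
    """In-memory radacct populated with constructed sessions (stop=None means still open)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sessions = [
        ("sess-1", "alice", "192.168.0.15", NOW - timedelta(hours=2), NOW - timedelta(hours=1)),
        ("sess-2", "alice", "192.168.0.15", NOW - timedelta(minutes=30), None),
        ("sess-3", "alice", "192.168.0.16", NOW - timedelta(minutes=5), None),
        ("sess-4", "bob",   "192.168.0.15", NOW - timedelta(minutes=10), None),
    ]
    conn.executemany(
        f"INSERT INTO {ACCT_TABLE1} "
        "(acctsessionid, username, nasipaddress, acctstarttime, acctstoptime) "
        "VALUES (?, ?, ?, ?, ?)",
        [(s, u, n, fmt(start), fmt(stop)) for s, u, n, start, stop in sessions],
    )
    conn.commit()
    return conn


def open_session_count(conn, username):
    """Exactly what simul_count_query returns for one user."""
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_allowed(conn, username, simultaneous_use):
    """The session-section decision: reject once open sessions reach Simultaneous-Use."""
    return open_session_count(conn, username) < simultaneous_use


def record_stop(conn, acctsessionid, stop_time):
    """Apply an Accounting-Stop: close the row so it stops counting."""
    conn.execute(
        f"UPDATE {ACCT_TABLE1} SET acctstoptime = ? "
        "WHERE acctsessionid = ? AND acctstoptime IS NULL",
        (fmt(stop_time), acctsessionid),
    )
    conn.commit()


def stale_open_sessions(conn, now, max_age_minutes):
    """Open rows older than max_age_minutes. A lost Accounting-Stop leaves such rows
    behind and they lock the user out; the threshold is a hypothetical choice."""
    rows = conn.execute(
        f"SELECT acctsessionid, acctstarttime FROM {ACCT_TABLE1} WHERE acctstoptime IS NULL"
    ).fetchall()
    limit = timedelta(minutes=max_age_minutes)
    return [sid for sid, start in rows
            if now - datetime.strptime(start, TIME_FMT) > limit]


if __name__ == "__main__":
    db = make_db()
    print("alice open sessions:", open_session_count(db, "alice"))
    print("alice allowed with Simultaneous-Use=2:", simultaneous_use_allowed(db, "alice", 2))
    print("stale (>20 min):", stale_open_sessions(db, NOW, 20))
```

FreeRADIUS does more than this count when sql is enabled in the session section (it also runs simul_verify_query and, where configured, asks the NAS whether the session is real); this example only shows why an open row with a NULL acctstoptime is what decides the answer, and why stale rows need cleaning up.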

default

Now open /usr/local/etc/raddb/sites-available/default and uncomment the sql lines inside the authorize, accounting and session sections. You can uncomment sql inside the post-auth section too if you want to log login attempts (note that this is not recommended for production servers: the database can grow and eat up all free space if someone tries to brute-force your NAS).

Then comment out the following lines: files inside the authorize section; detail, unix and radutmp inside the accounting section; and radutmp inside the session section.

Please note that the lines we commented out above are not important for now, and commenting them out can improve performance. Also, note that detail should remain uncommented if you want a ‘detail’ed log of the packets for accounting requests. You will need this if you want to proxy accounting to another server.

Then save the file and check your config with radiusd -X (debugging mode).

After this you should see something like:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4

which means your FreeRadius server successfully connected to the MySQL database.

There are hundreds of options inside the files shown above and it is impossible to explain all of them. Read the comments inside the config files and try to figure them out yourself. If you're using another database schema, you will need to set up sql.conf and dialup.conf according to your tables. All parameters are editable and very easy to understand. For example, if you have a large number of users (1000-xxxx), open sql.conf and increase num_sql_socks from 5 to 15 or 20.

You should not change/delete any other lines in the config file without reading and understanding the comments!

Populating tables and testing

This is the most important part. Before you continue, you need to know what you actually want from FreeRadius: which kind of connections you expect, etc. Also, you need to know something about tables, attributes, operators, etc.

That's it for now… Next time we will add some users to the database and see what we can do.

Stay tuned…

21 thoughts on “FreeRadius install howto (3)”

  1. Thanks for your nice share. I am managing a network and I have the scenario in which my wireless clients are assigned IPs through DHCP. I am using squid as a proxy server and also have a MS Domain Controller. I want to integrate the freeradius with the domain controller to authenticate the wireless clients… Help me regarding the same… Thanks in advance

  2. I should first apologise that I will be so disturbing, sort of. Thanks for your help on stage 2. I am new to Linux and happen to have our institution's radius server crashed. I can't get fast help from our network admins, who are both not available and won't be around for the next 8 months; temporary network admin recruitment is pending and I have all this mess to sort out. I am running Fedora Core 15 and I downloaded freeradius-server-2.1.11. OKAY NOW MY PROBLEM IS I get this error when I run the cp command (cp: cannot stat `freeradius-radiusd-init': No such file or directory). I went to the Downloads directory, then to the freeradius-server-2.1.11 dir, ran ls, but can't find any file like “init.d” or radiusd. I don't know, I am astray; maybe help me get this running. I also wanted to know how I could combine freeradius with daloradius for its web interface. Thanks in advance

  3. Never mind, I took time again trying to understand what you meant. You meant that in the extracted files of the freeradius-server dir there is also a directory redhat, and then whilst inside that directory run the copy command. Now it worked. Sorry I am such a bother.

  4. OKAY, AFTER RUNNING nano /etc/init.d/radiusd I get the following script. I don't know where to start changing and which are the next lines. I am sorry again, I am totally an amateur.

    #!/bin/sh
    #
    # radiusd Start/Stop the FreeRADIUS daemon
    #
    # chkconfig: - 88 10
    # description: Extensible, configurable, high performance RADIUS server.

    ### BEGIN INIT INFO
    # Provides: radiusd
    # Required-Start: $network
    # Required-Stop:
    # Default-Start:
    # Default-Stop:
    # Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
    # Should-Stop:
    # Short-Description: FreeRADIUS server
    # Description: Extensible, configurable, high performance RADIUS server.
    ### END INIT INFO

  5. Getting stuck trying, then later figuring it out through trial and error, but now I surely don't know which commands to run to import the nas.sql and schema.sql. lol

  6. Please do not spam this blog with your questions.

    You need to learn the basic Linux commands.

    That can be done in less than 1 hour….

  7. Last time I posted here I didn't know what I was asking and filled this blog with all kinds of stupid questions, but now I don't have much to say. I came here simply to say thanks. With your blog I have managed to build three stable radius servers, 2 managed by daloradius and one used as a wifi billing hot-spot. 3 months ago I didn't know anything; it's amazing how others can inspire you to read and work hard. The third one works great with mikrotik 5.7. You earn all the credit, much thanks xxxxx, just gave you a five star score

  8. Hi, I have encountered this problem. Could you please advise?

    Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
    Make sure it (and all its dependent libraries!) are in the search path of your system’s ld.
    /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module “sql”
    /usr/local/etc/raddb/sites-enabled/default[177]: Failed to load module “sql”.
    /usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.

  9. If you installed via yum then you didn't install the freeradius-mysql package. If you installed from source then you should check the ./configure part and you'll be able to see where the problem is.

    Without more details it is impossible to see where the problem is…

  10. I had that issue ASH.. Installing mysql-devel via yum does the trick. Just remember to ./configure once that package is installed; the build of rlm_sql_mysql.so requires that package.

  11. I have the same error as above:
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
    rlm_sql_mysql: Starting connect to MySQL server for #17
    rlm_sql (sql): Connected new DB handle, #17
    rlm_sql (sql): starting 18
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
    rlm_sql_mysql: Starting connect to MySQL server for #18
    rlm_sql (sql): Connected new DB handle, #18
    rlm_sql (sql): starting 19
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
    rlm_sql_mysql: Starting connect to MySQL server for #19
    rlm_sql (sql): Connected new DB handle, #19
    rlm_sql (sql): Processing generate_sql_clients
    rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
    rlm_sql (sql): Reserving sql socket id: 19
    rlm_sql_mysql: MYSQL check_error: 1054 received
    rlm_sql (sql): database query error, SELECT id, nasname, shortname, type, secret, server FROM nas: Unknown column ‘server’ in ‘field list’
    rlm_sql (sql): Released sql socket id: 19
    Failed to load clients from SQL.
    rlm_sql (sql): Closing sqlsocket 19
    rlm_sql (sql): Closing sqlsocket 18
    rlm_sql (sql): Closing sqlsocket 17
    rlm_sql (sql): Closing sqlsocket 16
    rlm_sql (sql): Closing sqlsocket 15
    rlm_sql (sql): Closing sqlsocket 14
    rlm_sql (sql): Closing sqlsocket 13
    rlm_sql (sql): Closing sqlsocket 12
    rlm_sql (sql): Closing sqlsocket 11
    rlm_sql (sql): Closing sqlsocket 10
    rlm_sql (sql): Closing sqlsocket 9
    rlm_sql (sql): Closing sqlsocket 8
    rlm_sql (sql): Closing sqlsocket 7
    rlm_sql (sql): Closing sqlsocket 6
    rlm_sql (sql): Closing sqlsocket 5
    rlm_sql (sql): Closing sqlsocket 4
    rlm_sql (sql): Closing sqlsocket 3
    rlm_sql (sql): Closing sqlsocket 2
    rlm_sql (sql): Closing sqlsocket 1
    rlm_sql (sql): Closing sqlsocket 0
    /etc/raddb/sql.conf[22]: Instantiation failed for module “sql”
    /etc/raddb/sites-enabled/default[177]: Failed to load module “sql”.
    /etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.

    when I try with radiusd -X
    my radiusd service can't start.
    Can you help me 🙁 My service is running. But when I try to restart it, it does not start 🙁

  12. Of course it won't start when you changed the config files of the default db schema without checking them.

    rlm_sql (sql): database query error, SELECT id, nasname, shortname, type, secret, server FROM nas: Unknown column ‘server’ in ‘field list’

    Check your nas table and see whether the “server” field exists.

  13. Hey, I removed the line user Cleartext-Password := “password” from users.
    Now I'm trying to use the command

    radtest teste 123abc 127.0.0.1 0 testing123

    where teste is the shortname and 123abc is the password, but now radtest isn't working. Can you help me?

    PS: in clients.conf I put (for test purposes):

    client 0.0.0.0/0 {
    require_message_authenticator = no
    secret = “123abc”
    shortname = “teste”
    }

  14. Start freeradius in debug mode (radiusd -X) and see what the problem is. (Open one terminal for work and the other one for debug.)

  15. I guess I've understood the previous problem. Now I'm trying to integrate LDAP with freeradius and, when I try to test, it doesn't work.

    I’m trying: radtest -t eap-md5 user1 123 127.0.0.1 0 testing123

    where user1 is a user in the ldap base and 123 is the password of this user (stored in MD5)

    I get: Received Access-Reject packet from host 127.0.0.1 port 1812, id=16, length=20

    rad_recv: Access-Request packet from host 127.0.0.1 port 60211, id=28, length=87
    User-Name = “user1”
    User-Password = “123”
    NAS-IP-Address = 200.131.96.47
    NAS-Port = 0
    Message-Authenticator = 0xe5d2938b65a36b6a7c2b7815ff95b1fe
    EAP-Message = 0x021b000a017573657231
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {…}
    [eap] EAP packet type response id 27 length 10
    [eap] No EAP Start, assuming it’s an on-going EAP conversation
    ++[eap] returns updated
    [ldap] performing user authorization for user1
    [ldap] expand: (uid=%u)) -> (uid=user1))
    [ldap] expand: ou=People,dc=xxxxx,dc=edu,dc=br -> ou=People,dc=xxxxxxxx,dc=edu,dc=br
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in ou=People,dc=xxxxxxxx,dc=edu,dc=br, with filter (uid=user1))
    [ldap] ldap_search() failed: Bad search filter: (uid=user1))
    [ldap] search failed
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns fail
    Invalid user: [user1/123] (from client localhost port 0)
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {…}
    [attr_filter.access_reject] expand: %{User-Name} -> user1
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated

    Can you help me?
