[How to] Install FreeRADIUS ver 2 with MySQL into a Jail


GrumpyBear

Contributor
Joined
Jan 28, 2015
Messages
141
I want to experiment with using a RADIUS server on my home network for controlling management access to my Cisco switches, experimenting with 802.1x authentication on network ports and using WPA2 Enterprise on my wireless (Tomato/Shibby).

The FreeRADIUS server is available as a port for FreeNAS 9.3, both as the older, deprecated Version 2 and as the newer Version 3.

I initially tried to install Version 3, but there appear to be some errors in the packages or in the port when MySQL support is added, so I tried Version 2 and was able to successfully install a server and authenticate against it.

Here are the steps taken.
 

GrumpyBear

Contributor
Joined
Jan 28, 2015
Messages
141
Create a Jail and install AMP (Apache, MySQL and PHP) services on it using this HowTo.

Following loosely the post for installing FreeRADIUS on OpenBSD.

1. Configure & Install the freeradius2 port
a) Configure freeradius version 2 to add MySQL support:
Code:
cd /usr/ports/net/freeradius2 && make config

select "MySQL database support" and then "OK"
b) Install the FreeRADIUS port
Code:
make install clean BATCH=yes

2. Configure FreeRADIUS to run at boot
Code:
echo 'radiusd_enable="YES"' >> /etc/rc.conf

3. Connect to MySQL and create the radius database from the supplied schema
a) run MySQL as root
Code:
mysql -u root -p

b) Create a Database named "radius"
Code:
create database radius;

c) Add a user named "radadmin" with a password "radpass" and give that user superuser rights to the database:
Code:
grant all on radius.* to radadmin@localhost identified by 'radadminpass';

d) Flush the privileges:
Code:
flush privileges;

e) Type <Ctrl> + C to exit MySQL
4. Import FreeRADIUS Schema into the Database you just created.
Code:
mysql -uroot -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql

5. Optional: Create a NAS Table in MySQL to manage your NAS devices.
A Network Authentication Server (NAS) sends usernames and passwords to the RADIUS server for Authentication and Authorization. A NAS is usually a software component running on another device such as a Remote Access Server (RAS), Router, Switch or Wireless Access Point. The RADIUS Server responds with whether the supplied credentials are valid (Authentication) and, optionally, what privilege level the specified account should have (Authorization).
The list of "client" NAS servers is by default kept in a text config file on the FreeRADIUS server.
To facilitate ease of management it can be kept in a table in MySQL.
Copy the table definition for the nas table to the radius database:
Code:
mysql -uroot -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql

6. Edit the main FreeRADIUS "site" config to use SQL
Code:
cd /usr/local/etc/raddb/sites-available
nano default

Uncomment these directives:
Code:
authorize {
  preprocess
  auth_log   # Uncomment This
  chap
  mschap
  digest
  suffix
  eap {
    ok = return
  }
  files
  sql   # Uncomment This
  expiration
  logintime
  pap
}

authenticate {
  Auth-Type PAP {
    pap
  }
  Auth-Type CHAP {
    chap
  }
  Auth-Type MS-CHAP {
    mschap
  }
  digest
  unix
  eap
}

preacct {
  preprocess
  acct_unique
  suffix
  files
}

accounting {
  detail
  unix   # Uncomment This
  radutmp   # Uncomment This
  sql   # Uncomment This
  exec
}

session {
  radutmp
  sql   # Uncomment This
}

post-auth {
  sql   # Uncomment This
  exec
  Post-Auth-Type REJECT {
    # log failed authentications in SQL, too.
    #  sql   # May want to Uncomment this
    attr_filter.access_reject
  }
}

pre-proxy {
}

post-proxy {
  eap
}

7. Edit the FreeRADIUS SQL configuration with site-specific information:
Code:
cd /usr/local/etc/raddb
nano sql.conf

Code:
sql {
  database = "mysql"
  driver = "rlm_sql_${database}"
  server = "localhost"
  port = 3306       # Uncomment This
  login = "radadmin"     # Uncomment This and make username same as set in 3c
  password = "radadminpass"   # Uncomment This and make password same as set in 3c
  radius_db = "radius"
  acct_table1 = "radacct"
  acct_table2 = "radacct"
  postauth_table = "radpostauth"

  authcheck_table = "radcheck"
  authreply_table = "radreply"

  groupcheck_table = "radgroupcheck"
  groupreply_table = "radgroupreply"

  usergroup_table = "radusergroup"

  # read_groups = yes
  deletestalesessions = yes
  sqltrace = no
  sqltracefile = ${logdir}/sqltrace.sql
  num_sql_socks = 5
  connect_failure_retry_delay = 60
  lifetime = 0
  max_queries = 0
  readclients = no
  nas_table = "nas"

  # Read driver-specific configuration
  $INCLUDE sql/${database}/dialup.conf
}

Optional: if you added a nas table to manage the NAS configuration then also uncomment:
Code:
readclients=yes

8. Configure FreeRADIUS to use the sql.conf file
Code:
nano /usr/local/etc/raddb/radiusd.conf

Uncomment "$INCLUDE sql.conf" as per instructions from the maintainer.
9. Create a test user with a Clear Text Password
Code:
mysql -uroot -p radius
mysql> INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (NULL, 'testuser', 'Cleartext-Password', ':=', 'password');
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | testuser | Cleartext-Password | := | password |
+----+----------+--------------------+----+----------+
1 rows in set (0.00 sec)

10. Restart the FreeRADIUS daemon in debug mode to load the new config and check that all the modules load properly and that it parses the config file without error:
Code:
service radiusd debug
If it is working properly you should see:
Code:
     Listening on authentication address * port 1812
     Listening on accounting address * port 1813
     Listening on command file /var/run/radiusd/radiusd.sock
     Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
     Listening on proxy address * port 1814
     Ready to process requests.

Close the debugging session by typing <Ctrl>+c
11. In another SSH session use the radtest tool to test authentication is working:
Code:
# radtest testuser password localhost 1812 testing123
Sending Access-Request of id 203 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=203, length=20
 
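The step 11 round trip (radtest sending a PAP Access-Request with the shared secret testing123 and getting an Access-Accept back) worked through in Python, as an added example that is not code from the guide or from FreeRADIUS: it builds the request, runs a minimal in-process server against a constructed stand-in for the radcheck row of step 9, and verifies the reply on the client side. Assumptions: no real socket is used, and this toy server insists on a Message-Authenticator, which a real FreeRADIUS only does when configured to.

```python
"""PAP Access-Request / Access-Accept round trip of step 11 (RFC 2865, RFC 2869), both sides in-process."""
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, MSG_AUTH = 1, 2, 4, 5, 80
RADCHECK = {"testuser": b"password"}   # constructed stand-in for the radcheck row of step 9

def hide_password(secret, authenticator, data, decrypt=False):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data if decrypt else data + b"\0" * (-len(data) % 16 or 16 * (not data))
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        x = bytes(p ^ q for p, q in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + x, (data[i:i + 16] if decrypt else x)   # chaining always uses ciphertext
    return out.rstrip(b"\0") if decrypt else out

def parse_attrs(packet):   # attribute type -> (value, offset of value) for the TLVs after the header
    out, i = {}, 20
    while i + 2 <= len(packet):
        out[packet[i]] = (packet[i + 2:i + packet[i + 1]], i + 2)
        i += max(packet[i + 1], 2)   # a length below 2 is malformed; never loop forever on it
    return out

def access_request(secret, ident, username, password, nas_ip=bytes([127, 0, 0, 1])):
    """Client: PAP Access-Request carrying a Message-Authenticator (HMAC-MD5 over the packet)."""
    ra = os.urandom(16)   # Request Authenticator, fresh per request
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(secret, ra, password)),
             (NAS_IP, nas_ip), (NAS_PORT, struct.pack("!I", 1812)), (MSG_AUTH, b"\0" * 16)]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()   # MAC sits in the last attribute

def server_reply(secret, request):   # server: check the MAC, recover the password, consult RADCHECK
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], parse_attrs(request)
    ok = (code == ACCESS_REQUEST and length == len(request)
          and attrs.keys() >= {USER_NAME, USER_PASSWORD, MSG_AUTH})
    if ok:   # a wrong shared secret or a tampered packet fails here, before any user lookup
        mac, off = attrs[MSG_AUTH]
        zeroed = request[:off] + b"\0" * 16 + request[off + 16:]
        ok = hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest())
    if ok:
        user = attrs[USER_NAME][0].decode(errors="replace")
        pw = hide_password(secret, ra, attrs[USER_PASSWORD][0], decrypt=True)
        ok = hmac.compare_digest(RADCHECK.get(user, b"\0"), pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + ra + secret).digest()   # Response Authenticator (RFC 2865 3)

def verify_reply(secret, request, reply):   # client: the reply must be bound to our request and secret
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expect)
```

A reply that fails verify_reply should be treated as if no reply arrived at all, which is what ties the Access-Accept to the shared secret rather than to anyone who can answer on UDP 1812.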

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Moved to the guide section (thanks for the guide).

I have totally been meaning to do a RADIUS server, so this sounds like an awesome tool for me to get a RADIUS server. The only downside is I'd rather it have been v3. Reading up on this it sounds like you should start off with v3 if you want to use v3 vice trying to 'upgrade' from v2 to v3. That being said, I'm probably going to wait and see if I can do this with v3. Maybe if I get it working I'll post my own guide. :P
 

GrumpyBear

Contributor
Joined
Jan 28, 2015
Messages
141
Moved to the guide section (thanks for the guide).

I have totally been meaning to do a RADIUS server, so this sounds like an awesome tool for me to get a RADIUS server. The only downside is I'd rather it have been v3. Reading up on this it sounds like you should start off with v3 if you want to use v3 vice trying to 'upgrade' from v2 to v3. That being said, I'm probably going to wait and see if I can do this with v3. Maybe if I get it working I'll post my own guide. :p
If you just want straight RADIUS and are content to manage it using the config files then the stock version 3 port will work (I tested it). However if you want to use MySQL to manage the Configs or to integrate the RADIUS with LDAP or AD then you will need to modify the stock port using "make config" and that is where the port seems to have issues.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Thanks for the confidence in v3. I may try to do this this weekend. I've always wanted to do a RADIUS server just "for the experience" but without a working model to look at I ran into problems that I could not troubleshoot myself out of.
 
Joined
Mar 24, 2014
Messages
3
Can someone please help the less savvy geeks that don't know BSD and Linux and CLI stuff as well as all of you and just create a plugin already?

I bought a unifi USG router and wifi APs (enterprise grade hardware that is awesome). The VPN that they have - in order to set it up with the GUI you have to have a RADIUS server (didn't realize that when I bought it). Had to SSH in and create a VPN workaround from the terminal (it works). Downside is anytime I want to edit my config or add a user or whatever, if I try to do it from the GUI then it WIPES OUT my custom VPN config and I have to start all over.

I realize that is a bug on unifi's end, but still....I bet a lot of people with FREENAS boxes probably use unifi as well and they would love a RADIUS plugin for FREENAS so that when they want to use a UNIFI VPN they already have an easy way to make a RADIUS server deploy on their network via FREENAS.....
 

GrumpyBear

Contributor
Joined
Jan 28, 2015
Messages
141
Can someone please help the less savvy geeks that don't know BSD and Linux and CLI stuff as well as all of you and just create a plugin already
David,

The first problem is, that as I explained above, last I checked the latest stable package version of FreeRADIUS didn't install properly on FreeNAS so I had to resort to the "hack" detailed above to get the older, deprecated, version running.

The biggest issue is likely that RADIUS is kind of the Swiss army knife of AAA servers and has a myriad of use cases so configuration is not trivial. I've worked in networking for a living for over 20 years and still had issues with getting it working. At work we tend to use purpose-built appliances for this costing tens of thousands of dollars with spiffy GUIs and even then they typically are far from easy to configure as there are so many "knobs" to tweak. Typically one has to spend days to get them working whilst digging through piles of technical documents and if you don't make copious notes if you have to go back and change the server config (as opposed to the user database or back-end authentication) later you have to tread very carefully as when they break EVERYONE gets locked out (undo holster, withdraw pistol, disengage safety, point at foot, pull trigger ...)

I'm certain there are people out there who live, eat and breathe AAA servers and they might be able to create a canned package that would suit this kind of use case.

In my case it was easier to use LOCAL accounts.
 
Joined
Mar 24, 2014
Messages
3
Thanks. I get it. I have been following your guide for almost an hour and I am ALMOST there! :)

What are LOCAL accounts? Are you referring to a freenas thing or something for unifi? My main problem is I had to basically hack the unifi config to make the VPN work because I don't have RADIUS (actually technically had to have my brother help me do it and I get confused so if I ever need to change it I have to bug him).

I just need an easy way to be able to use the GUI for unifi and make it not break my VPN (in other words I want to be able to configure my unifi USG router VPN settings THROUGH the unifi GUI, and therefore I think I need a RADIUS server).
 