Wednesday, July 17, 2019

Installation FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

SELINUX Setting:-

Before installations, I recommend turning off SELinux or setting it in permissive mode:-
[root@radius ~]# setenforce 0
[root@radius ~]# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
[root@radius ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@radius ~]#

Prerequisites:-

Update your CentOS 7 and install Deployment Tool. You can run this commands to update your CentOS and for Deployment Tool installation.
[root@radius ~]# yum -y update
[root@radius ~]# yum groupinstall "Development Tools" -y

Install httpd server

[root@radius ~]# yum -y install httpd httpd-devel
Once installation competed you can enable and start your HTTPD service using below commands. You can also check running status of HTTPD service using below commands. As like below screen shot.
[root@radius ~]# systemctl enable httpd
[root@radius ~]# systemctl start httpd
[root@radius ~]# systemctl status httpd

Installing and Configuring MariaDB

Now we are going to install and configure MariaDB 10.1.33, using below steps:-

Add MariaDB official repo content to CentOS 7 system

Add the below content in MariaDB.repo file and save the file.
[root@radius ~]#vi /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDBgpgcheck=1

Update system and install MariaDB to configure Database server

[root@radius ~]# yum -y update
[root@radius ~]# yum install -y mariadb-server mariadb
You will get prompted to install MariaDB GPG Signing key. Just press to allow installation.

Start and enable MariaDB

[root@radius ~]# systemctl start mariadb
[root@radius ~]# systemctl enable mariadb

Check running and enabled status of MariaDB

[root@radius ~]# systemctl status mariadb
[root@radius ~]# systemctl is-enabled mariadb.service
 enabled

Configure initial MariaDB settings to secure it.

Here we will set root password. For security purposes, consider removing anonymous users and disallowing remote root login. You can see below example configuration. Key choices has been marked in bold.
[root@radius ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
[root@radius ~]#

Allow only local connection to mysql server. This is a security mechanism.

[root@radius ~]# vi /etc/my.cnf
 [mysqld]
 bind-address=127.0.0.1

Configure Database for freeradius

[root@radius ~]# mysql -u root -p -e " CREATE DATABASE radius"
[root@radius ~]# mysql -u root -p -e "show databases"
[root@radius ~]# mysql -u root -p
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye
[root@radius ~]#

Installing php 7 on CentOS 7

[root@radius ~]# cd ~
[root@radius ~]# curl 'https://setup.ius.io/' -o setup-ius.sh
[root@radius ~]# bash setup-ius.sh
[root@radius ~]# yum remove php-cli mod_php php-common
[root@radius ~]# yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
[root@radius ~]# apachectl restart
After installation you can check php version to confirm using below commands:-
[root@radius ~]# php -v
If php 7 fails to work for you, then you can install php 5 by running below commands. You have to first uninstall php 7 then you can try with php 5.
[root@radius ~]# yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml

Installing FreeRADIUS

[root@radius ~]# yum -y install freeradius freeradius-utils freeradius-mysql
You have to start and enable freeradius with below commands, after successfully installation.
[root@radius ~]# systemctl start radiusd.service
[root@radius ~]# systemctl enable radiusd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
Now you can check the status:-
[root@radius ~]# systemctl status radiusd.service
Now we have to configure firewalld to allow radius and httpd packets in and out.
Radius server use udp ports 1812 and 1813. This can be confirmed by viewing the contents of the file /usr/lib/firewalld/services/radius.xml. You can cat this file and see.
[root@radius ~]# cat /usr/lib/firewalld/services/radius.xml

First start and enable firewalld for security

[root@radius ~]# systemctl enable firewalld
[root@radius ~]# systemctl start firewalld
[root@radius ~]# systemctl status firewalld

Confirm firewalld is running or not

[root@radius ~]# firewall-cmd --state
running

Add permanent rules to default zone to allow http,https and radius services

[root@radius ~]# firewall-cmd --get-services | egrep 'http|https|radius'
[root@radius ~]# firewall-cmd --add-service={http,https,radius} --permanent

Reload firewalld for changes to take effect

[root@radius ~]# firewall-cmd --reload

We can confirm that services were successfully added to default zone

[root@radius ~]# firewall-cmd --get-default-zone
public
[root@radius ~]# firewall-cmd --list-services --zone=public
dhcpv6-client http https radius ssh
You can see the three services present hence we are good to proceed.
[root@radius ~]# ss -tunlp | grep radiusd
If you want to run radius server in debug mode. You can run this command radiusd -X If debug mode is going to fail to bind to ports, you may have to kill radius server daemon first. You will get this types of massage if your radius server will fail to bind the port.
In this case you have to kill radius daemon first then you can start radiusd -X
[root@radius ~]# pkill radius
Then you can start radius server in debugging mode and you will see below massage if your radius service successfully run in debug mode.
[root@radius ~]# radiusd –X
----------------------------
----------------------------------
--------------------------------------
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 39556
Listening on proxy address :: port 52609
Ready to process requests

Configure FreeRADIUS

To Configure FreeRADIUS to use MariaDB, you can follow steps below:-

Import the Radius database scheme to populate radius database

[root@radius ~]# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Configure Radius at this point

First of all we have to create a soft link for SQL under /etc/raddb/mods-enabled
[root@radius ~]# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
Then we can configure SQL module /raddb/mods-available/sql and change the database connection parameters to suitable our environment like this:-
sql section should be look similar to below.
[root@radius ~]# vi /etc/raddb/mods-available/sql
sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
 login = "radius"
 password = "radiuspassword"
# Database table configuration for everything except Oracle
radius_db = "radius"
}
# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes
# Table to keep radius client info
client_table = “nas”
Then change group right of /etc/raddb/mods-enabled/sql to radiusd:-
[root@radius ~]# chgrp -h radiusd /etc/raddb/mods-enabled/sql

Installing and Configuring Daloradius

Installing Daloradius

We can use Daloradius to manage our radius server. This is optional and should not be done before install FreeRADIUS. There are two ways to download daloradius, either from github or sourceforge.

Github method:-

[root@radius ~]# wget https://github.com/lirantal/daloradius/archive/master.zip
[root@radius ~]# unzip master.zip
[root@radius ~]# mv daloradius-master/ daloradius

Sourceforge way:-

[root@radius ~]# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
[root@radius ~]# tar zxvf daloradius-0.9-9.tar.gz
[root@radius ~]# mv daloradius-0.9-9 daloradius

Change directory for configuration

[root@radius ~]# cd daloradius

Configuring daloradius

Now import Daloradius mysql tables

[root@radius ~]# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
[root@radius ~]# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Configure daloRADIUS database connection details

[root@radius ~]# cd ..
[root@radius ~]# mv daloradius /var/www/html/
We need to change permissions for http folder and set the right permissions for daloradius configuration file.
[root@radius ~]# chown -R apache:apache /var/www/html/daloradius/
[root@radius ~]# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
Now we have to modify daloradius.conf.php file to adjust the MySQL database information . So let’s open the daloradius.conf.php and add the database username, password and db name.
[root@radius ~]# vi /var/www/html/daloradius/library/daloradius.conf.php
Especially relevant variables to configure are:
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
Make sure everything works, restart radiusd, httpd and mysql:
[root@radius ~]# systemctl restart radiusd.service
[root@radius ~]# systemctl restart mariadb.service
[root@radius ~]# systemctl restart httpd
If you have install php 7 then you can ignore php-pear installation. And you have to only run pear install DB.
[root@radius ~]# yum install php-pear
[root@radius ~]# pear install DB
We have completed installation and configuration of daloradius and freeradius. To access daloradius, open the link using your IP address, then you will get your radius dashboard.
http://ip-address/daloradius/login.php
Default login details are:
Username: administrator
Password: radius

In this tutorial we have seen how to install FreeRADIUS and DaloRADIUS. If you getting any issue in this steps, let us know. My pleasure to help you. 

No comments:

Post a Comment

Installation FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

SELINUX Setting:- Before installations, I recommend turning off SELinux or setting it in permissive mode:- [root@radius ~]# setenforce ...

Popular Posts