04InstanceDefault - amagerard/FreeRadius GitHub Wiki
RedHat/FreeRadius
4 Instance Default.
4.1 Default installation.
Compiling FreeRADIUS requires the MariaDB, OpenLDAP and krb5 development packages to be installed first.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup |  bash
subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
dnf update
dnf install gcc libtalloc-devel  openssl-devel MariaDB-devel  openldap-devel krb5-devel
You will find the latest version at https://github.com/FreeRADIUS/freeradius-server/.
wget -P /opt https://github.com/FreeRADIUS/freeradius-server/archive/release_3_2_7.tar.gz
tar -xvf  /opt/release_3_2_7.tar.gz  -C /opt --one-top-level=freeradius --strip-components 1
cd /opt/freeradius
./configure --prefix=/usr  --sysconfdir=/etc
make
make install
4.2 Disable IPv6.
radiusd -X gives an IPv6 error because I disabled it.
Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol /etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812  
vi /etc/raddb/sites-enabled/default
Comment out the IPv6 "listen" sections with "#".
# IPv6 versions of the above - read their full config to understand options  
#listen {  
#       type = auth  
#       ipv6addr = ::   # any.  ::1 == localhost  
#       port = 0  
#       interface = eth0  
#       clients = per_socket_clients  
#       limit {  
#             max_connections = 16  
#             lifetime = 0  
#             idle_timeout = 30  
#       }  
#}  
  
#listen {  
#       ipv6addr = ::  
#       port = 0  
#       type = acct  
#       interface = eth0  
#       clients = per_socket_clients  
  
#       limit {  
#               max_pps = 0  
#               idle_timeout = 0  
#               lifetime = 0  
#               max_connections = 0  
#       }  
#}  
Check radiusd.
radiusd -X
This run does not generate any errors.
Press Ctrl+C to exit.
4.3 Create a self-signed certificate.
I need:
- /etc/ssl/private/freeradius.key (to generate).
- /etc/ssl/certs/freeradius.crt (to generate).
- /etc/ssl/certs/CA.crt (already generated).
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create freeradius.key and freeradius.crt.
openssl genrsa  -out /etc/ssl/private/freeradius.key 4096  
openssl req -new  -days 365 -key /etc/ssl/private/freeradius.key -out /etc/ssl/certs/freeradius.csr  
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/freeradius.crt -in /etc/ssl/certs/freeradius.csr  
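# Restrict only the certificate created above: a glob over /etc/ssl/certs would also change the mode of every other certificate in that directory.
chmod 400 /etc/ssl/certs/freeradius.crt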
chmod 400 /etc/ssl/private/*
4.4 Eap.
Edit the eap file.
vi /etc/raddb/mods-available/eap
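eap {
    # ... other eap settings unchanged ...
    tls-config tls-common {
        private_key_file = /etc/pki/tls/private/freeradius.key
        certificate_file = /etc/pki/tls/certs/freeradius.crt
        ca_file = /etc/pki/tls/certs/CA.crt
        ca_path = /etc/pki/tls/certs
        # ... remaining tls-common settings unchanged ...
    }
    # ... rest of the eap section unchanged ...
}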
  
  
4.5 Check freeradius service.
radiusd -X
The test ends with:
Ready to process requests.
Press Ctrl+C to exit.
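The files named in 4.4 can be checked before running radiusd -X: that each path in tls-config tls-common resolves (4.3 creates the files under /etc/ssl while 4.4 refers to /etc/pki/tls), that the key is not accessible to group or other, that the key belongs to the certificate, and that the certificate verifies against CA.crt. This script is an added example, not part of the wiki or of FreeRADIUS; the function names are hypothetical and it assumes literal paths written as "key = /path".

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): pre-flight check of the eap TLS files.
# Assumes literal paths written as "key = /path", as in section 4.4.

# Print the value of KEY inside the "tls-config tls-common { ... }" block.
eap_tls_value() {  # usage: eap_tls_value CONFIG KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        /tls-config[ \t]+tls-common[ \t]*[{]/ { inblk = 1; depth = 0 }
        inblk {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if ($1 == key && $2 == "=") { print $3; exit }
            if (depth <= 0) inblk = 0
        }' "$1"
}

# Succeed only if FILE grants nothing to group or other (mode 400 or 600).
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    _pk=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    _pc=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$_pk" ] && [ "$_pk" = "$_pc" ]
}

# Run all checks on the files CONFIG points to; print one line per problem.
check_eap_tls() {  # usage: check_eap_tls CONFIG
    _rc=0
    _key=$(eap_tls_value "$1" private_key_file)
    _crt=$(eap_tls_value "$1" certificate_file)
    _ca=$(eap_tls_value "$1" ca_file)
    for _f in "$_key" "$_crt" "$_ca"; do
        [ -r "$_f" ] || { echo "missing or unreadable: ${_f:-<not set>}"; _rc=1; }
    done
    [ "$_rc" -eq 0 ] || return 1
    key_is_private "$_key" || { echo "key accessible to group/other: $_key"; _rc=1; }
    key_matches_cert "$_key" "$_crt" || { echo "key does not match $_crt"; _rc=1; }
    openssl verify -CAfile "$_ca" "$_crt" >/dev/null 2>&1 ||
        { echo "$_crt does not verify against $_ca"; _rc=1; }
    return "$_rc"
}

# Run directly: ./check_eap_tls.sh /etc/raddb/mods-available/eap
if [ "$#" -gt 0 ]; then check_eap_tls "$1"; fi
```

A silent exit with status 0 means all four checks passed; otherwise each failed check is printed on its own line.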
4.6 Precaution.
The freeradius-sql instance uses the same ports 1812, 1813 as the default instance.