04InstanceDefault - amagerard/FreeRadius GitHub Wiki
RedHat/FreeRadius
4 Instance Default.
4.1 Default installation.
Compiling FreeRADIUS requires MariaDB, OpenLDAP and krb5 to be installed.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | bash
subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
dnf update
dnf install gcc libtalloc-devel openssl-devel MariaDB-devel openldap-devel krb5-devel
You will find the latest version at https://github.com/FreeRADIUS/freeradius-server/.
wget -P /opt https://github.com/FreeRADIUS/freeradius-server/archive/release_3_2_7.tar.gz
tar -xvf /opt/release_3_2_7.tar.gz -C /opt --one-top-level=freeradius --strip-components 1
cd /opt/freeradius
./configure --prefix=/usr --sysconfdir=/etc
make
make install
4.2 Disable IPv6.
Running radiusd -X gives an IPv6 error because I have disabled IPv6.
Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol
/etc/raddb/sites-enabled/default[246]: Error binding to port for :: port 1812
vi /etc/raddb/sites-enabled/default
Comment out the IPv6 "listen" blocks with "#".
# IPv6 versions of the above - read their full config to understand options
#listen {
# type = auth
# ipv6addr = :: # any. ::1 == localhost
# port = 0
# interface = eth0
# clients = per_socket_clients
# limit {
# max_connections = 16
# lifetime = 0
# idle_timeout = 30
# }
#}
#listen {
# ipv6addr = ::
# port = 0
# type = acct
# interface = eth0
# clients = per_socket_clients
# limit {
# max_pps = 0
# idle_timeout = 0
# lifetime = 0
# max_connections = 0
# }
#}
Check radiusd.
radiusd -X
It no longer generates any errors.
Press Ctrl + C to exit.
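The manual edit in 4.2 can also be scripted. This is an added example, not part of the original wiki: a shell function (the name disable_ipv6_listeners is hypothetical) that comments out every listen block that sets ipv6addr, run here on a constructed sample. It assumes one statement per line and no "#" inside quoted strings.

```shell
#!/bin/sh
# Added example (not from the wiki). Prints FILE with every "listen { ... }"
# block that sets ipv6addr commented out. Assumes one statement per line and
# no "#" inside quoted strings. Lines that are already commented are kept as-is.
disable_ipv6_listeners() {
    awk '
    function flush(   i, pre) {          # emit the buffered listen block
        pre = ipv6 ? "#" : ""
        for (i = 1; i <= n; i++) print pre buf[i]
        n = 0; ipv6 = 0
    }
    {
        code = $0
        sub(/#.*/, "", code)             # parse only the uncommented part
        if (!inblock && code ~ /^[ \t]*listen[ \t]*[{]/) { inblock = 1; depth = 0 }
        if (!inblock) { print; next }
        buf[++n] = $0
        if (code ~ /(^|[ \t{])ipv6addr[ \t]*=/) ipv6 = 1
        depth += gsub(/[{]/, "{", code) - gsub(/[}]/, "}", code)
        if (depth <= 0) { inblock = 0; flush() }   # closing brace of listen
    }
    END { if (n) { ipv6 = 0; flush() } } # unterminated block: print unchanged
    ' "$1"
}

# Constructed sample: one IPv4 and one IPv6 listener inside a server block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server default {
listen {
    type = auth
    ipaddr = *
    port = 0
}
listen {
    type = auth
    ipv6addr = ::   # any.  ::1 == localhost
    port = 0
    limit {
        max_connections = 16
    }
}
}
EOF
disable_ipv6_listeners "$sample"   # only the second listen block gains "#"
rm -f "$sample"
```

To apply it, write the output to a new file, compare it with /etc/raddb/sites-enabled/default using diff, then replace the file and run radiusd -X again.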
4.3 Create a self-signed certificate.
I need:
- /etc/ssl/private/freeradius.key (create).
- /etc/ssl/certs/freeradius.crt (create).
- /etc/ssl/certs/CA.crt (already created). To be regenerated if you have an SQL or OpenLDAP server.
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create freeradius.key and freeradius.crt.
Very important.
As of February 10, 2025, mods-available/ldap and driver = "RLM_SQL_MYSQL" do not work with a CA generated by OpenSSL from Red Hat 9.5.
It is necessary to create the certificate authority (CA) with an AlmaLinux 9.4 live CD,
and then import CA.crt and CA.key from the AlmaLinux live CD to the FreeRADIUS, OpenLDAP and SQL servers.
Maybe this problem will be resolved in future versions.
openssl genrsa -out /etc/ssl/private/freeradius.key 4096
openssl req -new -days 365 -key /etc/ssl/private/freeradius.key -out /etc/ssl/certs/freeradius.csr
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/freeradius.crt -in /etc/ssl/certs/freeradius.csr
chmod 400 /etc/ssl/certs/*
chmod 400 /etc/ssl/private/*
4.4 Eap.
Edit the eap file.
vi /etc/raddb/mods-available/eap
eap {
tls-config tls-common {
private_key_file = /etc/pki/tls/private/freeradius.key
certificate_file = /etc/pki/tls/certs/freeradius.crt
ca_file = /etc/pki/tls/certs/CA.crt
ca_path = /etc/pki/tls/certs
4.5 Check freeradius service.
radiusd -X
The test ends with:
Ready to process requests.
Press Ctrl + C to exit.
4.6 Precaution.
The freeradius-sql instance uses the same ports 1812, 1813 as the default instance.