05InstanceFreeRadiusSql - amagerard/FreeRadius GitHub Wiki
RedHat/FreeRadius
| 01 Sypnoptic | 02 Network | 03 FreeRadius | 04 InstanceDefault | |
|---|---|---|---|---|
| 05 InstanceSql | 06 InstanceLdap | 07 InstanceAD | 08 Selinux | 09 GnomeShell | 
| DaloRadius | OpenLdap | SambaAD | 
5. Instance Freeradius-sql.
5.1 Principle.
Do not host the user-account database on the FreeRADIUS server itself: a compromise of the RADIUS daemon must not hand over the account store, and the database server can be hardened and backed up on its own.
The database lives on another server (in this example the DaloRadius server).
FreeRADIUS reaches that database over a TLS-protected MySQL connection, presenting its own certificate as a client and checking the server's certificate against the common CA.
I will create a freeradius-sql instance reserved for the users of the database hosted on the daloradius server.
5.2 Daloradius.
Follow the Install DaloRadius page first.
IMPORTANT.
Your DaloRadius server must be up and reachable before you continue.
FreeRADIUS and DaloRadius must have certificates issued by the same CA: the RADIUS side verifies the MySQL server certificate against CA.crt, and the MySQL side verifies the client certificate freeradius.crt against that same CA.
5.3 Add the system user frirad.
The instance runs as its own unprivileged user, separate from the default instance's radiusd user, so that neither daemon can read the other's configuration or logs.
groupadd frirad
useradd  -g frirad  -s /bin/false  -d /etc/freeradius-sql frirad
Give frirad read access to its key and certificate material.
setfacl  -m u:frirad:r /etc/pki/tls/private/freeradius.key
setfacl  -m u:frirad:r /etc/pki/tls/certs/freeradius.crt
setfacl  -m u:frirad:r /etc/pki/tls/certs/CA.crt
Do not grant frirad access to /etc/pki/tls/private/CA.key. Nothing in this chapter references the CA private key (the sql and eap modules use only freeradius.key, freeradius.crt and CA.crt), and a RADIUS daemon that can read the CA key could issue certificates for any server or client. Leave that file readable by root only.
5.4 Freeradius-sql installation.
Copy /etc/raddb to /etc/freeradius-sql (useradd created the directory above as frirad's home).
cp -R /etc/raddb/* /etc/freeradius-sql/
chgrp -R frirad /etc/freeradius-sql
Then remove all permissions for "other" on the whole tree (chmod -R o-rwx): mods-available/sql will hold the database password and clients.conf the shared secrets, and neither should be readable by every local account.
5.5 Configuration.
vi /etc/freeradius-sql/radiusd.conf
prefix = /usr  
sysconfdir = /etc  
localstatedir = /var  
sbindir = /usr/sbin  
logdir = ${localstatedir}/log/freeradius-sql  
raddbdir = ${sysconfdir}/freeradius-sql  
radacctdir = ${logdir}/radacct  
  
name = freeradius-sql  
  
user = frirad  
group = frirad  
Create the directory for the logs.
mkdir -p /var/log/freeradius-sql/radacct
touch /var/log/freeradius-sql/radius.log
chown -R frirad:frirad /var/log/freeradius-sql
chmod 0750 /var/log/freeradius-sql
Keep the directory out of reach of other users: section 5.12 turns on password logging for debugging, and the accounting records under radacct identify every user and NAS.
5.6 Create a freeradius-sql service.
Create the /run/freeradius-sql folder at startup.
vi /usr/lib/tmpfiles.d/freeradius-sql.conf
#Type Path            Mode         UID      GID    Age      Argument  
d /run/freeradius-sql   0775       root    frirad    -        -  
Apply the file now; it is also processed automatically at every boot, so no reboot is needed.
systemd-tmpfiles --create /usr/lib/tmpfiles.d/freeradius-sql.conf
Copy the radiusd.service unit to freeradius-sql.service (see InstanceDefault, section 3.1, for where the FreeRADIUS source tree lives).
cp /opt/freeradius/redhat/radiusd.service /usr/lib/systemd/system/freeradius-sql.service
Edit the file. Compared with the stock unit, the runtime directory, user, group, PID file and paths all change to the instance's own, and the -C (configuration check) flag is kept on ExecStartPre and ExecReload.
vi /usr/lib/systemd/system/freeradius-sql.service
[Service]  
Type=forking  
WatchdogSec=0  
NotifyAccess=all  
EnvironmentFile=-/etc/sysconfig/radiusd  
# FreeRADIUS can do static evaluation of policy language rules based  
# on environmental variables which is very useful for doing per-host  
# customization.  
# Unfortunately systemd does not allow variable substitutions such  
# as %H or $(hostname) in the EnvironmentFile.  
# We provide HOSTNAME here for convenience.  
Environment=HOSTNAME=%H  
  
# Limit memory to 2G this is fine for 99.99% of deployments.  FreeRADIUS  
# is not memory hungry, if it's using more than this, then there's probably  
# a leak somewhere.  
MemoryLimit=2G  
  
# The instance's own runtime directory. The stock unit says "radiusd", which  
# would make this instance share /run/radiusd with the default instance.  
# With this line systemd creates and removes /run/freeradius-sql itself, so  
# the tmpfiles.d entry above is redundant but harmless.  
RuntimeDirectory=freeradius-sql  freeradius-sql/tmp  
RuntimeDirectoryMode=0775  
User=frirad  
Group=frirad  
PIDFile=/run/freeradius-sql/freeradius-sql.pid  
# Check the configuration before starting and before reloading. A reload  
# without -C would attempt to start a second daemon instead of testing the  
# configuration.  
ExecStartPre=/usr/sbin/radiusd -C -d /etc/freeradius-sql -l /var/log/freeradius-sql/radius.log  
ExecStart=/usr/sbin/radiusd -d /etc/freeradius-sql -l /var/log/freeradius-sql/radius.log  
Restart=on-failure  
RestartSec=5  
ExecReload=/usr/sbin/radiusd -C -d /etc/freeradius-sql -l /var/log/freeradius-sql/radius.log  
ExecReload=/bin/kill -HUP $MAINPID  
  
#  Don't elevate privileges after starting  
NoNewPrivileges=true  
# Allow binding to secure ports, broadcast addresses, and raw interfaces.  
#  
# This list of capabilities may not be exhaustive, and needs  
# further testing. Please uncomment, test, and report any issues.  
#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE  
  
# Private /tmp that isn't shared by other processes  
PrivateTmp=true  
  
# cgroups are readable only by radiusd, and child processes  
ProtectControlGroups=true  
  
# don't load new kernel modules  
ProtectKernelModules=true  
  
# don't tune kernel parameters  
ProtectKernelTunables=true  
  
# Only allow native system calls  
SystemCallArchitectures=native  
  
# We shouldn't be writing to the configuration directory  
ReadOnlyDirectories=/etc/freeradius-sql/  
  
# We can read and write to the log directory.  
ReadWriteDirectories=/var/log/freeradius-sql/  
  
[Install]  
WantedBy=multi-user.target  
Set the authentication listen port explicitly to 1812 (the stock file has port = 0, which means "take the port from /etc/services") and check the accounting listener. ipaddr = * binds every interface; if the server has an interface that does not face any NAS, put that interface's address here instead.
vi /etc/freeradius-sql/sites-available/default
server default {  
listen {  
       type = auth  
       ipaddr = *  
       port = 1812  
       limit {  
             # leave this section unchanged  
       }  
}  
  
#  This second "listen" section is for listening on the accounting  
listen {  
       ipaddr = *  
#      ipv6addr = ::  
       port = 1813  
       type = acct  
  
       limit {  
       }  
}  
5.7 Mods-available.
Edit the sql module. The TLS options live in the mysql { tls { ... } } subsection of the file (setting any of them switches TLS on for the driver); the connection settings are at the top level of the sql { } block.
vi /etc/freeradius-sql/mods-available/sql
dialect = "mysql"  
driver = "rlm_sql_mysql"  
  
mysql {  
    tls {  
        ca_file = "/etc/pki/tls/certs/CA.crt"  
        ca_path = "/etc/pki/tls/certs"  
        certificate_file = "/etc/pki/tls/certs/freeradius.crt"  
        private_key_file = "/etc/pki/tls/private/freeradius.key"  
    }  
}  
  
appname = "freeradius-sql"  
  
# Connection info:  
#  
server = "daloradius.ol26modk.com"  
port = 3306  
login = "admsql"  
password = "641fqAB4d"  
  
# Database table configuration for everything except Oracle  
radius_db = "sqlradius"  
The password above is this wiki's example value; use your own, and remember that it sits in cleartext in this file, which is why the tree must be readable by frirad only. Two things to verify on the DaloRadius side: the admsql account is created with REQUIRE SSL (or REQUIRE X509), so the connection cannot silently fall back to cleartext if the TLS settings are ever misread, and it holds only the privileges FreeRADIUS needs on sqlradius (SELECT on radcheck, radreply, radgroupcheck, radgroupreply and radusergroup; SELECT, INSERT and UPDATE on radacct; INSERT on radpostauth; SELECT on nas if read_clients is enabled) rather than ALL PRIVILEGES.
Create the sql link in /etc/freeradius-sql/mods-enabled.
ln -s /etc/freeradius-sql/mods-available/sql  /etc/freeradius-sql/mods-enabled/sql
Edit the eap file.
This may already have been done in the InstanceDefault chapter (section 4.4, eap). Only the four certificate lines of tls-common change; the rest of the section stays as shipped.
vi /etc/freeradius-sql/mods-available/eap
eap {  
    tls-config tls-common {  
    private_key_file = /etc/pki/tls/private/freeradius.key  
    certificate_file = /etc/pki/tls/certs/freeradius.crt  
    ca_file = /etc/pki/tls/certs/CA.crt  
    ca_path = /etc/pki/tls/certs  
  
Change the permissions.
chgrp -R frirad /etc/freeradius-sql/mods-enabled/
5.8 Sites-enabled.
This instance authenticates against SQL only, so remove the ldap module from both virtual servers (the leading "-" already makes the reference optional when the module is not loaded; commenting it out simply keeps the intent explicit).
vi /etc/freeradius-sql/sites-available/default
Put a "#" in front of -ldap.
# The ldap module reads passwords from the LDAP database.  
# -ldap  
vi /etc/freeradius-sql/sites-available/inner-tunnel
Put a "#" in front of -ldap.
# The ldap module reads passwords from the LDAP database.  
# -ldap  
5.9 Check for other errors.
At this point freeradius-sql must start in debug mode without reporting an error.
radiusd -d  /etc/freeradius-sql -l /var/log/freeradius-sql/radius.log -X
Exit with Ctrl+C.
You will see this message in the debug output:
Skipping contents of 'if' as it is always 'false' -- /etc/freeradius-sql/sites-enabled/inner-tunnel:366
vi /etc/freeradius-sql/sites-available/inner-tunnel
The block in question is introduced by this comment in the file:
#  Instead of "use_tunneled_reply", change this "if (0)" to an  
#  "if (1)".  
Change if (0) to if (1). This block copies the inner-tunnel reply (minus the EAP and MPPE attributes) into the outer session-state, so reply attributes stored in radreply, such as a VLAN assignment, reach the NAS for PEAP and TTLS users.
If there are errors, review the configuration.
If everything is clean:
systemctl enable --now freeradius-sql
Check the listening ports (on recent RHEL releases netstat is not installed by default; ss -tunlp gives the same view). Port 18120 on 127.0.0.1 is the inner-tunnel virtual server's own listener.
netstat -tunlp | grep radiusd
udp    0   0 127.0.0.1:18120   0.0.0.0:*   2575/radiusd  
udp    0   0 0.0.0.0:1812      0.0.0.0:*   2575/radiusd  
udp    0   0 0.0.0.0:1813      0.0.0.0:*   2575/radiusd  
5.10 Nas.
The NAS is the device that sends authentication requests to FreeRADIUS; in this example it is a DD-WRT Wi-Fi router.
NAS and FreeRADIUS share a secret that signs every RADIUS packet and obscures the User-Password attribute, so the stock value testing123 must not survive.
First replace every "secret" with another password.
cat /etc/freeradius-sql/clients.conf|grep secret
Example: new secret  = 3bd45df3-3bd45df3
sed -i -e "s/testing123/3bd45df3-3bd45df3/g" /etc/freeradius-sql/clients.conf
Put a "#" in front of the IPv6 client in clients.conf.
vi /etc/freeradius-sql/clients.conf
# IPv6 Client  
##client localhost_ipv6 {  
##   ipv6addr  = ::1  
##    secret = 3bd45df3  
##}  
Add a new "nas" at the end of the clients.conf file. Put the secret in double quotes: clients.conf itself says that secrets containing special characters must be quoted, and this one contains "#", which the parser could otherwise take for the start of a comment.
vi /etc/freeradius-sql/clients.conf
client linksys2 {  
# IP of linksys2.  
     ipaddr = 192.168.5.1  
# Shared secret.  
     secret = "ABjA#3r3bAB6n"  
}  
Set require_message_authenticator = yes. With it, the server discards any Access-Request that does not carry a Message-Authenticator attribute, so a packet cannot be accepted on the strength of its source address alone; this is also the server-side mitigation for the Blast-RADIUS forgery attack. Make sure the NAS actually sends the attribute, otherwise its requests will be dropped silently (radtest in 5.13 does send it).
vi /etc/freeradius-sql/clients.conf
#  allowed values: yes, no, auto  
        #  
        require_message_authenticator = yes  
5.11 Proxy.
proxy.conf also ships with the secret testing123 for its example home servers; replace it the same way.
cat /etc/freeradius-sql/proxy.conf| grep secret
Example: new secret  = 3bd45df3-3bd45df3
sed -i -e "s/testing123/3bd45df3-3bd45df3/g" /etc/freeradius-sql/proxy.conf
Disable the realm example.com by putting a "#" in front of it.
vi /etc/freeradius-sql/proxy.conf
## realm example.com {  
## auth_pool = my_auth_failover  
## }  
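Before enabling the unit, the checks behind sections 5.4, 5.10 and 5.11 (no stock secret left, NAS secrets with special characters quoted, no world-readable configuration) can be scripted. The following is an added example written for this page, not code from the wiki or from the FreeRADIUS project. It builds a throwaway instance directory that reproduces the states this chapter fixes (constructed sample files, not a real configuration), runs the checks, applies the chapter's own fixes and runs them again. The example secrets and the admsql password are the wiki's values; the function names are my own, and radiusd -C is only invoked when the binary and a radiusd.conf are present.

```sh
#!/bin/sh
# Added example, not part of the wiki: pre-flight checks for a FreeRADIUS
# instance directory such as /etc/freeradius-sql. Assumes POSIX sh, grep,
# find and sed. The sample instance built below is constructed for the demo.

# Report "secret = testing123" lines (the stock value) in clients.conf or
# proxy.conf. Commented-out lines are ignored. Returns 1 if any were found.
find_default_secrets() {
    grep -nE '^[[:space:]]*secret[[:space:]]*=[[:space:]]*"?testing123"?' "$1" \
        && return 1
    return 0
}

# Report unquoted secrets containing '#' or ';'. clients.conf tells you to
# double-quote secrets with special characters; an unquoted one may not be
# read the way it was typed into the NAS. Returns 1 if any were found.
find_unquoted_special_secrets() {
    grep -nE '^[[:space:]]*secret[[:space:]]*=[[:space:]]*[^"[:space:]][^"[:space:]]*[#;]' "$1" \
        && return 1
    return 0
}

# Report files readable by "other": mods-available/sql holds the database
# password and clients.conf/proxy.conf the shared secrets. Returns 1 if any.
find_world_readable() {
    found=$(find "$1" -type f -perm -o=r)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run every check; add radiusd -C when the binary and a radiusd.conf exist.
# Returns 0 only when everything passes.
preflight() {
    dir=$1
    rc=0
    find_default_secrets "$dir/clients.conf" || rc=1
    find_default_secrets "$dir/proxy.conf" || rc=1
    find_unquoted_special_secrets "$dir/clients.conf" || rc=1
    find_world_readable "$dir" || rc=1
    if command -v radiusd >/dev/null 2>&1 && [ -f "$dir/radiusd.conf" ]; then
        radiusd -C -d "$dir" || rc=1
    fi
    return $rc
}

# Build a throwaway instance directory (constructed sample) reproducing the
# states this chapter fixes: stock secret still present, an unquoted NAS
# secret containing '#', and a world-readable sql module file.
make_sample_instance() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-available"
    cat >"$d/clients.conf" <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = yes
}
# IPv6 Client
##client localhost_ipv6 {
##    secret = testing123
##}
client linksys2 {
    ipaddr = 192.168.5.1
    secret = ABjA#3r3bAB6n
}
EOF
    cat >"$d/proxy.conf" <<'EOF'
home_server localhost {
    ipaddr = 127.0.0.1
    secret = 3bd45df3-3bd45df3
}
EOF
    printf 'password = "641fqAB4d"\n' >"$d/mods-available/sql"
    chmod 644 "$d/mods-available/sql" "$d/clients.conf" "$d/proxy.conf"
    printf '%s\n' "$d"
}

# Apply the chapter's fixes to that directory: new secret (the wiki's sed),
# quoted NAS secret, and no read access for "other".
harden_sample_instance() {
    sed -i -e 's/testing123/3bd45df3-3bd45df3/g' "$1/clients.conf"
    sed -i -e 's/^\([[:space:]]*secret = \)ABjA#3r3bAB6n$/\1"ABjA#3r3bAB6n"/' "$1/clients.conf"
    chmod -R o-rwx "$1"
}

# Stand-alone run: show the failing state, fix it, show it passing.
inst=$(make_sample_instance)
preflight "$inst" || echo "preflight: problems found in $inst"
harden_sample_instance "$inst"
preflight "$inst" && echo "preflight: $inst is clean"
rm -rf "$inst"
```

Against a real instance, call preflight /etc/freeradius-sql as root after section 5.11 and only run systemctl enable --now when it returns 0; the radiusd -C step then catches syntax errors in the files edited in 5.5 to 5.8 before the unit ever tries to start.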
5.12 Logs.
vi /etc/freeradius-sql/radiusd.conf
Change only these lines.
log {  
auth = yes  
auth_badpass = yes  
auth_goodpass = yes  
}  
auth = yes writes one line per authentication result and is worth keeping. auth_badpass and auth_goodpass make the server write the user's password into radius.log whenever it has it in cleartext (PAP requests); that is useful while debugging the SQL lookup, but it turns the log file into a password store, so set both back to no once the instance works.
tail -200 /var/log/freeradius-sql/radius.log
Auth: (2) Login OK: [jemarre/<via Auth-Type = mschap>] (from client localhost port 1812)  
The "<via Auth-Type = mschap>" field means there was no cleartext password to log for this MS-CHAP request; a PAP request with auth_goodpass = yes shows the password in its place.
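Once auth = yes is on, radius.log becomes a usable detection source. The following is an added example, not code from the wiki or from FreeRADIUS: it counts Login incorrect lines per NAS client and per user against a threshold, and flags lines that carry a cleartext password, which tells you that the auth_goodpass/auth_badpass debugging settings above are still active. The sample log it writes is constructed here; the line shape follows the Auth: line shown above, while the module error texts and the timestamps are illustrative. The threshold and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the wiki: triage helpers for radius.log once
# log { auth = yes } is on. Assumes POSIX sh, awk and grep. The sample log
# written by make_sample_log is constructed for the demo.

# Print "count client" for every NAS client with at least $2 (default 5)
# "Login incorrect" lines in log $1. Returns 1 if any client crossed the
# threshold, so the function can drive a cron alert.
failed_logins_by_client() {
    awk -v thr="${2:-5}" '
        /Login incorrect/ && match($0, "from client [^ )]+") {
            n[substr($0, RSTART + 12, RLENGTH - 12)]++
        }
        END {
            hit = 0
            for (c in n) if (n[c] >= thr) { print n[c], c; hit = 1 }
            exit hit
        }' "$1"
}

# Same per user name, taken from the "[user/..." field of the line.
failed_logins_by_user() {
    awk -v thr="${2:-5}" '
        /Login incorrect/ && match($0, ": \\[[^]/]+") {
            n[substr($0, RSTART + 3, RLENGTH - 3)]++
        }
        END {
            hit = 0
            for (u in n) if (n[u] >= thr) { print n[u], u; hit = 1 }
            exit hit
        }' "$1"
}

# Lines that carry a cleartext password: with auth_goodpass/auth_badpass =
# yes and PAP, the field after "user/" is the password itself rather than
# "<via Auth-Type = ...>". Returns 1 if any such line exists, i.e. the
# debugging settings from this section are still on.
find_logged_passwords() {
    grep -nE 'Login (OK|incorrect).*: \[[^]/]+/[^<]' "$1" && return 1
    return 0
}

# Constructed sample log: one MS-CHAP success, three MS-CHAP failures from
# the linksys2 NAS (two for jemarre, one for guest), and two PAP lines from
# localhost that expose passwords because auth_goodpass/auth_badpass = yes.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Tue Sep 10 09:12:01 2024 : Auth: (2) Login OK: [jemarre/<via Auth-Type = mschap>] (from client localhost port 1812)
Tue Sep 10 09:12:05 2024 : Auth: (3) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0 cli 00-11-22-33-44-55)
Tue Sep 10 09:12:06 2024 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jemarre/<via Auth-Type = mschap>] (from client linksys2 port 0 cli 00-11-22-33-44-55)
Tue Sep 10 09:12:09 2024 : Auth: (5) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [guest/<via Auth-Type = mschap>] (from client linksys2 port 0 cli 00-11-22-33-44-66)
Tue Sep 10 09:13:00 2024 : Auth: (6) Login incorrect (pap: Cleartext password does not match "known good" password): [jemarre/wrongpass] (from client localhost port 1812)
Tue Sep 10 09:13:04 2024 : Auth: (7) Login OK: [jemarre/7YhjiDfg4] (from client localhost port 1812)
EOF
    printf '%s\n' "$f"
}

# Stand-alone run over the constructed log.
log=$(make_sample_log)
echo "clients with at least 3 failures:"; failed_logins_by_client "$log" 3
echo "users with at least 3 failures:";   failed_logins_by_user "$log" 3
echo "lines exposing a password:";        find_logged_passwords "$log"
rm -f "$log"
```

On the live server point the functions at /var/log/freeradius-sql/radius.log; failed_logins_by_client is the one to run from cron, since a burst of failures from a single NAS is what a brute-force attempt through the Wi-Fi router looks like, and find_logged_passwords returning 1 after go-live means section 5.12's debugging settings were never turned off.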
5.13 Check the user's sqlradius connection.
- Daloradius server.
 The sqlradius database holds the test account:
 User: jemarre
 Password: 7YhjiDfg4
- Freeradius server.
 1. Open a terminal console and run the instance in debug mode.
 systemctl stop freeradius-sql
 radiusd -d /etc/freeradius-sql -l /var/log/freeradius-sql/radius.log -X
 2. Open another terminal console and send a PAP request with radtest (the last argument is the localhost shared secret set in 5.10).
 radtest jemarre "7YhjiDfg4" localhost:1812 0 3bd45df3-3bd45df3
Sent Access-Request Id 45 from 0.0.0.0:50187 to 127.0.0.1:1812 length 77  
            User-Name = "jemarre"  
            User-Password = "7YhjiDfg4"  
            NAS-IP-Address = 192.168.50.41  
            NAS-Port = 1812  
            Message-Authenticator = 0x00  
            Cleartext-Password = "7YhjiDfg4"  
Received Access-Accept Id 45 from 127.0.0.1:1812 to 127.0.0.1:50187 length 20  
Then the same account with MS-CHAP, which is what PEAP/MSCHAPv2 Wi-Fi clients will use:
radtest -t mschap jemarre  "7YhjiDfg4" localhost:1812 0 3bd45df3-3bd45df3
Sent Access-Request Id 48 from 0.0.0.0:52137 to 127.0.0.1:1812 length 133  
        User-Name = "jemarre"  
        MS-CHAP-Password = "7YhjiDfg4"  
        NAS-IP-Address = 127.0.0.1  
        NAS-Port = 1812  
        Message-Authenticator = 0x00  
        Cleartext-Password = "7YhjiDfg4"  
        MS-CHAP-Challenge = 0x697ae9ca2ff6da03  
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004692ebe011da80322fcc0786b8d33e7f3ec03b49285d9919  
Received Access-Accept Id 48 from 127.0.0.1:1812 to 127.0.0.1:52137 length 84  
        MS-CHAP-MPPE-Keys = 0x000000000000000051b05c393881ae8342b2abac522eae39  
        MS-MPPE-Encryption-Policy = Encryption-Allowed  
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
Both requests must end with Access-Accept. If PAP succeeds but MS-CHAP is rejected, check how the password is stored in radcheck: MS-CHAP can only be verified against a Cleartext-Password or NT-Password value, never against a hashed one such as Crypt-Password. Start the service again with systemctl start freeradius-sql when done.