103DaloRadius - amagerard/FreeRadius GitHub Wiki
Add the MariaDB repository and update. The repository setup script is fetched from mariadb.com and executed as root: download it and read it first if you prefer.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | bash
dnf update
dnf install MariaDB-server
systemctl enable --now mariadb
Secure mariadb.
mariadb-secure-installation
For this example, the root password will be `X2m56AB50!` (the value typed at the New password prompt below).
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Switch to unix_socket authentication [Y/n] n
... skipping.
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n] y
New password: X2m56AB50!
... Success!
Remove anonymous users? [Y/n] y
... Success!
Disallow root login remotely? [Y/n] y
... Success!
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done!
PHP installation from the remi repository.
dnf install http://fr2.rpmfind.net/linux/remi/enterprise/remi-release-9.5.rpm
Select PHP 8.4. Reset the php module stream first:
dnf module reset php
Then enable the remi-8.4 stream:
dnf module enable php:remi-8.4
dnf install -y php-fpm php-mbstring php-mysqlnd php-gd php-opcache php-json php-curl php-zip php-xml php-bz2 php-intl php-gmp php-pgsql php-pear
systemctl enable --now php-fpm
PEAR (PHP Extension and Application Repository) is a collection of PHP libraries. Daloradius (https://github.com/lirantal/daloradius) depends on the PEAR packages below.
The PEAR package DB (with MDB2) is needed to access the database.
To install them, execute at the command line:
pear install DB MDB2
PEAR packages Mail and Mail_Mime to send notifications by email.
To install them, execute at the command line:
pear install -a Mail
pear install -a Mail_Mime
The FreeRADIUS SQL schema is shipped with the freeradius packages, so install them temporarily on this host (they are removed again once the schema is imported).
subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
dnf install freeradius freeradius-mysql
Create the sqlradius database and its administrator account sqlradius.
In this example the sqlradius password is D51mAB59!
mariadb -u root -p
MariaDB [(none)]> create database sqlradius;
MariaDB [(none)]> grant all privileges on sqlradius.* to 'sqlradius'@'localhost' identified by 'D51mAB59!';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
Import the FreeRADIUS MySQL schema into the sqlradius database.
mariadb -u root -p sqlradius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Check.
mariadb -u root -p
MariaDB [(none)]> use sqlradius;
MariaDB [sqlradius]> show tables;
+---------------------+
| Tables_in_sqlradius |
+---------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
+---------------------+
dnf remove freeradius-mysql freeradius
dnf install nginx
In the default server block of nginx.conf, comment out the IPv6 listener and set the document root to /var/www/html.
vi /etc/nginx/nginx.conf
listen 80;
# listen [::]:80;
root /var/www/html;
systemctl enable --now nginx
systemctl status nginx
Change the group of the PHP session and cache directories from apache to nginx.
cd /var/lib/php
chgrp -R nginx opcache
chgrp -R nginx session
chgrp -R nginx wsdlcache
Set the php-fpm pool user and group to nginx.
vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx
Restart php-fpm and nginx services.
systemctl restart php-fpm
systemctl restart nginx
Nginx custom reconfiguration (Debian-style sites-available/sites-enabled layout).
Folder for the site configurations:
mkdir /etc/nginx/sites-available
Folder for the sites nginx actually loads (links to files in sites-available):
mkdir /etc/nginx/sites-enabled
Configure nginx.conf.
Before editing, back up nginx.conf.
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_backup
Empty nginx.conf.
> /etc/nginx/nginx.conf
Edit nginx.conf.
vi /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# -- nginx paranoia--
# Requests over these limits are rejected (413 for an oversized body, 400 for oversized headers)
client_body_buffer_size 1m;
client_max_body_size 1m;
large_client_header_buffers 4 8k;
# Note: add_header directives set here are only inherited by a server or
# location block that defines no add_header of its own.
# Prevent clickjacking attacks
add_header X-Frame-Options "SAMEORIGIN" always;
# HSTS: "always" is an add_header parameter, so it belongs outside the quoted header value
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Legacy cross-site scripting filter header: current browsers ignore it and OWASP now recommends the value "0"
add_header X-XSS-Protection "1; mode=block";
# Prevention of MIME confusion-based attacks
add_header X-Content-Type-Options "nosniff" always;
# Hide the X-Powered-By header that PHP adds. proxy_hide_header only covers
# proxy_pass backends; PHP-FPM is reached through fastcgi_pass, so use the fastcgi variant.
fastcgi_hide_header X-Powered-By;
# Referrer policy
add_header Referrer-Policy "origin-when-cross-origin" always;
#--End nginx paranoia --
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
systemctl restart nginx
Certificate.
The following files are needed:
/etc/ssl/certs/daloradius.crt (to be created)
/etc/ssl/certs/CA.crt (already exists)
/etc/ssl/private/daloradius.key (to be created)
On RHEL-family systems /etc/ssl/certs and /etc/ssl/private are symlinks to /etc/pki/tls/certs and /etc/pki/tls/private, so the two spellings used in this chapter refer to the same files.
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create daloradius.key and daloradius.crt.
IMPORTANT: the CA.crt and CA.key of the Daloradius server must be the same as the CA.crt and CA.key of the freeradius server.
Very important.
The rlm_sql_mysql driver (driver = "rlm_sql_mysql" in the freeradius sql module) must trust, on the freeradius side, the same CA that signed the daloradius MariaDB certificate.
As observed on February 10, 2025, this driver does not work with a CA generated by OpenSSL on Red Hat 9.5.
The workaround used here is to create the certificate authority (CA) on an AlmaLinux 9.4 live CD and then import that CA.crt and CA.key onto both the freeradius and the daloradius servers.
This problem may be resolved in future versions.
openssl genrsa -out /etc/ssl/private/daloradius.key 4096
openssl req -new -key /etc/ssl/private/daloradius.key -out /etc/ssl/certs/daloradius.csr
openssl ca -config /etc/ssl/openssl.cnf -days 365 -out /etc/ssl/certs/daloradius.crt -in /etc/ssl/certs/daloradius.csr
(-days is a signing option: openssl req ignores it when producing a request, so the validity period is set on the openssl ca command.)
Give nginx read access to the key and certificates.
setfacl -m u:nginx:r /etc/pki/tls/private/daloradius.key
setfacl -m u:nginx:r /etc/pki/tls/certs/daloradius.crt
setfacl -m u:nginx:r /etc/pki/tls/certs/CA.crt
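As an added example (not from this wiki or the TemplateVM chapter), the script below performs the same issuance with `openssl x509 -req` against an existing CA.crt/CA.key instead of `openssl ca`, adds a subjectAltName for the hostname (the request above carries none, and clients that verify the server name, such as browsers or the mariadb client with --ssl-verify-server-cert, match on the SAN) and then checks that the result chains to the CA. The hostname daloradius.ol26modk.com, the output paths and the function names are assumptions; the CA used by the demo is a throwaway one created in a temporary directory, not the CA shared with the freeradius server.

```shell
#!/bin/sh
# Added example (not from the wiki): issue a TLS server certificate for the
# daloradius host with "openssl x509 -req" against an existing CA and check it.
# Assumptions: CA.crt/CA.key are the CA shared with the freeradius server;
# daloradius.ol26modk.com is the name clients connect to.
set -eu

# issue_server_cert CA_CRT CA_KEY OUTDIR FQDN
# Writes OUTDIR/daloradius.key, daloradius.csr and daloradius.crt.
issue_server_cert() {
    ca_crt=$1; ca_key=$2; outdir=$3; fqdn=$4
    # umask 077: the private key is never world-readable, not even briefly
    (umask 077 && openssl genrsa -out "$outdir/daloradius.key" 4096 2>/dev/null)
    # A CSR carries no validity period: -days belongs to the signing step
    openssl req -new -key "$outdir/daloradius.key" -subj "/CN=$fqdn" \
        -out "$outdir/daloradius.csr" 2>/dev/null
    # Extensions for a server certificate. The subjectAltName is what TLS
    # clients match the hostname against; CA:FALSE prevents a leaked server
    # key from being used to sign further certificates.
    cat >"$outdir/server.ext" <<EOF
subjectAltName=DNS:$fqdn
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
    openssl x509 -req -in "$outdir/daloradius.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -days 365 -sha256 -extfile "$outdir/server.ext" \
        -out "$outdir/daloradius.crt" 2>/dev/null
}

# verify_server_cert CA_CRT CERT FQDN
# Returns 0 only if CERT chains to CA_CRT and carries a SAN for FQDN.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

# make_test_ca OUTDIR: a throwaway CA for the demonstration below only.
# In production CA.crt/CA.key come from the TemplateVM chapter instead.
make_test_ca() {
    (umask 077 && openssl genrsa -out "$1/CA.key" 2048 2>/dev/null)
    openssl req -new -key "$1/CA.key" -subj "/CN=Example Lab CA" \
        -out "$1/CA.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' >"$1/ca.ext"
    openssl x509 -req -in "$1/CA.csr" -signkey "$1/CA.key" -days 365 -sha256 \
        -extfile "$1/ca.ext" -out "$1/CA.crt" 2>/dev/null
}

# Demonstration: sh issue-cert.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_ca "$d"
    issue_server_cert "$d/CA.crt" "$d/CA.key" "$d" daloradius.ol26modk.com
    verify_server_cert "$d/CA.crt" "$d/daloradius.crt" daloradius.ol26modk.com &&
        echo "daloradius.crt chains to CA.crt and names daloradius.ol26modk.com"
    rm -rf "$d"
fi
```

To use it with the real CA, call issue_server_cert with /etc/pki/tls/certs/CA.crt and the matching CA.key and copy the resulting files to the paths listed above; verify_server_cert is also a quick way to confirm that the certificate imported on the freeradius side was issued by the same CA before touching the rlm_sql_mysql configuration.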
- daloradius.conf
Edit daloradius.conf.
vi /etc/nginx/sites-available/daloradius.conf
Be careful: only 127.0.0.1, the daloradius server's own address 192.168.70.41, and the subnets 192.168.20.0/24 and 192.168.80.0/24 are allowed to reach the web interface.
server {
listen 80;
# listen [::]:80;
server_name _;
# redirect to https
return 301 https://$host$request_uri;
}
## Settings for a TLS enabled server.
#
server {
listen 443 ssl http2;
# listen [::]:443 ssl http2;
server_name _;
root /var/www/html;
index index.php index.html;
#
ssl_certificate "/etc/ssl/certs/daloradius.crt";
ssl_certificate_key "/etc/ssl/private/daloradius.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
#
# Be careful, only the subnets below are allowed.
# The allow/deny rules sit at server level so that they apply to every
# location, including the regex PHP location below: nginx does not inherit
# access rules from a sibling "location /", and a regex location takes
# precedence over it, so rules placed only in "location /" would leave the
# .php pages (i.e. the whole application) unrestricted.
allow 127.0.0.1;
allow 192.168.70.41;
allow 192.168.20.0/24;
allow 192.168.80.0/24;
deny all;
location / {
try_files $uri $uri/ /index.php;
}
### Connecting NGINX to PHP FPM
location ~ ^/(.+\.php)$ {
# only hand existing .php files to PHP-FPM
try_files $uri =404;
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
# block access to dotfiles (.git, .htaccess, ...)
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
error_page 404 /404.html;
location = /404.html {
}
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
charset utf-8;
}
Create the link to daloradius.conf in the sites-enabled folder.
ln -s /etc/nginx/sites-available/daloradius.conf /etc/nginx/sites-enabled/daloradius.conf
systemctl restart nginx
Install daloradius 1.3. This version has not been updated since 2021.
wget -P /opt https://github.com/lirantal/daloradius/archive/refs/tags/1.3.tar.gz
tar -xvf /opt/1.3.tar.gz -C /var/www/html --one-top-level=daloradius --strip-components 1
chown -R nginx:nginx /var/www/html/daloradius
cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
chown nginx:nginx /var/www/html/daloradius/library/daloradius.conf.php
chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
Import the daloradius MySQL schema into the sqlradius database.
cd /var/www/html/daloradius
mariadb -u root -p sqlradius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mariadb -u root -p sqlradius < contrib/db/mysql-daloradius.sql
vi /var/www/html/daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'sqlradius';
$configValues['CONFIG_DB_PASS'] = 'D51mAB59!';
$configValues['CONFIG_DB_NAME'] = 'sqlradius';
systemctl restart nginx
Open http://daloradius.ol26modk.com/daloradius (nginx redirects it to https).
Login: administrator
Password: radius
These are the daloradius default credentials: change the password at the first login.
By default the MySQL exchanges between freeradius and daloradius are not encrypted: the account credentials and the RADIUS user data cross the network in clear text. The following steps enable TLS on the MariaDB link.
IMPORTANT: the Certificate Authority (CA) is the same for freeradius and daloradius.
User admsql is the account used by freeradius (Ip 192.168.50.41) to connect to the sqlradius database hosted on the daloradius server (192.168.70.41).
mariadb -u root -p
USE sqlradius;
MariaDB [sqlradius]> GRANT ALL PRIVILEGES on sqlradius.* to 'admsql'@'192.168.50.41' identified by '641fqAB4d';
MariaDB [sqlradius]> FLUSH PRIVILEGES;
MariaDB [sqlradius]> select user,host from mysql.user;
+-------------+---------------+
| User | Host |
+-------------+---------------+
| PUBLIC | |
| admsql | 192.168.50.41 |
| mariadb.sys | localhost |
| mysql | localhost |
| root | localhost |
| sqlradius | localhost |
+-------------+---------------+
MariaDB [sqlradius]>exit
Reuse the certificates already created for nginx:
/etc/pki/tls/certs/daloradius.crt
/etc/pki/tls/certs/CA.crt
/etc/pki/tls/private/daloradius.key
vi /etc/my.cnf.d/my.cnf
Add these lines.
[mysqld]
ssl-ca=/etc/pki/tls/certs/CA.crt
ssl-cert=/etc/pki/tls/certs/daloradius.crt
ssl-key=/etc/pki/tls/private/daloradius.key
Give the mysql group read access (mysqld runs as the mysql user and reads the key itself).
setfacl -m g:mysql:r /etc/pki/tls/private/daloradius.key
setfacl -m g:mysql:r /etc/pki/tls/certs/daloradius.crt
setfacl -m g:mysql:r /etc/pki/tls/certs/CA.crt
systemctl restart mariadb
Check.
mariadb -u root -p
MariaDB [mysql]> show variables LIKE "%ssl%";
+---------------------+-------------------------------------+
| Variable_name | Value |
+---------------------+-------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/pki/tls/certs/CA.crt |
| ssl_capath | |
| ssl_cert | /etc/pki/tls/certs/daloradius.crt |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/pki/tls/private/daloradius.key |
| version_ssl_library | OpenSSL 3.2.2 4 Jun 2024 |
+---------------------+-------------------------------------+
Require an SSL connection for admsql@192.168.50.41.
mariadb -u root -p
ALTER USER 'admsql'@'192.168.50.41' REQUIRE SSL;
FLUSH PRIVILEGES;
Check.
mariadb -u root -p
SELECT USER,host,ssl_type FROM mysql.user;
+-------------+---------------+----------+
| User | Host | ssl_type |
+-------------+---------------+----------+
| mariadb.sys | localhost | |
| root | localhost | |
| mysql | localhost | |
| PUBLIC | | |
| sqlradius | localhost | |
| admsql | 192.168.50.41 | ANY |
+-------------+---------------+----------+
The MariaDB-client package must be installed on the freeradius server. Connect from there and check that the session is encrypted. Adding --ssl-ca=/path/to/CA.crt --ssl-verify-server-cert makes the client also verify that the server certificate was issued by the shared CA and matches the hostname, instead of only encrypting the session.
[@freeradius]$ mariadb -u admsql -p -h daloradius.ol26modk.com
MariaDB [(none)]> \s
Current user: admsql@192.168.50.41
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
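As an added example that is not part of this wiki, the script below covers the account steps above in one place: it renders the SQL to create the freeradius account with REQUIRE SSL from the start and with the privilege set that freeradius' own mods-config/sql/main/mysql/setup.sql grants (SELECT on the schema, full rights only on radacct and radpostauth) rather than ALL PRIVILEGES on the whole database, and it audits the output of the ssl_type query for remote accounts that can still log in without TLS. The SQL is printed rather than executed so it can be reviewed and piped into mariadb; the database name sqlradius, the host 192.168.50.41 and the function names are assumptions, and the sample mysql.user listings are constructed to mirror the two tables on this page.

```shell
#!/bin/sh
# Added example (not from the wiki): least-privilege, TLS-only freeradius
# account on the daloradius MariaDB, plus an audit of mysql.user.
# Assumptions: database sqlradius, freeradius host 192.168.50.41, privilege
# set taken from freeradius' mods-config/sql/main/mysql/setup.sql.
set -eu

# render_grants USER HOST PASSWORD DB
# Prints the SQL to run as root:  render_grants ... | mariadb -u root -p
# freeradius reads the check/reply/group/nas tables and writes radacct and
# radpostauth, so it does not need ALL PRIVILEGES on the schema.
# IF NOT EXISTS leaves an existing account's password untouched, and the
# password is inserted verbatim, so it must not contain a single quote.
render_grants() {
    user=$1; host=$2; pass=$3; db=$4
    cat <<EOF
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pass' REQUIRE SSL;
GRANT SELECT ON \`$db\`.* TO '$user'@'$host';
GRANT ALL PRIVILEGES ON \`$db\`.radacct TO '$user'@'$host';
GRANT ALL PRIVILEGES ON \`$db\`.radpostauth TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# audit_tls_accounts
# Reads on stdin the tab-separated output of
#   mariadb -N -B -e "SELECT user,host,ssl_type FROM mysql.user"
# and prints every account allowed in from a remote host with an empty
# ssl_type (no TLS requirement). Returns 1 if any such account exists.
audit_tls_accounts() {
    awk -F '\t' '
        # local-only accounts and the PUBLIC pseudo-role (empty host) are fine
        $2 == "localhost" || $2 == "127.0.0.1" || $2 == "::1" || $2 == "" { next }
        $3 == "" { printf "%s@%s accepts clear-text logins\n", $1, $2; bad++ }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed samples: mysql.user as shown on this page before and after
# "ALTER USER ... REQUIRE SSL", in the -N -B format (user TAB host TAB ssl_type).
sample_before() {
    printf 'PUBLIC\t\t\nadmsql\t192.168.50.41\t\nmariadb.sys\tlocalhost\t\nmysql\tlocalhost\t\nroot\tlocalhost\t\nsqlradius\tlocalhost\t\n'
}
sample_after() {
    printf 'mariadb.sys\tlocalhost\t\nroot\tlocalhost\t\nmysql\tlocalhost\t\nPUBLIC\t\t\nsqlradius\tlocalhost\t\nadmsql\t192.168.50.41\tANY\n'
}

# Demonstration: sh radius-db-account.sh demo
if [ "${1:-}" = "demo" ]; then
    render_grants admsql 192.168.50.41 '641fqAB4d' sqlradius
    echo "--- before REQUIRE SSL:"
    sample_before | audit_tls_accounts || echo "finding(s) above"
    echo "--- after REQUIRE SSL:"
    sample_after | audit_tls_accounts && echo "no remote account without TLS"
fi
```

On the live server the audit is run as `mariadb -N -B -u root -p -e "SELECT user,host,ssl_type FROM mysql.user" | audit_tls_accounts`; it is a per-account check, and MariaDB can additionally refuse every unencrypted TCP login server-wide with `require_secure_transport=ON` under [mysqld].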