404InstanceDefault - amagerard/FreeRadius GitHub Wiki
RedHat10/FreeRadius
4 Instance Default.
4.1 Default installation.
Compiling FreeRADIUS requires the MariaDB, OpenLDAP and krb5 development packages.
Add the MariaDB repository.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | bash
The mariadb-maxscale URL is out of service.
Set enabled = 0.
vi /etc/yum.repos.d/mariadb.repo
[mariadb-maxscale]
# To use the latest stable release of MaxScale, use "latest" as the version
# To use the latest beta (or stable if no current beta) release of MaxScale, use "beta" as the version
name = MariaDB MaxScale
baseurl = https://dlm.mariadb.com/repo/maxscale/latest/yum/rhel/10/x86_64
gpgkey = file:///etc/pki/rpm-gpg/MariaDB-MaxScale-GPG-KEY
gpgcheck = 1
enabled = 0
Enable the CodeReady Linux Builder repository.
subscription-manager repos --enable codeready-builder-for-rhel-10-$(arch)-rpms
dnf update
dnf install gcc libtalloc-devel openssl-devel MariaDB-devel openldap-devel krb5-devel
You will find the latest version at https://github.com/FreeRADIUS/freeradius-server/.
wget -P /opt https://github.com/FreeRADIUS/freeradius-server/archive/release_3_2_8.tar.gz
tar -xvf /opt/release_3_2_8.tar.gz -C /opt --one-top-level=freeradius --strip-components 1
cd /opt/freeradius
./configure --prefix=/usr --sysconfdir=/etc
make
make install
4.2 Disable IPv6.
radiusd -X does not report IPv6 errors with version 3.2.8, but I disable the IPv6 listeners anyway.
vi /etc/raddb/sites-enabled/default
Comment out the IPv6 "listen" blocks with "#".
# IPv6 versions of the above - read their full config to understand options
#listen {
#	type = auth
#	ipv6addr = ::	# any.  ::1 == localhost
#	port = 0
#	interface = eth0
#	clients = per_socket_clients
#	limit {
#		max_connections = 16
#		lifetime = 0
#		idle_timeout = 30
#	}
#}
#listen {
#	ipv6addr = ::
#	port = 0
#	type = acct
#	interface = eth0
#	clients = per_socket_clients
#	limit {
#		max_pps = 0
#		idle_timeout = 0
#		lifetime = 0
#		max_connections = 0
#	}
#}
Check radiusd.
radiusd -X
It should not produce any errors.
Ctrl+C to exit.
4.3 Create a self-signed certificate.
I need:
- /etc/ssl/private/freeradius-ecc.key (to generate).
- /etc/ssl/certs/freeradius-ecc.crt (to generate).
- /etc/ssl/certs/CA-ecc.crt (to generate).
The certificate authority must be regenerated with a custom configuration file.
This is necessary to connect to MariaDB or OpenLDAP servers.
Example:
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:dns.ol26modk.com
Email Address []:[email protected]
Edit a configuration file.
vi /etc/pki/tls/authority.conf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[ req_distinguished_name ]
C = FR
ST = France
L = Versailles
O = ol26modk
OU = office
CN = dns.ol26modk.com
emailAddress = [email protected]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.90.41
DNS.1 = dns1.ol26modk.com
IP.1 is the IP address of dns.ol26modk.com.
Generate CA-ecc.key and CA-ecc.crt.
openssl ecparam -name prime256v1 -genkey -noout -out /etc/ssl/private/CA-ecc.key
openssl req -x509 -new -key /etc/pki/tls/private/CA-ecc.key -sha256 -days 1430 -out /etc/pki/tls/certs/CA-ecc.crt -extensions 'v3_ca' -config /etc/pki/tls/authority.conf
Check CA.
openssl x509 -in /etc/ssl/certs/CA-ecc.crt -text -noout
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:7E:C5:68:8C:D8:B2:94:A0:CA:B4:F5:9B:DA:36:FB:5B:29:D8:7F:7D
DirName:/C=FR/ST=France/L=Versailles/O=ol26modk/OU=office/CN=dns.ol26modk.com/[email protected]
serial:4C:12:01:58:60:A9:05:A7:E0:91:C8:0A:A5:DB:06:E1:37:B3:1A:9A
chmod 400 /etc/ssl/private/CA-ecc.key
chmod 400 /etc/ssl/certs/CA-ecc.crt
You need to export CA-ecc.key and CA-ecc.crt to the MariaDB, OpenLDAP and Samba AD servers.
Repeat the TemplateVM/certificate chapter 6.3.2 procedure to create freeradius-ecc.key and freeradius-ecc.crt.
openssl ecparam -genkey -name prime256v1 -noout -out /etc/ssl/private/freeradius-ecc.key
openssl req -new -days 365 -key /etc/ssl/private/freeradius-ecc.key -out /etc/ssl/certs/freeradius-ecc.csr
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:freeradius.ol26modk.com
Email Address []:[email protected]
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/freeradius-ecc.crt -in /etc/ssl/certs/freeradius-ecc.csr
chmod 400 /etc/ssl/private/freeradius-ecc.key
chmod 400 /etc/ssl/certs/freeradius-ecc.crt
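As an added check (example code, not part of this wiki), the script below rebuilds the CA and server certificate of this section in a scratch directory and runs the verifications that the tls-common settings of the eap module silently depend on: the CA carries CA:TRUE, the server certificate chains to it, and private_key_file and certificate_file belong together. DN values are the wiki's; the scratch directory, the SAN entry for the freeradius host, and "openssl x509 -req" in place of "openssl ca" are assumptions made so it runs without a CA database.

```shell
# Added example, not the wiki's own commands: rebuild the section 4.3
# CA and server certificate in a scratch directory (assumption) and check
# the result the way radiusd's tls-common will use it.
set -eu
build_and_verify() {
  work="$(mktemp -d)"
  cat > "$work/authority.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
C = FR
O = ol26modk
CN = dns.ol26modk.com
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.90.41
DNS.1 = freeradius.ol26modk.com
EOF
  # CA: P-256 key and self-signed certificate, as in section 4.3.
  openssl ecparam -name prime256v1 -genkey -noout -out "$work/CA-ecc.key"
  openssl req -x509 -new -key "$work/CA-ecc.key" -sha256 -days 1430 \
    -extensions v3_ca -config "$work/authority.conf" -out "$work/CA-ecc.crt"
  # Server: P-256 key, CSR, signed by the CA with v3_req (digitalSignature is the usage an ECDSA key exercises in TLS).
  openssl ecparam -name prime256v1 -genkey -noout -out "$work/freeradius-ecc.key"
  openssl req -new -key "$work/freeradius-ecc.key" -config "$work/authority.conf" \
    -subj "/C=FR/O=ol26modk/CN=freeradius.ol26modk.com" -out "$work/freeradius-ecc.csr"
  openssl x509 -req -in "$work/freeradius-ecc.csr" -CA "$work/CA-ecc.crt" \
    -CAkey "$work/CA-ecc.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$work/authority.conf" -extensions v3_req \
    -out "$work/freeradius-ecc.crt" 2>/dev/null
  # Check 1: the CA really carries CA:TRUE (needed for chain building).
  openssl x509 -in "$work/CA-ecc.crt" -noout -ext basicConstraints | grep -q 'CA:TRUE'
  # Check 2: the server certificate chains to CA-ecc.crt.
  openssl verify -CAfile "$work/CA-ecc.crt" "$work/freeradius-ecc.crt" >/dev/null
  # Check 3: private_key_file and certificate_file belong together.
  [ "$(openssl pkey -in "$work/freeradius-ecc.key" -pubout)" = \
    "$(openssl x509 -in "$work/freeradius-ecc.crt" -noout -pubkey)" ]
  rm -rf "$work"
  echo ok
}
```

Run the same three checks against the real files under /etc/ssl before starting radiusd; any failure there shows up later only as an opaque TLS handshake error in radiusd -X.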
4.4 EAP.
Edit the eap file.
vi /etc/raddb/mods-available/eap
eap {
	tls-config tls-common {
		private_key_file = /etc/pki/tls/private/freeradius-ecc.key
		certificate_file = /etc/pki/tls/certs/freeradius-ecc.crt
		ca_file = /etc/pki/tls/certs/CA-ecc.crt
		ca_path = /etc/pki/tls/certs
4.5 Check the freeradius service.
radiusd -X
The test ends with:
Ready to process requests.
Ctrl+C to exit.
4.6 Precaution.
The freeradius-sql instance uses the same ports, 1812 and 1813, as the default instance.