Radius Server: Difference between revisions

← Older edit

Radius Server (view source)

Revision as of 17:02, 27 January 2022

4,772 bytes added , 2 years ago

→‎Configuration

Amanjosan2008

Bureaucrats, Administrators

4,400

edits

Revision as of 21:10, 5 August 2017 (view source) Amanjosan2008 (talk \| contribs) (→‎Logging) ← Older edit		Latest revision as of 17:02, 27 January 2022 (view source) Amanjosan2008 (talk \| contribs) (→‎Configuration)
(14 intermediate revisions by the same user not shown)
Line 10: == Configuration == Edit the freeradius users: sudo nano /etc/freeradius/3.0/users Uncomment the user 'John Doe': Line 16: Reply-Message = "Hello, %u" Add a new User with Group Name: ~~Test teh connectivity from local machine:~~ aman Cleartext-Password := "pwd123" Citrix-User-Groups = "S_UA_G_Superuser", Reply-Message = "Hello, %{User-Name}" Test the connectivity from local machine: sudo radtest "John Doe" hello 127.0.0.1 0 testing123 Remote access to the radius server sudo nano /etc/freeradius/3.0/clients.conf And add the following snippet: Line 30 ⟶ 36: Now from another machine, try the following: radtest "John Doe" "hello" ~~example~~10.~~com~~10.40.1 0 "mysecret" You will get Access-Accept packet and "Hello, John Doe" messages. == Logging == Source: [https://wiki.freeradius.org/config/Logging#log-authentication-requests wiki.freeradius.org] The "log" section of the radiusd.conf file is where the primary logging configuration for the FreeRADIUS server is located. <pre> Line 57 ⟶ 63: stdout - log to standard output. stderr - log to standard error. = GUI = Line 63 ⟶ 68: == DaloRadius == Source: [http://www.ubuntugeek.com/install-freeradius-on-ubuntu-15-04-server-and-manage-using-daloradius-freeradius-web-management-application.html ubuntugeek.com] ~~sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5 php-mail~~ === Installation === ~~Install freeradius using the following command~~ Prerequisites: ~~sudo apt-get install freeradius freeradius-mysql freeradius-utils~~ sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5 php-mail ~~Create~~ Freeradius ~~Database~~Installation: sudo apt-get install freeradius freeradius-mysql freeradius-utils === Database === ~~You can use the following command to create freeradius database~~ Create Freeradius Database ~~sudo mysql -u root -p~~ sudo mysql -u root -p ~~Enter password:~~ ~~Welcome to the MySQL monitor. Commands end with ; or \g.~~ ~~Your MySQL connection id is 5~~ ~~Server version: 5.6.24-0ubuntu2 (Ubuntu)~~ ~~Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.~~ ~~Oracle is a registered trademark of Oracle Corporation and/or its~~ ~~affiliates. Other names may be trademarks of their respective~~ ~~owners.~~ ~~Type ‘help;' or ‘\h' for help. Type ‘\c' to clear the current input statement.~~ ~~mysql> create database radius;~~ ~~mysql> grant all on radius.* to radius@localhost identified by "password";~~ ~~Query OK, 0 rows affected (0.00 sec)~~ ~~Insert the freeradius database scheme using the following commands~~ mysql> create database radius; ~~sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql~~ mysql> grant all on radius.* to radius@localhost identified by "password"; Insert the freeradius database scheme: ~~Enter password:~~ sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql ~~Enter password:~~ Create new user for radius database sudo mysql -u root -p mysql> use radius; mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES (‘sqltest', ‘Password', ‘testpwd'); mysql> exit === Freeradius === ~~sudo mysql -u root -p~~ ~~mysql> use radius;~~ ~~Reading table information for completion of table and column names~~ ~~You can turn off this feature to get a quicker startup with -A~~ ~~Database changed~~ ~~mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES (‘sqltest', ‘Password', ‘testpwd');~~ ~~Query OK, 1 row affected (0.04 sec)~~ ~~mysql> exit~~ ~~Bye~~ ~~Freeradius Configuration~~ You need to edit /etc/freeradius/sql.conf file sudo nano /etc/freeradius/sql.conf ~~sudo vi /etc/freeradius/sql.conf~~ Make sure you have the following details database = mysql login = radius password = password Uncomment the following ~~database = mysql~~ readclients = yes ~~login = radius~~ ~~password = password~~ ~~Uncomment the following~~ ~~readclients = yes~~ ~~Save and Exit the file~~ Now you need to edit the /etc/freeradius/sites-enabled/default file sudo vi /etc/freeradius/sites-enabled/default ~~sudo vi /etc/freeradius/sites-enabled/default~~ Uncomment the sql option in the following sections <pre> accounting Line 166 ⟶ 131: sql </pre> ~~Save and Exit the file~~ Now edit /etc/freeradius/radiusd.conf file sudo nano /etc/freeradius/radiusd.conf Uncomment the following option ~~sudo vi /etc/freeradius/radiusd.conf~~ ~~#Uncomment the following option~~ $INCLUDE sql.conf ~~Save and exit the file~~ Restart freeradius server: ~~Now you can stop the free radius server using the following command~~ sudo /etc/init.d/freeradius stop ~~sudo /etc/init.d/freeradius stop~~ Run freeradius in debugging mode. If there is no error, you are ready to go. sudo freeradius -X ~~sudo freeradius -X~~ Start the freeradius using the following command sudo /etc/init.d/freeradius start ~~sudo /etc/init.d/freeradius start~~ Test the radius server using the following command sudo radtest sqltest testpwd localhost 18128 testing123 Output as follows ~~sudo radtest sqltest testpwd localhost 18128 testing123~~ <pre> ~~Ouput as follows~~ Sending Access-Request of id 68 to 127.0.0.1 port 1812 User-Name = "sqltest" Line 204 ⟶ 161: Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=68, length=20 </pre> === Daloradius Installation === ~~You can download~~Download the Daloradius latest version ~~from here~~: wget https://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz tar xvfz daloradius-0.9-9.tar.gz mv daloradius-0.9-9 daloradius mv daloradius /var/www Change Permissions ~~Once you downloaded the daloradius-0.9-9.tar.gz file you need to extract using the following command~~ sudo chown www-data:www-data /var/www/daloradius -R sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php Mysql database need to setup for daloradius by importing the daloradius scheme into 'radius' database. ~~$ tar xvfz daloradius-0.9-9.tar.gz~~ cd ~~$ mv daloradius-0.9-9~~ /var/www/daloradius/contrib/db sudo mysql -u root $-p mvradius < mysql-daloradius.sql ~~/var/www~~ Configure the following daloradius setting: ~~Change Permissions~~ sudo nano /var/www/daloradius/library/daloradius.conf.php Change the database password ~~sudo chown www-data:www-data /var/www/daloradius -R~~ $configValues['CONFIG_DB_PASS'] = 'password'; ~~sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php~~ Now you need to configure daloradius website under ~~Mysql database need to setup for daloradius.We need to do is to import the daloradius scheme into our existing radius database.~~ sudo nano /etc/apache2/sites-available/daloradius.conf add the following lines ~~$ cd /var/www/daloradius/contrib/db~~ <pre> Alias /daloradius "/var/www/daloradius/" <Directory /var/www/daloradius/> sudo mysql -u root -p radius < mysql-daloradius.sql configure the following daloradius setting. sudo vi /var/www/daloradius/library/daloradius.conf.php Change the database password $configValues['CONFIG_DB_PASS'] = 'password'; Save and exit the file Now you need to configure daloradius website under /etc/apache2/sites-available Options None Order allow,deny allow from all </Directory> </pre> Enable and Activate daloradius website using the following command ~~sudo vi /etc/apache2/sites-available/daloradius.conf~~ sudo a2ensite daloradius sudo service apache2 reload Daloradius Web GUI ~~add the following lines~~ http://10.107.88.93/daloradius Use the following login details ~~Alias /daloradius "/var/www/daloradius/"~~ username: administrator password: radius === Troubleshooting Daloradius === ~~< Directory /var/www/daloradius/>~~ ~~Options None~~ ~~Order allow,deny~~ ~~allow from all~~ ~~< /Directory>~~ If you get permission denied error when importing schema: ~~Save and exit the file~~ <pre> aman@ubuntu:~$ mysql -u root -ppwd@123 radius < /etc/freeradius/sql/mysql/schema.sql -bash: /etc/freeradius/sql/mysql/schema.sql: Permission denied </pre> Copy the files to home dir & change the file owner: ~~Enable daloradius website using the following command~~ sudo cp /etc/freeradius/sql/mysql/schema.sql ~ sudo cp /etc/freeradius/sql/mysql/nas.sql ~ sudo chown aman:aman ~/.sql ~~sudo a2ensite daloradius~~ * If the page stops loading after login, and you get similar errors in apache error logs: ~~Enabling site daloradius.~~ <pre> [Sat Aug 05 20:10:51.734692 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Warning: include_once(DB.php): failed to open stream: No such file or directory in /var/www/daloradius/library/opendb.php on line 84, referer: http://10.107.88.93/daloradius/login.php [Sat Aug 05 20:10:51.734877 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Warning: include_once(): Failed opening 'DB.php' for inclusion (include_path='.:/usr/share/php') in /var/www/daloradius/library/opendb.php on line 84, referer: http://10.107.88.93/daloradius/login.php [Sat Aug 05 20:10:51.734988 2017] [:error] [pid 22226] [client 10.101.255.53:59948] PHP Fatal error: Uncaught Error: Class 'DB' not found in /var/www/daloradius/library/opendb.php:86\nStack trace:\n#0 /var/www/daloradius/dologin.php(49): include()\n#1 {main}\n thrown in /var/www/daloradius/library/opendb.php on line 86, referer: http://10.107.88.93/daloradius/login.php </pre> Check if all the dependencies are installed or not: ~~To activate the new configuration, you need to run:~~ php -m If DB is missing, install it: ~~sudo service apache2 reload~~ sudo pear install DB ~~Daloradius Web GUI~~ If above issue still persists, then the Problem is, i had PHP7.0 installed, but daloradius is only supported until 5.0 ~~you can access daloradius GUI using http://server-ip/daloradius and the login screen as follows~~ So we have to change the rules for syntax reading: Make Sure you got all necessary packages ~~Use the following login details~~ sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db pear install DB Change Syntax: cd /var/www/html/daloradius/library/ vim daloradius.conf.php -> CONFIG_DB_ENGINE auf "mysqli" # from mysql to mysqli vim opendb.php -> $dbSocket->query("SET GLOBAL sql_mode = '';"); #append this line at the end of the file Now we have to give the db-user freeradius super rights with: mysql -u root -p mysql> GRANT SUPER ON .* TO 'freeradius'@'localhost' IDENTIFIED BY 'password'; mysql> flush privileges; You might have to import a mysql schema with: cd /var/www/html/daloradius/contrib/db/ mysql -u root -p radius <mysql-daloradius.sql * If you get DB connection failed error: sudo nano /var/www/daloradius/library/daloradius.conf.php $configValues['CONFIG_DB_USER'] = 'root'; $configValues['CONFIG_DB_PASS'] = 'ppwd@123'; Saving the file will allow you in the Landing page. *If you happen to run into this issue rad_recv: Access-Reject packet from host 127.0.0.1 port 1812 Then edit the below file: sudo nano /etc/freeradius/sites-available/default ~ line 177 and uncomment sql <pre> # Look in an SQL database. The schema of the database # is meant to mirror the “users” file. # # See “Authorization Queries” in sql.conf sql </pre> = Troubleshooting = If you are unable to use radtest from other servers, check credentials for 0.0.0.0/0 in below file: sudo nano clients.conf == Debugging == sudo service freeradius stop sudo freeradius -X = Misc = Generating Access-Challenge requests: test@test-ubuntu:~$ sudo radtest '''-t eap-md5''' aman2 pwd123 10.107.88.93 0 testing123 Sending Access-Request packet to host 10.107.88.93 port 1812, id=46, length=0 User-Name = "aman2" User-Password = "pwd123" NAS-IP-Address = 10.107.88.68 NAS-Port = 0 Message-Authenticator = 0x00 EAP-Code = Response EAP-Type-Identity = 0x616d616e32 EAP-Message = 0x022d000a01616d616e32 Received Access-Challenge packet from host 10.107.88.93 port 1812, id=46, length=80 EAP-Message = 0x012e001604105b198df62a06f8e8b6f45c6e97221cbb Message-Authenticator = 0x85003a7abf1656a3064b38be08c17409 State = 0xa3a3b720a38db3e96a996e0bad7460b2 EAP-Id = 46 EAP-Code = Request EAP-Type-MD5-Challenge = 0x105b198df62a06f8e8b6f45c6e97221cbb Sending Access-Request packet to host 10.107.88.93 port 1812, id=47, length=87 User-Name = "aman2" User-Password = "pwd123" NAS-IP-Address = 10.107.88.68 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Code = Response EAP-Type-MD5-Challenge = 0x10c09519c41c4c2384e79a1242928c5f31 EAP-Id = 46 State = 0xa3a3b720a38db3e96a996e0bad7460b2 EAP-Message = 0x022e00160410c09519c41c4c2384e79a1242928c5f31 Received Access-Accept packet from host 10.107.88.93 port 1812, id=47, length=51 EAP-Message = 0x032e0004 Message-Authenticator = 0xfc73020acc54cd6b85a82c8f52c094f5 User-Name = "aman2" EAP-Id = 46 EAP-Code = Success Packet flow is as follows: 22:40:29.222278 IP 10.107.88.68.54216 > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2e length: 87 22:40:29.240517 IP ubuntu.radius > 10.107.88.68.54216: RADIUS, '''Access-Challenge''' (11), id: 0x2e length: 80 22:40:29.242083 IP 10.107.88.68.54216 > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2f length: 117 22:40:29.292782 IP ubuntu.radius > 10.107.88.68.54216: RADIUS, Access-Accept (2), id: 0x2f length: 51 Similar Packet capture file: [[Media:RADIUS2.cap\|RADIUS2]] Forcing EAP for a user: ~~username: administrator~~ {{UC}} ~~password: radius~~ Forcing just EAP {{UC}}