This brief post shows you how to install FreeRadius on Linux / OpenBSD / FreeBSD with MySQL or MariaDB as the database. The Linux distributions covered are CentOS and Ubuntu.
FreeRadius is an open-source, free, fast, feature-rich, modular, and scalable Radius server. According to its official web site, many Fortune-500 companies and tier 1 ISPs are using FreeRadius as their AAA solution.
Install FreeRadius with MySQL / MariaDB
Run the commands as root / superuser.
CentOS
yum -y install freeradius freeradius-mysql
Ubuntu
apt-get install freeradius freeradius-mysql
OpenBSD
pkg_add -v freeradius freeradius-mysql
FreeBSD
pkg install freeradius
The FreeRadius configuration files ($freeradius_config) are located in the following directory:
CentOS: /etc/raddb/
Ubuntu: /etc/freeradius/
OpenBSD: /etc/raddb/
FreeBSD: /usr/local/etc/raddb/
Connect to MySQL / MariaDB to create the radius database:
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13411
Server version: 5.5.29-0ubuntu0.12.04.1 (Ubuntu)
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database radius;
mysql> grant all on radius.* to raduser@localhost identified by 'radpass';
mysql> flush privileges;
Import the MySQL database schema included under the “$freeradius_config/sql/mysql” folder.
# mysql -uroot -p radius < /etc/freeradius/sql/mysql/schema.sql
Edit the default file located under the $freeradius_config/sites-available/ directory to enable the ‘sql’ option.
It should look something like this:
authorize {
    preprocess
    auth_log
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    sql
    exec
}
session {
    radutmp
    sql
}
post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
Edit the sql.conf ($freeradius_config/sql.conf) file to match the database settings.
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    port = 3306
    login = "raduser"
    password = "radpass"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    # read_groups = yes
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = no
    nas_table = "nas"
    # Read driver-specific configuration
    $INCLUDE sql/${database}/dialup.conf
}
Using phpMyAdmin or an SQL command, insert a new row for a test user into the radcheck table, so that it looks like this:
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | testuser | Cleartext-Password | := | password |
+----+----------+--------------------+----+----------+
1 rows in set (0.00 sec)
Restart the FreeRadius service to read the new config.
# /etc/init.d/freeradius restart
 * Stopping FreeRADIUS daemon freeradius [ OK ]
 * Starting FreeRADIUS daemon freeradius [ OK ]
Now it is time to test the configuration using the “radtest” tool as follows:
# radtest testuser password localhost 1812 testing123
Sending Access-Request of id 49 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "password"
        NAS-IP-Address = 192.168.10.10
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=49, length=20
If you get Access-Accept as in the last line above, FreeRadius is now successfully configured and ready to process requests.
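The radtest exchange above at the packet level, as an added example that is not part of the original post or of FreeRadius: it shows how the shared secret (testing123) hides User-Password in the Access-Request and authenticates the 20-byte Access-Accept, following RFC 2865. The function names are hypothetical, the Request Authenticator is generated locally, and the NAS-IP-Address and NAS-Port attributes are omitted.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2           # RFC 2865 attribute types

def _keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """What the server does: undo hide_password with its copy of the shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], _keystream(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, req_auth):
    attrs = b""
    for atype, value in ((USER_NAME, user),
                         (USER_PASSWORD, hide_password(password, secret, req_auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(ident, secret, req_auth):
    """Attribute-free Access-Accept: 4-byte header + 16-byte Response Authenticator = 20."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(packet, secret, req_auth):
    """Client check: MD5(code+id+length+RequestAuth+attributes+secret) must match."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret, ra = b"testing123", os.urandom(16)   # secret and id 49 taken from the radtest run
    req = build_access_request(49, b"testuser", b"password", secret, ra)
    reply = build_access_accept(49, secret, ra)
    print(len(req), req.hex())
    print(len(reply), verify_response(reply, secret, ra), verify_response(reply, b"wrong", ra))
```
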