This brief post shows you how to install FreeRadius on Linux / OpenBSD / FreeBSD with MySQL or MariaDB as the database. The Linux distributions covered are CentOS and Ubuntu.
FreeRadius is an open-source, free, fast, feature-rich, modular, and scalable Radius server. According to its official web site, many Fortune-500 companies and tier 1 ISPs are using FreeRadius as their AAA solution.
Install FreeRadius with MySQL / MariaDB
Run the command for your platform as root / superuser:
CentOS
yum -y install freeradius freeradius-mysql
Ubuntu
apt-get install freeradius freeradius-mysql
OpenBSD
pkg_add -v freeradius freeradius-mysql
FreeBSD
pkg install freeradius
The FreeRadius configuration files are located in the following directory (referred to below as $freeradius_config):
CentOS: /etc/raddb/
Ubuntu: /etc/freeradius/
OpenBSD: /etc/raddb/
FreeBSD: /usr/local/etc/raddb/
Connect to MySQL / MariaDB and create the radius database:
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13411
Server version: 5.5.29-0ubuntu0.12.04.1 (Ubuntu)
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database radius;
mysql> grant all on radius.* to raduser@localhost identified by 'radpass';
mysql> flush privileges;
Import the MySQL database schema included under the “$freeradius_config/sql/mysql” folder:
# mysql -uroot -p radius < /etc/freeradius/sql/mysql/schema.sql
Edit the default file located under the $freeradius_config/sites-available/ directory to enable the ‘sql’ option.
It should look something like this:
authorize {
    preprocess
    auth_log
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    sql
    exec
}
session {
    radutmp
    sql
}
post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
Edit the sql.conf ($freeradius_config/sql.conf) file to match the database settings.
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    port = 3306
    login = "raduser"
    password = "radpass"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    # read_groups = yes
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = no
    nas_table = "nas"
    # Read driver-specific configuration
    $INCLUDE sql/${database}/dialup.conf
}
Using PhpMyAdmin or an SQL command, insert a new row into the radcheck table, like the one below:
mysql> select * from radcheck;
+----+--------------------------+--------------------+----+----------+
| id | username                 | attribute          | op | value    |
+----+--------------------------+--------------------+----+----------+
|  1 | testuser                 | Cleartext-Password | := | password |
+----+--------------------------+--------------------+----+----------+
1 rows in set (0.00 sec)
Restart the FreeRadius service to read the new config.
# /etc/init.d/freeradius restart
 * Stopping FreeRADIUS daemon freeradius [ OK ]
 * Starting FreeRADIUS daemon freeradius [ OK ]
Now it is time to test the configuration using the “radtest” tool as follows:
# radtest testuser password localhost 1812 testing123
Sending Access-Request of id 49 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "password"
	NAS-IP-Address = 192.168.10.10
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=49, length=20
If you get Access-Accept as in the last line above, FreeRadius is now successfully configured and ready to process requests.
