BAN - Solms
   

The following describes how to set up a RADIUS server on Debian Lenny 5.0.

Preparation

You should already have Apache 2 (with PHP) and MySQL up and running on your Debian server.

FreeRADIUS

Fetch FreeRADIUS and some tools:
root@ford:~ # apt-get install freeradius freeradius-mysql freeradius-utils

Let's start with something easy: a username and password in a plain file.
Change or set the shared RADIUS secret for localhost in /etc/freeradius/clients.conf:
client 127.0.0.1 {
        secret          = radiussecret
        nastype         = other         # localhost isn't usually a NAS...
}
Create a quick and dirty test user by adding the following to /etc/freeradius/users:
test Cleartext-Password := "testing"
Restart FreeRADIUS and test the account:
root@ford:~ # /etc/init.d/freeradius restart
root@ford:~ # radtest test testing 127.0.0.1 0 radiussecret
Sending Access-Request of id 186 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "testing"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=186, length=20
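
The radtest exchange above uses the shared secret from clients.conf in two places: to hide User-Password in the Access-Request and to authenticate the 20-byte Access-Accept. The following Python code is an added example (not part of the original page or of FreeRADIUS) that carries out both computations as defined in RFC 2865; the function names are illustrative and the fixed Request Authenticator is a constructed value.

```python
import hashlib
import hmac
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): XOR each 16-byte block with
    MD5(secret + previous ciphertext block); the first block uses req_auth."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the server does with its copy of the secret from clients.conf."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_accept(ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Attribute-less Access-Accept: 4-byte header + 16-byte Response Authenticator."""
    header = struct.pack("!BBH", 2, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_reply(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check: MD5(code+id+length + request authenticator + attrs + secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    # Constructed Request Authenticator (normally 16 random bytes); the id,
    # password and shared secret are the ones used in the radtest run above.
    req_auth = bytes(range(16))
    hidden = hide_password(b"testing", b"radiussecret", req_auth)
    print("User-Password on the wire:", hidden.hex())
    print("server recovers:", recover_password(hidden, b"radiussecret", req_auth))
    reply = access_accept(186, req_auth, b"radiussecret")
    print("reply length:", len(reply), "verified:", verify_reply(reply, req_auth, b"radiussecret"))
    print("wrong secret accepted:", verify_reply(reply, req_auth, b"wrongsecret"))
```

Both the password hiding and the reply check depend only on MD5 and the shared secret, so the value set in clients.conf is what protects the exchange between the NAS and the server.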

Edit /etc/freeradius/radiusd.conf and find and change the following settings; also add sql (it is used later):
bind_address = *
proxy_requests  = no
#$INCLUDE  ${confdir}/proxy.conf

authorize {
	preprocess
#	auth_log
#	attr_filter
	chap
	mschap
#	digest
#	IPASS
	suffix
#	ntdomain
	eap
	files
	sql
#	etc_smbpasswd
#	ldap
#	daily
#	checkval
}

authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

#	digest
#	pam
#	unix

#	Auth-Type LDAP {
#		ldap
#	}

	eap
}

preacct {
	preprocess
	acct_unique
#	IPASS
	suffix
#	ntdomain
	files
}

accounting {
	detail
#	daily
	unix
	sql
	radutmp
#	sradutmp
#	main_pool
#	pgsql-voip
}

session {
	radutmp
	sql
}
Create a test user by adding the following to /etc/freeradius/users:
test1   User-Password == "password1"
DEFAULT		Auth-Type := sql
		Fall-Through := 1
Comment out the following lines (we don't want to authenticate against the /etc/passwd file):
#DEFAULT	Auth-Type = System
#		Fall-Through = 1
Change or set the shared RADIUS secret for localhost in /etc/freeradius/clients.conf:
client 127.0.0.1 {
        secret          = radiussecret
        nastype         = other         # localhost isn't usually a NAS...
}
Restart FreeRADIUS and test the account:
root@ford:~ # /etc/init.d/freeradius restart
root@ford:~ # radtest test1 password1 127.0.0.1 0 radiussecret
Sending Access-Request of id 44 to 127.0.0.1:1812
        User-Name = "test1"
        User-Password = "password1"
        NAS-IP-Address = ford
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=44, length=20


You could add more users now or just leave things as they are.

FreeRADIUS and MySQL

Storing user information in a file can become quite boring after a while; it is much more fun to have all that (and lots more) in a MySQL database.
Create a database for RADIUS (enter your SQL root password when asked):
root@ford:~ # mysql -u root mysql -p
mysql> CREATE DATABASE radius;
mysql> quit
Then fill it from the SQL file shipped with FreeRADIUS (enter your SQL root password when asked):
root@ford:~ # zcat /usr/share/doc/freeradius/examples/db_mysql.sql.gz | mysql -u root radius -p

Grant access to the user radius@localhost (enter your SQL root password when asked):
root@ford:~ # mysql -u root -p
mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radiuspassword';
mysql> FLUSH PRIVILEGES;
mysql> quit;
You can easily verify through phpMyAdmin that tables nas, radacct etc. have been added to the radius database.

Now set the MySQL login name (radius) and password (radiuspassword) in the FreeRADIUS SQL configuration file /etc/freeradius/sql.conf. Find the following lines and change them accordingly:
        # Connect info
        server = "localhost"
        login = "radius"
        password = "radiuspassword"

Add an SQL test user (enter the radiuspassword when asked):
root@ford:~ # mysql -u radius radius -p
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('testsql', 'Password', 'passwordsql');
mysql> quit

Restart FreeRADIUS and test the account:
root@ford:~ # /etc/init.d/freeradius restart
root@ford:~ # radtest testsql passwordsql 127.0.0.1 0 radiussecret
Sending Access-Request of id 48 to 127.0.0.1:1812
        User-Name = "testsql"
        User-Password = "passwordsql"
        NAS-IP-Address = ford
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=48, length=20


FreeRADIUS and CopSpot

You must add a client or change the existing entry in /etc/freeradius/clients.conf:
client 192.168.1.1 {
        secret          = radiussecret
        short-name      = ipcop
}
Change the IP address to match the IPCop GREEN IP. Add CopSpot users either in /etc/freeradius/users or in the MySQL database.
Remember to restart FreeRADIUS if you change any of the config files.



I'll probably describe some more nice things that can be done in the future (when time permits).
 

  Last modified: 2009-10-19