This guide will discuss how to install FreeRADIUS and daloRADIUS on Debian Linux. RADIUS is a network protocol used for remote user authentication, authorization and accounting. FreeRADIUS is an open source RADIUS server commonly used on Linux, Unix and embedded systems.

daloRADIUS is a web-based RADIUS management tool written in PHP. It was created to ease the management and administration of RADIUS servers and hotspot devices (NAS). It comes with graphical reporting, accounting, billing and advanced user management features.

The next steps will help you install and configure both FreeRADIUS and daloRADIUS on Debian Linux.

Step 1: Update your Server

Update your package index by running the command:

sudo apt -y update

Step 2: Install Database Server

We’ll be using MariaDB but any other supported database server can be used. Install MariaDB by running the following commands.

curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s --
sudo apt install mariadb-server mariadb-client

Once installed, create a database and user for FreeRADIUS/daloRADIUS.

$ sudo mariadb -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongradIusPass";
FLUSH PRIVILEGES;
\q

Confirm that the radius database user can access the database it was granted.

$ mariadb -u radius -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 11.4.2-MariaDB-deb12 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| radius             |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> QUIT
Bye

Step 3: Install Apache and PHP

We’ll use Apache httpd server to host daloRADIUS on Debian Linux system. Install both httpd and PHP packages with the following command.

sudo apt -y install apache2
sudo apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,mbstring,xml,curl}

Check the version of PHP installed to confirm the installation was successful.

$ php -v
PHP 8.2.20 (cli) (built: Jun 17 2024 13:33:14) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.20, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.20, Copyright (c), by Zend Technologies

Confirm that Apache started by checking the status of the service.

systemctl status apache2

Allow the http and https ports on the firewall if ufw is enabled.

sudo ufw allow http
sudo ufw allow https

Step 4: Installing FreeRADIUS

FreeRADIUS packages are available on default Debian repositories. There is no special pre-requisite for this installation.

To install, just run the command.

sudo apt -y install vim freeradius freeradius-mysql freeradius-utils

Start the service after installation.

sudo systemctl enable --now freeradius.service 

Now you can check the status:

$ systemctl status freeradius
● freeradius.service - FreeRADIUS multi-protocol policy server
     Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-08-03 11:33:56 UTC; 8s ago
       Docs: man:radiusd(8)
             man:radiusd.conf(5)
             http://wiki.freeradius.org/
             http://networkradius.com/doc/
   Main PID: 14308 (freeradius)
     Status: "Processing requests"
      Tasks: 6 (limit: 4531)
     Memory: 78.3M (limit: 2.0G)
        CPU: 653ms
     CGroup: /system.slice/freeradius.service
             └─14308 /usr/sbin/freeradius -f

Aug 03 11:33:57 deb12 freeradius[14351]: Compiling Auth-Type CHAP for attr Auth-Type
Aug 03 11:33:57 deb12 freeradius[14351]: Compiling Auth-Type MS-CHAP for attr Auth-Type
Aug 03 11:33:57 deb12 freeradius[14351]:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Aug 03 11:33:57 deb12 freeradius[14351]: Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Aug 03 11:33:57 deb12 freeradius[14351]: radiusd: #### Skipping IP addresses and Ports ####
Aug 03 11:33:57 deb12 freeradius[14351]: Configuration appears to be OK
Aug 03 11:33:57 deb12 systemd[1]: Reloaded freeradius.service - FreeRADIUS multi-protocol policy server.
.......

Step 5: Configure FreeRADIUS

To configure FreeRADIUS to use MariaDB, follow the steps below.

1 – Import the RADIUS database schema to populate the radius database

sudo su -
mariadb -u root -p radius < /etc/freeradius/*/mods-config/sql/main/mysql/schema.sql
exit

2 – Configure Radius

First you have to create a soft link for SQL module.

sudo ln -s /etc/freeradius/*/mods-available/sql /etc/freeradius/*/mods-enabled/

Configure the SQL module by changing the database connection parameters to suit your environment:

sudo vim /etc/freeradius/*/mods-enabled/sql
  • The sql section should look similar to the following. The read_clients and client_table settings belong inside the same sql block.

sql {
dialect = "mysql"

driver = "rlm_sql_mysql"

# Connection info:

server = "localhost"
port = 3306
login = "radius"
password = "StrongradIusPass"

# Database table configuration for everything except Oracle

radius_db = "radius"

# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
read_clients = yes

# Table to keep radius client info
client_table = "nas"
}

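Disable the MySQL TLS connection by leaving the tls section commented out. The database runs on localhost in this setup, so the connection does not cross the network.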

        mysql {
                # If any of the files below are set, TLS encryption is enabled
#               tls {
#                       ca_file = "/etc/ssl/certs/my_ca.crt"
#                       ca_path = "/etc/ssl/certs/"
#                       certificate_file = "/etc/ssl/certs/private/client.crt"
#                       private_key_file = "/etc/ssl/certs/private/client.key"
#                       cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
#
#                       tls_required = no
#                       tls_check_cert = no
#                       tls_check_cert_cn = no
#               }

                # If yes, (or auto and libmysqlclient reports warnings are
                # available), will retrieve and log additional warnings from
                # the server if an error has occured. Defaults to 'auto'
                warnings = auto
        }

Then change the group and ownership of the SQL module file:

sudo chgrp -h freerad /etc/freeradius/*/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/*/mods-enabled/sql

Restart the FreeRADIUS service:

sudo systemctl restart freeradius

Step 6: Install and Configure Daloradius

You can use daloRADIUS to manage the RADIUS server from a web interface. This is an optional configuration which you can select depending on your use case.

Clone the daloRADIUS repository from GitHub using the git command line tool.

sudo apt -y install git
git clone https://github.com/lirantal/daloradius.git

Configuring daloradius

  • Import the daloRADIUS MySQL tables with the following commands executed in the terminal.

sudo mariadb -u root -p radius < daloradius/contrib/db/fr3-mariadb-freeradius.sql
sudo mariadb -u root -p radius < daloradius/contrib/db/mariadb-daloradius.sql

  • Configure daloRADIUS database connection details. First move the cloned directory to /var/www/:

sudo mv daloradius /var/www/

Create configuration file and set correct directory permissions.

cd /var/www/daloradius/app/common/includes/
sudo cp daloradius.conf.php.sample daloradius.conf.php
sudo chown www-data:www-data daloradius.conf.php

Then modify the daloradius.conf.php and adjust MySQL database information.

sudo vim daloradius.conf.php

Set database user, database name, and password.

$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongradIusPass';
$configValues['CONFIG_DB_NAME'] = 'radius';

Create var directory and its subdirectories, then change their ownership:

cd /var/www/daloradius/
sudo mkdir -p var/{log,backup}
sudo chown -R www-data:www-data var
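
Both the FreeRADIUS sql module file from Step 5 and daloradius.conf.php now hold the database password in cleartext, and a file created with sudo cp under the usual 022 umask stays readable by every local account. The script below is an added example, not part of the original guide or of either project: it flags such files when they are world-readable, world-writable, or still contain this guide's sample password. The function names and output labels are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Audits files that hold the RADIUS database password in cleartext.
# SAMPLE_PW is the sample password printed in this guide.
SAMPLE_PW='StrongradIusPass'

# audit_secret_file FILE
# Prints one finding per line. Returns 0 if clean, 1 on any finding,
# 2 if FILE does not exist.
audit_secret_file() {
    asf_rc=0
    if [ ! -e "$1" ]; then
        echo "MISSING $1"
        return 2
    fi
    # -L follows the mods-enabled symlink to the real file in mods-available.
    # -perm -004: readable by "other", so any local account can read the password.
    if [ -n "$(find -L "$1" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
        echo "WORLD-READABLE $1"
        asf_rc=1
    fi
    # -perm -002: writable by "other", so any local account can change the settings.
    if [ -n "$(find -L "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
        echo "WORLD-WRITABLE $1"
        asf_rc=1
    fi
    # The published sample password is still in place.
    if grep -qF -- "$SAMPLE_PW" "$1" 2>/dev/null; then
        echo "SAMPLE-PASSWORD $1"
        asf_rc=1
    fi
    return "$asf_rc"
}

# audit_all FILE...: audit every file, return 1 if any of them is not clean.
audit_all() {
    all_rc=0
    for all_f in "$@"; do
        audit_secret_file "$all_f" || all_rc=1
    done
    return "$all_rc"
}

# Usage (paths as used in this guide on Debian 12):
#   sudo sh audit.sh /etc/freeradius/3.0/mods-enabled/sql \
#       /var/www/daloradius/app/common/includes/daloradius.conf.php
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

A WORLD-READABLE finding is cleared by tightening the file mode (for example to 640 with the service account as owner), and a SAMPLE-PASSWORD finding by setting a new password in MariaDB and in both files.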

Configure Apache web server

Configure Apache web server to listen on ports 80 and 8000, and on port 443 when an SSL module is loaded.

sudo tee /etc/apache2/ports.conf<<EOF
Listen 80
Listen 8000

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
EOF

Create Apache Virtual host file for operators:

sudo tee /etc/apache2/sites-available/operators.conf<<EOF
<VirtualHost *:8000>
    ServerAdmin operators@localhost
    DocumentRoot /var/www/daloradius/app/operators

    <Directory /var/www/daloradius/app/operators>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/daloradius>
        Require all denied
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/daloradius/operators/error.log
    CustomLog \${APACHE_LOG_DIR}/daloradius/operators/access.log combined
</VirtualHost>
EOF

Also create one virtual host for Daloradius users:

sudo tee /etc/apache2/sites-available/users.conf<<EOF
<VirtualHost *:80>
    ServerAdmin users@localhost
    DocumentRoot /var/www/daloradius/app/users

    <Directory /var/www/daloradius/app/users>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/daloradius>
        Require all denied
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/daloradius/users/error.log
    CustomLog \${APACHE_LOG_DIR}/daloradius/users/access.log combined
</VirtualHost>
EOF

Enable created virtual hosts using a2ensite command line tool.

sudo a2ensite users.conf operators.conf

Create directories for storing logs.

sudo mkdir -p /var/log/apache2/daloradius/{operators,users}

We don’t need default virtual host enabled on the system.

sudo a2dissite 000-default.conf

With all configurations done we can restart Apache web server and Freeradius.

sudo systemctl restart apache2 freeradius

Confirm services are running without errors.

$ systemctl status apache2 freeradius
apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-08-03 11:40:43 UTC; 3s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 17080 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 17085 (apache2)
      Tasks: 6 (limit: 4531)
     Memory: 16.1M
        CPU: 137ms
     CGroup: /system.slice/apache2.service
             ├─17085 /usr/sbin/apache2 -k start
             ├─17086 /usr/sbin/apache2 -k start
             ├─17087 /usr/sbin/apache2 -k start
             ├─17088 /usr/sbin/apache2 -k start
             ├─17089 /usr/sbin/apache2 -k start
             └─17090 /usr/sbin/apache2 -k start

Aug 03 19:38:27 deb12 systemd[1]: Starting apache2.service - The Apache HTTP Server...
Aug 03 19:38:27 deb12 systemd[1]: Started apache2.service - The Apache HTTP Server.

 freeradius.service - FreeRADIUS multi-protocol policy server
     Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-08-03 11:40:43 UTC; 3s ago
       Docs: man:radiusd(8)
             man:radiusd.conf(5)
             http://wiki.freeradius.org/
             http://networkradius.com/doc/
    Process: 17076 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout (code=exited, status=0/SUCCESS)
   Main PID: 17091 (freeradius)
     Status: "Processing requests"
      Tasks: 6 (limit: 4531)
     Memory: 78.5M (limit: 2.0G)
        CPU: 438ms
     CGroup: /system.slice/freeradius.service
             └─17091 /usr/sbin/freeradius -f

Aug 03 11:40:42 deb12 freeradius[14795]: Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Aug 03 11:40:42 deb12 freeradius[14795]: Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
Aug 03 11:40:42 deb12 freeradius[14795]: Compiling Auth-Type PAP for attr Auth-Type
Aug 03 11:40:42 deb12 freeradius[14795]: Compiling Auth-Type CHAP for attr Auth-Type
Aug 03 11:40:42 deb12 freeradius[14795]: Compiling Auth-Type MS-CHAP for attr Auth-Type
Aug 03 11:40:42 deb12 freeradius[14795]:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Aug 03 11:40:42 deb12 freeradius[14795]: Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Aug 03 11:40:42 deb12 freeradius[14795]: radiusd: #### Skipping IP addresses and Ports ####
Aug 03 11:40:42 deb12 freeradius[14795]: Configuration appears to be OK
Aug 03 11:40:43 deb12 systemd[1]: Started freeradius.service - FreeRADIUS multi-protocol policy server.
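
The two virtual hosts created above use Require all granted and carry no TLS configuration, so the operator login on port 8000 is reachable by any client over plain HTTP. The check below is an added example, not part of the original guide: it reports every VirtualHost block that grants access to all clients and does not set SSLEngine on. The function name is made up for this example, and the check assumes that a vhost without SSLEngine on is served over plain HTTP.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Flags Apache virtual hosts that grant access to every client without TLS.

# audit_vhosts FILE...
# Prints one line per offending <VirtualHost>; returns 1 if any was found.
audit_vhosts() {
    awk '
    /^[ \t]*#/ { next }                          # ignore commented-out lines
    tolower($1) ~ /^<virtualhost/ {              # new vhost: reset per-vhost state
        addr = $2; sub(/>$/, "", addr); tls = 0; anyone = 0
    }
    tolower($1) == "sslengine" && tolower($2) == "on" { tls = 1 }
    tolower($0) ~ /require[ \t]+all[ \t]+granted/ { anyone = 1 }
    tolower($1) ~ /^<\/virtualhost/ {            # end of vhost: evaluate it
        if (anyone && !tls) {
            print FILENAME ": " addr " serves all clients over plain HTTP"
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Usage: sh audit_vhosts.sh /etc/apache2/sites-enabled/*.conf
if [ "$#" -gt 0 ]; then
    audit_vhosts "$@"
fi
```

For the operators site, replacing Require all granted with a Require ip line for the administrators' network and serving the site from a TLS-enabled virtual host clears the finding.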

Step 7: Access daloRADIUS Web Interface

Install DB and MDB2 modules:

sudo pear install DB
sudo pear install MDB2
cd ~/

Access the service on the following URLs:

  • RADIUS management application: http://<ip>:8000/
  • RADIUS user portal application: http://<ip>

Default login details are below; change the password after the first login.

Username: administrator
Password: radius

Enjoy using Freeradius and Daloradius on Debian Linux.

5 COMMENTS

  1. Hi,

    I got a problem:

    sudo ln -s /etc/freeradius/*/mods-available/sql /etc/freeradius/*/mods-enabled/

    ln: failed to create symbolic link ‘/etc/freeradius/*/mods-enabled/’: No such file or directory

    • I mike

      Try only
      ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
      or
      ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/
