This guide shows how to install FreeRADIUS and daloRADIUS on CentOS 8 / RHEL 8. RADIUS, which stands for "Remote Authentication Dial-In User Service", is a network protocol used for remote user authentication and accounting. It provides AAA services, namely Authorization, Authentication, and Accounting.

FreeRADIUS is an open source, high-performance, scalable, modular and feature-rich RADIUS server. FreeRADIUS has support for request proxy, fail-over and load balancing, as well as access to various database backends.

Top Features of FreeRADIUS

  • Flexible Configuration through a wide range of methods to select user configurations.
  • Complete support for RFC 2865 and RFC 2866 attributes.
  • EAP with EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP, and Cisco LEAP EAP sub-types
  • Vendor Specific Attributes for almost one hundred vendors, including BinTec, Foundry, Cisco, Juniper, Lucent/Ascend, HP ProCurve, Microsoft, USR/3Com, Acc/Newbridge and many more.

Bringing daloRADIUS into the mix

daloRADIUS is an advanced RADIUS web management platform written in PHP and JavaScript. It is mainly aimed at managing Hotspots and general-purpose ISP deployments powered by FreeRADIUS server. Below are the key features of daloRADIUS:

  • Database abstraction layer with support for many database systems – MySQL, SQLite, PostgreSQL, MsSQL and Oracle
  • Advanced user management
  • Powerful graphical reporting and accounting
  • Integrates with GoogleMaps for geo-location
  • Has a billing engine

Follow the steps below to install FreeRADIUS and daloRADIUS on a CentOS 8 / RHEL 8 Linux system.

Step 1: Update your Server

Never trust a system that has not been updated. Update all installed packages by running the command below in the terminal.

sudo dnf -y update

Step 2: Install Apache and PHP

We’ll use Apache httpd server to host daloRADIUS on your system. Install both httpd and PHP packages with the following command.

sudo dnf module reset -y php
sudo dnf module install -y php:8.0
sudo dnf -y install php-{cli,curl,mysqlnd,devel,gd,pear,mbstring,xml,zip}
sudo pear install DB
sudo pear install MDB2

Check the version of PHP installed to confirm the installation was successful.

$ php -v
PHP 8.0.30 (cli) (built: Aug  3 2023 17:13:08) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.30, Copyright (c) Zend Technologies

Install apache web server:

sudo dnf -y install @httpd

Start and enable php-fpm and httpd services.

sudo systemctl enable --now httpd php-fpm

Let’s validate the start by checking status of the two services.

systemctl status httpd php-fpm

Allow http and https ports on the firewall.

sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload


Step 3: Install and Configure MariaDB

MariaDB must be installed first; we have a separate guide on installing the MariaDB database server on RHEL / CentOS 8.

After the installation, access mysql console as root user and create database/user for FreeRADIUS/daloRADIUS.

$ mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongradIusPass";
FLUSH PRIVILEGES;
\q

Step 4: Installing FreeRADIUS

FreeRADIUS packages are available in modular repository.

$ sudo dnf module list freeradius
Last metadata expiration check: 0:04:00 ago on Thu 10 Oct 2019 05:08:54 PM EAT.
CentOS-8 - AppStream
Name                      Stream                 Profiles                 Summary                                                                  
freeradius                3.0 [d]                server [d]               High-performance and highly configurable free RADIUS server              

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

To install, just run the command.

sudo dnf install -y @freeradius freeradius-utils freeradius-mysql

Start the service after installation.

sudo systemctl enable --now radiusd.service

Now you can check the status:

$ systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-11-23 01:53:42 UTC; 3s ago
  Process: 14781 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 14778 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 14732 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=0/SUCCESS)
  Process: 14731 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 14783 (radiusd)
    Tasks: 6 (limit: 22612)
   Memory: 77.8M
   CGroup: /system.slice/radiusd.service
           └─14783 /usr/sbin/radiusd -d /etc/raddb

Nov 23 01:53:41 rocky8.mylab.io sh[14769]:                   URI:http://www.example.com/example_ca.crl
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: Certificate is to be certified until Jan 22 01:53:41 2024 GMT (60 days)
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: Write out database with 1 new entries
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: Data Base Updated
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:'whatever' -passout pass:'whatever'
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: chmod g+r client.p12
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: openssl pkcs12 -in client.p12 -out client.pem -passin pass:'whatever' -passout pass:'whatever'
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: chmod g+r client.pem
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: cp client.pem '[email protected]'.pem
Nov 23 01:53:42 rocky8.mylab.io systemd[1]: Started FreeRADIUS high performance RADIUS server..

If the firewalld service is running, allow RADIUS traffic through it (HTTP was allowed in Step 2). The RADIUS server uses UDP ports 1812 and 1813.

sudo firewall-cmd --add-service=radius --permanent
sudo firewall-cmd --reload

Step 5: Configure FreeRADIUS

To configure FreeRADIUS to use MariaDB, follow the steps below.

1 – Import the RADIUS database schema to populate the radius database

sudo su -
mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

2 – Configure Radius

First you have to create a soft link for SQL under /etc/raddb/mods-enabled

sudo ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Edit the SQL module file /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:

sudo vi /etc/raddb/mods-available/sql
  • sql section should look similar to below.
sql {
        driver = "rlm_sql_mysql"
        dialect = "mysql"

        # Connection info:

        server = "localhost"
        port = 3306
        login = "radius"
        password = "StrongradIusPass"

        # Database table configuration for everything except Oracle

        radius_db = "radius"

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.
        read_clients = yes

        # Table to keep radius client info
        client_table = "nas"
}

Comment out the MySQL TLS settings; this setup connects to MariaDB on localhost without TLS.

 mysql {
                # If any of the files below are set, TLS encryption is enabled
#               tls {
#                       ca_file = "/etc/ssl/certs/my_ca.crt"
#                       ca_path = "/etc/ssl/certs/"
#                       certificate_file = "/etc/ssl/certs/private/client.crt"
#                       private_key_file = "/etc/ssl/certs/private/client.key"
#                       cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
#
#                       tls_required = yes
#                       tls_check_cert = no
#                       tls_check_cert_cn = no
#               }
 }

Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:

sudo chgrp -h radiusd /etc/raddb/mods-enabled/sql

Restart radiusd service

sudo systemctl restart radiusd

Step 6: Install and Configure Daloradius (Optional)

You can use Daloradius to manage radius server from a web interface. This is an optional configuration which you can select depending on your use case.

Download the daloRADIUS code from GitHub.

sudo yum -y install git vim
git clone https://github.com/lirantal/daloradius.git

Import Daloradius mysql tables

mysql -u root -p radius < daloradius/contrib/db/fr3-mariadb-freeradius.sql
mysql -u root -p radius < daloradius/contrib/db/mariadb-daloradius.sql

Move the daloradius folder to /var/www

sudo mv daloradius /var/www/

Then create the daloRADIUS configuration file from the sample and give the apache user ownership of the daloRADIUS directory.

cd /var/www/daloradius/app/common/includes/
sudo cp daloradius.conf.php.sample daloradius.conf.php
sudo chown -R apache:apache /var/www/daloradius/

Now edit the daloradius.conf.php file to set the MySQL database information.

sudo vim daloradius.conf.php

Set database name, user and password for connection.

$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongradIusPass';
$configValues['CONFIG_DB_NAME'] = 'radius';
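
Both the FreeRADIUS sql module and daloradius.conf.php now hold the database password. The script below is an added example, not part of the original guide or of either project: it reads the password from each file and reports use of this guide's sample value, world-readable permissions, and a mismatch between the two files. The function names and the sample files built by make_sample are constructed for illustration, and stat -c assumes Linux.

```sh
#!/bin/sh
# Added example: audit the two files where this guide stores the MariaDB password.
# Assumes GNU/busybox stat (Linux). File contents in make_sample are constructed.
SAMPLE_PASS='StrongradIusPass'      # placeholder password printed in the guide

# Value of <key> in a FreeRADIUS "key = value" file; commented lines are skipped.
raddb_value() {                     # raddb_value <file> <key>
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        match($0, "^[ \t]*" k "[ \t]*=[ \t]*") {
            v = substr($0, RLENGTH + 1)
            sub(/[ \t]*$/, "", v); gsub(/^"|"$/, "", v)
            print v; exit
        }' "$1"
}

# Value of $configValues['<KEY>'] in daloradius.conf.php.
dalo_value() {                      # dalo_value <file> <KEY>
    awk -F"'" -v k="$2" '$1 ~ /^[ \t]*\$configValues\[$/ && $2 == k { print $4; exit }' "$1"
}

# Print one line per finding for <file>; return the number of findings.
audit_file() {                      # audit_file <file> <password>
    n=0
    [ -n "$2" ] || { echo "FAIL $1: no password setting found"; n=$((n + 1)); }
    [ "$2" != "$SAMPLE_PASS" ] || { echo "FAIL $1: uses the guide's sample password"; n=$((n + 1)); }
    case "$(stat -c %a "$1")" in
        *[4567]) echo "FAIL $1: readable by every local user"; n=$((n + 1)) ;;
    esac
    return "$n"
}

audit_deployment() {                # audit_deployment <sql-module> <daloradius.conf.php>
    rad_pw=$(raddb_value "$1" password); dalo_pw=$(dalo_value "$2" CONFIG_DB_PASS)
    total=0
    audit_file "$1" "$rad_pw"  || total=$((total + $?))
    audit_file "$2" "$dalo_pw" || total=$((total + $?))
    [ "$rad_pw" = "$dalo_pw" ] || { echo "FAIL: the two files hold different passwords"; total=$((total + 1)); }
    return "$total"
}

# Constructed sample: both files with the guide's password and typical modes.
make_sample() {                     # make_sample <dir>
    printf 'sql {\n\t# password = "radpass"\n\tlogin = "radius"\n\tpassword = "%s"\n}\n' "$SAMPLE_PASS" > "$1/sql"
    printf "\$configValues['CONFIG_DB_USER'] = 'radius';\n\$configValues['CONFIG_DB_PASS'] = '%s';\n" "$SAMPLE_PASS" > "$1/daloradius.conf.php"
    chmod 640 "$1/sql"; chmod 644 "$1/daloradius.conf.php"
}

# Audit real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_deployment "$1" "$2"; fi
```

Run it as root with the two real paths, /etc/raddb/mods-available/sql and /var/www/daloradius/app/common/includes/daloradius.conf.php; the exit status is the number of findings.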

To be sure everything works, restart radiusd and httpd services.

sudo systemctl restart radiusd.service httpd
systemctl status radiusd.service httpd

There should be no errors in the service status output.

Create extra directories required.

cd /var/www/daloradius/
sudo mkdir -p var/{log,backup}
sudo chown -R apache:apache var

Install the PHP modules below.

sudo pear install DB
sudo pear install MDB2

Configure Apache web server

Configure Apache to listen on port 80 and port 8000

$ sudo vim /etc/httpd/conf/httpd.conf
Listen 80
Listen 8000

Configure virtual host for operators module:

sudo tee /etc/httpd/conf.d/operators.conf<<EOF
<VirtualHost *:8000>
    ServerAdmin operators@localhost
    DocumentRoot /var/www/daloradius/app/operators

    <Directory /var/www/daloradius/app/operators>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/daloradius>
        Require all denied
    </Directory>

    ErrorLog /var/log/httpd/daloradius/operators/error.log
    CustomLog /var/log/httpd/daloradius/operators/access.log combined
</VirtualHost>
EOF

Next we create virtual host for users:

sudo tee /etc/httpd/conf.d/users.conf<<EOF
<VirtualHost *:80>
    ServerAdmin users@localhost
    DocumentRoot /var/www/daloradius/app/users

    <Directory /var/www/daloradius/app/users>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/daloradius>
        Require all denied
    </Directory>

    ErrorLog /var/log/httpd/daloradius/users/error.log
    CustomLog /var/log/httpd/daloradius/users/access.log combined
</VirtualHost>
EOF

Create directories that will store log files.

sudo mkdir -p /var/log/httpd/daloradius/{operators,users}

Disable default Apache web server welcome page.

sudo rm /etc/httpd/conf.d/welcome.conf

If you have SELinux active, label directories accordingly.

sudo yum -y install policycoreutils-python-utils
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/daloradius(/.*)?"
sudo restorecon -Rv /var/www/daloradius

If SELinux is enforcing, add a label to port 8000 for use by httpd.

sudo semanage port -m -t http_port_t -p tcp 8000

Check if applied correctly.

# semanage port -l | grep -w http_port_t
http_port_t                    tcp      8000, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Allow ports access from the firewall.

sudo firewall-cmd --add-service={http,https,radius} --permanent
sudo firewall-cmd --add-port=8000/tcp --permanent
sudo firewall-cmd --reload

Restart the services to ensure everything is working.

sudo systemctl restart httpd radiusd.service

The status of your services can be checked using systemctl:

systemctl status httpd radiusd

Now access daloradius with below URLs.

  • RADIUS management application: http://<ip>:8000/
  • RADIUS user portal application: http://<ip>

[Screenshot: example of the RADIUS management application portal interface]

The default login details are:

Username: administrator
Password: radius
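
The operators virtual host configured earlier grants access to every client, and the firewall step opens port 8000 to all sources, so this login page is reachable from any address. As an added example (not part of the original guide or of daloRADIUS), the function below renders the same virtual host with Require ip limited to management networks. The function names and the 192.0.2.0/24 network in the comment are placeholders.

```sh
#!/bin/sh
# Added example: render the guide's operators vhost with access limited to
# management networks. Example call: render_operators_vhost 192.0.2.0/24

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_net() {                  # valid_ipv4_net <addr[/prefix]>
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# Print the vhost to stdout; refuse to render if any network is malformed.
render_operators_vhost() {          # render_operators_vhost <net> [<net> ...]
    [ "$#" -gt 0 ] || { echo "need at least one management network" >&2; return 2; }
    for net in "$@"; do
        valid_ipv4_net "$net" || { echo "bad network: $net" >&2; return 2; }
    done
    cat <<EOF
<VirtualHost *:8000>
    ServerAdmin operators@localhost
    DocumentRoot /var/www/daloradius/app/operators

    <Directory /var/www/daloradius/app/operators>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require ip $*
    </Directory>

    <Directory /var/www/daloradius>
        Require all denied
    </Directory>

    ErrorLog /var/log/httpd/daloradius/operators/error.log
    CustomLog /var/log/httpd/daloradius/operators/access.log combined
</VirtualHost>
EOF
}

# Render when networks are given on the command line.
if [ "$#" -gt 0 ]; then render_operators_vhost "$@"; fi
```

Write the output to /etc/httpd/conf.d/operators.conf in place of the earlier file, then run sudo apachectl configtest before restarting httpd.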

[Screenshot: daloRADIUS management UI dashboard]

Enjoy using FreeRADIUS and daloRADIUS.
