I want to Install FreeRADIUS and Daloradius on CentOS 8 / RHEL 8?. RADIUS, which stands for “Remote Authentication Dial-In User Service“, is a network protocol used for remote user authentication and accounting. It provides AAA services; namely Authorization, Authentication, and Accounting.
FreeRADIUS is an open source, high-performance, scalable, modular and feature-rich RADIUS server. FreeRADIUS has support for request proxy, fail-over and load balancing, as well as access to various database backends.
Top Features of FreeRADIUS
- Flexible Configuration through a wide range of methods to select user configurations.
- Complete support for RFC 2865 and RFC 2866 attributes.
- EAP with EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP, and Cisco LEAP EAP sub-types
- Vendor Specific Attributes for almost one hundred vendors, including BinTec, Foundry, Cisco, Juniper, Lucent/Ascend, HP ProCurve, Microsoft, USR/3Com, Acc/Newbridge and many more.
Bringing daloRADIUS into the mix
daloRADIUS is an advanced RADIUS web management platform written in PHP and JavaScript. It is mainly aimed at managing Hotspots and general-purpose ISP deployments powered by FreeRADIUS server. Below are the key features of daloRADIUS:
- Database abstraction layer with support for many database systems – MySQL, SQLite, PostgreSQL, MsSQL and Oracle
- Advanced user management
- Powerful graphical reporting and accounting
- Integrates with GoogleMaps for geo-location
- Has a billing engine
Follow the next steps discussed to install FreeRADIUS and daloRADIUS on CentOS 8 / RHEL 8 Linux system.
Step 1: Update your Server
Never trust a system not updated. All installed packages can be updated by executing below command in the terminal.
sudo dnf -y updateStep 2: Install Apache and PHP
We’ll use Apache httpd server to host daloRADIUS on your system. Install both httpd and PHP packages with the following command.
sudo dnf module reset -y php
sudo dnf module reset -y php && sudo dnf module install -y php:8.0
sudo dnf -y install php-{cli,curl,mysqlnd,devel,gd,pear,mbstring,xml,pear,zip}
sudo pear install DB
sudo pear install MDB2Check the version of PHP installed to confirm the installation was successful.
$ php -v
PHP 8.0.30 (cli) (built: Aug 3 2023 17:13:08) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.30, Copyright (c) Zend TechnologiesInstall apache web server:
sudo dnf -y install @httpdStart and enable php-fpm and httpd services.
sudo systemctl enable --now httpd php-fpmLet’s validate the start by checking status of the two services.
systemctl status httpd php-fpmAllow http and https ports on the firewall.
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reloadReference for Apache httpd installation:
Step 3: Install and Configure MariaDB
We have a separate guide on installation of MariaDB database server on RHEL / CentOS 8. Refer to it using the link below.
After the installation, access mysql console as root user and create database/user for FreeRADIUS/daloRADIUS.
$ mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongradIusPass";
FLUSH PRIVILEGES;
\qStep 4: Installing FreeRADIUS
FreeRADIUS packages are available in modular repository.
$ sudo dnf module list freeradius
Last metadata expiration check: 0:04:00 ago on Thu 10 Oct 2019 05:08:54 PM EAT.
CentOS-8 - AppStream
Name Stream Profiles Summary
freeradius 3.0 [d] server [d] High-performance and highly configurable free RADIUS server
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalledTo install, just run the command.
sudo dnf install -y @freeradius freeradius-utils freeradius-mysqlStart the service after installation.
sudo systemctl enable --now radiusd.serviceNow you can check the status:
$ systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2023-11-23 01:53:42 UTC; 3s ago
Process: 14781 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
Process: 14778 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
Process: 14732 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=0/SUCCESS)
Process: 14731 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
Main PID: 14783 (radiusd)
Tasks: 6 (limit: 22612)
Memory: 77.8M
CGroup: /system.slice/radiusd.service
└─14783 /usr/sbin/radiusd -d /etc/raddb
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: URI:http://www.example.com/example_ca.crl
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: Certificate is to be certified until Jan 22 01:53:41 2024 GMT (60 days)
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: Write out database with 1 new entries
Nov 23 01:53:41 rocky8.mylab.io sh[14769]: Data Base Updated
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:'whatever' -passout pass:'whatever'
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: chmod g+r client.p12
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: openssl pkcs12 -in client.p12 -out client.pem -passin pass:'whatever' -passout pass:'whatever'
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: chmod g+r client.pem
Nov 23 01:53:41 rocky8.mylab.io sh[14741]: cp client.pem '[email protected]'.pem
Nov 23 01:53:42 rocky8.mylab.io systemd[1]: Started FreeRADIUS high performance RADIUS server..If you have Firewalld service running, allow radius and http traffic in and out. Radius server uses udp ports 1812 and 1813.
sudo firewall-cmd --add-service=radius --permanent
sudo firewall-cmd --reloadStep 5: Configure FreeRADIUS
To Configure FreeRADIUS to use MariaDB, follow steps below.
1 – Import the Radius database scheme to populate radius database
sudo su -
mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql2 – Configure Radius
First you have to create a soft link for SQL under /etc/raddb/mods-enabled
sudo ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/Configure SQL module /raddb/mods-available/sql and change the database connection parameters to suite your environment:
sudo vi /etc/raddb/mods-available/sql- sql section should look similar to below.
sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "StrongradIusPass"
# Database table configuration for everything except Oracle
radius_db = "radius"
}
# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes
# Table to keep radius client info
client_table = "nas"Comment MySQL SSL settings.
mysql {
# If any of the files below are set, TLS encryption is enabled
# tls {
# ca_file = "/etc/ssl/certs/my_ca.crt"
# ca_path = "/etc/ssl/certs/"
# certificate_file = "/etc/ssl/certs/private/client.crt"
# private_key_file = "/etc/ssl/certs/private/client.key"
# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
#
# tls_required = yes
# tls_check_cert = no
# tls_check_cert_cn = no
# }Then change group right of /etc/raddb/mods-enabled/sql to radiusd:
sudo chgrp -h radiusd /etc/raddb/mods-enabled/sql
Restart radiusd service
sudo systemctl restart radiusdStep 6: Install and Configure Daloradius (Optional)
You can use Daloradius to manage radius server from a web interface. This is an optional configuration which you can select depending on your use case.
Download daloradius code from Github.
sudo yum -y install git vim
git clone https://github.com/lirantal/daloradius.gitImport Daloradius mysql tables
mysql -u root -p radius < daloradius/contrib/db/fr3-mariadb-freeradius.sql
mysql -u root -p radius < daloradius/contrib/db/mariadb-daloradius.sqlMove daloradius folder to path in /var/www/html
sudo mv daloradius /var/www/Then change permissions for http folder and set the right permissions for daloradius configuration file.
cd /var/www/daloradius/app/common/includes/
sudo cp daloradius.conf.php.sample daloradius.conf.php
sudo chown -R apache:apache /var/www/daloradius/You should now modify daloradius.conf.php file to adjust the MySQL database information .
sudo vim daloradius.conf.phpSet database name, user and password for connection.
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongradIusPass';
$configValues['CONFIG_DB_NAME'] = 'radius';To be sure everything works, restart radiusd and httpd services.
sudo systemctl restart radiusd.service httpd
systemctl status radiusd.service httpdThere should be no error is service status output:
Create extra directories required.
cd /var/www/daloradius/
sudo mkdir -p var/{log,backup}
sudo chown -R apache:apache varInstall below PHP modules.
sudo pear install DB
sudo pear install MDB2Configure Apache web server
Configure Apache to listen on port 80 and port 8000
$ sudo vim /etc/httpd/conf/httpd.conf
Listen 80
Listen 8000Configure virtual host for operators module:
sudo tee /etc/httpd/conf.d/operators.conf<<EOF
<VirtualHost *:8000>
ServerAdmin operators@localhost
DocumentRoot /var/www/daloradius/app/operators
<Directory /var/www/daloradius/app/operators>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/daloradius>
Require all denied
</Directory>
ErrorLog /var/log/httpd/daloradius/operators/error.log
CustomLog /var/log/httpd/daloradius/operators/access.log combined
</VirtualHost>
EOFNext we create virtual host for users:
sudo tee /etc/httpd/conf.d/users.conf<<EOF
<VirtualHost *:80>
ServerAdmin users@localhost
DocumentRoot /var/www/daloradius/app/users
<Directory /var/www/daloradius/app/users>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/daloradius>
Require all denied
</Directory>
ErrorLog /var/log/httpd/daloradius/users/error.log
CustomLog /var/log/httpd/daloradius/users/access.log combined
</VirtualHost>
EOFCreate directories that will store log files.
sudo mkdir -p /var/log/httpd/daloradius/{operators,users}Disable default Apache web server welcome page.
sudo rm /etc/httpd/conf.d/welcome.confIf you have SELinux active, label directories accordingly.
sudo yum -y install policycoreutils-python-utils
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/daloradius(/.*)?"
sudo restorecon -Rv /var/www/daloradiusIf SELinux is enforcing add label to port 8000 for use by httpd.
sudo semanage port -m -t http_port_t -p tcp 8000Check if applied correctly.
# semanage port -l | grep -w http_port_t
http_port_t tcp 8000, 80, 81, 443, 488, 8008, 8009, 8443, 9000Allow ports access from the firewall.
sudo firewall-cmd --add-service={http,https,radius} --permanent
sudo firewall-cmd --add-port=8000/tcp --permanent
sudo firewall-cmd --reloadRestart the services to ensure everything is working.
sudo systemctl restart httpd radiusd.serviceThe status of your services can be checked using systemctl:
systemctl status httpd radiusdNow access daloradius with below URLs.
- RADIUS management application: http://<ip>:8000/
- RADIUS user portal application: http://<ip>
Example of RADIUS management application portal interface.
The default login details are:
Username: administrator
Password: radiusdaloRADIUS management UI look:
Enjoy using FreeRADIUS and daloRADIUS:
