FreeRADIUS is a high-performance, open source RADIUS server developed under the GNU General Public License. FreeRADIUS is the most used RADIUS server in the world. It comes with a web-based user administration tool and is modular, very scalable and rich in features. This is a guide to installing FreeRADIUS and Daloradius on CentOS 7.

RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol – a system that defines rules and conventions for communication between network devices – for remote user authentication and accounting. RADIUS is normally used to provide AAA services: Authorization, Authentication and Accounting.

FreeRADIUS is the most deployed RADIUS server because it supports all common authentication protocols, is open source, and simplifies user administration through its dialupadmin web GUI. The server also comes with modules for integration with LDAP and database systems such as MySQL, PostgreSQL, Oracle, etc.

Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7

Prerequisites:

Install httpd server

# yum -y update
# yum groupinstall "Development Tools" -y
# yum -y install httpd httpd-devel

Start and enable httpd server

# systemctl enable httpd
# systemctl start httpd

Check status of httpd server to make sure it’s running

[root@freeradius ~]# systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2016-08-06 22:03:15 UTC; 8s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 3824 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─3824 /usr/sbin/httpd -DFOREGROUND
           ├─3825 /usr/sbin/httpd -DFOREGROUND
           ├─3826 /usr/sbin/httpd -DFOREGROUND
           ├─3827 /usr/sbin/httpd -DFOREGROUND
           ├─3828 /usr/sbin/httpd -DFOREGROUND
           └─3829 /usr/sbin/httpd -DFOREGROUND

Aug 06 22:03:15 freeradius systemd[1]: Starting The Apache HTTP Server...
Aug 06 22:03:15 freeradius httpd[3824]: AH00558: httpd: Could not reliably determine th...age
Aug 06 22:03:15 freeradius systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

Installing and Configuring MariaDB

We’ll install and configure MariaDB 10, using steps below:

  1. Add MariaDB official repo content to CentOS 7 system
# vim /etc/yum.repos.d/MariaDB.repo

Add the following contents to the file

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

  2. Update system and install MariaDB to configure Database server
# yum -y update
# yum install -y mariadb-server mariadb

You’ll be prompted to install MariaDB GPG Signing key. Just press y to allow installation.

  3. Start and enable MariaDB to run on boot
# systemctl start mariadb
# systemctl enable mariadb

Check if running and if enabled

[root@radius ~]# systemctl status mariadb
[root@radius ~]# systemctl is-enabled mariadb.service
 enabled

  4. Configure initial MariaDB settings to secure it. Here you’ll set the root password. For security purposes, consider removing anonymous users and disallowing remote root login. See the sample session shown below. The key choices are the answers given at each [Y/n] prompt.
[root@freeradius ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
 SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
 password for the root user. If you've just installed MariaDB, and
 you haven't set the root password yet, the password will be blank,
 so you should just press enter here.

Enter current password for root (enter for none): 
 OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
 root user without the proper authorisation.

Set root password? [Y/n] Y
 New password: 
 Re-enter new password: 
 Password updated successfully!
 Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
 to log into MariaDB without having to have a user account created for
 them. This is intended only for testing, and to make the installation
 go a bit smoother. You should remove them before moving into a
 production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
 ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
 access. This is also intended only for testing, and should be removed
 before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
 will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
 installation should now be secure.

Thanks for using MariaDB!
  5. Allow only local connections to the MariaDB server by binding it to the loopback address. This is a security mechanism.
# vim /etc/my.cnf
[mysqld]
bind-address=127.0.0.1

Configure Database for freeradius

# mysql -u root -p -e " CREATE DATABASE radius"
# mysql -u root -p -e "show databases"
# mysql -u root -p 
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye

Installing php 7 on CentOS 7

 cd ~
 curl 'https://setup.ius.io/' -o setup-ius.sh
 sudo bash setup-ius.sh
 sudo yum remove php-cli mod_php php-common
 sudo yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
 sudo apachectl restart

Check php version to confirm

# php -v
 PHP 7.0.9 (cli) (built: Jul 21 2016 11:48:03) ( NTS )
 Copyright (c) 1997-2016 The PHP Group
 Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies

If php 7 fails to work for you, try installing php 5 by running the command below. You’ll have to uninstall php 7 first.

yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml

Installing FreeRADIUS

# yum -y install freeradius freeradius-utils freeradius-mysql
 Loaded plugins: fastestmirror
 Loading mirror speeds from cached hostfile
 * base: mirrors.linode.com
 * epel: ftp.osuosl.org
 * extras: mirrors.linode.com
 * ius: ius.mirror.constant.com
 * updates: mirrors.linode.com
 Resolving Dependencies
 --> Running transaction check
 ---> Package freeradius.x86_64 0:3.0.4-6.el7 will be installed
 --> Processing Dependency: libnaaeap.so.0()(64bit) for package: freeradius-3.0.4-6.el7.x86_64
 ---> Package freeradius-mysql.x86_64 0:3.0.4-6.el7 will be installed
 ---> Package freeradius-utils.x86_64 0:3.0.4-6.el7 will be installed
 --> Running transaction check
 ---> Package tncfhh-libs.x86_64 0:0.8.3-16.el7 will be installed
 --> Processing Dependency: tncfhh = 0.8.3 for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Processing Dependency: libxerces-c-3.1.so()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Processing Dependency: libtncutil.so.0()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Processing Dependency: liblog4cxx.so.10()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
 --> Running transaction check
 ---> Package log4cxx.x86_64 0:0.10.0-16.el7 will be installed
 ---> Package tncfhh.x86_64 0:0.8.3-16.el7 will be installed
 ---> Package tncfhh-utils.x86_64 0:0.8.3-16.el7 will be installed
 ---> Package xerces-c.x86_64 0:3.1.1-8.el7_2 will be installed
 --> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package Arch Version Repository Size
 =============================================================================================
 Installing:
 freeradius x86_64 3.0.4-6.el7 base 985 k
 freeradius-mysql x86_64 3.0.4-6.el7 base 81 k
 freeradius-utils x86_64 3.0.4-6.el7 base 188 k
 Installing for dependencies:
 log4cxx x86_64 0.10.0-16.el7 base 452 k
 tncfhh x86_64 0.8.3-16.el7 base 680 k
 tncfhh-libs x86_64 0.8.3-16.el7 base 160 k
 tncfhh-utils x86_64 0.8.3-16.el7 base 33 k
 xerces-c x86_64 3.1.1-8.el7_2 updates 878 k

Transaction Summary
 =============================================================================================
 Install 3 Packages (+5 Dependent packages)

Total download size: 3.4 M
 Installed size: 11 M
 Is this ok [y/d/N]: y
 Downloading packages:
 (1/8): freeradius-mysql-3.0.4-6.el7.x86_64.rpm | 81 kB 00:00:00 
 (2/8): freeradius-3.0.4-6.el7.x86_64.rpm | 985 kB 00:00:00 
 (3/8): freeradius-utils-3.0.4-6.el7.x86_64.rpm | 188 kB 00:00:00 
 (4/8): log4cxx-0.10.0-16.el7.x86_64.rpm | 452 kB 00:00:00 
 (5/8): tncfhh-0.8.3-16.el7.x86_64.rpm | 680 kB 00:00:00 
 (6/8): tncfhh-libs-0.8.3-16.el7.x86_64.rpm | 160 kB 00:00:00 
 (7/8): tncfhh-utils-0.8.3-16.el7.x86_64.rpm | 33 kB 00:00:00 
 (8/8): xerces-c-3.1.1-8.el7_2.x86_64.rpm | 878 kB 00:00:00 
 ---------------------------------------------------------------------------------------------
 Total 11 MB/s | 3.4 MB 00:00:00 
 Running transaction check
 Running transaction test
 Transaction test succeeded
 Running transaction
 Installing : log4cxx-0.10.0-16.el7.x86_64 1/8 
 Installing : xerces-c-3.1.1-8.el7_2.x86_64 2/8 
 Installing : tncfhh-utils-0.8.3-16.el7.x86_64 3/8 
 Installing : tncfhh-0.8.3-16.el7.x86_64 4/8 
 Installing : tncfhh-libs-0.8.3-16.el7.x86_64 5/8 
 Installing : freeradius-3.0.4-6.el7.x86_64 6/8 
 Installing : freeradius-mysql-3.0.4-6.el7.x86_64 7/8 
 Installing : freeradius-utils-3.0.4-6.el7.x86_64 8/8 
 Verifying : freeradius-mysql-3.0.4-6.el7.x86_64 1/8 
 Verifying : tncfhh-0.8.3-16.el7.x86_64 2/8 
 Verifying : xerces-c-3.1.1-8.el7_2.x86_64 3/8 
 Verifying : freeradius-utils-3.0.4-6.el7.x86_64 4/8 
 Verifying : tncfhh-libs-0.8.3-16.el7.x86_64 5/8 
 Verifying : freeradius-3.0.4-6.el7.x86_64 6/8 
 Verifying : log4cxx-0.10.0-16.el7.x86_64 7/8 
 Verifying : tncfhh-utils-0.8.3-16.el7.x86_64 8/8

Installed:
 freeradius.x86_64 0:3.0.4-6.el7 freeradius-mysql.x86_64 0:3.0.4-6.el7 
 freeradius-utils.x86_64 0:3.0.4-6.el7

Dependency Installed:
 log4cxx.x86_64 0:0.10.0-16.el7 tncfhh.x86_64 0:0.8.3-16.el7 
 tncfhh-libs.x86_64 0:0.8.3-16.el7 tncfhh-utils.x86_64 0:0.8.3-16.el7 
 xerces-c.x86_64 0:3.1.1-8.el7_2

Complete!

You have to start and enable freeradius to start at boot up.

# systemctl start radiusd.service
# systemctl enable radiusd.service
 
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

Now you can check the status:

# systemctl status radiusd.service


Also, configure firewalld to allow radius and httpd packets in and out. The RADIUS server uses UDP ports 1812 and 1813. This can be confirmed by viewing the contents of the file /usr/lib/firewalld/services/radius.xml

# cat /usr/lib/firewalld/services/radius.xml
  1. First start and enable firewalld for security
# systemctl enable firewalld
# systemctl start firewalld
# systemctl status firewalld
  2. Confirm firewalld is running
# firewall-cmd --state
 running
  3. Add permanent rules to default zone to allow http, https and radius services
# firewall-cmd --get-services | egrep 'http|https|radius'
# firewall-cmd --add-service={http,https,radius} --permanent
 success
  4. Reload firewalld for changes to take effect
# firewall-cmd --reload
  5. Confirm that services were successfully added to default zone
# firewall-cmd --get-default-zone
 public
# firewall-cmd --list-services --zone=public
 dhcpv6-client http https radius ssh

We can see the three services present, hence we’re good to proceed.
Next, test the radius server by running it in debug mode with option -X. First check whether the daemon is already running:

# ss -tunlp | grep radiusd

If it’s running, debug mode will fail to bind to the ports, so you may have to kill the radius server daemon first:

# pkill radius

Then start radius server in debugging mode to see if it runs successfully:

# radiusd -X


Configure FreeRADIUS

To Configure FreeRADIUS to use MariaDB, follow steps below.

  1. Import the Radius database schema to populate the radius database
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
  2. Configure Radius at this point

– First you have to create a soft link for SQL under /etc/raddb/mods-enabled

# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Configure the SQL module /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:

# vim /etc/raddb/mods-available/sql
  • The sql section should look similar to the one below.
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"

    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"

    # Database table configuration for everything except Oracle
    radius_db = "radius"

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes

    # Table to keep radius client info
    client_table = "nas"
}

Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:

# chgrp -h radiusd /etc/raddb/mods-enabled/sql

Installing and Configuring Daloradius

Installing Daloradius

You can use Daloradius to manage the radius server. This is optional and should not be done before installing FreeRADIUS. There are two ways to download daloradius, either from GitHub or SourceForge.
GitHub method:

# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius

Sourceforge way:

# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar zxvf daloradius-0.9-9.tar.gz 
# mv daloradius-0.9-9 daloradius

Change directory for configuration

# cd daloradius

Configuring daloradius

  • Now import Daloradius mysql tables
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql
  • Configure daloRADIUS database connection details:
# cd ..
# mv daloradius /var/www/html/

Then change the ownership of the http folder and set the right permissions for the daloradius configuration file.

# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

You should now modify the daloradius.conf.php file to adjust the MySQL database information. Open daloradius.conf.php and add the database username, password and db name.

# vim /var/www/html/daloradius/library/daloradius.conf.php

Especially relevant variables to configure are:

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

To be sure everything works, restart radiusd, httpd and mysql:

# systemctl restart radiusd.service 
# systemctl restart mariadb.service 
# systemctl restart httpd

Up to this point, we’ve covered the complete installation and configuration of daloradius and freeradius. To access daloradius, open the link using your IP address:

http://192.168.1.20/daloradius/login.php

Default login details are:
Username: administrator
Password: radius
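
With the installation finished, the security-relevant settings this guide touches can be checked in one pass: the MariaDB bind address, the sample password in the sql module and in daloradius.conf.php, and the permissions on those two files. The script below is an added example, not part of the original tutorial; its function names are chosen here, and it assumes the file paths used in the steps above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check the three files this
# guide edits. Paths are parameters, so it can also be run on copies.

# Succeed only if the [mysqld] section pins bind-address to loopback.
bind_is_local() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); addr = $0
        }
        END { exit !(addr == "127.0.0.1" || addr == "::1" || addr == "localhost") }
    ' "$1"
}

# Succeed if FILE still contains the sample password used in this guide.
has_sample_password() {
    grep -q 'radiuspassword' "$1"
}

# Succeed if every local user can read FILE (permission bit 004 is set).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# audit MY_CNF SQL_MODULE DALO_CONF: print findings, return how many were found.
audit() {
    n=0
    if ! bind_is_local "$1"; then
        echo "FAIL $1: [mysqld] bind-address is not a loopback address"
        n=$((n + 1))
    fi
    for f in "$2" "$3"; do
        if has_sample_password "$f"; then
            echo "FAIL $f: sample password 'radiuspassword' still in use"
            n=$((n + 1))
        fi
        if world_readable "$f"; then
            echo "FAIL $f: readable by every local user"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Usage (as root):
#   sh audit.sh /etc/my.cnf /etc/raddb/mods-available/sql \
#       /var/www/html/daloradius/library/daloradius.conf.php
if [ "$#" -eq 3 ]; then
    audit "$@"
fi
```

On a system configured exactly as in this guide it reports the sample password in both files and the world-readable 664 mode on daloradius.conf.php; with the files owned by apache:apache, mode 640 is enough for the web server to read it. The default administrator login is stored in the database rather than in these files, so it is not covered by this check.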


Conclusion

You have learned how to install FreeRADIUS, perform simple essential configuration, and install Daloradius, which is a web-based tool used to administer FreeRADIUS. You may have to consider further reading to become a guru in FreeRADIUS administration.

 


 

  • anon

    There appears to be an issue with Daloradius and the PHP version installed on this tutorial – installing on CentOS 7 results in getting blank page after a login.

    I’m unable to install php-dba as there’s a conflict with the versions installed on an earlier step in the tutorial.

    • Try to use php 5 and see if it works. There are some bug issues with PHP 7.

      • kenneth wassajja

        Hi,
        I am not so good at Linux, but I have followed all your procedure successfully to the end but can’t log in to daloradius. It says:


        Forbidden

        You don’t have permission to access /daloradius/
        on this server.

        Can you please advise? Thank you.

        • Jose pentester

          I’m happy for you that you did complete the installation. That is likely a problem with permissions; make sure the apache web user account has read permissions on the daloradius folder.
          The user should be apache and group is apache as well.

          • ErPayo

            You need to sort out selinux with:
            restorecon -Rv /var/www/html/daloradius/*

            And then you will probably come across the database error that gets solved with:
            yum install php-pear-DB

          • V.Reddy

            You can fix this.
            yum install epel-release
            yum install php-pear-DB

          • Jose pentester

            Thanks for sharing

          • Jose pentester

            Sure.

          • Alexei Ramotar

            Thanks. Worked

          • I’m Happy it worked for you!

          • Viet Doan

            thanks, it done!

  • Nguyen Khanh Dung

    I got an error message like below when running freeradius in debug mode:
    rlm_sql_mysql: MySQL error 'Unknown column 'acctupdatetime' in 'field list''

    Please help !

    • Jose pentester

      I have no idea why you’re getting such errors.

  • dominic adair-jones

    Received an error when trying to grant privileges... something about syntax near IDE FLUSH PRIVILEGES. Any ideas?

    • Alex

      Remove cracklib plugin

  • karim

    I have service status { radius disabled – mysql disabled }.
    What may fix these problems?
    Thanks

    • kiosaninsl

      systemctl enable radiusd.service
      systemctl enable mysqld.service

      After enabling, you can start the service with the command systemctl start [SERVICE NAME]

  • Arturs Stay

    I get an error following this step-by-step article: “Forbidden… You don’t have permission to access /daloradius/login.php”
    All services are running, what gives? lol

    • Jose pentester

      Please change ownership to apache user- www-data

    • Gilang Ramadan

      restorecon -r /var/www/html

  • Abilash PR

    Hi Kiplangat Mutai,

    Under Service status in Dalo Radius, Radius Status is disabled.

    Please advise.

    Regards,
    Abilash

  • Abilash PR

    How to enable EAP and PEAP mode in this freeradius?

    Please advise.

    Regards,
    Abilash PR.

    • Jose pentester

      I haven’t implemented that yet. I’ll try and share my findings.

      thanks.

  • Martin Borgoň

    I had the 404 forbidden error. Just type these 2 commands into the console:
    find /var/www -type d -exec chmod 755 {} \;
    find /var/www -type f -exec chmod 644 {} \;
    And now I have this error after an unsuccessful login:
    Database connection error
    Error Message: DB Error: connect failed

    DB name,password and db login are not the problem.
    Any suggestions ?

    • Jose pentester

      Just change the ownership to apache user for /var/www,

      chown -R apache:apache /var/www

  • rohan kalal

    https://uploads.disquscdn.com/images/d566f5aafcc46a7f311b9a42b98ce5597e7857aa54d34867c4ac1930089e6e5d.png

    I get this error when I exec the command systemctl restart radiusd.service

  • Thomas Wilson

    I get after the login page isn’t working (HTTP ERROR 500). I have php 5 loaded not 7. Any ideas?

    • Jonpaulh

      Disable Selinux

  • Erik Aristayasa
  • Peterson

    Fantastic thanks

  • Shai Chikorel

    disabled SElinux

  • Anson

    Hi, I follow the guide, but got this error after login

    Database connection error
    Error Message: DB Error: extension not found

    I have input these commands already:

    FreeRadius:

    mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

    Dalo:

    mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql

    mysql -u root -p radius < contrib/db/mysql-daloradius.sql

    Would you have any ideas for the problem?

    • Jonpaulh

      run this: pear install DB

  • Jonpaulh

    If you have an error when accessing dalo radius regarding permissions, this is likely SELinux. Disable SELinux, reboot the server and this should be resolved.

    If you have a database error such as extension not found or Uncaught Error: Class ‘DB’ not found. Then run this command: pear install DB

    Once done restart httpd. With the above guide and these two changes it worked for me on Centos 7 minimal.

  • Renesmee Cullen

    Hi. Please advise what I missed. I got through to all the steps back and I don’t know what I missed.

    [root@ip-10-100-198-19 ~]# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
    -bash: /etc/raddb/mods-config/sql/main/mysql/schema.sql: No such file or directory