FreeRadius is software you can run on Ubuntu that acts as a RADIUS server, which your router can use to give you an 802.1X network. There are various reasons you may want to do this, but today I'll show you how to get it installed. In addition to FreeRadius, I’ll also show you how to install DaloRADIUS, which is a web UI based management system for FreeRadius (that section is at the end).
The first thing you'll want to do is ensure your system is up to date. You can do this by running the following commands to update the available packages on your system.
sudo apt update
sudo apt upgrade -y
Next, there are some packages you need to install that you might not have already. A few notable ones are php, apache2, FreeRadius, and mariadb.
sudo apt install php apache2 freeradius libapache2-mod-php mariadb-server freeradius-mysql freeradius-utils php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl} wget unzip zip -y
Then, you need to enable and start apache2 as well as enable FreeRadius. You can do both with the single command below.
sudo systemctl enable --now apache2 && sudo systemctl enable freeradius
Once you have apache2 enabled, you can set up the SQL server (in this case the MariaDB server).
sudo mysql_secure_installation
Here's what I answered during the installation. Depending on your security needs, you may want to set a root password, but in my case it doesn't matter to me. I pasted the questions below, each followed by my answer.
Enter current password for root (enter for none): enter
Switch to unix_socket authentication [Y/n] n
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Great, now that you have set up the server, we can start to configure the database. Depending on how you set it up, you may have to enter your SQL root password on this first command, but since I clicked enter through the prompt, I will just type in sudo mysql. If you entered a root password, type in the command below.
sudo mysql -u root -p
Now that you're logged in, you need to do a few things.
We can create the database by running this “CREATE DATABASE” command:
CREATE DATABASE radius;
Next we need to create the user account. I would recommend changing PASSWORD to a secure password.
CREATE USER 'radius'@'localhost' IDENTIFIED by 'PASSWORD';
To grant the privileges, run this command:
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost';
Finally, run these commands to reload the privileges in the sql database and to quit the session.
FLUSH PRIVILEGES;
quit;
To finish setting up the database, we need to connect it to FreeRadius. To tell FreeRadius we will use sql for our logins, run these commands below one at a time. You cannot paste all these in at once.
sudo su -
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
exit
sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
Now that FreeRadius and the SQL server are connected, we need to provide FreeRadius with the login to the SQL server, as well as change a few settings.
sudo nano /etc/freeradius/3.0/mods-enabled/sql
There are a few things you need to change before entering the login. Below are the things that need to be changed. Scroll through the file and make the necessary changes.
driver = "rlm_sql_null" needs to be driver = "rlm_sql_${dialect}"
dialect = "sqlite" needs to be dialect = "mysql"
read_clients = yes needs to be uncommented (No # in front of that line)
client_table = "nas" needs to be uncommented (No # in front of that line)
One last thing, find the section that looks like this:
And comment out all the TLS settings to make it look like this:
Now you can enter in the login. Find the section that looks like this:
And uncomment the lines that say server, port, login, and password. (Note: Uncommenting means removing the #). Enter in your radius user password for your SQL database in the “” where it says “radpass”.
Here is what it should look like:
To save your changes, press Ctrl+X, then Y, followed by Enter.
sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
sudo systemctl restart freeradius
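To confirm the edits above took effect, the following check reads the module file and reports any setting that still differs from this tutorial. It is an added example, not part of the original tutorial; the function names setting and check_sql_module are made up here, and it only understands simple one-line key = value entries.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# setting KEY FILE: print the first uncommented value of KEY ("key = value").
setting() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                 # ignore commented-out lines
        $1 == key && $2 == "=" {
            v = $3; gsub(/"/, "", v); print v; exit
        }' "$2"
}

# check_sql_module FILE: report each setting that still differs from the
# tutorial; the exit status is the number of problems found.
check_sql_module() {
    file=$1
    problems=0
    while read -r key want; do
        got=$(setting "$key" "$file")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-<commented out>}', expected '$want'"
            problems=$((problems + 1))
        fi
    done <<'EOF'
driver rlm_sql_${dialect}
dialect mysql
read_clients yes
client_table nas
EOF
    for key in server port login password; do
        [ -n "$(setting "$key" "$file")" ] && continue
        echo "FAIL: $key is still commented out"
        problems=$((problems + 1))
    done
    if [ "$(setting password "$file")" = "radpass" ]; then
        echo "FAIL: password is still the placeholder radpass"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sudo sh -c '. ./check.sh; check_sql_module /etc/freeradius/3.0/mods-enabled/sql'
```

The file holds the database password in plain text, so run the check with sudo rather than loosening the file's permissions.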
If you're like me and you have UniFi network hardware, there'll be an extra step you want to take.
Run these commands SEPARATELY and find the SECOND OCCURRENCE of “use_tunneled_reply” in the file that opens.
sudo nano /etc/freeradius/3.0/mods-enabled/eap
In the second occurrence of “use_tunneled_reply”, under the “peap” section, change NO to YES. This will allow UniFi to dynamically assign users' VLANs based on their login stored in the SQL database.
One last thing, every time you make a change in your FreeRadius settings (that includes every time you add or modify a user) you need to reload your settings. You can do that by running this command below:
sudo service freeradius reload
Finally, to connect to the server, you will need to enter your router's PRIVATE IP ADDRESS as a “NAS” in the nas table in your database. In that row, you'll also need to create a “secret” that your router will use to connect to the RADIUS server. This should be pretty straightforward so I'm not going to go into too much detail on here, but if you have questions, like always, feel free to reach out on my website, beamnetworks.dev.
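As an added example (not part of the original tutorial), the script below prints the SQL for the nas row described above plus one user whose reply attributes place them on a VLAN, the assignment that use_tunneled_reply lets UniFi act on. The function names, the user alice, the shortname router and VLAN 20 are assumptions; nas, radcheck and radreply are tables created by the FreeRadius schema loaded earlier.

```shell
#!/bin/sh
# Added example: build the SQL for one NAS (router) and one VLAN-pinned user.

# 128-bit random shared secret as 32 hex characters.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# nas_sql ROUTER_IP SECRET USER PASSWORD VLAN_ID: print the INSERT statements.
nas_sql() {
    ip=$1 secret=$2 user=$3 pass=$4 vlan=$5
    valid_ipv4 "$ip" || { echo "bad router IP: $ip" >&2; return 1; }
    # Values are pasted into quoted SQL strings, so allow only characters
    # that cannot end the string (a limit of this example, not of RADIUS).
    for value in "$secret" "$user" "$pass"; do
        case $value in
            ''|*[!A-Za-z0-9._-]*) echo "unsafe character in value" >&2; return 1 ;;
        esac
    done
    case $vlan in ''|*[!0-9]*) echo "bad VLAN: $vlan" >&2; return 1 ;; esac
    [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] || { echo "bad VLAN: $vlan" >&2; return 1; }
    cat <<EOF
INSERT INTO nas (nasname, shortname, type, secret, description)
VALUES ('$ip', 'router', 'other', '$secret', 'Wi-Fi router');
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('$user', 'Cleartext-Password', ':=', '$pass');
-- 13 = VLAN and 6 = IEEE-802 in the RADIUS tunnel attribute dictionaries
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('$user', 'Tunnel-Type', ':=', '13'),
  ('$user', 'Tunnel-Medium-Type', ':=', '6'),
  ('$user', 'Tunnel-Private-Group-Id', ':=', '$vlan');
EOF
}

# Usage (constructed values):
#   secret=$(gen_secret); echo "router secret: $secret"
#   nas_sql 192.168.1.1 "$secret" alice Example-Pass1 20 | sudo mysql radius
```

Enter the same secret on the router, then reload FreeRadius as described above.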
To install DaloRADIUS, you just need to clone the git repo for it and then add it to your database schema. Note: you may want to make sure that you are downloading the latest version. You can do that on their git repository (https://github.com/lirantal/daloradius)
To download and extract the release archive, you can run the following commands:
wget https://github.com/lirantal/daloradius/archive/1.3.zip
unzip 1.3.zip
cd daloradius-1.3
Next you need to copy the DaloRADIUS database schema into your existing database. You also need to move it into the directory Apache (the web server) uses.
Note: Depending on the version you download of DaloRADIUS, you may need to adjust version numbers.
sudo mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
sudo mysql -u root -p radius < contrib/db/mysql-daloradius.sql
cd
sudo mv daloradius-1.3 /var/www/html/
sudo mv /var/www/html/daloradius-1.3 /var/www/html/daloradius
sudo chown -R www-data:www-data /var/www/html/daloradius
sudo cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
Now that everything is in the correct directory, you can configure it with the correct settings.
sudo nano /var/www/html/daloradius/library/daloradius.conf.php
You’ll find the file with some blank $configValues and you need to populate those with your values. If for some reason you used the same credentials as earlier in this tutorial, here is what you’ll need to fill in:
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'PASSWORD';
$configValues['CONFIG_DB_NAME'] = 'radius';
To save and apply your changes, press Ctrl+X on your keyboard, then Y and Enter.
Finally, you need to restart Apache and FreeRadius to push out the changes so that they can pull the new configurations.
sudo systemctl restart freeradius.service apache2
To log in to the server, enter its IP address and add /daloradius to the path.
The default username is administrator and password is radius. I highly recommend you change those once you login. (Config > Operators > List Operators > User). You can also add a new user in that menu.
I’m not going to go into the setup for DaloRADIUS as you can do that in SQL too (it's not much different). If you want to see the full setup, take a look at the video tutorial for this install instead.
If you want to configure a backup server or just migrate your existing server, you'll notice that you have to “re-trust” the certificate for your FreeRadius server. Not anymore! If you copy over the following three SSL files, it won't ask you to re-trust it anymore!
Here are the three files you need to transfer over. Transfer them AFTER you set up your new server: remove the files from the new server, copy them from the old one, and restart FreeRadius.
/etc/ssl/private/ssl-cert-snakeoil.key
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/certs/ca-certificates.crt
Note: Unsure if the last one matters or not, haven't tried it. Doesn't seem to “hurt” anything if it is copied over.