freeradius+daloradius+mysql
#############################################

1. Install pre-requisites:

    sudo apt-get update
    sudo apt-get install mysql-server
    sudo apt-get install php5-gd php-pear php-db
    sudo apt-get install freeradius freeradius-mysql
    sudo apt-get install phpmyadmin

2. Download and install Daloradius:

    wget http://tenet.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
    tar -zxvf daloradius-0.9-9.tar.gz
    mv daloradius-0.9-9 daloradius
    sudo cp -R daloradius/ /var/www

3. Change permissions:

    sudo chown -R www-data:www-data /var/www/daloradius
    sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php

4. If you DO NOT HAVE the radius database in MySQL, you need to create it and then import both the freeradius and daloradius tables using the schema below (fresh installations only):

    cd /var/www/daloradius/contrib/db/
    mysql -u root -p
    Enter password:
    mysql> CREATE DATABASE radius;
    mysql> quit;

5. Load the table schema into the radius database. Note this is only for fresh installations of freeradius:

    mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql

6. Configure Daloradius:

    cd /var/www/daloradius/library/
    sudo vim daloradius.conf.php

7. Configure as follows:

    $configValues['FREERADIUS_VERSION'] = '2';
    $configValues['CONFIG_DB_PASS'] = 'password';
    $configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

8. Log in to daloradius at http://<your ip address>/daloradius

    username: administrator
    password: radius

#############################################
freeradius configuration
#############################################

9. The configuration files can be found under /etc/freeradius/:

    acct_users                 clients.conf        modules          sites-enabled
    attrs                      dictionary          policy.conf      sql
    attrs.access_challenge     eap.conf            policy.txt       sql.conf
    attrs.access_reject        experimental.conf   preproxy_users   sqlippool.conf
    attrs.accounting_response  hints               proxy.conf       templates.conf
    attrs.pre-proxy            huntgroups          radiusd.conf     users
    certs                      ldap.attrmap        sites-available

10. Configure radiusd.conf, the main configuration file for freeradius.
NB: to view a configuration file without its comments use:

    sed -e 's/#.*//;/^\s*$/d' <file>

Configure the port on which radius will listen for requests and uncomment the line "#$INCLUDE sql.conf":

    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log/freeradius
    raddbdir = /etc/freeradius
    radacctdir = ${logdir}/radacct
    name = freeradius
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/${name}
    db_dir = ${raddbdir}
    libdir = /usr/lib/freeradius
    pidfile = ${run_dir}/${name}.pid
    user = freerad
    group = freerad
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
    proxy_requests = yes
    $INCLUDE proxy.conf
    $INCLUDE clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
    }
    instantiate {
        exec
        expr
        expiration
        logintime
    }
    $INCLUDE policy.conf
    $INCLUDE sites-enabled/
    $INCLUDE sql.conf

11. Configure clients.conf. Here you add the devices that will communicate with the radius server; this includes the access points and the KENET radius servers. Specify the virtual server that will be used, in our case eduroam:

    client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other
        virtual_server = eduroam
    }
    client 192.168.0.0/16 {
        secret = testing123
        shortname = all-access-points
        virtual_server = eduroam
    }

12. Configure sql.conf with the username and password for mysql and the database to use:

    database = "mysql"
    server = "localhost"
    login = "username-to-login"
    password = "mysqlpassword"
    radius_db = "radius"
    readclients = yes
    # $INCLUDE sql/${database}/dialup.conf
    $INCLUDE /etc/freeradius/sql/mysql/dialup.conf

13. Populate the mysql database with users. Remember that the database schema was created during the Daloradius installation. Populate the table radcheck with information on users; this can be done on the Daloradius web page or manually. Below it is done manually. Remember institution.ac.ke is the domain of the institution:

    mysql -u root -p
    mysql> use radius;
    mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest@institution.ac.ke', 'Password', 'testpwd');
    mysql> select * from radcheck where UserName='sqltest@institution.ac.ke';
    mysql> exit

14. Create the file /etc/freeradius/sites-enabled/eduroam with the following content:

    server eduroam {
        authorize {
            preprocess
            chap
            mschap
            suffix
            eap
            sql
            pap
            auth_log
        }
        authenticate {
            eap
            Auth-Type PAP {
                pap
            }
            Auth-Type CHAP {
                chap
            }
            Auth-Type MS-CHAP {
                mschap
            }
        }
        preacct {
            suffix
        }
        accounting {
            detail
            sql
        }
        post-auth {
            reply_log
            Post-Auth-Type REJECT {
                reply_log
                sql
            }
        }
        pre-proxy {
            pre_proxy_log
            if (Packet-Type != Accounting-Request) {
                attr_filter.pre-proxy
            }
        }
    }

15. Create the file /etc/freeradius/sites-enabled/eduroam-inner-tunnel with the following content:

    server eduroam-inner-tunnel {
        authorize {
            auth_log
            eap
            files
            mschap
            pap
            sql
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
            Auth-Type MS-CHAP {
                mschap
            }
            eap
        }
        post-auth {
            reply_log
            Post-Auth-Type REJECT {
                reply_log
            }
        }
    }

16. Edit eap.conf as follows:

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            CA_path = ${cadir}
            cipher_list = "DEFAULT"
            make_cert_command = "${certdir}/bootstrap"
            cache {
                enable = no
                lifetime = 24
                max_entries = 255
            }
            verify {
            }
        }
        ttls {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            virtual_server = "eduroam-inner-tunnel"
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            virtual_server = "eduroam-inner-tunnel"
        }
        mschapv2 {
        }
    }

17. Edit the file proxy.conf and add the following with your respective realm:

    realm institution.ac.ke {
        nostrip
    }

18. Finally, test that the setup is working. Run freeradius in debug mode:

    freeradius -xX

Ensure it runs and fix any errors that it may show.

19. Test that a user is being authenticated with the following commands:

    radtest -t mschap sqltest@institution.ac.ke testpwd localhost 1812 testing123
    radtest -t pap sqltest@institution.ac.ke testpwd localhost 1812 testing123
    radtest -t chap sqltest@institution.ac.ke testpwd localhost 1812 testing123

If it works, you should get an Access-Accept as shown below:

    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=178, length=20

Ensure you configure the wireless LAN controller for 802.1x authentication as shown
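The clients.conf from step 11 keeps the placeholder secret testing123 and leaves require_message_authenticator off, which is fine for the radtest checks in step 19 but not for a server that access points and the KENET proxies will talk to. The following audit script is an added example, not part of this guide or of FreeRADIUS: it parses client blocks in FreeRADIUS 2 syntax and reports the settings a reviewer would flag before go-live. The list of placeholder secrets and the 16-character minimum are my own assumptions, and the embedded clients.conf text is a constructed copy of step 11.

```python
import re
# Constructed sample mirroring the clients.conf from step 11 (not read from disk).
CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other
    virtual_server = eduroam
}
client 192.168.0.0/16 {
    secret = testing123
    shortname = all-access-points
    virtual_server = eduroam
}
"""
# Assumption: secrets that ship as placeholders in FreeRADIUS example configs.
DEFAULT_SECRETS = {"testing123"}

def parse_clients(text):
    """Minimal parser for 'client <name> { key = value ... }' blocks."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"client\s+(\S+)\s*\{$", line)
        if m:
            current = clients.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            current[key] = val.strip('"')
    return clients

def audit_clients(text, min_secret_len=16):
    """Return (client, finding) pairs; min_secret_len is an assumed policy value."""
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "")
        if secret in DEFAULT_SECRETS:
            findings.append((name, "default shared secret"))
        elif len(secret) < min_secret_len:
            findings.append((name, "short shared secret"))
        # FreeRADIUS 2 defaults this to "no" when the key is absent.
        if cfg.get("require_message_authenticator", "no") == "no":
            findings.append((name, "Message-Authenticator not required"))
        if "/" in name and not name.endswith("/32"):
            findings.append((name, "network-wide client block shares one secret"))
    return findings
```

Run audit_clients(open("/etc/freeradius/clients.conf").read()) against the live file to get the same report for the real configuration.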