Track 1b) Module 3 Hands-on Lab
***********************************************************
1. Install Required Packages 

sudo apt update 
sudo apt install freeradius freeradius-mysql freeradius-utils mysql-server php php-mysqli php-gd php-curl php-xml php-pear php-db apache2 unzip git 

2. Download and Setup daloRADIUS (Web UI)

cd /var/www/html 
sudo git clone https://github.com/lirantal/daloradius.git 
sudo chown -R www-data:www-data daloradius 
sudo chmod -R 755 daloradius 
  
3. Create MySQL Database 

sudo mysql -u root -p 
CREATE DATABASE radius; 
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'securepassword'; -- use your preferred password
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost'; 
FLUSH PRIVILEGES; 
EXIT; 
  

4. Import Schema 

cd /var/www/html/daloradius/contrib/db 
mysql -u radius -p radius < mysql-daloradius.sql 
mysql -u radius -p radius < fr3-mysql-schema.sql 
  

5. Configure daloRADIUS Web UI 

Edit /var/www/html/daloradius/library/daloradius.conf.php: 

$configValues['CONFIG_DB_USER'] = 'radius'; 
$configValues['CONFIG_DB_PASS'] = 'securepassword'; // Use the same password configured in the MySQL DB
$configValues['CONFIG_DB_NAME'] = 'radius'; 
$configValues['FREERADIUS_VERSION'] = '3'; 
  
6. Enable SQL Module 

cd /etc/freeradius/3.0/mods-enabled 
sudo ln -s ../mods-available/sql . 
  
7. Edit SQL Module Config 

Edit /etc/freeradius/3.0/mods-available/sql: 

driver = "rlm_sql_mysql" 
dialect = "mysql" 
 
server = "localhost" 
port = 3306 
login = "radius" 
password = "securepassword" 
radius_db = "radius" 
 
read_clients = yes 
client_table = "nas" 
 
# Uncomment this line 
$INCLUDE sql/mysql/dialup.conf 
  
8. Add Clients (APs, localhost) 

Edit /etc/freeradius/3.0/clients.conf or populate MySQL nas table: 

	client localhost { 
    	ipaddr = 127.0.0.1 
    	secret = testing123 
	} 
 
	client wifi-ap { 
    	ipaddr = 192.168.1.10 
    	secret = apsharedsecret 
	} 
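
The check below is an added example, not part of the original lab: it parses clients.conf-style blocks like the two in step 8 and flags the stock FreeRADIUS test secret (testing123) on non-loopback clients, plus secrets shorter than an assumed minimum. MIN_LEN=16 and the lab-switch client are assumptions made for illustration; the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag weak shared secrets in FreeRADIUS client blocks.
# MIN_LEN is an assumed local policy, not a FreeRADIUS requirement.
MIN_LEN=16

# audit_clients [FILE...]: print "name ipaddr verdict" for each client block.
# Handles the "key = value" form used in clients.conf; a '#' inside a quoted
# secret is not supported by this simple comment stripper.
audit_clients() {
    awk -v min="$MIN_LEN" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        name == "" && $1 == "client" && /[{]$/ {
            name = $2; ip = "?"; secret = ""; depth = 1; next
        }
        name == "" { next }                        # outside any client block
        /[{]$/ { depth++; next }                   # nested section, e.g. limit
        depth == 1 && $1 ~ /^ip(v4|v6)?addr$/ { ip = $3 }
        depth == 1 && $1 == "secret" { secret = $3; gsub(/"/, "", secret) }
        $0 == "}" && --depth == 0 {
            loopback = (ip ~ /^127\./ || ip == "::1")
            if (secret == "")                  v = "MISSING_SECRET"
            else if (secret == "testing123")   v = loopback ? "DEFAULT_SECRET_LOOPBACK_ONLY" : "DEFAULT_SECRET"
            else if (length(secret) < min)     v = "SHORT_SECRET"
            else                               v = "OK"
            print name, ip, v
            name = ""
        }
    ' "$@"
}

# Constructed sample: the two clients from step 8 plus a hypothetical third.
sample_clients() {
    cat <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123   # stock FreeRADIUS test secret
}
client wifi-ap {
    ipaddr = 192.168.1.10
    secret = apsharedsecret
}
client lab-switch {
    ipaddr = 192.168.1.20
    secret = testing123
}
EOF
}

sample_clients | audit_clients
```

To audit the live configuration, run audit_clients with /etc/freeradius/3.0/clients.conf as its argument, as a user that can read that file.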
  
9. Configure sites-available/default & inner-tunnel 

Ensure sql is listed (uncommented) in each of these sections: 

	authorize { 
    	... 
    	sql 
	} 
 
	accounting { 
    	... 
    	sql 
	} 
 
	session { 
    	sql 
	} 
 
	post-auth { 
    	... 
    	sql 
	} 
  
10. Configure EAP 

Edit /etc/freeradius/3.0/mods-available/eap: 

	default_eap_type = peap 
	tls-config tls-common { 
    	private_key_file = /etc/freeradius/3.0/certs/server.key 
    	certificate_file = /etc/freeradius/3.0/certs/server.pem 
    	ca_file = /etc/freeradius/3.0/certs/ca.pem 
	} 

Then generate the certificates referenced above: 

cd /etc/freeradius/3.0/certs 
sudo make  # Or create your own CA and certs 
  
Add Test Users 
-------------------------------------

You can do this via daloRADIUS or SQL: 

INSERT INTO radcheck (username, attribute, op, value) 
VALUES ('testuser@institution.ac.ke', 'Cleartext-Password', ':=', 'testpass'); 
  

 
Set up eduroam Virtual Servers
------------------------------------- 

11. Create sites-available/eduroam 

	server eduroam { 
	    authorize { 
	        preprocess 
	        suffix 
	        eap 
	        sql 
	    } 

	    authenticate { 
	        eap 
	    } 

	    post-auth { 
	        sql 
	    } 
	} 
  

Symlink it: 

sudo ln -s /etc/freeradius/3.0/sites-available/eduroam /etc/freeradius/3.0/sites-enabled/ 
  

12. Create eduroam-inner-tunnel 

Clone inner-tunnel and modify the copy (its server block must be named eduroam-inner-tunnel to match the virtual_server setting below): 

sudo cp /etc/freeradius/3.0/sites-available/inner-tunnel /etc/freeradius/3.0/sites-available/eduroam-inner-tunnel 
sudo ln -s /etc/freeradius/3.0/sites-available/eduroam-inner-tunnel /etc/freeradius/3.0/sites-enabled/ 
  

Set virtual_server = eduroam-inner-tunnel in eap config (TTLS/PEAP sections). 

 

Configure proxy.conf (for eduroam Roaming) 
----------------------------------------------------

Edit /etc/freeradius/3.0/proxy.conf: 

	realm institution.ac.ke { 
    	type = radius 
    	authhost = LOCAL 
    	accthost = LOCAL 
	} 
  
Testing the Setup 
---------------------------------------------

14. Run in Debug Mode 

sudo freeradius -xX 
  

15. Test User Authentication 

Run the commands below in a second terminal session. freeradius -xX should still be running in the first one.

radtest -t pap testuser@institution.ac.ke testpass localhost 0 testing123 
radtest -t mschap testuser@institution.ac.ke testpass localhost 0 testing123 
  

 

