Remote Authentication Dial-in User Service (RADIUS)
Hello everyone. In this article i will explain the configuration of radius server. What we need for the beginning is mysql and freeradius installed in your computer.One can configure radius with radiusd but i will go on with freeradius.
We define radius server as the traffic controller for any kind of “device” for AAA(Authentication, Authorization and Accounting). This means that we need to have at least one user and one client at once.
Freeradius is a very simple yet efficient tool that enables you to manage radius server. We can start by installing freeradius. Please type the following command to the command line
sudo apt-get install freeradius
Then please start freeradius by
sudo service freeradius start
As i said we need users and clients. That is the main goal of radius. To enable all the users in freeradius, we need to make a few settings in configuration files. First we need to define user(s). Please type in the command line
sudo nano /etc/freeradius/users
A file will appear with full of commanded sentences and properties. Declaration syntax of a user is extremely easy. Just type
<username> Auth-Type := EAP, Cleartext-Password := “<password>”
This is my users file yours should be something similar to this. After you write your declarations, just press F3 for saving then CTRL+X to exit the file.
Next, we need to declare our clients. There may be just one or hundreds of users and they can be localhosts, cisco devices(NAS),etc.
We will do almost the same thing that we did for users. Please open the clients file by following;
sudo nano /etc/freeradius/clients.conf
Again a file will appear full of commands with #. What you need to do is to declare clients in a format lie following, but be careful with #s because they may interfere your code. The syntax is easy again;
secret is something like a password for radius. When you make an authentication, your program will need that secret to confirm your device. Overall, your clients.conf file must be something like this;
You can declare all the clients that way. Not just the localhost. You may even get another virtual machine as client and type it’s IP address to the file.
That is all for configurations. But how will you check that the server is working? How will you see the errors and debug them? Those are also very easy. You can open freeradius in debug mode by typing
in another terminal to see the logs and errors. At the starting, please don’t forget to do this, when you see
“Ready to process requests”
you are ready to start working with freeradius.
Now it is time for connection of mysql. First we need to create a database for our radius. Let’s call that database radius. Again please ensure that mysql is installed in your computer. Open mysql by typing
sudo mysql -u root -p
Enter your “mysql” password not your pc’s password. You should be seeing mysql command program in the terminal.Type
CREATE DATABASE radius;
It will be saying something like database created. Then type exit to quit mysql for now.
Next, we need to install the necessary tables for our freeradius. Please type
sudo apt-get install freeradius freeradius-mysql
You will receive 7 tables in your radius database. See that they are installed correctly. Open mysql again and type
You should be seeing something like
Mines are much more but you will only need radacct, radcheck,radgroupcheck,radgroupreply,radpostauth,radreply and radusergroup. Some of them will be working for you when you want to create “a group” of users and radcheck is for all the users and radreply is the output of the logs which we will use to see the output of our tests.
We are almost ready now. When we add or remove a user or client, our tables will be effected directly. This is the way that freeradius is managed.
Now it is time to test our configurations. We are going to use radtest command for freeradius. The syntax is like the following;
radtest <username> <password> <hostname> <port> <secret>
radtest <username> <password> <hostname> 10 <secret>
radtest <username> <password> <hostname> 0 <secret>
In my case for localhost, my radtest is command like the following;
radtest abc 123 localhost 1812 testing123
testing123 is my secret for localhost client abc is my username 123 is my password localhost is my hostname and 1812 is the default port number for radius.
When you see “Access-Accepted” in the below you are done. If you see something like access declined or access rejected you need to debug your freeradius to see any kind of mistake that you did wrong or forgot to add. My mistakes were mostly from the database so be careful when you are declaring your database,tables and variables. You can test freeradius by adding users or clients by hand to mysql or from phpmyadmin easily. Debug mode of freeradius is pretty straightforward and understandable so i suggest you to use it efficiently.
That is all for this article. Please let me know for any kind of questions or knowledges.