Thursday, 19 December 2013

Raspberry PI based FreeRadius Server with GUI

09:49 Posted by Jurgens Krause , , 32 comments
I run a small wireless network for a non-profit organization in my home town, it consists of a single high site with internet connectivity, with nine client sites connecting via wireless. The network is built with Ubiquiti hardware, with a Mikrotik 750 handling the routing. I also use this network for experimentation and learning. One of the things that I have been keen on doing is managing it as though it is a commercial network in terms of the network architecture. To this end I have decided to deploy a Raspberrry Pi based Radius server for PPPoE Authentication. The Mikrotik will serve as the PPPoE server, and the Raspberry Pi Radius server will be managed with DaloRADIUS. The instructions below should be easy to use on any Debian based distro.



This tutorial will not cover installation of Raspbian onto your Raspberry Pi.

What you will need:

  • A Raspberry Pi Model B
  • A 4GB+ SD Card running Raspbian
  • SSH Access (or a terminal on the device)
  • PPPoE server (Mikrotik 750 in my case)
  • An internet connection
Raspberry Pi Model B



Log into the Raspberry Pi via SSH or a Terminal Window:
Configure the IP Address

Edit /etc/network/interfaces to reflect your network settings
vi /etc/network/interfaces
Change from:
iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
To:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.3.0.2
netmask 255.255.255.252
gateway 10.3.0.1
dns-nameservers 10.0.0.1
allow-hotplug wlan0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Remember to adjust for your own network parameters

Install FreeRADIUS and other prerequisites, remember to note the password for your mysql server:

$apt-get install freeradius freeradius-mysql apache2 php5 libapache2-mod-php5 mysql-server mysql-client php5-mysql php-pear php5-gd php-db

Download and extract the DaloRADIUS package to /var/www:

cd /usr/src
wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar zxvf daloradius-0.9-9.tar.gz -C /var/www/
mv /var/www/daloradius-0.9-9/ /var/www/daloradius
cd /var/www/daloradius
Configure the DaloRadius/Freeradius database

mysql -uroot -p
mysql>create database radiusdb;
mysql>exit
mysql -u root -p radiusdb < /usr/src/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p
mysql>CREATE USER 'radiususer'@'localhost';
mysql>SET PASSWORD FOR 'radiususer'@'localhost' = PASSWORD('radiuspass');
mysql>GRANT ALL ON radiusdb.* to 'radiususer'@'localhost';
mysql>exit
You will aslo need to configure DaloRadius to connect to the database:
vi /var/www/daloradius/library/daloradius.conf.php
Input the following values
$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radiusuder';
$configValues['CONFIG_DB_PASS'] = 'radiuspass';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
The default configuration of FreeRADIUS loads user accounts from a file located at /etc/freeradius/users.
It makes sense to test the functioning of FreeRADIUS before trying to link it to a database. To activate the test user you have to edit /etc/freeradius/users:
vi /etc/freeradius/users
Uncomment the following lines:
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
To look like this:
"John Doe" Cleartext-Password := "hello"
Reply-Message = "Hello, %{User-Name}"
Restart the freeradius service and show the debug console to make sure all is well:
$/etc/init.d/freeradius stop
$freeradius -XXX
If all goes well you will be presented with the last line :
Info: Ready to process requests.

Press CTRL+C to disconnect.
Start the freeradius service again
$/etc/init.d/freeradius start
Use radtest to make sure that you can authenticate against the file:

$radtest "John Doe" hello 127.0.0.1 0 testing123
Sending Access-Request of id 180 to 127.0.0.1 port 1812
        User-Name = "John Doe"
        User-Password = "hello"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000

Now it is time to switch over to mysql authentication:
$vi /etc/freeradius/radiusd.conf
Change the lines that read:
# $INCLUDE sql.conf&lt
# $INCLUDE sql/mysql/counter.conf
To:
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
Update the configuration to reflect the database username and password as chosen earlier:
$vi /etc/freeradius/sql.conf

        server = "localhost"
        #port = 3306
        login = "radiususer"
        password = "radiuspass"

        # Database table configuration for everything except Oracle
        radius_db = "radiusdb"

Uncomment the lines that read "sql" in the session, accounting and authorize sections

$vi /etc/freeradius/sites-enabled/default 
Uncomment sql in authorize{}
# See “Authorization Queries” in sql.conf
sql
Uncomment sql in accounting{}
# See “Accounting queries” in sql.conf
sql
Uncomment sql in session{}
# See “Simultaneous Use Checking Queries” in sql.conf
sql
Uncomment sql in post-auth{}
# See “Authentication Logging Queries” in sql.conf
sql

To test the configuration, stop the freeradius service:
$service freeradius stop

Then run the freeradius debug console.
$freeradius -X

If it comes back without any errors you can continue.

To enable remote authentication from a Mikrotik device edit /etc/freeradius/clients.conf
Add the following to the end of the file, changing the IP/Class as appropriate.

$vi /etc/freeradius/clients.conf

client 10.0.0.0/24 {
        secret = mikrotest
        shortname = mikrotikpppoe
        nastype= mikrotik
}

Also edit /etc/freeradius/dictionary and add mikrotik:
$vi /etc/freeradius.dictionary

and add:

$INCLUDE  /usr/share/freeradius/dictionary.mikrotik

Restart FreeRadius
$service freeradius restart

You can now log in with a web browser on http://<raspberry-ip>/daloradius
username: administrator
password: radius

32 comments:

  1. HELP!!!

    I keep getting this error. I followed you tutorial exaclty. What do I do? Alse, when I try this command: mysql -u root -p radiusdb < fr2-mysql-daloradius-and-freeradius.sql, it says no such file or directory.

    Database error
    Error Message: DB Error: no such table
    Debug info: SELECT id, username FROM operators WHERE username = 'administrator' AND password = 'radius' [nativecode=1146 ** Table 'radiusdb.operators' doesn't exist]

    ReplyDelete
  2. Hi,
    I don't have a bench set up right now, but try to use the full path to fr2-mysql-daloradius-and-freeradius.sql for example:
    mysql -u root -p radiusdb < /usr/src/daloradius/fr2-mysql-daloradius-and-freeradius.sql

    this should solve both problems, as the command above is the one that actually creates the tables in mysql.

    ReplyDelete
  3. Where does http://raspberry-ip/daloradius come from? I don't see it anywhere in the config, and certainly it can't be a default?

    @PI_User5 I had the same problem. The new path for that file is /usr/src/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

    ReplyDelete
    Replies
    1. Thanks, I have corrected both the part as well as the sql import.

      Delete
  4. The right command to configure the DaloRadius/Freeradius database is
    mysql -u root -p radiusdb < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
    because we have moved all files there before with
    mv /var/www/daloradius-0.9-9/ /var/www/daloradius

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Ok Webinterface works fine now. But after login the webinterface says Database connection error
    Error Message: DB Error: connect failed. May I have forgotten something?
    Thanks
    Markus

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. Markus, I was getting the same error as you...go back and validate that you did the steps correctly. I misconfigured the "daloradius.conf.php file. Afterwards no issues...good luck

      Delete
    3. check

      $configValues['CONFIG_DB_USER'] = 'radiusuder'

      its

      $configValues['CONFIG_DB_USER'] = 'radiususer'

      Delete
  7. hi,

    after install i've got a blank page on http;//myraspberry_ip/daloradius/login.php

    thanks

    ReplyDelete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Have you any tips/guide for your mikrotik pppoe setup combined with this daloradius server please

    ReplyDelete
  10. Hi Guys. I keep on getting Error 404 when trying to reach the http://ip/daloradius. I even reinstalled the whole linux and followed steps again. freeradius -X reports no errors. If I only enter http://ip then I get to the apache info page? Any help would be appreciated. Regards

    ReplyDelete
  11. When i try to login : using username : administrator
    password: radius

    I get error:


    Database connection error
    Error Message: DB Error: insufficient permissions

    ReplyDelete
  12. You have to edit the file /etc/apache2/sites-available/000-default.conf. Ther is a line "Document Root /var/www/html". Remove "/html", save the file and restart apache2. Then it will work fine.

    ReplyDelete
  13. Please help, i try to move daloradius with mv /var/www/daloradius-0.9-9/ /var/www/daloradius, but i keep getting "mv: cannot stat `/var/www/daloradius-0.9-9/': No such file or directory"

    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. Database connection error
    Error Message: DB Error: connect failed


    :(

    ReplyDelete
    Replies
    1. Sohanur this tutorial works perfectly. However there a few changes you have to do.

      This is what I did.

      1) Install a fresh copy of Raspbian OS.

      2) Follow Steps until "Download and extract the DaloRADIUS package to /var/www:"

      3) During Mysql installation input the password as radiuspass (just use his usernames and passwords for now)

      4) NOW change "mysql -u root -p radiusdb < /usr/src/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql" TO "mysql -u root -p radiusdb < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql"

      Thanks to MarkGyver

      5)Follow the steps after that

      6) Change "$configValues['CONFIG_DB_USER'] = 'radiusuder';" to "$configValues['CONFIG_DB_USER'] = 'radiususer'; "

      7) The rest of the steps are easy. Hope it works for you. All the best

      Delete
    2. thanks i have already solved this one, but i cant understand daloradius web UI, can u help me with this one ? http://accessmanager.in/

      Delete
  16. it would be easy for everyone, if someone upload a working image of Raspberry PI based daloFreeRadius Server

    ReplyDelete
  17. I followed all the steps but I get "Job for freeradius.service failed. See 'systemctl status freeradius.service' and 'journalctl -xn' for details."

    When I try to restart it. Can someone explain why?

    ReplyDelete
    Replies
    1. Is it because I'm not using a Mikrotik like he is?

      Delete
    2. me to (Failed to start LSB: Radius Daemon)
      and i think its not cause of using Mikrotik.

      Delete
  18. Thanks for the tutorial. I keep getting error 404 when i try to access http://pi_ip/daoradius. I can however access apache server page with http://pi_ip. Any help would be appreciated. Thank you.

    ReplyDelete
  19. Using Lighthttpd and work with text, define user and password in mysql database radcheck and run radtest .. .. and works fine. Installed daloradius and use user : administrator and password :radius (verified in database using phpmyadmin) but keep on showing error 500.

    ReplyDelete
  20. I have gone though all the steps and when I run the command
    service freeradius restart

    I get this error
    Job for freeradius.service failed. See 'systemctl status freeradius.service' and 'journalctl -xn' for details.

    I have the web site working but under service status radius shows disabled.

    ReplyDelete