User:Anson

From FreeRADIUS Wiki

I am going to be adding notes on my newest attempts at installation of
FR1.1. My goal is to have EVERYTHING running via mySQL, from
authentication and accounting to error logs.

Some basic assumptions:
1) a CLEAN installation of freeBSD
2) a basic understanding of how to edit and manipulate files and sufficient rights to do so.
3) know how to look up a PID and kill a process.
4) basic understanding of SQL in general.
If you can't access SQL and do a basic SELECT and INSERT, STOP NOW!

Installation is on a VA Linux Server running freeBSD 6.1 Release.

7/19/2006
First Step, INSTALL mySQL:
% cd /usr/ports/databases/mysql51-server
% make && make install
I then moved the location of my db files to a larger mount than /var:
% echo 'mysql_dbdir="/path/to/dir"' >> /etc/rc.conf
Then I enabled mysql on startup
% echo 'mysql_enable="YES"' >> /etc/rc.conf
I then rebooted and tested that I could get into the CLI

7/20/2006
Second Step, INSTALL freeRADIUS:
% cd /usr/ports/net/freeradius
% make && make install
Select mySQL support and, optionally, SNMP.

Third Step, CONFIGURE freeRADIUS:
% cd /usr/local/etc/raddb
% cp clients.conf.sample clients.conf
I started with the basic config here to start my testing just with localhost

% cp users.sample users
I added the following entry just before the DEFAULTs at the bottom:
testuser Auth-Type := Local, User-Password == "testpass"
I deleted all of the commented examples. You can look these up in the sample file later.

Now I had to just get some default files in place so that radiusd will start.
% cp snmp.conf.sample snmp.conf
% cp sql.conf.sample sql.conf
% cp huntgroups.sample huntgroups
% cp dictionary.sample dictionary
% cp hints.sample hints
% cp acct_users.sample acct_users
% cp preproxy_users.sample preproxy_users
No changes here, yet.

% cp radiusd.conf.sample radiusd.conf
Edit radiusd.conf; I want to log auth requests to radius.log:
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

Time to make a test run. Start radius in debug:
NOTE: I found it good to do a reboot before going farther.
% radiusd -X
Great, it starts right up and is ready to process.
If you still have errors go back over and check the debug statements.
From a new shell window I run a radtest.
% radtest testuser testpass localhost 1812 testing123
In my "client" screen, I get back:

Sending Access-Request of id 119 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "testpass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=119, length=20

In my "server" screen I get: (summarized)

rad_recv: Access-Request packet from host 127.0.0.1:58931, id=124, length=60
        User-Name = "testuser"
        User-Password = "testpass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
  Processing the authorize section of radiusd.conf
<SNIP>
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 124 to 127.0.0.1 port 58931

GREAT! Now I'll try an invalid combo.
% radtest testuser badpass localhost 1812 testing123
It didn't work, but I would hope not. I got back to my "client":
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=169, length=20

If everything checks out for you here, kill the server process and
start it again, but this time without debug.
% radiusd
Run your auth tests again.
Check /var/log/radius.log and see that both requests are logged.

Fourth Step, CONFIGURE mySQL:
First, you should create a 'radius' database in MySQL. Call it whatever you like, but 'radius' makes sense to me.
% mysqladmin create radius

I found in the docs that there is a nice mysql script already in the
examples. I did a quick find for it:
% find / -name db_mysql.sql
I might as well try this first.
% mysql -uroot radius < /usr/local/share/examples/freeradius/db_mysql.sql
Completed without errors, look and see. (If doing this is beyond your
scope, perhaps you should read up on mySQL a bit before continuing.)

At this point I took the time to install phpMyAdmin. This is outside the
scope of this document. Feel free to continue using the CLI or any other
interface. I recommend phpMyAdmin or SQLion.

Now insert some basic data to test against. I'll give the output of what I
have. If you can't figure out how to get this in your database, please
review some SQL before going any further.

mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  1 | anson    | Password  | == | mypasswd |
+----+----------+-----------+----+----------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | dynamic   | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+

mysql> select * from radgroupreply order by id;
+----+-----------+-------------------------+----+---------------------+------+
| id | GroupName | Attribute               | op | Value               | prio |
+----+-----------+-------------------------+----+---------------------+------+
|  1 | dynamic   | Framed-Compression      | := | Van-Jacobsen-TCP-IP |    0 |
|  2 | dynamic   | Framed-Protocol         | := | PPP                 |    0 |
|  3 | dynamic   | Service-Type            | := | Framed-User         |    0 |
|  4 | dynamic   | Framed-MTU              | := | 1500                |    0 |
|  5 | dynamic   | X-Ascend-Assign-IP-Pool | := | 0                   |    0 |
|  6 | dynamic   | X-Ascend-Maximum-Time   | := | 7200                |    0 |
|  7 | dynamic   | X-Ascend-Route-IP       | := | Route-IP-Yes        |    0 |
|  8 | dynamic   | Idle-Timeout            | := | 1800                |    0 |
+----+-----------+-------------------------+----+---------------------+------+

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | anson    | dynamic   |
+----+----------+-----------+

This is by no means a complete config, but enough to show some
details in a RADIUS reply message.
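To make the four tables concrete, here is an added example (not part of this page or of FreeRADIUS) that loads a constructed copy of them into sqlite3 and walks through what the sql module does for a request: per-user rows from radcheck, then group rows via usergroup, then the reply items ordered by prio. The queries are modelled on the sql.conf defaults and the accept/reject decision is a simplified emulation of Auth-Type Local; both are assumptions for illustration, not the module's real code.

```python
import sqlite3

# Constructed copy of the tables shown above (reply list shortened), loaded into sqlite3.
SCHEMA = """
CREATE TABLE radcheck(id INTEGER, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck(id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply(id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT, prio INTEGER);
CREATE TABLE usergroup(id INTEGER, UserName TEXT, GroupName TEXT);
INSERT INTO radcheck VALUES (1, 'anson', 'Password', '==', 'mypasswd');
INSERT INTO radgroupcheck VALUES (1, 'dynamic', 'Auth-Type', ':=', 'Local');
INSERT INTO radgroupreply VALUES (1, 'dynamic', 'Framed-Protocol', ':=', 'PPP', 0);
INSERT INTO radgroupreply VALUES (2, 'dynamic', 'Service-Type', ':=', 'Framed-User', 0);
INSERT INTO radgroupreply VALUES (3, 'dynamic', 'Idle-Timeout', ':=', '1800', 0);
INSERT INTO usergroup VALUES (2, 'anson', 'dynamic');
"""

def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check_items(db, user):
    # Per-user rows first (authorize_check_query), then the rows of every group the
    # user belongs to (authorize_group_check_query); modelled on the sql.conf defaults.
    own = db.execute("SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id", (user,))
    grp = db.execute("SELECT c.Attribute, c.op, c.Value FROM radgroupcheck c JOIN usergroup u "
                     "ON u.GroupName = c.GroupName WHERE u.UserName = ? ORDER BY c.id", (user,))
    return own.fetchall() + grp.fetchall()

def reply_items(db, user):
    # Group reply rows, lowest prio first (authorize_group_reply_query).
    return db.execute("SELECT r.Attribute, r.op, r.Value FROM radgroupreply r JOIN usergroup u "
                      "ON u.GroupName = r.GroupName WHERE u.UserName = ? ORDER BY r.prio, r.id",
                      (user,)).fetchall()

def authorize(db, user, password):
    """Simplified decision: ':=' items set config (here Auth-Type), the '==' Password
    item is what Auth-Type Local compares the supplied password against."""
    items = check_items(db, user)
    if not items:                       # unknown user: nothing to match, reject
        return False, []
    config, expected_pw = {}, None
    for attribute, op, value in items:
        if op == ":=":
            config[attribute] = value
        elif op == "==" and attribute in ("Password", "User-Password"):
            expected_pw = value
    if config.get("Auth-Type") != "Local" or expected_pw != password:
        return False, []
    return True, reply_items(db, user)
```

Note that the Password row holds the cleartext password in the database, so the radius DB account and its backups deserve the same protection as the users file.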

Fifth Step, CONFIGURE freeRADIUS to use mySQL:
If you have followed this so far, the only thing you need to do in the
sql.conf file is change the password to nothing (password = ""). I realize
this is not a good thing, but add security later, once you know you have a
basic config running.

Edit radiusd.conf.
In the authorize{} section:
Uncomment 'sql'. I think I'll comment out the 'files'
portion after I have a working setup.
In the accounting{} section:
Uncomment 'sql'. Same thing here, I'll probably
remove the 'detail' portion at a later time.
In the post-auth{} section:
Uncomment 'sql'. If you want bad auths logged to SQL (which I do),
also uncomment the last 3 lines of post-auth and change the module to sql:

        Post-Auth-Type REJECT {
                sql
        }

Now if you still have the previous radiusd running as a process,
kill it now and restart in debug.
% radiusd -X
Run your previous tests with the new username and password (if you
used the same username, try deleting it from the users file so you know
you are authenticating from SQL.)
If this is successful, kill that process and run a background version.
Now do the same tests. You should see things showing up in your
radpostauth table.
When you start actual authentications, you will see them in the radacct.
If you have access to NTRadPing, this is a great tool for testing auth
as well as accounting.

From here I will be getting particular about my NAS, a Lucent APX-1000/TNT. More to follow.....

Retrieved from "http://wiki.freeradius.org/User:Anson"

This page has been accessed 4,562 times. This page was last modified 14:16, 18 June 2007.