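Before starting the installation, I recommend turning SELinux off or setting it to permissive. The first command switches the running system to permissive mode; the second disables SELinux from the next boot: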
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
Install FreeRADIUS and Daloradius on CentOS 7 and RHEL 7
Prerequisites:
Install httpd server
yum -y update
yum groupinstall "Development Tools" -y
yum -y install httpd httpd-devel
Start and enable httpd server
systemctl enable httpd
systemctl start httpd
Check status of httpd server to make sure it’s running
[root@freeradius ~]# systemctl status httpd
Installing and Configuring MariaDB
We’ll install and configure MariaDB 10, using the steps below:
- Add the official MariaDB repo to the CentOS 7 system
vim /etc/yum.repos.d/MariaDB.repo
Add the following contents to the file
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
- Update system and install MariaDB to configure Database server
yum -y update
yum install -y mariadb-server mariadb
You’ll be prompted to install MariaDB GPG Signing key. Just press y to allow installation.
- Start and enable MariaDB to run on boot
[root@radius ~]# systemctl status mariadb
[root@radius ~]# systemctl is-enabled mariadb.service
enabled
- Configure initial MariaDB settings to secure it. Here you’ll set root password. For security purposes, consider removing anonymous users and disallowing remote root login.
- Allow only local connection to mysql server. This is a security mechanism.
# vim /etc/my.cnf
[mysqld]
bind-address=127.0.0.1
Configure Database for freeradius
# mysql -u root -p -e " CREATE DATABASE radius"
# mysql -u root -p -e "show databases"
# mysql -u root -p
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q
Bye
Installing php 7 on CentOS 7
cd ~
curl 'https://setup.ius.io/' -o setup-ius.sh
sudo bash setup-ius.sh
sudo yum remove php-cli mod_php php-common
sudo yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
sudo apachectl restart
Check php version to confirm
# php -v
If php 7 fails to work for you, try installing php 5 by running the command below. You’ll have to uninstall php 7 first.
yum -y install php-pear php-devel php-mysql php-common php-gd php-mbstring php-mcrypt php php-xml
Installing FreeRADIUS
# yum -y install freeradius freeradius-utils freeradius-mysql
You have to start freeradius and enable it to start at boot.
# systemctl start radiusd.service
# systemctl enable radiusd.service
Now you can check the status:
# systemctl status radiusd.service
Also, configure firewalld to allow radius and httpd packets in and out
- The RADIUS server uses UDP ports 1812 and 1813. This can be confirmed by viewing the contents of the file /usr/lib/firewalld/services/radius.xml
# cat /usr/lib/firewalld/services/radius.xml
- First start and enable firewalld for security
# systemctl enable firewalld
# systemctl start firewalld
# systemctl status firewalld
- Confirm firewalld is running
- Add permanent rules to default zone to allow http,https and radius services
- Reload firewalld for changes to take effect
- Confirm that services were successfully added to default zone
# firewall-cmd --get-default-zone
public
# firewall-cmd --list-services --zone=public
dhcpv6-client http https radius ssh
The three services are present, so we’re good to proceed.
Test radius server by running it in debug mode with option -X
# ss -tunlp | grep radiusd
If it’s running, debug mode will fail to bind to the ports, so you may have to kill the radius server daemon first
# pkill radius
Then start radius server in debugging mode to see if it runs successfully:
# radiusd -X
Configure FreeRADIUS
To configure FreeRADIUS to use MariaDB, follow the steps below.
- Import the Radius database schema to populate the radius database
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
- Configure Radius at this point
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
Configure the SQL module in /etc/raddb/mods-available/sql and change the database connection parameters to suit your environment:
# vim /etc/raddb/mods-available/sql
- sql section should look similar to below.
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"
    # Database table configuration for everything except Oracle
    radius_db = "radius"
    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes
    # Table to keep radius client info
    client_table = "nas"
}
Then change the group ownership of /etc/raddb/mods-enabled/sql to radiusd:
# chgrp -h radiusd /etc/raddb/mods-enabled/sql
Installing and Configuring Daloradius
Installing Daloradius
You can use Daloradius to manage the radius server. This is optional and should not be done before installing FreeRADIUS. There are two ways to download daloradius, either from github.
# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius
Change directory for configuration
# cd daloradius
Configuring daloradius
- Now import Daloradius mysql tables
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql
- Configure daloRADIUS database connection details:
# cd ..
# mv daloradius /var/www/html/
Then change permissions for http folder and set the right permissions for daloradius configuration file.
# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
You should now modify the daloradius.conf.php file to set the MySQL database information. Open daloradius.conf.php and add the database username, password and db name.
# vim /var/www/html/daloradius/library/daloradius.conf.php
The relevant variables to configure are:
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
To be sure everything works, restart radiusd, httpd and mysql:
# systemctl restart radiusd.service
# systemctl restart mariadb.service
# systemctl restart httpd
Then run:
yum install php-pear
pear install DB
Up to this point, we’ve covered the complete installation and configuration of daloradius and freeradius. To access daloradius, open the link using your IP address:
http://ip-address/daloradius/login.php
Default login details are:
Username: administrator
Password: radius
Integrate Linux Server into FreeRadius for SSH Authentication
Linux Server (CentOS 7) Configurations
# yum -y install epel-release
# yum -y install pam_radius
# echo '192.168.10.4 test 3' >> /etc/pam_radius.conf
The entry has the form: echo 'IPofRadiusServer NASsecret TimeOut' >> /etc/pam_radius.conf
Insert the following line into /etc/pam.d/sshd
# vi /etc/pam.d/sshd
auth sufficient /usr/lib64/security/pam_radius_auth.so
Now edit the following in /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
UsePAM yes
Then restart the sshd daemon
# systemctl restart sshd
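A check worth running on the two files edited above before sshd is restarted, and again after any later change to them, since a malformed PAM line or pam_radius.conf entry can break SSH logins. This script is an added example, not part of the original post; the function names and the MIN_SECRET_LEN threshold are assumptions of the example.

```sh
#!/bin/sh
# Added example: lint the files edited in the SSH integration steps above.
# Usage: sh lint-pam-radius.sh /etc/pam_radius.conf /etc/pam.d/sshd
# MIN_SECRET_LEN is an assumed local policy value, not a pam_radius setting.
MIN_SECRET_LEN=16

# Each pam_radius.conf entry is "server[:port] secret timeout".
# Prints one line per finding; returns non-zero if there was any.
check_pam_radius_conf() {
    conf=$1
    rc=0
    # The file holds the shared secret: only root should be able to read it.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        600|400) ;;
        *) echo "WARN: $conf has mode $mode, expected 600"; rc=1 ;;
    esac
    while read -r server secret timeout rest || [ -n "$server" ]; do
        case $server in ''|'#'*) continue ;; esac
        if [ -z "$secret" ]; then
            echo "FAIL: $server: no shared secret"; rc=1; continue
        fi
        if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
            echo "WARN: $server: secret shorter than $MIN_SECRET_LEN characters"; rc=1
        fi
        case $timeout in
            ''|*[!0-9]*) echo "FAIL: $server: timeout '$timeout' is not a number"; rc=1 ;;
        esac
    done < "$conf"
    return "$rc"
}

# The pam_radius_auth.so line must use a control flag that PAM recognises.
check_pam_radius_line() {
    line=$(grep -v '^[[:space:]]*#' "$1" | grep 'pam_radius_auth\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no pam_radius_auth.so line in $1"; return 1
    fi
    set -- $line    # split into: type, control flag, module path
    case $2 in
        required|requisite|sufficient|optional|'['*) return 0 ;;
        *) echo "FAIL: unknown PAM control flag '$2'"; return 1 ;;
    esac
}

if [ "$#" -eq 2 ]; then
    check_pam_radius_conf "$1"; r1=$?
    check_pam_radius_line "$2"; r2=$?
    [ "$r1" -eq 0 ] && [ "$r2" -eq 0 ]
fi
```

The script exits non-zero when either file has a finding, so it can gate the sshd restart in a deployment script.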
Now add a new user, with an empty password, that you want to be authenticated via the freeradius server
# useradd thenabx
Add User and Configure NAS in Daloradius
Log in to DaloRadius and go to Management>Users>New User
Add the username thenabx and a password of your choice, and apply the setting
Now go to Management>NAS>New NAS
Add the IP of the Linux server and the secret already set in /etc/pam_radius.conf, and apply
Test User with Putty.
Done.