Create a Jail and install AMP (Apache, MySQL and PHP) services on it using this HowTo.
This follows loosely the post for installing FreeRADIUS on OpenBSD.
1. Configure & Install the freeradius2 port
a) Configure freeradius version 2 to add MySQL support:
Code:
cd /usr/ports/net/freeradius2 && make config
select "MySQL database support" and then "OK"
b) Install the FreeRADIUS port
Code:
make install clean BATCH=yes
2. Configure FreeRADIUS to run at boot
Code:
echo 'radiusd_enable="YES"' >> /etc/rc.conf
3. Connect to MySQL and create the radius database from the supplied schema
a) Run the MySQL client as root
b) Create a Database named "radius"
Code:
create database radius;
c) Add a user named "radadmin" with the password "radadminpass" and give that user full rights on the radius database:
Code:
grant all on radius.* to radadmin@localhost identified by 'radadminpass';
d) Flush the privileges:
e) Type <Ctrl> + C to exit MySQL
4. Import FreeRADIUS Schema into the Database you just created.
Code:
mysql -uroot -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql
5. Optional: Create a NAS Table in MySQL to manage your NAS devices.
A Network Access Server (NAS) sends usernames and passwords to the RADIUS server for Authentication and Authorization. A NAS is usually a software component running on another device such as a Remote Access Server (RAS), Router, Switch or Wireless Access Point. The RADIUS server responds with whether the supplied credentials are valid (Authentication) and, optionally, what privilege level the specified account should have (Authorization).
By default the list of "client" NAS devices is kept in a text config file on the FreeRADIUS server. To make management easier it can instead be kept in a table in MySQL.
Copy the table definition for the nas table to the radius database:
Code:
mysql -uroot -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql
6. Edit the main FreeRADIUS "site" config to use SQL
Code:
cd /usr/local/etc/raddb/sites-available
nano default
Uncomment these directives:
Code:
authorize {
    preprocess
    auth_log            # Uncomment This
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql                 # Uncomment This
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix                # Uncomment This
    radutmp             # Uncomment This
    sql                 # Uncomment This
    exec
}
session {
    radutmp
    sql                 # Uncomment This
}
post-auth {
    sql                 # Uncomment This
    exec
    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        # sql           # May want to Uncomment this
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}
7. Edit the FreeRADIUS SQL configuration with site-specific information:
Code:
cd /usr/local/etc/raddb
nano sql.conf
Code:
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    port = 3306                 # Uncomment This
    login = "radadmin"          # Uncomment This and make username same as set in 3c
    password = "radadminpass"   # Uncomment This and make password same as set in 3c
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    # read_groups = yes
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = no
    nas_table = "nas"
    # Read driver-specific configuration
    $INCLUDE sql/${database}/dialup.conf
}
Optional: if you added a nas table to manage the NAS configuration then also uncomment:
8. Configure FreeRADIUS to use the sql.conf file
Code:
nano /usr/local/etc/raddb/radiusd.conf
Uncomment "$INCLUDE sql.conf" as per the instructions from the maintainer.
9. Create a test user with a Clear Text Password
Code:
mysql -uroot -p radius
mysql> INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (NULL, 'testuser', 'Cleartext-Password', ':=', 'password');
mysql> select * from radcheck;
+----+--------------------------+--------------------+----+----------+
| id | username | attribute | op | value |
+----+--------------------------+--------------------+----+----------+
| 1 | testuser | Cleartext-Password | := | password |
+----+--------------------------+--------------------+----+----------+
1 rows in set (0.00 sec)
10. Restart the FreeRADIUS daemon in debug mode to load the new config and check that all the modules load properly and the config file parses without error
Code:
service radiusd debug
If it is working properly you should see:
Code:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Close the debugging session by typing <Ctrl>+c
11. In another SSH session use the radtest tool to test that authentication is working:
Code:
# radtest testuser password localhost 1812 testing123
Sending Access-Request of id 203 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=203, length=20
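As an added example (not part of the original HowTo), this Python script builds the same PAP Access-Request that radtest sends in step 11 and checks the Response Authenticator on the Access-Accept, per RFC 2865 and RFC 2869. The shared secret "testing123" is the one used in step 11; the packet id, Request Authenticator and the offline Access-Accept are constructed values, and send_and_check() is only needed against a live radiusd.

```python
# Added example, not from the original HowTo: the PAP Access-Request radtest sends
# in step 11 (RFC 2865/2869) and verification of the server's reply.
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):   # Type-Length-Value; Length counts the two header bytes
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, pkt_id, authenticator=None,
                         nas_ip="127.0.0.1", nas_port=1812):
    authenticator = authenticator or os.urandom(16)       # Request Authenticator
    attrs = (attr(1, user.encode())                                               # User-Name
             + attr(2, hide_password(password.encode(), secret, authenticator))  # User-Password
             + attr(4, socket.inet_aton(nas_ip))                                  # NAS-IP-Address
             + attr(5, struct.pack("!I", nas_port))                               # NAS-Port
             + attr(80, b"\x00" * 16))                          # Message-Authenticator, zeroed
    pkt = struct.pack("!BBH", 1, pkt_id, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute value zeroed
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def valid_response(response, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def fake_access_accept(request, secret):
    """Constructed Access-Accept with no attributes, so the check can be exercised offline."""
    header = struct.pack("!BBH", 2, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def send_and_check(request, secret, host="127.0.0.1", port=1812, timeout=3.0):
    """Send to a live radiusd (as radtest does); return (reply code, authenticator valid)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        response, _ = s.recvfrom(4096)
    return response[0], valid_response(response, request[4:20], secret)

if __name__ == "__main__":
    req = build_access_request("testuser", "password", b"testing123", 203)
    print(send_and_check(req, b"testing123"))   # (2, True): Access-Accept, authenticator valid
```

A reply that fails valid_response() means the secret in clients.conf does not match or the packet was altered in transit, which is exactly what the Response Authenticator exists to detect.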