Install FreeRADIUS & daloRADIUS on Debian 10/11 + MySQL/MariaDB

[powerkit_collapsible title=”Not using Debian 10/Debian 11? Choose a different version or distro.”]
Ubuntu 20.04
CentOS 8
[/powerkit_collapsible]

FreeRADIUS is the most widely-deployed, open-source, and free RADIUS implementation. It works as a daemon (operates in the background) in Unix and Unix-like servers.

The RADIUS protocol allows you to authenticate users over a network, authorize them for various actions, and monitor their usage of the network. This framework is referred to as AAA (Authentication, Authorization, and Accounting).

According to a survey result, FreeRADIUS is used to authenticate over one-thirds of the users on the internet.

By default, FreeRADIUS has a command line interface, and any changes are made by editing the configuration files that are highly customizable. Since it’s open-source, you can even make changes in the code of the software.

Objectives

In this article, we will discuss how to install FreeRADIUS and daloRADIUS on Debian 10 and Debian 11, and how to configure it to use MySQL or MariaDB. We will also install and configure daloRADIUS, a web interface to manage FreeRADIUS.

Finally we will test our setup to make sure both the FreeRADIUS server and daloRADIUS are working properly.

Prerequisites

• A server running Debian 10 or Debian 11 with a recommended minimum of 512MB RAM and at least 300MB free storage space.
• A non-root sudo user, because acting as root can cause harm to your system if you’re not careful. You can do everything and the system won’t ask. If you run a command to format a disk by mistake, then it’s done and you can destroy your system. Acting as a non-root sudo user has been the security model for years for good reason.

Install LAMP Stack

LAMP stack is a very common web server stack named after its first four components Linux, Apache, MySQL, and PHP. LAMP stack can not only run static pages but also dynamic ones where the content can change anytime.

In the LAMP stack, the process starts at Apache when a user requests a web page. If the request is for a PHP file, then Apache forwards it to PHP, which loads the files and executes the code. PHP also collaborates with MySQL if it needs any data from the database. That all runs on the Linux operating system.

Although, LAMP stack was named after the original components, it’s no longer limited to the four components.

First update the package index:

sudo apt update

Install Apache

Apache also known as the Apache HTTP server is an open-source and free web server software. Apache has been around for over 20 years and powers nearly 40% of the websites around the world.

Despite the name, Apache is not a physical server, but a software that establishes a connection between the browser and server and delivers files to and from them. It’s a cross-platform software and works on both Windows and Unix servers.

Install Apache and enable it so it starts on boot:

sudo apt -y install apache2
sudo systemctl enable --now apache2

Make sure to allow it in your firewall. If you’re using UFW run the following command to allow it:

sudo ufw allow WWW

[powerkit_alert type=”info” dismissible=”false” multiline=”true”]Sidenote: If that does not work then the web server profile in UFW is probably called something else than WWW. You can also try sudo ufw allow Apache instead.[/powerkit_alert]

You can check if it’s working by visiting your server’s IP address in your browser. You should see something like the following screenshot:

Install MySQL/MariaDB

We often hear MySQL and MariaDB mentioned together, but the two database management systems are in fact different.

MySQL is an open-source relational database management system (RDBMS). It makes use of SQL (structured query language) to access, update, and manipulate data stored in the database. It also keeps the stored data organized.

MariaDB was developed in response to the rising concerns regarding the acquisition of MySQL by Oracle. It’s a fork of MySQL that was developed with the intention to keep the MySQL code free and open-source. It’s developed and maintained by the original developers of MySQL and uses the same database structure and indexes as MySQL. That way users can switch from MySQL to MariaDB without having to alter their application or losing data.

To install MySQL run:

sudo apt -y install mysql-server

Or to install MariaDB run:

sudo apt -y install mariadb-server

Secure MySQL/MariaDB by running the following script, which helps you remove less secure values:

sudo mysql_secure_installation

You’ll be asked to set a password if you haven’t already and then if you want to remove anonymous users, disallow root login remotely, remove the test database and reload tables. Unless you have other plans and know what you are doing, I recommend pressing Enter to all of those.

Validate Password Plugin (If you installed MySQL)

If you installed MySQL (and not MariaDB) you also go through a step where the script asks you if you want to set up the Validate Password Plugin, which basically helps you make sure that you’ve set up a strong password.

The instructions in the console should guide you through the process.

Now MySQL or MariaDB should be set up on your system.

Install PHP & Additional PHP Modules

Run the following command to install PHP and some additional PHP modules:

sudo apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,mbstring,xml,curl}

Check the PHP version to make sure the installation was successful:

php -v

My output:

PHP 7.3.27-1~deb10u1 (cli) (built: Feb 13 2021 16:31:40) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.27, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.27-1~deb10u1, Copyright (c) 1999-2018, by Zend Technologies

Install FreeRADIUS

Run the following command to install FreeRADIUS along with two additional modules we’ll need, freeradius-utils and freeradius-mysql:

sudo apt -y install freeradius freeradius-mysql freeradius-utils -y

Allow FreeRADIUS in Firewall

If you’re using a firewall, make sure to allow access to ports 1812 and 1813, which are used by RADIUS.

On Debian, if you’re using UFW run the following to allow access:

sudo ufw allow to any port 1812 proto udp
sudo ufw allow to any port 1813 proto udp

Test the RADIUS Server

We’ll quickly run the RADIUS server in debug mode to check if we get any errors.

First stop FreeRADIUS:

sudo systemctl stop freeradius

And run it in debug mode:

sudo freeradius -X

The output should be quite long and end with something like this:

Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 37040
Listening on proxy address :: port 54623
Ready to process requests

Configure FreeRADIUS to Use MySQL/MariaDB

By default FreeRADIUS isn’t configured to use MySQL or MariaDB. We’ll change that.

First we’ll create a new database and credentials for it, whichFreeRADIUS will use.

We’ll use the following database name and credentials:
Database name: radius_db
Database User: radius_user
Database User Password: Somestrongpassword_321

Log into MySQL or MariaDB as root by running the following command, then fill in the root MySQL password when prompted:

sudo mysql -u root -p

Create the database and credentials that will be used by FreeRADIUS:

MariaDB [(none)]> CREATE DATABASE radius_db;
MariaDB [(none)]> CREATE USER 'radius_user'@'localhost' IDENTIFIED BY 'Somestrongpassword_321';
MariaDB [(none)]> GRANT ALL ON radius_db.* TO radius_user@localhost IDENTIFIED BY "Somestrongpassword_321";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> quit;

Next we’ll import the RADIUS MySQL schema provided by FreeRADIUS.

Switch to root for this operation, otherwise, you may get Access denied when trying to import:

sudo su -

Now import the MySQL schema into the database you created earlier (radius_db) by running the following command:

mysql -u root -p radius_db < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

It should now be imported. Now let’s switch back to your non-root sudo user:

sudo su - edxd

You can now check the tables in the database to confirm the schema has been imported:

sudo mysql -u root -p -e "use radius_db;show tables;"

Example output when checking the tables in the radius_db database:

+------------------+
| Tables_in_radius_db |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+

Create a symbolic link from the SQL module into the /etc/freeradius/3.0/mods-enabled directory:

sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Next, we configure FreeRADIUS to use MySQL/MariaDB. To do this we edit /etc/freeradius/3.0/mods-available/sql with our favorite text editor. I’ll use nano:

sudo apt install nano
sudo nano /etc/freeradius/3.0/mods-enabled/sql

We’ll make the following edits:

1. Change driver = "rlm_sql_null" to driver = "rlm_sql_mysql"
2. Change dialect = "sqlite" to dialect = "mysql"
3. FreeRADIUS assumes that we’ll be using TLS certs by default, if we switch to MySQL. Setting them up is beyond the scope of this tutorial, so we’ll comment out the TLS section.This is how it looks initially:

   mysql {
       # If any of the files below are set, TLS encryption is enabled
       tls {
              ca_file = "/etc/ssl/certs/my_ca.crt"
              ca_path = "/etc/ssl/certs/"
              certificate_file = "/etc/ssl/certs/private/client.crt"
              private_key_file = "/etc/ssl/certs/private/client.key"
              cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
   
              tls_required = yes
              tls_check_cert = no
              tls_check_cert_cn = no
       }
   
       # If yes, (or auto and libmysqlclient reports warnings are
       # available), will retrieve and log additional warnings from
       # the server if an error has occured. Defaults to 'auto'
       warnings = auto
   }

   And this is how it looks after we’ve commented it out:

   mysql {
       # If any of the files below are set, TLS encryption is enabled
       # tls {
       #       ca_file = "/etc/ssl/certs/my_ca.crt"
       #       ca_path = "/etc/ssl/certs/"
       #       certificate_file = "/etc/ssl/certs/private/client.crt"
       #       private_key_file = "/etc/ssl/certs/private/client.key"
       #       cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
   
       #       tls_required = yes
       #       tls_check_cert = no
       #       tls_check_cert_cn = no
       #}
   
       # If yes, (or auto and libmysqlclient reports warnings are
       # available), will retrieve and log additional warnings from
       # the server if an error has occured. Defaults to 'auto'
       warnings = auto
   }
   

4. Search for Connection info, right under it you’ll uncomment server, port, login, password and change them to the MySQL credentials you created earlier for FreeRADIUS.This is the section in its initial state:

   # Connection info:
   #
   # server = "localhost"
   # port = 3306
   # login = "radius"
   # password = "radpass"

   And we’ll uncomment server, port, login, password and change the values.

   # Connection info:
   #
   server = "localhost"
   port = 3306
   login = "radius_user"
   password = "Somestrongpassword_321"

5. A few lines further down look for radius_db and change the default value to the database name that you created earlier. In my case it’s “radius_db”

   # Database table configuration for everything except Oracle
   radius_db = "radius_db"

6. Further down find a line with read_clients = yes that is commented out, and uncomment it.Here is it’s initial state:

   # Set to 'yes' to read radius clients from the database ('nas' table)
   # Clients will ONLY be read on server startup.
   # read_clients = yes

   And here it is after we edit it:

   # Set to 'yes' to read radius clients from the database ('nas' table)
   # Clients will ONLY be read on server startup.
   read_clients = yes

7. Lastly, further down there should be a line client_table = “nas”. It should be uncommented by default. Just make sure it is uncommented and looks like this:

   # Table to keep radius client info
   client_table = "nas"
   

Now change the group rights of the file we just edited:

sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

And restart the FreeRADIUS service:

sudo systemctl restart freeradius.service

Finally, we’ll run FreeRADIUS in debug mode to make sure everything works.

First stop the currently running service:

sudo systemctl stop freeradius.service

And run the following command to run FreeRADIUS in debug mode:

sudo freeradius -X

The end of the output should look something like this:

Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 52025
Listening on proxy address :: port 42807
Ready to process requests

Press Ctrl+C to exit debug mode.

And start the FreeRADIUS service again.

sudo systemctl start freeradius.service

Now FreeRADIUS should be installed on your Debian 10 or Debian 11 machine. Next we’ll install a GUI called daloRADIUS to easily manage FreeRADIUS.

Install and Configure daloRADIUS (FreeRADIUS GUI)

DaloRADIUS is an advanced web-based RADIUS server that’s aimed at managing hotspots and ISP deployments. It’s written in PHP and JavaScript, and supports many database backends including MySQL, PostgreSQL, and SQLite.

We’ll download daloRADIUS from the Github repository:

If not already installed, install wget and unzip:

sudo apt -y install wget unzip

Download and extract daloRADIUS and cd into the resulting folder, which is daloradius-master:

wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
cd daloradius-master

Now we’ll populate the database we use for FreeRADIUS with the daloRADIUS schema. It’s the database we created earlier – in my case radius_db.

First switch to root, otherwise you may get Access Denied:

sudo su -

Now run the following commands to import the daloRADIUS SQL schema:

sudo mysql -u root -p radius_db < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
sudo mysql -u root -p radius_db < contrib/db/mysql-daloradius.sql

Switch back to the non-root sudo user:

sudo su - edxd

cd out of the daloradius-master directory and move the folder into the document root and rename it as daloradius:

cd ..
sudo mv daloradius-master /var/www/html/daloradius

Change the owner and the group for the daloradius folder to www-data:www-data, which are the owner and group under which Apache Web Server runs.

sudo chown -R www-data:www-data /var/www/html/daloradius/

Next we’ll need to create the daloRADIUS configuration file. daloRADIUS comes with a template for the configuration file, named /var/www/html/daloradius/library/daloradius.conf.php.sample which we’ll just copy.

sudo cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php

Change permissions for the configuration file to 664:

sudo chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

Next we’ll edit a few values in the daloRADIUS configuration file so it connects to the database we created earlier for FreeRADIUS.

sudo nano /var/www/html/daloradius/library/daloradius.conf.php

We’ll change the following values:

$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = '';
$configValues['CONFIG_DB_NAME'] = 'radius';

Here is how I have changed them, in accordance to the database name, user, and password that I have created earlier.

$configValues['CONFIG_DB_USER'] = 'radius_user';
$configValues['CONFIG_DB_PASS'] = 'Somestrongpassword_321';
$configValues['CONFIG_DB_NAME'] = 'radius_db'

Lastly restart daloRADIUS and Apache:

sudo systemctl restart freeradius.service apache2

Access daloRADIUS

First we’ll need to install the DB and MDB2 modules using PEAR:

sudo pear install DB
sudo pear install MDB2

To access daloRADIUS visit IP or domain name of the machine in your browser, followed by /daloradius – for example http://your_server_ip/daloradius

Unless you configured SSL, make sure it’s http:// and the browser doesn’t change it to https://, as this may happen sometimes.

This is how daloRADIUS looks like:

The default login credentials are:

username: administrator
password: radius

Test FreeRADIUS & daloRADIUS

1. Creating a NAS Client Table

A NAS (Network Access Server) client table acts as a gateway to a protected resource. For another device to connect to our FreeRADIUS server, it needs to be added to the NAS client table.

Add a NAS client table by logging into the daloRADIUS dashboard. Then navigate to Management > NAS (in the blue submenu) > New NAS (in the left, dark gray sidebar)

The minimum options we need to fill in are the following:

NAS IP/Host: the IP of the computer from which you’ll connect
NAS Secret: a password
NAS Type: you can fill in everything here
NAS Shortname: a shortname for your convenience

I’ll fill in the following:

NAS IP/Host: the IP of my machine from which I’m trying to connect
NAS Secret: nobodywilleverlearnthissecret!!11!!
NAS Type: other
NAS Shortname: ProductionServer

2. Creating a daloRADIUS User

To test our server we’ll also need a user.

Create one by navigating in the top menu to Management > Users (in the blue submenu) > New User (in the left, dark gray sidebar)

For our example I’ll create the user with the following credentials:

Username: new_customer
Password: customer_strong_passwd_123

There are other fields available when creating a user, but those are enough for our purposes.

3. Run FreeRADIUS in Debug Mode

Next we’ll run FreeRADIUS in debug mode so we can see what happens when we send an authentication request to it.

First stop the running process:

sudo systemctl stop freeradius.service

And run the following command to run FreeRADIUS in debug mode:

sudo freeradius -X

[powerkit_alert type=”warning” dismissible=”false” multiline=”true”]Important
Every time you add a new NAS table you need to restart the FreeRADIUS server so it fetches the updated table.[/powerkit_alert]

4. Test the FreeRADIUS Server with NTRadPing

A convenient way to test the server is by using a free Windows software called NTRadPing.

You can download it here https://community.microfocus.com/t5/OES-Tips-Information/NTRadPing-1-5-RADIUS-Test-Utility/ta-p/1777768

This is a direct link to the archive https://community.microfocus.com/dcvta86296/attachments/dcvta86296/OES_Tips/148/1/ntradping.zip

This is the VirusTotal report so you know it’s safe https://www.virustotal.com/gui/file/e1b3318b884e4643a043ec5e3104638016c343c447424c244fc1da4f6e7165ec/detection

Just unzip the archive and run the executable to run NTRadPing. This is how it looks like:

We’ll use it to send an authentication request to our server running FreeRADIUS in debug mode.

We’ll fill in the fields as follows:

RADIUS Server/port: IP of the FreeRADIUS server / port 1812
Reply timeout (sec.): 1
Retries: 1
RADIUS Secret Key: nobodywilleverlearnthissecret!!11!!
User-Name: new_customer
Password: customer_strong_passwd_123

Check the CHAP checkbox so the request is made using a CHAP password, instead of a PAP password.

Now click the Send button to send the authentication request.

If you receive an Access-Accept response, then we can assume it works.

The output of NTRadPing should look something like this:

Sending authentication request to server 40.76.122.52:1812
transmiting Packet, code=1 id=3 length=53
recieved response from the server in 16 milliseconds
replay packet code=2 id=3 length=20
response: Access-Accept
-------------------attribute dump------------------

And the output in the terminal, where we’re running FreeRADIUS in debug mode, should end with something like this:

...
(2) Sent Access-Accept Id 7 from 10.0.2.4:1812 to 213.136.66.127:52163 length 0
(2) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 7 with timestamp +67
Ready to process requests

Frequent Errors

“Failed binding with auth address […]” when running in debug mode

Failed binding to auth address * port 1812 bound to server default: Address already in use
/etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812

This error occurs when you’re trying to run FreeRADIUS but there is another instance of FreeRADIUS already running, so you’ll need to run the following command to stop it:

sudo systemctl stop freeradius.service

Conclusion

Well done. Hopefully you’ve successfully installed FreeRADIUS on Debian 10 or Debian 11, along with installing and configuring daloRADIUS, and then successfully tested the FreeRADIUS server.

If you’ve encountered any issues, then feel free to let us know in the comments or contact us, and we’ll get back to you as soon as we can.

sudo pear install DB
sudo pear install MDB2