How to install a RADIUS server
Based on the FreeRADIUS manual; thanks to the writer admin.
1, install CentOS 4.7 on VMware. SELinux is disabled
Firewall is disabled
Server Configuration Tools 4/11
Web server 16/21, add php, mysql
Mysql database 14/14, select all
Development tool 57/76, default
Legacy Software Development 6/7, detail
Administration Tools 11/12, default
Printing Support 11/12, default
rpm -ivh lm_sensors-2.8.7-2.40.5.i386.rpm
rpm -ivh net-snmp-5.1.2-13.el4.i386.rpm
rpm -ivh net-snmp-perl-5.1.2-13.el4.i386.rpm
rpm -ivh net-snmp-utils-5.1.2-13.el4.i386.rpm
zip the virtual machine to get CentOS4.7.zip as a backup
##### configure IP address
vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
#HWADDR=00:0C:29:21:EC:7E
IPADDR=172.30.50.26
NETMASK=255.255.255.0
NETWORK=172.30.50.0
GATEWAY=172.30.50.1
vi /etc/resolv.conf
search test.net
nameserver 172.30.50.21
nameserver 151.10.0.21
mv /etc/ntp.conf /etc/ntp.conf.bak
touch /etc/ntp.conf
vi /etc/ntp.conf
driftfile /var/lib/ntp/drift
#fudge 127.127.1.0 stratum 10
# servers generated by /sbin/dhclient-script
server ntp.test.net
#server 127.127.1.0
fudge ntp.test.net stratum 3
chkconfig ntpd on
2, download FreeRadius2.1.4.tar.gz and upload it to the CentOS 4.7 machine
3, tar -zxvf freeradius
cd freeradius2.1.4
./configure
make
make install
4, mv /usr/local/etc/raddb/users /usr/local/etc/raddb/users.bak
touch /usr/local/etc/raddb/users
vi /usr/local/etc/raddb/users
#### for normal user
test Cleartext-Password := "test"
Service-Type = Framed-User
william Cleartext-Password := "william"
Service-Type = Framed-User
#### multiip user
multiip Cleartext-Password := "multiip"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
Framed-IP-Address = 172.26.40.0,
Framed-IP-Netmask = 255.255.255.0
#### static IP user
Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
Framed-IP-Address = 172.26.32.33,
# Framed-IP-Netmask = 255.255.255.255,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#### deny user
deny-user Auth-Type := Reject
Reply-Message = "Your account has been disabled."
#### accept any user: every request is accepted except deny-user
DEFAULT Auth-Type := Accept
5, chkconfig mysqld on; chkconfig httpd on
/etc/init.d/mysqld start; /etc/init.d/httpd start
mysqladmin -uroot password testing123
6, vi /usr/local/etc/raddb/radiusd.conf
##### delete the "#" at the head of these lines (uncomment them)
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
$INCLUDE sqlippool.conf
7, vi /usr/local/etc/raddb/sql.conf
login = "root"
password = "testing123"
#readclients = yes
readclients = yes
8, vi /usr/local/etc/raddb/sites-enabled/default
# sql #### in authorize { }
sql
# sql #### in accounting { }
sql
9, vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
# sql #### in authorize { }
sql
10, ##### very important
ln -s /usr/local/etc/raddb/sql.conf /usr/local/etc/raddb/modules/sql
#### to disable MySQL, remove /usr/local/etc/raddb/modules/sql
11, mysql -uroot -ptesting123
CREATE DATABASE radius;
##### GRANT ALL ON radius.* TO IDENTIFIED BY "radpass";
exit
cd /usr/local/etc/raddb/sql/mysql/
vi wimax.sql
#### modify 400 to 255
mipkey varchar(255) NOT NULL default '',
mysql -uroot -ptesting123 radius < schema.sql
mysql -uroot -ptesting123 radius < nas.sql
mysql -uroot -ptesting123 radius < ippool.sql
mysql -uroot -ptesting123 radius < wimax.sql
12, mysql -uroot -ptesting123 radius
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.254');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'User-Password', 'testpwd');
insert into radusergroup (groupname) values ('user');
insert into radusergroup(username,groupname) values('sqltest','user');
select * from radcheck where UserName='sqltest';
13, ##### not understood, maybe not needed
vi /usr/local/etc/raddb/eap.conf
# default_eap_type = md5
default_eap_type = peap
14, #### not sure of the difference between the nas table in MySQL and clients.conf
mv /usr/local/etc/raddb/clients.conf /usr/local/etc/raddb/clients.conf.bak
touch /usr/local/etc/raddb/clients.conf
vi /usr/local/etc/raddb/clients.conf
client 172.30.255.254 {
# secret and password are mapped through the "secrets" file.
secret = testing123
shortname = SE400-local
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
client 172.30.255.10 {
# secret and password are mapped through the "secrets" file.
secret = testing123
shortname = SE400-ALL
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
client 172.30.255.50 {
# secret and password are mapped through the "secrets" file.
secret = testing123
shortname = SE400-DATA
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
client 172.30.255.60 {
# secret and password are mapped through the "secrets" file.
secret = testing123
shortname = SE400-VIDEO
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
client 172.30.255.70 {
# secret and password are mapped through the "secrets" file.
secret = testing123
shortname = SE400-VoIP
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
client 172.30.255.80 {
# secret and password are mapped through the "secrets" file.
secret = testing123
shortname = SE400-TR69
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
15, ##### not understood, maybe not needed
vi /usr/local/etc/raddb/proxy.conf
##### insert the following at the end of the file
realm NULL {
authhost = LOCAL # not strictly necessary
accthost = LOCAL # not strictly necessary
}
16, ##### start automatically at boot
cp /usr/local/sbin/rc.radiusd /etc/init.d/radiusd
vi /etc/rc.local
#### insert at the end of the file
/etc/init.d/radiusd start
radiusd -X
##### to generate CA
17, #### install the web interface
mv /root/freeradius-server-2.1.4/dialup_admin /usr/local/
ln -s /usr/local/dialup_admin/htdocs /var/www/html/freeradius
18, vi /etc/httpd/conf.d/php.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3 # This is most important since many of the PHP scripts of Dialup Admin have this extension
AddType application/x-httpd-php-source .phps
/etc/init.d/httpd restart
19, cd /usr/local/dialup_admin/sql/mysql/
vi userinfo.sql, delete DEFAULT '0', then save and quit
mysql -uroot -ptesting123 radius < badusers.sql
mysql -uroot -ptesting123 radius < mtotacct.sql
mysql -uroot -ptesting123 radius < totacct.sql
mysql -uroot -ptesting123 radius < userinfo.sql
20, vi /usr/local/dialup_admin/conf/admin.conf
#general_radiusd_base_dir: /usr/local/radiusd
general_radiusd_base_dir: /usr/local/bin
#general_domain: company.com
general_domain: test.net
#general_test_account_login: sqltest
#general_test_account_password: testpwd
general_test_account_login: sqltest
general_test_account_password: testpwd
#general_radius_server_auth_proto: pap
general_radius_server_auth_proto: chap
#general_radius_server_secret: XXXXXX
general_radius_server_secret: testing123
#general_encryption_method: crypt
general_encryption_method: clear
#sql_username: dialup_admin
#sql_password: XXXXXX
sql_username: root
sql_password: testing123
#sql_usergroup_table: usergroup
sql_usergroup_table: radusergroup
#sql_command: /usr/local/bin/mysql
sql_command: /usr/bin/mysql
#general_snmpwalk_command: /usr/local/bin/snmpwalk
#general_snmpget_command: /usr/local/bin/snmpget
general_snmpwalk_command: /usr/bin/snmpwalk
general_snmpget_command: /usr/bin/snmpget
#sql_debug: true
sql_debug: false
21, vi /usr/local/dialup_admin/conf/naslist.conf
#### comment out all existing entries and insert the following; not understood, maybe not needed
nas1_name: se400.test.net
nas1_model: Redback SE400
nas1_ip: 172.30.255.10
nas1_port_num: 12000
nas1_community: public
nas1_finger_type: snmp
nas1_type: cisco
#nas1_type: general_nas_type
nas2_name:
nas2_model: CentOS 4.7
nas2_ip: 127.0.0.1
nas2_port_num: 12000
nas2_community: public
nas2_finger_type: snmp
#nas2_type: cisco
nas2_type: general_nas_type
22, configure the SE400, then test authentication and accounting
Authentication is working for both the users file and MySQL. The web interface for FreeRADIUS is working too.
Later I will test accounting and put the picture here.