Receipe for Compiling and Installing FreeRADIUS 2.1 on Debian 5 from source

Posted: January 6th, 2011 | Author: | Filed under: Debian, freeRADIUS, Virtual Box | Tags: , , , , , , , , , , , | No Comments »

With the advent of virtualization, I prefer to have virtual machines that perform one and only function.
So instead of having one server that would be my RADIUS, file server etc. I rather have several virtual machines each performing one task.
To setup a FreeRADIUS server from source on a Debian server:
First install Debian:

  1. Grab the latest netinst CD from debian.org.
  2. Install the base installation (I think 3GB of disc space will be more than enough).
  3. Run apt-get update and apt-get upgrade to make sure you have the latest version.
  4. Edit the network configuration which is located /etc/network/interfaces
  5. Install sudo
  6. Install openssh-server, so that you can ssh into the machine remotely.
  7. Save and Shutdown the VM.
  8. Replicate the VM via your virtualization software. We will use one copy to compile from source, and the other one to install.

Second, configure, compile and create the Debian packages.
Since we are using this as a one off compile machine, we will compile as root.

  1. Grab the latest stable FreeRADIUS source code from the website
  2. apt-get install bunzip2
  3. apt-get install fakeroot
  4. apt-get install dpkg-dev (this will get all of the development environment)
  5. apt-get build-dep freeradius (this will grab all the libraries required for compile). Unlike the official instructions libssl-dev is automatically downloaded.
  6. apt-get install quilt
  7. run ./configure in the source directory
  8. run make to compile
  9. fakeroot dpkg-buildpackage -b -uc

Now you should have the following one directory up.

freeradius_2.1.10+git_amd64.changes
freeradius_2.1.10+git_amd64.deb
freeradius-common_2.1.10+git_all.deb
freeradius-dbg_2.1.10+git_amd64.deb
freeradius-dialupadmin_2.1.10+git_all.deb
freeradius-iodbc_2.1.10+git_amd64.deb
freeradius-krb5_2.1.10+git_amd64.deb
freeradius-ldap_2.1.10+git_amd64.deb
freeradius-mysql_2.1.10+git_amd64.deb
freeradius-postgresql_2.1.10+git_amd64.deb
freeradius-server-2.1.10
freeradius-server-2.1.10.tar
freeradius-utils_2.1.10+git_amd64.deb
libfreeradius2_2.1.10+git_amd64.deb
libfreeradius-dev_2.1.10+git_amd64.deb

Third, install and configure your FreeRADIUS machine.

  1. Transfer the FreeRADIUS *.deb files from the compiling machine to the deployment machine.
  2. You can shutdown and delete the compiling virtual machine now.
  3. Create a directory for the Certificate Authority (I use /ca)
  4. Copy the the files: xpextensions, client.cnf, server.cnf, ca.cnf and bootstrap from the raddb/certs directory to the /ca directory
  5. Install Openssl by issue the following command apt-get install openssl openssl-blacklist ssl-cert libltdl3 libperl5.10
  6. Edit the *.cnf files and create the required certificates
  7. Note the path of the server certificate and keys, also the location of the ca certificate
  8. Run openssl dhparam -out dh 2048 in the ca directory (note the path)
  9. Also run dd if=/dev/urandom of=random count=2
  10. Install mysql (optional, or any database backend) by using this command: apt-get install mysql-server, libmysqlclient15-dev
  11. Install libpcap0.8 (optional)
  12. Install the deb files in the following order via dpkg -i package.deb command:
  13. libfreeradius2_2.1.10+git_amd64.deb
    libfreeradius-dev_2.1.10+git_amd64.deb
    freeradius-common_2.1.10+git_all.deb
    freeradius_2.1.10+git_amd64.deb
    freeradius-mysql_2.1.10+git_amd64.deb (or postgres version)
    freeradius-utils_2.1.10+git_amd64.deb
    freeradius-dbg_2.1.10+git_amd64.deb
  14. Edit the eap.conf file in the /etc/freeradius directory and put in the variables gained from Step 7.
  15. Create a freerad user and freerad group
  16. Add this 2 commands in the /etc/init.d/freeradius file:
    mkdir -p /tmp/radiusd
    chown freerad:freerad /tmp/radiusd

    Somewhere before the statement test -f $PROGRAM || exit 0 should be fine (mine is around line 23). This is for the option to verify the client certificate, the option to do that is located in eap.conf.

  17. Add an entry into the clients.conf which indicate the IP of your AP where TLS requests will be coming from, the ipaddr variable is the ip address of your AP. The secret has to be the same as the secret set on the AP. The secret is completely unrelated to anything else, so you can have a random phrase. It is between the AP and the FreeRADIUS server. It is not required anywhere else.
    client wifi {
            ipaddr = 192.168.1.2
            secret = mysecretisnosecret
    #       shortname = linksys
            nastype = other
    }
  18. Setup mysql (ie set root password etc), then run admin.sql, nas.sql, ippool.sql, schema,sql and cui.sql in the /etc/freeradius/sql/mysql
  19. Setup the user radius‘ password and add the pertinent information to /etc/freeradius/sql.conf
  20. Add a test user sqltest with password testpassword, attribute Cleartext-Password, op == in the radcheck table
  21. Do your clean up ie create ssh keys for remote logins etc.

Testing:

  1. Stop any running freeradius servers by /etc/init.d/freeradius -stop
  2. Run radius server in debug mode: freeradius -X (note captialised X)
  3. Open another ssh window and issue radtest username password localhost 1812 testing123
    It should return something simliar to this:

    Sending Access-Request of id 28 to 127.0.0.1 port 1812
      User-Name = "username"
      User-Password = "password"
      NAS-IP-Address = 67.213.65.132
      NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=26
      Framed-IP-Address = 192.168.1.2 (your ip)

    NAS-IP Address is the address that the machine managed to resolve your IP from.

  4. If the FreeRADIUS server is not receiving your request from your AP. eg You initiated 802.1X authentication but the AP reports the server is not responding AND there is no activity shown on the screen of freeradius -X. Reset the AP!

Additional Reading:



Leave a Reply

You must be logged in to post a comment.