Creating a Debian VirtualBox VM

Posted: January 7th, 2011 | Filed under: Debian, Mac, Virtual Box

In the past, I used Parallels 5 for my VM needs (and I still do). Recently I found out that in order to install the Parallels Guest Tools on the latest Ubuntu (10.10), I have to upgrade Parallels from version 5 to 6. Since Ubuntu updates every 6 months, there is a good chance that I will have to update Parallels every year in order for the latest version of Ubuntu to work. I have decided to check out VirtualBox and see how well it works with my development environment.

To create a basic Debian VirtualBox image:

  1. Grab the latest netinst image
  2. For typical development use, I don’t think one will use more than 8GB of disc space.
  3. Use the Guided hard disc setup and use the whole drive
  4. Deselect everything else and only install Standard System
  5. Install GRUB to your bootloader
  6. Go through the system setup and reboot
  7. Install OpenSSH server by apt-get install openssh-server
  8. Run apt-get upgrade
  9. Run apt-get update
  10. Do an ACPI Shutdown via the Machine menu or run shutdown now
  11. Edit the VM’s Settings via the Oracle VM VirtualBox Manager
    I typically set:

    • Hardware clock in UTC time. This is to make sure that clocks are in sync so things like ssh won’t misbehave.
    • Disable Audio
    • Change Network -> Adapter 1 -> Attached to: Bridged Networking
    • Disable the Ports (both serial and USB)
    • Leave the Shared Folders option unset; I just use SSH for everything.
  12. Reboot, Login
  13. Run ifconfig; the IP address will now be in your home network's subnet (for me it is 192.168.123.0), so you can ssh into the machine via ssh username@ipaddress
  14. Shut down again and select Export Appliance under File in the VirtualBox Manager. Now, whenever you need a Debian VM, you just have to import the appliance. At this stage, I also highly recommend you take a snapshot of the image before you do any tinkering.
  15. Start the machine again. If you want to give the VM a static IP, run nano /etc/network/interfaces
    Replace

    allow-hotplug eth0
    iface eth0 inet dhcp

    with (IP address and gateway adjusted to taste)

    # "auto" brings eth0 up at boot now that the allow-hotplug line is gone
    auto eth0
    iface eth0 inet static
           address 192.168.1.10
           netmask 255.255.255.0
           network 192.168.1.0
           broadcast 192.168.1.255
           gateway 192.168.1.1

    Run /etc/init.d/networking restart

  16. Next time, you can start the virtual machine from the command line by using VBoxHeadless -startvm "machinename"
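
The VM settings, snapshot, export and headless start from the steps above can also be applied from the host's command line, which keeps the reduced device set (no audio, USB or serial ports) reproducible across imports. This is an added example, not part of the original post: the VM name debian-base, the host interface en0, the snapshot name and the .ova file name are assumptions, and the flags are spelled as in the VirtualBox 4.x command line (newer releases rename some of them).

```shell
#!/bin/sh
# Added example: the GUI settings from the list above as VBoxManage calls.
# Run on the host while the VM is powered off.
VM="${VM:-debian-base}"      # assumption: name of the VM in VirtualBox
HOST_IF="${HOST_IF:-en0}"    # assumption: host interface to bridge to

# With DRY_RUN=1 each command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Hardware clock in UTC, no audio, bridged NIC, USB and serial ports off.
apply_settings() {
    run VBoxManage modifyvm "$VM" \
        --rtcuseutc on \
        --audio none \
        --nic1 bridged --bridgeadapter1 "$HOST_IF" \
        --usb off \
        --uart1 off --uart2 off
}

# Snapshot the clean install, then export it as a reusable appliance.
snapshot_and_export() {
    run VBoxManage snapshot "$VM" take "clean-install"
    run VBoxManage export "$VM" -o "$VM.ova"
}

# Start without a GUI window; the command stays in the foreground.
start_headless() {
    run VBoxHeadless --startvm "$VM"
}

# Stand-alone use: sh vm-settings.sh apply|export|start
case "${1:-}" in
    apply)  apply_settings ;;
    export) snapshot_and_export ;;
    start)  start_headless ;;
esac
```

Run it once with DRY_RUN=1 to review the exact commands before applying them.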

Recipe for Compiling and Installing FreeRADIUS 2.1 on Debian 5 from source

Posted: January 6th, 2011 | Filed under: Debian, freeRADIUS, Virtual Box

With the advent of virtualization, I prefer to have virtual machines that each perform one and only one function.
So instead of having one server that would be my RADIUS, file server etc., I would rather have several virtual machines each performing one task.
To set up a FreeRADIUS server from source on a Debian server:
First, install Debian:

  1. Grab the latest netinst CD from debian.org.
  2. Install the base installation (I think 3GB of disc space will be more than enough).
  3. Run apt-get update and apt-get upgrade to make sure you have the latest version.
  4. Edit the network configuration, which is located at /etc/network/interfaces
  5. Install sudo
  6. Install openssh-server, so that you can ssh into the machine remotely.
  7. Save and Shutdown the VM.
  8. Replicate the VM via your virtualization software. We will use one copy to compile from source, and the other one to install.

Second, configure, compile and create the Debian packages.
Since we are using this as a one off compile machine, we will compile as root.

  1. Grab the latest stable FreeRADIUS source code from the website
  2. apt-get install bzip2 (the package that provides bunzip2)
  3. apt-get install fakeroot
  4. apt-get install dpkg-dev (this will get all of the development environment)
  5. apt-get build-dep freeradius (this will grab all the libraries required to compile). Unlike the official instructions, libssl-dev is automatically downloaded.
  6. apt-get install quilt
  7. run ./configure in the source directory
  8. run make to compile
  9. fakeroot dpkg-buildpackage -b -uc

Now you should have the following one directory up.

freeradius_2.1.10+git_amd64.changes
freeradius_2.1.10+git_amd64.deb
freeradius-common_2.1.10+git_all.deb
freeradius-dbg_2.1.10+git_amd64.deb
freeradius-dialupadmin_2.1.10+git_all.deb
freeradius-iodbc_2.1.10+git_amd64.deb
freeradius-krb5_2.1.10+git_amd64.deb
freeradius-ldap_2.1.10+git_amd64.deb
freeradius-mysql_2.1.10+git_amd64.deb
freeradius-postgresql_2.1.10+git_amd64.deb
freeradius-server-2.1.10
freeradius-server-2.1.10.tar
freeradius-utils_2.1.10+git_amd64.deb
libfreeradius2_2.1.10+git_amd64.deb
libfreeradius-dev_2.1.10+git_amd64.deb

Third, install and configure your FreeRADIUS machine.

  1. Transfer the FreeRADIUS *.deb files from the compiling machine to the deployment machine.
  2. You can shutdown and delete the compiling virtual machine now.
  3. Create a directory for the Certificate Authority (I use /ca)
  4. Copy the files xpextensions, client.cnf, server.cnf, ca.cnf and bootstrap from the raddb/certs directory to the /ca directory
  5. Install OpenSSL by issuing the following command: apt-get install openssl openssl-blacklist ssl-cert libltdl3 libperl5.10
  6. Edit the *.cnf files and create the required certificates
  7. Note the path of the server certificate and keys, also the location of the ca certificate
  8. Run openssl dhparam -out dh 2048 in the ca directory (note the path)
  9. Also run dd if=/dev/urandom of=random count=2
  10. Install mysql (optional, or any database backend) by using this command: apt-get install mysql-server libmysqlclient15-dev
  11. Install libpcap0.8 (optional)
  12. Install the deb files in the following order via the dpkg -i package.deb command:
    libfreeradius2_2.1.10+git_amd64.deb
    libfreeradius-dev_2.1.10+git_amd64.deb
    freeradius-common_2.1.10+git_all.deb
    freeradius_2.1.10+git_amd64.deb
    freeradius-mysql_2.1.10+git_amd64.deb (or postgres version)
    freeradius-utils_2.1.10+git_amd64.deb
    freeradius-dbg_2.1.10+git_amd64.deb
  13. Edit the eap.conf file in the /etc/freeradius directory and put in the variables gained from Step 7.
  14. Create a freerad user and freerad group
  15. Add these 2 commands to the /etc/init.d/freeradius file:
    mkdir -p /tmp/radiusd
    chown freerad:freerad /tmp/radiusd

    Somewhere before the statement test -f $PROGRAM || exit 0 should be fine (mine is around line 23). This is for the option to verify the client certificate; that option is located in eap.conf.

  16. Add an entry to clients.conf which indicates the IP of your AP where TLS requests will be coming from; the ipaddr variable is the IP address of your AP. The secret has to be the same as the secret set on the AP. The secret is completely unrelated to anything else, so you can have a random phrase. It is between the AP and the FreeRADIUS server. It is not required anywhere else.
    client wifi {
            ipaddr = 192.168.1.2
            secret = mysecretisnosecret
    #       shortname = linksys
            nastype = other
    }
  17. Set up mysql (i.e. set the root password etc.), then run admin.sql, nas.sql, ippool.sql, schema.sql and cui.sql in the /etc/freeradius/sql/mysql directory
  18. Set up the user radius' password and add the pertinent information to /etc/freeradius/sql.conf
  19. Add a test user sqltest with password testpassword, attribute Cleartext-Password, op == in the radcheck table
  20. Do your clean up, i.e. create ssh keys for remote logins etc.
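
The shared secret in clients.conf is the only thing authenticating the AP to the server, so it is worth checking that no client still carries a default or copied value before the server goes live. The script below is an added example, not part of the original post: it flags known values (the FreeRADIUS default testing123 and the sample secret shown above) and short secrets, and prints a random replacement. The 16-character minimum, the lab-ap and office-ap clients and their secrets are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit clients.conf shared secrets and generate a new one.
MIN_LEN=16                              # assumption: local policy, not a FreeRADIUS setting
KNOWN="testing123 mysecretisnosecret"   # shipped default + the sample value on this page

# Print "client<TAB>reason" for each weak secret. Reads the named files or stdin.
# Only handles unquoted, single-word secrets, as in the stanza above.
audit_client_secrets() {
    awk -v min="$MIN_LEN" -v known="$KNOWN" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) bad[k[i]] = 1 }
        /^[ \t]*#/     { next }                 # commented-out settings
        $1 == "client" { name = $2; next }      # "client wifi {"
        $1 == "}"      { name = ""; next }
        name != "" && $1 == "secret" && $2 == "=" {
            if ($3 in bad)                 print name "\tdefault or published secret"
            else if (length($3) < min + 0) print name "\tsecret shorter than " min " characters"
        }
    ' "$@"
}

# 32 hex characters (128 bits) from the kernel random source.
new_radius_secret() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Constructed sample input; only the wifi stanza comes from the page.
sample_clients_conf() {
    cat <<'EOF'
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
}
client wifi {
        ipaddr = 192.168.1.2
        secret = mysecretisnosecret
#       shortname = linksys
        nastype = other
}
client lab-ap {
        ipaddr = 192.168.1.3
        secret = hunter2
}
client office-ap {
        ipaddr = 192.168.1.4
        secret = 5f2c9a1e7b3d4086a1c4e9d27f60b835
}
EOF
}

# Stand-alone use: audit the files given as arguments, otherwise the sample.
if [ "$#" -gt 0 ]; then audit_client_secrets "$@"; else sample_clients_conf | audit_client_secrets; fi
```

Pass /etc/freeradius/clients.conf as the argument to audit the live file; the value from new_radius_secret has to be set on both the AP and the server.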

Testing:

  1. Stop any running freeradius servers by /etc/init.d/freeradius stop
  2. Run the radius server in debug mode: freeradius -X (note capitalised X)
  3. Open another ssh window and issue radtest username password localhost 1812 testing123
    It should return something similar to this:

    Sending Access-Request of id 28 to 127.0.0.1 port 1812
      User-Name = "username"
      User-Password = "password"
      NAS-IP-Address = 67.213.65.132
      NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=26
      Framed-IP-Address = 192.168.1.2 (your ip)

    NAS-IP-Address is the address that the machine managed to resolve your IP from.

  4. If the FreeRADIUS server is not receiving your request from your AP (e.g. you initiated 802.1X authentication but the AP reports the server is not responding AND there is no activity shown on the screen of freeradius -X), reset the AP!

Additional Reading: