How to install freeRADIUS on CentOS 7

Learn how to install freeRADIUS on CentOS 7 with our step-by-step guide. Follow detailed instructions to set up and configure freeRADIUS and daloRADIUS for your network authentication needs. #centlinux #linux #freeradius

What is RADIUS Server?

RADIUS (Remote Authentication and Dial-In User Service) is network protocol and software that authenticate dial-in users and authorize their access to the requested service. RADIUS provides centralized Authentication, Authorization and Accounting (AAA) management for a user, who connect and use a network service. RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share.

A RADIUS server is a network protocol that performs the following three key functions:

1. Authentication: Verifies the identity of users or devices trying to access the network.
2. Authorization: Determines what level of access the user or device is allowed based on policies and credentials.
3. Accounting: Records and tracks the user’s activity for auditing, billing, or reporting purposes.

How Does a RADIUS Server Work?

Here’s a simplified overview of the RADIUS authentication process:

1. User Requests Access:
   • A user or device attempts to connect to the network (e.g., logging into a Wi-Fi network or VPN).
   • The user provides credentials (like a username and password) or device information.
2. RADIUS Client Sends Request:
   • The RADIUS client (like a network access server, NAS, or Wi-Fi access point) forwards the user’s credentials and request for access to the RADIUS server.
3. RADIUS Server Processes Request:
   • The RADIUS server authenticates the credentials against a database or an external directory service (like LDAP, Active Directory).
   • It also checks authorization policies to determine if the user or device has the correct permissions.
4. RADIUS Server Responds:
   • Access-Accept: If the credentials are valid and the user is authorized, the RADIUS server sends an “Access-Accept” message to the RADIUS client, granting access.
   • Access-Reject: If the credentials are invalid or the user is not authorized, the RADIUS server sends an “Access-Reject” message, denying access.
   • Access-Challenge: For additional verification steps, the server may send an “Access-Challenge” request asking for more information.
5. Accounting:
   • During or after the session, the RADIUS server can receive accounting messages to log the user’s session details for tracking usage, billing, or auditing.

Key Components of a RADIUS Server

1. RADIUS Client:
   • The device or application that requests authentication from the RADIUS server. Examples include network switches, wireless access points, and VPN gateways.
2. RADIUS Server:
   • The central component that handles authentication, authorization, and accounting requests. It processes requests from RADIUS clients and provides the appropriate responses.
3. RADIUS Database:
   • The backend where user credentials and policies are stored. This can be a local file, an external database (SQL), or an external directory service (LDAP, Active Directory).
4. RADIUS Protocol:
   • A UDP-based protocol that facilitates communication between the RADIUS client and server. It uses two main types of messages:
     • Request Messages: Include Access-Request, Accounting-Request, and Status-Request.
     • Response Messages: Include Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response.

Benefits of Using a RADIUS Server

1. Centralized Management:
   • Centralizes user management and authentication processes, making it easier to manage access controls for large networks.
2. Scalability:
   • Designed to handle a large number of authentication requests and can be scaled to accommodate growing networks.
3. Security:
   • Supports various secure authentication methods and can be configured to use encryption for sensitive data.
4. Flexibility:
   • Can be integrated with different back-end systems and customized to meet specific network requirements.
5. Accounting and Auditing:
   • Provides detailed logs of user activities, which can be used for billing, auditing, or reporting.

Common Use Cases for RADIUS Servers

• Wi-Fi Networks: Authenticating users trying to connect to wireless networks.
• VPN Services: Managing access for remote users connecting through a VPN.
• ISP Services: Authenticating customers for dial-up or broadband internet connections.
• Enterprise Networks: Managing access to corporate networks for employees and guests.

Read Also: Setup WireGuard VPN Server on CentOS 8

What is freeRADIUS?

freeRADIUS is a high-performance, open-source RADIUS server that offers a flexible and scalable solution for managing network access control. It supports a variety of authentication methods and is widely used in both small and large-scale networks.

Key Features of freeRADIUS

1. Authentication:
   • Methods Supported: Supports multiple authentication methods including PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAPv2, EAP (Extensible Authentication Protocol), and more.
   • Integration: Can integrate with various back-end systems like LDAP, Active Directory, SQL databases, and more.
2. Authorization:
   • Access Control: Allows administrators to define who can access the network based on a range of criteria such as user credentials, device types, or connection methods.
   • Policies: Supports advanced policies for controlling user access and permissions.
3. Accounting:
   • Logging: Tracks network usage and generates accounting records for billing or monitoring purposes.
   • Reports: Provides detailed logs and reports for auditing and analysis.
4. Scalability:
   • Performance: Designed to handle high volumes of authentication requests and can be scaled for large deployments.
   • Configuration: Flexible configuration options for both small and large environments.
5. Extensibility:
   • Modules: Offers a variety of modules for extending functionality, such as integration with external authentication sources, custom scripts, and advanced logging.
   • Customization: Allows for extensive customization of authentication and authorization processes.

Use Cases for freeRADIUS

• Network Access Control: Managing access to Wi-Fi networks, VPNs, and other network services.
• ISP Authentication: Used by Internet Service Providers for customer authentication.
• Enterprise Networks: Implemented in large corporate environments for user management and access control.
• Educational Institutions: Provides authentication for students and staff accessing campus networks.

What is daloRADIUS?

daloRADIUS is a easy to use, but advanced RADIUS web interface, that aimed at managing hotspots and general-purpose ISP deployments. daloRADIUS is written in PHP and supports famous database systems.

daloRADIUS is an open-source web application designed to enhance the management of RADIUS servers. It offers a graphical interface for interacting with freeRADIUS, making it easier to perform administrative tasks, configure settings, and review accounting data.

Key Features of daloRADIUS

1. Web-Based Interface:
   • User Management: Create, edit, and delete RADIUS users and manage their credentials and attributes.
   • Configuration Management: View and edit RADIUS server configuration files.
   • Monitoring and Reporting: Monitor live RADIUS requests, view logs, and generate detailed reports on authentication, authorization, and accounting data.
2. User Management:
   • Add/Edit Users: Manage user accounts including their credentials, permissions, and attributes.
   • Group Management: Create and manage user groups with specific access rights and policies.
   • Bulk Operations: Perform bulk updates and management tasks for multiple users.
3. Accounting and Logging:
   • Session Logs: View detailed logs of user sessions including start and stop times, data usage, and connection details.
   • Reports: Generate and export reports for usage statistics, billing, and auditing purposes.
4. Configuration Assistance:
   • Configuration Files: Edit RADIUS configuration files like radiusd.conf, clients.conf, and users directly from the web interface.
   • Graphical Tools: Provides tools for easy configuration of RADIUS server settings without manual file editing.
5. Integration with FreeRADIUS:
   • Database Integration: Connects to the RADIUS server’s database to manage users and access control.
   • Support for Multiple Databases: Compatible with various databases like MySQL, PostgreSQL, and SQLite for backend storage.
6. Customizable and Extensible:
   • Plugins and Extensions: Supports plugins and additional modules for extended functionality.
   • Themes and Customization: Allows customization of the interface with different themes and styles.
7. Security Features:
   • Role-Based Access Control: Define roles and permissions for different users of the daloRADIUS interface.
   • Secure Connections: Supports secure connections (HTTPS) for accessing the web interface.

How daloRADIUS Works

1. User Requests Access:
   • A user attempts to connect to a network service, such as a Wi-Fi network or VPN.
   • The RADIUS client (like a Wi-Fi access point) sends a request to the RADIUS server.
2. RADIUS Server Processes Request:
   • The RADIUS server authenticates the user and processes the request.
3. daloRADIUS Management:
   • Administrators use the daloRADIUS web interface to manage users, view logs, and configure settings.
   • daloRADIUS interacts with the RADIUS server’s database to provide real-time management and reporting capabilities.

Benefits of Using daloRADIUS

1. User-Friendly Interface:
   • Provides a graphical interface for managing RADIUS server settings and users, which is more accessible than editing configuration files manually.
2. Centralized Management:
   • Centralizes RADIUS server management tasks, making it easier for administrators to perform their duties.
3. Enhanced Reporting and Monitoring:
   • Offers detailed reporting and real-time monitoring of RADIUS server activity.
4. Scalability:
   • Suitable for both small and large deployments, providing tools for managing a wide range of RADIUS server configurations.
5. Improved Efficiency:
   • Simplifies administrative tasks, reducing the time and effort required for managing RADIUS servers.

This article emphasize on the installation and initial configuration of freeRADIUS and daloRADIUS on CentOS 7. If you want to know, how to use freeRADIUS or daloRADIUS, then we recommend you to read FreeRADIUS Beginner’s Guide (PAID LINK) and daloRADIUS User Guide (Volume 1) (PAID LINK).

System Specification

In this article, we will install freeRADIUS and daloRADIUS on CentOS 7 without disabling SELinux.

We are using a CentOS 7 virtual machine with following specifications:

• Hostname – radius-01.example.com
• IP Address – 192.168.116.158 /24
• Operating System – CentOS 7.6
• freeRADIUS version – 3.0
• daloRADIUS version – 1.0

Install prerequisite packages

Connect with radius-01.example.com using ssh as root user.

We will require some utiliies during installation of freeRADIUS and daloRADIUS, therefore, we are installing them now, using yum command.

# yum install -y wget unzip

Some prereqiusite packages are available through extras yum repository, therefore, we are installing EPEL (Extra Packages for Enterprise Linux) yum repository.

# yum install -y epel-release

Build yum cache using following command.

# yum makecache fast
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                     | 4.6 kB     00:00
 * base: centos.mirror.net.in
 * epel: mirror.horizon.vn
 * extras: centos.mirror.net.in
 * updates: centos.mirror.net.in
base                                                     | 3.6 kB     00:02
extras                                                   | 3.4 kB     00:00
mariadb                                                  | 2.9 kB     00:00
updates                                                  | 3.4 kB     00:00
Metadata Cache Created

Install MariaDB on CentOS 7

Follow my previous article to install latest version of MariaDB.

After installation, connect with MariaDB database as root user.

# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or g.
Your MariaDB connection id is 16
Server version: 10.3.14-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

MariaDB [(none)]>

Create a database, that serves as the repository for our RADIUS server.

MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.001 sec)

Create a database owner for radius database.

MariaDB [(none)]> grant all on radius.* to radius@localhost identified by '123';
Query OK, 0 rows affected (0.001 sec)

Reload privileges tables.

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

Exit from MariaDB prompt.

MariaDB [(none)]> exit
Bye

Install Apache on CentOS 7

daloRADIUS is a web application developed in PHP. Therefore, we need Apache Web Server with PHP to deploy daloRADIUS.

Install Apache Web Server using yum command.

# yum install -y httpd

Start and enable httpd.service.

# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
# systemctl start httpd.service

Apache Webserver has been configured successfully. It is advised that, you should read our previous article Chroot Apache Web Server in CentOS 7 to increase the security.

Install PHP on CentOS 7

Install PHP (Hypertext Preprocessor) and related packages using yum command.

# yum install -y php php-mysql php-pear php-devel php-common php-gd php-mbstring php-mcrypt php-xml php-pear-DB

Restart httpd.service to load changes, made by PHP installation.

# systemctl restart httpd.service

Install freeRADIUS on CentOS 7

freeRADIUS and relevant packages are available through CentOS base repository. Therefore, we can easily install it using yum command.

# yum install -y freeradius freeradius-utils freeradius-mysql

Start and enable radiusd.service.

# systemctl start radiusd.service
# systemctl enable radiusd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.

Allow RADIUS service in Linux firewall.

# firewall-cmd --permanent --add-service=radius
success
# firewall-cmd --reload
success

Configure freeRADIUS to use MariaDB database

By default, freeRADIUS uses flat-files to store data. Therefore, we have to configure it to use MariaDB database as its repository.

Use the following script to create database objects.

# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Enter password:

You can either copy sql module from /etc/raddb/mods-available/sql or create using following script.

# vi /etc/raddb/mods-enabled/sql

Add following lines therein:

sql {
 driver = "rlm_sql_mysql"
 dialect = "mysql"
 
 # Connection info:
 server = "localhost"
 port = 3306
 login = "radius"
 password = "123"

 # Database table configuration for everything except Oracle
 radius_db = "radius"
 }

# Set to "yes" to read radius clients from the database ("nas" table)
# Clients will ONLY be read on server startup.
read_clients = yes
# Table to keep radius client info
client_table = "nas"

Adjust file permissions.

# chgrp -h radiusd /etc/raddb/mods-enabled/sql

Restart radiusd.service.

# systemctl restart radiusd.service

Install daloRADIUS on CentOS 7

daloRADIUS is open source and distributed under GPL 2.0 license. It’s complete source is available at GitHub.

# wget https://github.com/lirantal/daloradius/archive/master.zip
--2019-04-25 19:37:59--  https://codeload.github.com/lirantal/daloradius/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121, 192.30.253.120
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: âmaster.zip.1â

    [             <=>                       ] 5,447,362    386KB/s   in 14s

2019-04-25 19:38:14 (375 KB/s) - âmaster.zip.1â saved [5447362]

Unzip downloaded file.

# unzip master.zip

Place the extracted directory at the document root of Apache Web server.

# rm -f master.zip
# mv daloradius-master/ /var/www/html/daloradius

Restore SELinux security context as follows.

# restorecon -Rv /var/www/html/daloradius/

Adjust permissions and ownership of daloRADIUS software.

# chown -R apache:apache /var/www/html/daloradius
# chmod -R 664 /var/www/html/daloradius/library/daloradius.conf.php

Allow HTTP service in Linux firewall.

# firewall-cmd --permanent --add-service=http
success
# firewall-cmd --reload
success

Create daloRADIUS objects in MariaDB database.

# mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
Enter password:
# mysql -u root -p radius < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql
Enter password:

Edit daloRADIUS configuration file.

# vi /var/www/html/daloradius/library/daloradius.conf.php

and define MariaDB database password in it.

$configValues['CONFIG_DB_PASS'] = '123';

Browse URL http://radius-01.example.com/daloradius using a client’s browser.

Login using default credentials i.e.

Username: administrator
Password: radius

freeRADIUS and daloRADIUS has been installed on CentOS 7.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

Final Thoughts

Setting up freeRADIUS on CentOS 7 can greatly enhance your network’s authentication capabilities. This guide is designed to provide you with clear, step-by-step instructions to ensure a successful installation and configuration.

If you need further assistance or prefer to have a professional handle the installation, I offer specialized services on Fiverr. From initial setup to advanced configurations, I can help you achieve a seamless freeRADIUS installation on CentOS 7. Visit my Fiverr profile to learn more about my services and how I can assist you.

Thank you for following along, and best of luck with your freeRADIUS installation!