Sticky: OpenVPN RADIUS MySQL Howto EasyZone - Software service for managing internet access in dormitories, apartments, mansions, condos, hotels
 Sticky: OpenVPN RADIUS MySQL Howto

This document describes how to set up a FreeRADIUS server. A MySQL server is used as backend and for the user accounting. OpenVPN and the radiusplugin from Ralf Lübben are used together as the NAS service.

I do not guarantee anything in this howto. In my environment this setup is doing a great job. So hopefully it will do the same for you.

[Update on 2008-10-03]:
This setup is also working with freeradius version 2.1.0, while this document originally was written for a 1.x version. Much of the structure has changed in this newer release, but you can apply this howto even for this version.

[Update on 2009-04-25]:
LDAP authentication coming soon.

Required software

The installation was done on Ubuntu Gutsy Gibbon:

- freeradius (1.1.6-2)
- freeradius-mysql (1.1.6-2)
- mysql-server-5.0 (5.0.45-1ubuntu2)
- openvpn (2.0.9-8)
- radiusplugin_v2.0b_beta2.tar.gz (Please download separately)
- libgcrypt11-dev (1.2.4-2ubuntu2)

I act on the assumption that there is an already running MySQL server.

Radiusserver

After having successfully installed freeradius and freeradius-mysql using aptitude (apt-get), you have to change the directory to /etc/freeradius.

radiusd.conf:

Please change the following variables under the section PROXY CONFIGURATION

proxy_requests = no

Please comment out any files-entry and, as you can see, please enable the sql statements. The changes should look similar to this:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    sql
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    detail
    unix
    radutmp
    sql
}

For freeradius 2.x in file /etc/freeradius/sites-enabled/default:

authorize {
	sql
}
authenticate {
}
preacct {
	acct_unique
}
accounting {
	sql
}
session {
	sql
}
post-auth {
}
pre-proxy {
}
post-proxy {
}

As you can see, you only require the sql statements and no others. Please give feedback if you require more information on freeradius 2.x configuration.

You do not need to change anything else in this configuration file. It stays as it is.

clients.conf:

client 127.0.0.1 {
    secret          = EinsupertollesSecret
    shortname       = localhost
}

The secret should be a secret as far as possible. It will be required in a later configuration file below.

sql.conf:

sql {
    driver = "rlm_sql_mysql"
    server = "127.0.0.1"
    login = "radius"
    password = "MySQL-password-see-next-paragraph"
    radius_db = "radius"
    ...
}

MySQL

mysql -u root -h 127.0.0.1 -p

Please insert the following schema into MySQL:

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | \
mysql -u root -prootpass radius

mysql -u root -prootpass
mysql> GRANT ALL ON radius.* TO radius@'127.0.0.1' IDENTIFIED BY 'Use the same password as in sql.conf';

Next, some example entries:

mysql> select * from radcheck;
+----+------------+----------------+----+---------------+
| id | UserName   | Attribute      | op | Value         |
+----+------------+----------------+----+---------------+
|  1 | croessner  | Crypt-Password | := | XXXXXXXXXXXXX |
+----+------------+----------------+----+---------------+

You can use the MySQL ENCRYPT() function to create the passwords.

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------------+
| id | GroupName | Attribute | op | Value       |
+----+-----------+-----------+----+-------------+
|  1 | dynamic   | Auth-Type | := | Crypt-Local |
+----+-----------+-----------+----+-------------+

mysql> select * from radgroupreply;
+----+-----------+-----------------------+----+-------------+
| id | GroupName | Attribute             | op | Value       |
+----+-----------+-----------------------+----+-------------+
|  1 | dynamic   | Acct-Interim-Interval | =  | 60          |
+----+-----------+-----------------------+----+-------------+

mysql> select * from radreply;
+----+------------+-------------------+----+-------------------------------+
| id | UserName   | Attribute         | op | Value                         |
+----+------------+-------------------+----+-------------------------------+
|  1 | croessner  | Framed-IP-Address | =  | 10.10.0.153                   |
|  2 | croessner  | Framed-Route      | =  | 192.168.3.0/24 10.10.0.2/32 1 |
+----+------------+-------------------+----+-------------------------------+

Short description:
After the user croessner has logged on, the IP 10.10.0.153 is assigned to his computer as a point-to-point connection with the endpoint IP 10.10.0.154. At the same time, the OpenVPN server manipulates its internal routing table and adds the network 192.168.3.0/24. If you wish to assign more than one route, you have to use the '+=' operator for any additional data set.

mysql> select * from usergroup;
+-----------+-----------+----------+
| UserName  | GroupName | priority |
+-----------+-----------+----------+
| croessner | dynamic   |        1 |
+-----------+-----------+----------+

I have to mention for the table shown here that the usage of the operators seems not to be really trivial. But you can find more information in /usr/share/doc/freeradius/rlm_sql.gz.

I explicitly use "Crypt-Password" entries in these examples. If this is not desired, you can use the attribute "Cleartext-Password". But doing so, you have to choose the value "Local" in the table "radgroupcheck".

You can find more information in the README under http://wiki.freeradius.org/SQL_HOWTO.

OpenVPN

RadiusPlugin

As of writing this howto, the freeradius plugin is not available as an Ubuntu package. Therefore you have to download and compile the source code. Please install the GNU compiler "g++" and "make". Simply a basic installation of tools, giving you the ability to compile C++ applications. Maybe the package "build-essential".

cd /usr/local/src/
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0b_beta2.tar.gz
tar xvzf radiusplugin_v2.0b_beta2.tar.gz
cd /usr/local/src/radiusplugin_v2.0b_beta2

After that run "make". The result is called radiusplugin.so.

cp /usr/local/src/radiusplugin_v2.0b_beta2/radiusplugin.so /etc/openvpn/

Please also copy the file radiusplugin.cnf from the directory /usr/local/src/radiusplugin_v2.0b_beta2 to /etc/openvpn.

The configuration should look something like this:

--- Beginning ---
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE              (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)
OpenVPNConfig=/etc/openvpn/radiusvpn.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from
# OpenVPN option "--server NETWORK NETMASK"
#subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN
# option "--server NETWORK NETMASK"
#p2p=10.10.0.1
####################### I use the default option
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one
# has the highest priority.
server {
    # The UDP port for radius accounting.
    acctport=1813
    # The UDP port for radius authentication.
    authport=1812
    # The name or ip address of the radius server.
    name=127.0.0.1
    # How many times should the plugin send the request if there is no response?
    retry=1
    # How long should the plugin wait for a response?
    wait=1
    # The shared secret. The value below is a placeholder: put the secret
    # from the RADIUS server's clients.conf here.
    sharedsecret=Hier das Secret aus der client.conf des Radius-Servers
}
--- End of file ---

Point-to-Multipoint Server

Please set up a point-to-multipoint configuration. Tip: Use the easy-rsa package, which you can install separately with aptitude:

i.e.:

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc
cd /etc/easy-rsa/2.0/

Edit the file vars and change the lines below, like described in the README.

source vars
./clean-all
./build-ca
./build-key-server server
./build-dh

Now you can create one or more client certificates:

./build-key cl1

cd keys
openvpn --genkey --secret ta.key

Please change to the directory /etc/openvpn

cd /etc/openvpn
mkdir ssl
cp -a /etc/easy-rsa/2.0/keys/{ca.crt,dh1024.pem,ta.key,server.crt,server.key} ssl/

Use an editor and put in the following sample configuration:

radiusvpn.conf:

--- Beginning ---
# Which device
dev tun
fast-io

user nobody
group nogroup
persist-tun
persist-key

server 10.10.0.0 255.255.255.0
management 127.0.0.1 7505
float

username-as-common-name
client-config-dir ccd
client-to-client

push "redirect-gateway def1"
push "dhcp-option NTP 10.10.0.1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.10.0.1"

ping-timer-rem
keepalive 10 60

# Use compression
comp-lzo

# Strong encryption
tls-server
tls-auth ssl/ta.key 0
dh ssl/dh1024.pem
cert ssl/server.crt
key ssl/server.key
ca ssl/ca.crt

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

verb 3
mute 10

status /var/log/openvpn/status.log 1
log /var/log/openvpn/radiusvpn.log
--- End of file ---

mkdir /etc/openvpn/ccd
mkdir /var/log/openvpn

That's it ;-) The server is ready to go. Now you can start the services freeradius, mysql and openvpn.

Afterwards you can configure the client(s). The following output is just an idea of how it could look. Any further documentation can be found on the project website.

Client example


--- Beginning ---
# Which device
dev tun
fast-io

persist-key
persist-tun
replay-persist radiusvpn.d/cur-replay-protection.cache

# Our remote peer
nobind
remote <HIER_REMOTE_ADRESSE_DES_OPENVPN_SERVERS> 1194

pull

# Use compression
comp-lzo

# Strong encryption
tls-client
tls-remote server
ns-cert-type server
tls-auth ssl/ta.key 1
cert ssl/common.crt
key ssl/common.key
ca ssl/ca.crt

verb 3
mute 10

auth-user-pass radiusvpn.d/auth-user-pass.conf

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# log /var/log/openvpn.log
--- End of file ---

mkdir /etc/openvpn/radiusvpn.d

Change to the given directory and create the file auth-user-pass.conf. Please also refer to the openvpn manpage for the parameter --auth-user-pass.

Test it … Be happy

Have fun - You can send me bug reports concerning the howto to Christian Roessner <info@roessner-net.com> or, if you like to, just give a comment.

refer : http://www.roessner-net.com/?p=4



by: EasyZone   Date 11/9/2553 - 04:16:17
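As an added example (not part of the howto or the FreeRADIUS project), the SQL statements that produce the radcheck/radreply/radgroupcheck/radgroupreply/usergroup rows shown in the tables above, including a second Framed-Route with the '+=' operator the text mentions. It assumes the default FreeRADIUS MySQL schema is loaded into the database "radius", that MySQL still provides ENCRYPT() (it was removed in MySQL 8.0) and that the system crypt(3) is glibc's, so a "$6$" salt yields a SHA-512 hash; the password and the 192.168.4.0/24 route are constructed values.

```sql
-- Added example: populate the FreeRADIUS SQL tables for user "croessner".
-- Assumes the stock freeradius mysql.sql schema in database "radius".
USE radius;

-- Group "dynamic": authenticate with the Crypt-Password stored in radcheck
-- and ask the NAS (OpenVPN radiusplugin) for interim accounting every 60 s.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
  VALUES ('dynamic', 'Auth-Type', ':=', 'Crypt-Local');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
  VALUES ('dynamic', 'Acct-Interim-Interval', '=', '60');

-- User entry. ENCRYPT() calls the system crypt(3); a "$6$" salt requests
-- SHA-512 crypt on glibc, whereas a plain two-character salt gives
-- traditional DES crypt, which truncates the password to 8 characters.
-- 'ChangeThisPassword' is a constructed sample value.
INSERT INTO radcheck (UserName, Attribute, op, Value)
  VALUES ('croessner', 'Crypt-Password', ':=',
          ENCRYPT('ChangeThisPassword',
                  CONCAT('$6$', SUBSTRING(MD5(RAND()), 1, 16))));

-- Reply attributes: fixed tunnel address plus routes. In a reply list "="
-- only sets an attribute that is not present yet, so a second Framed-Route
-- with "=" would be ignored; every additional route needs "+=" to be
-- appended. The 192.168.4.0/24 route is a constructed example.
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES
  ('croessner', 'Framed-IP-Address', '=',  '10.10.0.153'),
  ('croessner', 'Framed-Route',      '=',  '192.168.3.0/24 10.10.0.2/32 1'),
  ('croessner', 'Framed-Route',      '+=', '192.168.4.0/24 10.10.0.2/32 1');

-- Group membership; the lowest priority value is evaluated first.
INSERT INTO usergroup (UserName, GroupName, priority)
  VALUES ('croessner', 'dynamic', 1);

-- Show what FreeRADIUS will send back to the OpenVPN server for this user.
SELECT id, UserName, Attribute, op, Value
  FROM radreply
 WHERE UserName = 'croessner'
 ORDER BY id;
```

The hash in the radcheck row starts with "$6$" when SHA-512 crypt was used; if it is 13 characters long, the system crypt fell back to DES and the salt format should be checked.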

How can I configure FreeRADIUS with MySQL on Linux?

By: Sunil Singh   Date 23/11/2552 - 15:35:32

 try http://www.frontios.com/freeradius.html

By: easyzonecorpdotnet   Date 27/11/2552 - 12:03:53