I run a small wireless network for a non-profit organization in my home town. It consists of a single high site with network connectivity, with nine client sites connecting via wireless. The network is built with Ubiquiti hardware, with a Mikrotik 750 handling the routing. I also use this network for experimentation and learning. One of the things that I have been keen on doing is managing it as though it is a commercial network in terms of the network architecture. To this end I have decided to deploy a Raspberry Pi based Radius server for PPPoE authentication. The Mikrotik will serve as the PPPoE server, and the Raspberry Pi Radius server will be managed with DaloRADIUS. The instructions below should be easy to use on any Debian based distro.
This tutorial will not cover installation of Raspbian onto your Raspberry Pi.
What you will need:
- A Raspberry Pi Model B
- A 4GB+ SD Card running Raspbian
- SSH Access (or a terminal on the device)
- PPPoE server (Mikrotik 750 in my case)
- An internet connection
Log into the Raspberry Pi via SSH or a Terminal Window:
Configure the IP Address
Edit /etc/network/interfaces to reflect your network settings
vi /etc/network/interfaces
Change from:
iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
To:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 10.3.0.2
    netmask 255.255.255.252
    gateway 10.3.0.1
    dns-nameservers 10.0.0.1
allow-hotplug wlan0
iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Remember to adjust for your own network parameters
Install FreeRADIUS and other prerequisites, remember to note the password for your mysql server:
$ apt-get install freeradius freeradius-mysql apache2 php5 libapache2-mod-php5 mysql-server mysql-client php5-mysql php-pear php5-gd php-db
Download and extract the DaloRADIUS package to /var/www:
cd /usr/src
wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar zxvf daloradius-0.9-9.tar.gz -C /var/www/
mv /var/www/daloradius-0.9-9/ /var/www/daloradius
cd /var/www/daloradius
Configure the DaloRadius/Freeradius database
mysql -u root -p
mysql> create database radiusdb;
mysql> exit
mysql -u root -p radiusdb < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p
mysql> CREATE USER 'radiususer'@'localhost';
mysql> SET PASSWORD FOR 'radiususer'@'localhost' = PASSWORD('radiuspass');
mysql> GRANT ALL ON radiusdb.* to 'radiususer'@'localhost';
mysql> exit
You will also need to configure DaloRadius to connect to the database:
vi /var/www/daloradius/library/daloradius.conf.php
Input the following values:
$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radiususer';
$configValues['CONFIG_DB_PASS'] = 'radiuspass';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
The default configuration of FreeRADIUS loads user accounts from a file located at /etc/freeradius/users.
It makes sense to test the operation of FreeRADIUS before trying to link it to a database. To activate the test user you have to edit /etc/freeradius/users:
vi /etc/freeradius/users
Uncomment the following lines:
#"John Doe" Cleartext-Password := "hello"
#    Reply-Message = "Hello, %{User-Name}"
To look like this:
"John Doe" Cleartext-Password := "hello"
    Reply-Message = "Hello, %{User-Name}"
Restart the freeradius service and bring up the debug console to make sure all is well:
$ /etc/init.d/freeradius stop
$ freeradius -XXX
If all goes well you will be presented with the final line of output:
Info: Ready to process requests.
Press CTRL+C to disconnect.
Start the freeradius service once again
$ /etc/init.d/freeradius start
Use radtest to make sure that you can authenticate against the file:
$ radtest "John Doe" hello 127.0.0.1 0 testing123
Sending Access-Request of id 180 to 127.0.0.1 port 1812
    User-Name = "John Doe"
    User-Password = "hello"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
Now it is time to switch over to mysql authentication:
$ vi /etc/freeradius/radiusd.conf
Change the lines that read:
# $INCLUDE sql.conf
# $INCLUDE sql/mysql/counter.conf
To:
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
Update the configuration to reflect the database username and password as chosen earlier:
$ vi /etc/freeradius/sql.conf
server = "localhost"
#port = 3306
login = "radiususer"
password = "radiuspass"
# Database table configuration for everything except Oracle
radius_db = "radiusdb"
Uncomment the lines that read "sql" in the session, accounting and authorize sections
$ vi /etc/freeradius/sites-enabled/default
Uncomment sql in authorize{}
# See “Authorization Queries” in sql.conf
sql
Uncomment sql in accounting{}
# See “Accounting queries” in sql.conf
sql
Uncomment sql in session{}
# See “Simultaneous Use Checking Queries” in sql.conf
sql
Uncomment sql in post-auth{}
# See “Authentication Logging Queries” in sql.conf
sql
To test the configuration, stop the freeradius service:
$ service freeradius stop
Then run the freeradius debug console.
$ freeradius -X
If it comes back without any errors you can continue.
To enable remote authentication from a Mikrotik device edit /etc/freeradius/clients.conf
Add the following to the end of the file, changing the IP/Class as appropriate.
$ vi /etc/freeradius/clients.conf
client 10.0.0.0/24 {
    secret = mikrotest
    shortname = mikrotikpppoe
    nastype = mikrotik
}
Also edit /etc/freeradius/dictionary and add mikrotik:
$ vi /etc/freeradius/dictionary
and add:
$INCLUDE /usr/share/freeradius/dictionary.mikrotik
Restart FreeRadius
$ service freeradius restart
You can now log in with a web browser on http://<raspberry-ip>/daloradius
username: administrator
password: radius
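The steps above use placeholder credentials (radiuspass, mikrotest, the stock testing123 secret and the "John Doe" test user). The script below is an added example, not part of the original tutorial or of FreeRADIUS or daloRADIUS, that reports any of them still present in a config tree; the function names, arguments and output format are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): flag the placeholder
# credentials used on this page if they are still present in a live config.
# The function names, arguments and "FINDING:" format are made up here.

# has_setting FILE KEY VALUE -> true if FILE has an uncommented KEY = VALUE
# line (VALUE optionally double-quoted).
has_setting() {
    [ -f "$1" ] && grep -Eq \
        "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?$3\"?[[:space:]]*\$" "$1"
}

# audit_radius_defaults FREERADIUS_DIR [DALORADIUS_CONF]
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_radius_defaults() {
    dir=$1; dalo=${2:-}; found=0

    # Shared secrets: testing123 (stock localhost client), mikrotest (this page).
    for s in testing123 mikrotest; do
        if has_setting "$dir/clients.conf" secret "$s"; then
            echo "FINDING: clients.conf uses shared secret '$s'"; found=1
        fi
    done
    # Database password from the MySQL step.
    if has_setting "$dir/sql.conf" password radiuspass; then
        echo "FINDING: sql.conf uses database password 'radiuspass'"; found=1
    fi
    # File-based test account enabled for the radtest check.
    if [ -f "$dir/users" ] && grep -Eq '^"?John Doe"?[[:space:]]' "$dir/users"; then
        echo "FINDING: users still has the \"John Doe\" test account"; found=1
    fi
    # Same database password in the daloRADIUS PHP config.
    if [ -n "$dalo" ] && [ -f "$dalo" ] &&
       grep -Eq "^[^#/]*CONFIG_DB_PASS'\][[:space:]]*=[[:space:]]*'radiuspass'" "$dalo"; then
        echo "FINDING: daloradius.conf.php uses database password 'radiuspass'"; found=1
    fi
    # Credential files should not be world-readable.
    for f in clients.conf sql.conf; do
        if [ -n "$(find "$dir/$f" -perm -004 2>/dev/null)" ]; then
            echo "FINDING: $f is world-readable"; found=1
        fi
    done
    return "$found"
}

# Run against paths given on the command line, e.g.
#   sh audit.sh /etc/freeradius /var/www/daloradius/library/daloradius.conf.php
if [ "$#" -gt 0 ]; then audit_radius_defaults "$@"; fi
```

The daloRADIUS web login shown in the last step is stored in the database, not in these files, so this check does not cover it.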