Install FreeRADIUS on CentOS 5 and 6, using MySQL, with NT-Hash passwords for WiFi routers

Install FreeRADIUS
# source http://safesrv.net/install-and-setup-freeradius-on-centos-5/

CentOS 5:
 yum install freeradius2 freeradius2-mysql freeradius2-utils mysql-server -y
CentOS 6:
 yum install freeradius freeradius-mysql freeradius-utils mysql-server -y

They should install without any problems. To set up MySQL, start the service by running the following:

CentOS:
 service mysqld start

Now run the following to set your password and security settings:

 /usr/bin/mysql_secure_installation
mysql -uroot -p
 CREATE DATABASE radius;
 GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
 flush privileges;
mysql> use radius;
CentOS:
 SOURCE /etc/raddb/sql/mysql/schema.sql
Now open up /etc/raddb/sql.conf and enter the MySQL database details you just created. Example:

# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"

# Database table configuration for everything except Oracle
radius_db = "radius"

In /etc/raddb/radiusd.conf ensure that the line saying:
$INCLUDE sql.conf
is uncommented.
Edit /etc/raddb/sites-available/default and uncomment the line containing 'sql' in the authorize {} section and in the accounting {} section; also uncomment 'sql' under session {}.
Additionally, edit /etc/raddb/sites-available/inner-tunnel and uncomment the line containing 'sql' under authorize {} and under session {}.
Open up /etc/raddb/clients.conf and set your secret to something a bit more random. For example, change:
secret = testing123
to something like:
secret = 3c23498n349c3yt290y93b4t3
service radiusd restart
 service radiusd stop
To add clients (external VPN servers) you would edit CentOS: /etc/raddb/clients.conf (Ubuntu: /etc/freeradius/clients.conf) and directly under this line:

 # coa_server = coa
 }
add a block such as this:
client VPN_SERVER_IP {
        secret = YOUR SECRET HERE
        shortname = yourVPN
        nastype = other
}

This is what allows external servers and software to authenticate against your FreeRADIUS; it has to be done every time you set up a new external server to use this FreeRADIUS database.

Every time you add a client or change a value in the config files you need to restart FreeRADIUS like this:

CentOS:

service radiusd restart

Add a test user to the radius database. First you need to log in to your MySQL radius database:
mysql -uroot -pyourrootpass

Switch to the radius database:

use radius;

Once there execute the below commands:

# overview of the user table

mysql> desc radcheck;
+-----------+--------------+------+-----+--------------------+----------------+
| Field     | Type         | Null | Key | Default            | Extra          |
+-----------+--------------+------+-----+--------------------+----------------+
| id        | int(11)      | NO   | PRI | NULL               | auto_increment |
| username  | varchar(64)  | NO   | MUL |                    |                |
| attribute | varchar(64)  | YES  |     | Cleartext-Password |                |
| op        | char(2)      | YES  |     | :=                 |                |
| value     | varchar(253) | NO   |     |                    |                |
+-----------+--------------+------+-----+--------------------+----------------+
5 rows in set (0.04 sec)

If you want plain-text passwords you can use this:

mysql> INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','Cleartext-Password',':=','test');
radtest test test 127.0.0.1 0 mysecret

(The last argument is the shared secret configured for 127.0.0.1 in clients.conf.)
If you see "rad_recv: Access-Accept" then your installation is working fine.

If you want to use NT-Hash passwords instead, that is safer than plain text, though not 100% safe: NT-Password is an unsalted MD4 hash of the UTF-16LE password, so the table contents still have to be protected like credentials.

INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','NT-Password',':=','0CB6948805F797BF2A82807973B89537');

(The `id` column is auto_increment and can be left out; reusing 1 will fail with a duplicate key if the plain-text test user above still exists.)

With the following Perl script you can add users with an NT-Hash password to the MySQL table. Perl and a few libraries are required, so first run:

yum install perl-Crypt-SmbHash.noarch perl-Class-DBI-mysql.noarch libdbi-dbd-mysql.x86_64

(raduseradd.cgi)
 
#!/usr/bin/perl
# script by Marcel Kraan
# Adds a user to the FreeRADIUS radcheck table with an NT-Password hash.
use strict;
use warnings;
use DBI;
use Crypt::SmbHash;   # provides ntlmgen()

my $dserver   = "localhost";
my $ddatabase = "radius";
my $duser     = "radius";
my $dpassword = "radpass";

my $dbh = DBI->connect("DBI:mysql:database=$ddatabase;host=$dserver", $duser, $dpassword)
    || die "login/dbase/passwd/host error: $DBI::errstr";

my $username = $ARGV[0];
my $password = $ARGV[1];
if ( !defined $password ) {
        print "Not enough arguments\n";
        print "Usage: $0 username password\n";
        exit 1;
}
# Compute the LM and NT hashes of the password; only the NT hash is stored.
my ($lm, $nt);
ntlmgen $password, $lm, $nt;

# The queries use bind placeholders (?) so the username is never spliced into the SQL text.
my $usercheck = lookup_user($dbh, $username);

if ($usercheck) {
        print "user: $username already exists\n";
} else {
        useradd($dbh, $username, $nt);
        my $doublecheck = lookup_user($dbh, $username);
        if ($doublecheck) {
                print "user $username successfully added to the database\n";
        }
}
$dbh->disconnect;

# Return the username if a radcheck row exists for it, undef otherwise.
sub lookup_user {
        my ($dbh, $name) = @_;
        my $sth = $dbh->prepare("SELECT username FROM radcheck WHERE username = ?");
        die $dbh->errstr unless $sth && $sth->execute($name);
        my $found;
        while (my @row = $sth->fetchrow_array) {
                $found = $row[0];
        }
        return $found;
}

# Insert the NT-Password row; op ':=' is the default shown by "desc radcheck" above.
sub useradd {
        my ($dbh, $name, $nthash) = @_;
        my $sth = $dbh->prepare("INSERT INTO radcheck (username,attribute,op,value) VALUES (?,'NT-Password',':=',?)");
        die $dbh->errstr unless $sth && $sth->execute($name, $nthash);
}

If you have any problems with FreeRADIUS you can run FreeRADIUS in debug mode to help pinpoint any issues, to do that just do the following:
CentOS:

 service radiusd stop
 radiusd -X