Install FreeRADIUS on CentOS 5 and 6, Using MySQL, with NT-Hash Passwords for Wi-Fi Routers
Install FreeRADIUS
# source http://safesrv.net/install-and-setup-freeradius-on-centos-5/
CentOS 5: yum install freeradius2 freeradius2-mysql freeradius2-utils mysql-server -y
CentOS 6: yum install freeradius freeradius-mysql freeradius-utils mysql-server -y
They should install without any problems. To set up MySQL, start the service by running the command below:
CentOS: service mysqld start
Now run the following to set your password and security settings:
/usr/bin/mysql_secure_installation
mysql -uroot -p
mysql> CREATE DATABASE radius;
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
mysql> flush privileges;
mysql> use radius;
CentOS: SOURCE /etc/raddb/sql/mysql/schema.sql
Now open up CentOS: /etc/raddb/sql.conf and enter the MySQL database details you just created. Example:
# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
In /etc/raddb/radiusd.conf ensure that the line saying:
$INCLUDE sql.conf is uncommented.
Edit /etc/raddb/sites-available/default and uncomment the line containing 'sql' in the authorize {} section and in the accounting {} section; also uncomment 'sql' under session {}.
Additionally, edit /etc/raddb/sites-available/inner-tunnel and uncomment the line containing 'sql' under authorize {} and under session {}.
Open up /etc/raddb/clients.conf and set your secret to something a bit more random. For example, change:
secret = testing123
to something like:
secret = 3c23498n349c3yt290y93b4t3
service radiusd restart
service radiusd stop
To add clients (external VPN servers), edit CentOS: /etc/raddb/clients.conf (Ubuntu: /etc/freeradius/clients.conf) and, directly under this line:
# coa_server = coa
}
add a block such as this:
client VPN_SERVER_IP {
    secret = YOUR SECRET HERE
    shortname = yourVPN
    nastype = other
}
This is what allows external servers and software to authenticate against your FreeRADIUS; it has to be done for every external server you set up to use this FreeRADIUS database.
Every time you add a client or change a value in the config files, you need to restart radius like this:
CentOS:
service radiusd restart
Add a test user to the radius database, first you need to login to your mysql radius database:
mysql -uroot -pyourrootpass
Switch to the radius database:
use radius;
Once there execute the below commands:
# overview of the user table
mysql> desc radcheck;
+-----------+--------------+------+-----+--------------------+----------------+
| Field     | Type         | Null | Key | Default            | Extra          |
+-----------+--------------+------+-----+--------------------+----------------+
| id        | int(11)      | NO   | PRI | NULL               | auto_increment |
| username  | varchar(64)  | NO   | MUL |                    |                |
| attribute | varchar(64)  | YES  |     | Cleartext-Password |                |
| op        | char(2)      | YES  |     | :=                 |                |
| value     | varchar(253) | NO   |     |                    |                |
+-----------+--------------+------+-----+--------------------+----------------+
5 rows in set (0.04 sec)
If you want plain-text passwords you can use this:
mysql> INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','Cleartext-Password',':=','test');
Then test the login from the server itself (the last argument is the shared secret of the localhost client in clients.conf):
radtest test test 127.0.0.1 0 mysecret
If you see “rad_recv: Access-Accept” then your installation is working fine.
If you want to use an NT-Hash password instead, it is safer than plain text (though not fully secure, as the hash is unsalted):
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','NT-Password',':=','0CB6948805F797BF2A82807973B89537');
With the following script you can add users to the MySQL table (Perl and the following libraries are required):
yum install perl-Crypt-SmbHash.noarch perl-Class-DBI-mysql.noarch libdbi-dbd-mysql.x86_64
(raduseradd.cgi download here)
#!/usr/local/bin/perl
# script by Marcel Kraan
# Usage: raduseradd.cgi username password
# Adds the user to radcheck with an NT-Password (NT hash) check item.
use strict;
use warnings;
use DBI;
use Crypt::SmbHash;

my $dserver   = "localhost";
my $ddatabase = "radius";
my $duser     = "radius";
my $dpassword = "radpass";

my $dbh = DBI->connect("DBI:mysql:database=$ddatabase;host=$dserver",
                       $duser, $dpassword)
    || die "login/dbase/passwd/host error";

my $username = $ARGV[0];
my $password = $ARGV[1];
if ( !$password ) {
    print "Not enough arguments\n";
    print "Usage: $0 username password\n";
    exit 1;
}

# ntlmgen fills $lm with the LM hash and $nt with the NT hash of the password
my ($lm, $nt);
ntlmgen $password, $lm, $nt;

my $usercheck = lookup_user($username);
if ($usercheck) {
    print "user: $username already exist\n";
} else {
    useradd();
    my $doublecheck = lookup_user($username);
    if ($doublecheck) {
        print "user $username successfully added to the database\n";
    }
}

# Bind the username as a parameter instead of interpolating it into the SQL
sub lookup_user {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT username FROM radcheck WHERE username = ?");
    die $dbh->errstr unless $sth && $sth->execute($name);
    my $found;
    while (my @row = $sth->fetchrow_array) { $found = $row[0]; }
    return $found;
}

# op is set explicitly to ':=' so the row is a control item, as in the INSERT examples above
sub useradd {
    my $sth = $dbh->prepare(
        "INSERT INTO radcheck (username,attribute,op,value) VALUES (?,'NT-Password',':=',?)");
    die $dbh->errstr unless $sth && $sth->execute($username, $nt);
}
If you have any problems with FreeRADIUS you can run it in debug mode to help pinpoint any issues. To do that, just do the following:
CentOS:
service radiusd stop
radiusd -X