Build and configure FreeRADIUS 3 with SQLITE support
Good day, dear.
I want to share with you the solution of one creative task. I hope someone will be useful.
So,
low-power hardware with an arm processor and assembled for it and installed by Debian 7 wheezy.
put FreeRADIUS 3.0.X, configure it to work with SQLITE database. That is, user accounts (which need to be authenticated) RADIUS must be taken from the SQLITE database.
The figure shows a high-level diagram of the interaction of components.
')
Why did I decide to describe this solution?
Faced with this task and starting to google, I was surprised that there are simply no detailed descriptions of the freeradius build, much less with SQLITE support. Therefore, I decided to take notes on myself and others.
Consists of 3 parts:
1) Build Freeradius 3.0.3 (I chose this version, in later versions everything will look similar) with SQLite support;
2) Configuring the Freeradius and SQLite bundles;
3) Setting up a server on which users are authenticated (in the picture above - “server”).
To successfully build radius 3.0.3, you need to complete the following steps:
1.1 Download the source code: ftp.freeradius.org/pub/freeradius/old/freeradius-server-3.0.3.tar.gz , unpack into a separate folder;
1.2 Install the following packages via apt-get: libtalloc2, libtalloc-dev, libssl-dev, libperl-dev, libpam0g-dev, libsqlite3-dev, libgdbm-dev (if you need support for other databases, you must deliver the corresponding dev package, for example mysql -dev);
1.3 Go to the folder with the unpacked archive with source codes and, trivially,
If the first time ./configure does not work out, it is possible that the system still lacks some packages, read the output carefully and install them.
To configure the freeradius + sqlite bundle, follow these steps:
2.1.1 Create a sqlite database and schema in the database with which radius will work:
/etc/raddb/sqlite_rad.db is the path to the database file, you can place it in any convenient place.
2.1.2 Create a user UZ in the database:
With the above query in the database, we fill in the radcheck table, which stores information about the UZ of users with the following information:
Unique user ID = 1; username = user; attribute KM = Cleartext-Password; operator = “: =”; attribute value = “secret”. If in Russian, then we set the password for the UZ user, which will be stored as plaintext and its value is “secret”. More details about attribute-value pairs (av pair) and comparison operators can be found in the official documentation for radius and unlang. freeradius.org/radiusd/man/unlang.html
2.2.1 Configuration files of all available radius modules are in / etc / raddb / mods-available. To enable them, you need to create a link to the module in the / etc / raddb / mods-enabled folder:
2.2.2 Edit / etc / raddb / mods-enabled / sql, as follows:
The variable filename should point to the database file created in clause 2.1.1.
2.2.3 Register the client radius, i.e. that server (or network equipment) whose users will be authenticated through this radius. To do this, add the lines to the /etc/raddb/clients.conf file:
The secret in this case is the secret word radius by which it authenticates the client.
shortname is an arbitrary “short name”, this value can even be omitted.
2.2.4 Check that in the “authorize” section of the / etc / raddb / sites-enabled / default file there is a “-sql”:
3.1 Install the pam_radius package on the client:
3.2 In the /etc/pam_radius_auth.conf file on the client, add the line:
where other-server is the IP address of the server radius, other-secret is the secret word from item 2.2.3 of the settings:
3.3 In the /etc/pam.d/sshd file above the lines
add line
That's all. Launch RADIUS and enjoy PROFIT.
I want to share with you the solution of one creative task. I hope someone will be useful.
So,
DANO:
low-power hardware with an arm processor and assembled for it and installed by Debian 7 wheezy.
TASK:
put FreeRADIUS 3.0.X, configure it to work with SQLITE database. That is, user accounts (which need to be authenticated) RADIUS must be taken from the SQLITE database.
The figure shows a high-level diagram of the interaction of components.
')
Why did I decide to describe this solution?
Faced with this task and starting to google, I was surprised that there are simply no detailed descriptions of the freeradius build, much less with SQLITE support. Therefore, I decided to take notes on myself and others.
DECISION:
Consists of 3 parts:
1) Build Freeradius 3.0.3 (I chose this version, in later versions everything will look similar) with SQLite support;
2) Configuring the Freeradius and SQLite bundles;
3) Setting up a server on which users are authenticated (in the picture above - “server”).
1 Build Freeradius 3.0.3 with SQLite support
To successfully build radius 3.0.3, you need to complete the following steps:
1.1 Download the source code: ftp.freeradius.org/pub/freeradius/old/freeradius-server-3.0.3.tar.gz , unpack into a separate folder;
1.2 Install the following packages via apt-get: libtalloc2, libtalloc-dev, libssl-dev, libperl-dev, libpam0g-dev, libsqlite3-dev, libgdbm-dev (if you need support for other databases, you must deliver the corresponding dev package, for example mysql -dev);
1.3 Go to the folder with the unpacked archive with source codes and, trivially,
./configure make checkinstall If the first time ./configure does not work out, it is possible that the system still lacks some packages, read the output carefully and install them.
2 Setting up a bunch of Freeradius and SQLite
To configure the freeradius + sqlite bundle, follow these steps:
2.1 Create and configure a sqlite user database
2.1.1 Create a sqlite database and schema in the database with which radius will work:
sqlite3 /etc/raddb/sqlite_rad.db < /etc/raddb/mods-config/sql/main/sqlite/schema.sql /etc/raddb/sqlite_rad.db is the path to the database file, you can place it in any convenient place.
2.1.2 Create a user UZ in the database:
sqlite3 /etc/raddb/sqlite_rad.db insert into radcheck values ('1','user','Cleartext-Password',':=','secret'); With the above query in the database, we fill in the radcheck table, which stores information about the UZ of users with the following information:
Unique user ID = 1; username = user; attribute KM = Cleartext-Password; operator = “: =”; attribute value = “secret”. If in Russian, then we set the password for the UZ user, which will be stored as plaintext and its value is “secret”. More details about attribute-value pairs (av pair) and comparison operators can be found in the official documentation for radius and unlang. freeradius.org/radiusd/man/unlang.html
2.2 Configure freeradius:
2.2.1 Configuration files of all available radius modules are in / etc / raddb / mods-available. To enable them, you need to create a link to the module in the / etc / raddb / mods-enabled folder:
cd /etc/raddb/mods-enabled ln -s /etc/raddb/mods-available/sql sql 2.2.2 Edit / etc / raddb / mods-enabled / sql, as follows:
sql { ………… driver = "rlm_sql_sqlite" ………… sqlite { filename = "/etc/raddb/sqlite_rad.db" } ………… dialect = "sqlite" ……….. The variable filename should point to the database file created in clause 2.1.1.
2.2.3 Register the client radius, i.e. that server (or network equipment) whose users will be authenticated through this radius. To do this, add the lines to the /etc/raddb/clients.conf file:
client 192.168.0.4 { secret = testing123 shortname = new_server } The secret in this case is the secret word radius by which it authenticates the client.
shortname is an arbitrary “short name”, this value can even be omitted.
2.2.4 Check that in the “authorize” section of the / etc / raddb / sites-enabled / default file there is a “-sql”:
authorize { ........ -sql ........ 3 Configuring a RADIUS Client
3.1 Install the pam_radius package on the client:
apt-get install libpam-radius-auth 3.2 In the /etc/pam_radius_auth.conf file on the client, add the line:
other-server other-secret 3 where other-server is the IP address of the server radius, other-secret is the secret word from item 2.2.3 of the settings:
192.168.0.2 testing123 3 3.3 In the /etc/pam.d/sshd file above the lines
# Standard Un*x authentication. @include common-auth add line
auth sufficient pam_radius_auth.so That's all. Launch RADIUS and enjoy PROFIT.
Source: https://habr.com/ru/post/274251/
All Articles