https://arstech.net/daloradius-installation/
Daloradius Installation on CentOS 7
FreeRADIUS is the open source implementation of RADIUS, an IETF protocol for AAA (Authorisation, Authentication, and Accounting).
For troubleshooting, stop the radiusd service and run radiusd -X to see messages in real time with debug output.
====Base Install====
Disable SELinux
# setenforce 0
Edit file /etc/selinux/config and set:
SELINUX=disabled
# yum update
# yum install mariadb-server mariadb vim wget unzip
# yum install freeradius freeradius-utils freeradius-mysql httpd
# systemctl start httpd
# systemctl enable httpd
# systemctl enable radiusd
Start and enable MySQL service
# systemctl start mariadb
# systemctl enable mariadb
Harden the MariaDB installation and set a password for the root account
# mysql_secure_installation
# mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
FLUSH PRIVILEGES;
\q
Import SQL Database and Create a Soft Link
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
Install PHP
# yum install php mod_php php-cli php-mysqlnd php-devel php-gd php-mcrypt php-mbstring php-xml php-pear
# yum install php-dba
# pear channel-update pear.php.net
# pear install pear
# pear install --force DB
# apachectl restart
Configure Database Connection
# vim /etc/raddb/mods-available/sql
Set:
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"
    radius_db = "radius"
    read_clients = yes
    client_table = "nas"
}
# ln -sf /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
# chgrp -h radiusd /etc/raddb/mods-enabled/sql
Installing Daloradius GUI
# cd
# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# rm master.zip
# mv daloradius-master/ daloradius
# cd daloradius
Import Daloradius MySQL
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql
# cd ..
# mv daloradius /var/www/html
# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
Change MySQL Configuration
# vim /var/www/html/daloradius/library/daloradius.conf.php
Set the following to match the database created above (user radius, password radiuspassword, database radius):
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
Open FirewallD Ports
# firewall-cmd --zone=public --add-service=radius --permanent
# firewall-cmd --zone=public --add-service=http --permanent
# firewall-cmd --reload
Restart services
# systemctl restart radiusd
# systemctl restart mariadb
# systemctl restart httpd
Access the web interface
http://FQDN_OF_SERVER/daloradius/login.php
User: administrator
Pass: radius
These are the credentials daloRADIUS ships with; change the administrator password at first login.
====Client Configuration====
In daloRADIUS the devices/clients (switches, APs, etc.) are defined on the Management -> NAS page. You can configure a unique IP/shared secret for each switch/AP/etc., or use one shared secret and define the IP as a subnet instead of a single host. Note: you'll need to restart radiusd each time you add or modify a NAS device (with read_clients = yes the sql module loads the nas table only when radiusd starts).
Example for single device
NAS IP/Host: 10.10.200.42
NAS Secret: thisisthepassword
NAS Type: other
NAS Shortname: Your name for the device
Example for a subnet of devices
NAS IP/Host: 10.10.200.0/24
NAS Secret: thisisthepassword
NAS Type: other
NAS Shortname: Your name for the group of devices
If doing the same thing via the FreeRADIUS config file /etc/raddb/clients.conf instead:
client Your-name-for-the-device {
    ipaddr = 10.10.200.42
    secret = thisisthepassword
    nas_type = other
}
client Your-name-for-the-group-of-devices {
    ipaddr = 10.10.200.0/24
    secret = thisisthepassword
    nas_type = other
}
====User Configuration====
To add users in daloRADIUS go to Management -> Users -> New User and enter the information as follows:
Username: username
Password: user_password
Password Type: Cleartext-Password
In /etc/raddb/users you'd create a line such as
username Cleartext-Password := "user_password"
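To make concrete what the NAS Secret in the client entries and the Cleartext-Password in the user entry actually protect, here is an added Python example (not code from this page, FreeRADIUS or daloRADIUS) implementing the RFC 2865 mechanics that a NAS and the server perform with the shared secret: hiding the PAP User-Password inside an Access-Request, and computing and verifying the Response Authenticator of an Access-Accept so the NAS can tell whether a reply came from a server holding the same secret. The secret and the credentials are the constructed sample values used on this page; attribute and packet codes are the standard ones from RFC 2865.

```python
"""RFC 2865 shared-secret mechanics: PAP User-Password hiding and the
Response Authenticator. Added example, not code from the page, FreeRADIUS or
daloRADIUS. All sample values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # RADIUS packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18   # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each 16-octet block with MD5(secret + previous cipher block),
    seeding with the Request Authenticator. This is keyed obfuscation, not
    encryption: the shared secret is the only protection for the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16   # an empty password still occupies one block
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the server. Trailing NUL
    padding is stripped, so a password that itself ends in NULs is not supported."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes):
    """NAS side: a fresh random Request Authenticator plus User-Name and the
    hidden User-Password. Returns the packet and the authenticator the NAS
    must keep in order to check the reply."""
    authenticator = os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(code: int, identifier: int, request_authenticator: bytes,
                attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator. A mismatch means the
    reply was not produced with this secret for this request (wrong secret,
    spoofed or corrupted reply) and must be discarded."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def demo():
    """A genuine Access-Accept verifies; the same reply built with another
    secret (a NAS whose clients.conf secret does not match) does not."""
    secret = b"thisisthepassword"   # NAS Secret from the client entries above (constructed)
    _request, req_auth = build_access_request(7, b"username", b"user_password", secret)
    welcome = attribute(REPLY_MESSAGE, b"Welcome")
    genuine = build_reply(ACCESS_ACCEPT, 7, req_auth, welcome, secret)
    mismatched = build_reply(ACCESS_ACCEPT, 7, req_auth, welcome, b"othersecret")
    return reply_is_authentic(genuine, req_auth, secret), reply_is_authentic(mismatched, req_auth, secret)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two things follow from this for the configuration above. The hidden password is only as strong as the shared secret: anyone who holds the secret and a capture of the request can run reveal_password on it, which is why the secret should be long and unique per NAS rather than a single shared value across a subnet, and why EAP methods (the Certificates section) are preferred over PAP for user authentication. And the Response Authenticator is what makes a NAS with a mismatching secret silently discard replies, the usual symptom when a NAS entry was added in daloRADIUS but radiusd has not been restarted. RFC 2865 section 7.1 contains a fully worked packet that can be fed through these functions to confirm the implementation.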
====Certificates====
https://github.com/redBorder/freeradius/blob/master/raddb/certs/README
https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration
https://stackoverflow.com/questions/37906897/error-in-creating-certificates-for-eap-in-freeradius
MAKING A ROOT CERTIFICATE (run in the FreeRADIUS certs directory, /etc/raddb/certs on this install, which holds the Makefile and the ca.cnf/server.cnf/client.cnf templates)
$ vi ca.cnf
Edit the "default_days" and "default_crl_days" to be 3650 (choose something shorter once you have an actual process to manage certificates).
Edit the "input_password" and "output_password" fields to be the password for the CA certificate.
Edit the [certificate_authority] section to have the correct values for your country, state, etc.
$ make ca.pem
This step creates the CA certificate.
$ make ca.der
This step creates the DER format of the self-signed certificate, which can be imported into Windows.
MAKING A SERVER CERTIFICATE
$ vi server.cnf
Edit the "default_days" and "default_crl_days" to be 3650 (choose something shorter once you have an actual process to manage certificates).
Edit the "input_password" and "output_password" fields to be the password for the server certificate.
Edit the [server] section to have the correct values for your country, state, etc. Be sure that the commonName field here is different from the commonName for the CA certificate.
$ make server.pem
This step creates the server certificate.
If you have an existing certificate authority, and wish to create a certificate signing request for the server certificate, edit server.cnf as above, and type the following command.
$ make server.csr
You will have to ensure that the certificate contains the XP extensions needed by Microsoft clients.
MAKING A CLIENT CERTIFICATE
Client certificates are used by EAP-TLS, and optionally by EAP-TTLS and PEAP. The following steps outline how to create a client certificate that is signed by the server certificate created above.
You will have to have the password for the server certificate in the "input_password" and "output_password" fields of the server.cnf file.
$ vi client.cnf
Edit the "default_days" and "default_crl_days" to be 3650 (choose something shorter once you have an actual process to manage certificates).
Edit the "input_password" and "output_password" fields to be the password for the client certificate. You will have to give these passwords to the end user who will be using the certificates.
Edit the [client] section to have the correct values for your country, state, etc. Be sure that the commonName field here is the User-Name that will be used for logins!
$ make client.pem
The user's certificate will be in "emailAddress.pem", i.e. "user@example.com.pem".
To create another client certificate, just repeat the steps for making a client certificate, being sure to enter a different login name for "commonName", and a different password.
The password that you used in server.cnf needs to be set in /etc/raddb/mods-enabled/eap:
private_key_password = same as input_password/output_password in server.cnf
Then restart radiusd:
# systemctl restart radiusd
====Certificates with Windows Clients====
http://freeradius.1045715.n5.nabble.com/eap-peap-TLS-Alert-read-fatal-unknown-CA-td5747216.html
https://www.draytek.com/en/faq/faq-wlan/wlan.vigorap/how-to-set-up-windows-7-clients-not-to-validate-server-certificate-when-doing-802.1x-authentication/
As of 04/05/19 Windows 10, current iOS and BlackBerry OS 10 work with self-signed certificates. Windows 10 and iOS will prompt you to accept the certificate.
Windows 7 will not prompt for self-signed certificates and will fail to connect. Either install the certificate on the computer or disable certificate verification for that wireless connection.
* On Windows 7 wireless clients, go to Control Panel >> Network and Sharing Center >> Set up a new connection or network
* Select Manually connect to a wireless network, then click Next
* Enter the SSID in Network name, select WPA2-Enterprise as Security type, and then click Next.
* Click Change connection settings
* In the Security tab, click Settings and un-check Validate server certificate. Click Configure... and un-check Automatically use my Windows logon name and password (and domain if any), then click OK.
* Click Advanced settings, enable Specify authentication mode, choose User or computer authentication, then click OK.
* After finishing the settings, connect to the wireless network.
* When prompted for credentials, type the username/password configured on the RADIUS server; you will then join the network.
====Dynamic VLAN Assignment====
This is used to assign VLAN membership based on the user login.
This was tested with a UniFi controller.
https://community.ubnt.com/t5/UniFi-Wireless/UniFi-amp-FreeRadius-Dynamic-VLAN/td-p/2291038
https://community.ubnt.com/t5/UniFi-Wireless/I-need-help-setting-up-dynamic-vlan-assignment/td-p/1661658
https://freeradius.org/rfc/rfc2868.html#Tunnel-Type
https://wiki.freeradius.org/config/Operators
Edit the inner-tunnel config file to enable the tunneled reply:
vim /etc/raddb/sites-available/inner-tunnel
Change the "if (0)" to "if (1)" as shown below
# Instead of "use_tunneled_reply", change this "if (0)" to an
# "if (1)".
#
if (1) {
    #
    # These attributes are for the inner-tunnel only,
    # and MUST NOT be copied to the outer reply.
    #
    update reply {
        User-Name !* ANY
        Message-Authenticator !* ANY
        EAP-Message !* ANY
        Proxy-State !* ANY
        MS-MPPE-Encryption-Types !* ANY
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
    }
    #
    # Copy the inner reply attributes to the outer
    # session-state list. The post-auth policy will take
    # care of copying the outer session-state list to the
    # outer reply.
    #
    update {
        &outer.session-state: += &reply:
    }
}
In /etc/raddb/users the entry below would put user joe on VLAN 18 (the reply attributes go on indented continuation lines, each but the last ending with a comma):
joe Cleartext-Password := "thispasswordissecure"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-ID = 18
In daloRADIUS, to add the VLAN attributes to a user open the "Attributes" tab -> use "quickly locate attribute..." to find the following and add the info as below
Tunnel-Type: 13
Op: :=
Target: reply/check
Tunnel-Medium-Type: 6
Op: :=
Target: reply/check
Tunnel-Private-Group-ID: 18
Op: :=
Target: reply/check
In the UniFi controller go to Settings -> Profiles -> Your_freeradius_Profile -> check the boxes "Enable RADIUS assigned VLAN..."
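The users-file entry and the daloRADIUS attribute form are two views of the same data: check items that gate the request and reply items (here the three tunnel attributes) that go back to the NAS, stored by daloRADIUS in the radcheck and radreply tables that the sql module configured earlier reads. The following added Python example (not code from this page, FreeRADIUS or daloRADIUS) parses a users-file entry into those two item lists and stores and reloads them through parameterised queries against an in-memory SQLite copy of the two tables. The parser covers the entry syntax shown above (first line: username plus check items; indented continuation lines: comma-separated reply items) rather than the whole users-file grammar, and the two-table schema is a constructed subset of the FreeRADIUS schema columns.

```python
"""Parse a FreeRADIUS 'users' entry into check/reply items and store them
as radcheck/radreply rows. Added example, not code from the page, FreeRADIUS
or daloRADIUS; covers the entry syntax shown above only (no Fall-Through,
DEFAULT or multi-entry handling). Sample entry and schema are constructed."""
import re
import sqlite3
from typing import List, Tuple

Item = Tuple[str, str, str]   # (attribute, operator, value)

# Two-character operators first so ':=' is not read as a stray ':' plus '='.
OPERATORS = ("=*", "!*", ":=", "+=", "==", "!=", "<=", ">=", "=~", "!~", "=", "<", ">")
ITEM_RE = re.compile(
    r'\s*(?P<attr>[A-Za-z0-9._-]+)\s*'
    r'(?P<op>' + "|".join(re.escape(o) for o in OPERATORS) + r')\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^,\s]+))\s*(?:,|$)')

# Constructed subset of the FreeRADIUS radcheck/radreply columns.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
"""


def parse_items(text: str) -> List[Item]:
    """Parse 'Attr op value, Attr op value' into items. Quoted values may
    contain backslash escapes; bare values end at a comma or whitespace."""
    items: List[Item] = []
    text = text.strip()
    pos = 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at: {text[pos:]!r}")
        if m.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        else:
            value = m.group("bare")
        items.append((m.group("attr"), m.group("op"), value))
        pos = m.end()
    return items


def parse_users_entry(entry: str) -> Tuple[str, List[Item], List[Item]]:
    """First line: username at column 0 followed by check items. Every
    following line must be indented and carries reply items; each reply
    line but the last ends with a comma."""
    lines = [ln for ln in entry.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or lines[0][0].isspace():
        raise ValueError("entry must start with a username in column 0")
    head = re.match(r"(\S+)\s*(.*)", lines[0])
    username, check_text = head.group(1), head.group(2)
    for ln in lines[1:]:
        if not ln[0].isspace():
            raise ValueError(f"reply line is not indented: {ln!r}")
    reply_text = " ".join(ln.strip() for ln in lines[1:])
    return username, parse_items(check_text), parse_items(reply_text)


def store_user(conn: sqlite3.Connection, username: str,
               check: List[Item], reply: List[Item]) -> None:
    """Parameterised inserts; the table name comes from a fixed tuple, never from input."""
    for table, items in (("radcheck", check), ("radreply", reply)):
        conn.executemany(
            f"INSERT INTO {table} (username, attribute, op, value) VALUES (?, ?, ?, ?)",
            [(username, attr, op, value) for attr, op, value in items])


def load_user(conn: sqlite3.Connection, username: str) -> Tuple[List[Item], List[Item]]:
    """What the sql module's authorize queries fetch: check items gate the
    request, reply items (here the VLAN attributes) go back to the NAS."""
    def rows(table: str) -> List[Item]:
        return conn.execute(
            f"SELECT attribute, op, value FROM {table} WHERE username = ? ORDER BY id",
            (username,)).fetchall()
    return rows("radcheck"), rows("radreply")


# Constructed sample: the VLAN 18 entry from the text, with tab-indented reply lines.
SAMPLE_ENTRY = '''joe Cleartext-Password := "thispasswordissecure"
\tTunnel-Type = 13,
\tTunnel-Medium-Type = 6,
\tTunnel-Private-Group-ID = 18
'''


def demo() -> Tuple[List[Item], List[Item]]:
    username, check, reply = parse_users_entry(SAMPLE_ENTRY)
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    store_user(conn, username, check, reply)
    return load_user(conn, username)


if __name__ == "__main__":
    print(demo())
```

The three tunnel attributes land in radreply with the operator written in the entry; in the daloRADIUS form above that is the Target (check or reply) and Op columns. For reply items the operator matters: = adds the attribute only if the reply does not already carry one of that name, while := replaces any existing value, which is why the form uses := to make the VLAN assignment authoritative (see the Operators wiki page linked above).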
====phpMyadmin====
Because editing databases are fun, like playing Russian roulette...
https://www.liquidweb.com/kb/how-to-install-and-configure-phpmyadmin-on-centos-7/
rpm -iUvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y update
yum -y install phpmyadmin
vim /etc/httpd/conf.d/phpMyAdmin.conf
By default, the phpMyAdmin configuration only allows access from the server on which it is installed. Find the following sections and change each 127.0.0.1 to the IP address of the host that will be connecting to phpMyAdmin remotely:
Require ip 127.0.0.1
Allow from 127.0.0.1
Require ip 127.0.0.1
Allow from 127.0.0.1
Then save and exit the file with the command :wq
Restart Apache:
systemctl restart httpd
Fix the missing columns so accounting will start working:
https://sourceforge.net/p/daloradius/discussion/684102/thread/56b11486/?limit=25
Use phpMyAdmin to edit the radius database.
radius -> radacct -> new -> create the following 2 columns
name: acctupdatetime (Type=DATETIME, Default=NULL, NULL box checked)
name: acctinterval (Type=INT, Length/Values=12, Default=NULL, NULL box checked)