Ubuntu 20.04 Install FreeRADIUS

Prerequisites

Update and upgrade your system packages;

apt update
apt upgrade

Install LAMP Stack on Ubuntu 20.04 by following the link below;

Install other required PHP Modules;

apt install php-gd php-mail php-mail-mime php-mysql php-pear php-db php-mbstring php-x

Install and Configure FreeRADIUS on Ubuntu 20.04

Installing FreeRADIUS

Once all the prerequisites above are met, proceed to install FreeRADIUS on Ubuntu 20.04. FreeRADIUS 3.0.x is the latest stable release series as of this writing and is available in the default Ubuntu 20.04 repositories.

To install FreeRADIUS and other FreeRADIUS utilities including MySQL database backend utilities on Ubuntu 20.04, execute the command below;

apt install freeradius freeradius-mysql freeradius-utils

Running FreeRADIUS in Debug Mode

Usually, FreeRADIUS is expected to run well with the default configuration settings once the installation is done. To verify this, run FreeRADIUS in debugging mode and confirm that it is ready to process requests.

Before you can run FreeRADIUS in debugging mode, you need to stop its service first (started automatically after install);

systemctl stop freeradius

Once that is done, run FreeRADIUS in debugging mode;

freeradius -X

If FreeRADIUS is running as expected, you should see a line, Ready to process requests.

   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59191
Listening on proxy address :: port 33772
Ready to process requests

Stop the debugging mode by pressing Ctrl+C.

Start and enable FreeRADIUS to run on system boot;

systemctl enable --now freeradius

Open FreeRADIUS on Firewall

FreeRADIUS uses UDP port 1812 for authentication and authorization and UDP port 1813 as the accounting port. Therefore, if UFW is running, open these ports;

ufw allow to any port 1812 proto udp
ufw allow to any port 1813 proto udp

Confirm that the ports are open by running the command below;

ss -alun4 | grep -E ':1812|:1813'
UNCONN  0       0               127.0.0.1:18120          0.0.0.0:*              
UNCONN  0       0                 0.0.0.0:1812           0.0.0.0:*              
UNCONN  0       0                 0.0.0.0:1813           0.0.0.0:*
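
The ss listing above only shows that the sockets exist. The script below, added here and not part of the original guide, parses `ss -alun` output and checks what a practitioner actually cares about: that auth (1812) and acct (1813) are bound on a network-facing address, and that the inner-tunnel listener on 18120 stays on loopback, which is how the debug output above shows it. It handles both IPv4 and IPv6 lines (the `-4` flag used above hides the latter). The `ss` lines embedded in it are constructed samples, and the function names are hypothetical:

```sh
#!/bin/sh
# Added check, not part of the original guide: parse `ss -alun` output and
# confirm the FreeRADIUS listeners look right. All input below is constructed
# sample text, not captured from a real host.

# Healthy layout: auth/acct on all addresses, inner-tunnel on loopback only.
SAMPLE_SS_OK='UNCONN 0 0 127.0.0.1:18120 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1812 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1813 0.0.0.0:*
UNCONN 0 0 [::]:1812 [::]:*
UNCONN 0 0 [::]:1813 [::]:*'

# Faulty layout: accounting missing, inner-tunnel exposed on all interfaces.
SAMPLE_SS_BAD='UNCONN 0 0 0.0.0.0:18120 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1812 0.0.0.0:*'

# listeners_for PORT: read ss output on stdin, print each local address
# bound to UDP PORT (the port is whatever follows the last colon).
listeners_for() {
    awk -v p="$1" '$1 == "UNCONN" {
        n = split($4, a, ":"); port = a[n]
        if (port == p) print substr($4, 1, length($4) - length(port) - 1)
    }'
}

# is_loopback ADDR: true for 127.x.x.x or [::1] as ss prints them.
is_loopback() {
    case "$1" in 127.*|"[::1]") return 0 ;; *) return 1 ;; esac
}

# check_radius_listeners: read ss output on stdin and succeed only if
#   - udp/1812 (auth) and udp/1813 (acct) are bound on a non-loopback address,
#   - udp/18120 (inner-tunnel virtual server) is bound on loopback only.
check_radius_listeners() {
    input=$(cat)
    rc=0
    for port in 1812 1813; do
        reachable=0
        for addr in $(printf '%s\n' "$input" | listeners_for "$port"); do
            is_loopback "$addr" || reachable=1
        done
        if [ "$reachable" -eq 0 ]; then
            echo "udp/$port is not bound on a network-facing address" >&2
            rc=1
        fi
    done
    for addr in $(printf '%s\n' "$input" | listeners_for 18120); do
        if ! is_loopback "$addr"; then
            echo "inner-tunnel udp/18120 is exposed on $addr; it should stay on 127.0.0.1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Live use:   ss -alun | check_radius_listeners
# Demo against the constructed samples:
printf '%s\n' "$SAMPLE_SS_OK"  | check_radius_listeners && echo "sample OK: listeners are as expected"
printf '%s\n' "$SAMPLE_SS_BAD" | check_radius_listeners || echo "sample BAD: rejected as expected"
```

On a live host, pipe the real listing in with `ss -alun | check_radius_listeners`; a non-zero exit means either a firewall/bind problem for the client-facing ports or an inner-tunnel listener that has been widened beyond loopback.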

Create FreeRADIUS MySQL Database and Database User

Log in to the MySQL server and create the FreeRADIUS database;

mysql -u root -p
create database radiusdb;

Create the FreeRADIUS database user and grant it all privileges on the database created above;

create user radiusadmin@localhost identified by 'myStr0nP@ssW0rd';
grant all on radiusdb.* to radiusadmin@localhost;

Reload the privilege tables to apply the changes, then exit the database;

flush privileges;
quit

Create FreeRADIUS SQL Schema

FreeRADIUS ships with a default database schema located at /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql. Import this schema into the FreeRADIUS database created above;

mysql -u root -p radiusdb < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Configuring FreeRADIUS to use SQL

To configure FreeRADIUS to use SQL modules, open the SQL module configuration file;

vim /etc/freeradius/3.0/mods-available/sql

Set the SQL dialect to mysql, and define the FreeRADIUS database connection settings as created above.

...
sql {
        #
        #  The dialect of SQL being used.
        #
        #  Allowed dialects are:
        #
        #       mssql
...
        dialect = "mysql"

        # The driver module used to execute the queries.
        #driver = "rlm_sql_null"
        driver = "rlm_sql_${dialect}"
...
        # Connection info:
        #
        server = "localhost"
        port = 3306
        login = "radiusadmin"
        password = "myStr0nP@ssW0rd"
...
        # Database table configuration for everything except Oracle
        radius_db = "radiusdb"
...

The MySQL driver section enforces the use of TLS certificates for the database connection by default. In this demo we do not use TLS certificates, so the MySQL TLS section is commented out;

...
        mysql {
                # If any of the files below are set, TLS encryption is enabled
                #tls {
                #       ca_file = "/etc/ssl/certs/my_ca.crt"
                #       ca_path = "/etc/ssl/certs/"
                #       certificate_file = "/etc/ssl/certs/private/client.crt"
                #       private_key_file = "/etc/ssl/certs/private/client.key"
                #       cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
                #
                #       tls_required = yes
                #       tls_check_cert = no
                #       tls_check_cert_cn = no
                #}

...

Enable the FreeRADIUS server to read clients from the database by uncommenting (removing the leading hash from) the line #read_clients = yes.

...
        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.
        read_clients = yes
...

Next, enable the SQL module by creating a symbolic link of SQL mods-available to mods-enabled;

ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Change the owner and group of the enabled SQL module (the symbolic link itself) to freerad, as shown below;

chown -h freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

Restart the FreeRADIUS service;

systemctl restart freeradius
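
The edits from "Configuring FreeRADIUS to use SQL" down to the symbolic link are easy to get half-done by hand. The script below, added here and not part of the original guide or of FreeRADIUS, applies the same settings (dialect, connection details, read_clients) to the module file, leaves the mysql tls block as the file has it, then enables the module. It assumes the file lays out each directive once, as the shipped 3.0 file does, so every matching line (commented or not) is rewritten; it reads the connection details from RADIUS_DB_* environment variables (hypothetical names) so the password is never typed into the script; and because a commented-out tls block means the server-to-database link runs in clear, it warns when the database host is anything other than localhost. The demo runs on a constructed copy of the module file in a temporary directory:

```sh
#!/bin/sh
# Added helper, not part of the original guide: apply the sql module edits
# from this section to a copy of mods-available/sql and enable the module.
# Assumptions (hypothetical): the module file lays out each directive once,
# as the shipped file does; each setting is rewritten wherever it appears,
# commented out or not; connection details come from the environment.

tab=$(printf '\t')

# sed_escape STRING: make STRING safe for use in a sed replacement.
sed_escape() { printf '%s' "$1" | sed 's/[\\&|]/\\&/g'; }

# set_directive FILE KEY VALUE: turn any "KEY = ..." or "#KEY = ..." line into
# an active "KEY = VALUE" line (VALUE is the literal right-hand side).
set_directive() {
    value=$(sed_escape "$3")
    sed "s|^[[:space:]]*#*[[:space:]]*$2 = .*|$tab$2 = $value|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_directive FILE KEY: print the active (uncommented) value of KEY.
get_directive() {
    sed -n "s/^[[:space:]]*$2 = \(.*\)$/\1/p" "$1" | head -n 1
}

# tls_enabled FILE: true if an uncommented "tls {" block is present.
tls_enabled() { grep -q '^[[:space:]]*tls[[:space:]]*{' "$1"; }

# configure_sql_module FILE: the dialect, connection and read_clients settings
# from this section; the mysql tls block is left exactly as the file has it.
configure_sql_module() {
    f=$1
    [ -n "$RADIUS_DB_PASSWORD" ] || { echo "RADIUS_DB_PASSWORD is not set" >&2; return 1; }
    host=${RADIUS_DB_HOST:-localhost}
    set_directive "$f" dialect '"mysql"'
    set_directive "$f" server "\"$host\""
    set_directive "$f" port "${RADIUS_DB_PORT:-3306}"
    set_directive "$f" login "\"${RADIUS_DB_USER:-radiusadmin}\""
    set_directive "$f" password "\"$RADIUS_DB_PASSWORD\""
    set_directive "$f" radius_db "\"${RADIUS_DB_NAME:-radiusdb}\""
    set_directive "$f" read_clients yes
    # With the tls block commented out the server-to-database link is in
    # clear, which is only acceptable while MySQL really is on localhost.
    if [ "$host" != localhost ] && ! tls_enabled "$f"; then
        echo "warning: database host $host without TLS: credentials cross the network unencrypted" >&2
    fi
}

# enable_sql_module CONFDIR: symlink mods-available/sql into mods-enabled and
# hand the link to the freerad user when that account exists and we are root.
enable_sql_module() {
    ln -sf "$1/mods-available/sql" "$1/mods-enabled/sql"
    if [ "$(id -u)" -eq 0 ] && id freerad >/dev/null 2>&1; then
        chown -h freerad:freerad "$1/mods-enabled/sql"
    fi
}

# Demo on a constructed copy of the module file (shape of the shipped
# 3.0 file: dialect points at sqlite, connection lines commented out).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/mods-available" "$demo_dir/mods-enabled"
cat > "$demo_dir/mods-available/sql" <<'EOF'
sql {
	dialect = "sqlite"
	driver = "rlm_sql_${dialect}"
	mysql {
		# If any of the files below are set, TLS encryption is enabled
		#tls {
		#	ca_file = "/etc/ssl/certs/my_ca.crt"
		#}
	}
#	server = "localhost"
#	port = 3306
#	login = "radius"
#	password = "radpass"
	radius_db = "radius"
#	read_clients = yes
}
EOF
RADIUS_DB_PASSWORD='demo-only-password'   # constructed demo value
export RADIUS_DB_PASSWORD
configure_sql_module "$demo_dir/mods-available/sql"
enable_sql_module "$demo_dir"
echo "dialect is now $(get_directive "$demo_dir/mods-available/sql" dialect)"
# Live use:  configure_sql_module /etc/freeradius/3.0/mods-available/sql
#            enable_sql_module /etc/freeradius/3.0
```

On a real host, export RADIUS_DB_PASSWORD first, point configure_sql_module at /etc/freeradius/3.0/mods-available/sql (keep a backup of the file), run enable_sql_module /etc/freeradius/3.0, and then restart the service as above; the freerad account exists there, so the chown step runs.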

Verify FreeRADIUS use of SQL Database

To verify that FreeRADIUS can now work with the MySQL database properly, populate the FreeRADIUS database with some dummy data. Log in to the FreeRADIUS database as the database user created above;

mysql -u radiusadmin -p
use radiusdb;

Create a dummy user entry in radcheck table;

insert into radcheck (id,username,attribute,op,value) values("1", "demouser", "Cleartext-Password", ":=", "demopass");

To verify the same;

select * from radcheck where id="1";
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | demouser | Cleartext-Password | := | demopass |
+----+----------+--------------------+----+----------+
1 row in set (0.01 sec)

Exit the database, stop FreeRADIUS and run it again in debug mode to verify that it is working well.

systemctl stop freeradius
freeradius -X

FreeRADIUS provides a simple test tool, radtest, which sends packets to a RADIUS server and shows the reply. The syntax of the radtest command line tool is;

radtest {username} {password} {hostname} 10 {radius_secret}

Read the man page, man radtest, for more information on the options used.

So while FreeRADIUS is running in debug mode, open another terminal and run the test command below. Note that testing123 is the shared secret for the localhost client; check clients.conf.

radtest demouser demopass localhost 10 testing123

If you get an Access-Accept response upon authenticating, the proof of concept (POC) is complete.

Sent Access-Request Id 129 from 0.0.0.0:40930 to 127.0.0.1:1812 length 78
	User-Name = "demouser"
	User-Password = "demopass"
	NAS-IP-Address = 10.0.2.15
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "demopass"
Received Access-Accept Id 129 from 127.0.0.1:1812 to 127.0.0.1:40930 length 20
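
Two small helpers, added here and not part of the original guide or of the FreeRADIUS tools, round off the test: one reads a radtest transcript like the one above and classifies it as accept, reject or no-reply (a reply only counts when its Id matches the request, and no reply at all is typically a wrong shared secret, an unknown client, or a blocked port); the other scans clients.conf and names every client block still using the stock testing123 secret, which is fine for the localhost check above but should not survive on a client entry that real equipment talks to. All transcripts and config text embedded below are constructed samples, and the function names are hypothetical:

```sh
#!/bin/sh
# Added helpers, not part of the original guide: classify a radtest reply and
# flag clients.conf entries still using the stock testing123 secret. All
# transcripts and config text below are constructed samples.

# radtest output for a successful and a failed authentication (constructed,
# same shape as the Access-Accept exchange shown above).
SAMPLE_ACCEPT='Sent Access-Request Id 129 from 0.0.0.0:40930 to 127.0.0.1:1812 length 78
	User-Name = "demouser"
	User-Password = "demopass"
	NAS-IP-Address = 10.0.2.15
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "demopass"
Received Access-Accept Id 129 from 127.0.0.1:1812 to 127.0.0.1:40930 length 20'

SAMPLE_REJECT='Sent Access-Request Id 130 from 0.0.0.0:40931 to 127.0.0.1:1812 length 78
	User-Name = "demouser"
	User-Password = "wrongpass"
	NAS-IP-Address = 10.0.2.15
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "wrongpass"
Received Access-Reject Id 130 from 127.0.0.1:1812 to 127.0.0.1:40931 length 20'

# Request sent but nothing came back: no Received line at all.
SAMPLE_NOREPLY='Sent Access-Request Id 131 from 0.0.0.0:40932 to 127.0.0.1:1812 length 78
	User-Name = "demouser"
	User-Password = "demopass"
	NAS-IP-Address = 10.0.2.15
	NAS-Port = 10
	Message-Authenticator = 0x00
	Cleartext-Password = "demopass"'

# radius_verdict: read a radtest transcript on stdin and print accept, reject
# or no-reply; the reply only counts if its Id matches the request Id.
radius_verdict() {
    awk '
        $1 == "Sent" && $2 == "Access-Request" && $3 == "Id" { req = $4 }
        $1 == "Received" && $3 == "Id" && $4 == req          { code = $2 }
        END {
            if (code == "Access-Accept")      print "accept"
            else if (code == "Access-Reject") print "reject"
            else                              print "no-reply"
        }'
}

# radtest_verdict USER PASS HOST SECRET: run the radtest command from this
# section and classify its reply (live hosts only; needs freeradius-utils).
radtest_verdict() {
    command -v radtest >/dev/null 2>&1 || { echo "radtest not installed" >&2; return 2; }
    radtest "$1" "$2" "$3" 10 "$4" 2>&1 | radius_verdict
}

# default_secret_clients: read clients.conf on stdin and print the name of
# every client block whose secret is still the stock testing123.
default_secret_clients() {
    awk '
        /^[[:space:]]*client[[:space:]]/ { name = $2; sub(/[{].*/, "", name) }
        /^[[:space:]]*secret[[:space:]]*=[[:space:]]*"?testing123"?[[:space:]]*$/ { print name }'
}

# Constructed clients.conf: the stock localhost entries plus one real NAS.
SAMPLE_CLIENTS='client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
}
client localhost_ipv6 {
	ipv6addr = ::1
	secret = testing123
}
client switch01 {
	ipaddr = 192.0.2.10
	secret = example-long-random-secret
}'

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_ACCEPT"  | radius_verdict            # accept
printf '%s\n' "$SAMPLE_REJECT"  | radius_verdict            # reject
printf '%s\n' "$SAMPLE_NOREPLY" | radius_verdict            # no-reply
printf '%s\n' "$SAMPLE_CLIENTS" | default_secret_clients    # localhost, localhost_ipv6
# Live use:  default_secret_clients < /etc/freeradius/3.0/clients.conf
#            radtest_verdict demouser demopass localhost testing123
```

On a live host, `radtest_verdict demouser demopass localhost testing123` gives the same one-word answer the transcript above expresses in eight lines, which makes it easy to script into a post-deploy check, and `default_secret_clients < /etc/freeradius/3.0/clients.conf` should list only the localhost entries.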

Stop FreeRADIUS debugging mode and start the service.

systemctl start freeradius