dlostboy (at) lostinfo (dot) com 


      FreeBSD 4.X HOWTO for setting up FreeRADIUS + mySQL

Ok, so you want to use RADIUS, and you want it to authenticate off a mySQL database instead of the crummy non-scaling flat text "users" file. Livingston's RADIUS doesn't do this natively, and they're out of business now. Most other vendors appear to be charging for RADIUS. So what to do? Well, some wonderful guys put out a piece of software called freeradius that just happens to have mySQL support built right in. Better than that, it seems to work with almost anyone's access concentrators! (I've personally tried it with USR Total Control chassis and Livingston PortMaster 3s.)

Now, this software is not in the ports, which is a shame because it works fine in FreeBSD (even though it's written for linux), as soon as you realize you have to use "gmake" instead of "make" to build it.

At the time of writing, freeradius was at version 0.3, which sounds scary but actually works fine.

  • Head over to the freeradius website and get it. Once you have it:
  • tar -zxvf freeradius.tar.gz
  • cd freeradius-0.3

  • Now we'll need to configure it for our system. FreeBSD's layout differs from Linux's (for the better, IMO) in that it puts everything that didn't come with the base system into the /usr/local/ tree. We'll make that happen with this distribution via configure options, and at the same time we'll build it as a static binary so that we can chroot it if we want to.
  • ./configure --enable-static --localstatedir=/var --with-dict-nocase --with-threads --with-mysql-include-dir=/usr/local/include/mysql/ --with-mysql-lib-dir=/usr/local/lib/mysql/ --with-mysql-dir=/usr/local/bin/ --sysconfdir=/usr/local/etc
  • gmake; gmake install
  • Add a "radius" user/group to your machine. We don't want this thing running as a privileged user.

  • mkdir /var/log/radius/; chown radius.radius /var/log/radius
  • Now we'll have to make some edits on the config files. They will all be in /usr/local/etc/raddb.
  • Open radius.conf and change "pidfile" to a path that the radius user has permission to write to. Personally I didn't care whether it was in /var/run or not, so I just said "pidfile = /var/log/radius/radiusd.pid". Now verify that "port" is set to what you want it to use. My ACs use the old, unregistered 1645 for RADIUS, so I set it to that. Finally, set the user/group attributes to your radius user.
  • Now, if you have problems with the next part, it may pay for you to just dump your existing "users" file into /usr/local/etc/raddb/ and start the radius daemon to see if it works. I did this step so I'd have a baseline of how far I got before things stopped working. Fortunately, everything went smoothly.

  • I now followed the directions on this site by Scott Bartlett which *basically* says to open radius.conf and find the authorize {} section and put in the word 'sql' between "files" and "suffix". Then go to the authenticate {} section and put 'sql' in there somewhere too.
  • Now in your /freeradius-0.3/src/modules/rlm_sql/drivers/rlm_sql_mysql/ directory, there will be a "db_mysql.sql" file. I created a database in mySQL called RADIUS and ran this script on it. (I use phpMyAdmin for anything like this.) That will create the structure you'll need to use.
  • Create a mySQL username/password and grant it authorization to the radius database. Be sure to run "FLUSH PRIVILEGES" or restart mySQL for your new user/pass combo to work. You'll beat yourself into the ground diagnosing a RADIUS issue when really the problem is that mySQL doesn't know who your username is.
  • Open clients.conf and put in your Access Concentrator's IP & secret. I could have used DNS names in here, but that's silly in my opinion because you'd then be relying on your DNS working for your RADIUS to work.
  • Open your sql.conf and put in your radius username/password. If you named the database "radius" and ran that sql script, you shouldn't have to change anything else.
  • You'll have to put some data in your mySQL database to be able to test. Scott's site explains this well, but in essence, you could do this in mySQL:
        INSERT INTO usergroup VALUES('0','testuser','testgroup');
        INSERT INTO radcheck VALUES ('0','testuser','Password','testpass');
        INSERT INTO radreply VALUES ('0','testuser','Framed-IP-Address','255.255.255.254');
  • radius
  • Assuming you got no errors while trying to start RADIUS, try a utility like NTRadPing (easily found using google.com) to test the username "testuser" with password "testpass" on your system. Be sure that the IP address of your testing machine is in your clients.conf or else your RADIUS server will not respond.
  • If you got a reply then your system is working. Now, if you get the idea, radcheck holds every attribute that the RADIUS server will check against, and radreply (and radgroupreply) hold the attributes that get returned to the client. Since it would be foolish to build radreplys for each individual user, we build groups and only send back per user the stuff that is unique to that user. For our setup, I made 4 groups: DialupDynamic, DialupStatic, ISDNDynamic and ISDNStatic. DialupDynamic and ISDNDynamic are identical except for the Port-Limit attribute being set to 2 for ISDN customers. DialupStatic and ISDNStatic are pretty different from each other. If your users file looked like this for dialup users:

    username Password = "password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Idle-Timeout = 1800,
    Port-Limit=1

    Then you would want a usergroup entry for username / dialupdynamic, and then you'd want a radcheck entry for Password / password, a few radgroupreplys for dialupdynamic that went through all 8 attributes and their values. You wouldn't need any radreplys since this user is not unique in any way.

    For my system, I wrote this quick little Perl script to parse my users file into 4 separate files, one for each group. Then I ran PHP scripts similar to this to actually dump the data into my radius database (I'm not a big fan of DBI for Perl).
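    The users-file-to-SQL conversion the last two paragraphs describe, as an added example. This is not the author's Perl or PHP script (neither is on this page); it is Python, with an in-memory sqlite3 database standing in for mySQL so it runs offline. It parses entries in the format shown above, picks one of the four groups by a rule I am assuming from the description (Port-Limit 2 means ISDN, Framed-IP-Address 255.255.255.254 means Dynamic), writes the group-wide attributes to radgroupreply once per group and only a user's static IP to radreply, and does every INSERT with placeholders instead of pasting the username into SQL text. Table and column names follow the db_mysql.sql schema the page names; the two sample users are constructed.

```python
"""Users-file -> usergroup/radcheck/radreply/radgroupreply rows (added example).
sqlite3 stands in for mySQL; the group rule below is an assumption drawn from
the page's description of its four groups."""
import re
import sqlite3

DYNAMIC_IP = "255.255.255.254"   # "assign from pool" marker, as used on the page

# Constructed sample: two entries in the users-file format shown above.
USERS_FILE = """\
alice Password = "s3cret"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Idle-Timeout = 1800,
    Port-Limit = 1

bob Password = "hunter2"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.0.0.7,
    Framed-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Idle-Timeout = 1800,
    Port-Limit = 2
"""

# Column names as in db_mysql.sql; id is auto-assigned, as with mySQL auto_increment.
SCHEMA = """
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT);
"""


def _items(text):
    """Split 'Attr = Value, Attr = Value' into (attr, value) pairs, unquoting values."""
    for item in text.split(","):
        item = item.strip()
        if item:
            attr, _, value = item.partition("=")
            yield attr.strip(), value.strip().strip('"')


def parse_users_file(text):
    """Return [(username, check_items, reply_items), ...]; entries are blank-line separated."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].split(None, 1)              # first line: username + check items
        check = dict(_items(head[1] if len(head) > 1 else ""))
        reply = dict(_items(" ".join(lines[1:])))   # indented lines: reply items
        entries.append((head[0], check, reply))
    return entries


def group_for(reply):
    """Assumed rule: Port-Limit 2 -> ISDN, the pool marker IP -> Dynamic."""
    kind = "ISDN" if reply.get("Port-Limit") == "2" else "Dialup"
    alloc = "Dynamic" if reply.get("Framed-IP-Address") == DYNAMIC_IP else "Static"
    return kind + alloc


def split_reply(reply, group):
    """Group-wide attributes go to radgroupreply; a user's own static IP goes to radreply."""
    group_items, user_items = dict(reply), {}
    if group.endswith("Static"):
        user_items["Framed-IP-Address"] = group_items.pop("Framed-IP-Address")
    return group_items, user_items


def load(conn, text):
    """Insert every entry. Placeholders keep usernames and values as data, never SQL text."""
    conn.executescript(SCHEMA)
    seen_groups = set()
    for user, check, reply in parse_users_file(text):
        group = group_for(reply)
        group_items, user_items = split_reply(reply, group)
        conn.execute("INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)", (user, group))
        conn.executemany("INSERT INTO radcheck (UserName, Attribute, Value) VALUES (?, ?, ?)",
                         [(user, a, v) for a, v in check.items()])
        conn.executemany("INSERT INTO radreply (UserName, Attribute, Value) VALUES (?, ?, ?)",
                         [(user, a, v) for a, v in user_items.items()])
        if group not in seen_groups:                # group rows are written once, not per user
            seen_groups.add(group)
            conn.executemany("INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES (?, ?, ?)",
                             [(group, a, v) for a, v in group_items.items()])
    conn.commit()


def reply_for(conn, user):
    """What the server sends back: the group's attributes, then the user's own overrides."""
    rows = conn.execute("SELECT gr.Attribute, gr.Value FROM usergroup ug "
                        "JOIN radgroupreply gr ON gr.GroupName = ug.GroupName "
                        "WHERE ug.UserName = ?", (user,)).fetchall()
    rows += conn.execute("SELECT Attribute, Value FROM radreply WHERE UserName = ?",
                         (user,)).fetchall()
    return dict(rows)


def build_db(text=USERS_FILE):
    """Load the sample into a fresh in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    load(conn, text)
    return conn
```

    reply_for() performs the same merge the server does from usergroup, radgroupreply and radreply, so it is a quick way to confirm a user ends up with all 8 attributes before you point an access concentrator at the database. Note that radcheck stores the Password value exactly as typed, so the mySQL account from the grant step above should have only the rights the daemon needs on these tables, and the loader should always pass usernames as query parameters rather than quoting them into SQL by hand.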

    I know this walkthrough isn't very sympathetic to those who might not be familiar with RADIUS and how it works at all, but you should certainly be familiar with RADIUS and mySQL well before you try to integrate the two. RADIUS is pretty easy to understand (and there are a lot of documents out there on it) once you realize it's just a "check this, reply with that" sort of system. Good luck!


      ©2000, ©2001 LostInformation