Following is a complete guide on how to set up Apache to use the FreeRADIUS authentication module, with daloRADIUS as a front-end. You can also use this guide to build a full-featured RADIUS server for your Mikrotik or any other NAS that supports external RADIUS authentication.
This guide will also show you how to configure daloRADIUS, an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting and a billing engine; it is basically a nice GUI front-end for controlling FreeRADIUS. Using DR, you can create single or batch users, hotspot tickets, plans and packages, and so on.
In the end I will show you how to create an Apache-based file sharing server that uses FreeRADIUS for authentication.
A few months back, at my friend's cable network, I installed Mikrotik along with DMASOFTLAB RADIUS MANAGER, which also uses FreeRADIUS as its backend authentication mechanism. They also had a 4 TB Windows IIS-based FTP sharing server for videos, MP3s, games etc. for LAN users. The whole network was running on private IPs, so setting up authentication on the sharing server so that only valid users could access the FTP was a headache. For the time being I placed the FTP server behind the Mikrotik DMZ so that only PPPoE dialer-connected users could access it, BUT this topology had a negative impact on overall Mikrotik performance, because a huge amount of irrelevant (junk FTP) traffic was going through the router, increasing the overall load on the MT. So I decided to overcome this problem by changing the sharing server's operating system from Microsoft Windows to Ubuntu Linux; I then placed it on the users' subnet and linked this sharing server's [Apache] authentication with FreeRADIUS. This way I managed to solve the problem. This guide will show you exactly how I did this.
Here we go . . .
We will divide this article into two parts.
1) FREERADIUS + MYSQL + DALORADIUS
2) How to authenticate Apache 2 with Radius
[Please note that I am using Ubuntu 10.4 and the IP address is 192.168.2.1; all packages are installed in this single box for testing purposes, you can separate them as per your requirements]
1) Installing FREERADIUS Server along with MYSQL+DALORADIUS :
I prefer installing the whole LAMP stack as a prerequisite (lamp-server stands for Linux-Apache-MySQL-PHP server). First we install lamp-server using the command below:
sudo tasksel install lamp-server
Now install the FreeRADIUS packages and restart the service:
sudo apt-get install freeradius
sudo apt-get install freeradius-ldap
sudo apt-get install freeradius-mysql
sudo /etc/init.d/freeradius restart
If you are using Ubuntu, remove or comment out the IPv6 entry in /etc/hosts:
nano /etc/hosts
# The following lines are desirable for IPv6 capable hosts
# ::1 localhost ip6-localhost ip6-loopback
Now you can test the RADIUS server with the radtest utility (arguments: user, password, server, NAS port, shared secret):
radtest radius 123 localhost 1812 123
You will see a result something like the following:
Sending Access-Request of id 198 to 127.0.0.1 port 1812
        User-Name = "radius"
        User-Password = "123"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=198, length=20
This shows that your RADIUS server is in working condition.
Now download daloRADIUS, which is hosted on SourceForge at http://sourceforge.net/projects/daloradius/ (you can get the latest release from there; I used 0.9.9), or use the wget command to download it into any temporary folder, e.g. /temp:
mkdir /temp
cd /temp
tar -zxvf daloradius-0.9-9.tar.gz
# rename the extracted directory (not the tarball) before copying it to the web root
mv daloradius-0.9-9 daloradius
cp -R daloradius /var/www
chown -R www-data:www-data /var/www/daloradius
chmod 644 /var/www/daloradius/library/daloradius.conf.php
MYSQL Database Setup
Now we create the database for FreeRADIUS and a user account that FreeRADIUS will use to access the database, then import both the FreeRADIUS and daloRADIUS tables from the bundled schema. Log in to MySQL with the following command and run:
mysql -u root -p123
CREATE DATABASE radius;
-- the password given here must match CONFIG_DB_PASS in daloradius.conf.php below
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY '123';
FLUSH PRIVILEGES;
quit
cd /var/www/daloradius/contrib/db/
mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < mysql-daloradius.sql
Then edit the daloRADIUS configuration file:
cd /var/www/daloradius/library/
nano -w daloradius.conf.php
and set the following values:
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_PASS'] = '123';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
Point your browser to the daloRADIUS web interface and log in to the management console with the default credentials:
username: administrator
password: radius
After creating a user in daloRADIUS (here testuser with the password testpassword), you can also test that user with radtest:
radtest testuser testpassword localhost 1812 123
2) How to authenticate Apache 2 with RADIUS:
First we install the Apache RADIUS module and enable it:
apt-get install libapache2-mod-auth-radius
a2enmod auth_radius
Then configure the module with the RADIUS server, the shared secret and its timeout/retry settings in the Apache configuration:
# RADIUS server:port, shared secret (must match the server's clients.conf), timeout:retries
AddRadiusAuth localhost:1812 123 5:3
# minutes for which a successful authentication cookie stays valid
AddRadiusCookieValid 1
Now, for example, we have mounted our 1 TB sharing hard disk at /mnt/test, and we want an authentication popup to appear when a user opens http://192.168.2.1/test in their browser, forcing them to enter a valid RADIUS user ID and password before proceeding. Add the following lines at the end of /etc/apache2/apache2.conf:
Alias /test /mnt/test
<Directory /mnt/test>
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "AA File Server Authentication"
    AuthBasicAuthoritative Off
    AuthBasicProvider radius
    AuthRadiusAuthoritative On
    AuthRadiusActive On
    Require valid-user
</Directory>
Now point your browser to http://192.168.2.1/test and you will see an authentication popup window, something like the image below.
If the user supplies a wrong ID or password, he will see:
If the user enters a valid ID and password, he will see the contents of the test folder.
Alhamdolillah
Allah Hafiz,
Regards,
Naveed Ahmad