FreeRadius 3.0.x Installation and configuration with Mysql

This document describes how to set up a FreeRADIUS server. A MySQL server is used as the backend and for user accounting.

RADIUS is an industry-standard protocol for providing authentication, authorization, and accounting services.

  • Authentication is the process of verifying a user’s identity and associating additional information (attributes) to the user’s login session.
  • Authorization is the process of determining whether the user is allowed on the network and controlling network access values based on a defined security policy.
  • Accounting is the process of generating log files that record session statistics used for billing, system diagnosis, and usage planning.

Installation:

Download freeradius source from http://freeradius.org/

tar -xzvf freeradius-server-3.0.3.tar.gz
cd freeradius-server-3.0.3
./configure --prefix=/usr/local/freeradius-server-3.0.3

make
sudo make install
sudo ldconfig

Configuration:

1. Create a softlink for each module that you want to add.
cd mods-enabled/
ln -s ../mods-available/sql ./
ln -s ../mods-available/redis ./
ln -s ../mods-available/rediswho ./

2. Edit radiusd.conf
modules {
$INCLUDE mods-enabled/
}
policy {
$INCLUDE sites-enabled/
}

3. Enable SQL configuration in the default enabled site /etc/freeradius/sites-available/default:
authorize {

sql

}
accounting {

sql

}
session {

sql

}
post-auth {

sql

}
Post-Auth-Type REJECT {
sql
}

Now on to MySQL setup. First, create a database where FreeRADIUS will store AAA data. We’ll call it radius:

create database radius;

Import the MySQL schema from /mods-config/sql/main/mysql/schema.sql into that database:

mysql -u root -p radius < /raddb/mods-config/sql/main/mysql/schema.sql

4. Configure the SQL module in /raddb/mods-available/sql and change the database connection parameters to suit your environment:
sql {
driver = "rlm_sql_mysql"
server = "192.168.1.1"
port = 3306
login = "radius"
password = "radiuspwd"
# Database table configuration for everything except Oracle
radius_db = "radius"
}

# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
read_clients = yes

# Table to keep radius client info
client_table = "nas"

5. Configure the AAA queries (edit /mods-config/sql/main/mysql/queries.conf)

Test whether FreeRADIUS works by running the following command:
./radiusd -X

This starts FreeRADIUS in debug mode (press Ctrl+C to stop it).
FreeRADIUS has a start-up script. The following ensures it starts automatically across reboots.

sudo cp sbin/rc.radiusd /etc/init.d/radiusd
sudo update-rc.d radiusd start 80 2 3 4 5 . stop 20 0 1 6 .

FreeRADIUS detail logs are written under /usr/local/freeradius-server-3.0.3/var/log/radius/radacct/

All set!!!
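
When radiusd -X stops with "Failed to link to module", the cause is usually a module linked in step 1, or the driver named in step 4, whose library was never built. The following preflight check is an added example, not part of the original post: it reports those cases and also flags a world-readable sql config, since that file holds the database password. It assumes each file in mods-enabled is named after its module, and the sample tree it runs on is constructed.

```shell
#!/bin/sh
# Assumption: each file in mods-enabled is named after its module, which
# holds for the sql, redis and rediswho modules linked in step 1.

# check_modules RADDB LIBDIR: prints one line per problem, returns the count.
check_modules() {
    raddb=$1 libdir=$2 problems=0
    for link in "$raddb"/mods-enabled/*; do
        name=${link##*/}
        if [ ! -e "$link" ]; then
            [ -L "$link" ] || continue    # unexpanded glob: directory is empty
            echo "dangling link: mods-enabled/$name"; problems=$((problems + 1)); continue
        fi
        if [ ! -f "$libdir/rlm_$name.so" ]; then
            echo "missing library: rlm_$name.so"; problems=$((problems + 1))
        fi
    done
    sqlconf=$raddb/mods-enabled/sql
    if [ -f "$sqlconf" ]; then
        # The sql module loads a second library, named by its driver setting.
        driver=$(sed -n 's/^[[:space:]]*driver[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$sqlconf" | head -n 1)
        if [ -n "$driver" ] && [ ! -f "$libdir/$driver.so" ]; then
            echo "missing library: $driver.so"; problems=$((problems + 1))
        fi
        # This file holds the database password: other users must not read it.
        if [ -n "$(find -L "$sqlconf" -perm -004)" ]; then
            echo "world-readable: mods-enabled/sql"; problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Constructed sample tree: sql, redis and rediswho linked, only rlm_sql.so built.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/raddb/mods-available" "$root/raddb/mods-enabled" "$root/lib"
    printf 'sql {\n  driver = "rlm_sql_mysql"\n  password = "example"\n}\n' > "$root/raddb/mods-available/sql"
    printf 'redis {\n}\n' > "$root/raddb/mods-available/redis"
    chmod 644 "$root/raddb/mods-available/sql"
    for m in sql redis rediswho; do       # rediswho has no file: dangling link
        ln -s "../mods-available/$m" "$root/raddb/mods-enabled/$m"
    done
    touch "$root/lib/rlm_sql.so"
    echo "$root"
}

root=$(make_sample)
check_modules "$root/raddb" "$root/lib" || echo "problems found: $?"
rm -rf "$root"
```

On a real installation, call check_modules with the raddb directory and the lib directory under the --prefix used at configure time.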


36 thoughts on “FreeRadius 3.0.x Installation and configuration with Mysql”

  1. Kostas September 22, 2014 / 9:14 am

    I am a newbie with FreeRADIUS, can you clarify what you mean by the
    2.Edit radiusd.conf
    modules {
    $INCLUDE mods-enabled/
    }
    policy {
    $INCLUDE sites-enabled/
    }
    Thanks

    • lalit September 30, 2014 / 6:51 am

      radiusd.conf is the main conf file. If you want to include any module in order to use it with FreeRADIUS, you have to mention the INCLUDE path for that module under the modules section. The above example will include all modules like sql, ldap, redis, etc. under the mods-enabled location. Same with policy: you will define a policy, e.g. a policy for user login and network access, under the sites-enabled files and include the file path under the policy section.

      NOTE: Most of the %-enabled directories contain symbolic links to the %-available dir files.
      e.g. the mods-enabled/ dir contains symbolic links to the mods-available dir files.

      • kostas September 30, 2014 / 7:30 am

        Thanks for your answer lalit, after a lot of searching I have understood.

  2. Tuan May 21, 2015 / 5:57 am

    Hi,

    When I run command : radiusd -X
    I get error :
    ——————————
    rlm_sql (sql): Released connection (4)
    /etc/raddb/mods-enabled/redis[10]: Failed to link to module ‘rlm_redis’: rlm_redis.so: cannot open shared object file: No such file or directory
    ——————————

    Can you help?
    Thanks,

    • lalit May 30, 2015 / 5:33 am

      Recheck the module path under radiusd.conf, or maybe it’s an issue with permissions or a
      version mismatch for the modules’ .so files.

  3. santanablank July 12, 2015 / 1:38 pm

    Hi
    I have the following error message when issuing radiusd -X, any experience? Thanks

    Debugger not attached
    Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev – 1.0.1f release)
    Security advisory CVE-2014-0160 (Heartbleed)
    For more information see http://heartbleed.com
    Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = ‘CVE-2014-0160’

  4. Rohit August 3, 2015 / 1:16 pm

    Hi,
    I did the allow vulnerable ssl. Now I am getting the error
    Debugger not attached
    # Creating Auth-Type = digest
    radiusd: #### Instantiating modules ####
    /usr/local/etc/raddb/mods-enabled/redis[10]: Failed to link to module ‘rlm_redis’: /usr/local/lib/rlm_redis.so: cannot open shared object file: No such file or directory

    Also, there is no rlm_redis in /usr/local/lib/. Sorry, But I am new to freeradius. Thank you for your help.

    • cua October 2, 2015 / 8:08 am

      see below.

  5. Satrian August 11, 2015 / 3:51 am

    Hi Tuan, did you find a solution for this issue? I’m having the same issue.

  6. imen August 12, 2015 / 1:23 pm

    Would you please post the accounting query that you have implemented, because I have implemented a query but in the log file I get acctinputoctets= 0 and acctoutputoctets= 0
    this is the file: sqlcounter monthlytrafficcounter {
    counter-name = Monthly-Traffic
    check-name = Max-Monthly-Traffic
    reply-name = Monthly-Traffic-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = “SELECT IFNULL (acctinputoctets + acctoutputoctets),0) as counter FROM radacct WHERE Username=’%{%k}’ AND UNIX_TIMESTAMP (AcctStartTime > ‘%b’ ”
    }

    i really need help !

  7. Sanjeewa September 21, 2015 / 2:37 pm

    I am also getting this error when I create the above soft links,
    radiusd: #### Instantiating modules ####
    /usr/local/etc/raddb/mods-enabled/redis[10]: Failed to link to module ‘rlm_redis’: /usr/local/lib/rlm_redis.so: cannot open shared object file: No such file or directory

    • cua October 2, 2015 / 8:07 am

      You should install “libhiredis-dev” before running ./configure.
      Trye

      • Shawn October 7, 2015 / 12:10 pm

        Any idea how to make it work if freeradius is already installed?

      • cua October 7, 2015 / 7:48 pm

        Sorry I don’t know because I’ve already downgraded to 2.2.9.
        Version 3.x wasn’t stable under Ubuntu 14.04 and I don’t have enough time to play with it and I need a working radius server in production environment 🙂
        (I tried 3.0.3, 3.0.8, 3.0.9).

  8. Shawn September 24, 2015 / 10:56 am

    same problem…centos 7

    /etc/raddb/mods-enabled/redis[10]: Failed to link to module ‘rlm_redis’: /usr/local/lib/rlm_redis.so: cannot open shared object file: No such file or directory

  9. hab November 20, 2015 / 12:39 am

    works like charm, thanks

  10. Siddhartha September 2, 2016 / 5:26 pm

    Stimulation := 1 not working
    Xutmp log file not found
    In free radius 2.2.0

  11. shashi April 5, 2017 / 6:12 am

    Hi Lalit,
    I was finding it difficult to understand on what basis freeradius picks a particular module among many enabled modules for authentication or any request.

    • lalit April 5, 2017 / 6:18 am

      It works on the basis of enabled module and as per the configuration for that module in radiusd.conf file.

      • shashi April 6, 2017 / 5:37 am

        Thanks lalit

  12. Danilo May 4, 2017 / 1:06 pm

    Hi Lalit,
    Thank you for your article but, for me, it doesn’t work.
    My OS is CentOS 7.3, I have installed freeradius 3.0.4 and MariaDB.
    When I start freeradius in debugging mode I can see the accounting information in the log but not in the ‘radacct’ table.
    The connection Freeradius -> MariaDB is good because radius can read the user from ‘radcheck’ and, after authentication, a line is added in the ‘radpostauth’ table.
    Why is the ‘radacct’ table empty?
    Thank you

  13. lalit May 7, 2017 / 9:09 am

    Make sure you enabled sql for the following in /etc/freeradius/sites-available/default

    accounting {

    sql

    }
    session {

    sql

    }

    Also look for sql table options in /raddb/mods-available/sql

  14. kanny d November 11, 2017 / 4:53 am

    great..its works..
    Thank you very much.. ^_^

  15. janara January 23, 2018 / 9:12 am

    Hi lalit, can you tell me why I get this error? And how to fix it?

    Could not link driver rlm_sql_mysql: /usr/local/freeradius-server-3.0.16/lib/rlm_sql_mysql.so: cannot open shared object file: No such file or directory
    Make sure it (and all its dependent libraries!) are in the search path of your system’s ld
    /usr/local/freeradius-server-3.0.16/etc/raddb/mods-enabled/sql[20]: Instantiation failed for module “sql”

    • janara January 23, 2018 / 9:15 am

      Well, it works. I just copied /usr/local/lib/rlm_sql_mysql.so to /usr/local/freeradius-server-3.0.16/lib

      • lalit January 24, 2018 / 11:44 am

        Great. By default, freeradius will look for lib in a compiled location, where we have all freeradius files.

  16. janara January 25, 2018 / 7:05 am

    Hi. When I’m testing my freeradius using sudo radtest usertest passwd localhost 0 testing123 it says:

    Sent Access-Request Id 199 from 0.0.0.0:59747 to 127.0.0.1:1812 length 78
    User-Name = “usertest”
    User-Password = “passwd”
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = “passwd”
    Sent Access-Request Id 199 from 0.0.0.0:59747 to 127.0.0.1:1812 length 78
    User-Name = “usertest”
    User-Password = “passwd”
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = “passwd”
    Sent Access-Request Id 199 from 0.0.0.0:59747 to 127.0.0.1:1812 length 78
    User-Name = “usertest”
    User-Password = “passwd”
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = “passwd”
    (0) No reply from server for ID 199 socket 3

    I made sure that I have a row in radacct that contains the usertest username and passwd password.

    What could be the problem here?

    • lalit January 25, 2018 / 9:22 am

      Please use ‘127.0.0.1’ in radtest, rather than ‘localhost’ and try

      • janara January 26, 2018 / 2:37 am

        Thanks! Now it’s getting a reply but still not good

        Sent Access-Request Id 218 from 0.0.0.0:56196 to 127.0.0.1:1812 length 78
        User-Name = “usertest”
        User-Password = “passwd”
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = “passwd”
        Sent Access-Request Id 218 from 0.0.0.0:56196 to 127.0.0.1:1812 length 78
        User-Name = “usertest”
        User-Password = “passwd”
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = “passwd”
        Sent Access-Request Id 218 from 0.0.0.0:56196 to 127.0.0.1:1812 length 78
        User-Name = “usertest”
        User-Password = “passwd”
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = “passwd”
        Received Access-Reject Id 218 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
        (0) -: Expected Access-Accept got Access-Reject

        When I test using the accounts from the “users” file I get this:

        Sent Access-Request Id 141 from 0.0.0.0:57929 to 127.0.0.1:1812 length 77
        User-Name = “testing”
        User-Password = “password”
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = “password”
        Sent Access-Request Id 141 from 0.0.0.0:57929 to 127.0.0.1:1812 length 77
        User-Name = “testing”
        User-Password = “password”
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = “password”
        Sent Access-Request Id 141 from 0.0.0.0:57929 to 127.0.0.1:1812 length 77
        User-Name = “testing”
        User-Password = “password”
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = “password”
        Received Access-Accept Id 141 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
        radclient: Received reply to request we did not send. (id=141 socket 3)

      • janara January 26, 2018 / 2:55 am

        Also, I skipped this step: 5.Configure AAA queries (edit /mods-config/sql/main/mysql/queries.conf) because I don’t know what it means…..

  17. _anox January 29, 2018 / 1:06 am

    How can I add a module like rlm_counter without reinstalling freeradius?

    • lalit January 29, 2018 / 11:27 am

      Edit the radiusd.conf file
      modules {
      $INCLUDE mods-enabled/
      }

      Assuming that rlm_counter is in the mods-enabled/ directory.
      Restart the radius service and all set.

      If rlm_counter was not compiled initially then you don’t have an option.

      Take a backup of the config files, re-compile it, and later you can replace your original settings.
