getting_started:18_install_ubuntu_freeradius

Installing FreeRADIUS version 3.x
Configuring FreeRADIUS version 3.x
Add script to sudoers file
Configure MESHdesk and APdesk
Next steps

Installing FreeRADIUS version 3.x

Ubuntu 18.04 now comes with a FreeRADIUS 3.x release.
Install FreeRADIUS and MySQL module.

sudo apt-get install libdatetime-perl
sudo apt-get install freeradius freeradius-mysql
# Answer yes to install these with their dependencies
# Please note that when this package is installed there are some things generated that can take up lots of time on slower machines.

Enable and Start FreeRADIUS

sudo systemctl enable freeradius
sudo systemctl start freeradius

Configuring FreeRADIUS version 3.x

Do the following to configure FreeRADIUS 3.x to work with RADIUSdesk

# Stop the service if it is already running
sudo systemctl stop freeradius
# Backup the original FreeRADIUSdirectory
sudo mv /etc/freeradius /etc/freeradius.orig
# Extract the AMPcore modified FreeRADIUS directory
sudo tar xzf /usr/share/nginx/html/cake2/rd_cake/Setup/Radius/freeradius-3-radiusdesk.tar.gz --one-top-level=/etc/freeradius/
sudo mv /etc/freeradius/freeradius /etc/freeradius/3.0

Correct some PATHs for FreeRADIUS 3.x

sudo vi /etc/freeradius/3.0/dictionary
 
# Change
$INCLUDE  /etc/freeradius/dictionary_overrides/dictionary.mikrotik
$INCLUDE  /etc/freeradius/dictionary_overrides/dictionary.chillispot
 
# To
$INCLUDE  /etc/freeradius/3.0/dictionary_overrides/dictionary.mikrotik
$INCLUDE  /etc/freeradius/3.0/dictionary_overrides/dictionary.chillispot
 
sudo vi /etc/freeradius/3.0/radiusd.conf
 
# Change
raddbdir = /etc/freeradius
 
# To
raddbdir = /etc/freeradius/3.0

Configure the site wide shared secret. This will be the value used by ALL Dynamic Clients.

sudo vi /etc/freeradius/3.0/sites-enabled/dynamic-clients

Look for this part in the file and change FreeRADIUS-Client-Secret to the value you choose to use.

#  Echo the IP address of the client.
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
 
# require_message_authenticator
FreeRADIUS-Client-Require-MA = no
 
# secret
FreeRADIUS-Client-Secret = "testing123"
 
# shortname
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"

Comment out the following two lines in the systemd service file

sudo vi /lib/systemd/system/freeradius.service

See this sample to see which two lines to comment out. Failing to do this will result in a broken system with FreeRADIUS not starting up during boot

[Unit]
Description=FreeRADIUS multi-protocol policy server
After=syslog.target network.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
 
[Service]
Type=forking
PIDFile=/run/freeradius/freeradius.pid
#EnvironmentFile=-/etc/default/freeradius
#ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-user.target

After you completed these commands you can test if FreeRADIUS starts up fine.

sudo systemctl daemon-reload 
sudo systemctl restart freeradius.service
sudo systemctl status freeradius.service

If in future you need to run FreeRADIUS in debug mode on the terminal use this as a reference:

#Stop the current FreeRADIUS instance
sudo systemctl stop freeradius.service
#If it is perhaps stuck use killall
sudo killall freeradius
#Start it in debug mode
sudo freeradius -X

Add script to sudoers file

Failing to do this step will leave the advanced features of RADIUSdesk broken.

To create the ability for the web server to exercise some control over FreeRADIUS, we will have a custom script which is added to the sudoers file.
The correct way to edit the sudoers file is by using:

sudo visudo

Add the following at the bottom

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL www-data ALL = NOPASSWD:/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/radmin_wrapper.pl

Confirm that this line is now inside the /etc/sudoers file

sudo cat /etc/sudoers

This will allow the root user in RADIUSdesk to start and stop FreeRADIUS and also to do on-the-fly activation of debug traces.

Configure MESHdesk and APdesk

If you will be using MESHdesk or APdesk this section is for you and will make life easier for you.
We need to configure default settings for the Coova Chilli Captive Portal which are used in both MESHdesk and APdesk.
Please get the following information ready.
- The IP Address which the server can be reached through. This will typically be a public IP Address but it can also be a private IP Address if you run RADIUSdesk on a private network.
- The FQDN for the server if you registered in on a DNS service.
- The site wide FreeRADIUS shared secret used by the Dynamic RADIUS Clients. This was done earlier in this page when you configured the Dynamic Clients.
- There are two files which you need to edit to reflect your installations detail.
For MESHdesk:

sudo vi /usr/share/nginx/html/cake2/rd_cake/Config/MESHdesk.php

Look for this bit and change accordingly:

//_______________________________________________
//== Pre-set values for the Captive Portals
$config['Meshes']['captive_portal']['radius_1']         = '198.27.111.78'; // This will be the public IP Address of the FreeRADIUS / RADIUSdesk
//$config['ApProfiles']['captive_portal']['radius_2']         = '198.27.111.78'; //Optional second fallback RADIUS
$config['Meshes']['captive_portal']['radius_secret']    = 'testing123'; //Change this to the common site wide secret used by Dynamic RADIUS Clients
//Use DNS name in uam_url to looks more professional / or IP Address 
$config['Meshes']['captive_portal']['uam_url']          = 'http://198.27.111.78/cake2/rd_cake/dynamic_details/chilli_browser_detect/';
$config['Meshes']['captive_portal']['uam_secret']       = 'greatsecret'; //Usually you will not change this value
 
//$config['ApProfiles']['captive_portal']['walled_garden'] = "www.radiusdesk.com,www.google.com"; //Optional
$config['Meshes']['captive_portal']['swap_octet']       = true;
$config['Meshes']['captive_portal']['mac_auth']         = true;
//$config['Meshes']['captive_portal']['coova_optional']   = "ssid=radiusdesk";

For APdesk

sudo vi /usr/share/nginx/html/cake2/rd_cake/Config/ApProfiles.php

Look for this bit and change accordingly:

//_______________________________________________
//== Pre-set values for the Captive Portals
$config['ApProfiles']['captive_portal']['radius_1']         = '198.27.111.78'; // This will be the public IP Address of the FreeRADIUS / RADIUSdesk
//$config['ApProfiles']['captive_portal']['radius_2']         = '198.27.111.78'; //Optional second fallback RADIUS
$config['ApProfiles']['captive_portal']['radius_secret']    = 'testing123'; //Change this to the common site wide secret used by Dynamic RADIUS Clients
//Use DNS name in uam_url to look more professional / or IP Address 
$config['ApProfiles']['captive_portal']['uam_url']          = 'http://198.27.111.78/cake2/rd_cake/dynamic_details/chilli_browser_detect/';
$config['ApProfiles']['captive_portal']['uam_secret']       = 'greatsecret'; //Usually you will not change this value
 
//$config['ApProfiles']['captive_portal']['walled_garden'] = "www.radiusdesk.com,www.google.com"; //Optional
$config['ApProfiles']['captive_portal']['swap_octet']       = true;
$config['ApProfiles']['captive_portal']['mac_auth']         = true;
//$config['ApProfiles']['captive_portal']['coova_optional']   = "ssid=radiusdesk";
//__________________________________________________

By defining these items the Add Captive Portal Exit Point windows will be pre-populated for you, making it a snap to add new Captive Portals to either a mesh or an Access Point profile.

Next steps

Be sure to also install Node.js.
Install node.js

Table of Contents

Installing FreeRADIUS version 3.x

Configuring FreeRADIUS version 3.x

Add script to sudoers file

Configure MESHdesk and APdesk

Next steps