RADIUSdesk

Trace: 18_install_ubuntu_freeradius_3

This is an old revision of the document!

Table of Contents

Installing FreeRADIUS version 3.x

  • Ubuntu 18.04 now comes with a FreeRADIUS 3.x release.
  • Install FreeRADIUS and MySQL module.
sudo apt-get install libdatetime-perl
sudo apt-get install freeradius freeradius-mysql
# Answer yes to install these with their dependencies
# Please note that when this package is installed there are some things generated that can take up lots of time on slower machines.
  • Enable and Start FreeRADIUS
sudo systemctl enable freeradius
sudo systemctl start freeradius
  • Check the feedback on our startup attempt.
sudo systemctl status freeradius
  • Because we have not yet configured anything; we do get some errors. This will be fixed and Coova should run fine once we configured the program.
● chilli.service - LSB: Start CoovaChilli daemon at boot time
   Loaded: loaded (/etc/init.d/chilli; generated)
   Active: active (exited) since Fri 2019-12-20 20:07:51 UTC; 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14452 ExecStop=/etc/init.d/chilli stop (code=exited, status=0/SUCCESS)
  Process: 14491 ExecStart=/etc/init.d/chilli start (code=exited, status=0/SUCCESS)
 
Dec 20 20:07:51 osboxes chilli[14580]: TX queue length set to 100
Dec 20 20:07:51 osboxes coova-chilli[14585]: PID 14585 loading binary options file /var/run/chilli.14580.cfg.bin
Dec 20 20:07:51 osboxes coova-chilli[14585]: Loading modules
Dec 20 20:07:51 osboxes coova-chilli[14585]: USER root(0/0), GROUP root(0/0) CHILLI[UID 113, GID 116]
Dec 20 20:07:51 osboxes coova-chilli[14585]: Running /etc/chilli/up.sh (0/0)
Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(SIOCSIFFLAGS) failed on eth1
Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(SIOCSIFFLAGS) failed
Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(SIOCSIFADDR) failed
Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(d=2, request=35111) failed
Dec 20 20:07:51 osboxes chilli[14580]: Failed to create dhcp listener on eth1

Configuring FreeRADIUS version 3.x

  • Do the following to configure FreeRADIUS 3.x to work with RADIUSdesk
# Stop the service if it is already running
sudo systemctl stop freeradius
# Backup the original FreeRADIUSdirectory
sudo mv /etc/freeradius /etc/freeradius.orig
# Extract the AMPcore modified FreeRADIUS directory
sudo tar xzf /usr/share/nginx/html/cake2/rd_cake/Setup/Radius/freeradius-3-radiusdesk.tar.gz --one-top-level=/etc/freeradius/
sudo mv /etc/freeradius/freeradius /etc/freeradius/3.0
  • Correct some PATHs for FreeRADIUS 3.x
sudo vi /etc/freeradius/3.0/dictionary
 
# Change
$INCLUDE  /etc/freeradius/dictionary_overrides/dictionary.mikrotik
$INCLUDE  /etc/freeradius/dictionary_overrides/dictionary.chillispot
 
# To
$INCLUDE  /etc/freeradius/3.0/dictionary_overrides/dictionary.mikrotik
$INCLUDE  /etc/freeradius/3.0/dictionary_overrides/dictionary.chillispot
 
sudo vi /etc/freeradius/3.0/radiusd.conf
 
# Change
raddbdir = /etc/freeradius
 
# To
raddbdir = /etc/freeradius/3.0
  • Configure the site wide shared secret. This will be the value used by ALL Dynamic Clients.
sudo vi /etc/freeradius/3.0/sites-enabled/dynamic-clients
  • Look for this part in the file and change FreeRADIUS-Client-Secret to the value you choose to use.
#  Echo the IP address of the client.
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
 
# require_message_authenticator
FreeRADIUS-Client-Require-MA = no
 
# secret
FreeRADIUS-Client-Secret = "testing123"
 
# shortname
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
  • Comment out the following two lines in the systemd service file
sudo vi /lib/systemd/system/freeradius.service
  • See this sample to see which two lines to comment out. Failing to do this will result in a broken system with FreeRADIUS not starting up during boot
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=syslog.target network.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
 
[Service]
Type=forking
PIDFile=/run/freeradius/freeradius.pid
#EnvironmentFile=-/etc/default/freeradius
#ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-user.target
  • After you completed these commands you can test if FreeRADIUS starts up fine.
sudo systemctl daemon-reload 
sudo systemctl restart freeradius.service
sudo systemctl status freeradius.service
  • If in future you need to run FreeRADIUS in debug mode on the terminal use this as a reference:
#Stop the current FreeRADIUS instance
sudo systemctl stop freeradius.service
#If it is perhaps stuck use killall
sudo killall freeradius
#Start it in debug mode
sudo freeradius -X

Add script to sudoers file

Failing to do this step will leave the advanced features of RADIUSdesk broken.

  • To create the ability for the web server to exercise some control over FreeRADIUS, we will have a custom script which is added to the sudoers file.
  • The correct way to edit the sudoers file is by using:
sudo visudo
  • Add the following at the bottom
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL www-data ALL = NOPASSWD:/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/radmin_wrapper.pl
  • Confirm that this line is now inside the /etc/sudoers file
sudo cat /etc/sudoers
  • This will allow the root user in RADIUSdesk to start and stop FreeRADIUS and also to do on-the-fly activation of debug traces.

Configure MESHdesk and APdesk

  • If you will be using MESHdesk or APdesk this section is for you and will make life easier for you.
  • We need to configure default settings for the Coova Chilli Captive Portal which are used in both MESHdesk and APdesk.
  • Please get the following information ready.
    • The IP Address which the server can be reached through. This will typically be a public IP Address but it can also be a private IP Address if you run RADIUSdesk on a private network.
    • The FQDN for the server if you registered in on a DNS service.
    • The site wide FreeRADIUS shared secret used by the Dynamic RADIUS Clients. This was done earlier in this page when you configured the Dynamic Clients.
    • There are two files which you need to edit to reflect your installations detail.
  • For MESHdesk:
sudo vi /usr/share/nginx/html/cake2/rd_cake/Config/MESHdesk.php
  • Look for this bit and change accordingly:
//_______________________________________________
//== Pre-set values for the Captive Portals
$config['Meshes']['captive_portal']['radius_1']         = '198.27.111.78'; // This will be the public IP Address of the FreeRADIUS / RADIUSdesk
//$config['ApProfiles']['captive_portal']['radius_2']         = '198.27.111.78'; //Optional second fallback RADIUS
$config['Meshes']['captive_portal']['radius_secret']    = 'testing123'; //Change this to the common site wide secret used by Dynamic RADIUS Clients
//Use DNS name in uam_url to looks more professional / or IP Address 
$config['Meshes']['captive_portal']['uam_url']          = 'http://198.27.111.78/cake2/rd_cake/dynamic_details/chilli_browser_detect/';
$config['Meshes']['captive_portal']['uam_secret']       = 'greatsecret'; //Usually you will not change this value
 
//$config['ApProfiles']['captive_portal']['walled_garden'] = "www.radiusdesk.com,www.google.com"; //Optional
$config['Meshes']['captive_portal']['swap_octet']       = true;
$config['Meshes']['captive_portal']['mac_auth']         = true;
//$config['Meshes']['captive_portal']['coova_optional']   = "ssid=radiusdesk";
  • For APdesk
sudo vi /usr/share/nginx/html/cake2/rd_cake/Config/ApProfiles.php
  • Look for this bit and change accordingly:
//_______________________________________________
//== Pre-set values for the Captive Portals
$config['ApProfiles']['captive_portal']['radius_1']         = '198.27.111.78'; // This will be the public IP Address of the FreeRADIUS / RADIUSdesk
//$config['ApProfiles']['captive_portal']['radius_2']         = '198.27.111.78'; //Optional second fallback RADIUS
$config['ApProfiles']['captive_portal']['radius_secret']    = 'testing123'; //Change this to the common site wide secret used by Dynamic RADIUS Clients
//Use DNS name in uam_url to look more professional / or IP Address 
$config['ApProfiles']['captive_portal']['uam_url']          = 'http://198.27.111.78/cake2/rd_cake/dynamic_details/chilli_browser_detect/';
$config['ApProfiles']['captive_portal']['uam_secret']       = 'greatsecret'; //Usually you will not change this value
 
//$config['ApProfiles']['captive_portal']['walled_garden'] = "www.radiusdesk.com,www.google.com"; //Optional
$config['ApProfiles']['captive_portal']['swap_octet']       = true;
$config['ApProfiles']['captive_portal']['mac_auth']         = true;
//$config['ApProfiles']['captive_portal']['coova_optional']   = "ssid=radiusdesk";
//__________________________________________________
  • By defining these items the Add Captive Portal Exit Point windows will be pre-populated for you, making it a snap to add new Captive Portals to either a mesh or an Access Point profile. :-D

Next steps

Last modified: 2019/12/20 22:10