Radius Server

From Network Security Wiki

Installing FreeRadius

Installing freeradius in Ubuntu 16.10:

Source: blog.moatazthenervous.com

sudo apt-get install freeradius


Edit the freeradius users file:

sudo nano /etc/freeradius/users  

Uncomment the user 'John Doe':

"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"  

Add a new User with Group Name:

aman            Cleartext-Password := "pwd123"
                Citrix-User-Groups = "S_UA_G_Superuser",
                Reply-Message = "Hello, %{User-Name}"

Test the connectivity from local machine:

sudo radtest "John Doe" hello 0 testing123  

Remote access to the radius server

sudo nano /etc/freeradius/clients.conf  

And add the following snippet:

client remote-nas {            # placeholder name; FreeRADIUS requires a name for every client section
  ipaddr = 192.0.2.10          # placeholder: address (or subnet) of the machine allowed to query this server
  secret = "mysecret"
  shortname = name
}

Now from another machine, try the following:

radtest "John Doe" "hello" 0 "mysecret"

You should receive an Access-Accept packet carrying the Reply-Message "Hello, John Doe".


Source: wiki.freeradius.org

The "log" section of the radiusd.conf file is where the primary logging configuration for the FreeRADIUS server is located.

log {
    destination = files
    file = ${logdir}/radius.log     # If Server is running in debugging mode, this file is NOT used.
#   requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
#   msg_goodpass = ""
#   msg_badpass = ""
}

Destination options:

files - log to the file named by the "file" setting above.
syslog - send log messages to syslog 
stdout - log to standard output.
stderr - log to standard error.



Source: ubuntugeek.com

Install the PHP packages needed by Daloradius:

sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5 php-mail

Freeradius Installation:

sudo apt-get install freeradius freeradius-mysql freeradius-utils


Create Freeradius Database

sudo mysql -u root -p
mysql> create database radius;
mysql> grant all on radius.* to radius@localhost identified by "password";

Import the freeradius database schema:

sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql 
sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql 

Create a test user in the radius database (the known-good password is stored as Cleartext-Password):

sudo mysql -u root -p
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('sqltest', 'Cleartext-Password', ':=', 'testpwd');
mysql> exit


Edit the /etc/freeradius/sql.conf file:

sudo nano /etc/freeradius/sql.conf

Make sure it contains the following settings:

database = mysql
login = radius
password = password

Uncomment the following:

readclients = yes

Now you need to edit the /etc/freeradius/sites-enabled/default file

sudo vi /etc/freeradius/sites-enabled/default

Uncomment the sql option in each of the three sections where it is commented out; in each section it follows a comment of this form:

# See "Authorization Queries" in sql.conf

Now edit /etc/freeradius/radiusd.conf file

sudo nano /etc/freeradius/radiusd.conf 

Uncomment the following option:

   $INCLUDE sql.conf

Stop the freeradius server:

sudo /etc/init.d/freeradius stop

Run freeradius in debugging mode. If there is no error, you are ready to go.

sudo freeradius -X

Start freeradius again:

sudo /etc/init.d/freeradius start

Test the radius server against the SQL-backed user:

sudo radtest sqltest testpwd localhost 18128 testing123

Expected output:

Sending Access-Request of id 68 to port 1812
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address =
NAS-Port = 18128
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host port 1812, id=68, length=20

Daloradius Installation

Download the Daloradius latest version:

wget https://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar xvfz daloradius-0.9-9.tar.gz
mv daloradius-0.9-9 daloradius
mv daloradius /var/www

Change Permissions

sudo chown www-data:www-data /var/www/daloradius -R
sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php

The MySQL database needs to be set up for daloradius by importing the daloradius schema into the 'radius' database.

cd /var/www/daloradius/contrib/db

sudo mysql -u root -p radius < mysql-daloradius.sql

Configure the following daloradius setting:

sudo nano /var/www/daloradius/library/daloradius.conf.php 

Change the database password:

$configValues['CONFIG_DB_PASS'] = 'password'; 

Now configure the daloradius site in Apache:

   sudo nano /etc/apache2/sites-available/daloradius.conf

and add the following lines:

Alias /daloradius "/var/www/daloradius/"

<Directory /var/www/daloradius/>
    Options None
    # Apache 2.2 access syntax; on Apache 2.4 use "Require all granted" instead
    Order allow,deny
    allow from all
</Directory>

Enable the daloradius site and reload Apache:

sudo a2ensite daloradius
sudo service apache2 reload

Daloradius Web GUI

Use the following default login details (change the password after the first login):

username: administrator
password: radius

Troubleshooting Daloradius

  • If you get a permission denied error when importing the schema:
aman@ubuntu:~$ mysql -u root -ppwd@123 radius < /etc/freeradius/sql/mysql/schema.sql
-bash: /etc/freeradius/sql/mysql/schema.sql: Permission denied

The shell, not mysql, opens the file for the < redirect, so sudo does not help. Copy the files to your home directory and change their owner:

sudo cp /etc/freeradius/sql/mysql/schema.sql ~
sudo cp /etc/freeradius/sql/mysql/nas.sql ~
sudo chown aman:aman ~/*.sql

  • If the page stops loading after login and you get errors like these in the Apache error log:
[Sat Aug 05 20:10:51.734692 2017] [:error] [pid 22226] [client] PHP Warning:  include_once(DB.php): failed to open stream: No such file or directory in /var/www/daloradius/library/opendb.php on line 84, referer:
[Sat Aug 05 20:10:51.734877 2017] [:error] [pid 22226] [client] PHP Warning:  include_once(): Failed opening 'DB.php' for inclusion (include_path='.:/usr/share/php') in /var/www/daloradius/library/opendb.php on line 84, referer:
[Sat Aug 05 20:10:51.734988 2017] [:error] [pid 22226] [client] PHP Fatal error:  Uncaught Error: Class 'DB' not found in /var/www/daloradius/library/opendb.php:86\nStack trace:\n#0 /var/www/daloradius/dologin.php(49): include()\n#1 {main}\n  thrown in /var/www/daloradius/library/opendb.php on line 86, referer:

Check whether the required PHP modules are installed:

php -m

If DB is missing, install it:

sudo pear install DB

  • If the above issue still persists, the problem is that I had PHP 7.0 installed, but daloradius is only supported up to 5.0.

So the database engine and SQL mode have to be changed (note that SET GLOBAL clears the SQL mode for the whole server, not just the radius database):

Make sure all necessary packages are installed:

sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db
pear install DB

Change the settings:

cd /var/www/html/daloradius/library/
vim daloradius.conf.php -> set CONFIG_DB_ENGINE to "mysqli"              # from mysql to mysqli
vim opendb.php -> $dbSocket->query("SET GLOBAL sql_mode = '';");         # append this line at the end of the file

Now grant the database user freeradius the SUPER privilege, which SET GLOBAL requires (the user name must match CONFIG_DB_USER in daloradius.conf.php):

mysql -u root -p 
mysql> GRANT SUPER ON *.* TO 'freeradius'@'localhost' IDENTIFIED BY 'password';
mysql> flush privileges;

You might also have to import the daloradius schema:

cd /var/www/html/daloradius/contrib/db/
mysql -u root -p radius <mysql-daloradius.sql

  • If you get a "DB connection failed" error, set the database credentials in:
sudo nano /var/www/daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = 'ppwd@123';

After saving the file you should be able to reach the landing page.

  • If radtest returns an Access-Reject like the following:
rad_recv: Access-Reject packet from host port 1812

edit the following file:

sudo nano /etc/freeradius/sites-available/default

Around line 177, uncomment the sql line that follows this comment:

# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
# See "Authorization Queries" in sql.conf


If you are unable to use radtest from other servers, check the client entry (IP address and shared secret) in clients.conf:

sudo nano /etc/freeradius/clients.conf

Then stop the service and run the server in debugging mode to watch the incoming requests:

sudo service freeradius stop
sudo freeradius -X


Generating Access-Challenge requests:

test@test-ubuntu:~$ sudo radtest -t eap-md5 aman2 pwd123 0 testing123
Sending Access-Request packet to host port 1812, id=46, length=0
       User-Name = "aman2"
       User-Password = "pwd123"
       NAS-IP-Address =
       NAS-Port = 0
       Message-Authenticator = 0x00
       EAP-Code = Response
       EAP-Type-Identity = 0x616d616e32
       EAP-Message = 0x022d000a01616d616e32
Received Access-Challenge packet from host port 1812, id=46, length=80
       EAP-Message = 0x012e001604105b198df62a06f8e8b6f45c6e97221cbb
       Message-Authenticator = 0x85003a7abf1656a3064b38be08c17409
       State = 0xa3a3b720a38db3e96a996e0bad7460b2
       EAP-Id = 46
       EAP-Code = Request
       EAP-Type-MD5-Challenge = 0x105b198df62a06f8e8b6f45c6e97221cbb
Sending Access-Request packet to host port 1812, id=47, length=87
       User-Name = "aman2"
       User-Password = "pwd123"
       NAS-IP-Address =
       NAS-Port = 0
       Message-Authenticator = 0x00000000000000000000000000000000
       EAP-Code = Response
       EAP-Type-MD5-Challenge = 0x10c09519c41c4c2384e79a1242928c5f31
       EAP-Id = 46
       State = 0xa3a3b720a38db3e96a996e0bad7460b2
       EAP-Message = 0x022e00160410c09519c41c4c2384e79a1242928c5f31
Received Access-Accept packet from host port 1812, id=47, length=51
       EAP-Message = 0x032e0004
       Message-Authenticator = 0xfc73020acc54cd6b85a82c8f52c094f5
       User-Name = "aman2"
       EAP-Id = 46
       EAP-Code = Success

Packet flow is as follows:

22:40:29.222278 IP > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2e length: 87
22:40:29.240517 IP ubuntu.radius > RADIUS, Access-Challenge (11), id: 0x2e length: 80
22:40:29.242083 IP > ubuntu.radius: RADIUS, Access-Request (1), id: 0x2f length: 117
22:40:29.292782 IP ubuntu.radius > RADIUS, Access-Accept (2), id: 0x2f length: 51

Similar Packet capture file: RADIUS2
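The EAP-MD5 exchange above, decoded: an added example (not from the original page) that parses the EAP-Message attributes and recomputes the MD5-Challenge response the way the server does (CHAP, RFC 1994: MD5 over Identifier, password and Challenge) to check it against the stored Cleartext-Password. The hex strings and the password pwd123 are taken from the radtest output; the function names are this example's own.

```python
import hashlib
import hmac

# EAP-Message payloads copied from the radtest output above (hex, without the 0x prefix)
EAP_IDENTITY_RESPONSE = "022d000a01616d616e32"
EAP_MD5_REQUEST = "012e001604105b198df62a06f8e8b6f45c6e97221cbb"
EAP_MD5_RESPONSE = "022e00160410c09519c41c4c2384e79a1242928c5f31"
EAP_SUCCESS = "032e0004"

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_eap(hexstr):
    """Decode one EAP packet (RFC 3748): Code, Identifier, Length, then Type and Type-Data."""
    pkt = bytes.fromhex(hexstr)
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} does not match packet size {len(pkt)}")
    info = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type byte
        eap_type = pkt[4]
        info["type"] = TYPES.get(eap_type, eap_type)
        if eap_type == 1:  # Identity: Type-Data is the user name
            info["identity"] = pkt[5:].decode()
        elif eap_type == 4:  # MD5-Challenge: Value-Size, Value, then an optional Name
            vsize = pkt[5]
            info["value"] = pkt[6:6 + vsize]
            info["name"] = pkt[6 + vsize:].decode()
    return info


def eap_md5_response(ident, password, challenge):
    """MD5-Challenge response as CHAP (RFC 1994) defines it: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_verify(request_hex, response_hex, cleartext_password):
    """Server-side check: recompute the hash from the stored Cleartext-Password and compare."""
    req, resp = parse_eap(request_hex), parse_eap(response_hex)
    if resp["id"] != req["id"]:  # the Response must answer this Request's Identifier
        return False
    expected = eap_md5_response(req["id"], cleartext_password, req["value"])
    return hmac.compare_digest(expected, resp["value"])


if __name__ == "__main__":
    for h in (EAP_IDENTITY_RESPONSE, EAP_MD5_REQUEST, EAP_MD5_RESPONSE, EAP_SUCCESS):
        print(parse_eap(h))
    print("captured response valid for pwd123:",
          server_verify(EAP_MD5_REQUEST, EAP_MD5_RESPONSE, b"pwd123"))
```

Because the response is a plain MD5 over a static password and a challenge visible on the wire, a capture like the one above lets anyone test password guesses offline, which is why EAP-MD5 is only suitable for lab testing and a tunnelled method (EAP-TLS, PEAP) is used in production.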

Forcing EAP for a user:

This section is under construction.

Forcing just EAP

This section is under construction.

