I have recently purchased a load of Ubiquiti UniFi equipment, including the UniFi USG, which requires a RADIUS server for user authentication in order to deploy a user VPN. This article runs through how to install and set one up.
I will be using FreeRADIUS, as it is the most commonly used RADIUS server and supports most common authentication protocols.
Disable SELinux:
vi /etc/sysconfig/selinux
----
SELINUX=disabled
----
First we need to update our CentOS server and install the required applications:
yum install -y epel-release
yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php72
yum update -y
yum install -y freeradius freeradius-utils freeradius-mysql nginx mariadb-server mariadb php-cli php-mysqlnd php-devel php-gd php-mcrypt php-mbstring php-xml php-pear php-fpm
pear channel-update pear.php.net
pear install DB
systemctl reboot
We must now enable the FreeRADIUS, MariaDB, PHP-FPM and Nginx services to run at boot, and start MariaDB:
systemctl enable radiusd
systemctl enable nginx
systemctl enable mariadb
systemctl enable php-fpm
systemctl start mariadb
We need to secure the MariaDB installation (answer the prompts as follows):
mysql_secure_installation
----
Set the root password
Remove the anonymous user
Disable root remote login
Remove the test databases
Reload privileges
----
Allow local connections only:
vim /etc/my.cnf
----
[mysqld]
bind-address=127.0.0.1
----
Configure the database to work with FreeRADIUS:
mysql -u root -p
----
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
FLUSH PRIVILEGES;
quit
----
We need to allow the RADIUS and HTTP services through the firewall:
systemctl start firewalld
firewall-cmd --zone=public --add-service=radius --add-service=http --permanent
firewall-cmd --reload
Now we will run FreeRADIUS in debug mode (in the foreground) to make sure it starts correctly:
radiusd -X
Import the FreeRADIUS database schema:
mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Create a symbolic link to enable the SQL module:
ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
Configure the SQL module and change the database connection: edit the existing file, find the settings below and make sure they match:
vi /etc/raddb/mods-available/sql
----
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"

    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"

    # Database table configuration for everything except Oracle
    radius_db = "radius"

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes

    # Table to keep radius client info
    client_table = "nas"
}
----
Change the group for the SQL folder to radiusd:
chgrp -h radiusd /etc/raddb/mods-enabled/sql
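As an added example (not part of the original article), here is what the two tables the SQL module relies on look like once the schema is imported, and how radiusd uses them: rows in nas become RADIUS clients at startup (read_clients = yes), and rows in radcheck hold each user's check items. It uses an in-memory SQLite database as a stand-in for MariaDB with a reduced copy of the FreeRADIUS table layout; the USG address, shared secret and user are constructed values.

```python
import hmac
import sqlite3

# Constructed stand-in for the MariaDB "radius" database: the two tables the
# FreeRADIUS SQL module reads, reduced to the columns that matter here.
SCHEMA = """
CREATE TABLE nas (
    id INTEGER PRIMARY KEY, nasname TEXT NOT NULL, shortname TEXT,
    type TEXT DEFAULT 'other', secret TEXT NOT NULL, description TEXT);
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_nas(db, nasname, shortname, secret, description=""):
    # With read_clients = yes these rows are loaded as clients when radiusd
    # starts; nasname is the address the USG sends its requests from.
    db.execute("INSERT INTO nas (nasname, shortname, secret, description) "
               "VALUES (?, ?, ?, ?)", (nasname, shortname, secret, description))

def add_user(db, username, password):
    # Cleartext-Password with the := operator is the standard check item
    # for a password-authenticated user in radcheck.
    db.execute("INSERT INTO radcheck (username, attribute, op, value) "
               "VALUES (?, 'Cleartext-Password', ':=', ?)", (username, password))

def client_secret(db, src_ip):
    """Shared secret for a request source address, or None when the
    client is unknown (radiusd ignores requests from unknown clients)."""
    row = db.execute("SELECT secret FROM nas WHERE nasname = ?",
                     (src_ip,)).fetchone()
    return row[0] if row else None

def check_password(db, username, password):
    """Mimic the authorize lookup: read the user's check items and compare
    the supplied password in constant time."""
    rows = db.execute("SELECT attribute, op, value FROM radcheck "
                      "WHERE username = ?", (username,)).fetchall()
    for attribute, op, value in rows:
        if attribute == "Cleartext-Password" and op == ":=":
            return hmac.compare_digest(value.encode(), password.encode())
    return False  # no password on file: reject
```

Remember that radiusd only reads the nas table at startup, so a client added through daloRADIUS needs a service restart before it is accepted.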
Configure PHP-FPM (update the lines below in the file):
vi /etc/php-fpm.d/www.conf
----
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nobody
listen.group = nobody
user = nginx
group = nginx
----
Configure Nginx (add the "location" block inside the existing server block):
vi /etc/nginx/conf.d/default.conf
----
server {
    ## other data here

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
----
Install daloRADIUS:
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master/ daloradius
cd daloradius
Import the daloRADIUS MySQL schema:
mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < contrib/db/mysql-daloradius.sql
Move daloRADIUS to the web root:
cd ..
mv daloradius /usr/share/nginx/html
Change permissions for the web server:
chown -R nginx:nginx /usr/share/nginx/html/daloradius/
chmod 664 /usr/share/nginx/html/daloradius/library/daloradius.conf.php
Modify the daloRADIUS configuration for MySQL, setting these values to the database user, password and name created earlier (radius, radiuspassword and radius):
vi /usr/share/nginx/html/daloradius/library/daloradius.conf.php
----
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
----
To make sure everything works, restart all services:
systemctl restart radiusd
systemctl restart mariadb
systemctl restart php-fpm
systemctl restart nginx
Access the web interface:
http://FQDN_IP_OF_SERVER/daloradius/login.php
Default login (change this password after the first login):
User: Administrator
Pass: radius