I have recently purchased a load of Ubiquiti UniFi equipment, as part of this i have the UniFi USG which in order to deploy a User VPN requires a RADUIS Server for user authentication. This article will run through how to install and set this up.

I will be using FreeRADIUS as this is the most commonly used, it supports most common authentication protocols.

Disable SELinux:
vi /etc/sysconfig/selinux

SELINUX=disabled

First we need to update our CentOS server and install the required applications:

yum install -y epel-release
yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php72
yum update -y
yum install -y freeradius freeradius-utils freeradius-mysql nginx mariadb-server mariadb php-cli php-mysqlnd php-devel php-gd php-mcrypt php-mbstring php-xml php-pear php-fpm
pear channel-update pear.php.net
pear install DB
systemctl reboot

We must now enable the FreeRADIUS, MariaDB, PHP-FPM and Nginx services to run at boot:

systemctl enable radiusd
systemctl enable nginx
systemctl enable mariadb
systemctl enable php-fpm
systemctl start mariadb

We need to configure MariaDB:

mysql_secure_installation
----
Set the root password
Remove the Anonymous User
Disable root remote login
Remove Test DBs
Reloar Privileges
----

Allow local connections only:

vim /etc/my.cnf 
----
 [mysqld]
 bind-address=127.0.0.1
----

Configure the database to work with freeRADIUS:

mysql -u root -p 
----
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radiuspassword";
FLUSH PRIVILEGES;
quit
----

We need to add Radius and HTTP ports to the firewall:

systemctl start firewalld
firewall-cmd --zone=public --add-service=radius --add-service=http --permanent
firewall-cmd --reload

Now we will run Radius in debug mode to make sure it runs correctly:

radiusd -X

Import the Radius database scheme:

mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Create a soft line for SQL:

ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

configure the SQL module and change the database connection, edit the existing file, find the text below and make sure it matches:

vi /etc/raddb/mods-available/sql
----
sql {
  driver = "rlm_sql_mysql"
  dialect = "mysql"

  # Connection info:
  server = "localhost"
  port = 3306
  login = "radius"
  password = "radiuspassword"

  # Database table configuration for everything except Oracle
  radius_db = "radius"
}

# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes

# Table to keep radius client info
client_table = “nas”
----

Change the group for the SQL folder to radiusd:

chgrp -h radiusd /etc/raddb/mods-enabled/sql

Configure PHP (update the below lines in the file):

vi /etc/php-fpm.d/www.conf
----------------
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nobody
listen.group = nobody
user = nginx
group = nginx

Configure Nginx (add the “location” :

vi /etc/nginx/conf.d/default.conf
-------------------
server {
    ##other data here

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Installing Daloradius:

wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master/ daloradius
cd daloradius

Import Daloradius MySQL:

mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 
mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Move to the httpd directory:

cd ..
mv daloradius /usr/share/nginx/html

change permissions for httpd:

chown -R nginx:nginx /usr/share/nginx/html/daloradius/
chmod 664 /usr/share/nginx/html/daloradius/library/daloradius.conf.php

Modify configuration for MySQL:

vi /usr/share/nginx/html/daloradius/library/daloradius.conf.php
----
CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME
----

To make sure everything works restart all services:

systemctl restart radiusd
systemctl restart mariadb
systemctl restart php-fpm
systemctl restart nginx

Access the web interface:

http://FQDN_IP_OF_SERVER/daloradius/login.php

Default Login:
User: Administrator
Pass: radius