Installing FreeRADIUS


description

Guide to installing FreeRADIUS using RPMs.

Transcript of Installing FreeRADIUS

  • 5/19/2018 Installing FreeRADIUS

    2 Installing FreeRADIUS

    As with most open source software (OSS), FreeRADIUS can be installed in multiple ways, including using a package manager (rpm, yum, apt-get, etc.) or building and installing from source code. The difference between FreeRADIUS and other OSS is when and how often you would choose building from source code over using a package manager. With FreeRADIUS you are likely to choose building from source code much more often, and some people always build FreeRADIUS from source code.

    Anatomy of a Linux Distribution

    To understand when and why you would build FreeRADIUS from source code instead of using a package manager, it helps to understand the FreeRADIUS development cycle and the process used to create a Linux distribution.

    FreeRADIUS is a dynamic project with a small but very active group of developers who release new versions of FreeRADIUS two to three times a year. Each new release of FreeRADIUS includes significant new features and bug fixes. Many FreeRADIUS users need the new features and/or bug fixes and upgrade to the new version shortly after it is released. This is in contrast to other OSS projects that are in maintenance mode, have few new features and a much longer release cycle.

    A Linux distribution is a collection of thousands of software packages, each with dependencies on other software packages, that must be compiled, linked and bundled together to create a running Linux system. The creators of a Linux distribution must decide which of those thousands of software packages to include in the distribution and which specific version of each package to include. They can choose to include the latest and greatest version of each software package, but they run the risk of including software that is unstable, buggy and has security holes. They can choose the conservative route and only include packages and versions of software that have been running for years, but they risk leaving out newer versions that have features customers really want. Lucky for us, there are hundreds of Linux distributions covering the entire spectrum, from very conservative, small releases to distributions with the latest and greatest software for everything.

    We will look in more detail at RedHat Enterprise Linux (RHEL), which is a popular choice for deploying FreeRADIUS in the enterprise and on Internet Service Provider (ISP) networks.

    RHEL is derived from the Fedora Linux distribution. The Fedora Project releases a new version of Fedora every six months. Each new release of Fedora adds new software packages, and existing packages are updated to a more recent version of the underlying software.

    RHEL releases a new major version every two to three years, with minor versions every six to nine months. Each major release of RHEL is derived from the then-current release of the Fedora Project and only includes a subset of the packages in Fedora. Major releases of RHEL are supported for seven years, and the base version of any software package will remain constant throughout the lifetime of the distribution. When a bug or security problem is found in a software package, the developers of the original software may have fixed the problem in a newer release of the software. To maintain version stability, the fix is backported to the release of the software that is included in the major release of RHEL. With each minor release of RHEL, the quality of the software improves and the functionality does not change, which allows users to safely upgrade from one minor release to the next.

    One downside of the RHEL distribution is that it does not include newer versions of software. FreeRADIUS is an example of software that has been packaged for RHEL but the package is built using an older version of the software. RHEL 5.4 and earlier releases include FreeRADIUS in a package named freeradius. The package was built using FreeRADIUS 1.1.3, which was released in August 2006 and is no longer supported by the FreeRADIUS project. Fortunately, RHEL 5.5 (released in March 2010) includes a new package named freeradius2 that was built using FreeRADIUS 2.1.7 (released in September 2009).

    Also, in November 2010, RedHat released RHEL 6, which includes an updated version of the freeradius package based on FreeRADIUS 2.1.9-3 and newer versions of other software packages used by FreeRADIUS, including MySQL 5.1. The rest of the examples in the book that refer to RHEL will be referring to RHEL 6.

    If you use RedHat Enterprise Linux (RHEL), use RHEL 6, which includes more recent versions of FreeRADIUS and other software packages like MySQL 5.1.

    CentOS

    RHEL is sold on a subscription basis and includes software updates and technical support from RedHat. Organizations that cannot afford a subscription can use CentOS (http://www.centos.org/). CentOS is a free community version of RHEL that starts with the source code for RHEL and strips out the RedHat branding. Although RedHat would certainly like to sell you a subscription to RHEL, they are committed to open source and make all of the source code to RHEL available to other organizations that want to make their own Linux distribution. CentOS is one of those organizations and they usually release a new version of CentOS a couple of months after RedHat releases a new version of RHEL. CentOS is binary compatible with RHEL, and packages built for RHEL will install and run on CentOS.

    Installing FreeRADIUS on RedHat Enterprise Linux (RHEL) using RPMs

    In general, installing software using a package manager is much easier, but with FreeRADIUS there are so many different modules and installation options that it is difficult to create a set of packages that works for every environment. FreeRADIUS includes dozens of options for user database, authentication method and other RADIUS features. FreeRADIUS supports all of these options with modules, which are custom software libraries that often require additional 3rd party libraries.

    For example, FreeRADIUS includes four different modules to support four databases: MySQL, Oracle, Microsoft SQL Server and Postgres. Each database module requires the client library for the database, and there are often different versions of the client library. The number of packages needed to support the different combinations of OS, processor, database, authentication methods, 3rd party libraries, etc. would quickly spiral out of control with each new release of FreeRADIUS. As more features are added to FreeRADIUS, the number of packages would approach infinity or the number of Cisco IOS images, whichever is greater.

    So, to avoid the chaos of creating a large number of packages, FreeRADIUS is released as a source code tarball. Members of the FreeRADIUS community build packages that support the most common options/modules for a variety of OSes including RedHat Enterprise Linux (RHEL/CentOS), Fedora, Ubuntu, SUSE, Debian and Mac OS X.

    Rather than create one monolithic FreeRADIUS package, RedHat created a base package, called freeradius, and nine optional packages for utilities, databases and other authentication methods, the Perl and Python modules and debug info.

    FreeRADIUS packages in RHEL 6

    freeradius

    freeradius-mysql

    freeradius-utils

    freeradius-debuginfo

    freeradius-krb5

    freeradius-ldap

    freeradius-perl

    freeradius-postgresql

    freeradius-python

    freeradius-unixODBC

    Installing a package is a multi-step process:

    1. Find the package.

    2. Download the package.

    3. Determine dependencies.

    4. Resolve dependencies.

    5. Install the package.

    There are multiple package management systems used by the various Linux distributions. Since we are installing software on RedHat Enterprise Linux, we will be using the RedHat Package Manager (RPM) which is also used by Ubuntu and SuSE. RPM packages are files ending in .rpm that contain binary executable files, libraries, documentation, source code, dependencies and installation instructions. The RPM package management system includes the rpm utility, which is used to install, remove, and manage packages.

    Installing FreeRADIUS using YUM

    You could use the rpm utility to manually perform all five steps in the package installation process, but it can be tedious and painful. To install a package you would need to find the package for the correct OS and processor, download the package and then run rpm to install it. The first time you run rpm, it will probably fail because a package the new software depends on is not installed. Then you need to repeat the process for the required package(s) to resolve all of the dependencies. Then you try to install the original package again. Besides, you don't need to do it manually because you can use YUM to automatically perform all five steps using a one-line command: yum install freeradius

    YUM is an automatic updater and package management tool that works with RPMs. YUM will automatically locate the package you want to install by looking in RPM repositories and downloading the package built for the correct OS and processor. Then YUM will check for dependencies and automatically resolve them by downloading and installing the dependent packages. Finally, YUM installs the new package. Very nice!

    Here's an example of YUM installing FreeRADIUS on an RHEL 6 system. The standard installation of RHEL 6 has all of the software packages required by the freeradius package. After checking the dependencies, YUM prompts you to confirm that you want to install the package and any additional packages required by the new software. The entire installation process takes less than 20 seconds.

        [root@localhost freeradius]# yum install freeradius
        Loaded plugins: refresh-packagekit, rhnplugin
        Setting up Install Process
        Resolving Dependencies
        --> Running transaction check
        ---> Package freeradius.i686 0:2.1.9-3.el6 set to be updated
        --> Finished Dependency Resolution

        Dependencies Resolved

        ================================================================================
         Package        Arch    Version        Repository            Size
        ================================================================================
        Installing:
         freeradius     i686    2.1.9-3.el6    rhel-i386-server-6    1.3 M

        Transaction Summary
        ================================================================================
        Install 1 Package(s)
        Upgrade 0 Package(s)

        Total download size: 1.3 M
        Installed size: 0
        Is this ok [y/N]: y
        Downloading Packages:
        freeradius-2.1.9-3.el6.i686.rpm | 1.3 MB 00:01
        Running rpm_check_debug
        Running Transaction Test
        Transaction Test Succeeded
        Running Transaction
        Installing : freeradius-2.1.9-3.el6.i686 1/1

        Installed:
        freeradius.i686 0:2.1.9-3.el6

        Complete!

    Verify that FreeRADIUS Starts

    The freeradius RPM installs the FreeRADIUS server, default configuration files, client libraries, man pages and startup scripts. The RPM configures FreeRADIUS to automatically start when the RHEL system boots up. The next step in the process is to verify that FreeRADIUS is installed correctly, will start up and will respond to RADIUS requests.

    The FreeRADIUS server can be started in debug mode from the command line using radiusd -X. When the server is started in debug mode, it generates hundreds of lines of output detailing the steps of the server startup process. The server startup process performs the following tasks:

    1. Read in all configuration files

    2. Parse configuration files

    3. Load optional modules

       - Open connections to databases and directories

       - Generate certificates

       - Load PERL and Python

    4. Listen on IP address and ports for RADIUS requests

        [root@localhost freeradius]# radiusd -X
        FreeRADIUS Version 2.1.9, for host i386-redhat-linux-gnu, built on Sep 3 2010 at 12:06:43
        Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
        There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
        PARTICULAR PURPOSE.
        You may redistribute copies of FreeRADIUS under the terms of the
        GNU General Public License v2.
        Starting - reading configuration files ...
        including configuration file /etc/raddb/radiusd.conf
        including configuration file /etc/raddb/proxy.conf
        including configuration file /etc/raddb/clients.conf
        ...
        ...
        radiusd: #### Opening IP addresses and Ports ####
        listen {
            type = "auth"
            ipaddr = *
            port = 0
        }
        listen {
            type = "acct"
            ipaddr = *
            port = 0
        }
        listen {
            type = "control"
            listen {
                socket = "/var/run/radiusd/radiusd.sock"
            }
        }
        Listening on authentication address * port 1812
        Listening on accounting address * port 1813
        Listening on command file /var/run/radiusd/radiusd.sock
        Listening on proxy address * port 1814
        Ready to process requests.

    If everything is OK, the server will print the message "Ready to process requests." and wait for incoming RADIUS requests. Congratulations! You have successfully installed FreeRADIUS.
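The startup check described above can be scripted. The following is an added example, not part of the original document: it reads radiusd -X output, confirms the ready line, verifies that the expected ports have listeners, and notes every listener bound to all interfaces (address *). The function names are assumptions of this example, and the embedded sample is copied from the output shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original document): check the tail of
# `radiusd -X` output for readiness and list what the server listens on.

# Constructed sample: the final lines of the debug output shown above.
sample_debug_output() {
  cat <<'EOF'
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
EOF
}

# Print "type address port" for each network listener found on stdin.
list_listeners() {
  awk '$1 == "Listening" && $2 == "on" && $4 == "address" && $6 == "port" {
         print $3, $5, $7
       }'
}

# Print only the listeners bound to every interface (address "*").
wildcard_listeners() {
  list_listeners | awk '$2 == "*"'
}

# Succeed only if the server logged that it is ready.
server_ready() {
  grep -q 'Ready to process requests\.'
}

# Usage: check_startup "1812 1813" < debug.log
# Fails if the ready line is missing or an expected port has no listener;
# prints a NOTE for every listener bound to all interfaces.
check_startup() {
  _expected="$1"; _log="$(cat)"; _rc=0
  if ! printf '%s\n' "$_log" | server_ready; then
    echo "FAIL: server never reached the ready state"
    return 1
  fi
  for _port in $_expected; do
    if ! printf '%s\n' "$_log" | list_listeners |
         awk -v p="$_port" '$3 == p { found = 1 } END { exit !found }'; then
      echo "FAIL: nothing listening on port $_port"
      _rc=1
    fi
  done
  printf '%s\n' "$_log" | wildcard_listeners |
    while read -r _type _addr _lport; do
      echo "NOTE: $_type listener on port $_lport is bound to all interfaces"
    done
  return "$_rc"
}

sample_debug_output | check_startup "1812 1813"
```

On a live system, redirect the output of radiusd -X to a file and feed that file to check_startup instead of the sample.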

    Verify that FreeRADIUS Responds to RADIUS Requests

    The next step is to verify that the server will respond to incoming RADIUS requests. FreeRADIUS includes radtest, a utility that emulates a RADIUS client and sends RADIUS requests to the server. radtest is not in RHEL's base freeradius package, so you need to install the freeradius-utils package.

    We need to take a diversion to talk about RedHat and how they distribute packages to their customers. Installing packages on an RHEL system requires a subscription to the RedHat Network, which gives your system access to the RHEL package repositories. RedHat constantly fixes bugs and patches security holes in their supported packages. These are added to their repository and notices are sent out to customer systems. This is one of the benefits that customers receive when they purchase a subscription to RHEL.

    RedHat segments their subscriptions into parent channels and child channels. Red Hat Enterprise Linux Server (v. 6 for 32-bit x86) is the parent channel for RHEL 6 on 32-bit x86 systems, and the freeradius package is in this channel. The other nine freeradius packages are in the RHEL Server Optional (v. 6 for 32-bit x86) child channel. By default, a subscription for RHEL 6 is subscribed to the parent channel and none of the child channels. So, on a fresh install of RHEL 6, you will be able to install the base freeradius package but none of the other packages unless you subscribe to the RHEL Server Optional child channel.

    To subscribe to the RHEL Server Optional (v. 6 for 32-bit x86) channel:

    Figure X-1: Log in to your account on redhat.com.

    Figure X-2: Select Red Hat Network.

    Figure X-3: Select the system.

    Figure X-4: Select Alter Channel Subscriptions.

    Figure X-5: Check RHEL Server Optional channel and click Change Subscriptions to save the changes.

    Now you are ready to install the freeradius-utils package and radtest using:

    yum install freeradius-utils

        [root@localhost freeradius]# yum install freeradius-utils
        Loaded plugins: refresh-packagekit, rhnplugin
        Setting up Install Process
        Resolving Dependencies
        --> Running transaction check
        ---> Package freeradius-utils.i686 0:2.1.9-3.el6 set to be updated
        --> Finished Dependency Resolution

        Dependencies Resolved

        ================================================================================
         Package             Arch    Version        Repository                     Size
        ================================================================================
        Installing:
         freeradius-utils    i686    2.1.9-3.el6    rhel-i386-server-optional-6    102 k

        Transaction Summary
        ================================================================================
        Install 1 Package(s)
        Upgrade 0 Package(s)

        Total download size: 102 k
        Installed size: 0
        Is this ok [y/N]: y
        Downloading Packages:
        freeradius-utils-2.1.9-3.el6.i686.rpm | 102 kB 00:00
        Running rpm_check_debug
        Running Transaction Test
        Transaction Test Succeeded
        Running Transaction
        Installing : freeradius-utils-2.1.9-3.el6.i686 1/1

        Installed:
        freeradius-utils.i686 0:2.1.9-3.el6

        Complete!

    Make sure that the server is running in debug mode (radiusd -X), then open another shell/window on your server. Become root and issue the following command:

    radtest baduser badpassword localhost 1 testing123

        [root@localhost freeradius]# radtest baduser badpassword localhost 1 testing123
        Sending Access-Request of id 5 to 127.0.0.1 port 1812
                User-Name = "baduser"
                User-Password = "badpassword"
                NAS-IP-Address = 127.0.0.1
                NAS-Port = 1
        rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=5, length=20
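The bad-credentials test above is a negative test: the server is behaving correctly only if it answers with an Access-Reject. The following added example, which is not part of the original document, turns radtest output into a one-word verdict and also checks that the reply matches the request's packet id, host and port. The function names are assumptions of this example, and the embedded sample is copied from the exchange shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original document): turn radtest output into
# a one-word verdict so the bad-credentials test can run unattended.

# Constructed sample: the radtest exchange shown above.
sample_radtest_output() {
  cat <<'EOF'
Sending Access-Request of id 5 to 127.0.0.1 port 1812
        User-Name = "baduser"
        User-Password = "badpassword"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=5, length=20
EOF
}

# Read radtest output on stdin and print: accept | reject | mismatch | no-reply
radtest_verdict() {
  awk '
    $1 == "Sending" && $2 == "Access-Request" {
      req_id = $5 ""; req_host = $7; req_port = $9 ""
    }
    $1 == "rad_recv:" {
      reply = $2; host = $6; port = $8; id = $9
      sub(/,$/, "", port)                     # "1812," -> "1812"
      sub(/^id=/, "", id); sub(/,$/, "", id)  # "id=5," -> "5"
    }
    END {
      if (reply == "") { print "no-reply"; exit }
      # The reply must come from the host and port the request went to,
      # and carry the same packet id.
      if (id != req_id || host != req_host || port != req_port) {
        print "mismatch"; exit
      }
      if (reply == "Access-Accept")      print "accept"
      else if (reply == "Access-Reject") print "reject"
      else                               print "mismatch"
    }'
}

# Negative test: a bogus user must be rejected; anything else is a failure.
expect_reject() {
  _verdict="$(radtest_verdict)"
  if [ "$_verdict" = "reject" ]; then
    echo "OK: bad credentials were rejected"
    return 0
  fi
  echo "FAIL: expected reject for bad credentials, got $_verdict" >&2
  return 1
}

sample_radtest_output | expect_reject
```

Against a live server, pipe the radtest command from the text into expect_reject in place of the sample.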