This simple, straightforward guide will help you set up FreeRADIUS, ready for authentication, within a few short minutes.
Commands that differ between OpenBSD and FreeBSD are listed separately for each system.
Install FreeRADIUS and MySQL/MariaDB
OpenBSD:
pkg_add -Uu
pkg_add -v freeradius freeradius-mysql
rcctl enable freeradius
rcctl start freeradius
FreeBSD:
portsnap fetch update
portsnap extract
pkg install freeradius-mysql
If you haven’t already, install a MySQL/MariaDB server to host your radius database.
OpenBSD:
pkg_add mariadb-server
rcctl enable mysqld
mysql_install_db
rcctl start mysqld
FreeBSD:
pkg install mysql57-server
sysrc mysql_enable="YES"
service mysql-server start
Now, on both systems, run the secure installation script to set up your MySQL/MariaDB credentials:
mysql_secure_installation
OpenBSD:
Switch to unix_socket authentication [Y/n] n
Enter current password for root (enter for none): ENTER
Set root password? [Y/n] y
New password: Enter password
Re-enter new password: Repeat password
Remove anonymous users? [Y/n]: y
Disallow root login remotely? [Y/n]: y
Remove test database and access to it? [Y/n]: y
Reload privilege tables now? [Y/n]: y
FreeBSD:
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin? [Y/n] n
Enter current password for root (enter for none): ENTER
Set root password? [Y/n] y
New password: Enter password
Re-enter new password: Repeat password
Remove anonymous users? [Y/n]: y
Disallow root login remotely? [Y/n]: y
Remove test database and access to it? [Y/n]: y
Reload privilege tables now? [Y/n]: y
Once you have completed the secure setup, let’s log in and create the radius database you will use for authentication.
mysql -uroot -p
Then enter your MySQL root password to continue…
Before we continue on FreeBSD, we need to reset the password for some odd reason. Use the command below to do this, remembering to substitute your own password into the command. This step is not needed on OpenBSD.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'enter_your_password';
Now create the database and grant all privileges to the user radius:
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
We recommend you set a more secure password than ‘radpass’. If your SQL server is running on a different machine, you also have to replace localhost with your radius server IP.
Now that’s done, switch to the radius DB from the MySQL command line and import the table schema for radius.
use radius;
OpenBSD:
SOURCE /etc/raddb/mods-config/sql/main/mysql/schema.sql
FreeBSD:
SOURCE /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql
Now exit using the command below.
exit
Edit /etc/raddb/mods-available/sql (on OpenBSD) or /usr/local/etc/raddb/mods-available/sql (on FreeBSD). Set the driver to rlm_sql_mysql and the SQL dialect to mysql, then scroll down to the connection info and uncomment these options. Set the server to localhost, the database username to radius and the database password to radpass (unless you changed it) to connect to your SQL server and the RADIUS database. The database and table names should be left as the defaults if you use the default schema.
For example, under sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
Next, enable the SQL module by executing the commands below.
OpenBSD:
cd /etc/raddb/mods-enabled
ln -s ../mods-available/sql sql
FreeBSD:
cd /usr/local/etc/raddb/mods-enabled
ln -s ../mods-available/sql sql
Edit sites-available/default and uncomment the line containing sql in the authorize{} section.
Additionally, edit sites-available/inner-tunnel and uncomment the line containing ‘sql’ under “authorize {}”.
If you wish to store accounting records in the database, also uncomment the line saying ‘sql’ in the accounting{} section.
Optionally add or uncomment ‘sql’ to the session{} section if you want to do Simultaneous-Use detection.
Restart FreeRADIUS:
OpenBSD:
rcctl restart freeradius
FreeBSD:
/usr/local/etc/rc.d/radiusd onerestart
Add Clients to FreeRADIUS:
Now we need to add clients to FreeRADIUS. For example, VPN servers that run OpenVPN, strongSwan, OpenConnect, IPsec, Squid, etc. all have RADIUS modules for authentication.
Open /etc/raddb/clients.conf on OpenBSD or /usr/local/etc/raddb/clients.conf on FreeBSD, delete all content from the file, and add your clients, for example:
client VPN-01 {
ipaddr = 127.0.0.1
secret = 6vyh645hv5h
}
client VPN-02 {
ipaddr = 123.123.123.123
secret = v4h44h575h5
}
Again, after adding each client, restart FreeRADIUS.
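A quick audit of the two credentials this guide sets, the RADIUS client shared secrets and the SQL module password, as an added example that is not part of the original guide. The function names and the 16-character threshold (RFC 2865 prefers shared secrets of at least 16 octets) are assumptions, and the sample files are constructed from the guide's own snippets.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the credentials it sets.
# MIN_LEN follows the RFC 2865 preference for secrets of at least 16 octets.
MIN_LEN=${MIN_LEN:-16}

# Print one finding per client whose shared secret is shorter than MIN_LEN.
audit_clients() {
    awk -v min="$MIN_LEN" '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "client" { name = $2 }             # remember the current stanza
        /^[ \t]*secret[ \t]*=/ {
            s = $0
            sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", s)
            sub(/[ \t]+$/, "", s)
            gsub(/^"|"$/, "", s)                 # drop optional quotes
            if (length(s) < min)
                printf "%s: secret is %d chars (minimum %d)\n", name, length(s), min
        }' "$1"
}

# Exit 0 if the sql module file still carries the example password "radpass".
uses_example_db_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*"?radpass"?[[:space:]]*$' "$1"
}

# Emit a 32-character alphanumeric secret drawn from /dev/urandom.
gen_secret() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# Constructed sample files mirroring the clients.conf and sql excerpts above.
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/radaudit.XXXXXX") || return 1
    printf 'client VPN-01 {\nipaddr = 127.0.0.1\nsecret = 6vyh645hv5h\n}\n' > "$tmp/clients.conf"
    printf 'client VPN-02 {\nipaddr = 123.123.123.123\nsecret = %s\n}\n' "$(gen_secret)" >> "$tmp/clients.conf"
    printf 'login = "radius"\npassword = "radpass"\n' > "$tmp/sql"
    audit_clients "$tmp/clients.conf"
    if uses_example_db_password "$tmp/sql"; then
        echo "sql: password is still the example value"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host, point audit_clients at /etc/raddb/clients.conf (OpenBSD) or /usr/local/etc/raddb/clients.conf (FreeBSD), and uses_example_db_password at the mods-available/sql file in the same raddb directory.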
You are now ready to start authenticating against FreeRADIUS.