Installing FreeRADIUS
As with most open source software (OSS), FreeRADIUS can be installed in multiple ways,
including using a package manager (rpm, yum, apt-get, etc.) or building and installing from
source code. The difference between FreeRADIUS and other OSS is when and how often you
would choose building from source code over using a package manager. With FreeRADIUS you
are likely to choose building from source code much more often, and some people always build
FreeRADIUS from source code.
Anatomy of a Linux Distribution
To understand when and why you would build FreeRADIUS from source code instead of using a
package manager, it helps to understand the FreeRADIUS development cycle and the process
used to create a Linux distribution.
FreeRADIUS is a dynamic project with a small but very active group of developers that
release new versions of FreeRADIUS two to three times a year. Each new release of
FreeRADIUS includes significant new features and bug fixes. Many FreeRADIUS users need
the new features and/or bug fixes and upgrade to the new version shortly after it is released. This
is in contrast to other OSS projects that are in maintenance mode, have few new features and a
much longer release cycle.
A Linux distribution is a collection of thousands of software packages, each with dependencies on
other software packages, that must be compiled, linked and bundled together to create a running
Linux system. The creators of a Linux distribution must decide which of thousands of software
packages to include in the distribution and which specific version of each package to include.
They can choose to include the latest and greatest version of each software package, but they run
the risk of including software that is unstable, buggy and has security holes. They can choose
the conservative route and only include packages and versions of software that have been
running for years, but they risk leaving out newer versions that have features customers
really want. Luckily for us, there are hundreds of Linux distributions covering the entire
spectrum from very conservative, small releases to distributions with the latest, greatest software
for everything.
We will look in more detail at RedHat Enterprise Linux (RHEL), which is a popular choice
for deploying FreeRADIUS in the enterprise and on Internet Service Provider (ISP) networks.
RHEL is derived from the Fedora Linux distribution. The Fedora Project releases a new version
of Fedora every six months. Each new release of Fedora adds new software packages and
existing packages are updated to a more recent version of the underlying software.
RHEL releases a new major version every two to three years with minor versions every six to
nine months. Each major release of RHEL is derived from the then current release of the Fedora
Project and only includes a subset of the packages in Fedora. Major releases of RHEL are
supported for seven years and the base version of any software package will remain constant
throughout the lifetime of the distribution. When a bug or security problem is found in a
software package, the developers of the original software may have fixed the problem in a newer
release of the software. To maintain version stability, the fix is backported to
the release of the software that is included in the major release of RHEL. With each minor release
of RHEL, the quality of the software improves and the functionality does not change, which
allows users to safely upgrade from one minor release to the next.
One downside of the RHEL distribution is that it does not include newer versions of
software. FreeRADIUS is an example of software that has been packaged for RHEL but the
package is built using an older version of software. RHEL 5.4 and earlier releases include
FreeRADIUS in a package named freeradius. The package was built using FreeRADIUS 1.1.3,
which was released in August 2006 and is no longer supported by the FreeRADIUS project.
Fortunately, RHEL 5.5 (released in March 2010) includes a new package named freeradius2 that
was built using FreeRADIUS 2.1.7 (released in September 2009).
Also, in November 2010, RedHat released RHEL 6, which includes an updated version of the
freeradius package based on FreeRADIUS 2.1.9-3 and newer versions of other software
packages used by FreeRADIUS including MySQL 5.1. The rest of the examples in the book that
refer to RHEL will be referring to RHEL 6.
If you use RedHat Enterprise Linux (RHEL), use RHEL 6 which includes more recent versions
of FreeRADIUS and other software packages like MySQL 5.1.
CentOS
RHEL is sold on a subscription basis and includes software updates and technical support from
RedHat. Organizations that cannot afford a subscription can use CentOS
(http://www.centos.org/). CentOS is a free community version of RHEL that starts with the
source code for RHEL and strips out the RedHat branding. Although RedHat would certainly
like to sell you a subscription to RHEL, they are committed to open source and make all of the
source code to RHEL available to other organizations that want to make their own Linux
distribution. CentOS is one of those organizations and they usually release a new version of
CentOS a couple of months after RedHat releases a new version of RHEL. CentOS is binary
compatible with RHEL and packages built for RHEL will install and run on CentOS.
Installing FreeRADIUS on RedHat Enterprise Linux (RHEL) using RPMs
In general, installing software using a package manager is much easier, but with FreeRADIUS
there are so many different modules and installation options that it is difficult to create a set
of packages that works for every environment. FreeRADIUS includes dozens of options for user
database, authentication method and other RADIUS features. FreeRADIUS supports all of these
options with modules, which are custom software libraries that often require additional 3rd-party
libraries.
For example, FreeRADIUS includes four different modules to support four databases:
MySQL, Oracle, Microsoft SQL Server and Postgres. Each database module requires the client
library for the database and there are often different versions of the client library. The number of
packages to support the different combinations of OS, processor, database, authentication
methods, 3rd-party libraries, etc., would quickly spiral out of control with each new release of
FreeRADIUS. As more features are added to FreeRADIUS, the number of packages would
approach infinity or the number of Cisco IOS images, whichever is greater.
So, to avoid the chaos of creating a large number of packages, FreeRADIUS is released as a
source code tarball. Members of the FreeRADIUS community build packages that support the
most common options/modules for a variety of OSes including RedHat Enterprise Linux
(RHEL/CentOS), Fedora, Ubuntu, SUSE, Debian and Mac OS X.
Rather than create one monolithic FreeRADIUS package, RedHat created a base package,
called freeradius, and nine optional packages for utilities, databases and other authentication
methods, the Perl and Python modules and debug info.
FreeRADIUS packages in RHEL 6
freeradius
freeradius-mysql
freeradius-utils
freeradius-debuginfo
freeradius-krb5
freeradius-ldap
freeradius-perl
freeradius-postgresql
freeradius-python
freeradius-unixODBC
Installing a package is a multiple-step process:
1. Find the package.
2. Download the package.
3. Determine dependencies.
4. Resolve dependencies.
5. Install the package.
There are multiple package management systems used by the various Linux distributions.
Since we are installing software on RedHat Enterprise Linux, we will be using the RedHat
Package Manager (RPM) which is also used by Ubuntu and SuSE. RPM packages are files
ending in .rpm that contain binary executable files, libraries, documentation, source code,
dependencies and installation instructions. The RPM package management system includes the
rpm utility which is used to install, remove, and manage packages.
Installing FreeRADIUS using YUM
You could use the rpm utility to manually perform all five steps in the package installation
process, but it can be tedious and painful. To install a package you would need to find the
package for the correct OS and processor, download the package and then run rpm to install it.
The first time you run rpm, it will probably fail because a package the new software depends on
is not installed. Then you need to repeat the process for the required package(s) to resolve all
of the dependencies. Then you try to install the original package again. Besides, you don't need
to do it manually because you can use YUM to automatically perform all five steps using a one-line
command: yum install freeradius
YUM is an automatic updater and package management tool that works with RPMs. YUM
will automatically locate the package you want to install by looking in RPM repositories and
downloading the package built for the correct OS and processor. Then YUM will check for
dependencies and automatically resolve them by downloading and installing the dependent
packages. Finally, YUM installs the new package. Very nice!
Here's an example of YUM installing FreeRADIUS on an RHEL 6 system. The standard
installation of RHEL 6 has all of the software packages required by the freeradius package. After
checking the dependencies, YUM prompts you to confirm that you want to install the package
and any additional packages required by the new software. The entire installation process takes
less than 20 seconds.
[root@localhost freeradius]# yum install freeradius
Loaded plugins: refresh-packagekit, rhnplugin
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package freeradius.i686 0:2.1.9-3.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
freeradius i686 2.1.9-3.el6 rhel-i386-server-6 1.3 M
Transaction Summary
================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 1.3 M
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
freeradius-2.1.9-3.el6.i686.rpm | 1.3 MB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : freeradius-2.1.9-3.el6.i686 1/1
Installed:
freeradius.i686 0:2.1.9-3.el6
Complete!
Verify that FreeRADIUS Starts
The freeradius RPM installs the FreeRADIUS server, default configuration files, client libraries,
man pages and startup scripts. The rpm configures FreeRADIUS to automatically start when the
RHEL system boots up. The next step in the process is to verify that FreeRADIUS is installed
correctly, starts up and responds to RADIUS requests.
The FreeRADIUS server can be started in debug mode from the command line using
radiusd -X. When the server is started in debug mode, it generates hundreds of lines of output
detailing the steps of the server startup process. The server startup process performs the
following tasks:
1. Read in all configuration files
2. Parse configuration files
3. Load optional modules
      Open connections to databases and directories
      Generate certificates
      Load Perl and Python
4. Listen on IP addresses and ports for RADIUS requests
[root@localhost freeradius]# radiusd -X
FreeRADIUS Version 2.1.9, for host i386-redhat-linux-gnu, built on Sep 3 2010 at 12:06:43
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
...
...
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
If everything is OK, the server will print the "Ready to process requests." message and
wait for incoming RADIUS requests. Congratulations! You have successfully installed
FreeRADIUS.
Verify that FreeRADIUS Responds to RADIUS Requests
The next step is to verify that the server will respond to incoming RADIUS requests.
FreeRADIUS includes radtest, a utility that emulates a RADIUS client and sends RADIUS
requests to the server. radtest is not in RHEL's base freeradius package, so you need to install
the freeradius-utils package.
We need to take a diversion to talk about RedHat and how they distribute packages to their
customers. Installing packages on an RHEL system requires a subscription to the RedHat
Network which gives your system access to the RHEL package repositories. RedHat constantly
fixes bugs and patches security holes in their supported packages. These are added to their
repository and notices are sent out to customer systems. This is one of the benefits that customers
receive when they purchase a subscription to RHEL.
RedHat segments their subscriptions into parent channels and child channels. Red Hat
Enterprise Linux Server (v. 6 for 32-bit x86) is the parent channel for RHEL 6 on 32-bit x86
systems and the freeradius package is in this channel. The other nine freeradius packages are in
the RHEL Server Optional (v. 6 for 32-bit x86) child channel. By default, a subscription for
RHEL 6 is subscribed to the parent channel and none of the child channels. So, on a fresh install
of RHEL 6, you will be able to install the base freeradius package but none of the other packages
unless you subscribe to the RHEL Server Optional child channel.
To subscribe to the RHEL Server Optional (v. 6 for 32-bit x86) channel:
Figure X-1: Log in to your account on redhat.com.
Figure X-2: Select Red Hat Network.
Figure X-3: Select the system.
Figure X-4: Select Alter Channel Subscriptions.
Figure X-5: Check RHEL Server Optional channel and click Change Subscriptions to save the changes.
Now you are ready to install the freeradius-utils package and radtest using:
yum install freeradius-utils
[root@localhost freeradius]# yum install freeradius-utils
Loaded plugins: refresh-packagekit, rhnplugin
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package freeradius-utils.i686 0:2.1.9-3.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
freeradius-utils i686 2.1.9-3.el6 rhel-i386-server-optional-6 102 k
Transaction Summary
================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 102 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
freeradius-utils-2.1.9-3.el6.i686.rpm | 102 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : freeradius-utils-2.1.9-3.el6.i686 1/1
Installed:
freeradius-utils.i686 0:2.1.9-3.el6
Complete!
Make sure that the server is running in debug mode (radiusd -X), then open another
shell/window on your server. Become root and issue the following command:
radtest baduser badpassword localhost 1 testing123
[root@localhost freeradius]# radtest baduser badpassword localhost 1 testing123
Sending Access-Request of id 5 to 127.0.0.1 port 1812
User-Name = "baduser"
User-Password = "badpassword"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=5, length=20
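The exchange above at the packet level, as an added example that is not part of the original text or of FreeRADIUS itself: it builds the same four-attribute Access-Request per RFC 2865, then shows why the Access-Reject is exactly 20 bytes and how the client checks it against the shared secret. The function names and the fixed Request Authenticator are assumptions made for illustration, and the reply is constructed locally rather than captured from a server.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, request_auth):
    """Same four attributes radtest printed in the session above."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))
             + attr(NAS_PORT, struct.pack("!I", 1)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(header + request auth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(packet, request_auth, secret):
    """Client side: accept a reply only if it was made with our shared secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False  # truncated packet or Length field mismatch
    expected = build_reply(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

if __name__ == "__main__":
    secret = b"testing123"           # shared secret from the radtest command line
    request_auth = bytes(range(16))  # constructed; real clients use 16 random bytes
    request = build_access_request(5, b"baduser", b"badpassword", secret, request_auth)
    reject = build_reply(ACCESS_REJECT, 5, b"", request_auth, secret)
    print(len(request), len(reject))  # reject is header + authenticator only
    print(verify_reply(reject, request_auth, secret))
    print(verify_reply(reject, request_auth, b"a-different-secret"))
```

User-Name travels in the clear, and both the password hiding and the reply check rest entirely on the shared secret, so the testing123 value used for this local test should be replaced with a long random secret before the server accepts requests from any real client.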