How to setup FreeRadius with Mysql and Daloradius web front end secure access for wifi vpn and more.

Captions
Hello everyone. Today we're going to set up a FreeRADIUS server. FreeRADIUS is a AAA (authentication and accounting and access) server that controls and verifies access from various network devices and Wi-Fi access points and clients, and it can be integrated with a myriad of network devices such as switches or VPN providers or ISPs. It's very common, and chances are you've probably used this unbeknownst when you're, you know, logged onto a Wi-Fi connection or a VPN service from one of the popular providers. So we've set up a small Ubuntu 20 box on DigitalOcean. We're going to install FreeRADIUS today with a MySQL back end and a daloRADIUS web GUI. Then we're going to run through configuring our devices. In this case we're going to use a Ubiquiti access point as a test device; we're going to add some clients to that, run a mobile client and a desktop client, and authenticate using the RADIUS server to show you how this works. And again, this is applicable for lots of many devices that support RADIUS. Okay, so as per usual all the links will be in the description for everything we've used, so let's get started.

So as I mentioned, we've provisioned an entry-level Ubuntu 20 box and we're going to use apt to get the initial prerequisites for the FreeRADIUS install, so let's go. So you can see here we have SSH'd in. Now we've just, as you do, apt install, and we have a list of prerequisites there. Again, these are in the description below, and we'll just hit yes here to continue and it runs through its install. Okay, and then we're just going to install freeradius, freeradius-mysql and the utils as well here, because we're going to use MySQL as our database back end. It just takes a few seconds just to run through. I'll cut out various sections here just to speed things up as well. So we're just going to stop FreeRADIUS, and then what we're going to do is we're going to do a freeradius -X to just run it in debug mode to see the output, and as you can see it's successfully started.
So just press Ctrl and C and that'll stop, and we're just going to enable it at boot.

Okay, so we're just going to do sudo apt-get install mysql-server, so yes, and then once that's loaded we're gonna do mysql -u root. There's no password on the default install; we're gonna change that now and run the safe MySQL script just to set a root password. First we'll run the mysql_secure_installation script, and we're just going to run through this and just set a default root password for our MySQL instance. Okay, let's confirm our password. Okay, and we're done. Gonna remove the anonymous users and we're gonna get rid of the remote root logon.

So now we're just going to log in using our updated MySQL password here. We're going to create our radius database, initially a blank database, and we populate this in a few seconds' time with some of the FreeRADIUS install scripts and later on with the daloRADIUS scripts as well. We're just going to do a create database radius, and then we're going to create a user called radiusadm. You can use any user you like here. We're just going to give it a password as well, and then we're going to grant privileges on everything for that user with the grant option. I'm going to press OK. I'm just going to exit out of there after we flush privileges.

Okay, so we've set up our database. It's blank; we've added a MySQL user for that. Now we're going to run one of the SQL MySQL schema scripts to populate that database. So these commands are in the description. We've just gone mysql -u, our password, and imported the script, and then we're gonna edit the FreeRADIUS mods-available sql file to enter a couple of details. I'm going to set the engine to be MySQL here, and then we're going to scroll down a little bit further. We're just going to set some additional parameters, so the driver here we want to set for MySQL, so we just uncomment this one and we'll comment the line above out. Okay, and then a little bit further down there's
some more parameters here. There's some TLS entries here which we're going to comment out. It's for MySQL communication; we're on the same box here so this doesn't really apply in our case, and again it's a demo system, so we're just going to comment these guys out. It's not needed in our scenario. And then down the bottom here we have one more entry to change. Okay, so under the connection section here we need to obviously put in our server, which in this case is localhost, the default port, and then our logon and our password here. This is the user we created earlier on, our radiusadm, and the password we gave that user earlier on. Okay, now we just need to change that to our database name if you've named it any different. It's just called radius, so we don't need to make any changes there.

Okay, so now we're going to enable our sql mod under the mods-enabled. We're just going to add a symlink to it, just to tell FreeRADIUS that we're using the sql module, and it's going to be in mods-enabled. Okay, we're just going to change it to freerad.freerad, which is the user it runs under, and we're going to systemctl restart freeradius. We got no errors there, so it indicates it probably started okay; we'll check that later on. So we'll just log in with our radius admin user we created. We just have a look to see if the database is there and it's populated now after we've run our scripts. Just to be sure, it should be. We're going to use radius, we'll show tables. Okay, so you can see it's populated the tables there.

Okay, so I'm just going to insert a test user here into the radcheck table, which is just a test table that allows you just to check the authentication. Okay, again all these commands are in the description below. We've just created a test user, literally with a clear-text password. We just do a query; we can see it's entered into the table here. And now what we're going to do is we're going to just run a command just to run FreeRADIUS in interactive mode again with the -X. We're going to split the screens
and on the top screen we've opened another shell, and in the bottom screen we have our FreeRADIUS sitting in interactive mode. We're going to use radtest, which is a test utility that's built in, to test the user we've created, just to make sure that the FreeRADIUS server is up and it's authenticating, at least locally initially. So we just entered this command here. You can see in yellow we've got an accept here, and you can see the actual server output in the screen below where it's also giving us a bit more detail, and it's accepted the authentication request and access. Okay, so we now know that our RADIUS server is at least up, running and accepting local requests.

Okay, so now we're going to download the daloRADIUS. Okay, this is the web front end for the FreeRADIUS database. It just makes the administration of FreeRADIUS a lot easier, a lot more straightforward. You can easily add network access servers or clients and users by a web GUI, and if you were to operate at any sort of scale you need a web front end like this or similar. Okay, so we just downloaded it. We just need to install Apache here as well, so I just realized I'd forgotten to install it. There's also a couple of PHP dependencies as well, and we'll install in just a moment as well, just for the daloRADIUS GUI. What we're gonna do is we'll unzip the daloRADIUS download into /var/www/html, just get that in there and give it the right permissions first. Okay, so you can see we've unzipped it into /var/www/html in Apache. It's owned by root, so we'll just change this first to www-data, so let's do a chown -R www-data.www-data /var/www/html/radius. Okay, let's give it the correct permissions so Apache can access it. Now just do a clear.

Okay, so we've two scripts we've got to import into our existing FreeRADIUS database that we created earlier on. So you can see here I've issued two commands here just to input the contents of the two SQL files. Again, these are in the description below, and that'll allow the
radius database to have the additional tables that daloRADIUS needs to run on top of FreeRADIUS. We're just going to chmod the daloradius.conf.php file, and now we're just going to edit it. I'm going to scroll down, I'm going to change a couple of parameters. We're going to change the user and password to what we created there earlier on there: radiusadm and our password. Okay, radiusadm and our password. Database name is radius already, so we shouldn't need to change that. Okay, we'll just save that file. Okay, I'm just going to restart FreeRADIUS again. Okay, so we're just going to add the couple of Apache PHP dependencies; we forgot that earlier on.

So now if we just go to our IP address slash daloradius, log on, you can see we have our web front end for our daloRADIUS. Default password is just radius, and we'll change that in a minute. And you can see the various tabs; you can also see management, accounting, billing and GIS. You have a whole lot of features in here. Again, I'll leave the links for the FreeRADIUS and the daloRADIUS websites in the description and you can explore these in a bit more detail. We can see our NAS, which is our network access device. You can list your existing NASes or your new ones. We're going to be adding one, which will be your local Wi-Fi access point on my LAN. It can be various other devices obviously as well; this is just for demonstration. And we're going to add a couple of users.

A netstat -anlp here, just, and we just verify that the two RADIUS ports are there and they're listening, which they are. Okay, we're just going to check our UFW firewall. It's not enabled yet, so we are going to just turn our firewall on on the device, because it is out on the web. We're just going to allow those two ports in, and access to our HTTPS port and just from my specific WAN IP address. So that'll just allow authentication to be available for everyone and the administration just to be available from my static WAN address. Okay, so first we're going to just
jump onto our access point, or our NAS as it's going to be known in the daloRADIUS web front end. So I'm just going to go down to settings and we're just going to set up a RADIUS profile. So we just have two existing networks here, where we are going to create a profile and then create a new wireless network and assign it this profile afterwards. So let's just go and we'll select create new RADIUS profile. Let's call it my RADIUS server. I'm going to give it the IP address of our server out in DigitalOcean. This is our demo box we're working on at the moment; that's our RADIUS server. And we'll leave it at the default port, and then we're going to give it a password. This is also a password we're going to enter in when we create the NAS device on the web front end in a few minutes. I'm just going to enter that in.

I'm just going to flick across here to our daloRADIUS box. We're going to go to NAS, which is the network authentication server, which is the device that's going to be passing the access from the clients out through the device to the FreeRADIUS server. So this is our access point. This address here is actually my WAN address at home, so that's the address it's going to come from. And again, here's the details we've entered in our RADIUS profile on the access point, to allow the access point to first auth to the FreeRADIUS box, and then in turn the users will pass authentication through that box, through the FreeRADIUS server, for authentication. Okay, so if we list NAS, there's the NAS we've created. We'll just call it UniFi AP. That's the secret password we've used. My WAN address is in as the IP to allow communication from.

So we're just going to add a new user. We'll create a second one in a minute: one we'll use for mobile phone Wi-Fi authentication and one off my desktop as well, or laptop. Okay, so we're just gonna leave just in the default groups. We don't need to add any other groups at this stage; this is just a demonstration. Okay, so there's our
user, there's our test user, one two three exclamation mark password. Save the RADIUS profile. See, it's here. We've created our test Wi-Fi network, let's see it here, and now this device should be authorized as a NAS device on the FreeRADIUS server.

Okay, so I just want to point something else out here. You probably notice at the top here we now are displaying our SSL padlock and we've got a fully qualified domain name associated with our daloRADIUS server. I added an A record to the DNS for this box and have run through the Let's Encrypt installation and setup to put an SSL cert on the box. I haven't covered it here; there's a link in the description to a DigitalOcean tutorial that I followed. It'll just make the video too long and complicated if I add anything else in, so just in case you notice this, that's what it is. You can also see there's an additional test user one that's here.

So now we're going to get on with just testing our authentication. Okay, so I put my mobile phone in. You can see here on the right-hand side that we have our test Wi-Fi network we created. Our PuTTY SSH session is open in the background, and we're just going to try and authenticate here using PEAP with the username and password we created. So we're going to say don't validate; we're not looking to deploy certificates to the client, and this is just demonstration purposes. You can absolutely do that and require each client to have a certificate in addition to the username and password, which is a secure radio and things, but again this is just a demonstration, so it just proves the point. Okay, so you can see here that we couldn't connect, so saying the password was invalid, and you can also see that in the output on the screen on the left. So let's just correct our error here and we put in the proper password, if I can spell test user correctly. Just change that or or for t. Okay, so we've test user one two three exclamation mark, which is the password used, so now we should be able to connect and get
authenticated. Okay, so you can see here it's now telling us that we're authenticated. I've highlighted the actual output on the FreeRADIUS server here where it says accept, and you can see we can just browse the web using the authenticated connection.

Okay, so in the next section we're just going to do the same thing, just on a Windows 10 laptop, and so we'll just show you here. Again, it's the same procedure pretty much. We'll use our other test user for this one. So here's our test account, getting prompted for username and password. Again, this is passing to the Wi-Fi box, our Ubiquiti access point, and it's then authenticating through to our FreeRADIUS box out on the web. Again we're connected. There's also a log of our access, and we're coming through an authenticated or pre-authenticated device, so it's a much secure, more scalable way, especially when deployed with certificate authentication as well, to manage Wi-Fi networks or tie into other applications or devices that support RADIUS authentication.

Okay, we've reached the end of the video. Thank you for watching. Please remember to like and subscribe, and check out the links in the description and also on the recommended video you
Info
Channel: JDs Tech Tips
Views: 12,291
Rating: 4.9111109 out of 5
Keywords: freeradius, daloradius, digitalocean, secure wifi, network security, daloradius tutorial, daloradius configuration, daloradius cisco authentication, radius server, radius, freeradius installation and configuration, freeradius gui, ubuntu
Id: 0cD_S-9UDvw
Length: 21min 20sec (1280 seconds)
Published: Sun Sep 27 2020