Setup freeRADIUS + mySQL + daloRADIUS for dynamic VLAN assignment on Unifi

Captions
Hello, this is Andrew with Missing Remote. A while back I did a guide on how to assign VLANs dynamically in UniFi using RADIUS. The solution as it was provided works great, but it doesn't scale very well as the number of devices you want to assign to different VLANs goes up, or from a maintenance perspective: when you add one more assigned client, you have to bounce the RADIUS server. So it just doesn't scale very well; it's not an easy thing to support if you have a lot of clients or you're messing around a lot. The solution to that is to use a SQL back end for your FreeRADIUS server. So this guide is about how to set up a MySQL back end for FreeRADIUS, and then optionally how to set up the daloRADIUS user interface on top of that, if you'd rather manage the SQL through the browser instead of using SQL commands directly. So let's dig in.

I have here an Ubuntu 20 LTS server. I'm going to use Ubuntu; I use Ubuntu for most of my Linux installations. You can use pretty much anything you want from a Linux perspective, just note that the commands are a little bit different if you're using a version of Linux that isn't based on Debian. I'll put a link in the description that describes what those differences are, what the commands are. The main one is that instead of "freeradius" it's something like "rad free" or "free red", but check that out if you're not using Ubuntu or some kind of Debian-based Linux system.

The first thing we're going to do is escalate privilege, because everything we're going to do from here on, or most of it, requires escalated privileges, so instead of having to type my password a lot we're just going to do that now.

Now we install MySQL. You may be tempted to use MariaDB instead of MySQL, but at least on Ubuntu 20 (I didn't test it on any other versions) MariaDB doesn't work with FreeRADIUS when you're running FreeRADIUS as a service. I'm sure that you could get it to work, but I don't really see the point in futzing around; why not just use something that works? So we're just going to use MySQL. If you want to mess around with MariaDB, have at it, but just be aware that if you get a segfault, I warned you. Installing MySQL will take a little while, so this is a great time to go get a coffee or a beer or whatever while you're doing this. Let's just make sure that MySQL installed properly; we can see that it did. And then, before moving on, let's also make sure that it'll start when the server reboots.

The next step is to secure your MySQL installation, and you do that by typing mysql_secure_installation. I'm going to put all the commands that I used here on missingremote.com and link to them, so that you can just copy them in like I am now. You'll want to use valid information here for how you want it to work; I think it's best to use strong passwords, so I am doing that.

Now we log in to MySQL and we create our radius database. Then we create the user that we will use with this database, give it permissions to the radius database, and make sure that we flush the privileges so it'll work. Then we're done with SQL for now.

Now we need to install FreeRADIUS. With FreeRADIUS installed, we want to apply the FreeRADIUS schema to our MySQL database. With the schema applied, we now need to turn on, or enable, MySQL support in FreeRADIUS, which is the file for the SQL driver (I guess that's not what you would call it): edit /etc/freeradius/3.0/mods-available/sql. Again, the FreeRADIUS path here is probably going to be different on non-Ubuntu/Debian systems. We need to go down and change a few things in this file. The first one is the dialect: we need to make that mysql. Then here in the driver we need to uncomment the null line and make it so that it will work with the dialect we just set. Then we go down to our mysql section and we're going to turn off TLS. If you are running this in a different kind of environment you probably don't want to do this, but I don't need to generate all these certificates, so in this case we're just going to leave that alone; that's a different topic. Then we set up our login information, which is down a bit further. Oh, and we passed it: this is the account that we created in MySQL a couple of steps ago. The last step is to enable read_clients in the file, and then we can just save and exit.

Now we're going to create a symbolic link, which creates a relationship between the file we just edited and mods-enabled. Let's have a quick look at that folder where we put it. We can see here that the permissions, or the group, isn't right, so we need to set that. Check it again, and now we can see that the freerad user has rights to this file.

The next step is to configure our clients, and what we want to do here, the same as we did in the other guide, is to create a client for our UniFi installation. Here I just set it to any device in 192.168.1.10 plus whatever the netmask does, and then this secret here is what you'll use in UniFi when you set up the RADIUS server; that's the thing that is used to encrypt the data that gets sent between the access points, which are requesting authorization and authentication, and this RADIUS server. You'll need to change whatever this value is to the specifics of your network. We will leave the rest of this the same and just save and exit.

The next step is to edit our queries. What we're going to do here is enable the default behavior. I'm doing this part because I want devices that aren't specified in my MAC address device list to get a default VLAN. So we're going to go down here to the default user profile and turn that on. What happens here is that when it doesn't find the device, it queries for a group using DEFAULT, and we'll see that in a little bit. So we're going to save that and exit.

Now we're going to stop our FreeRADIUS server so that we can see what's going on in the front end. If you don't want to see what's going on in the front end, you would just restart FreeRADIUS here instead of doing what I'm doing, which is making it run in the foreground in user space. So if all you want to do is set up SQL for FreeRADIUS, you're kind of done at this point. We can go down here to another window on this server and use radtest, and we can see that it rejected it. That's because I haven't set up the defaults in SQL yet, so we're going to do that now.

You can do all of the SQL stuff that I'm going to show you next from the command line; you don't have to use the tool that I'm using. If you want to do it from the command line, you would just log in to MySQL with your FreeRADIUS account, like so, and then make sure that you select the database, like that. This shows us all the tables that are created right now. You can use the command line to do everything that I'm going to show next, but to make it a little easier to visualize what's going on and see the tables themselves, we're going to use a different tool, and that's MySQL Workbench. I have a connection set up here already; we can look at that. What it does is tunnel MySQL over SSH, so you don't have to expose your MySQL installation to the broader network. You just use the standard TCP over SSH and you set it up kind of like how I have it here: with a root username, sorry, the IP of the server you're using, your SSH username, your SSH password, and then make sure you put localhost or 127.0.0.1 as the MySQL hostname, and then you put in your MySQL credentials in this section here. I'm going to connect to that.

So here we see the tables that FreeRADIUS creates when we ran that schema creation script. We're not going to use all of them, but we are going to use a good number of them. The way that I'm going to do this isn't the only way to do this, but I think it's the best and easiest way, and if you have a different opinion, that's great. I will explain why I'm doing it the way that I am so that it'll make a little bit more sense, but there are other ways to do it; I just wanted to put that out there.

We're going to talk a little bit here about the schema. The check tables are the tables that are used for authentication and authorization, and then the reply tables, radgroupreply and radreply, contain the data that we're going to send back in the reply from FreeRADIUS. I like to create the VLAN replies as a group, and the reason is that I can create that one time and then assign a user to that group, and I don't have to create that reply again for the user. You can do it that other way; it's just a lot more work. So these are the two groups, two VLANs, that I'm going to set up here. If you have multiple VLANs you would just create another one of these as a group and make sure you name it something obvious. We're going to run those, and then if we want to we can go to radgroupreply and select, and we can see that these are all set up.

These queries, or these rows, are going to create our default behavior, and it is worth discussing this a little bit because this is maybe a little bit complicated. Recall that we uncommented a line that created the default group, or whatever the name is; in this case it was DEFAULT. This line here inserts a row which creates a relationship between DEFAULT and VLAN 21. VLAN 21 then becomes the default VLAN for any device where we have not entered their MAC address into the radcheck table. This radgroupcheck row is where we say anything on VLAN 21, we just accept it. This should look very similar to the stuff we put into that users file in the other guide, where the DEFAULT entry had Auth-Type := Accept. It's the same concept; it just works slightly differently. So we're going to go ahead and insert those. Now if we go back here, exit out and run this test, we can see that we get VLAN 21.

So now let's set up our other clients, or other devices. These are the queries that create the devices and then create a relationship between the device and the VLAN that it's going to be assigned to. So for every device you will have a pair of these queries: one to add the device data and one to create a relationship between the device and the VLAN. This should be pretty self-explanatory: we have the device, the username for the device, which is the MAC address, and the VLAN group that we want to assign it to. This here should also be relatively self-explanatory, because we have the MAC address as the username and then we have the MAC address as the password. Now, you don't have to do it this way, but this is the way that I do it because that's the way that UniFi's RADIUS server works, and if I ever want to flip back it's a lot easier to do it in a consistent way. So before we run these queries, let's just make sure that the behavior that we expect is the behavior that we see. We go back to our radtest and we use that MAC address, and it should just get assigned to VLAN 21, which is what happens. So let's go back to SQL and run the queries that insert these rows, and we'll just quickly show: here's the two rows there, and here's the relationship between the device and the VLAN. So now if we go back here and run that test again, we get the 3010 VLAN instead of 21.

So if you're comfortable here using MySQL Workbench or running all the commands on the command line, then you can stop. And notice I didn't restart the server; I didn't have to restart FreeRADIUS in order to make all that stuff work. That's one of the massive, great things about using SQL: you don't have to restart the service, because it does queries in real time, it just works. We also get a really easy way to see what's going on in SQL, and that is this radpostauth table. Every query that comes in here gets logged, and so here we can see before we added that default behavior it rejected, and then after we added the default it worked, and then for our client we get the accepts. Unfortunately it doesn't tell us what group they ended up in, but if we really wanted to change that we could; that would be a more advanced topic. You'd go back to that queries.conf and manipulate the queries there, and add an item to tell it to store what group it ended up in. I'm not that interested in that now, but if you really want me to show how to do that, just let me know; it's not a complicated thing to do. So if you're comfortable with this, stop here; if you want the web interface, then let's carry on.

So let's get started with our daloRADIUS installation. We need to stop FreeRADIUS, and then we need to install a whole bunch of dependencies in order to make this work. The big ones are Apache and PHP, but again I'll put a link to all the commands that you have to run in order to make this work. I'm missing one, so we're going to go ahead and install that. This will take a while, so go get a cup of coffee or something. Okay, that took a little while. Let's go ahead and download daloRADIUS, and then we need to unzip it. Then we're going to move it to the web root for Apache, and for simplicity we're just going to go to that folder. daloRADIUS has its own SQL table schema; it sits next to FreeRADIUS's. It's important to note that anything that you have in your radius database up to this point is going to go away when we run these commands, so if you have something important, back it up first. There are two schema commands; we're just going to run them both.

The next step is to make it so that our Apache account, www-data, has rights to the daloRADIUS files, and then we are going to chmod 664 the config file for daloRADIUS. We're going to make a folder for the log to sit in, we're going to create that log file, and then we are going to do the same thing that we just did so that www-data owns it and www-data can write to it. Now we're going to edit our daloradius.conf.php file so that it connects to our database. It defaults to MySQL, so we don't need to touch that; all this other stuff is correct. We really just need to enter our username, which is that account that we created a while back, the FreeRADIUS account, and the password. We can leave the database name the same because that's what we went with, and then we will change the log file location, because by default it writes to a log file location that doesn't exist. Where is it? There we go. We will set it to that file that we just created. You can save that, and now while we're here we will start FreeRADIUS, make sure that it is enabled, and restart Apache so that it can load the daloRADIUS site.

Now we're going to go to our daloRADIUS server installation, which is the IP of whatever machine you are using, in my case 192.168.1.24/daloradius/login.php, and we are going to enter our username and password. The username is administrator and the default password is radius, which is obviously not super secure, so the first thing we're going to do is change that. We're going to go to Config, Operators, List Operators, select administrator, and you can see here the password is radius; we are going to change that to a more secure password. Now go to Management, and you can see that we really don't have anything: all our users are gone, our profiles are gone. Well, the profiles we created are gone; the daloRADIUS disabled user profile, or group name, exists because it was created when we ran those schema scripts.

Let's quickly set up some data. So we're going to authenticate again, and we can see that it gets rejected. If we go to our home, we can see Last Connection Attempts, and we can see basically that table that we looked at before, which has the rejected data in it, the Access-Accept and Access-Reject; that's where it shows up here, so that we can see it really easily in the user interface. What this does is it makes it possible for us to just copy this, go to Management, go to Users, and create a user with that MAC address now, and that becomes a lot more maintainable. But before we start creating users, you should set up your groups and your default behavior again. You can do your profile stuff through here, but since we already have all of our SQL scripts written, it's a lot easier just to go back to SQL and do all of that stuff in SQL again. So for convenience I'm just going to go ahead and copy and paste all of it in here. The one difference between the stock FreeRADIUS installation and when you're using daloRADIUS is this userinfo table, which is a daloRADIUS table, so you want to add your MAC addresses for the devices that you've created accounts for in that table. But all of this other stuff above here is the same stuff, where we create our groups, or our profiles, create our default behavior, and then we create our RADIUS user and the relationship between our RADIUS user and the group. So go ahead and run these.

Now if we go back to our daloRADIUS, go back to our profiles, List Profiles, you can see that we have our VLANs set up here, and if I select this to edit it, Reply Attributes, these are the VLAN reply attributes that we need to have. So let's go back and we'll just test this real quick to make sure that it's working, and here we see that we get the VLAN that we expect. That's it. If you want to create more users, you would just go here, enter your user, and then just assign it to the VLAN group, and that's where using the groups to define our VLAN attributes becomes so much more convenient from a maintenance perspective: I don't have to do that every time I want to define a user; I don't have to recreate all three of those attributes.

Hopefully you found that useful. If you did, go ahead and like the video and subscribe to the channel. If you have any questions or comments, just drop those below and I will get to them as soon as I can. Thanks.
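The SQL behind the walkthrough above (the per-VLAN reply group, the DEFAULT fallback to VLAN 21, the per-device radcheck/radusergroup pair, and the radpostauth check), written as an added example rather than the video's own script. The group names (vlan21, vlan30), the second VLAN id 30 and the MAC address are constructed placeholders; the FreeRADIUS 3 MySQL table layout is the stock one.

```sql
-- Constructed example, not the video's script. Run inside the `radius` database
-- created earlier (mysql -u <freeradius account> -p radius).

-- 1. One reply "profile" per VLAN. All three attributes are what UniFi needs
--    to move a client onto a VLAN; defining them once per group means a new
--    device only needs a group membership, not three reply rows of its own.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('vlan21', 'Tunnel-Type',             ':=', 'VLAN'),
  ('vlan21', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('vlan21', 'Tunnel-Private-Group-Id', ':=', '21'),
  ('vlan30', 'Tunnel-Type',             ':=', 'VLAN'),     -- assumed second VLAN
  ('vlan30', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('vlan30', 'Tunnel-Private-Group-Id', ':=', '30');

-- 2. Default behaviour. With default_user_profile = "DEFAULT" enabled in
--    queries.conf, a MAC with no radcheck row falls through to the DEFAULT
--    profile: its group membership puts it on VLAN 21, and the radgroupcheck
--    row accepts it without a password check (same idea as
--    "DEFAULT Auth-Type := Accept" in the users file from the earlier guide).
INSERT INTO radusergroup (username, groupname, priority)
  VALUES ('DEFAULT', 'vlan21', 1);
INSERT INTO radgroupcheck (groupname, attribute, op, value)
  VALUES ('vlan21', 'Auth-Type', ':=', 'Accept');

-- 3. One known device: the MAC is both the username and the password, and a
--    second row ties it to the VLAN group. Constructed MAC; the string must
--    match the format your access points actually send, which is exactly
--    what the username column of radpostauth shows you after a test.
INSERT INTO radcheck (username, attribute, op, value)
  VALUES ('aa-bb-cc-dd-ee-ff', 'Cleartext-Password', ':=', 'aa-bb-cc-dd-ee-ff');
INSERT INTO radusergroup (username, groupname, priority)
  VALUES ('aa-bb-cc-dd-ee-ff', 'vlan30', 1);
-- (daloRADIUS users additionally go into its own userinfo table, as the video notes.)

-- 4. Verification without restarting FreeRADIUS. radpostauth records every
--    Access-Accept / Access-Reject, so rejects from unknown MACs show up here.
SELECT username, reply, authdate
  FROM radpostauth
 ORDER BY authdate DESC
 LIMIT 20;

-- Which VLAN a given MAC will be handed, resolved the way the sql module does
-- it (radusergroup membership -> radgroupreply attributes).
SELECT ug.username, ug.groupname, gr.attribute, gr.value
  FROM radusergroup ug
  JOIN radgroupreply gr ON gr.groupname = ug.groupname
 WHERE ug.username = 'aa-bb-cc-dd-ee-ff'
 ORDER BY ug.priority;
```

Because the sql module issues these lookups on every request, the rows take effect immediately; the second SELECT should list three rows with value '30' for the Tunnel-Private-Group-Id attribute once the inserts in step 3 are in.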
Info
Channel: Missing Remote
Views: 9,740
Keywords: Ubiquiti Unifi Dynamic Wireless VLAN Assignment, Unifi, MAC, VLAN, Wireless, freeRADIUS, daloRADIUS
Id: aJcjGzH3hwI
Length: 24min 52sec (1492 seconds)
Published: Thu May 14 2020