{"id":708,"date":"2012-09-26T15:59:00","date_gmt":"2012-09-26T13:59:00","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=708"},"modified":"2012-09-26T15:59:00","modified_gmt":"2012-09-26T13:59:00","slug":"freeradius-mysql-en-debian-squeeze","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=708","title":{"rendered":"Freeradius + mysql en debian squeeze"},"content":{"rendered":"

Hoy toca instalar un freeradius en un cliente, para authenticar los accesos de unos hotspots Mikrotik.
\nPara la parte gr\u00e1fica, usaremos el DaloRadius… de esta manera, no tendremos que andar con los ficheros de texto.
\nSuponemos que tenemos instalado ya nuestro Debian Squeeze y, vamos a instalar unos paquetes:
\n
\n# aptitude install mysql-server php5 php5-mysql php5-gd php-pear php-db freeradius freeradius-mysql subversion
\n<\/code>
\nCreamos usuario para mysql y la bbdd para radius:
\n
\n# mysql -u root -ppassword
\nmysql> GRANT ALL PRIVILEGES ON *.* TO 'radius'@'%' IDENTIFIED BY 'radius' WITH GRANT OPTION;
\nFLUSH PRIVILEGES;
\nmysql> create database radius;
\n<\/code>
\nAhora bajamos el DaloRadius, en la carpeta \/usr\/src:
\n
\n# cd \/usr\/src
\n# svn co httpss:\/\/daloradius.svn.sourceforge.net\/svnroot\/daloradius\/trunk daloradius
\n<\/code>
\nAhora movemos los directorios:
\n
\n# cp daloradius\/ \/var\/www -R
\n# chown www-data:www-data \/var\/www\/daloradius -R
\n# chmod 644 \/var\/www\/daloradius\/library\/daloradius.conf.php
\n<\/code>
\nCreamos la estructura de la BBDD de radius:
\n
\nroot@radius:\/var\/www\/daloradius\/contrib\/db# mysql -u radius -pradius radius < fr2-mysql-daloradius-and-freeradius.sql\n<\/code>
\nEditamos el fichero de configuraci\u00f3n de daloRadius, para que se conecte a mysql:
\n
\n# nano \/var\/www\/daloradius\/library\/daloradius.conf.php
\n$configValues['CONFIG_DB_ENGINE'] = 'mysql';
\n$configValues['CONFIG_DB_HOST'] = 'localhost';
\n$configValues['CONFIG_DB_PORT'] = '3306';
\n$configValues['CONFIG_DB_USER'] = 'radius';
\n$configValues['CONFIG_DB_PASS'] = 'radius';
\n$configValues['CONFIG_DB_NAME'] = 'radius';
\n<\/code>
\nAhora vamos modificando los ficheros de freeradius, para que se conecte a mysql.
\nEn el directorio \/etc\/freeradius, editamos sql.conf<\/strong> y lo dejamos tal que:
\n
\nsql {
\n #
\n # Set the database to one of:
\n #
\n # mysql, mssql, oracle, postgresql
\n #
\n database = \"mysql\"
\n #
\n # Which FreeRADIUS driver to use.
\n #
\n driver = \"rlm_sql_${database}\"
\n # Connection info:
\n server = \"localhost\"
\n #port = 3306
\n login = \"radius\"
\n password = \"radius\"
\n<\/code>
\nEl siguiente paso, es que las consultas de usuarios, en vez de mirar en los ficheros locales, haga las consultas en las tablas de mysql. Para ello, modificaremos el fichero:
\n
\nroot@radius:\/etc\/freeradius\/sites-enabled# nano default
\n<\/code>
\nY modificamos:
\n
\n### authorization Section
\n #
\n # Look in an SQL database. The schema of the database
\n # is meant to mirror the \"users\" file.
\n #
\n # See \"Authorization Queries\" in sql.conf
\n sql
\n### accounting section
\n #
\n # Log traffic to an SQL database.
\n #
\n # See \"Accounting queries\" in sql.conf
\n sql
\n<\/code>
\nY en el fichero \/etc\/freeradius\/radiusd.conf<\/strong>, habilitamos la parte de sql:
\n
\n # Include another file that has the SQL-related configuration.
\n # This is another file only because it tends to be big.
\n #
\n $INCLUDE sql.conf
\n<\/code>
\nPor \u00faltimo, modificamos el fichero clients.conf, con el NAS<\/strong> localhost y una pass para probar .... (nas := network access server \ud83d\ude09 )<\/em> y lo dejamos tal que:
\n
\n# -*- text -*-
\n##
\n## clients.conf -- client configuration directives
\n##
\n## $Id$
\n#######################################################################
\n#
\n# Define RADIUS clients (usually a NAS, Access Point, etc.).
\nclient localhost {
\n ipaddr = 127.0.0.1
\n secret = testing123
\n nastype = other # localhost isn't usually a NAS...
\n}
\n<\/code>
\nCreamos ahora, desde la interfaz daloRadius, un usuario, para ello, accedemos al daloradius w\u00ed\u00ada web:
\nhttps:\/\/ip.del.servidor.radius\/daloradius
\nY nos aparecer\u00e1 algo tal que:
\n\"\"<\/a>
\nUsuario: administrator
\npass: radius
\nEn el apartado Management \/ Users<\/em><\/strong> , hacemos click en New User<\/em><\/strong>
\n\"\"<\/a>
\nCreamos un usuario, con su password y lo probaremos en la consola.
\nParamos el servicio freeradius
\n
\n# \/etc\/init.d\/freeradius stop
\n<\/code>
\nLanzamos el servicio en modo debug:
\n
\n# freeradius -X
\n............
\nModule: Checking session {...} for more modules to load
\n Module: Checking post-proxy {...} for more modules to load
\n Module: Checking post-auth {...} for more modules to load
\n } # modules
\n} # server
\nradiusd: #### Opening IP addresses and Ports ####
\nlisten {
\n\ttype = \"auth\"
\n\tipaddr = *
\n\tport = 0
\n}
\nlisten {
\n\ttype = \"acct\"
\n\tipaddr = *
\n\tport = 0
\n}
\nlisten {
\n\ttype = \"auth\"
\n\tipaddr = 127.0.0.1
\n\tport = 18120
\n}
\nListening on authentication address * port 1812
\nListening on accounting address * port 1813
\nListening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
\nListening on proxy address * port 1814
\nReady to process requests.
\n<\/code>
\nY ahora desde otra consola, hacemos una prueba con la utilidad radtest<\/strong> :
\n
\nroot@radius:~# radtest pruebas pruebas01 localhost:1812 0 testing123
\nSending Access-Request of id 49 to 127.0.0.1 port 1812
\n\tUser-Name = \"pruebas\"
\n\tUser-Password = \"pruebas01\"
\n\tNAS-IP-Address = 127.0.1.1
\n\tNAS-Port = 0
\nrad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=49, length=20
\nroot@radius:~#
\n<\/code>
\nNuestros datos:
\nUsername: pruebas
\npass:pruebas01
\nNasKey:testing123 (lo hemos puesto en el apartado nas, anteriormente, en localhost
\nPuerto Radius: 1812
\nY el freeradius, nos responde con:
\n
\nReady to process requests.
\nrad_recv: Access-Request packet from host 127.0.0.1 port 37927, id=49, length=59
\n\tUser-Name = \"process\"
\n\tUser-Password = \"control10\"
\n\tNAS-IP-Address = 127.0.1.1
\n\tNAS-Port = 0
\n# Executing section authorize from file \/etc\/freeradius\/sites-enabled\/default
\n+- entering group authorize {...}
\n++[preprocess] returns ok
\n++[chap] returns noop
\n++[mschap] returns noop
\n++[digest] returns noop
\n[suffix] No '@' in User-Name = \"pruebas\", looking up realm NULL
\n[suffix] No such realm \"NULL\"
\n++[suffix] returns noop
\n[eap] No EAP-Message, not doing EAP
\n++[eap] returns noop
\n++[files] returns noop
\n[sql] \texpand: %{User-Name} -> pruebas
\n[sql] sql_set_user escaped user --> 'pruebas'
\nrlm_sql (sql): Reserving sql socket id: 4
\n[sql] \texpand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pruebas' ORDER BY id
\n[sql] User found in radcheck table
\n[sql] \texpand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pruebas' ORDER BY id
\n[sql] \texpand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pruebas' ORDER BY priority
\nrlm_sql (sql): Released sql socket id: 4
\n++[sql] returns ok
\n++[expiration] returns noop
\n++[logintime] returns noop
\n++[pap] returns updated
\nFound Auth-Type = PAP
\n# Executing group from file \/etc\/freeradius\/sites-enabled\/default
\n+- entering group PAP {...}
\n[pap] login attempt with password \"pruebas01\"
\n[pap] Using clear text password \"pruebas01\"
\n[pap] User authenticated successfully
\n++[pap] returns ok
\n# Executing section post-auth from file \/etc\/freeradius\/sites-enabled\/default
\n+- entering group post-auth {...}
\n++[exec] returns noop
\nSending Access-Accept of id 49 to 127.0.0.1 port 37927
\nFinished request 0.
\nGoing to the next request
\nWaking up in 4.9 seconds.
\nCleaning up request 0 ID 49 with timestamp +177
\nReady to process requests.
\n<\/code>
\nY vemos como hace la consulta en mysql.
\nEnjoy your radius \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"

Hoy toca instalar un freeradius en un cliente, para authenticar los accesos de unos hotspots Mikrotik. Para la parte gr\u00e1fica, usaremos el DaloRadius… de esta manera, no tendremos que andar con los ficheros de texto. Suponemos que tenemos instalado ya nuestro Debian Squeeze y, vamos a instalar unos paquetes: # aptitude install mysql-server php5 php5-mysql […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,8],"tags":[58,80,102],"class_list":["post-708","post","type-post","status-publish","format-standard","hentry","category-linux","category-varios","tag-debian","tag-freeradius","tag-linux-2"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=708"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/708\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}