Cloud FreeRADIUS + daloRADIUS Server on Azure/AWS/GCP

Setup and Install a Cloud FreeRADIUS Server in Azure, AWS or GCP with optional daloRADIUS GUI.  Free RADIUS is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4 DHCPv6, TACACS+ and VMPS.  freeRADIUS allows authentication, authorization, and accounting (AAA) for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.

 

FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dialup, PPPoE, VPN’s, VoIP, and many others. It runs on a back-end database MariaDB/MySQL.  It supports RADIUS Active Directory authentication, Azure AD authentication and LDAP integration.

Cloud RADIUS Server with daloRADIUS Portal Management

Cloud RADIUS Solution using freeRADIUS and daloRADIUS

Cloud RADIUS solution using FreeRADIUS and daloRADIUS GUI management portal.  Supports request proxying, with fail-over and load balancing, as well as the ability to access many types of back-end databases. Different classes of authentication requests can trigger access of different authentication and authorization databases (with cascaded fall back), and Accounting records can be simultaneously recorded in multiple different storage databases and directories.

FreeRADIUS Features

  • Complete support for RFC 2865 and RFC 2866 attributes.
  • EAP with EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP, and Cisco LEAP EAP sub-types
  • Vendor Specific Attributes for almost one hundred vendors, including BinTec, Foundry, Cisco, Juniper, Lucent/Ascend, HP ProCurve, Microsoft, USR/3Com, Acc/Newbridge and many more.
  • FreeRADIUS provides a wide range of methods to select user configurations. The server can select a configuration based on any type of criteria or attribute.
  • FreeRADIUS is designed to be secure and is one of the fastest and scalable products available for RADIUS.
  • Authenticate users via simple methods (PAP, CHAP, MS-CHAP, MS-CHAPv2, SIP Digest) and all common EAP types. All client operating systems are supported
  • Both pre-authentication and post-authentication policies are supported.
  • IP addresses can be allocated through IP Pools.
  • All common accounting methods are supported
  • Any RADIUS request can be proxied.
  • Supports virtual servers
  • VLAN assignment may be done via the VMPS protocol.
  • Supports FreeRADIUS Active Directory authentication, Azure AD authentication and LDAP.
  • All known RADIUS Clients are supported.

daloRADIUS Features

daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating.

 

  • RADIUS User Management
  • Reporting
  • Accounting and visual graphs
  • RADIUS user activity reporting
  • Manage hotspots
  • Great for ISP deployments
  • Billing engine
  • Integrates with GoogleMaps for Geo-locating

Table of Contents

Step 1.) Getting Started with FreeRADIUS Server

Login to FreeRADIUS via SSH

Once your RADIUS server has been deployed, the following links explain how to connect to a Linux VM:

 

 

Once connected and logged in, the following section explains how to start using FreeRADIUS.

Step 2.) Setup MySQL/MariaDB for FreeRADIUS

As part of this RADIUS solution MariaDB server is pre-installed.  First run the following command to set your MySQL password.  Currently the password is blank, so press ‘Enter’:

				
					sudo mysql_secure_installation
				
			

Then follow the instructions to set a password and then selecting ‘Y‘ for the options that are asked.

Create database for FreeRADIUS Server

In order to run FreeRADIUS we need to create a database. Run the following commands to create a new database that we will use with freeRADIUS (Replace the green text with your chosen password):

				
					sudo mysql -u root -p
				
			
				
					CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Somestrongpassword_321";
FLUSH PRIVILEGES;
quit;
				
			

Import FreeRADIUS database schema

Before we make any further changes you will need to stop the freeRADIUS service with the following command:

				
					sudo systemctl stop freeradius
				
			

Verify the service has stopped:

				
					sudo systemctl status freeradius
				
			
stop freeRADIUS Service
Stopping and Verifying freeradius Service

Next we need to populate the database with the RADIUS MySQL schema.

 

First, you’ll have to switch to using the root user, otherwise you’ll get Access denied when trying to import, even if we’re using sudo:

				
					sudo su -
				
			

Import the freeRADIUS MySQL schema with the following command:

				
					mysql -u root -p radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql
				
			

Lets check the tables we just created in the radius database by running the following command, and then entering your root MySQL/MariaDB password:

				
					sudo mysql -u root -p -e "use radius;show tables;"
				
			

And you should see the following output:

				
					+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
				
			

Configure freeRADIUS SQL Module

1.) Next step is to create a soft link to the SQL module to /etc/freeradius/mods-enabled:

				
					sudo ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/
				
			

2.) Next, you will need to configure RADIUS to use SQL. To do this open /etc/freeradius/mods-enabled/sql using the nano editor:

				
					sudo nano /etc/freeradius/mods-enabled/sql
				
			

Configure Dialect of SQL

3.) Now we need to edit some of the values in this config file.

 

  1. Change dialect = “sqlite” to mysql
  2. Uncomment the driver = “rlm_sql_${dialect}” option to enable MySQL/MariaDB backend by removing # symbol in front.
  3. Comment out driver = “rlm_sql_null” with #

Disable TLS Support for MariaDB

1.) If you use MySQL the FreeRADIUS configuration assumes the use of TLS certs by default. As you won’t be using TLS certs in this solution as MariaDB database are on the same server, so you do not need the MariaDB TLS support.  You’ll comment out the MySQL TLS section, by adding a # sign in at the beginning of every line in the tls section.The TLS section looks something like this:

In the below screenshot you can see TLS encryption is greyed out by adding #.

Disable free radius TLS
Screenshot of TLS disabled:

MariaDB Connection Details

1.) Next is to uncomment the connection info section and add in the connection details to our MySQL/MariaDB database. Remove the # from the beginning of the lines starting with server, port, login, password.

 

server – this is the server where the database is located, which will be local server so we can leave “localhost

port – is set to 3306, which is the default port for the classic MySQL protocol. Leave it as is, unless you changed the MySQL port.

login – this is the database user you created earlier for FreeRADIUS to use in the ‘Create database for FreeRADIUS Server’ section above. I created the user radius

password – the password for the MySQL user that you also created earlier.

				
					# Connection info:
#
server = "localhost"
port = 3306
login = "radius"
password = "Areallystrongpassword_321"
				
			

2.) Further down in the config we need to set the MariaDB database name for the FreeRADIUS, as shown below.  Add your database name.  In my example my database name is called “radius

				
					# Database table configuration for everything except Oracle
radius_db = "radius"
				
			

3.) Next, is to uncomment the read_clients = yes option to allow FreeRADIUS clients to read from the nas table inside the FreeRADIUS database and also uncomment client_table = “nas”.

 

Save all the changes you made and close the file.

Change Group Permissions of SQL Module

Now change the group rights of the file you just edited:

				
					sudo chgrp -h freerad /etc/freeradius/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/mods-enabled/sql
				
			

Start FreeRADIUS Service

Lastly, run the following commands to start and verify the freeradius service.

				
					sudo systemctl start freeradius.service
				
			

The following command verifys the freeradius service status

				
					sudo systemctl status freeradius
				
			
Starting and Verifying freeradius Service

Further configuration documentation can be found on. https://freeradius.org/documentation/

Step 3.) Setup FreeRADIUS GUI daloRADIUS

At this point freeRADIUS is ready, an optional feature to install is a freeRADIUS GUI that allows you to manage your RADIUS Server via a web browser interface or GUI.  I’ll share 1 popular free GUIs that you can install.

Install daloRADIUS GUI for FreeRADIUS

One of the popular free RADIUS management tools is daloRADIUSNote: However i should point out daloRADIUS doesn’t work directly with Active Directory or LDAP via the GUI, it uses local users stored in MySQL. To use LDAP, Active Directory or Azure AD you manage via the terminal. Instructions below.

daloRADIUS Features include:

daloRADIUS is an advanced RADIUS web platform aimed at managing Hotspots and general-purpose ISP deployments. It features

  • Rich user management
  • Graphical reporting
  • Accounting
  • Integrates with GoogleMaps for geo-locating (GIS).

Before we run the installation of daloRADIUS change your current directory to /var/www/html with the following command:

				
					cd /var/www/html/
				
			

Next is to install daloRADIUS on your server, by running the following commands:

				
					sudo wget https://github.com/lirantal/daloradius/archive/refs/tags/1.3.zip
				
			
				
					sudo unzip 1.3.zip
				
			
				
					sudo mv daloradius-1.3 daloradius
				
			
				
					cd daloradius
				
			

Import database schema for daloRADIUS

After extraction, run the below commands to import the database schema for daloRADIUS to the radius database and verify the list of tables on the FreeRADIUS database.

				
					sudo mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
				
			

Verify the database schema with the following command and you should see a list of tables for FreeRADIUS and daloRADIUS

				
					mysqlshow radius
				
			

You should see a similar output to the following tables for daloRADIUS and FreeRADIUS

FreeRADIUS-daloRADIUS-Tables
Importing and verifying the daloRADIUS database schema

Now, run the cp command below. This command copies the daloRADIUS configuration to /var/www/html/daloradius/library/daloradius.conf.php.

				
					cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
				
			

Next is to open daloradius.conf.php and add your database name, user and password in the config file. Run the following command to open using your nano editor:

				
					sudo nano /var/www/html/daloradius/library/daloradius.conf.php
				
			

Then edit the following fields with your database details and then save and exit:

daloRADIUS-Database
Configure database for daloRADIUS

Next, run the following commands to change permissions of the following:

 

  • Change the ownership (chown) of the /var/www/html/daloradius directory to www-data.
  • Allow Apache web-server to access daloRADIUS source code.
  • Change the permission (chmod) of the file daloradius.conf.php to 0664 to secure the configuration file.
				
					sudo chown -R www-data:www-data /var/www/html/daloradius/
				
			
				
					sudo chmod 0664 /var/www/html/daloradius/library/daloradius.conf.php
				
			
				
					sudo systemctl restart freeradius apache2
				
			

daloRADIUS Login

Open a browser and go to the following address:

				
					http://ip-address/daloradius/login.php
				
			

Default login details are:

 

Username: administrator

Password: radius

 

Once logged in, change your password.

Step 4.) Azure AD / LDAP / Active Directory Authentication

You can now configure RADIUS authentication.  You have several options, you can setup local users using daloRADIUS that are stored locally in the database or you can use different identity providers such as Azure AD, LDAP or Active Directory.  The following sections explains how to set this up depending on your environment.

FreeRADIUS Azure AD Authentication

FreeRADIUS supports Azure AD Authentication using rlm_perl to communicate with an OAuth2 identity provider backend allowing users to connect to a wireless 802.1X (WPA Enterprise) network without needing on premise systems.

 

Your OAuth2 provider must support the Resource Owner Password Credentials Grant; this means (for now) only Microsoft Azure Active Directory is supported. The Password Grant is necessary as it is the only grant flows that does not require user interaction with a web browser

Refer to the following Click here for the full setup instructions.

Note: This image you’re using has the official FreeRADIUS packages distributed by Network RADIUS so you can skip the installation step.

FreeRADIUS Active Directory Authentication

freeRADIUS Active Directory Authentication

Image Source: freeRADIUS

FreeRADIUS LDAP Authentication

To setup FreeRADIUS LDAP Authentication you can enable the rlm_ldap module.

 

Full setup instructions on: https://wiki.freeradius.org/modules/rlm_ldap

RADIUS User Reporting Solutions with InfraSOS

Another solution we have is our Active Directory / Azure AD / Office 365 reporting solution, InfraSOS which will allow you to run reports on your users for auditing purposes.  Allows you to auditing user logins for Azure AD, Office 365, monitor what locations they are logging in from, see who is enabled for MFA or not.  Check your Office 365 license utilization and so much more..

FreeRADIUS Firewall Ports

FreeRADIUS uses the following ports:

 

RADIUS Authentication and Authorization

UDP: 1812 

 

RADIUS Accounting

UDP: 1813 

 

daloRADIUS Web Portal

http 80

 

If you are using any of the cloud security groups and need to change / add ports refer to the following guides:

 

To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

FreeRADIUS Documentation / Support

For the FreeRADIUS documentation on using all the available features and configuration options can be found on:

 

https://freeradius.org/documentation/

 

daloRADIUS configuration options can be found on:

 

https://github.com/lirantal/daloradius

Disclaimer: FreeRADIUS and daloRADIUS are licensed under GNU General Public License v2.0. No warrantee of any kind, express or implied, is included with this software. Use at your risk, responsibility for damages (if any) to anyone resulting from the use of this software rest entirely with the user. The author is not responsible for any damage that its use could cause.

Avatar for Andrew Fitzgerald
Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.

5 1 vote
Article Rating
Subscribe
Notify of
0 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x