Cloud FreeRADIUS + daloRADIUS Server on Azure/AWS/GCP

Set up and install a cloud FreeRADIUS server in Azure, AWS or GCP with the optional daloRADIUS GUI.  FreeRADIUS is a high-performance, highly configurable multi-protocol policy server supporting RADIUS, DHCPv4, DHCPv6, TACACS+ and VMPS.  FreeRADIUS allows authentication, authorization, and accounting (AAA) for a network to be centralized, and minimizes the number of changes that have to be made when adding or deleting users on a network.

 

FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dialup, PPPoE, VPNs, VoIP, and many others. It runs on a MariaDB/MySQL back-end database.  It supports RADIUS Active Directory authentication, Azure AD authentication and LDAP integration.

Cloud RADIUS Server with daloRADIUS Portal Management

Cloud RADIUS Solution using freeRADIUS and daloRADIUS

This is a cloud RADIUS solution using FreeRADIUS and the daloRADIUS GUI management portal.  It supports request proxying, with fail-over and load balancing, as well as the ability to access many types of back-end databases. Different classes of authentication requests can trigger access to different authentication and authorization databases (with cascaded fall-back), and accounting records can be simultaneously recorded in multiple different storage databases and directories.

FreeRADIUS Features

  • Complete support for RFC 2865 and RFC 2866 attributes.
  • EAP with EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP, and Cisco LEAP EAP sub-types
  • Vendor Specific Attributes for almost one hundred vendors, including BinTec, Foundry, Cisco, Juniper, Lucent/Ascend, HP ProCurve, Microsoft, USR/3Com, Acc/Newbridge and many more.
  • FreeRADIUS provides a wide range of methods to select user configurations. The server can select a configuration based on any type of criteria or attribute.
  • FreeRADIUS is designed to be secure and is one of the fastest and most scalable products available for RADIUS.
  • Authenticate users via simple methods (PAP, CHAP, MS-CHAP, MS-CHAPv2, SIP Digest) and all common EAP types. All client operating systems are supported.
  • Both pre-authentication and post-authentication policies are supported.
  • IP addresses can be allocated through IP Pools.
  • All common accounting methods are supported
  • Any RADIUS request can be proxied.
  • Supports virtual servers
  • VLAN assignment may be done via the VMPS protocol.
  • Supports FreeRADIUS Active Directory authentication, Azure AD authentication and LDAP.
  • All known RADIUS Clients are supported.

daloRADIUS Features

daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating.

 

  • RADIUS User Management
  • Reporting
  • Accounting and visual graphs
  • RADIUS user activity reporting
  • Manage hotspots
  • Great for ISP deployments
  • Billing engine
  • Integrates with GoogleMaps for Geo-locating


Step 1.) Getting Started with FreeRADIUS Server

Login to FreeRADIUS via SSH

Once your RADIUS server has been deployed, the following links explain how to connect to a Linux VM:

 

 

Once connected and logged in, the following section explains how to start using FreeRADIUS.

Step 2.) Setup MySQL/MariaDB for FreeRADIUS

As part of this RADIUS solution MariaDB server is pre-installed.  First run the following command to set your MySQL password.  Currently the password is blank, so press ‘Enter’:

				
					sudo mysql_secure_installation
				
			

Then follow the instructions to set a password, and select ‘Y’ for each of the options you are asked about.

Create database for FreeRADIUS Server

In order to run FreeRADIUS we need to create a database. Run the following commands to create a new database that we will use with FreeRADIUS (replace the example password with your chosen password):

				
					sudo mysql -u root -p
				
			
				
					CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Somestrongpassword_321";
FLUSH PRIVILEGES;
quit;
				
			

Import FreeRADIUS database schema

Before we make any further changes you will need to stop the freeRADIUS service with the following command:

				
					sudo systemctl stop freeradius
				
			

Verify the service has stopped:

				
					sudo systemctl status freeradius
				
			
Screenshot: stopping and verifying the freeradius service

Next we need to populate the database with the RADIUS MySQL schema.

 

First, you’ll have to switch to using the root user, otherwise you’ll get Access denied when trying to import, even if we’re using sudo:

				
					sudo su -
				
			

Import the freeRADIUS MySQL schema with the following command:

				
					mysql -u root -p radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql
				
			

Let’s check the tables we just created in the radius database by running the following command, and then entering your root MySQL/MariaDB password:

				
					sudo mysql -u root -p -e "use radius;show tables;"
				
			

And you should see the following output:

				
					+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
				
			

Configure freeRADIUS SQL Module

1.) The next step is to create a soft link to the SQL module in /etc/freeradius/mods-enabled:

				
					sudo ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/
				
			

2.) Next, you will need to configure RADIUS to use SQL. To do this open /etc/freeradius/mods-enabled/sql using the nano editor:

				
					sudo nano /etc/freeradius/mods-enabled/sql
				
			

Configure Dialect of SQL

3.) Now we need to edit some of the values in this config file.

 

  1. Change dialect = "sqlite" to "mysql"
  2. Uncomment the driver = "rlm_sql_${dialect}" option to enable the MySQL/MariaDB backend by removing the # symbol in front.
  3. Comment out driver = "rlm_sql_null" with #

Disable TLS Support for MariaDB

1.) If you use MySQL, the FreeRADIUS configuration assumes the use of TLS certificates by default. Because the MariaDB database is on the same server in this solution, you do not need MariaDB TLS support.  Comment out the MySQL TLS section by adding a # sign at the beginning of every line in the tls section. The TLS section looks something like this:

In the below screenshot you can see TLS encryption is greyed out by adding #.

Screenshot: TLS section disabled

MariaDB Connection Details

1.) Next, uncomment the connection info section and add the connection details for our MySQL/MariaDB database. Remove the # from the beginning of the lines starting with server, port, login and password.

 

server – this is the server where the database is located, which is the local server, so we can leave it as "localhost".

port – is set to 3306, which is the default port for the classic MySQL protocol. Leave it as is, unless you changed the MySQL port.

login – this is the database user you created earlier for FreeRADIUS to use in the ‘Create database for FreeRADIUS Server’ section above. I created the user radius.

password – the password for the MySQL user that you also created earlier.

				
					# Connection info:
#
server = "localhost"
port = 3306
login = "radius"
password = "Areallystrongpassword_321"
				
			

2.) Further down in the config we need to set the MariaDB database name for FreeRADIUS, as shown below.  Add your database name.  In my example the database is called "radius".

				
					# Database table configuration for everything except Oracle
radius_db = "radius"
				
			

3.) Next, uncomment the read_clients = yes option to allow FreeRADIUS to read clients from the nas table inside the FreeRADIUS database, and also uncomment client_table = "nas".

 

Save all the changes you made and close the file.
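
A check for the edits made in the steps above, as an added example (not part of the original guide or of the FreeRADIUS project). The function names and the embedded sample file are constructed for illustration; the check also rejects the two sample passwords printed in this guide.

```shell
#!/bin/sh
# eq KEY VALUE_REGEX FILE: true if an uncommented "KEY = VALUE" line exists.
eq() { grep -Eq "^[[:space:]]*$1[[:space:]]*=[[:space:]]*$2" "$3"; }

# check_sql_module FILE: prints each problem, returns 0 only if none were found.
check_sql_module() {
    f=$1; rc=0
    eq dialect '"mysql"' "$f"                || { echo 'dialect is not "mysql"'; rc=1; }
    eq driver '"rlm_sql_\$\{dialect\}"' "$f" || { echo 'driver rlm_sql_${dialect} is not enabled'; rc=1; }
    eq driver '"rlm_sql_null"' "$f"          && { echo 'driver rlm_sql_null is still active'; rc=1; }
    grep -Eq '^[[:space:]]*tls[[:space:]]*\{' "$f" && { echo 'tls section is still active'; rc=1; }
    for key in server port login password radius_db; do
        eq "$key" '.' "$f" || { echo "$key is not set (still commented out?)"; rc=1; }
    done
    eq read_clients 'yes' "$f"   || { echo 'read_clients = yes is not enabled'; rc=1; }
    eq client_table '"nas"' "$f" || { echo 'client_table = "nas" is not enabled'; rc=1; }
    # The sample passwords printed in this guide must never reach a live config.
    eq password '"(Somestrongpassword_321|Areallystrongpassword_321)"' "$f" \
        && { echo 'password is one of the published sample values'; rc=1; }
    return $rc
}

# Constructed sample: only the lines of mods-enabled/sql that the steps touch.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
sql {
    dialect = "mysql"
    #driver = "rlm_sql_null"
    driver = "rlm_sql_${dialect}"
    mysql {
        #tls {
        #}
    }
    server = "localhost"
    port = 3306
    login = "radius"
    password = "constructed-Example-pw-1"
    radius_db = "radius"
    read_clients = yes
    client_table = "nas"
}
EOF
check_sql_module "$SAMPLE" && echo "sql module config OK"
```

On the server, run `check_sql_module /etc/freeradius/mods-enabled/sql` as root before starting the service.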

Change Group Permissions of SQL Module

Now change the group rights of the file you just edited:

				
					sudo chgrp -h freerad /etc/freeradius/mods-available/sql
sudo chown -R freerad:freerad /etc/freeradius/mods-enabled/sql
				
			

Start FreeRADIUS Service

Lastly, run the following commands to start and verify the freeradius service.

				
					sudo systemctl start freeradius.service
				
			

The following command verifies the freeradius service status:

				
					sudo systemctl status freeradius
				
			
Starting and Verifying freeradius Service

Further configuration documentation can be found at https://freeradius.org/documentation/

Step 3.) Setup FreeRADIUS GUI daloRADIUS

At this point FreeRADIUS is ready. An optional feature to install is a FreeRADIUS GUI that allows you to manage your RADIUS server via a web browser interface.  I’ll share one popular free GUI that you can install.

Install daloRADIUS GUI for FreeRADIUS

One of the popular free RADIUS management tools is daloRADIUS.

Note: I should point out that daloRADIUS doesn’t work directly with Active Directory or LDAP via the GUI; it uses local users stored in MySQL. To use LDAP, Active Directory or Azure AD, you manage them via the terminal. Instructions are below.

daloRADIUS Features include:

daloRADIUS is an advanced RADIUS web platform aimed at managing Hotspots and general-purpose ISP deployments. It features

  • Rich user management
  • Graphical reporting
  • Accounting
  • Integrates with GoogleMaps for geo-locating (GIS).

Before we run the installation of daloRADIUS change your current directory to /var/www/html with the following command:

				
					cd /var/www/html/
				
			

Next is to install daloRADIUS on your server, by running the following commands:

				
					sudo wget https://github.com/lirantal/daloradius/archive/refs/tags/1.3.zip
				
			
				
					sudo unzip 1.3.zip
				
			
				
					sudo mv daloradius-1.3 daloradius
				
			
				
					cd daloradius
				
			

Import database schema for daloRADIUS

After extraction, run the below commands to import the database schema for daloRADIUS to the radius database and verify the list of tables on the FreeRADIUS database.

				
					sudo mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
				
			

Verify the database schema with the following command and you should see a list of tables for FreeRADIUS and daloRADIUS

				
					mysqlshow radius
				
			

You should see a similar output to the following tables for daloRADIUS and FreeRADIUS

Screenshot: importing and verifying the daloRADIUS database schema

Now, run the cp command below. This command copies the daloRADIUS configuration to /var/www/html/daloradius/library/daloradius.conf.php.

				
					cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
				
			

Next is to open daloradius.conf.php and add your database name, user and password in the config file. Run the following command to open using your nano editor:

				
					sudo nano /var/www/html/daloradius/library/daloradius.conf.php
				
			

Then edit the following fields with your database details and then save and exit:

Screenshot: database settings for daloRADIUS

Next, run the following commands to change permissions of the following:

 

  • Change the ownership (chown) of the /var/www/html/daloradius directory to www-data.
  • Allow Apache web-server to access daloRADIUS source code.
  • Change the permission (chmod) of the file daloradius.conf.php to 0664 to secure the configuration file.
				
					sudo chown -R www-data:www-data /var/www/html/daloradius/
				
			
				
					sudo chmod 0664 /var/www/html/daloradius/library/daloradius.conf.php
				
			
				
					sudo systemctl restart freeradius apache2
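
Both the FreeRADIUS sql module file and daloradius.conf.php hold the database password in clear text, so it is worth confirming who can read them. The following is an added example, not part of the original guide; the function names and the temporary demo files are constructed, and it assumes GNU stat as shipped on Debian/Ubuntu.

```shell
#!/bin/sh
# world_bits FILE: prints the "other" permission digit (0-7); -L follows the
# mods-enabled/sql symlink so the real file is inspected, not the link.
world_bits() { m=$(stat -L -c '%a' "$1") && echo $((m % 10)); }

# audit_secret_file FILE: returns 0 if "other" has no access, 1 otherwise.
audit_secret_file() {
    [ -e "$1" ] || { echo "SKIP  $1 (not found)"; return 0; }
    o=$(world_bits "$1")
    info=$(stat -L -c '%a %U:%G' "$1")
    if [ "$o" -eq 0 ]; then echo "OK    $1 ($info)"; return 0; fi
    echo "WEAK  $1 ($info): accessible to every local account"
    return 1
}

# audit_all FILE...: audits every file, returns 1 if any of them is weak.
audit_all() {
    rc=0
    for f in "$@"; do audit_secret_file "$f" || rc=1; done
    return $rc
}

# Constructed demo: two temp files standing in for the real config files.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf 'password = "constructed"\n' > "$DEMO/sql"
chmod 0640 "$DEMO/sql"
printf '<?php // constructed placeholder\n' > "$DEMO/daloradius.conf.php"
chmod 0664 "$DEMO/daloradius.conf.php"
audit_all "$DEMO/sql" "$DEMO/daloradius.conf.php" || echo "tighten with: chmod o-rwx FILE"
```

On the server, run `audit_all /etc/freeradius/mods-enabled/sql /var/www/html/daloradius/library/daloradius.conf.php` as root. With the 0664 mode set above, the daloRADIUS file is reported as WEAK; mode 0640 removes access for other accounts while keeping the file readable by its www-data owner.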
				
			

daloRADIUS Login

Open a browser and go to the following address:

				
					http://ip-address/daloradius/login.php
				
			

Default login details are:

 

Username: administrator

Password: radius

 

Once logged in, change your password.

Step 4.) Azure AD / LDAP / Active Directory Authentication

You can now configure RADIUS authentication.  You have several options: you can set up local users using daloRADIUS that are stored locally in the database, or you can use different identity providers such as Azure AD, LDAP or Active Directory.  The following sections explain how to set this up depending on your environment.

FreeRADIUS Azure AD Authentication

FreeRADIUS supports Azure AD authentication using rlm_perl to communicate with an OAuth2 identity provider backend, allowing users to connect to a wireless 802.1X (WPA Enterprise) network without needing on-premise systems.

 

Your OAuth2 provider must support the Resource Owner Password Credentials Grant; this means (for now) only Microsoft Azure Active Directory is supported. The Password Grant is necessary as it is the only grant flow that does not require user interaction with a web browser.

Refer to the linked guide for the full setup instructions.

Note: The image you’re using has the official FreeRADIUS packages distributed by Network RADIUS, so you can skip the installation step.

FreeRADIUS Active Directory Authentication

freeRADIUS Active Directory Authentication

Image Source: freeRADIUS

FreeRADIUS LDAP Authentication

To set up FreeRADIUS LDAP authentication you can enable the rlm_ldap module.

 

Full setup instructions on: https://wiki.freeradius.org/modules/rlm_ldap

RADIUS User Reporting Solutions with InfraSOS

Another solution we have is InfraSOS, our Active Directory / Azure AD / Office 365 reporting solution, which allows you to run reports on your users for auditing purposes.  It allows you to audit user logins for Azure AD and Office 365, monitor what locations they are logging in from, and see who is enabled for MFA or not.  Check your Office 365 license utilization and much more.

FreeRADIUS Firewall Ports

FreeRADIUS uses the following ports:

 

RADIUS Authentication and Authorization

UDP: 1812 

 

RADIUS Accounting

UDP: 1813 

 

daloRADIUS Web Portal

http 80

 

If you are using any of the cloud security groups and need to change / add ports refer to the following guides:

 

To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

FreeRADIUS Documentation / Support

The FreeRADIUS documentation on using all the available features and configuration options can be found at:

 

https://freeradius.org/documentation/

 

daloRADIUS configuration options can be found at:

 

https://github.com/lirantal/daloradius

Disclaimer: FreeRADIUS and daloRADIUS are licensed under GNU General Public License v2.0. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user. The author is not responsible for any damage that its use could cause.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
