
FreeRADIUS and daloRADIUS Installation on Ubuntu 20.04

A Comprehensive Guide to Installing FreeRADIUS and daloRADIUS on Ubuntu 20.04

Setting up a robust Authentication, Authorization, and Accounting (AAA) system is a cornerstone of modern network security. FreeRADIUS is the world’s most popular open-source RADIUS server, providing powerful and flexible control over network access. However, managing it through the command line can be cumbersome. This is where daloRADIUS comes in—a user-friendly web interface that makes managing users, tracking accounting, and viewing reports incredibly simple.

This guide will walk you through the complete process of installing and configuring FreeRADIUS and integrating it with the daloRADIUS web management panel on an Ubuntu 20.04 server. By the end, you’ll have a fully functional AAA server ready to manage network authentication.

Prerequisites

Before we begin, ensure you have the following:

  • An Ubuntu 20.04 server.
  • A user with sudo or root privileges.
  • A static IP address configured on your server.

Step 1: Install and Configure the LAMP Stack

daloRADIUS is a web application that requires a web server, a database, and PHP. The most common combination for this is the LAMP (Linux, Apache, MySQL, PHP) stack.

First, update your server’s package repository to ensure you get the latest versions.

sudo apt update
sudo apt upgrade

Next, install Apache, PHP, and the necessary PHP extensions for daloRADIUS and MySQL to communicate effectively.

sudo apt install apache2 php php-common php-gd php-mail php-mail-mime php-mysql php-pear php-db libapache2-mod-php -y

Now, let’s install and secure the MySQL database server.

sudo apt install mysql-server -y

Once the installation is complete, it is critical to run the security script that comes with MySQL. This will help you set a root password, remove anonymous users, and enhance the overall security of your database.

sudo mysql_secure_installation

Follow the on-screen prompts. It is highly recommended to answer “yes” to all questions for a secure setup.

With the database server secured, log in to MySQL to create a dedicated database and user for FreeRADIUS.

sudo mysql -u root -p

Enter the root password you just set. Now, execute the following SQL commands to create the radius database and a user named radius_admin with a strong password.

Remember to replace 'YourStrongPassword' with a secure password of your own.

CREATE DATABASE radius;
CREATE USER 'radius_admin'@'localhost' IDENTIFIED BY 'YourStrongPassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radius_admin'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Your web server and database are now ready for the main event.

Step 2: Install and Configure FreeRADIUS

Now we will install the FreeRADIUS server itself, along with the specific module that allows it to communicate with our MySQL database.

sudo apt install freeradius freeradius-mysql -y

By default, FreeRADIUS is not configured to use MySQL for authentication, so we need to activate the SQL module. Its configuration file is /etc/freeradius/3.0/mods-available/sql. First, create a symbolic link to enable this module.

sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Next, you must edit the SQL module’s configuration file to tell FreeRADIUS how to connect to the database we created earlier.

sudo nano /etc/freeradius/3.0/mods-available/sql

Inside this file, find the sql { block and update the connection_info section with your database details.

# Connection info:
driver = "rlm_sql_mysql"
dialect = "mysql"

# Connection data
server = "localhost"
port = 3306
login = "radius_admin"
password = "YourStrongPassword"

# Database table configuration
radius_db = "radius"

After saving the file, you need to change the file ownership to the FreeRADIUS user to avoid permission issues.

sudo chown -R freerad:freerad /etc/freeradius/3.0/

Step 3: Install and Configure daloRADIUS

With the backend in place, it’s time to set up the daloRADIUS web interface.

First, download the latest version of daloRADIUS. You can grab the download link from the project’s official source on SourceForge.

cd /tmp
wget https://sourceforge.net/projects/daloradius/files/daloradius/daloradius-1.3.zip

Unzip the file and move its contents to your web server’s root directory.

sudo apt install unzip -y
unzip daloradius-1.3.zip
sudo mv daloradius-1.3 /var/www/html/daloradius

daloRADIUS provides a SQL schema that you need to import into your radius database. This schema creates all the necessary tables for managing users, groups, and accounting data.

sudo mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr3-mysql-daloradius-and-freeradius.sql

Next, configure the daloRADIUS application itself. Copy the sample configuration file to create your own.

sudo cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php

Now, edit the new configuration file to input your database credentials.

sudo nano /var/www/html/daloradius/library/daloradius.conf.php

Find these lines and update them with the database name, username, and password you configured earlier.

$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius_admin';
$configValues['CONFIG_DB_PASS'] = 'YourStrongPassword';
$configValues['CONFIG_DB_NAME'] = 'radius';

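Finally, set the ownership and permissions of the web directory so that the Apache server can read and write files as needed. The configuration file contains the database password, so it is restricted to the www-data user and group rather than left readable by every local account.

sudo chown -R www-data:www-data /var/www/html/daloradius
sudo chmod 640 /var/www/html/daloradius/library/daloradius.conf.php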

Step 4: Finalizing and Testing the Setup

To apply all the changes, restart both the Apache and FreeRADIUS services.

sudo systemctl restart apache2
sudo systemctl restart freeradius

Your RADIUS server should now be operational. The best way to test it is with the radtest utility, a command-line tool that simulates an authentication request. The default test user created by the daloRADIUS SQL schema is test with the password test. The default RADIUS secret is testing123.

radtest test test localhost 0 testing123

If everything is configured correctly, you should receive a successful response:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=...

This confirms that FreeRADIUS is successfully authenticating users against the MySQL database.

You can now access the daloRADIUS web interface by navigating to http://your_server_ip/daloradius in your browser. The default login credentials are:

  • Username: administrator
  • Password: radius

Essential Security Best Practices

Your AAA server is now running, but for a production environment, you must take additional security steps:

  1. Change All Default Passwords: Immediately log in to daloRADIUS and change the administrator password. Also, change the default RADIUS secret in /etc/freeradius/3.0/clients.conf from testing123 to a long, complex string.
  2. Use a Strong RADIUS Secret: The RADIUS secret is a shared key between your network devices (like routers or Wi-Fi access points) and the RADIUS server. It must be unique and highly complex for each device.
  3. Secure the daloRADIUS Interface: The admin panel should not be exposed to the public internet. Secure it using an .htaccess file for an extra layer of password protection, or better yet, place it behind a VPN or restrict access to specific administrative IP addresses.
  4. Implement Firewall Rules: Configure your firewall (like UFW) to only allow RADIUS traffic (UDP ports 1812 and 1813) from your trusted network devices. Block all other access to these ports.
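
The check behind items 1 and 2, as an added example that is not part of the original guide: a shell function that reads clients.conf syntax and flags the default secret testing123, secrets below a minimum length, and secrets shared by more than one client. The MIN_LEN threshold, the function names and the sample client entries are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit FreeRADIUS client definitions for weak shared secrets.
# Reports the client name only, never the secret itself.

MIN_LEN=22   # assumption: local policy minimum, not a FreeRADIUS setting

# audit_clients [FILE] - reads clients.conf syntax from FILE or stdin.
# Prints one finding per line; returns 1 if anything was flagged.
audit_clients() {
  awk -v min="$MIN_LEN" '
    /^[ \t]*#/ { next }                                   # whole-line comment
    /^[ \t]*client[ \t]+/ { name = $2; sub(/\{.*$/, "", name); next }
    /^[ \t]*secret[ \t]*=/ {
      s = $0
      sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", s)
      if (s ~ /^"/) { sub(/^"/, "", s); sub(/".*$/, "", s) }   # quoted value
      else          { sub(/[ \t].*$/, "", s) }                 # bare word
      if (s == "testing123")    { print "DEFAULT " name; bad = 1 }
      else if (length(s) < min) { print "SHORT " name " len=" length(s); bad = 1 }
      if (s in seen)            { print "REUSED " name " same-as=" seen[s]; bad = 1 }
      else seen[s] = name
    }
    END { exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample (not from a real deployment): four client entries.
sample_conf() {
  cat <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client ap-lobby {
    ipaddr = 192.0.2.10
    secret = "Wq7-constructed-sample-secret-A1"
}
client ap-floor2 {
    ipaddr = 192.0.2.11
    secret = "Wq7-constructed-sample-secret-A1"   # copied from ap-lobby
}
client sw-core {
    ipaddr = 192.0.2.20
    secret = s3cret
}
EOF
}

sample_conf | audit_clients || true
```

To audit the live configuration, call audit_clients with /etc/freeradius/3.0/clients.conf as its argument from an account that can read the file; a non-zero return status makes it usable as a gate in a deployment script.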

Conclusion

You have successfully deployed a powerful and easy-to-manage AAA server on Ubuntu 20.04. With FreeRADIUS as the engine and daloRADIUS as the dashboard, you have a scalable solution for managing user authentication for Wi-Fi, VPNs, switches, and other network services. By following these steps and implementing the security best practices, you’ve built a solid foundation for centralized network access control.

Source: https://kifarunix.com/install-freeradius-with-daloradius-on-ubuntu-20-04/
