Deploying FreeRADIUS for eduroam on Virtual Machine
This session describes how to deploy and set up a FreeRADIUS server. We install FreeRADIUS on the prepared VMs (NRS and IRS) and run a simple test to verify the installation.
Then the remaining procedures, which configure FreeRADIUS for the NRS and IRS, are done step by step. The lab exercise proceeds as below.
- Installation of FreeRADIUS and simple test.
- Configuration of NRS and IRS and rad test.
You may need to scale up the virtual machine to install FreeRADIUS; the minimum requirements are as below.
- 1 x vCPU
- 1GB RAM
- 20GB Storage
- 1 Network Interface (Networking and Remote access)
- Firewall : Allow connection from internet to port 1812, 1813, .....
- OS Version Ubuntu 14.04 - We prepared a clean OS (Ubuntu 14.04.4 LTS, Trusty), which is already installed on the VMs (NRS and IRS).
Network status check :
SSID : Marriott_CONFERENCE (P/W : asti16)
Visit a website, e.g. www.google.com; it then requires the password for wireless access.
If SSH is not installed on your laptop, download a remote access application (e.g., on Windows OS).
FreeRADIUS 3 Installation (with XeAP project lab environment)
1. Change to the root user.
#sudo su -
- Note : For an Ubuntu installation, the installed package is located under /etc/freeradius, and the log is recorded to /var/log/freeradius/radius.log.
2. Install the make and git packages.
#apt-get install make git
3. Add the repository to get the latest version, which is ver 3.0 in this document.
- note : if you don't add the repository, the previous version (ver 2.x) may be installed.
4. #apt-get update
5. #apt-get upgrade
6. Install freeradius. Enter 'y' to proceed with the installation. Before doing so, you can check the suggested packages and the NEW packages that will be installed.
When the installation is complete, an 'OK' message is shown.
#apt-get install freeradius
7. Check the version of the installed freeradius. You should see the installed FreeRADIUS version 3.0.10.
cf.) If the FreeRADIUS version is shown as 2.x, the cause is the add-apt-repository step. To solve this problem, add the repository and install again.
8. Check the daemon status. When the installation succeeds, the freeradius daemon is running. Check it with service freeradius status. You can also stop and start the daemon by typing 'stop' and 'start' instead of 'status' (service freeradius start|restart).
e.g.) #service freeradius status
Run of FreeRADIUS and simple test.
1. For a simple test, the first step is to add a new user by editing the users file. Change the directory to /etc/freeradius and open the users file with your favorite editor (nano or vi).
Find the bob entry, which is commented out, and uncomment it by deleting the '#' as shown in the captured screen. 'bob' is a user ID and 'hello' is a password. Save and exit with ':wq!' in the vi editor or 'ctrl + x' and 'y' in the nano editor.
2. Run radtest. You can run a local test with 'radtest' for the user created above. If the test succeeds, you receive Access-Accept.
The command and options for radtest are as below.
- note : radtest generates a list of attribute/value pairs based on the command line arguments and feeds these into radclient. It's a fast and convenient way to test a RADIUS server.
#service freeradius restart
#radtest -t mschap -x bob hello 127.0.0.1:1812 10000 testing123
- -t : protocol type (pap/chap/mschap/eap-md5)
- -x : enables debugging output for the RADIUS client.
- bob : user id
- hello : user password
- 127.0.0.1:1812 :network address and authentication port
- 10000 : arbitrary NAS port number
- testing123 : secret-key
3. Run the debugging mode to check the listening ports. Before starting the debugging mode, stop the service daemon.
#service freeradius stop
To exit debugging mode, press 'ctrl + c'.
cf.) For efficient debugging, open an additional terminal over ssh (e.g., putty). The other terminal lets you check the debug status.
cf.) In case of TLS, the debugging mode is as below.
#freeradius -fxx -l stdout
Configuration of NRS and IRS using git clone
For the configuration of the NRS and IRS, we have already uploaded modified configuration files to GitHub. With these files, the effort of configuring the NRS and IRS can be reduced.
1. To download the files, change to your home directory /home/xeap and download them with git clone.
#git clone https://github.com/jnucc/xeap-freeradius3
#ls -al
2. Change to the directory for the configuration. It contains various configuration files, especially for NRS, IRS and epol_rad_test etc.
With these files, you can configure your own RADIUS server.
In the case of NRS, change to this directory.
#cd freeradius_NRS/freeradius --> if, NRS
In the case of IRS, change to this directory.
#cd freeradius_IRS/freeradius --> if, IRS
3. After changing directory, you have the configuration files for NRS or IRS, depending on your directory. Now run the shell script file "setup_nrs" or "setup_irs". This script creates the proxy.conf and clients.conf files using templates (proxy.conf.temp and clients.conf.temp).
#sh ./setup_nrs --> if, NRS
#sh ./setup_irs -->if, IRS
Then you need to input the realm of TLRS and IRS and the IP of TLRS and IRS step by step.
- note : press 'shift + backspace' if you make a mistake while typing.
4. When it completes with a 'done' message, all files in freeradius_NRS or IRS have been copied to /etc/freeradius. This is done by the automated shell script.
5. Check proxy.conf and clients.conf to verify that the files were modified correctly.
6. You can also confirm that the files were modified correctly with the command below. If they were, you will see an 'OK' message.
7. eapol_test : The most powerful testing tool, supporting all kinds of EAP-based protocols. Refer to the website below.
#sh test.sh ID@realm password
This shell script creates a test.conf file and then shows the result of testing with test.conf. You can check the files in this directory.
rad_eap_test is a shell script with various options based on eapol_test.
#sh rad_eap_test -H 127.0.0.1 -S testing123 -P 1812 -u ID@realm -p password -e PEAP -m WPA-EAP -c
9. Additional test
- Do the eapol_test and rad_eap_test described in the lab exercise sheet.
ex) Bhutan IRS -> Indonesia IRS
Indonesia IRS -> Malaysia IRS
2. Do eapol_test or rad_eap_test against any servers (countries) which you want to test.
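
Once the tests pass, the clients.conf checked in step 5 and the users file edited for the radtest step can be audited for values that are only suitable for the lab, such as the 'testing123' secret and the 'bob' test user. The script below is an added example, not part of the xeap-freeradius3 repository; the function names, the 16-character minimum and the sample file contents are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the lab repository): post-lab audit of FreeRADIUS
# files for values that are only acceptable during local testing.

MIN_LEN=16   # assumption: minimum shared-secret length enforced by this check

# Print "<client> <reason>" for each client block with a weak shared secret.
weak_clients() {
    awk -v min="$MIN_LEN" '
        /^[ \t]*#/ { next }                                  # comment line
        $1 == "client" { name = $2; sub(/[{]$/, "", name); next }
        /^[ \t]*secret[ \t]*=/ {
            s = $0
            sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", s)         # keep the value only
            sub(/[ \t]*$/, "", s); gsub(/"/, "", s)
            if (s == "testing123")    print name, "default-secret"
            else if (length(s) < min) print name, "short-secret"
        }' "$1"
}

# Print user names in a users file that are enabled with a cleartext password.
cleartext_users() {
    awk '$1 !~ /^#/ && $2 == "Cleartext-Password" { print $1 }' "$1"
}

# Constructed sample input; on the lab VM use /etc/freeradius/clients.conf and users.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/clients.conf" <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
# client old-ap { secret = testing123 }
client irs-example {
    ipaddr = 192.0.2.10
    secret = "shortkey"
}
client tlrs-example {
    ipaddr = 192.0.2.20
    secret = 9fQ2mX7cLr4TzB8vKd3W
}
EOF
cat > "$SAMPLE_DIR/users" <<'EOF'
#alice  Cleartext-Password := "example"
bob     Cleartext-Password := "hello"
EOF

weak_clients "$SAMPLE_DIR/clients.conf"
cleartext_users "$SAMPLE_DIR/users"
```

Any line printed by either function names an entry to replace or comment out again before the server accepts connections from outside the lab.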