I've been wanting to demonstrate AAA for SSH login, PPPoE, and dot1x for a while. It's not as fun to create a lab and have such a large part of the lab work, like authentication, [missing], plus I like knowing the open source solutions out there. I decided to go with DaloRadius, http://www.daloradius.com/, because it has a fairly clean GUI and integrates with FreeRADIUS. CentOS was chosen because Red Hat is often the Linux of choice for most enterprises, but I soon found out that the latest CentOS was using much newer versions of FreeRADIUS and MySQL than DaloRadius had been updated to handle.
The server will run in VirtualBox, a free alternative to VMware, on a Windows 7 host. I connect to the web GUI from the browser on my real computer, and on a second virtual NIC the server ties into GNS3 to interface with routers. You could also use real routers and switches off of your real NIC by connecting via the bridged adapter.
Most of the build details below are similar to the instructions for CentOS that I found here:
http://www.howtoforge.com/authentication-authorization-and-accounting-with-freeradius-and-mysql-backend-and-webbased-management-with-daloradius. Those instructions had a few errors, were a little out-dated, and left out steps like fixing SELinux context labels, unblocking ports in iptables, and enabling services at startup. They may, however, go into better detail on some of the steps than I will, so please feel free to refer to them and to the INSTALL file in the DaloRadius source code. CLI commands will be in bold, code in italics. I will also leave out things like how to use vi to edit files; the main goal is to record the settings used to get DaloRadius working on CentOS 6.
- Download the latest VirtualBox and extension pack (4.3.14 would not launch VMs because of a bug between it and many antivirus products)
- Download the latest GNS3
- Download the latest CentOS 6 (torrent)
- Download the latest IOS for a Cisco 3745
I am running: c3725-adventerprisek9_ivs-mz.124-15.T14.bin
B. Install Supervisors
- Install VirtualBox (Yes and next to all options) and reboot.
- Install the VirtualBox extension pack.
- Install GNS3. SuperPutty was not checked as an option and I did not select it; otherwise I installed with Yes and Next to all options. I had to uninstall the old WinPcap and Wireshark, which the installer did for me.
C. Create Server Virtual Machine
- Open VirtualBox
- Click the "New" Icon
- Name the VM -> Set type to Linux -> Set version to Red Hat (bit) -> Next
- Set Memory size -> 512Mb -> Next
- Create a virtual hard drive now -> Next
- Select file type VDI -> Next
- Set storage -> Dynamically allocated -> Next
- Set file location and size -> 8 GB -> Create
- Right click the VM. Choose settings.
- Network -> Adapter 1 -> Change to bridged
- Adapter 2 -> Enable Network Adapter -> Host Only
- Click the "Start" icon in Virtual Box
- Select start-up disk -> Set to the first iso of CentOS you downloaded - Start
- Install or upgrade an existing system (the right CTRL key releases the keyboard and mouse from the VM)
- Skip test.
- If you used my memory settings you will get the text version of the install.
- OK -> English -> us -> Re-initialize
- Uncheck System clock uses UTC and select your timezone -> OK
- Set your root password -> OK
- Use entire drive -> OK -> Write changes to disk
- The system will now install and prompt you for reboot
D. Prepping the VM
- Login and set up networking for updates and management of the VM (eth0/bridged)
- Login with the root account you created.
- vi /etc/sysconfig/network-scripts/ifcfg-eth0 -> Change ONBOOT=yes, BOOTPROTO=static
- Set a static IP address on the same subnet as your physical NIC:
  IPADDR=192.168.1.55
  NETMASK=255.255.255.0
  GATEWAY=192.168.1.1
  Save and quit.
- vi /etc/resolv.conf -> Set your DNS servers:
  nameserver 184.108.40.206
  nameserver 220.127.116.11
  Save and quit.
- service network restart
- Log in to the VM via PuTTY from your Windows host, and update the OS.
- yum update -y
- shutdown -r now
- Restart your PuTTY session and set up the Guest Additions for the VM.
- yum install gcc kernel-devel perl -y
- Go to the VirtualBox VM window and select Devices -> Insert Guest Additions CD Image
- mkdir /media/cdrom
- mount /dev/cdrom /media/cdrom
- /media/cdrom/VBoxLinuxAdditions.run -> All additions should install except the X Window addition.
E. Install Freeradius, Apache, and DaloRadius; minus the configuration to make them work together.
- Install Freeradius, wget, and man pages
- yum install freeradius freeradius-mysql freeradius-utils freeradius-libs mysql-server wget man -y
- chkconfig mysqld on
- chkconfig radiusd on
- Install Apache, php, and pear
- yum install httpd php php-mysql php-pear php-gd php-pear-DB php-dba -y
- chkconfig httpd on
- pear install db -> (takes a long time)
- Unblock the incoming ports
- vi /etc/sysconfig/iptables -> Insert the following lines directly above the permit for port 22:
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  -A INPUT -m state --state NEW -m udp -p udp --dport 1812 -j ACCEPT
  -A INPUT -m state --state NEW -m udp -p udp --dport 1813 -j ACCEPT
  Save and quit.
- service iptables restart
- Download and install DaloRadius
- (wget with url was one command line)
- tar zxvf daloradius-0.9-9.tar.gz
- mv daloradius-0.9-9 /var/www -v
- chown apache:apache /var/www/daloradius-0.9-9/ -R
- chcon -R -t httpd_sys_content_t /var/www/daloradius-0.9-9/
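iptables walks the INPUT chain top down and the CentOS 6 default ends it with a REJECT, so the three rules above only take effect if they sit above that REJECT, which is why they go directly above the port 22 permit. The following added Python check (example code, not from this write-up or from DaloRadius) parses a file in the /etc/sysconfig/iptables format and reports which of 80/tcp, 1812/udp and 1813/udp are not reachable; the rule set embedded in it is a constructed sample.

```python
"""Check a CentOS 6 /etc/sysconfig/iptables file for the rules this build needs:
80/tcp (DaloRadius), 1812/udp (authentication) and 1813/udp (accounting) must be
ACCEPTed in the INPUT chain before its first REJECT/DROP, because iptables stops
at the first matching rule. Added example; the sample file below is constructed."""
import re

REQUIRED = {("tcp", 80), ("udp", 1812), ("udp", 1813)}

# Constructed sample modelled on the CentOS 6 default, with the three rules
# from the write-up inserted directly above the port 22 rule.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1812 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1813 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def missing_ports(rules_text):
    """Return the (proto, port) pairs from REQUIRED that are not ACCEPTed in the
    INPUT chain before its first terminating REJECT/DROP rule."""
    accepted = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT "):
            continue                      # other chains do not affect inbound traffic
        if re.search(r"-j (REJECT|DROP)\b", line):
            break                         # rules after this point never match
        proto = re.search(r"-p (tcp|udp)\b", line)
        port = re.search(r"--dport (\d+)\b", line)
        if proto and port and re.search(r"-j ACCEPT\b", line):
            accepted.add((proto.group(1), int(port.group(1))))
    return REQUIRED - accepted

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    gaps = missing_ports(text)
    print("all required ports reachable" if not gaps else "blocked: %s" % sorted(gaps))
```

Run it with the path to /etc/sysconfig/iptables as its only argument to check the real file; with no argument it checks the embedded sample.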
F. Configure Freeradius to work with MySQL, DaloRadius to work with MySQL, and DaloRadius to be hosted in Apache
- Configure Freeradius to work with MySQL
- service mysqld start
- mysqladmin -u root password complexpassword
- mysql -u root -p -> you will be prompted for the "complexpassword" you just created
  CREATE DATABASE radiusdb;
  GRANT ALL ON radiusdb.* TO freeradius@localhost IDENTIFIED BY "freeradpass";
  exit;
- mysql -u root -p radiusdb < /var/www/daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
- mysql -u root -p
  use radiusdb;
  show tables;
  You should see 35 rows in set.
  quit;
- vi /etc/raddb/radiusd.conf -> Search for and uncomment the line $INCLUDE sql.conf -> save and quit
- vi /etc/raddb/sites-enabled/default -> uncomment sql from authorize and accounting sections -> save and quit
- vi /etc/raddb/sql.conf ->
  uncomment readclients = yes
  change login = "radius" to the account you created (freeradius)
  change password = "radpass" to the password you created (freeradpass)
  change radius_db = "radius" to radius_db = "radiusdb"
  Save and quit.
- service radiusd start
- Configure DaloRadius to work with MySQL
- mysql -u root -p
  GRANT ALL ON radiusdb.* TO dalo@localhost IDENTIFIED BY "dalopassword";
  exit;
- vi /var/www/daloradius-0.9-9/library/daloradius.conf.php -> Set the following values:
  $configValues['CONFIG_DB_USER'] = 'dalo';
  $configValues['CONFIG_DB_PASS'] = 'dalopassword';
  $configValues['CONFIG_DB_NAME'] = 'radiusdb';
  Save and quit.
- touch /tmp/daloradius.log
- chown apache:apache /tmp/daloradius.log
- Configure DaloRadius to be hosted in Apache
- service httpd start
- vi /etc/httpd/conf/httpd.conf -> Add the following to the end of the file, where 192.168.1.100 is the IP address of your host computer or the IP addresses from which you want to administer DaloRadius (Apache 2.2 syntax; the Allow lines only take effect inside a Directory block):
  Alias /myradius "/var/www/daloradius-0.9-9/"
  <Directory "/var/www/daloradius-0.9-9/">
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.1.100
  </Directory>
  Save and quit.
- I also changed the security context of selinux for the DaloRadius folder with the following, but found out I had another issue.
- yum install policycoreutils-python -y
- semanage fcontext -a -t public_content_rw_t '/var/www/daloradius-0.9-9/(/.*)?'
- restorecon /var/www/daloradius-0.9-9/
- chcon -R -t httpd_sys_content_t /var/www/daloradius-0.9-9/
- You should now be able to browse into your VM at http://192.168.1.55/myradius and login as administrator, password radius.
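The routers added in the GNS3 topology will authenticate users against radiusd over UDP 1812 (and send accounting to 1813). This added Python example, not part of FreeRADIUS or of this write-up, builds an Access-Request the way a NAS does and verifies an Access-Accept the way the NAS must; it shows that the User-Password attribute is hidden only with MD5 keyed by the shared secret, and that replies are authenticated with that same secret, which is why each NAS client entry needs a long, random secret. The secret, user and password used are constructed values.

```python
"""Minimal RFC 2865 RADIUS Access-Request builder and reply check.
Added example, not part of FreeRADIUS or the article; the shared secret,
user and password passed in are constructed test values."""
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: recover the cleartext before comparing it with radcheck."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Code 1 packet as the NAS sends it to UDP 1812 (random 16-byte Request Authenticator)."""
    auth = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """How the server signs: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_reply(reply, request_authenticator, secret):
    """NAS side: a reply whose Response Authenticator fails under the shared secret is dropped."""
    header, length = reply[:4], struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(header + request_authenticator + reply[20:length] + secret).digest()
    return reply[4:20] == expected
```

radtest, installed above as part of freeradius-utils, performs this exchange end to end against the running server.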
G. Put your system on the same network as a router.
- vi /etc/sysconfig/network-scripts/ifcfg-eth0 -> remove the GATEWAY line.
- vi /etc/sysconfig/network-scripts/ifcfg-eth1 -> Set up your network
- Set a static IP address on the same subnet as your physical NIC:
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=172.16.1.55
  NETMASK=255.255.255.0
  GATEWAY=172.16.1.1
  Save and quit.
- service network restart
- Open GNS3 as an administrator.
- Configure a router to use your IOS under Edit -> IOS and Hypervisors
- Configure the IDLE timeout; mine for the image above was 0x80736f38
- Add a router and a cloud to the topology. Right-Click and configure the cloud.
- Under the cloud name -> NIO Ethernet -> Generic Ethernet NIO -> Select the Host Only VirtualBox adapter -> Add -> Apply
- Make a Fast Ethernet connection from the router to the cloud.
You should now be able to configure your router as 172.16.1.1/24 and add the server into the topology. I will be posting a demonstration for authentication for login and PPPoE soon.