I've been wanting to demonstrate AAA for SSH login, PPPoE, and dot1x for a while. It's not as much fun to create a lab and have such a large part of the lab's work, like authentication, left out, plus I like knowing what open source solutions are out there. I decided to go with DaloRadius, http://www.daloradius.com/, because it has a fairly clean GUI and integrates with FreeRADIUS. CentOS was chosen because Red Hat is often the Linux of choice for most enterprises, but I soon found out that the latest CentOS was shipping much newer versions of FreeRADIUS and MySQL than DaloRadius had been updated to handle.
The server will run in VirtualBox, a free version of VMware, on a Windows 7 platform. I connect to the web GUI via the browser of my real computer, and on another virtual NIC I tie the server into GNS3 to interface with routers. You could also use real routers and switches off of your real NIC if you were to connect via the bridged adapter.
Most of the build details below are similar to the instructions for CentOS that I found here: http://www.howtoforge.com/authentication-authorization-and-accounting-with-freeradius-and-mysql-backend-and-webbased-management-with-daloradius. Those instructions had a few errors, were a little out of date, and left out steps like fixing SELinux context labels, unblocking ports in iptables, and enabling services at startup. They may, however, go into better detail on some of the steps than I will, so please feel free to refer to them and to the INSTALL file in the DaloRadius source code. CLI commands will be in bold, code in italics. I will also leave out things like how to use vi to edit files; the main goal is to record the settings needed to get DaloRadius working on CentOS 6.
A. Downloads
- Download the latest VirtualBox and extension pack (4.3.14 would not launch VMs because of a bug between it and many types of antivirus)
- Download the latest GNS3
- Download the latest CentOS 6 (torrent)
- Download the latest IOS for a Cisco 3745
I am running: c3725-adventerprisek9_ivs-mz.124-15.T14.bin
B. Install Hypervisors
- Install VirtualBox (Yes and next to all options) and reboot.
- Install the VirtualBox extension pack.
- Install GNS3. SuperPutty was not checked as an option, so I did not select it. Otherwise I installed with Yes and Next to all options. I had to uninstall the old WinPcap and Wireshark; the installer walked me through this.
C. Create Server Virtual Machine
- Open VirtualBox
- Click the "New" Icon
- Name the VM -> Set type to Linux -> Set version to Red Hat (bit) -> Next
- Set Memory size -> 512 MB -> Next
- Create a virtual hard drive now -> Next
- Select file type VDI -> Next
- Set storage -> Dynamically allocated -> Next
- Set file location and size -> 8 GB -> Create
- Right click the VM. Choose settings.
- Network -> Adapter 1 -> Change to bridged
- Adapter 2 -> Enable Network Adapter -> Host Only
- OK
- Click the "Start" icon in Virtual Box
- Select start-up disk -> Set to the first ISO of CentOS you downloaded -> Start
- Install or upgrade an existing system (the right CTRL key will release the keyboard and mouse from the VM)
- Skip test.
- If you used my memory settings you will get the text version of the install.
- OK -> English -> us -> Re-initialize
- Uncheck System clock uses UTC and select your timezone -> OK
- Set your root password -> OK
- Use entire drive -> OK -> Write changes to disk
- The system will now install and prompt you for reboot
D. Prepping the VM
- Login and set up networking for updates and management of the VM (eth0/bridged)
- Login with the root account you created.
- vi /etc/sysconfig/network-scripts/ifcfg-eth0 -> Change to ONBOOT=yes, BOOTPROTO=static
- Set a static IP address on the same subnet as your physical NIC:
    IPADDR=192.168.1.55
    NETMASK=255.255.255.0
    GATEWAY=192.168.1.1
  Save and quit.
- vi /etc/resolv.conf -> Set your DNS servers:
    nameserver 8.8.8.8
    nameserver 4.2.2.2
  Save and quit.
- service network restart
- Login to the VM via putty from your host Windows machine, and update the OS.
- yum update -y
- shutdown -r now
- Restart your putty session and set up Guest Additions for the VM.
- yum install gcc kernel-devel perl -y
- Goto the Virtualbox VM window and select Devices -> Insert Guest Additions CD Image
- mkdir /media/cdrom
- mount /dev/cdrom /media/cdrom
- /media/cdrom/VBoxLinuxAdditions.run -> All additions should install except the X Window System one.
E. Install FreeRADIUS, Apache, and DaloRadius; minus the configuration to make them work together.
- Install FreeRADIUS, the MySQL server, wget, and man pages
- yum install freeradius freeradius-mysql freeradius-utils freeradius-libs mysql-server wget man -y
- chkconfig mysqld on
- chkconfig radiusd on
- Install Apache, php, and pear
- yum install httpd php php-mysql php-pear php-gd php-pear-DB php-dba -y
- chkconfig httpd on
- pear install db -> (takes a long time)
- Unblock the incoming ports
- vi /etc/sysconfig/iptables -> Insert the following lines directly above the permit for port 22:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 1812 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 1813 -j ACCEPT
  Save and quit.
- service iptables restart
- Download and install Daloradius
- wget the daloradius-0.9-9.tar.gz tarball (the wget with its URL was one command line)
- tar zxvf daloradius-0.9-9.tar.gz
- mv daloradius-0.9-9 /var/www -v
- chown apache:apache /var/www/daloradius-0.9-9/ -R
- chcon -R -t httpd_sys_content_t /var/www/daloradius-0.9-9/
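The rules above open TCP 80 and UDP 1812/1813 to every source. As an added example (not part of the original post), the script below builds the same three INPUT rules with a source restriction, RADIUS only from the subnet the routers will sit on and the GUI only from the admin host, validates the addresses, and inserts them above the port-22 rule the way the post does by hand. The subnet and admin host values are constructed lab placeholders that match the addresses used elsewhere in this post.

```bash
#!/bin/bash
# Added example, not from the original post: generate the iptables INPUT rules for the
# FreeRADIUS/DaloRadius VM with a source restriction the post does not apply. The post
# opens TCP 80 and UDP 1812/1813 to any source; here RADIUS is accepted only from the
# NAS subnet and the web GUI only from the admin host(s). The addresses are constructed
# lab values matching the post (admin host 192.168.1.100, router side 172.16.1.0/24).

NAS_SUBNET="172.16.1.0/24"      # subnet the GNS3 routers will use (section G)
ADMIN_HOSTS="192.168.1.100"     # space-separated hosts allowed to reach the GUI

# is_ipv4_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/NN (octets 0-255, prefix 0-32)
is_ipv4_cidr() {
  local addr=$1 ip prefix octet
  ip=${addr%%/*}
  prefix=${addr#*/}
  [ "$prefix" = "$addr" ] && prefix=32          # no "/": treat as a single host
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# radius_fw_rules NAS_SUBNET ADMIN_HOST... -> print the -A INPUT lines, in the form used
# in /etc/sysconfig/iptables on CentOS 6, to insert directly above the port-22 rule
radius_fw_rules() {
  local nas=$1 host
  shift
  is_ipv4_cidr "$nas" || { echo "bad NAS subnet: $nas" >&2; return 1; }
  [ $# -ge 1 ] || { echo "need at least one admin host" >&2; return 1; }
  for host in "$@"; do
    is_ipv4_cidr "$host" || { echo "bad admin host: $host" >&2; return 1; }
    printf -- '-A INPUT -m state --state NEW -m tcp -p tcp -s %s --dport 80 -j ACCEPT\n' "$host"
  done
  printf -- '-A INPUT -m state --state NEW -m udp -p udp -s %s --dport 1812 -j ACCEPT\n' "$nas"
  printf -- '-A INPUT -m state --state NEW -m udp -p udp -s %s --dport 1813 -j ACCEPT\n' "$nas"
}

# install_rules FILE NAS_SUBNET ADMIN_HOST... -> insert the rules above the first
# "--dport 22 -j ACCEPT" line of FILE, keeping the previous file as FILE.bak
install_rules() {
  local file=$1 rules
  shift
  rules=$(radius_fw_rules "$@") || return 1
  grep -q -- '--dport 22 -j ACCEPT' "$file" || { echo "no port-22 rule in $file" >&2; return 1; }
  cp "$file" "$file.bak" &&
  awk -v rules="$rules" '
    !done && /--dport 22 -j ACCEPT/ { print rules; done = 1 }
    { print }' "$file.bak" > "$file"
}

# Apply for real only when asked (run as root on the VM): ./radius_fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
  install_rules /etc/sysconfig/iptables "$NAS_SUBNET" $ADMIN_HOSTS && service iptables restart
else
  radius_fw_rules "$NAS_SUBNET" $ADMIN_HOSTS      # just show the rules that would be inserted
fi
```

Without --apply the script only prints the rules, so you can compare them with the three lines above before touching /etc/sysconfig/iptables; with --apply it rewrites the file and restarts iptables as the post does.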
F. Configure FreeRADIUS to work with MySQL, DaloRadius to work with MySQL, and DaloRadius to be hosted in Apache
- Configure Freeradius to work with MySQL
- service mysqld start
- mysqladmin -u root password complexpassword
- mysql -u root -p -> you will be prompted for the "complex password" you just created, then run:
    CREATE DATABASE radiusdb;
    GRANT ALL ON radiusdb.* TO freeradius@localhost IDENTIFIED BY "freeradpass";
    exit;
- mysql -u root -p radiusdb < /var/www/daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
- mysql -u root -p
    use radiusdb;
    show tables;
  You should see "35 rows in set".
    quit;
- vi /etc/raddb/radiusd.conf -> Search & uncomment this line $INCLUDE sql.conf -> save and quit
- vi /etc/raddb/sites-enabled/default -> uncomment sql from authorize and accounting sections -> save and quit
- vi /etc/raddb/sql.conf -> make the following changes:
    uncomment readclients = yes
    change login = "radius" to the account you created (freeradius)
    change password = "radpass" to the password you created (freeradpass)
    change radius_db = "radius" to radius_db = "radiusdb"
  Save and quit.
- service radiusd start
- Configure DaloRadius to work with MySQL
- mysql -u root -p
    GRANT ALL ON radiusdb.* TO dalo@localhost IDENTIFIED BY "dalopassword";
    exit;
- vi /var/www/daloradius-0.9-9/library/daloradius.conf.php -> Set the following values:
    $configValues['CONFIG_DB_USER'] = 'dalo';
    $configValues['CONFIG_DB_PASS'] = 'dalopassword';
    $configValues['CONFIG_DB_NAME'] = 'radiusdb';
  Save and quit.
- touch /tmp/daloradius.log
- chown apache:apache /tmp/daloradius.log
- Configure DaloRadius to be hosted in Apache
- service httpd start
- vi /etc/httpd/conf/httpd.conf -> Add the following to the end of the file, where 192.168.1.100 is the IP address of your host computer or the IP addresses you would like to administer DaloRadius from:
    Alias /myradius "/var/www/daloradius-0.9-9/"
    <Directory /var/www/daloradius-0.9-9/>
        Options None
        order allow,deny
        allow from 127.0.0.1
        allow from 192.168.1.100
    </Directory>
  Save and quit.
- I also changed the security context of selinux for the DaloRadius folder with the following, but found out I had another issue.
- yum install policycoreutils-python -y
- semanage fcontext -a -t public_content_rw_t '/var/www/daloradius-0.9-9/(/.*)?'
- restorecon -R /var/www/daloradius-0.9-9/
- chcon -R -t httpd_sys_content_t /var/www/daloradius-0.9-9/
- You should now be able to browse to your VM at http://192.168.1.55/myradius and log in as administrator, password radius.
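Section F touches four files by hand, and a typo in any of them shows up only as a failed login or a blank page. As an added example (not from the original post), the script below checks each edit: that $INCLUDE sql.conf is uncommented in radiusd.conf, that sql.conf has readclients on and points at the freeradius account and radiusdb database, that daloradius.conf.php has non-empty CONFIG_DB_* values, and that httpd.conf restricts /myradius to the admin host. The file paths and names are the ones this post uses; every check takes the file as an argument so it can also run against copies.

```bash
#!/bin/bash
# Added example, not from the original post: sanity checks for the section F edits
# (radiusd.conf, sql.conf, daloradius.conf.php, httpd.conf) before trusting the setup.
# Every check takes the file to inspect as an argument so it can be run against copies;
# the defaults in run_checks are the CentOS 6 paths and the account/database names the
# post uses (freeradius / radiusdb / admin host 192.168.1.100).

DB_USER="freeradius"   # account FreeRADIUS uses (sql.conf "login")
DB_NAME="radiusdb"     # database both FreeRADIUS and DaloRadius point at

# active_setting FILE KEY VALUE -> 0 if FILE has an uncommented line  KEY = VALUE  (quotes optional)
active_setting() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?$3\"?[[:space:]]*$" "$1"
}

# check_radiusd FILE -> the $INCLUDE sql.conf line must no longer be commented out
check_radiusd() {
  grep -Eq '^[[:space:]]*\$INCLUDE[[:space:]]+sql\.conf' "$1"
}

# check_sqlconf FILE USER DB -> readclients on, login and radius_db changed as described
check_sqlconf() {
  active_setting "$1" readclients yes &&
  active_setting "$1" login "$2" &&
  active_setting "$1" radius_db "$3"
}

# check_dalo_conf FILE -> the three CONFIG_DB_* values are set and non-empty (an empty
# CONFIG_DB_PASS is the usual sign the file was never edited)
check_dalo_conf() {
  local key
  for key in CONFIG_DB_USER CONFIG_DB_PASS CONFIG_DB_NAME; do
    grep -Eq "^\\\$configValues\['$key'\][[:space:]]*=[[:space:]]*'[^']+';" "$1" || return 1
  done
}

# check_httpd FILE ADMIN_IP -> the /myradius alias exists and its <Directory> block uses
# "order allow,deny" with an "allow from ADMIN_IP" line, so nobody else reaches the GUI
check_httpd() {
  grep -Eq '^[[:space:]]*Alias[[:space:]]+/myradius[[:space:]]' "$1" &&
  awk -v ip="$2" '
    /<Directory[ \t]+"?\/var\/www\/daloradius-0\.9-9\/?"?>/ { inblk = 1; next }
    inblk && /<\/Directory>/                                { inblk = 0 }
    inblk && tolower($1) == "order" && $2 == "allow,deny"   { order = 1 }
    inblk && tolower($1) == "allow" && $2 == "from" && $3 == ip { allowed = 1 }
    END { exit (order && allowed) ? 0 : 1 }' "$1"
}

# live_auth_check USER PASS -> ask the local radiusd (client "localhost" in clients.conf,
# secret testing123 by default) for USER; needs freeradius-utils and a user created in the GUI
live_auth_check() {
  radtest "$1" "$2" 127.0.0.1 0 testing123 | grep -q 'Access-Accept'
}

# run_checks [RADIUSD_CONF] [SQL_CONF] [DALO_CONF] [HTTPD_CONF] [ADMIN_IP] -> print one
# line per check and return 1 if any failed
run_checks() {
  local rc=0
  local radiusd=${1:-/etc/raddb/radiusd.conf} sql=${2:-/etc/raddb/sql.conf}
  local dalo=${3:-/var/www/daloradius-0.9-9/library/daloradius.conf.php}
  local httpd=${4:-/etc/httpd/conf/httpd.conf} admin=${5:-192.168.1.100}
  check_radiusd "$radiusd" && echo "ok   $radiusd includes sql.conf" || { echo "FAIL $radiusd: \$INCLUDE sql.conf still commented out"; rc=1; }
  check_sqlconf "$sql" "$DB_USER" "$DB_NAME" && echo "ok   $sql uses $DB_USER / $DB_NAME with readclients" || { echo "FAIL $sql: readclients, login or radius_db not set"; rc=1; }
  check_dalo_conf "$dalo" && echo "ok   $dalo has DB user, password and name" || { echo "FAIL $dalo: a CONFIG_DB_* value is missing or empty"; rc=1; }
  check_httpd "$httpd" "$admin" && echo "ok   $httpd limits /myradius to $admin" || { echo "FAIL $httpd: alias or 'allow from $admin' missing"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it with --run on the VM after the edits above. Two things the file checks cannot see: Apache was started before httpd.conf was edited, so reload it (service httpd reload) before expecting /myradius to answer, and readclients = yes makes radiusd read the NAS list from the nas table at startup, so restart radiusd after adding a router in the GUI. Once a test user exists, live_auth_check confirms the SQL path end to end, and the first thing to do in the GUI is change the administrator / radius default.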
G. Put your system on the same network as a router.
- vi /etc/sysconfig/network-scripts/ifcfg-eth0 -> remove the GATEWAY line.
- vi /etc/sysconfig/network-scripts/ifcfg-eth1 -> Set up your network
- Set a static IP address on the same subnet as your physical NIC:
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=172.16.1.55
    NETMASK=255.255.255.0
    GATEWAY=172.16.1.1
  Save and quit.
- service network restart
- Open GNS3 as an administrator.
- Configure a router to use your IOS under Edit -> IOS and Hypervisors
- Configure the IDLE timeout, mine for the image above was 0x80736f38
- Add a router and a cloud to the topology. Right-Click and configure the cloud.
- Under the cloud name -> NIO Ethernet -> Generic Ethernet NIO -> Select the Host Only VirtualBox adapter -> Add -> Apply
- Make a Fast Ethernet connection from the router to the cloud.
You should now be able to configure your router as 172.16.1.1/24 and add the server into the topology. I will be posting a demonstration of authentication for login and PPPoE soon.