Friday, November 18, 2016

How to Create an HTTP File Sharing Server with a FreeRADIUS Backend + [daloRADIUS Frontend, Optional]


        
The following is a complete guide on how to set up Apache to use the FreeRADIUS authentication module, with daloRADIUS as a front-end. You can also use this guide to build a full-featured RADIUS server for your Mikrotik or any other NAS that supports external RADIUS authentication.
This guide will also show you how to configure daloRADIUS, an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting and a billing engine; it is basically a nice GUI front-end for controlling FreeRADIUS. Using DR, you can create single/batch users, hotspot tickets, plans and packages, etc.
In the end I will show you how to create an Apache-based file sharing server which uses FreeRADIUS for authentication :)
A few months back, at my friend's cable network, I installed Mikrotik along with DMASOFTLAB Radius Manager, which also uses FreeRADIUS as its backend authentication mechanism. They also had a 4 TB Windows IIS-based FTP sharing server for videos, MP3s, games etc. for LAN users. The whole network was running on private IPs, so setting up authentication on the sharing server so that only valid users could access the FTP was a headache. For the time being I placed the FTP server behind the Mikrotik DMZ so that only PPPoE dialer-connected users could access it, BUT this topology had a negative impact on overall Mikrotik performance, because a huge amount of irrelevant (junk FTP) traffic was going through the router, increasing the overall load on the MT. So I decided to overcome this problem by changing the sharing server's operating system from Microsoft Windows to Ubuntu Linux, placing it on the users' subnet, and linking the sharing server's [Apache] authentication with FreeRADIUS. This way I managed to solve the problem. This guide shows exactly how I did it.
Here we go . . .
We will divide this article into two parts.

1) FREERADIUS + MYSQL + DALORADIUS

2) How to authenticate Apache 2 with Radius
[Please note that I am using Ubuntu 10.4 and the IP address is 192.168.2.1; all packages are installed on this single box for testing purposes. You can separate them as per your requirements.]
1) Installing the FreeRADIUS server along with MySQL + daloRADIUS:
I prefer installing the whole prerequisite LAMP package (lamp-server stands for Linux-Apache-MySQL-PHP server). First we install lamp-server using the command below:
sudo tasksel install lamp-server
(you will be asked to set the MySQL root password, which is "123" in my case, to continue the installation)
Now install the freeradius package:
sudo apt-get install freeradius
Install FreeRADIUS LDAP authentication:
sudo apt-get install freeradius-ldap
Install the FreeRADIUS MySQL module:
sudo apt-get install freeradius-mysql
After finishing the above installations, restart the FreeRADIUS service:
sudo /etc/init.d/freeradius restart
If you are using Ubuntu, remove or comment out the IPv6 entry in /etc/hosts:
nano /etc/hosts
# The following lines are desirable for IPv6 capable hosts
# ::1     localhost ip6-localhost ip6-loopback
Now you can test the RADIUS server with the radtest utility. The arguments are, in order: user name, password, server, NAS port number and the shared secret configured for this client in clients.conf:
radtest radius 123 localhost 1812 123
(you will see a result something like the one below)
Sending Access-Request of id 198 to 127.0.0.1 port 1812
User-Name = "radius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=198, length=20
The Access-Accept shows that your RADIUS server is in working condition.
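What radtest does on the wire, as an added example (Python; not code from the original post and not FreeRADIUS's own implementation): the client hides the password using the shared secret and a random Request Authenticator (RFC 2865 section 5.2), the server reverses that, looks the user up and signs its reply with a Response Authenticator computed over the same secret, and the client only trusts a reply whose authenticator checks out. The user table, the secrets and server_reply() are stand-ins constructed for the example, so nothing leaves the process.

```python
"""RADIUS PAP Access-Request / Access-Accept exchange (RFC 2865), both sides.

Added example: the user table, secrets and Request Authenticator are
constructed, and server_reply() stands in for FreeRADIUS, so it runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def attribute(atype, value):
    """One attribute in TLV form: Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """Pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. Only a holder
    of the shared secret can undo this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password()."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth,
                         nas_ip="127.0.1.1", nas_port=1812):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then the attributes."""
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(packet):
    """Split a packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def server_reply(request, secret, users):
    """Stand-in for the RADIUS server: recover the password, check it against
    the user table and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    _, ident, request_auth, attrs = parse_packet(request)
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_reply(reply, request_auth, secret):
    """Client side: return the reply code only if the authenticator was made
    with our secret for our request; otherwise None (reply must be ignored)."""
    code, _, response_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(response_auth, expected) else None


def exchange(user, password, client_secret, server_secret, users, ident=198):
    """One radtest-style round trip: 2 (Accept), 3 (Reject) or None when the
    reply could not be authenticated (client and server secrets differ)."""
    request_auth = os.urandom(16)
    request = build_access_request(ident, user, password, client_secret, request_auth)
    reply = server_reply(request, server_secret, users)
    return verify_reply(reply, request_auth, client_secret)


if __name__ == "__main__":
    table = {b"radius": b"123"}   # constructed user table
    print("correct password:", exchange(b"radius", b"123", b"123", b"123", table))
    print("wrong password:  ", exchange(b"radius", b"bad", b"123", b"123", table))
    print("wrong secret:    ", exchange(b"radius", b"123", b"abc", b"123", table))
```

Giving the client and server different secrets reproduces the classic misconfiguration: the server decodes the password to garbage and rejects, and the client cannot validate the reply either, so nothing in the exchange tells you which side is wrong. Note that everything here rests on MD5 and the shared secret; a short secret like the "123" used in this lab is fine for testing, but a production NAS should get a long random secret and RADIUS traffic should stay on a trusted management network.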
Now download daloRADIUS, which is hosted on SourceForge at http://sourceforge.net/projects/daloradius/. Get the latest release from there (I used 0.9.9), or use wget to download it into any temp folder, e.g. /temp. Then extract it, move it under the web root and restrict the config file:
mkdir /temp
cd /temp
tar -zxvf daloradius-0.9-9.tar.gz
mv daloradius-0.9-9 daloradius
cp -R daloradius /var/www
chown -R www-data:www-data /var/www/daloradius
chmod 644 /var/www/daloradius/library/daloradius.conf.php
MySQL Database Setup
Now we create the database for FreeRADIUS and a user account which FreeRADIUS will use to access the database, then import both the FreeRADIUS and daloRADIUS tables from the bundled schema.
Log in to MySQL and run the following:
mysql -u root -p123
CREATE DATABASE radius;
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'choose-a-db-password';
quit
(the IDENTIFIED BY clause sets a password for the radius account; without it MySQL creates the account with an empty password. Replace the placeholder with a password of your own.)
Now import the daloRADIUS MySQL tables:
cd /var/www/daloradius/contrib/db/
mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < mysql-daloradius.sql
Database Connection Setup
Now simply adjust the MySQL database information in daloRADIUS's config file:
cd /var/www/daloradius/library/
nano -w daloradius.conf.php
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_PASS'] = '123';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
FreeRADIUS + MySQL + daloRADIUS installation complete.
Point your browser to

Log in to the management interface with the default credentials:
username: administrator
password: radius
Here you can add users, plans, etc. Please see the daloRADIUS web site for more support info. Add some test users so that you can test them later when Apache asks for authentication. You can also test such a user with radtest:
radtest testuser testpassword localhost 1812 123

2) How to authenticate Apache 2 with RADIUS

First we install the Apache RADIUS module:
apt-get install libapache2-mod-auth-radius
a2enmod auth_radius
Now open /etc/apache2/apache2.conf and add the following lines at the end of the file. The first gives the RADIUS server and port, the shared secret, and timeout:retries; the second sets how many minutes the authentication cookie stays valid before the user is re-checked against RADIUS.
AddRadiusAuth localhost:1812 123 5:3
AddRadiusCookieValid 1
Now, for example, we have mounted our 1 TB sharing hard disk at /mnt/test, and we want that when a user opens http://192.168.2.1/test in their browser, an authentication popup appears forcing them to enter a valid RADIUS user id and password before proceeding. Add the following lines at the end of /etc/apache2/apache2.conf:
Alias /test /mnt/test
<Directory /mnt/test>
    Options Indexes FollowSymlinks
    AuthType Basic
    AuthName "AA File Server Authentication"
    AuthBasicAuthoritative Off
    AuthBasicProvider radius
    AuthRadiusAuthoritative on
    AuthRadiusActive On
    Require valid-user
</Directory>


Now point your browser to http://192.168.2.1/test and you will see an authentication popup window, something like the image below.
If the user supplies a wrong id or password, he will see the following:
If the user enters a valid id and password, he will see the contents of the test folder.
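The popup above is the browser's reaction to an HTTP 401 carrying a WWW-Authenticate challenge whose realm is the AuthName string, and the credentials come back base64-encoded in an Authorization header. The following added example (Python; not code from the post, and not Apache or mod_auth_radius) replays that exchange with a tiny server: the verify callback stands in for the RADIUS lookup, backed by a constructed user table, so it runs offline.

```python
"""HTTP Basic authentication as Apache performs it for <Directory /mnt/test>:
no credentials -> 401 plus a WWW-Authenticate challenge naming the AuthName
realm (this is what makes the browser show its login popup); a credential
pair the back-end accepts -> 200.  Added example: `verify` is a stand-in for
the mod_auth_radius lookup, fed by a constructed user table.
"""
import base64
import binascii
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "AA File Server Authentication"   # the AuthName from the Apache config


def basic_header(user, password):
    """Build the value a browser sends: 'Basic ' + base64(user:password)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header):
    """Return (user, password) from an Authorization header value, else None.
    base64 is a reversible encoding, not encryption: over plain HTTP anyone on
    the path can read these credentials, so serve such a directory over HTTPS."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # RFC 7617: split at first colon
    return (user, password) if sep else None


def authorize(headers, verify):
    """'Require valid-user' logic: (200, None) if verify() accepts the supplied
    credentials, otherwise (401, challenge) so the client is asked again."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None and verify(*creds):
        return 200, None
    return 401, 'Basic realm="%s"' % REALM


def make_handler(verify):
    """Request handler bound to a verify(user, password) -> bool callback."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, challenge = authorize(self.headers, verify)
            self.send_response(status)
            if challenge:
                self.send_header("WWW-Authenticate", challenge)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"index of /test\n" if status == 200 else b"Unauthorized\n")

        def log_message(self, *args):   # silence per-request logging
            pass
    return Handler


def fetch_status(url, credentials=None):
    """GET url, optionally with (user, password); return the HTTP status code."""
    request = urllib.request.Request(url)
    if credentials:
        request.add_header("Authorization", basic_header(*credentials))
    try:
        with urllib.request.urlopen(request) as response:
            return response.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Serve on an ephemeral loopback port and replay the three cases from the
    post: no credentials, wrong password, valid user. Returns the status codes."""
    users = {"testuser": "testpassword"}   # constructed; Apache would ask RADIUS
    server = HTTPServer(("127.0.0.1", 0), make_handler(lambda u, p: users.get(u) == p))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/test" % server.server_address[1]
    try:
        return (fetch_status(url),
                fetch_status(url, ("testuser", "wrong")),
                fetch_status(url, ("testuser", "testpassword")))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Running the script prints one status per case: 401 without credentials, 401 with a wrong password, 200 for the valid user. The point to take from parse_basic_authorization() is that the password crosses the LAN in a form anyone can decode; on a private subnet the post describes that may be acceptable, but the same directory published more widely needs TLS in front of it.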
