RADIUSdesk

Installing FreeRADIUS version 3.x

  • Ubuntu still ships FreeRADIUS version 2.x, even in the 16.04 LTS release.
  • Fortunately, adding the repository with the FreeRADIUS version 3.x packages is a snap.
  • Add the Personal Package Archive (PPA) for version 3 of FreeRADIUS.
sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:freeradius/stable-3.0
#Answer yes to include the PPA with its keys
#Update all the repositories
sudo apt-get update
  • Install the following FreeRADIUS packages.
sudo apt-get install freeradius freeradius-mysql
#Answer yes to install these with their dependencies
#Please note that installing this package generates some things, which can take a long time on slower machines.
  • Enable and start freeradius
sudo systemctl enable freeradius.service
sudo systemctl start freeradius.service
Please Take Note

Configuring FreeRADIUS version 3.x

  • Do the following to configure FreeRADIUS 3.x to work with RADIUSdesk
#Stop the service if it might be running
sudo systemctl stop freeradius.service
#Backup the original
sudo mv /etc/freeradius /etc/freeradius.orig
#Copy the RADIUSdesk specific one
sudo cp /usr/share/nginx/html/cake2/rd_cake/Setup/Radius/freeradius-3-radiusdesk.tar.gz /etc/
cd /etc
#Extract it
sudo tar -xzvf freeradius-3-radiusdesk.tar.gz
  • Configure the site wide shared secret. This will be the value used by ALL Dynamic Clients.
sudo vi /etc/freeradius/sites-enabled/dynamic-clients
  • Look for this part in the file and change FreeRADIUS-Client-Secret to the value you choose to use.
#  Echo the IP address of the client.
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
 
# require_message_authenticator
FreeRADIUS-Client-Require-MA = no
 
# secret
FreeRADIUS-Client-Secret = "testing123"
 
# shortname
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
  • Comment out the following two lines in the systemd service file
sudo vi /lib/systemd/system/freeradius.service
  • See this sample for the two lines to comment out. Failing to do this will result in a broken system, with FreeRADIUS not starting up during boot.
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=syslog.target network.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
 
[Service]
Type=forking
PIDFile=/run/freeradius/freeradius.pid
#EnvironmentFile=-/etc/default/freeradius
#ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-user.target
  • After you have completed these commands, you can test whether FreeRADIUS starts up correctly.
sudo systemctl daemon-reload 
sudo systemctl restart freeradius.service
sudo systemctl status freeradius.service
  • If in future you need to run FreeRADIUS in debug mode on the terminal use this as a reference:
#Stop the current FreeRADIUS instance
sudo systemctl stop freeradius.service
#If it is perhaps stuck use killall
sudo killall freeradius
#Start it in debug mode
sudo freeradius -X

Add script to sudoers file

Failing to do this step will leave the advanced features of RADIUSdesk broken.

  • To create the ability for the web server to exercise some control over FreeRADIUS, we will have a custom script which is added to the sudoers file.
  • The correct way to edit the sudoers file is by using:
sudo visudo
  • Add the following at the bottom
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
www-data ALL = NOPASSWD:/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/radmin_wrapper.pl
  • Confirm that this line is now inside the /etc/sudoers file
sudo cat /etc/sudoers
  • This will allow the root user in RADIUSdesk to start and stop FreeRADIUS and also to do on-the-fly activation of debug traces.
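Because sudo runs this script as root without a password, it is worth confirming that the rule is scoped to that one command and that the web server user cannot modify the script or its directory. The following added example (not part of RADIUSdesk; the function names are hypothetical and the sudoers sample is constructed) checks both.

```shell
#!/bin/sh
WRAPPER=/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/radmin_wrapper.pl  # path from this page

# True if the file has a www-data rule, on a line of its own, that grants
# exactly one command ($2) with NOPASSWD. Whitespace differences are ignored;
# a rule joined onto another line does not count.
sudoers_rule_ok() {   # $1=sudoers file  $2=command path
    awk -v want="www-dataALL=NOPASSWD:$2" '
        /^[ \t]*#/ { next }
        { line = $0; gsub(/[ \t]+/, "", line); if (line == want) found = 1 }
        END { exit !found }' "$1"
}

# True if neither the script nor its directory is writable by group or
# others, and both belong to the expected owner (default: root).
wrapper_locked_down() {   # $1=script path  $2=expected owner
    for p in "$1" "$(dirname "$1")"; do
        # Characters 6 and 9 of the ls mode string are group-write and other-write.
        [ "$(ls -ld "$p" 2>/dev/null | cut -c6,9)" = "--" ] || return 1
        [ "$(ls -ld "$p" | awk '{print $3}')" = "${2:-root}" ] || return 1
    done
}

# Demo on a constructed sudoers sample (not a real /etc/sudoers).
demo=$(mktemp -d)
printf '%%admin ALL=(ALL) ALL\nwww-data ALL = NOPASSWD:%s\n' "$WRAPPER" > "$demo/sudoers"
sudoers_rule_ok "$demo/sudoers" "$WRAPPER" && echo "OK: rule present and limited to the wrapper"
rm -rf "$demo"

# On the server, as root:
#   visudo -c                                  # syntax check of the sudoers files
#   sudoers_rule_ok /etc/sudoers "$WRAPPER"
#   wrapper_locked_down "$WRAPPER"
```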

Configure MESHdesk and APdesk

  • If you will be using MESHdesk or APdesk this section is for you and will make life easier for you.
  • We need to configure default settings for the Coova Chilli Captive Portal which are used in both MESHdesk and APdesk.
  • Please get the following information ready.
    • The IP Address which the server can be reached through. This will typically be a public IP Address but it can also be a private IP Address if you run RADIUSdesk on a private network.
    • The FQDN for the server if you registered it on a DNS service.
    • The site wide FreeRADIUS shared secret used by the Dynamic RADIUS Clients. This was set earlier on this page when you configured the Dynamic Clients.
    • There are two files which you need to edit to reflect your installation's details.
  • For MESHdesk:
sudo vi /usr/share/nginx/html/cake2/rd_cake/Config/MESHdesk.php
  • Look for this bit and change accordingly:
//_______________________________________________
//== Pre-set values for the Captive Portals
$config['Meshes']['captive_portal']['radius_1']         = '198.27.111.78'; // This will be the public IP Address of the FreeRADIUS / RADIUSdesk
//$config['ApProfiles']['captive_portal']['radius_2']         = '198.27.111.78'; //Optional second fallback RADIUS
$config['Meshes']['captive_portal']['radius_secret']    = 'testing123'; //Change this to the common site wide secret used by Dynamic RADIUS Clients
//Use DNS name in uam_url to look more professional / or IP Address 
$config['Meshes']['captive_portal']['uam_url']          = 'http://198.27.111.78/cake2/rd_cake/dynamic_details/chilli_browser_detect/';
$config['Meshes']['captive_portal']['uam_secret']       = 'greatsecret'; //Usually you will not change this value
 
//$config['ApProfiles']['captive_portal']['walled_garden'] = "www.radiusdesk.com,www.google.com"; //Optional
$config['Meshes']['captive_portal']['swap_octet']       = true;
$config['Meshes']['captive_portal']['mac_auth']         = true;
//$config['Meshes']['captive_portal']['coova_optional']   = "ssid=radiusdesk";
  • For APdesk
sudo vi /usr/share/nginx/html/cake2/rd_cake/Config/ApProfiles.php
  • Look for this bit and change accordingly:
//_______________________________________________
//== Pre-set values for the Captive Portals
$config['ApProfiles']['captive_portal']['radius_1']         = '198.27.111.78'; // This will be the public IP Address of the FreeRADIUS / RADIUSdesk
//$config['ApProfiles']['captive_portal']['radius_2']         = '198.27.111.78'; //Optional second fallback RADIUS
$config['ApProfiles']['captive_portal']['radius_secret']    = 'testing123'; //Change this to the common site wide secret used by Dynamic RADIUS Clients
//Use DNS name in uam_url to look more professional / or IP Address 
$config['ApProfiles']['captive_portal']['uam_url']          = 'http://198.27.111.78/cake2/rd_cake/dynamic_details/chilli_browser_detect/';
$config['ApProfiles']['captive_portal']['uam_secret']       = 'greatsecret'; //Usually you will not change this value
 
//$config['ApProfiles']['captive_portal']['walled_garden'] = "www.radiusdesk.com,www.google.com"; //Optional
$config['ApProfiles']['captive_portal']['swap_octet']       = true;
$config['ApProfiles']['captive_portal']['mac_auth']         = true;
//$config['ApProfiles']['captive_portal']['coova_optional']   = "ssid=radiusdesk";
//__________________________________________________
  • By defining these items the Add Captive Portal Exit Point windows will be pre-populated for you, making it a snap to add new Captive Portals to either a mesh or an Access Point profile. :-D
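A quick check for this step and the earlier Dynamic Clients step, as an added example (not part of RADIUSdesk): it confirms that the sample secret was replaced and that the same value is active in all three files. The function names are hypothetical and the sample files are constructed; the real paths are the ones given on this page.

```shell
#!/bin/sh
DEFAULT_SECRET='testing123'   # sample value shown on this page

# Active (uncommented) FreeRADIUS-Client-Secret in a dynamic-clients file.
fr_secret() {
    sed -n 's/^[[:space:]]*FreeRADIUS-Client-Secret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Active (uncommented) radius_secret preset in MESHdesk.php or ApProfiles.php.
php_secret() {
    sed -n "s/^[[:space:]]*[$]config.*\['radius_secret'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 only if all three files carry the same, non-sample secret.
# The secret itself is never printed.
check_site_secret() {   # $1=dynamic-clients  $2=MESHdesk.php  $3=ApProfiles.php
    s_fr=$(fr_secret "$1"); s_mesh=$(php_secret "$2"); s_ap=$(php_secret "$3")
    if [ -z "$s_fr" ] || [ -z "$s_mesh" ] || [ -z "$s_ap" ]; then
        echo "FAIL: no active secret found in at least one file"; return 2
    fi
    if [ "$s_fr" = "$DEFAULT_SECRET" ]; then
        echo "FAIL: FreeRADIUS still uses the sample secret"; return 1
    fi
    if [ "$s_fr" != "$s_mesh" ] || [ "$s_fr" != "$s_ap" ]; then
        echo "FAIL: captive portal presets differ from the FreeRADIUS secret"; return 1
    fi
    echo "OK: secret changed and consistent in all three files"
}

# Write constructed sample files (not real configuration) into directory $1.
make_samples() {   # $1=dir  $2=FreeRADIUS secret  $3=portal preset secret
    printf '# secret\n\tFreeRADIUS-Client-Secret = "%s"\n' "$2" > "$1/dynamic-clients"
    for f in MESHdesk:Meshes ApProfiles:ApProfiles; do
        printf "\$config['%s']['captive_portal']['radius_secret']    = '%s'; //site wide\n" \
            "${f#*:}" "$3" > "$1/${f%%:*}.php"
    done
}

# Demo on constructed files: first the untouched samples, then a changed secret.
demo=$(mktemp -d)
make_samples "$demo" 'testing123' 'testing123'
check_site_secret "$demo/dynamic-clients" "$demo/MESHdesk.php" "$demo/ApProfiles.php" || true
make_samples "$demo" 'constructed-Secret-01' 'constructed-Secret-01'
check_site_secret "$demo/dynamic-clients" "$demo/MESHdesk.php" "$demo/ApProfiles.php"
rm -rf "$demo"
# On the server, as root:
# check_site_secret /etc/freeradius/sites-enabled/dynamic-clients \
#   /usr/share/nginx/html/cake2/rd_cake/Config/MESHdesk.php \
#   /usr/share/nginx/html/cake2/rd_cake/Config/ApProfiles.php
```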

Next steps