Wednesday, April 15, 2009

OpenSIPS+MySQL+FreeRADIUS integration and installation/configuration

I'm no expert but a humble student please feel free to contribute your expert advise and short cuts, may be we all grow in the process!!!

`` Objectives:

1. Package/Dependencies Installation
2. Database MySQL 5.0.51a Configuration
3. FreeRADIUS 2.1.4 Configuration
4. Radiusclient-ng Installaion
5. OpenSIPS 1.5.1 Configuration

Package/Dependencies Installation:

Steps In Building Ubuntu Server 8.04.2 (hardy) packages
Double check dependencies and packages on the following:
official site link

a) Install dependencies:
apt-get install autotools-dev
apt-get install debhelper
apt-get install libgdbm-dev
apt-get install libiodbc2-dev
apt-get install libkrb5-dev
apt-get install libldap2-dev
apt-get install libltdl3-dev
apt-get install libmysqlclient15-dev
apt-get install libpam0g-dev
apt-get install libpcap-dev
apt-get install libperl-dev
apt-get install libpq-dev
apt-get install libsasl2-dev
apt-get install libsnmp-dev
apt-get install libtool
apt-get install python-dev

b) Download the source of latest FreeRADIUS version :
c) Extract files in /usr/src directory.
d) switch to newly extracted directory:

Before running followings you must have following files in the directory you issue these commands:
freeradius_2.1.4-0.dsc
freeradius_2.1.4-0.tar.gz
freeradius-server-2.1.4.tar.gz
freeradius-server-2.1.4.tar.gz.sig

##... freeradius_2.1.4-0.dsc file's contents as follows:
Format: 1.0
Source: freeradius
Binary: freeradius, freeradius-krb5, freeradius-ldap, freeradius-postgresql, freeradius-mysql, freeradius-iodbc, freeradius-dialupadmin, freeradius-dbg
Architecture: any
Version: 2.1.4-0
Maintainer: Nicolas Baradakis
Standards-Version: 3.7.3.0
Build-Depends: autotools-dev, debhelper (>= 5), dpatch (>= 2), dpkg-dev (>= 1.13.19), libgdbm-dev, libiodbc2-dev, libkrb5-dev, libldap2-dev, libltdl3-dev, libmysqlclient15-dev | libmysqlclient-dev, libpam0g-dev, libpcap-dev, libperl-dev, libpq-dev, libsasl2-dev, libsnmp9-dev | libsnmp-dev, libssl-dev, libtool (>= 1.5), python-dev, snmp
Files:
42c7d892e1f2f0dfe531ed2ba7f64f1d 3762749 freeradius_2.1.4-0.tar.gz
##...

$ dpkg-source -x *.dsc
$ cd freeradius-2.1.4/

There are some changes that must be done in order to successfully build the package. Make changes in "/debian/rules" file as follows

$ vi debian/rules

From:
confflags += --without-openssl --without-rlm_eap_peap --without-rlm_eap_tls --without-rlm_eap_ttls –without-rlm_otp

To:
confflags += --with-openssl --with-rlm_eap_peap --with-rlm_eap_tls --with-m_eap_ttls --with-rlm_otp

e) Mark the following lines to remark or delete them from file:

# if dh_shlibdeps -p $$pkg -- -O grep -q libssl; then \
# echo "$$pkg links to openssl" ; \
# exit 1 ;
# fi ;
# done

Installing the binary packages
It's best to build FreeRADIUS packages using dpkg-buildpackage (Installing directly from source confuses dpkg about the files installed on the system and it's not possible to uninstall the files later) If you don't have following packages installed use aptitude to install them!!!

(snmp , dpatch, build-essential)

$ aptitude install dpkg-dev
$ aptitude install libssl-dev
$ aptitude install fakeroot

f) Now execute the following command to build binaries:

# fakeroot dpkg-buildpackage -b -uc

Got too many warnings/errors, the output is at the following link:
ERRORS LOG


OR alternatively type the following on command prompt:
$ dpkg-buildpackage -rfakeroot
$
$ radiusd -X
Exec-Program: returned: 1
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
}
}
Errors initializing modules

g) Last but not least you will see the .deb files in extract directory build them one by one or all together:

$ sudo dpkg -i ../freeradius_*.deb
gpg: skipped "Alan DeKok ": secret key not available
gpg: [stdin]: clearsign failed: secret key not available
dpkg-genchanges >../freeradius_2.1.4-0_amd64.changes
dpkg-genchanges: including full source code in upload
dpkg-buildpackage: full upload; Debian-native package (full source is included)
dpkg-buildpackage: warning: Failed to sign .dsc and .changes file


Critical to create directory if it doesn't exists:
$ mkdir /var/run/radiusd

Alternative ways of Building Ubuntu packages

- Using synaptic:
$ synaptic

select the following packages:
x freeradius
x freeradius-dbg
x freeradius-dialupadmin
x freeradius-ldap
x freeradius-mysql
(It didn't work, so i moved to plan b)
- Building from source:
bash$ tar zxvf freeradius-[version].tar.gz

bash$ ./configure
bash$ make
bash$ su - root
bash# make install
bash# radiusd -X

/usr/local/etc/raddb/eap.conf[17]: Failed to link to module 'rlm_eap': libfreeradius-eap-2.1.5.so: cannot open shared object file: No such file or directory /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap". /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.


Database MySQL Configuration:

Configuring the FreeRADIUS with MySQL

First the MySQL bits (creating the db & its admin user).
Do the following from your shell.

On the MySQL shell type the following:
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
exit;

In my case only:
$ mysqladmin -u root -p create radius
$ cd /usr/share/doc/freeradius/examples
$ gunzip mysql.sql.gz
$ mysql -u root -p radius < mysql="" u="" root="" p="" radius="">show databases;

+--------------------+
Database
+--------------------+
information_schema
mysql
opensips
radius
+--------------------+
4 rows in set (0.00 sec)

mysql> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
Tables_in_radius
+------------------+
nas
radacct
radcheck
radgroupcheck
radgroupreply
radippool
radpostauth
radreply
usergroup
+------------------+
9 rows in set (0.00 sec)

mysql> \q
Bye

cp sql.conf /etc/freeradius/
cd /etc/freeradius/

Now edit your /etc/freeradius/sql.conf
#
# Configuration for the Freeradius SQL module using MySQL database and a
# central radacct table. To use monthly tables with auto-rotation see
# radius_accounting.conf and radius_accounting.proc
#
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
login = "root"
password = "secretpwd"
radius_db = "radius"
acct_table = "radacct"
sqltrace = no
sqltracefile = ${logdir}/sqltrace-%Y%m%d.log
num_sql_socks = 25
connect_failure_retry_delay = 60

Reset the user/password/database parameters to reflect the changes (eg. radius/radpass/radius); to turn the NAS management from MySQL, search for the line...


Configuring FreeRADIUS Server:

Configuring FR servers and clients. OpenSIPS server is the client of the RADIUS server. It uses the libradiusclient-ng to connect to FR server.

i) Add OpenSIPS as FR Client:
First we define the devices (remote access gw, 802.1x switches, access points) that will send the authentication and accounting packets to the FR server. I am making SIP proxy server as the FR client, which will be sending accounting requests. Files that are going to be updated are as follows:

/etc/freeradius/clients.conf
/etc/freeradius/dictionary.conf
/etc/freeradius/radiusd.conf
/etc/freeradius/sql.conf
/etc/freeradius/sites-available/default.conf

- Edit the /etc/freeradius/clients.conf first.
Make following changes in section:
client localhost {
....
# # secret and password are mapped through the "secrets" file.
secret = opensips
shortname = OpenSIPS
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
nastype = other
....
....
}

- Enable MySQL accounting in FR by editing the cofig file
$ vi /etc/freeradius/radiusd.conf
Make following changes in sections:

security {
....
....
# PROXY CONFIGURATION
#

##?? $INCLUDE proxy.conf
$INCLUDE ${confdir}/proxy.conf

##?? $INCLUDE clients.conf
$INCLUDE ${confdir}/clients.conf
....
....
}

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
...
$INCLUDE sql.conf
...
}

+ Edit /etc/freeradius/sites-available/default
Un comment/add the lines for auth_log, digest, sql, and ldap in accounting section.
accounting {
...
...
#???
acct_unique

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
auth_log

#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap
...
...
}

+ Copy the OpenSIPS dictionary to /etc/freeradius
$ cp /usr/local/share/freeradius/dictionary.openser /etc/freeradius

+ Include the OpenSIPS in the RADIUS server configuration file as follows:
vi /etc/freeradius/dictionary

+ Add this line in /etc/freeradius/dictionary ...
$INCLUDE /etc/freeradius/dictionary.openser

+ Make directory and setup ownership:
$ mkdir /var/run/freeradius
$ chown freerad:freerad /var/run/freeradius/*
$ chown freerad:freerad /var/run/freeradius

+ Restart the FR server:
$ /etc/init.d/freeradius stop
$ freeradius -X
...
...

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on proxy address * port 1814
Ready to process requests.


Radiusclient-ng
ii) Configure the RADIUS Client (radiusclient-ng):

Download tar file radiusclient-ng-0.5.6.tar.gz from official site
# tar zxvf radiusclient-ng-0.5.6.tar.gz
# cd radiusclient-ng-0.5.6

Above process failed since it couldn't find /debian/changelog

Thus i followed following steps:

The radiusclient-ng must be compiled manually, as it is not included in the Debian distribution. Here I used the version 0.5.6

1. Checkout from berlios CVS (hit ENTER when asked for the password):

$ cd /usr/local/src
$ mkdir radiusclient-ng
$ cd radiusclient-ng
$ cvs -d:pserver:anonymous@cvs.radiusclient-ng.berlios.de:/cvsroot/radiusclient-ng login
$ cvs -z3 -d:pserver:anonymous@cvs.radiusclient-ng.berlios.de:/cvsroot/radiusclient-ng co -r RELENG_0_5_6 radiusclient-ng
$ mv radiusclient-ng radiusclient-ng-5.6
$ cd radiusclient-ng-5.6

Note: change the RELENG value to the release version you want to check out, and make the appropriate alterations to the following secitons

Note: cvs often makes problems when you are behind a firewall which blocks cvs (port 2401). To test if you can reach the CVS server try with telnet: “telnet cvs.radiusclient-ng.berlios.de 2401”

2. correct version labeling

We edit the debian/changelog file to have debian packages with the correct version number: change “radiusclient-ng (0.5.0) unstable; urgency=low” to “radiusclient-ng (0.5.6) unstable; urgency=low”

3. build the Debian packages
$ dpkg-buildpackage -rfakeroot -tc


****** I got stuck at this point when i couldn't go any further, so i
went to following link and downloaded libradiusclient-ng-dev

http://packages.ubuntu.com/hardy/amd64/libradiusclient-ng-dev/download
Used the pkg installer to install and tried to install again

$ dpkg-buildpackage -rfakeroot -tc

I only got a warning but it didnt complain about .so like before
Next i followed following steps:

4. install the packages

$ cd ..
$ su (if you are not super user)
$ dpkg -i libradius-ng-dev_0.5.6_amd64.deb libradius-ng_0.5.6_amd64.deb
$ radiusclient-ng_0.5.6_amd64.deb
$ exit

NOW I got following errors:
(Reading database ... 118048 files and directories currently installed.)
Unpacking libradius-ng-dev (from libradius-ng-dev_0.5.6_amd64.deb) ...
dpkg: error processing libradius-ng-dev_0.5.6_amd64.deb (--install):
trying to overwrite `/usr/include/radiusclient-ng.h', which is also
in package libradiusclient-ng-dev
Selecting previously deselected package libradius-ng.
Unpacking libradius-ng (from libradius-ng_0.5.6_amd64.deb) ...
dpkg: error processing libradius-ng_0.5.6_amd64.deb (--install):
trying to overwrite `/usr/lib/libradiusclient-ng.so.2.0.0', which is
also in package libradiusclient-ng2
Selecting previously deselected package radiusclient-ng.
Unpacking radiusclient-ng (from radiusclient-ng_0.5.6_amd64.deb) ...
dpkg: dependency problems prevent configuration of radiusclient-ng:
radiusclient-ng depends on libradius-ng; however:
Package libradius-ng is not installed.
dpkg: error processing radiusclient-ng (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
libradius-ng-dev_0.5.6_amd64.deb
libradius-ng_0.5.6_amd64.deb
radiusclient-ng

The following is the list of files that should have been in place and datestamp should have been current but it shows older dates, it was bazar behavior.

/usr/include/radiusclient-ng.h
/usr/lib/libradiusclient-ng.a
/usr/lib/libradiusclient-ng.la
/usr/lib/libradiusclient-ng.so
/usr/share/doc/libradiusclient-ng-dev/BUGS
/usr/share/doc/libradiusclient-ng-dev/CHANGES.gz
/usr/share/doc/libradiusclient-ng-dev/README
/usr/share/doc/libradiusclient-ng-dev/README.Debian
/usr/share/doc/libradiusclient-ng-dev/README.radexample
/usr/share/doc/libradiusclient-ng-dev/changelog.Debian.gz
/usr/share/doc/libradiusclient-ng-dev/changelog.gz
/usr/share/doc/libradiusclient-ng-dev/copyright

*** ***
Somehow i got messed up with older version of radiusclient-ng, and those older files were causing conflict thus i have to remove all the .a and .la files, move .h files. Even all this didn't work it complains about files that i have moved to tmp directory but it says they are there eventhough they are not grrrrrrrr :#

Mike my mentor, my teacher, and my colleague steeped in on my request; fixed the problem magically (trade secret) and finally installed the package manually using ./configure, make, and make install :~{

Thanks a bunch Mike Spice, you are the greatest :)

Lets move on to my objective completion phases ;)

iii) Copy and edit the file
... (/etc/radiusclient-ng/dictionary):

$ cp /home/wiz/Documents/RadiusCDRTool/radiusclient-ng/dictionary.radius /etc/radiusclient-ng/dictionary.radius
$ vi /etc/radiusclient-ng/dictionary

Add the following lines at the end of file:
#***
# The file name given here should be an absolute path.
#***
$INCLUDE /etc/freeradius/dictionary.openser

iv) Edit the file (/etc/radiusclient-ng/servers):
Add the following line at the end of the file...

127.0.0.1 opensips

Now the file should look like this:
#Server Name or Client/Server pair ... Key
#---------------- ... ... ... ... ... ... ... ... ... ... ---------------
#portmaster.elemental.net ... ... ... ... hardlyasecret
#portmaster2.elemental.net ... ... ... . donttellanyone
127.0.0.1 opensips

v) Edit the file (/etc/radiusclient-ng/radiusclient.conf):
Make following changes by adding IP address of RADIUS server

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
#acctserver localhost
acctserver 127.0.0.1


Configure OpenSIPS:
The "acc" module have support for RADIUS but its not enabled thus opensips.cfg file needs additional script to enable the RADIUS support.

a) Re-compile OpenSIPS first to start the integration process:

I figured its good time to break my OpenSIPS 1.5.0 and install 1.5.1, it would resolve some of the issues I'm having.

Buckle-up...






7 comments:

Raka said...

Question: where can we download these files from?

freeradius_2.1.4-0.dsc
freeradius_2.1.4-0.tar.gz
freeradius-server-2.1.4.tar.gz
freeradius-server-2.1.4.tar.gz.sig

In this site I could only find:
ftp://ftp.freeradius.org/pub/freeradius/

freeradius-server-2.1.4.tar.gz
freeradius-server-2.1.4.tar.gz.sig

Missing the first two files mentioned in your blog.

Raka said...

Hi,

I still couldn't find freeradius_2.1.4-0.tar.gz. Not even here: http://freeradius.portal-to-web.de/old/
Maybe they changed the building mechanism, and decided to delete it?

Maybe you'd like to consider updating the manual, to reflect those (possible) changes.

This page explain how to build it http://wiki.freeradius.org/Build#Building_Packages

Khan said...

Raka,
Thanks for your input, sorry for the late reply, been busy really but I will look into the files and see if i can upload it for you. I will look at your request of changing blog too.
Khan

bassou_djerba said...

Hi Raka,

you can change your repository to install it automatically.

If you are using a debian-based distribution, you have just to change /etc/apt/sources.list

Husnain Taseer said...

Hi Khan,

I want to authenticate asterisk peer using freeradius I am using asterisk 12.0.0 and Freeradius 2.2.1. I have configured freeradius correctly as I am able to authenticate user saved in users file from the terminal by using "radclient" command from the terminal. but when I try to register peer in asterisk the freeradius authentication doesn't work. Even I don't get any request from asterisk server in radius logs.

My sip.conf configuration is :

[1000]
type=friend
context=test
auth_type=radius
host=dynamic

and user credentials are placed in /usr/local/etc/raddb/users as:

1000 Cleartext-Password := "password"

when I register Xlite softphone it gets registered without any secret.
Please Help me in this regard.

Khan said...

Sorry, I can not help at this point of time due to many projects in-hand. I did not do anything in this regards for quite a while.
Is there anyone else who can help my friend?

Khan said...

Did you tried RTP with freeRadius instead, Asterisk have limitations, i forgot what though but i remember using RTP instead and administrated through SIP Admin i believe or some other admin software.