diff --git a/freeradius/Dockerfile b/freeradius/Dockerfile
index 4dab0dd..eed513b 100644
--- a/freeradius/Dockerfile
+++ b/freeradius/Dockerfile
@@ -7,27 +7,17 @@ MAINTAINER kev
 
 RUN set -xe \
 && apk add --no-cache freeradius \
+ freeradius-mysql \
 freeradius-radclient \
- freeradius-sqlite \
- sqlite \
+ && rm -f /etc/raddb/mods-enabled/eap \
 && ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/sql \
- && sed -i -e 's@driver =.*@driver = "rlm_sql_sqlite"@' \
- -e 's@dialect =.*@dialect = "sqlite"@' \
- -e '/sqlite {$/,/}$/{s@^#@@;s@/tmp@/etc/raddb@}' \
+ && sed -i -e 's@driver =.*@driver = "rlm_sql_mysql"@' \
+ -e 's@dialect =.*@dialect = "mysql"@' \
+ -e '/Connection info:/,/^$/{s@^#@@;s@localhost@mysql@}' \
 /etc/raddb/mods-available/sql
 
-RUN set -xe \
- && cd /etc/raddb \
- && sqlite3 freeradius.db < /etc/raddb/mods-config/sql/main/sqlite/schema.sql \
- && echo "INSERT INTO radcheck VALUES('0','user','Cleartext-Password',':=','pass');" | sqlite3 freeradius.db \
- && radiusd \
- && radtest user pass localhost 0 testing123 \
- && echo "DELETE FROM radcheck WHERE id='0';" | sqlite3 freeradius.db
-
 VOLUME /etc/raddb
 
-EXPOSE 1812/udp \
- 1813/udp \
- 47132/udp
+EXPOSE 1812/udp 1813/udp
 
-CMD ["radiusd", "-f"]
+CMD ["radiusd", "-fl", "stdout"]
diff --git a/freeradius/Dockerfile.sqlite b/freeradius/Dockerfile.sqlite
new file mode 100644
index 0000000..7ee042b
--- /dev/null
+++ b/freeradius/Dockerfile.sqlite
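Review bot: The sed range `/Connection info:/,/^$/{s@^#@@;s@localhost@mysql@}` uncomments the whole connection block of mods-available/sql, so the upstream default `login`/`password` (`radius`/`radpass`, as listed in mysql/README.md) become the image's live database credentials and must stay in step with mysql/00-setup.sql, yet nothing in the Dockerfile says so. Add a comment above the sed, e.g. `# enable the SQL connection block; login/password must match mysql/00-setup.sql (override via the /etc/raddb volume)`. The added `rm -f /etc/raddb/mods-enabled/eap` silently disables EAP and deserves its own why-comment, since the README only exercises `radtest` password logins.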
@@ -0,0 +1,33 @@
+#
+# Dockerfile for freeradius
+#
+
+FROM alpine
+MAINTAINER kev
+
+RUN set -xe \
+ && apk add --no-cache freeradius \
+ freeradius-radclient \
+ freeradius-sqlite \
+ sqlite \
+ && ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/sql \
+ && sed -i -e 's@driver =.*@driver = "rlm_sql_sqlite"@' \
+ -e 's@dialect =.*@dialect = "sqlite"@' \
+ -e '/sqlite {$/,/}$/{s@^#@@;s@/tmp@/etc/raddb@}' \
+ /etc/raddb/mods-available/sql
+
+RUN set -xe \
+ && cd /etc/raddb \
+ && sqlite3 freeradius.db < mods-config/sql/main/sqlite/schema.sql \
+ && echo "INSERT INTO radcheck VALUES('0','user','Cleartext-Password',':=','pass');" | sqlite3 freeradius.db \
+ && radiusd \
+ && radtest user pass localhost 0 testing123 \
+ && echo "DELETE FROM radcheck WHERE id='0';" | sqlite3 freeradius.db
+
+VOLUME /etc/raddb
+
+EXPOSE 1812/udp \
+ 1813/udp \
+ 47132/udp
+
+CMD ["radiusd", "-f"]
diff --git a/freeradius/README.md b/freeradius/README.md
new file mode 100644
index 0000000..c4e0b64
--- /dev/null
+++ b/freeradius/README.md
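Review bot: The second RUN step starts `radiusd` as a daemon solely so that `radtest user pass localhost 0 testing123` can exercise the freshly created sqlite database, and nothing explains that the surrounding INSERT/DELETE pair is a throw-away smoke test rather than provisioning; add `# build-time smoke test: create a temporary user, authenticate against it, then remove it` above it. The resulting `/etc/raddb/freeradius.db` lives inside the directory declared as `VOLUME /etc/raddb`, so a bind mount over that path hides both the database and the patched sql module config — worth a comment next to the VOLUME line. The test depends on the shipped client secret `testing123`, presumably the upstream loopback-only `localhost` client entry; the comment should say it is the packaged default so nobody mistakes it for a deliberate choice.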
@@ -0,0 +1,90 @@
+FreeRadius
+==========
+
+[FreeRADIUS][1] includes a RADIUS server, a BSD licensed client library, a PAM
+library, and an Apache module. In most cases, the word FreeRADIUS refers to the
+RADIUS server.
+
+## docker-compose.yml
+
+```yaml
+freeradius:
+ image: vimagick/freeradius
+ ports:
+ - "1812:1812/udp"
+ - "1813:1813/udp"
+ links:
+ - mysql
+ restart: always
+
+mysql:
+ image: mysql
+ volumes:
+ - ./mysql:/docker-entrypoint-initdb.d
+ environment:
+ - MYSQL_ROOT_PASSWORD=root
+ restart: always
+```
+
+## Server Setup
+
+```bash
+$ docker-compose up -d mysql
+$ docker-compose exec mysql mysql -uroot -proot radius
+>>> show tables;
++------------------+
+| Tables_in_radius |
++------------------+
+| nas |
+| radacct |
+| radcheck |
+| radgroupcheck |
+| radgroupreply |
+| radpostauth |
+| radreply |
+| radusergroup |
++------------------+
+8 rows in set (0.00 sec)
+
+>>> SHOW GRANTS FOR radius;
++----------------------------------------------------------------+
+| Grants for radius@% |
++----------------------------------------------------------------+
+| GRANT USAGE ON *.* TO 'radius'@'%' |
+| GRANT SELECT ON `radius`.* TO 'radius'@'%' |
+| GRANT ALL PRIVILEGES ON `radius`.`radacct` TO 'radius'@'%' |
+| GRANT ALL PRIVILEGES ON `radius`.`radpostauth` TO 'radius'@'%' |
++----------------------------------------------------------------+
+5 rows in set (0.00 sec)
+
+>>> INSERT INTO radcheck(id, username, attribute, op, value) VALUES(0, 'user', 'Cleartext-Password', ':=', 'pass');
+Query OK, 1 row affected (0.00 sec)
+
+>>> EXIT
+Bye
+
+$ docker-compose up -d freeradius
+$ docker-compose exec freeradius sh
+>>> vi /etc/raddb/clients.conf
+>>> exit
+$ docker-compose restart freeradius
+```
+
+```
+# /etc/raddb/clients.conf
+
+client testing {
+ ipaddr = 0.0.0.0/0
+ secret = testing321
+}
+```
+
+## Client Setup
+
+```bash
+# ssh root@192.168.31.231
+$ pacman -S freeradius freeradius-client
+$ radtest user pass 192.168.31.234 0 testing321
+```
+
+[1]: http://freeradius.org/
diff --git a/freeradius/docker-compose.yml b/freeradius/docker-compose.yml
new file mode 100644
index 0000000..5546008
--- /dev/null
+++ b/freeradius/docker-compose.yml
@@ -0,0 +1,16 @@
+freeradius:
+ image: vimagick/freeradius
+ ports:
+ - "1812:1812/udp"
+ - "1813:1813/udp"
+ links:
+ - mysql
+ restart: always
+
+mysql:
+ image: mysql
+ volumes:
+ - ./mysql:/docker-entrypoint-initdb.d
+ environment:
+ - MYSQL_ROOT_PASSWORD=root
+ restart: always
diff --git a/freeradius/mysql/00-setup.sql b/freeradius/mysql/00-setup.sql
new file mode 100644
index 0000000..2108b55
--- /dev/null
+++ b/freeradius/mysql/00-setup.sql
@@ -0,0 +1,24 @@
+# -*- text -*-
+##
+## admin.sql -- MySQL commands for creating the RADIUS user.
+##
+## WARNING: You should change '%' and 'radpass'
+## to something else. Also update raddb/sql.conf
+## with the new RADIUS password.
+##
+## $Id: aff0505a473c67b65cfc19fae079454a36d4e119 $
+
+#
+# Create default administrator for RADIUS
+#
+CREATE USER 'radius'@'%';
+SET PASSWORD FOR 'radius'@'%' = PASSWORD('radpass');
+
+# The server can read any table in SQL
+GRANT SELECT ON radius.* TO 'radius'@'%';
+
+# The server can write to the accounting and post-auth logging table.
+#
+# i.e.
+GRANT ALL on radius.radacct TO 'radius'@'%';
+GRANT ALL on radius.radpostauth TO 'radius'@'%';
diff --git a/freeradius/mysql/01-schema.sql b/freeradius/mysql/01-schema.sql
new file mode 100644
index 0000000..8fad00c
--- /dev/null
+++ b/freeradius/mysql/01-schema.sql
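Review bot: `MYSQL_ROOT_PASSWORD=root` hard-codes the database root password in a committed file, and README.md repeats it (`-uroot -proot`). Prefer taking it from the environment, `- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}`, with the value kept in an untracked `.env`. The mysql service correctly publishes no `ports:`, so it is reachable only from the linked freeradius container; a comment saying that is deliberate would stop someone "fixing" it. `links:` does not wait for MySQL to finish initialising, so the first freeradius start may fail if the sql module cannot connect — `restart: always` presumably covers the retry, and the README's "start mysql first" order is worth restating here as a comment.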
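Review bot: `SET PASSWORD FOR 'radius'@'%' = PASSWORD('radpass');` relies on the `PASSWORD()` function, which MySQL 8.0 removed, and docker-compose.yml pulls the unpinned `mysql` image, so this init script can abort on a current server and leave the account without a usable password. Replace the CREATE USER/SET PASSWORD pair with `CREATE USER 'radius'@'%' IDENTIFIED BY 'radpass';`, which both 5.x and 8.x accept. The file's own header warns to change `'%'` and `'radpass'`, yet both stay at the upstream defaults (the host was even widened from `localhost` to `%`, per mysql/README.md); since the mysql container publishes no port the reach is the compose network, but the password should be generated per deployment and kept in step with `password = "radpass"` in the sql module config. A comment is also warranted that the table-level GRANTs run before 01-schema.sql creates the tables, which MySQL permits only because `ALL` includes `CREATE`.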
@@ -0,0 +1,153 @@
+CREATE DATABASE radius;
+USE radius;
+
+###########################################################################
+# $Id: ca5ac77aa03dbb86ef714d1a1af647f7e63fda00 $ #
+# #
+# schema.sql rlm_sql - FreeRADIUS SQL Module #
+# #
+# Database schema for MySQL rlm_sql module #
+# #
+# To load: #
+# mysql -uroot -prootpass radius < schema.sql #
+# #
+# Mike Machado #
+###########################################################################
+#
+# Table structure for table 'radacct'
+#
+
+CREATE TABLE radacct (
+ radacctid bigint(21) NOT NULL auto_increment,
+ acctsessionid varchar(64) NOT NULL default '',
+ acctuniqueid varchar(32) NOT NULL default '',
+ username varchar(64) NOT NULL default '',
+ groupname varchar(64) NOT NULL default '',
+ realm varchar(64) default '',
+ nasipaddress varchar(15) NOT NULL default '',
+ nasportid varchar(15) default NULL,
+ nasporttype varchar(32) default NULL,
+ acctstarttime datetime NULL default NULL,
+ acctupdatetime datetime NULL default NULL,
+ acctstoptime datetime NULL default NULL,
+ acctinterval int(12) default NULL,
+ acctsessiontime int(12) unsigned default NULL,
+ acctauthentic varchar(32) default NULL,
+ connectinfo_start varchar(50) default NULL,
+ connectinfo_stop varchar(50) default NULL,
+ acctinputoctets bigint(20) default NULL,
+ acctoutputoctets bigint(20) default NULL,
+ calledstationid varchar(50) NOT NULL default '',
+ callingstationid varchar(50) NOT NULL default '',
+ acctterminatecause varchar(32) NOT NULL default '',
+ servicetype varchar(32) default NULL,
+ framedprotocol varchar(32) default NULL,
+ framedipaddress varchar(15) NOT NULL default '',
+ PRIMARY KEY (radacctid),
+ UNIQUE KEY acctuniqueid (acctuniqueid),
+ KEY username (username),
+ KEY framedipaddress (framedipaddress),
+ KEY acctsessionid (acctsessionid),
+ KEY acctsessiontime (acctsessiontime),
+ KEY acctstarttime (acctstarttime),
+ KEY acctinterval (acctinterval),
+ KEY acctstoptime (acctstoptime),
+ KEY nasipaddress (nasipaddress)
+) ENGINE = INNODB;
+
+#
+# Table structure for table 'radcheck'
+#
+
+CREATE TABLE radcheck (
+ id int(11) unsigned NOT NULL auto_increment,
+ username varchar(64) NOT NULL default '',
+ attribute varchar(64) NOT NULL default '',
+ op char(2) NOT NULL DEFAULT '==',
+ value varchar(253) NOT NULL default '',
+ PRIMARY KEY (id),
+ KEY username (username(32))
+);
+
+#
+# Table structure for table 'radgroupcheck'
+#
+
+CREATE TABLE radgroupcheck (
+ id int(11) unsigned NOT NULL auto_increment,
+ groupname varchar(64) NOT NULL default '',
+ attribute varchar(64) NOT NULL default '',
+ op char(2) NOT NULL DEFAULT '==',
+ value varchar(253) NOT NULL default '',
+ PRIMARY KEY (id),
+ KEY groupname (groupname(32))
+);
+
+#
+# Table structure for table 'radgroupreply'
+#
+
+CREATE TABLE radgroupreply (
+ id int(11) unsigned NOT NULL auto_increment,
+ groupname varchar(64) NOT NULL default '',
+ attribute varchar(64) NOT NULL default '',
+ op char(2) NOT NULL DEFAULT '=',
+ value varchar(253) NOT NULL default '',
+ PRIMARY KEY (id),
+ KEY groupname (groupname(32))
+);
+
+#
+# Table structure for table 'radreply'
+#
+
+CREATE TABLE radreply (
+ id int(11) unsigned NOT NULL auto_increment,
+ username varchar(64) NOT NULL default '',
+ attribute varchar(64) NOT NULL default '',
+ op char(2) NOT NULL DEFAULT '=',
+ value varchar(253) NOT NULL default '',
+ PRIMARY KEY (id),
+ KEY username (username(32))
+);
+
+
+#
+# Table structure for table 'radusergroup'
+#
+
+CREATE TABLE radusergroup (
+ username varchar(64) NOT NULL default '',
+ groupname varchar(64) NOT NULL default '',
+ priority int(11) NOT NULL default '1',
+ KEY username (username(32))
+);
+
+#
+# Table structure for table 'radpostauth'
+#
+CREATE TABLE radpostauth (
+ id int(11) NOT NULL auto_increment,
+ username varchar(64) NOT NULL default '',
+ pass varchar(64) NOT NULL default '',
+ reply varchar(32) NOT NULL default '',
+ authdate timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+ PRIMARY KEY (id)
+) ENGINE = INNODB;
+
+#
+# Table structure for table 'nas'
+#
+CREATE TABLE nas (
+ id int(10) NOT NULL auto_increment,
+ nasname varchar(128) NOT NULL,
+ shortname varchar(32),
+ type varchar(30) DEFAULT 'other',
+ ports int(5),
+ secret varchar(60) DEFAULT 'secret' NOT NULL,
+ server varchar(64),
+ community varchar(50),
+ description varchar(200) DEFAULT 'RADIUS Client',
+ PRIMARY KEY (id),
+ KEY nasname (nasname)
+);
diff --git a/freeradius/mysql/README.md b/freeradius/mysql/README.md
new file mode 100644
index 0000000..86aa2d5
--- /dev/null
+++ b/freeradius/mysql/README.md
@@ -0,0 +1,46 @@
+FreeRadius MySQL
+================
+
+## SQL Patch
+
+```
+$ wget https://github.com/FreeRADIUS/freeradius-server/raw/release_3_0_11/raddb/mods-config/sql/main/mysql/setup.sql
+$ wget https://github.com/FreeRADIUS/freeradius-server/raw/release_3_0_11/raddb/mods-config/sql/main/mysql/schema.sql
+```
+
+File: 00-setup.sql
+
+```diff
+#
+# Create default administrator for RADIUS
+#
+CREATE USER [-'radius'@'localhost';-]{+'radius'@'%';+}
+SET PASSWORD FOR [-'radius'@'localhost'-]{+'radius'@'%'+} = PASSWORD('radpass');
+
+# The server can read any table in SQL
+GRANT SELECT ON radius.* TO [-'radius'@'localhost';-]{+'radius'@'%';+}
+
+# The server can write to the accounting and post-auth logging table.
+#
+# i.e.
+GRANT ALL on radius.radacct TO [-'radius'@'localhost';-]{+'radius'@'%';+}
+GRANT ALL on radius.radpostauth TO [-'radius'@'localhost';-]{+'radius'@'%';+}
+```
+
+File: 01-schema.sql
+
+```diff
+@@ -1,5 +1,8 @@
++CREATE DATABASE radius;
++USE radius;
+```
+
+## MySQL Setup
+
+```ini
+server = "mysql"
+port = 3306
+login = "radius"
+password = "radpass"
+radius_db = "radius"
+```