palw3ey/ye3radius
AAA Radius, RadSec and RadSec Proxy server based on Freeradius and Alpine for SQL DB. GNS3 ready
The /etc/raddb folder is persistent.
docker run -dt --name myradius -e Y_TEST_NAS=yes -e Y_TEST_USER=yes -p 1812-1813:1812-1813/udp docker.io/palw3ey/ye3radius
If you don't have a MariaDB or MySQL Server, then proceed to step 1.
If you already have a running SQL Server, then skip to step 3.
If you already have a Radius DB with data, then skip to step 7.
docker run -dt --name mymariadb -e MYSQL_ROOT_PASSWORD=mypass -p 3306:3306 mariadb:latest
docker exec -it mymariadb mariadb --user=root --password=mypass
create database radius;
create user 'radiusDBuser'@'%' identified by 'radiusDBpassword';
GRANT ALL PRIVILEGES ON radius.* TO radiusDBuser;
quit;
# install mariadb-client-core
sudo apt install mariadb-client-core -y
# get the mymariadb container IP address
mymariadb_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' mymariadb)
wget https://github.com/palw3ey/ye3radius/raw/main/schema.sql
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius < schema.sql
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SHOW TABLES;"
nas_address="0.0.0.0/0"
nas_secret="strongSecret"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO nas (nasname,shortname,type,ports,secret,server,community,description) VALUES ('"$nas_address"', 'nas access sql', 'other',NULL ,'"$nas_secret"',NULL ,NULL ,'RADIUS Client');"
employee_username="tux"
employee_password="strongPassword"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO radcheck (username, attribute, op, value) VALUES ('"$employee_username"', 'Cleartext-Password', ':=', '"$employee_password"');"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
INSERT INTO radreply
(username, attribute, op, value)
VALUES
('tux', 'cisco-avpair', '+=', 'ipsec:dns-servers=1.1.1.1 8.8.8.8'),
('tux', 'cisco-avpair', '+=', 'ipsec:default-domain=example.lan');
quit;
docker run -dt --name myradius -e Y_DB_ENABLE=yes \
-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \
-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \
-p 1812-1813:1812-1813/udp \
palw3ey/ye3radius
# check that the container is ready:
docker logs myradius
# get the container IP:
myradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)
# On an Ubuntu host:
apt install freeradius-utils
radtest $employee_username $employee_password $myradius_ip:1812 0 $nas_secret -x
on the host
docker exec -it myradius radtest test 1234 localhost:1812 0 testing123 -x
on Cisco IOS
configure terminal
aaa new-model
radius server ye3radius
address ipv4 10.10.10.250 auth-port 1812 acct-port 1813
key strongSecret
exit
do test aaa group radius server name ye3radius test 1234 new-code
docker exec -it myradius tail -f /var/log/radius/radius.log
# To exit: Ctrl+C
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
INSERT INTO radcheck
(username, attribute, op, value)
VALUES
('emily', 'Cleartext-Password', ':=', 'emilyStrongPassword');
DELETE FROM radcheck
WHERE username = 'emily';
UPDATE radcheck
SET value='emilyNewStrongPassword'
WHERE username='emily';
INSERT INTO radcheck
(username, attribute, op, value)
VALUES
('emily', 'Auth-Type', ':=', 'Reject');
DELETE FROM radcheck
WHERE username='emily'
AND attribute='Auth-Type'
AND value='Reject';
SELECT * FROM radcheck;
INSERT INTO radusergroup (username, groupname) VALUES ('emily', 'Manager');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('Manager', 'Class', ':=', 'Manager');
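The nas and radcheck inserts above (the `nas_secret` / `employee_password` one-liners and the emily statements) interpolate shell variables straight into SQL text, so a value containing a single quote or a backslash would break the statement or change its meaning. The helper below is an added example, not part of the ye3radius project: it builds the same two INSERT statements with SQL-safe quoting and passes the database password through the `MYSQL_PWD` environment variable instead of the command line; the host, user and database names mirror the ones used above, and `RADIUS_DB_PASSWORD` / `RUN_RADIUS_SQL` are names assumed here.

```shell
#!/bin/sh
# Added example (not ye3radius project code): SQL-safe versions of the README's
# radcheck and nas inserts. Assumes $mymariadb_ip is set as in the README.

# Escape a shell value for use inside a single-quoted SQL string literal
# (MariaDB default sql_mode): double backslashes first, then single quotes.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Return the INSERT for a PAP user in radcheck, same columns and operator as
# the README ('Cleartext-Password', ':='). Args: username password
radcheck_insert_sql() {
    rc_user=$(sql_quote "$1")
    rc_pass=$(sql_quote "$2")
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Cleartext-Password', ':=', '%s');" \
        "$rc_user" "$rc_pass"
}

# Return the INSERT for a NAS entry, same columns as the README's nas insert.
# Args: address secret shortname
nas_insert_sql() {
    nas_addr=$(sql_quote "$1")
    nas_sec=$(sql_quote "$2")
    nas_short=$(sql_quote "$3")
    printf "INSERT INTO nas (nasname,shortname,type,ports,secret,server,community,description) VALUES ('%s', '%s', 'other', NULL, '%s', NULL, NULL, 'RADIUS Client');" \
        "$nas_addr" "$nas_short" "$nas_sec"
}

# Run one statement against the radius DB. The password comes from the
# environment (MYSQL_PWD is honoured by the mariadb client), so it is not
# visible in the process list the way --password=... is.
run_radius_sql() {
    : "${mymariadb_ip:?set mymariadb_ip as in the README}"
    MYSQL_PWD="${RADIUS_DB_PASSWORD:-radiusDBpassword}" mariadb --host="$mymariadb_ip" \
        --port=3306 --user=radiusDBuser --database=radius -e "$1"
}

# Only touch the database when explicitly asked (assumed switch), so the
# functions above can be sourced and checked offline.
if [ "${RUN_RADIUS_SQL:-no}" = yes ]; then
    run_radius_sql "$(nas_insert_sql "10.10.10.0/24" "strongSecret" "lab switches")"
    run_radius_sql "$(radcheck_insert_sql "o'brien" "strongPassword")"
fi
```

Run it with `RUN_RADIUS_SQL=yes` to execute the two sample inserts; without it the script only defines the functions.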
# just add : -e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp
docker run -dt --name myradius -e Y_DB_ENABLE=yes \
-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \
-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \
-e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp \
palw3ey/ye3radius
# get the client key, certificate and CA from the remote RadSec server
# (no -t: a pseudo-TTY would rewrite line endings; files go to ~ because the proxy mounts them from there)
docker exec myradius cat /etc/raddb/certs/client.key > ~/client.key
docker exec myradius cat /etc/raddb/certs/client.crt > ~/client.crt
docker exec myradius cat /etc/raddb/certs/ca.pem > ~/ca.pem
# get the ip
myradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)
echo $myradius_ip
# create the Radius Proxy with the previous files
docker run -dt --name myradius_proxy \
-p 1812-1813:1812-1813/udp \
-e Y_RADSEC_PROXY_ENABLE=yes \
-e Y_RADSEC_PROXY_IPADDR=$myradius_ip \
-e Y_RADSEC_PROXY_CLIENT_SECRET=strongProxySecret \
-v ~/client.key:/etc/raddb/certs/proxy_client.key:ro \
-v ~/client.crt:/etc/raddb/certs/proxy_client.crt:ro \
-v ~/ca.pem:/etc/raddb/certs/proxy_ca.pem:ro \
docker.io/palw3ey/ye3radius
# install freeradius-utils
sudo apt install freeradius-utils
# get the ip
myradius_proxy_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius_proxy)
echo $myradius_proxy_ip
# test authentication
radclient -x $myradius_proxy_ip:1812 auth strongProxySecret <<EOF
User-Name = "emily"
User-Password = "emilyStrongPassword"
NAS-IP-Address = 192.168.1.2
EOF
# verify authentication
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SELECT username, packet_src_ip_address, authdate FROM radpostauth ORDER BY id DESC LIMIT 2;"
# test accounting
radclient -x $myradius_proxy_ip:1813 acct strongProxySecret <<EOF
User-Name = "emily"
NAS-IP-Address = 192.168.1.2
Framed-IP-Address = 192.168.1.3
Acct-Status-Type = Start
Acct-Session-Id = 123456789
EOF
# verify accounting
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SELECT radacctid, acctsessionid, acctstarttime, framedipaddress FROM radacct ORDER BY radacctid DESC LIMIT 2;"
Test on Windows
Download NTRadPing
Manage radius database using a web interface
ye3radius-frontend by Kilowatt-W
To run through GNS3, download and import the appliance : ye3radius.gns3a
Drag and drop the device in the topology. Right click on the device and select "Edit config".
If you want a static configuration, uncomment the lines just below # Static config for eth0;
for a DHCP configuration, uncomment the lines just below # DHCP config for eth0 instead. Click "Save".
Add a link to connect the device to a switch or router. Finally, right click on the device, select "Start".
To see the output, right click "Console".
To type commands, right click "Auxiliary console".
These are the env variables and their default values.
variables | format | default | description |
---|---|---|---|
Y_LANGUAGE | text | fr_FR | Language. The list is in the folder /i18n/ |
Y_DEBUG | yes/no | no | yes, Run freeradius with debug (-X) option |
Y_IGNORE_CONFIG | yes/no | no | yes, To not apply file changes in the /etc/raddb/ folder. A good option if you use a custom /etc/raddb folder mounted from outside |
Y_PORT_AUTH | port number | 1812 | Authentication port |
Y_PORT_ACCT | port number | 1813 | Accounting port |
Y_CERT_DAYS | integer | 3650 | Certificate expiration date in days |
Y_CERT_KEEP | yes/no | yes | yes, To avoid recreating the certificates if they already exist |
TZ | text | Europe/Paris | time zone, IANA format |
Y_DATE_FORMAT | text | "%Y-%m-%dT%H:%M:%S%z" | date format (strftime), mainly used for logs |
Y_TEST_NAS | yes/no | no | yes, To activate the test NAS |
Y_TEST_NAS_ADDRESS | ip address | 0.0.0.0/0 | Test NAS address |
Y_TEST_NAS_SECRET | password | Test10203040 | Test NAS secret |
Y_TEST_USER | yes/no | no | yes, To activate the test user |
Y_TEST_USER_USERNAME | name | test | Test user username |
Y_TEST_USER_PASSWORD | password | 1234 | Test user password |
Y_DB_ENABLE | yes/no | no | yes, To enable SQL |
Y_DB_SERVER | address | example.com | SQL server address |
Y_DB_PORT | port number | 3306 | SQL server port |
Y_DB_LOGIN | name | login | SQL server login |
Y_DB_PASSWORD | password | password | SQL server password |
Y_DB_RADIUS_DB | text | radius | SQL database to use |
Y_DB_TLS_REQUIRED | yes/no | no | yes, To connect to the SQL server with ssl option |
Y_DB_READ_CLIENTS | yes/no | yes | yes, To read NAS from SQL nas table |
Y_DB_AUTHORIZE | yes/no | yes | yes, To allow auth from SQL |
Y_DB_POSTAUTH | yes/no | yes | yes, To allow SQL postauth |
Y_DB_ACCOUNTING | yes/no | yes | yes, To allow SQL accounting |
Y_DB_WAIT | integer | 5 | Number of seconds to wait between each attempt to reach the SQL server when the ye3radius container starts |
Y_RADSEC_SERVER_ENABLE | yes/no | no | yes, To activate RadSec server |
Y_RADSEC_SERVER_PORT | port number | 2083 | RadSec server port |
Y_RADSEC_SERVER_TYPE | text | auth+acct | Allowed request on the port |
Y_RADSEC_SERVER_CA | path | '${cadir}/ca.pem' | Path to the ca certificate file |
Y_RADSEC_SERVER_KEY | path | '${certdir}/server.key' | Path to the server key file |
Y_RADSEC_SERVER_KEY_PASSWORD | password | whatever | server key file password |
Y_RADSEC_SERVER_CERT | path | '${certdir}/server.pem' | Path to the server certificate file |
Y_RADSEC_SERVER_CLIENT_IPADDR | ip address | 0.0.0.0/0 | Allowed client address |
Y_RADSEC_SERVER_REQUIRE_CERT | yes/no | no | yes, To require a client certificate |
Y_RADSEC_PROXY_ENABLE | yes/no | no | yes, To activate Radius Proxy |
Y_RADSEC_PROXY_CLIENT_IPADDR | ip address | 0.0.0.0/0 | Allowed client address |
Y_RADSEC_PROXY_CLIENT_SECRET | password | Test50607080 | NAS secret |
Y_RADSEC_PROXY_IPADDR | ip address | 127.0.0.1 | RadSec server IP address |
Y_RADSEC_PROXY_PORT | port number | 2083 | RadSec server port |
Y_RADSEC_PROXY_TYPE | text | auth+acct | Allowed request on the port |
Y_RADSEC_PROXY_CA | path | '${cadir}/proxy_ca.pem' | Path to the ca certificate file |
Y_RADSEC_PROXY_KEY | path | '${certdir}/proxy_client.key' | Path to the client key file |
Y_RADSEC_PROXY_KEY_PASSWORD | password | whatever | client key file password |
Y_RADSEC_PROXY_CERT | path | '${certdir}/proxy_client.crt' | Path to the client certificate file |
The docker image was compiled to work on these CPU architectures:
Works on most computers, including Raspberry Pi
To customize and create your own images.
git clone https://github.com/palw3ey/ye3radius.git
cd ye3radius
# Make all your modifications, then :
docker build --no-cache --network=host -t ye3radius .
docker run -dt --name my_customized_radius ye3radius
name | version |
---|---|
ye3radius | 2.0.1 |
radiusd | 3.0.27 |
alpine | 3.21.2 |
Feel free to contribute or share your ideas for new features; you can contact me here on GitHub or by email. I speak French, but you can write to me in other languages and I will find ways to translate.
MIT
author: palw3ey
maintainer: palw3ey
email: palw3ey@gmail.com
website: https://github.com/palw3ey/ye3radius
docker hub: https://hub.docker.com/r/palw3ey/ye3radius
docker pull palw3ey/ye3radius