palw3ey/ye3radius

By palw3ey

Updated 28 days ago

AAA Radius, RadSec and RadSec Proxy server based on Freeradius and Alpine for SQL DB. GNS3 ready


ye3radius

The /etc/raddb folder is persistent.

Simple usage

docker run -dt --name myradius -e Y_TEST_NAS=yes -e Y_TEST_USER=yes -p 1812-1813:1812-1813/udp docker.io/palw3ey/ye3radius

Usage with MariaDB

If you don't have a MariaDB or MySQL Server, then proceed to step 1.
If you already have a running SQL Server, then skip to step 3.
If you already have a Radius DB with data, then skip to step 7.

  1. Create MariaDB container
docker run -dt --name mymariadb -e MYSQL_ROOT_PASSWORD=mypass -p 3306:3306 mariadb:latest
  2. Create Radius database and Radius DB user
docker exec -it mymariadb mariadb --user=root --password=mypass
create database radius;
create user 'radiusDBuser'@'%' identified by 'radiusDBpassword';
GRANT ALL PRIVILEGES ON radius.* TO radiusDBuser;
quit;
  3. Import the MySQL schema
# install mariadb-client-core
sudo apt install mariadb-client-core -y

# get mymariadb container IP address
mymariadb_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' mymariadb)

wget https://github.com/palw3ey/ye3radius/raw/main/schema.sql
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius < schema.sql
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SHOW TABLES;"
  4. Create a NAS client
    The nas_address, below, is the IP address of the host that is requesting authentication. Use 0.0.0.0/0 to allow any IP address.
nas_address="0.0.0.0/0"
nas_secret="strongSecret"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO  nas (nasname,shortname,type,ports,secret,server,community,description) VALUES ('"$nas_address"', 'nas access sql', 'other',NULL ,'"$nas_secret"',NULL ,NULL ,'RADIUS Client');"
  5. Create a user
employee_username="tux"
employee_password="strongPassword"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO radcheck (username, attribute, op, value) VALUES ('"$employee_username"', 'Cleartext-Password', ':=', '"$employee_password"');"
  6. Include AVPair Reply (optional)
    To include Cisco-AVPair for a user
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
INSERT INTO radreply
  (username, attribute, op, value)
VALUES
  ('tux', 'cisco-avpair', '+=', 'ipsec:dns-servers=1.1.1.1 8.8.8.8'),
  ('tux', 'cisco-avpair', '+=', 'ipsec:default-domain=example.lan');
quit;
  7. Run
    On the first run, the ye3radius container creates the certificates if they do not exist yet. This can take from a few seconds to a few minutes before the Radius service is ready.
docker run -dt --name myradius -e Y_DB_ENABLE=yes \
	-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \
	-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \
	-p 1812-1813:1812-1813/udp \
	palw3ey/ye3radius
  8. Test
# check that the container is ready:
docker logs myradius

# get container IP :
myradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)

# On a ubuntu host :
apt install freeradius-utils
radtest $employee_username $employee_password $myradius_ip:1812 0 $nas_secret -x

Test

on the host

docker exec -it myradius radtest test 1234 localhost:1812 0 testing123 -x

on Cisco IOS

configure terminal
aaa new-model
radius server ye3radius
  address ipv4 10.10.10.250 auth-port 1812 acct-port 1813
  key strongSecret
  exit
do test aaa group radius server name ye3radius test 1234 new-code

HOWTOs

  • Show freeradius log
docker exec -it myradius tail -f /var/log/radius/radius.log
# To exit : Ctrl C
  • Connect to DB
mysql --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
  • Add a user
INSERT INTO radcheck
	(username, attribute, op, value)
VALUES
	('emily', 'Cleartext-Password', ':=', 'emilyStrongPassword');
  • Delete a user
DELETE FROM radcheck
WHERE username = 'emily';
  • Update a user password
UPDATE radcheck
SET value='emilyNewStrongPassword'
WHERE username='emily';
  • Disable a user
INSERT INTO radcheck
	(username, attribute, op, value)
VALUES
	('emily', 'Auth-Type', ':=', 'Reject');
  • Enable a previously disabled user
DELETE FROM radcheck
WHERE username='emily'
AND attribute='Auth-Type'
AND value='Reject';
  • List all users
SELECT * FROM radcheck;
  • Add the user emily to a group named Manager
INSERT INTO radusergroup (username, groupname) VALUES ('emily', 'Manager');
  • Add the Class attribute in the response, for group membership
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('Manager', 'Class', ':=', 'Manager');
  • Enable RadSec Server
# just add : -e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp
docker run -dt --name myradius -e Y_DB_ENABLE=yes \
	-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \
	-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \
	-e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp \
	palw3ey/ye3radius
  • Create a Radius Proxy linked to a RadSec Server
# get the client key, certificate and CA from the remote RadSec server
(docker exec -it myradius cat /etc/raddb/certs/client.key) > client.key
(docker exec -it myradius cat /etc/raddb/certs/client.crt) > client.crt
(docker exec -it myradius cat /etc/raddb/certs/ca.pem) > ca.pem

# get the ip
myradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)
echo $myradius_ip

# create the Radius Proxy with the previous files
docker run -dt --name myradius_proxy \
	-p 1812-1813:1812-1813/udp \
	-e Y_RADSEC_PROXY_ENABLE=yes \
	-e Y_RADSEC_PROXY_IPADDR=$myradius_ip \
	-e Y_RADSEC_PROXY_CLIENT_SECRET=strongProxySecret \
	-v ~/client.key:/etc/raddb/certs/proxy_client.key:ro \
	-v ~/client.crt:/etc/raddb/certs/proxy_client.crt:ro \
	-v ~/ca.pem:/etc/raddb/certs/proxy_ca.pem:ro \
	docker.io/palw3ey/ye3radius 
  • Test with radclient using custom attributes
# install freeradius-utils
sudo apt install freeradius-utils

# get the ip
myradius_proxy_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius_proxy)
echo $myradius_proxy_ip

# test authentication
radclient -x $myradius_proxy_ip:1812 auth strongProxySecret <<EOF
User-Name = "emily"
User-Password = "emilyStrongPassword"
NAS-IP-Address = 192.168.1.2
EOF

# verify authentication
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SELECT username, packet_src_ip_address, authdate FROM radpostauth ORDER BY id DESC LIMIT 2;"

# test accounting
radclient -x $myradius_proxy_ip:1813 acct strongProxySecret <<EOF
User-Name = "emily"
NAS-IP-Address = 192.168.1.2
Framed-IP-Address = 192.168.1.3
Acct-Status-Type = Start
Acct-Session-Id = 123456789
EOF

# verify accounting
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SELECT radacctid, acctsessionid, acctstarttime, framedipaddress FROM radacct ORDER BY radacctid DESC LIMIT 2;"
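The radclient test above sends User-Name and User-Password over plain UDP, protected only by the NAS secret. As an added example (not code from ye3radius or FreeRADIUS), the Python below builds such an Access-Request with the RFC 2865 User-Password hiding, answers it the way a server backed by the radcheck table would, and verifies the Response Authenticator on the client side; the user, password, NAS secret and in-memory radcheck dict are constructed stand-ins for the README's values.

```python
import hashlib
import os
import struct
# Packet codes and attribute types from RFC 2865; every sample value used here is constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25

def pap_xor(data, secret, authenticator, reveal=False):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block); revealing chains on the wire block."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (block if reveal else xored)
    return out.rstrip(b"\x00") if reveal else out

def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind], i = data[i + 2:i + length], i + length
    return attrs

def build_access_request(ident, user, password, nas_ip, secret):
    request_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_xor(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_reply(request, secret, radcheck):
    """Toy server: reveal PAP password, check radcheck, sign with MD5(Code+ID+Len+RequestAuth+Attrs+Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    shown = pap_xor(attrs[USER_PASSWORD], secret, request_auth, reveal=True)
    ok = user in radcheck and shown == radcheck[user].encode()
    reply_attrs = attr(CLASS, b"Manager") if ok else b""  # Class reply, as in the radgroupreply HOWTO
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs

def verify_reply(reply, request, secret):
    """Client side: recompute the Response Authenticator; a wrong secret or a tampered reply fails."""
    if hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest() != reply[4:20]:
        raise ValueError("Response Authenticator mismatch")
    return reply[0]
```

Only this MD5-keyed XOR stands between the NAS secret and the cleartext password on the UDP legs, which is why the proxy-to-server leg above runs over RadSec (TLS on port 2083). It is also why the Test* default secrets in the variables table should be replaced before any real NAS is pointed at the container.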

GNS3

To run it in GNS3, download and import the appliance: ye3radius.gns3a

How to connect the container in the GNS3 topology?

Drag and drop the device into the topology. Right click on the device and select "Edit config".
If you want a static configuration, uncomment the lines just below "# Static config for eth0"; for a DHCP configuration, uncomment the lines below "# DHCP config for eth0" instead. Click "Save".
Add a link to connect the device to a switch or router. Finally, right click on the device and select "Start".
To see the output, right click and select "Console".
To type commands, right click and select "Auxiliary console".

Environment Variables

These are the env variables and their default values.

variable | format | default | description
Y_LANGUAGE | text | fr_FR | Language. The list is in the folder /i18n/
Y_DEBUG | yes/no | no | yes, Run freeradius with debug (-X) option
Y_IGNORE_CONFIG | yes/no | no | yes, To not apply file changes in the /etc/raddb/ folder. A good option if you use a custom /etc/raddb folder mounted from outside
Y_PORT_AUTH | port number | 1812 | Authentication port
Y_PORT_ACCT | port number | 1813 | Accounting port
Y_CERT_DAYS | integer | 3650 | Certificate expiration date in days
Y_CERT_KEEP | yes/no | yes | yes, To avoid recreating the certificates if they already exist
TZ | text | Europe/Paris | time zone, IANA format
Y_DATE_FORMAT | text | "%Y-%m-%dT%H:%M:%S%z" | date format (strftime), mainly used for logs
Y_TEST_NAS | yes/no | no | yes, To activate the test NAS
Y_TEST_NAS_ADDRESS | ip address | 0.0.0.0/0 | Test NAS address
Y_TEST_NAS_SECRET | password | Test10203040 | Test NAS secret
Y_TEST_USER | yes/no | no | yes, To activate the test user
Y_TEST_USER_USERNAME | name | test | Test user username
Y_TEST_USER_PASSWORD | password | 1234 | Test user password
Y_DB_ENABLE | yes/no | no | yes, To enable SQL
Y_DB_SERVER | address | example.com | SQL server address
Y_DB_PORT | port number | 3306 | SQL server port
Y_DB_LOGIN | name | login | SQL server login
Y_DB_PASSWORD | password | password | SQL server password
Y_DB_RADIUS_DB | text | radius | SQL database to use
Y_DB_TLS_REQUIRED | yes/no | no | yes, To connect to the SQL server with the ssl option
Y_DB_READ_CLIENTS | yes/no | yes | yes, To read NAS from the SQL nas table
Y_DB_AUTHORIZE | yes/no | yes | yes, To allow auth from SQL
Y_DB_POSTAUTH | yes/no | yes | yes, To allow SQL postauth
Y_DB_ACCOUNTING | yes/no | yes | yes, To allow SQL accounting
Y_DB_WAIT | integer | 5 | Number of seconds to wait between each attempt to reach the SQL server when the ye3radius container starts
Y_RADSEC_SERVER_ENABLE | yes/no | no | yes, To activate the RadSec server
Y_RADSEC_SERVER_PORT | port number | 2083 | RadSec server port
Y_RADSEC_SERVER_TYPE | text | auth+acct | Allowed requests on the port
Y_RADSEC_SERVER_CA | path | '${cadir}/ca.pem' | Path to the CA certificate file
Y_RADSEC_SERVER_KEY | path | '${certdir}/server.key' | Path to the server key file
Y_RADSEC_SERVER_KEY_PASSWORD | password | whatever | Server key file password
Y_RADSEC_SERVER_CERT | path | '${certdir}/server.pem' | Path to the server certificate file
Y_RADSEC_SERVER_CLIENT_IPADDR | ip address | 0.0.0.0/0 | Allowed client address
Y_RADSEC_SERVER_REQUIRE_CERT | yes/no | no | yes, To require a client certificate
Y_RADSEC_PROXY_ENABLE | yes/no | no | yes, To activate the Radius Proxy
Y_RADSEC_PROXY_CLIENT_IPADDR | ip address | 0.0.0.0/0 | Allowed client address
Y_RADSEC_PROXY_CLIENT_SECRET | password | Test50607080 | NAS secret
Y_RADSEC_PROXY_IPADDR | ip address | 127.0.0.1 | RadSec server IP address
Y_RADSEC_PROXY_PORT | port number | 2083 | RadSec server port
Y_RADSEC_PROXY_TYPE | text | auth+acct | Allowed requests on the port
Y_RADSEC_PROXY_CA | path | '${cadir}/proxy_ca.pem' | Path to the CA certificate file
Y_RADSEC_PROXY_KEY | path | '${certdir}/proxy_client.key' | Path to the client key file
Y_RADSEC_PROXY_KEY_PASSWORD | password | whatever | Client key file password
Y_RADSEC_PROXY_CERT | path | '${certdir}/proxy_client.crt' | Path to the client certificate file

Compatibility

The Docker image is built for these CPU architectures:

  • linux/386
  • linux/amd64
  • linux/arm/v6
  • linux/arm/v7
  • linux/arm64
  • linux/ppc64le
  • linux/s390x

It works on most computers, including the Raspberry Pi.

Build

To customize the image and build your own:

git clone https://github.com/palw3ey/ye3radius.git
cd ye3radius
# Make all your modifications, then :
docker build --no-cache --network=host -t ye3radius .
docker run -dt --name my_customized_radius ye3radius

Documentation

radiusd man page

Version

name | version
ye3radius | 2.0.1
radiusd | 3.0.27
alpine | 3.21.2

Changelog

[2.0.1] - 2025-02-02

Fixed
  • add acct_pool in radsec_proxy site

[2.0.0] - 2025-02-02

Added
  • Ease of configuration for RadSec and Radius Proxy
  • new package : tini tzdata ca-certificates curl
  • include new source file in the repo : queries.conf and sqlcounter
  • ability to change timezone and date format via environment variables
Changed
  • use tini for entrypoint
  • rename bypass_docker_env.sh.dis to bypass_container_env.sh

[1.0.0] - 2023-12-01

Added
  • first release

ToDo

Feel free to contribute or share your ideas for new features; you can contact me here on GitHub or by email. I speak French; you can write to me in other languages and I will find ways to translate.

License

MIT
author: palw3ey
maintainer: palw3ey
email: palw3ey@gmail.com
website: https://github.com/palw3ey/ye3radius
docker hub: https://hub.docker.com/r/palw3ey/ye3radius
