Linux HOWTOs

About | Home | Search


HOWTO: freeradius
Description: Radius server, successor to Cistron
Click here for ChangeLog
NOTE: I use GNU tar >= 1.13.25 so it's -j for .tar.bz2 files,
it's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything


# FreeRADIUS 3.0.15
# =================
# If you have libtool 2.x installed, you may need to use the FreeRADIUS
# currently in GIT rather than version 2.1.8 (or downgrade libtool to
# 1.5.26)

# Prerequisites:
# Perl
# net-snmp (optional)
# collect client library (optional)
# locate (configure uses it)
# OpenSSL (optional)
# tcpdump's libpcap (optional)
# readline
# libMemcached (optional; for rlm_cache_memcached)
# gdbm or ndbm (optional)
# EAP-IKEv2 (optional; for rlm_eap_ikev2)
# TNC@FHH (optional; for rlm_eap_tnc)
# Kerberos (optional; for rlm_krb5)
# OpenLDAP (optional; for rlm_ldap)
# Samba 4.x (optional; for auth via winbind)
# PAM (optional; for rlm_pam)
# Python (optional)
# curl (optional)
# json-c (optional; for rlm_rest)
# iODBC (optional; for rlm_sql_iodbc)
# MySQL/MariaDB (optional; for rlm_sql_mysql)
# PostgreSQL (optional; for rlm_sql_postgresql)
# Oracle (optional; for rlm_sql_oracle)
# unixODBC (optional; for rlm_sql_unixodbc)
# SQLite (optional; for rlm_sql_sqlite)
# FreeTDS (optional; for rlm_sql_freetds)
# shadow (optional; for rlm_unix)
# Yubikey C Client Library (optional; for rlm_yubikey)
# HIREDIS (optional; for rlm_redis, rlm_rediswho)

# Release Notes 3.0.15

# Get it
cd
test -f installed/freeradius-server-3.0.15.tar.bz2 &&
 mv installed/freeradius-server-3.0.15.tar.bz2 .
test ! -f freeradius-server-3.0.15.tar.bz2 &&
 wget ftp://ftp.freeradius.org/pub/freeradius/\
freeradius-server-3.0.15.tar.bz2

# Verify tarball w/ sha1sum:
# (this came from my gpg-verified tarball)
echo "f651142a31b514fc80d888fe8ab5040cbfdd546e  freeradius-server-3.0.15.tar\
.bz2" | sha1sum -c

# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball)
echo "23267d8505e7b2909f5bdbf3938ca077c1fe122290dc969304d4f3b594f7e3ba  free\
radius-server-3.0.15.tar.bz2" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 995B4F85 > /dev/null 2>&1 || gpg --recv-keys 995B4F85 ) &&
 wget -nc ftp://ftp.freeradius.org/pub/freeradius/\
freeradius-server-3.0.15.tar.bz2.sig &&
  gpg --verify freeradius-server-3.0.15.tar.bz2.sig &&
   rm freeradius-server-3.0.15.tar.bz2.sig

# Extract the source
mkdir -p -m 0700 src
cd src
find -maxdepth 1 -type d -name "freeradius-?.*" -exec rm -r {} \;
find -maxdepth 1 -type d -name "freeradius-server-*" -exec rm -r {} \;
tar xjvf ~/freeradius-server-3.0.15.tar.bz2
cd freeradius-server-3.0.15
test $UID = 0 && chown -R root:root .

# Read ./README.rst and ./INSTALL.rst
# If this is an upgrade, read doc/ChangeLog and raddb/README.rst
# Some of the information available online:
# - Wiki (Getting started, FAQ, HOWTO, etc.)
# - freeradius-users mailing list
# - The FreeRADIUS Technical Guide (PDF)

# If you don't build it with OpenSSL, or if your OpenSSL isn't installed in
# the usual (source) place (/usr/local/ssl), like a distribution package that
# puts it in the /usr prefix, you can leave off the
# --with-openssl-(includ|lib)-dir parts below.  If you use OpenSSL
# >= 1.1.0 installed from source, the libraries and includes may no longer be
# under /usr/local/ssl with the other files located in there, they may now
# be under /usr/local/include and /usr/local/lib*, no longer requiring
# the configure flags.

# If you do not require MySQL/MariaDB support, or yours is not installed
# under /usr/local/mysql (e.g. /usr), you can leave off the
# -with-mysql-(include|lib)-dir parts below

# If you have a /usr/local/share/man symlink pointing to /usr/local/man,
# you can leave off the --mandir part below

# See "./configure --help" for all of the configure flags

# Configure the build for 64-bit:
test $(uname -m) = 'x86_64' &&
./configure --disable-static \
--docdir=/usr/local/doc/freeradius \
--localstatedir=/var \
--mandir=/usr/local/man \
--with-mysql-include-dir=/usr/local/mysql/include \
--with-mysql-lib-dir=/usr/local/mysql/lib64 \
--with-openssl-include-dir=/usr/local/ssl/include \
--with-openssl-lib-dir=/usr/local/ssl/lib64

# Configure the build for anything else:
test $(uname -m) != 'x86_64' &&
./configure --disable-static \
--docdir=/usr/local/doc/freeradius \
--libdir=/usr/local/lib64 \
--localstatedir=/var \
--mandir=/usr/local/man \
--with-mysql-include-dir=/usr/local/mysql/include \
--with-mysql-lib-dir=/usr/local/mysql/lib \
--with-openssl-include-dir=/usr/local/ssl/include \
--with-openssl-lib-dir=/usr/local/ssl/lib

# Build it
make

# Become root to clean up old files and to install it
su

# If you need to back up your dictionary (if you've modified them) and
# config files, run this.  Dictionary files will be overwritten when you run
# 'make install', configuration files will not be.
test -d /usr/local/etc/raddb &&
 mkdir -p -m 0700 ~/backup/freeradius &&
  tar cjvf ~/backup/freeradius/freeradius-raddb-`date +%Y%m%d`.tar.bz2 \
  /usr/local/etc/raddb
test -d /usr/local/share/freeradius &&
 mkdir -p -m 0700 ~/backup/freeradius &&
  tar cjvf ~/backup/freeradius/freeradius-share-`date +%Y%m%d`.tar.bz2 \
  /usr/local/share/freeradius

# Here we clean up old library files from previous versions.  Make sure you
# don't have anything else that uses the name /usr/local/lib/rlm_* before
# you do this (ls -las /usr/local/lib*/rlm_*, if they all have the same
# date/time, the same date as libradius.*, then they're all probably from
# FreeRADIUS) - the odds that anything else would use that name are slim,
# but you never know.
rm -f /usr/local/lib*/libradius-* /usr/local/lib*/rlm_*

# Clean up old documentation ('make install' will install new docs)
test -d /usr/local/doc/freeradius && rm -r /usr/local/doc/freeradius
test -d /usr/local/share/doc/freeradius &&
 rm -r /usr/local/share/doc/freeradius
find /usr/local/doc -maxdepth 1 -type d -name "freeradius-*" \
-exec rm -r {} \;
find /usr/local/share/doc -maxdepth 1 -type d -name "freeradius-*" \
-exec rm -r {} \;

# Make sure the 'openssl' program is in your PATH, 'make install' will
# run it
test -f /etc/profile.d/openssl.sh && . /etc/profile.d/openssl.sh

# Install it
# It does not seem to use some of the configure flags, so we override
# them here
make \
docdir=/usr/local/doc/freeradius \
libdir=/usr/local/lib64 \
install

ldconfig

# Fix and install the sample rc.radiusd startup script.  If you run a recent
# version of Slackware that supports SysV init style scripts, do this.
# If not, add something to /etc/rc.d/rc.local to start it.
test -f /etc/rc.d/rc.sysvinit &&
 ( cd /etc/rc.d
   mkdir -p init.d rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d
   cat /usr/local/sbin/rc.radiusd | \
    sed 's%/etc/init.d/\$RADIUS%/etc/rc.d/init.d/radiusd%' > init.d/radiusd
   chown root:root init.d/radiusd
   chmod 700 init.d/radiusd
   for rl in 2 3 4 5; do
     ( cd rc${rl}.d ; ln -sf ../init.d/radiusd S88radiusd )
   done
   for rl in 0 1; do
     ( cd rc${rl}.d ; ln -sf ../init.d/radiusd K10radiusd )
   done
 )

# If you have a recent version of Slackware with logrotate:
test -d /etc/logrotate.d &&
 ( cat << EOF > /etc/logrotate.d/freeradius
/var/log/radius/radius.log {
    rotate 6
    daily
    #create 0640 root wheel
    copytruncate
}
EOF
)

# You'll find config files in /usr/local/etc/raddb
# Log files in /var/log/radius
# Pid in /var/run/radiusd
# Dictionary files in /usr/local/share/freeradius

# Read the docs, you will definitely not be able to get it going quickly
# if you've never done it before

# If you are 64-bit and libraries are in /usr/local/lib64, edit
# /usr/local/etc/raddb/radiusd.conf and fix the libdir line

# You will need to do things like this to make modules available
# (or just link all of them)
( cd /usr/local/raddb/mods-enabled
  ln -s ../mods-available/chap
  ln -s ../mods-available/detail
  ln -s ../mods-available/detail.log
  ln -s ../mods-available/expiration
  ln -s ../mods-available/expr
  ln -s ../mods-available/files
  ln -s ../mods-available/logintime
  ln -s ../mods-available/mschap
  ln -s ../mods-available/pap
  ln -s ../mods-available/preprocess
  ln -s ../mods-available/unix ) 

# You will need to do things like this to make sites (virtual servers)
# available (then edit the file as needed)
( cd /usr/local/raddb/sites-enabled ; cp -a ../sites-available/default )

# You'll need to alter the configuration, but see if it fires up
test -x /etc/rc.d/init.d/radiusd && /etc/rc.d/init.d/radiusd start

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+rw .

# Become yourself again
exit

# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/freeradius-*.tar.*
mv freeradius-server-3.0.15.tar.bz2 installed/


# If you ever want to uninstall FreeRADIUS, this should do it:
# If you specified docdir= and libdir= as above, do that with
# 'make uninstall' too
su
cd
su
test -d src/freeradius-server-* &&
 ( cd src/freeradius-server--*
   docdir=/usr/local/doc/freeradius libdir=/usr/local/lib64 uninstall )
( cd /usr/local/bin
  rm -f rad_counter radattr radclient radcrypt radeapclient radlast \
   radsniff radsqlrelay radtest radwho radzap rlm_ippool_tool smbencrypt )
test -d /usr/local/doc/freeradius && rm -r /usr/local/doc/freeradius
test -d /usr/local/etc/raddb && rm -r /usr/local/etc/raddb
test -d /usr/local/include/freeradius && rm -r /usr/local/include/freeradius
( cd /usr/local/lib ; rm -f libfreeradius-* rlm_* )
test -d /usr/local/lib64 &&
 ( cd /usr/local/lib64 ; rm -f libfreeradius-* rlm_* )
( cd /usr/local/man/man1
  rm -f cyradm.1 rad_counter.1 radclient.1 radeapclient.1 radlast.1 \
   radtest.1 radwho.1 radzap.1 )
( cd /usr/local/sbin
  rm -f checkrad raddebug radiusd radmin rc.radiusd )
test -d /usr/local/share/doc/freeradius &&
 rm -r /usr/local/share/doc/freeradius
test -d /var/log/radius && rm -r /var/log/radius
test -d /var/run/radiusd && rm -r /var/run/radiusd
test -d /usr/local/share/freeradius && rm -r /usr/local/share/freeradius
find ~/src -maxdepth 1 -type d -name "freeradius-*" -exec rm -r {} \;
test -f ~/installed/freeradius-*.tar.* && rm ~/installed/freeradius-*.tar.*
exit

Back to the list


Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>