{"id":15173922,"url":"https://github.com/palw3ey/ye3radius","last_synced_at":"2025-04-11T19:57:24.342Z","repository":{"id":210971121,"uuid":"727328294","full_name":"palw3ey/ye3radius","owner":"palw3ey","description":"AAA Radius, RadSec and RadSec Proxy server based on Freeradius and Alpine for SQL DB. GNS3 ready","archived":false,"fork":false,"pushed_at":"2025-02-02T20:42:22.000Z","size":66,"stargazers_count":0,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-25T15:53:04.201Z","etag":null,"topics":["alpine","cisco","docker","freeradius-server","gns3","mariadb-server","mysql-server","radius-server"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/palw3ey/ye3radius","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/palw3ey.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-04T16:38:16.000Z","updated_at":"2025-02-02T20:36:41.000Z","dependencies_parsed_at":"2024-01-13T17:41:20.577Z","dependency_job_id":"342db196-11b7-4e92-b9e1-0a179c97d747","html_url":"https://github.com/palw3ey/ye3radius","commit_stats":{"total_commits":10,"total_committers":1,"mean_commits":10.0,"dds":0.0,"last_synced_commit":"43fa5a695b7e258d2fcc7f0c8353ab5792833675"},"previous_names":["palw3ey/ye3radius"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palw3ey%2Fye3radius","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palw3ey%2Fye3radius/tags","releases_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palw3ey%2Fye3radius/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palw3ey%2Fye3radius/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/palw3ey","download_url":"https://codeload.github.com/palw3ey/ye3radius/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248473112,"owners_count":21109628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine","cisco","docker","freeradius-server","gns3","mariadb-server","mysql-server","radius-server"],"created_at":"2024-09-27T11:04:52.434Z","updated_at":"2025-04-11T19:57:24.309Z","avatar_url":"https://github.com/palw3ey.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ye3radius\n\nAAA Radius, RadSec and RadSec Proxy server based on Freeradius and Alpine for SQL DB. GNS3 ready\n\nThe /etc/raddb folder is persistent.\n\n# Simple usage\n\n```bash\ndocker run -dt --name myradius -e Y_TEST_NAS=yes -e Y_TEST_USER=yes -p 1812-1813:1812-1813/udp docker.io/palw3ey/ye3radius\n```\n\n# Usage with MariaDB \n\nIf you don't have a MariaDB or MySQL Server, then proceed to step 1.  \nIf you already have a running SQL Server, then skip to step 3.  \nIf you already have a Radius DB with data, then skip to step 7.  \n\n1. Create MariaDB container\n```bash\ndocker run -dt --name mymariadb -e MYSQL_ROOT_PASSWORD=mypass -p 3306:3306 mariadb:latest\n```\n\n2. 
Create Radius database and Radius DB user\n```bash\ndocker exec -it mymariadb mariadb --user=root --password=mypass\n```\n```sql\ncreate database radius;\ncreate user 'radiusDBuser'@'%' identified by 'radiusDBpassword';\nGRANT ALL PRIVILEGES ON radius.* TO radiusDBuser;\nquit;\n```\n\n3. Import the MySQL schema\n```bash\n# install mariadb-client-core\nsudo apt install mariadb-client-core -y\n\n# get mymariadb container IP address\nmymariadb_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' mymariadb)\n\nwget https://github.com/palw3ey/ye3radius/raw/main/schema.sql\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius \u003c schema.sql\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e \"SHOW TABLES;\"\n```\n\n4. Create a NAS client  \nThe nas_address, below, is the IP address of the host that is requesting authentication. Use 0.0.0.0/0 to allow any IP address.\n```bash\nnas_address=\"0.0.0.0/0\"\nnas_secret=\"strongSecret\"\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e \"INSERT INTO  nas (nasname,shortname,type,ports,secret,server,community,description) VALUES ('\"$nas_address\"', 'nas access sql', 'other',NULL ,'\"$nas_secret\"',NULL ,NULL ,'RADIUS Client');\"\n```\n\n5. Create a user\n```bash\nemployee_username=\"tux\"\nemployee_password=\"strongPassword\"\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e \"INSERT INTO radcheck (username, attribute, op, value) VALUES ('\"$employee_username\"', 'Cleartext-Password', ':=', '\"$employee_password\"');\"\n```\n\n6. 
Include AVPair Reply  (optional)  \nTo include Cisco-AVPair for a user\n```bash\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius\n```\n```sql\nINSERT INTO radreply\n  (username, attribute, op, value)\nVALUES\n  ('tux', 'cisco-avpair', '+=', 'ipsec:dns-servers=1.1.1.1 8.8.8.8'),\n  ('tux', 'cisco-avpair', '+=', 'ipsec:default-domain=example.lan');\nquit;\n```\n\n7. Run  \nOn the first run, the ye3radius container creates the certificates if they do not exist; it may take a few seconds or minutes before the Radius service is ready\n```bash\ndocker run -dt --name myradius -e Y_DB_ENABLE=yes \\\n\t-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \\\n\t-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \\\n\t-p 1812-1813:1812-1813/udp \\\n\tpalw3ey/ye3radius\n```\n\n8. Test\n```bash\n# check if container is ready :\ndocker logs myradius\n\n# get container IP :\nmyradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)\n\n# On an Ubuntu host :\napt install freeradius-utils\nradtest $employee_username $employee_password $myradius_ip:1812 0 $nas_secret -x\n```\n\n# Test\n\non the host\n```bash\ndocker exec -it myradius radtest test 1234 localhost:1812 0 testing123 -x\n```\n\non Cisco IOS\n```\nconfigure terminal\naaa new-model\nradius server ye3radius\n  address ipv4 10.10.10.250 auth-port 1812 acct-port 1813\n  key strongSecret\n  exit\ndo test aaa group radius server name ye3radius test 1234 new-code\n```\n\n# HOWTOs\n- Show freeradius log\n```bash\ndocker exec -it myradius tail -f /var/log/radius/radius.log\n# To exit : Ctrl C\n```\n\n- Connect to DB\n```bash\nmysql --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius\n```\n\n- Add a user\n```sql\nINSERT INTO radcheck\n\t(username, attribute, op, value)\nVALUES\n\t('emily', 'Cleartext-Password', ':=', 'emilyStrongPassword');\n```\n\n- Delete a 
user\n```sql\nDELETE FROM radcheck\nWHERE username = 'emily';\n```\n\n- Update a user password\n```sql\nUPDATE radcheck\nSET value='emilyNewStrongPassword'\nWHERE username='emily';\n```\n\n- Disable a user\n```sql\nINSERT INTO radcheck\n\t(username, attribute, op, value)\nVALUES\n\t('emily', 'Auth-Type', ':=', 'Reject');\n```\n\n- Enable a previously disabled user\n```sql\nDELETE FROM radcheck\nWHERE username='emily'\nAND attribute='Auth-Type'\nAND value='Reject';\n```\n\n- List all users\n```sql\nSELECT * FROM radcheck;\n```\n\n- Add the user emily to a group named Manager\n```sql\nINSERT INTO radusergroup (username, groupname) VALUES ('emily', 'Manager');\n```\n\n- Add the Class attribute in the response, for group membership\n```sql\nINSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('Manager', 'Class', ':=', 'Manager');\n```\n\n- Enable RadSec Server\n```bash\n# just add : -e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp\ndocker run -dt --name myradius -e Y_DB_ENABLE=yes \\\n\t-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \\\n\t-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \\\n\t-e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp \\\n\tpalw3ey/ye3radius\n```\n\n- Create a Radius Proxy linked to a RadSec Server\n```bash\n# get the client key, certificate and ca in the Remote RadSec Server\n(docker exec -it myradius cat /etc/raddb/certs/client.key) \u003e client.key\n(docker exec -it myradius cat /etc/raddb/certs/client.crt) \u003e client.crt\n(docker exec -it myradius cat /etc/raddb/certs/ca.pem) \u003e ca.pem\n\n# get the ip\nmyradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)\necho $myradius_ip\n\n# create the Radius Proxy with the previous files\ndocker run -dt --name myradius_proxy \\\n\t-p 1812-1813:1812-1813/udp \\\n\t-e Y_RADSEC_PROXY_ENABLE=yes \\\n\t-e Y_RADSEC_PROXY_IPADDR=$myradius_ip \\\n\t-e Y_RADSEC_PROXY_CLIENT_SECRET=strongProxySecret \\\n\t-v 
~/client.key:/etc/raddb/certs/proxy_client.key:ro \\\n\t-v ~/client.crt:/etc/raddb/certs/proxy_client.crt:ro \\\n\t-v ~/ca.pem:/etc/raddb/certs/proxy_ca.pem:ro \\\n\tdocker.io/palw3ey/ye3radius \n```\n\n- Test with radclient using custom attributes\n```bash\n# install freeradius-utils\nsudo apt install freeradius-utils\n\n# get the ip\nmyradius_proxy_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius_proxy)\necho $myradius_proxy_ip\n\n# test authentication\nradclient -x $myradius_proxy_ip:1812 auth strongProxySecret \u003c\u003cEOF\nUser-Name = \"emily\"\nUser-Password = \"emilyStrongPassword\"\nNAS-IP-Address = 192.168.1.2\nEOF\n\n# verify authentication\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e \"SELECT username, packet_src_ip_address, authdate FROM radpostauth ORDER BY id DESC LIMIT 2;\"\n\n# test accounting\nradclient -x $myradius_proxy_ip:1813 acct strongProxySecret \u003c\u003cEOF\nUser-Name = \"emily\"\nNAS-IP-Address = 192.168.1.2\nFramed-IP-Address = 192.168.1.3\nAcct-Status-Type = Start\nAcct-Session-Id = 123456789\nEOF\n\n# verify accounting\nmariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e \"SELECT radacctid, acctsessionid, acctstarttime, framedipaddress FROM radacct ORDER BY radacctid DESC LIMIT 2;\"\n```\n\n- Test on Windows  \n[Download NTRadPing](https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-01-70/ntradping.zip)\n\n- Manage radius database using a web interface  \n[ye3radius-frontend by Kilowatt-W](https://github.com/palw3ey/ye3radius-frontend)\n\n# GNS3\n\nTo run through GNS3, download and import the appliance : [ye3radius.gns3a](https://raw.githubusercontent.com/palw3ey/ye3radius/master/ye3radius.gns3a)\n\n## How to connect the container in the GNS3 topology ?\nDrag and drop the device in the topology. 
Right click on the device and select \"Edit config\".  \nIf you want a static configuration, uncomment the lines just below `# Static config for eth0` or otherwise `# DHCP config for eth0` for a dhcp configuration. Click \"Save\".  \nAdd a link to connect the device to a switch or router. Finally, right click on the device, select \"Start\".  \nTo see the output, right click \"Console\".  \nTo type commands, right click \"Auxiliary console\".  \n\n# Environment Variables\n\nThese are the env variables and their default values.  \n\n| variables | format | default | description |\n| :- |:- |:- |:- |\n|Y_LANGUAGE | text | fr_FR | Language. The list is in the folder /i18n/ |\n|Y_DEBUG | yes/no | no | yes, Run freeradius with debug (-X) option |\n|Y_IGNORE_CONFIG | yes/no | no | yes, To not apply file changes in the /etc/raddb/ folder. A good option if you use a custom /etc/raddb folder mounted from outside |\n|Y_PORT_AUTH | port number | 1812 | Authentication port |\n|Y_PORT_ACCT | port number | 1813 | Accounting port |\n|Y_CERT_DAYS | integer | 3650 | Certificate expiration date in days |\n|Y_CERT_KEEP | yes/no | yes | yes, To avoid recreating the certificates if already exist | \n|TZ | text | Europe/Paris | time zone, IANA format | \n|Y_DATE_FORMAT | text | \"%Y-%m-%dT%H:%M:%S%z\" | date format (strftime), mainly used for logs | \n|Y_TEST_NAS | yes/no | no | yes, To activate the test NAS |\n|Y_TEST_NAS_ADDRESS | ip address | 0.0.0.0/0 | Test NAS address |\n|Y_TEST_NAS_SECRET | password | Test10203040 | Test NAS secret |\n|Y_TEST_USER | yes/no | no | yes, To activate the test user |\n|Y_TEST_USER_USERNAME | name | test | Test user username |\n|Y_TEST_USER_PASSWORD | password | 1234 | Test user password |\n|Y_DB_ENABLE | yes/no | no | yes, To enable SQL |\n|Y_DB_SERVER | address | example.com | SQL server address |\n|Y_DB_PORT | port number | 3306 | SQL server port |\n|Y_DB_LOGIN | name | login | SQL server login |\n|Y_DB_PASSWORD | password | password | SQL server 
password |\n|Y_DB_RADIUS_DB | text | radius | SQL database to use |\n|Y_DB_TLS_REQUIRED | yes/no | no | yes, To connect to the SQL server with ssl option |\n|Y_DB_READ_CLIENTS | yes/no | yes | yes, To read NAS from SQL nas table |\n|Y_DB_AUTHORIZE | yes/no | yes | yes, To allow auth from SQL |\n|Y_DB_POSTAUTH | yes/no | yes | yes, To allow SQL postauth |\n|Y_DB_ACCOUNTING | yes/no | yes | yes, To allow SQL accounting |\n|Y_DB_WAIT | integer | 5 | Number of seconds to wait between each attempt to reach the SQL server when the ye3radius container starts |\n|Y_RADSEC_SERVER_ENABLE | yes/no | no | yes, To activate RadSec server |\n|Y_RADSEC_SERVER_PORT | port number | 2083 | RadSec server port |\n|Y_RADSEC_SERVER_TYPE | text | auth+acct | Allowed request on the port |\n|Y_RADSEC_SERVER_CA | path | '${cadir}/ca.pem' | Path to the ca certificate file |\n|Y_RADSEC_SERVER_KEY | path | '${certdir}/server.key' | Path to the server key file |\n|Y_RADSEC_SERVER_KEY_PASSWORD | password | whatever | server key file password |\n|Y_RADSEC_SERVER_CERT | path | '${certdir}/server.pem' | Path to the server certificate file |\n|Y_RADSEC_SERVER_CLIENT_IPADDR | ip address | 0.0.0.0/0 | Allowed client address |\n|Y_RADSEC_SERVER_REQUIRE_CERT | yes/no | no | yes, To require a client certificate |\n|Y_RADSEC_PROXY_ENABLE | yes/no | no | yes, To activate Radius Proxy |\n|Y_RADSEC_PROXY_CLIENT_IPADDR | ip address | 0.0.0.0/0 | Allowed client address |\n|Y_RADSEC_PROXY_CLIENT_SECRET | password | Test50607080 | NAS secret |\n|Y_RADSEC_PROXY_IPADDR | ip address | 127.0.0.1 | RadSec server IP address |\n|Y_RADSEC_PROXY_PORT | port number | 2083 | RadSec server port |\n|Y_RADSEC_PROXY_TYPE | text | auth+acct | Allowed request on the port |\n|Y_RADSEC_PROXY_CA | path | '${cadir}/proxy_ca.pem' | Path to the ca certificate file |\n|Y_RADSEC_PROXY_KEY | path | '${certdir}/proxy_client.key' | Path to the client key file |\n|Y_RADSEC_PROXY_KEY_PASSWORD | password | whatever | client key file password 
|\n|Y_RADSEC_PROXY_CERT | path | '${certdir}/proxy_client.crt' | Path to the client certificate file |\n\n# Compatibility\n\nThe docker image was compiled to work on these CPU architectures :\n\n- linux/386\n- linux/amd64\n- linux/arm/v6\n- linux/arm/v7\n- linux/arm64\n- linux/ppc64le\n- linux/s390x\n\nWorks on most computers, including Raspberry Pi\n\n# Build\n\nTo customize and create your own images.\n\n```bash\ngit clone https://github.com/palw3ey/ye3radius.git\ncd ye3radius\n# Make all your modifications, then :\ndocker build --no-cache --network=host -t ye3radius .\ndocker run -dt --name my_customized_radius ye3radius\n```\n\n# Documentation\n\n[radiusd man page](https://freeradius.org/radiusd/man/)\n\n# Version\n\n| name | version |\n| :- |:- |\n|ye3radius | 2.0.1 |\n|radiusd | 3.0.27 |\n|alpine | 3.21.2 |\n\n# Changelog\n\n## [2.0.1] - 2025-02-02\n### Fixed\n- add acct_pool in radsec_proxy site\n## [2.0.0] - 2025-02-02\n### Added\n- Ease of configuration for RadSec and Radius Proxy \n- new package : tini tzdata ca-certificates curl\n- include new source file in the repo : queries.conf and sqlcounter\n- ability to change timezone and date format via environment variables\n### Changed \n- use tini for entrypoint\n- rename bypass_docker_env.sh.dis to bypass_container_env.sh \n## [1.0.0] - 2023-12-01\n### Added\n- first release\n\n# ToDo\n\nFeel free to contribute or share your ideas for new features, you can contact me here on github or by email. 
I speak French; you can write to me in other languages, and I will find ways to translate.\n\n# License\n\nMIT  \nauthor: palw3ey  \nmaintainer: palw3ey  \nemail: palw3ey@gmail.com  \nwebsite: https://github.com/palw3ey/ye3radius  \ndocker hub: https://hub.docker.com/r/palw3ey/ye3radius\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpalw3ey%2Fye3radius","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpalw3ey%2Fye3radius","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpalw3ey%2Fye3radius/lists"}