https://github.com/palw3ey/ye3radius

AAA Radius, RadSec and RadSec Proxy server based on Freeradius and Alpine for SQL DB. GNS3 ready
alpine cisco docker freeradius-server gns3 mariadb-server mysql-server radius-server

# ye3radius

AAA Radius, RadSec and RadSec Proxy server based on Freeradius and Alpine for SQL DB. GNS3 ready

The /etc/raddb folder is persistent.

# Simple usage

```bash
docker run -dt --name myradius -e Y_TEST_NAS=yes -e Y_TEST_USER=yes -p 1812-1813:1812-1813/udp docker.io/palw3ey/ye3radius
```

# Usage with MariaDB

If you don't have a MariaDB or MySQL server yet, start at step 1.
If you already have a running SQL server, skip to step 3.
If you already have a Radius database with data in it, skip to step 7.

1. Create MariaDB container
`-p 3306:3306` publishes the database on every interface of the Docker host. On a Linux host it is not needed for the steps below (the host and the ye3radius container both reach mymariadb through its bridge address), so drop it, or bind it to `127.0.0.1:3306:3306`, unless something outside the host has to reach the database.
```bash
docker run -dt --name mymariadb -e MYSQL_ROOT_PASSWORD=mypass -p 3306:3306 mariadb:latest
```

2. Create Radius database and Radius DB user
```bash
docker exec -it mymariadb mariadb --user=root --password=mypass
```
```sql
create database radius;
create user 'radiusDBuser'@'%' identified by 'radiusDBpassword';
GRANT ALL PRIVILEGES ON radius.* TO radiusDBuser;
quit;
```

3. Import the MySQL schema
```bash
# install mariadb-client-core
sudo apt install mariadb-client-core -y

# get mymariadb container ip address
mymariadb_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' mymariadb)

wget https://github.com/palw3ey/ye3radius/raw/main/schema.sql
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius < schema.sql
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SHOW TABLES;"
```

4. Create a NAS client
The nas_address below is the IP address (or CIDR range) of the RADIUS client (NAS) that will send authentication requests. 0.0.0.0/0 accepts requests from any source address, which leaves the shared secret as the only thing authenticating the client; fine for a lab, but narrow it to the real NAS addresses elsewhere. FreeRADIUS reads the nas table only when it starts, so after adding or changing a client here, restart the myradius container before testing.
```bash
nas_address="0.0.0.0/0"
nas_secret="strongSecret"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO nas (nasname,shortname,type,ports,secret,server,community,description) VALUES ('"$nas_address"', 'nas access sql', 'other',NULL ,'"$nas_secret"',NULL ,NULL ,'RADIUS Client');"
```

5. Create a user
Cleartext-Password stores the password unhashed in radcheck. It is required when clients authenticate with MS-CHAP/MS-CHAPv2 (for example PEAP/EAP-MSCHAPv2); for PAP-only users, one of the hashed password attributes understood by rlm_pap (Crypt-Password, SSHA-Password, ...) can be stored instead.
```bash
employee_username="tux"
employee_password="strongPassword"
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO radcheck (username, attribute, op, value) VALUES ('"$employee_username"', 'Cleartext-Password', ':=', '"$employee_password"');"
```

6. Include AVPair Reply (optional)
To include Cisco-AVPair for a user
```bash
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
```
```sql
INSERT INTO radreply
(username, attribute, op, value)
VALUES
('tux', 'cisco-avpair', '+=', 'ipsec:dns-servers=1.1.1.1 8.8.8.8'),
('tux', 'cisco-avpair', '+=', 'ipsec:default-domain=example.lan');
quit;
```

7. Run
On the first run the ye3radius container generates its certificates if they do not exist yet; this can take anywhere from a few seconds to a few minutes before the RADIUS service is ready. `Y_DB_TLS_REQUIRED=no` means the SQL connection (and the Cleartext-Password values it returns) is not encrypted, which is acceptable on a single-host Docker bridge but not across an untrusted network.
```bash
docker run -dt --name myradius -e Y_DB_ENABLE=yes \
-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \
-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \
-p 1812-1813:1812-1813/udp \
palw3ey/ye3radius
```

8. Test
```bash
# check if container is ready :
docker logs myradius

# get container IP :
myradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)

# On an Ubuntu/Debian host (-x enables debug output and must come before the positional arguments):
sudo apt install freeradius-utils
radtest -x $employee_username $employee_password $myradius_ip:1812 0 $nas_secret
```
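The statements in steps 4 and 5 (and the single-statement HOWTOs further down) splice shell variables straight into SQL text, so a password or secret containing a single quote breaks the statement, or rewrites it. The helper below is an added example, not part of ye3radius: it emits the same INSERTs with every value encoded as a MariaDB hex string literal (`X'...'`), which needs no quoting or escaping and does not depend on the server's `sql_mode`. Table and column names are the ones from schema.sql above; the `sql_*` function names are my own.

```shell
#!/bin/sh
# Added example (not ye3radius code): generate the radcheck / nas / radusergroup
# INSERTs used in this README without interpolating raw shell variables into SQL.

# Encode an arbitrary string as a MariaDB hex literal X'...'. POSIX od is used so
# the function also runs on Alpine/busybox. An empty input yields X'' (empty string).
sql_str() {
    printf "X'%s'" "$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')"
}

# Same statement as step 5: a PAP user with a Cleartext-Password.
# Usage: sql_add_user <username> <password>
sql_add_user() {
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES (%s, 'Cleartext-Password', ':=', %s);\n" \
        "$(sql_str "$1")" "$(sql_str "$2")"
}

# Same statement as step 4. FreeRADIUS loads the nas table only at startup, so the
# myradius container must be restarted after this row is inserted.
# Usage: sql_add_nas <ip-or-cidr> <shortname> <secret>
sql_add_nas() {
    printf "INSERT INTO nas (nasname, shortname, type, ports, secret, server, community, description) VALUES (%s, %s, 'other', NULL, %s, NULL, NULL, 'RADIUS Client');\n" \
        "$(sql_str "$1")" "$(sql_str "$2")" "$(sql_str "$3")"
}

# Same statement as the "Add the user emily to a group" HOWTO.
# Usage: sql_add_group_member <username> <groupname>
sql_add_group_member() {
    printf "INSERT INTO radusergroup (username, groupname) VALUES (%s, %s);\n" \
        "$(sql_str "$1")" "$(sql_str "$2")"
}

# Typical use: pipe the generated statements into the client from step 3, e.g.
#   { sql_add_nas 10.10.10.0/24 branch-switch "$nas_secret"; \
#     sql_add_user tux "$employee_password"; sql_add_group_member tux Manager; } \
#     | mariadb --host="$mymariadb_ip" --user=radiusDBuser --database=radius
# Passing --password=... on the command line shows it in `ps`; the client also
# reads the password from the MYSQL_PWD environment variable or prompts with -p.
```

Because the values never touch the SQL grammar, the same functions are safe to feed from a CSV of users or an ad-hoc script, which is where the README's inline quoting style usually breaks first.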

# Test

On the host (the credentials below match the built-in test NAS and test user enabled with `Y_TEST_NAS=yes` / `Y_TEST_USER=yes` in the simple usage example, not the SQL user created above):
```bash
docker exec -it myradius radtest -x test 1234 localhost:1812 0 testing123
```
```

On Cisco IOS (10.10.10.250 stands for the address the switch reaches the RADIUS server on; the key must match the secret stored in the nas table for the switch's source address in step 4):
```
configure terminal
aaa new-model
radius server ye3radius
address ipv4 10.10.10.250 auth-port 1812 acct-port 1813
key strongSecret
exit
do test aaa group radius server name ye3radius test 1234 new-code
```

# HOWTOs
- Show freeradius log
```bash
docker exec -it myradius tail -f /var/log/radius/radius.log
# To exit : Ctrl C
```

- Connect to DB
```bash
mariadb --host=$mymariadb_ip --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
```

- Add a user
```sql
INSERT INTO radcheck
(username, attribute, op, value)
VALUES
('emily', 'Cleartext-Password', ':=', 'emilyStrongPassword');
```

- Delete a user
```sql
DELETE FROM radcheck
WHERE username = 'emily';
```

- Update a user password
```sql
UPDATE radcheck
SET value='emilyNewStrongPassword'
WHERE username='emily';
```

- Disable a user
```sql
INSERT INTO radcheck
(username, attribute, op, value)
VALUES
('emily', 'Auth-Type', ':=', 'Reject');
```

- Enable a previously disabled user
```sql
DELETE FROM radcheck
WHERE username='emily'
AND attribute='Auth-Type'
AND value='Reject';
```

- List all users
```sql
SELECT * FROM radcheck;
```

- Add the user emily to a group named Manager
```sql
INSERT INTO radusergroup (username, groupname) VALUES ('emily', 'Manager');
```

- Add the Class attribute in the response, for group membership
```sql
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('Manager', 'Class', ':=', 'Manager');
```

- Enable RadSec Server
```bash
# add : -e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp
# note that this command publishes only TCP 2083 (RadSec); put -p 1812-1813:1812-1813/udp back if plain RADIUS clients must still reach the server
docker run -dt --name myradius -e Y_DB_ENABLE=yes \
-e Y_DB_SERVER=$mymariadb_ip -e Y_DB_PORT=3306 -e Y_DB_TLS_REQUIRED=no \
-e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword \
-e Y_RADSEC_SERVER_ENABLE=yes -p 2083:2083/tcp \
palw3ey/ye3radius
```

- Create a Radius Proxy linked to a RadSec Server
```bash
# export the client key, certificate and CA from the remote RadSec server.
# docker cp copies the files byte for byte; piping `docker exec -t ... cat` through
# a pseudo-TTY can turn the PEM line endings into CRLF and break the TLS setup.
# client.key is the proxy's TLS client identity: keep it private.
docker cp myradius:/etc/raddb/certs/client.key ./client.key
docker cp myradius:/etc/raddb/certs/client.crt ./client.crt
docker cp myradius:/etc/raddb/certs/ca.pem ./ca.pem

# get the ip
myradius_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius)
echo $myradius_ip

# create the Radius Proxy with the files exported above (mounted from the current directory)
docker run -dt --name myradius_proxy \
-p 1812-1813:1812-1813/udp \
-e Y_RADSEC_PROXY_ENABLE=yes \
-e Y_RADSEC_PROXY_IPADDR=$myradius_ip \
-e Y_RADSEC_PROXY_CLIENT_SECRET=strongProxySecret \
-v "$PWD/client.key":/etc/raddb/certs/proxy_client.key:ro \
-v "$PWD/client.crt":/etc/raddb/certs/proxy_client.crt:ro \
-v "$PWD/ca.pem":/etc/raddb/certs/proxy_ca.pem:ro \
docker.io/palw3ey/ye3radius
```

- Test with radclient using custom attributes
```bash
# install freeradius-utils
sudo apt install freeradius-utils

# get the ip
myradius_proxy_ip=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius_proxy)
echo $myradius_proxy_ip

# test authentication
radclient -x $myradius_proxy_ip:1812 auth strongProxySecret <