Build FreeRadius 3 on Raspberry Pi

January 24, 2018

Background

I had freeradius 2.1 running on a Raspberry Pi. I needed to upgrade to 3.0 for some reason. The freeradius package in the apt-get repository is too old, so I have to compile from source instead.

It is a pain in the ass and took me like 2 days to troubleshoot everything and make it work.

The features I had enabled in FreeRadius 2 that need to be restored in FreeRadius 3 are listed below:

  • EAP-TLS
  • LDAP

OpenSSL

The installed OpenSSL version was 1.0.1e. FreeRadius 3 refuses to work with OpenSSL versions up to 1.0.1t due to the heartbleed issue. The version in the apt-get repository is still 1.0.1t: a bit newer than the version I installed, but still not working with FR3.

Anyway I’m still upgrading it.

# sudo su
# apt-get update
# apt-get install --only-upgrade openssl

Installing Dependencies

FR3 needs the OpenSSL library (because I need EAP-TLS for 802.1X authentication) and the LDAP library (because I need LDAP to authenticate OpenVPN connections) in order to compile.

# sudo su
# apt-get install libssl-dev
# apt-get install libldap-dev

According to freeradius.org, FR3 makes heavy use of the talloc library.

# sudo su
# wget https://www.samba.org/ftp/talloc/talloc-2.1.0.tar.gz
# tar zxvf talloc-2.1.0.tar.gz
# cd talloc-2.1.0
# ./configure --without-gettext
# make
# make install


Compiling FreeRadius 3.0.16

Because I already have FreeRadius 2 installed, I'll install FreeRadius 3 into the /etc/freeradius3 directory instead.

# sudo su
# mkdir /etc/freeradius3
# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.16.tar.gz
# tar xvzf freeradius-server-3.0.16.tar.gz
# cd freeradius-server-3.0.16
# ./configure --prefix=/etc/freeradius3 --with-modules="rlm_ldap"
# make
# make install
# cp /etc/freeradius3/etc/raddb/mods-available/*  /etc/freeradius3/etc/raddb/mods-enabled/
# cp /etc/freeradius3/etc/raddb/sites-available/default /etc/freeradius3/etc/raddb/sites-enabled/
# cp /etc/freeradius3/etc/raddb/sites-available/inner-tunnel /etc/freeradius3/etc/raddb/sites-enabled/

Now FreeRadius 3 is installed, but it refuses to run because of the OpenSSL version.

Edit radiusd.conf to bypass the check.

# vi /etc/freeradius3/etc/raddb/radiusd.conf

Look for the security section and set allow_vulnerable_openssl to 'CVE-2016-6304'. Naming the CVE acknowledges only that one advisory, which is narrower than setting the option to yes; as the comment in the file says, the check only looks at the version string libssl reports, so it cannot tell whether the distribution has backported a fix.

        #
        #  allow_vulnerable_openssl: Allow the server to start with
        #  versions of OpenSSL known to have critical vulnerabilities.
        #
        #  This check is based on the version number reported by libssl
        #  and may not reflect patches applied to libssl by
        #  distribution maintainers.
        #
        allow_vulnerable_openssl = 'CVE-2016-6304'

Trial run

# /etc/init.d/freeradius stop
# /etc/freeradius3/sbin/radiusd -X

I got this error:

port 1812 bound to server default: Address family not supported by protocol

After some googling, I figured out that the IPv6 listen sections have to be commented out in sites-enabled/default.

# vi /etc/freeradius3/etc/raddb/sites-enabled/default
...
#
# IPv6 versions of the above - read their full config to understand options
#listen {
#       type = auth
#       ipv6addr = ::   # any.  ::1 == localhost
#       port = 1812
##      interface = eth0
##      clients = per_socket_clients
#       limit {
#             max_connections = 16
#             lifetime = 0
#             idle_timeout = 30
#       }
#}
#listen {
#       ipv6addr = ::
#       port = 0
#       type = acct
##      interface = eth0
##      clients = per_socket_clients

#       limit {
##              max_pps = 0
##              idle_timeout = 0
##              lifetime = 0
##              max_connections = 0
#       }
#}
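
Rather than commenting the IPv6 blocks out by hand, the following added shell example (my own, not from the original post) does the same edit with awk: every listen block that sets ipv6addr is commented out and everything else passes through. The sample config it runs on is constructed to mirror the blocks above.

```shell
#!/bin/sh
# Added example (not from the original post): comment out every "listen"
# block in a FreeRADIUS virtual-server file that sets ipv6addr, so that
# radiusd -X no longer fails with "Address family not supported by protocol"
# on a kernel without IPv6. IPv4 listeners and all other lines are untouched.

# Reads the site file on stdin and writes the edited file to stdout.
comment_ipv6_listeners() {
    awk '
    # An uncommented "listen {" line starts a block worth inspecting.
    !inblock && /^[[:space:]]*listen[[:space:]]*[{]/ {
        inblock = 1; depth = 0; n = 0; v6 = 0
    }
    inblock {
        buf[++n] = $0
        if ($0 ~ /^[[:space:]]*ipv6addr[[:space:]]*=/) v6 = 1
        # Track nesting by counting braces outside comments (limit { ... }).
        code = $0; sub(/#.*/, "", code)
        depth += gsub(/[{]/, "{", code)
        depth -= gsub(/[}]/, "}", code)
        if (depth == 0) {
            # Block complete: emit it, prefixed with "#" only if it was IPv6.
            for (i = 1; i <= n; i++) {
                line = (v6 ? "#" : "") buf[i]
                print line
            }
            inblock = 0
        }
        next
    }
    { print }
    '
}

# Constructed sample: one IPv4 auth listener and one IPv6 auth listener,
# shaped like the blocks in sites-available/default.
SAMPLE='listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = auth
    ipv6addr = ::   # any.  ::1 == localhost
    port = 1812
    limit {
        max_connections = 16
    }
}'

# Real use: comment_ipv6_listeners < sites-enabled/default > default.new
printf '%s\n' "$SAMPLE" | comment_ipv6_listeners
```

Review the generated file before copying it over sites-enabled/default, since the script only looks at ipv6addr and leaves any other listener exactly as it found it.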

Now run the server again

# sudo su
# /etc/freeradius3/sbin/radiusd -X

If there is no error, proceed to install the start-up script below so radiusd starts at boot:

# sudo su
# cd /etc/init.d/
# cp /etc/freeradius3/sbin/rc.radiusd radiusd
# update-rc.d radiusd defaults
