FreeRADIUS is a modular, full-featured, rock-solid RADIUS server. It’s one of the best pieces of free software, and certainly the most widely used RADIUS implementation in the world. horoa’s skills around FreeRADIUS allow tight integration in many heterogeneous environments. As an example, this article presents a clean way of making FreeRADIUS work with Oracle on Debian systems.
FreeRADIUS is the most widely used RADIUS server in the world. However, in earlier times the situation was quite different: it took some time for FreeRADIUS to prove its reliability in industry. Nowadays this GPL’ed code is a ‘must try’ when thinking about deploying an AAA infrastructure (Authentication, Authorization, Accounting). To my knowledge, FreeRADIUS is the RADIUS server that supports the biggest range of EAP types. It also supports many authentication mechanisms such as PAP, CHAP, MS-CHAP v1 and v2, Digest and PAM, and several backends for storing user data: SQL, LDAP. Another goodie of FreeRADIUS is that the source is maintained by Network RADIUS, headed by Alan DeKok, who was involved in writing the RADIUS and DIAMETER RFCs. Network RADIUS sells high-quality professional support (I can tell you this as I used to be a GOLD supported customer).
In the following lines, I’ll try to clear up a rather undocumented part of FreeRADIUS: the Oracle DBMS interface!
Maybe it’s because Oracle is non-free software, but the documentation of this DBMS in the FreeRADIUS literature is quite lightweight and varies a lot across the web. So, let’s see how to make it work efficiently on Debian systems!
Preparing the compilation theater:
Basically, we need a working Debian OS… Debian Squeeze is a good option. First we install the tools needed for compilation and installation:
sudo apt-get install build-essential unzip libtool automake dpkg-dev debhelper quilt libssl-dev libpam0g-dev libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev libperl-dev libpcap-dev python-dev libsnmp-dev libpq-dev
Oracle component installation
At this stage, the Oracle libraries and header files are not installed, yet we need them in order to compile FreeRADIUS with Oracle support. Oracle does not publish source code for its DBMS client libraries (yes, Oracle, which owns MySQL, OpenOffice.org, Sun…). So we must manually install the binary package distributed by Oracle. There are at least two ways to do this.
- You can set up a full Oracle instance (including the server side), e.g. Oracle 11g (untested with Oracle XE). Carefully note the $ORACLE_HOME variable, as this path will be needed to compile FreeRADIUS.
- Or you can install the Oracle instant client, distributed free of charge by Oracle as binaries (sign-up required).
In this document we will use the second, cheaper, method. Go to the Oracle website, in the download section, and choose the instant client version matching your Linux host as well as its SDK: http://www.oracle.com/technetwork/database/features/instant-client/
Here, let’s say the host is an x86_64 host; then we fetch:
instantclient-basic-linux-x86-64-11.2.0.2.0.zip
instantclient-sdk-linux-x86-64-11.2.0.2.0.zip
Unpack these into a target directory dedicated to Oracle components (here /opt/oracle):
sudo mkdir /opt/oracle
sudo unzip -d /opt/oracle/ instantclient-basic-linux-x86-64-11.2.0.2.0.zip
sudo unzip -d /opt/oracle/ instantclient-sdk-linux-x86-64-11.2.0.2.0.zip
We need to tweak the install a little in order to compile and run FreeRADIUS flawlessly. If you miss this step, compilation will fail or the server will crash when loading the Oracle module:
cd /opt/oracle/instantclient_11_2/
sudo ln -s libclntsh.so.11.1 libclntsh.so
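Add the following line to the dynamic linker configuration (/etc/ld.so.conf, or a file under /etc/ld.so.conf.d/), then refresh the linker cache:
/opt/oracle/instantclient_11_2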
sudo ldconfig
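An added example, not part of the original article: a pre-flight check of the instant client tree before building. It covers the symlink and SDK header the build needs, and flags files writable by group or others, since this directory is now on the system-wide library path. Function names are hypothetical; the layout is the one used above.

```sh
#!/bin/sh
# Added example: pre-flight check of an Oracle instant client tree.
# Function names are hypothetical; paths follow the article's layout.

# check_instantclient DIR
# Prints one line per problem and returns non-zero if any was found.
check_instantclient() {
    dir=$1
    rc=0
    # -lclntsh resolves through the unversioned name created with ln -s.
    if [ ! -L "$dir/libclntsh.so" ]; then
        echo "missing symlink: $dir/libclntsh.so"; rc=1
    elif [ ! -e "$dir/libclntsh.so" ]; then
        echo "dangling symlink: $dir/libclntsh.so"; rc=1
    fi
    # The SDK archive provides the OCI headers the driver is compiled against.
    if [ ! -f "$dir/sdk/include/oci.h" ]; then
        echo "missing SDK header: $dir/sdk/include/oci.h"; rc=1
    fi
    # The directory is on the system library path, so nothing in it may be
    # writable by group or others (symlink modes are ignored).
    writable=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        echo "writable by group or others:"
        echo "$writable"
        rc=1
    fi
    return $rc
}

# in_ld_cache NAME
# True when the dynamic linker cache (rebuilt by ldconfig) lists NAME.
in_ld_cache() {
    ldconfig -p 2>/dev/null | grep -q "[[:space:]]$1 "
}

# Typical use after the steps above:
#   check_instantclient /opt/oracle/instantclient_11_2 && in_ld_cache libclntsh.so.11.1
```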
The Oracle components are now correctly set up; let’s compile FreeRADIUS.
FreeRADIUS Installation
Grab the sources! Using at least version 2.1.10 will help a lot, as it contains bug fixes, and more particularly patches for Oracle compilation. Even better, use git to check out the source tree.
http://freeradius.org/download.html
cd
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.bz2
tar jxvf freeradius-server-2.1.10.tar.bz2
If you choose the official 2.1.10 release, you’ll need a little patch I wrote to allow compilation to work with versions of Oracle other than 10g. This patch has been merged upstream (2.1.11).
Independently of the patch, you’ll need a few files to build the freeradius-oracle Debian package. Those files are contained in the following archive. Unpack it and apply the patches as follows:
wget http://www.horoa.net/wp-content/uploads/2011/06/freeradius-oracle.tar.gz
tar zvxf freeradius-oracle.tar.gz
cd freeradius-server-2.1.10
cp ../freeradius-oracle/freeradius-oracle.* debian/
patch -p0 < ../freeradius-oracle/debian.oracle_enabled.patch
Be aware that the patch applied above is meant to work with Oracle instant client 11.2, installed in /opt/oracle. If you need different paths or versions, adjust the file debian/rules according to your needs.
As I previously pointed out, using the official 2.1.10 release also requires another patch to be applied:
patch -p0 < ../freeradius-oracle/oracle_versionlibs.patch
We need to regenerate the configure script before building the package:
cd src/modules/rlm_sql/drivers/rlm_sql_oracle
autoreconf
cd -
sudo dpkg-buildpackage -b -uc
When finished, you should find plenty of .deb files in the parent directory, among those: freeradius-oracle_2.1.10+git_amd64.deb
At this stage, installation is quite a simple process:
sudo apt-get install libaio1 openssl-blacklist ssl-cert
sudo dpkg -i ../libfreeradius2_2.1.10+git_amd64.deb ../freeradius_2.1.10+git_amd64.deb ../freeradius-common_2.1.10+git_all.deb ../freeradius-oracle_2.1.10+git_amd64.deb
To avoid our work being overridden by any wild update, we configure dpkg to hold the packages related to freeradius:
sudo dpkg --get-selections | grep freeradius | sed 's/install$/hold/' | sudo dpkg --set-selections
What comes next highly depends on your setup, as it is the FreeRADIUS configuration itself. Mainly, to activate Oracle, you’ll need to uncomment this line in /etc/freeradius/radiusd.conf:
$INCLUDE sql.conf
and configure your sql instance in /etc/freeradius/sql.conf using the oracle driver and the required connection string (or tnsname):
sql {
    database = "oracle"
    driver = "rlm_sql_${database}"
    login = "scott"
    password = "tiger"
    radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=A.B.C.D)(PORT=1521))(CONNECT_DATA=(SID=GEN1)))"
    ...
}
You can test the setup using
sudo freeradius -X -C
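An added example, not from the original article or the FreeRADIUS project: since sql.conf stores the database password in clear text, this check flags the sample values shown above (scott/tiger, the HOST=A.B.C.D placeholder) and a file readable or writable by others. Function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit a FreeRADIUS sql.conf for leftover sample values and
# loose permissions. Function names are hypothetical.

# conf_value KEY FILE
# Prints the first uncommented value assigned to KEY, without its quotes.
conf_value() {
    awk -v k="$1" '
        $0 ~ "^[ \t]*" k "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, "")
            gsub(/^"|"[ \t]*$/, "")
            print
            exit
        }' "$2"
}

# audit_sql_conf FILE
# Prints one line per finding and returns non-zero if any was found.
audit_sql_conf() {
    f=$1
    rc=0
    login=$(conf_value login "$f")
    pass=$(conf_value password "$f")
    # scott/tiger is Oracle's well-known demo account, used above as a sample.
    if [ "$login" = "scott" ] && [ "$pass" = "tiger" ]; then
        echo "sample credentials scott/tiger still in use"; rc=1
    fi
    if [ -z "$pass" ]; then
        echo "no password set"; rc=1
    fi
    case $(conf_value radius_db "$f") in
        *HOST=A.B.C.D*) echo "placeholder HOST=A.B.C.D in radius_db"; rc=1 ;;
    esac
    # The file holds a clear-text database password.
    if [ -n "$(find "$f" \( -perm -004 -o -perm -002 \) -print)" ]; then
        echo "$f is readable or writable by others"; rc=1
    fi
    return $rc
}

# Typical use: audit_sql_conf /etc/freeradius/sql.conf
```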