Skip to content
/ ye3radius Public

A docker AAA Radius server based on Freeradius and Alpine for a MySQL DB. Below 20 Mb. GNS3 ready.

hub.docker.com/r/palw3ey/ye3radius

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

palw3ey/ye3radius

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Version.txt

Version.txt

 
 

bypass_docker_env.sh.dis

bypass_docker_env.sh.dis

 
 

default

default

 
 

entrypoint.sh

entrypoint.sh

 
 

schema.sql

schema.sql

 
 

sql

sql

 
 

ye3radius.gns3a

ye3radius.gns3a

 
 

Repository files navigation

ye3radius

A docker AAA Radius server based on Freeradius and Alpine for a MySQL DB. Below 20 Mb. GNS3 ready.

The /etc/raddb folder is persistent.

Simple usage

docker run -dt --name myradius -e Y_TEST_NAS=yes -e Y_TEST_USER=yes palw3ey/ye3radius

Usage with MariaDB

If you don't have a MariaDB or MySQL Server, then proceed to step 1.
If you already have a running SQL Server, then skip to step 3.
If you already have a Radius DB with data, then skip to step 7.

  1. Create MariaDB container
docker run -dt --name mymariadb -e MYSQL_ROOT_PASSWORD=mypass mariadb:latest
  1. Create Radius database and Radius DB user
docker exec -it mymariadb mariadb --user=root --password=mypass
create database radius;
create user 'radiusDBuser'@'%' identified by 'radiusDBpassword';
GRANT ALL PRIVILEGES ON radius.* TO radiusDBuser;
quit;
  1. Import the MySQL schema
wget https://github.com/palw3ey/ye3radius/raw/main/schema.sql
mariadb --host=example.com --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius < schema.sql
mariadb --host=example.com --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "SHOW TABLES;"
  1. Create a NAS client
    The nas_address, below, is the IP address of the host that is requesting authentication. Use 0.0.0.0/0 to allow any IP address.
nas_address="10.10.10.10"
nas_secret="strongSecret"
mariadb --host=example.com --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO  nas (nasname,shortname,type,ports,secret,server,community,description) VALUES ('"$nas_address"', 'nas access sql', 'other',NULL ,'"$nas_secret"',NULL ,NULL ,'RADIUS Client');"
  1. Create a user
employee_username="tux"
employee_password="strongPassword"
mariadb --host=example.com --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius -e "INSERT INTO radcheck (username, attribute, op, value) VALUES ('"$employee_username"', 'Cleartext-Password', ':=', '"$employee_password"');"
  1. Include AVPair Reply (optional)
    To include Cisco-AVPair for a user
mariadb --host=example.com --port=3306 --user=radiusDBuser --password=radiusDBpassword --database=radius
INSERT INTO radreply
  (username, attribute, op, value)
VALUES
  ('tux', 'cisco-avpair', '+=', 'ipsec:dns-servers=1.1.1.1 8.8.8.8'),
  ('tux', 'cisco-avpair', '+=', 'ipsec:default-domain=example.lan');
quit;
  1. Run
    In the first run the ye3radius container will creates certificates if not exist, this may take a couple of seconds or minutes before the Radius service get ready
docker run -dt --name myradius -e Y_DB_ENABLE=yes -e Y_DB_SERVER=example.lan -e Y_DB_PORT=3306 -e Y_DB_LOGIN=radiusDBuser -e Y_DB_PASSWORD=radiusDBpassword -e Y_DB_TLS_REQUIRED=no palw3ey/ye3radius
  1. Test
# check if container is ready :
docker logs myradius

# get container IP :
docker inspect --format='{{.NetworkSettings.IPAddress}}' myradius

# On a ubuntu host :
apt install freeradius-utils
radtest $employee_username $employee_password $container_ip:1812 0 $nas_secret -x

Test

on the host

docker exec -it myradius sh --login -c "radtest test 1234 localhost:1812 0 testing123 -x"

on Cisco IOS

configure terminal
aaa new-model
radius server ye3radius
  address ipv4 10.10.10.250 auth-port 1812 acct-port 1813
  key strongSecret
  exit
do test aaa group radius server name ye3radius test 1234 new-code

HOWTOs

  • Show freeradius log
docker exec -it myradius sh --login -c "tail -f /var/log/radius/radius.log"
  • Connect to DB
mysql --host=example.com --port=3306 --user=login --password=password --database=radius
  • Add a user
INSERT INTO radcheck
	(username, attribute, op, value)
VALUES
	('user', 'Cleartext-Password', ':=', 'password');
  • Delete a user
DELETE FROM radcheck
WHERE username = 'user';
  • Update a user password
UPDATE radcheck
SET value='password'
WHERE username='user';
  • Disable a user
INSERT INTO radcheck
	(username, attribute, op, value)
VALUES
	('user', 'Auth-Type', ':=', 'Reject');
  • Enable a previously disabled user
DELETE FROM radcheck
WHERE username='user'
AND attribute='Auth-Type'
AND value='Reject';
  • List all user
SELECT * FROM radcheck;

GNS3

To run through GNS3, download and import the appliance : ye3radius.gns3a

Environment Variables

These are the env variables and their default values.

variables format default description
Y_LANGUAGE text fr_FR Language. The list is in the folder /i18n/
Y_DEBUG yes/no no yes, Run freeradius with debug (-X) option
Y_IGNORE_CONFIG yes/no no yes, To not apply file changes in the /etc/raddb/ folder. A good option if you use a custom /etc/raddb folder mounted from outside
Y_PORT_AUTH port number 1812 Authentication port
Y_PORT_ACCT port number 1813 Accounting port
Y_CERT_DAYS integer 3650 Certificate expiration date in days
Y_CERT_KEEP yes/no yes yes, To avoid recreating the certificates if already exist
Y_TEST_NAS yes/no no yes, To activate the test NAS
Y_TEST_NAS_ADDRESS ip address 0.0.0.0/0 Test NAS address
Y_TEST_NAS_SECRET password Test10203040 Test NAS secret
Y_TEST_USER yes/no no yes, To activate the test user
Y_TEST_USER_USERNAME name test Test user username
Y_TEST_USER_PASSWORD password 1234 Test user password
Y_DB_ENABLE yes/no no yes, To enable SQL
Y_DB_SERVER address example.com SQL server address
Y_DB_PORT port number 3306 SQL server port
Y_DB_LOGIN name login SQL server login
Y_DB_PASSWORD password password SQL server password
Y_DB_RADIUS_DB text radius SQL database to use
Y_DB_TLS_REQUIRED yes/no no yes, To connect to the SQL server with ssl option
Y_DB_READ_CLIENTS yes/no yes yes, To read NAS from SQL nas table
Y_DB_AUTHORIZE yes/no yes yes, To allow auth from SQL
Y_DB_POSTAUTH yes/no yes yes, To allow SQL postauth
Y_DB_ACCOUNTING yes/no yes yes, To allow SQL accounting
Y_DB_WAIT integer 5 Number of seconds to wait between each attempt to reach the SQL server when the ye3radius container starts

Compatibility

The docker image was compiled to work on these CPU architectures :

  • linux/386
  • linux/amd64
  • linux/arm/v6
  • linux/arm/v7
  • linux/arm64
  • linux/ppc64le
  • linux/s390x

Work on most computers including Raspberry Pi

Build

To customize and create your own images.

git clone https://github.com/palw3ey/ye3radius.git
cd ye3radius
# Make all your modifications, then :
docker build --no-cache --network=host -t ye3radius .
docker run -dt --name my_customized_radius ye3radius

Documentation

radiusd man page

Version

name version
ye3radius 1.0.0
radiusd 3.0.26
alpine 3.18.4

ToDo

  • need to document env variables (2023-12-12)
  • add more translation files in i18n folder. Contribute ! Send me your translations by mail ;)

Don't hesitate to send me your contributions, issues, improvements on github or by mail.

License

MIT
author: palw3ey
maintainer: palw3ey
email: [email protected]
website: https://github.com/palw3ey/ye3radius
docker hub: https://hub.docker.com/r/palw3ey/ye3radius

About

A docker AAA Radius server based on Freeradius and Alpine for a MySQL DB. Below 20 Mb. GNS3 ready.

hub.docker.com/r/palw3ey/ye3radius

Topics

docker cisco alpine mysql-server mariadb-server gns3 radius-server freeradius-server

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages