Setup freeRADIUS + mySQL + daloRADIUS for dynamic VLAN assignment on Unifi
- Published on 21 Nov 2024
- Using the text-based users file from our other freeRADIUS + Unifi = Dynamic VLAN Assignment guide works great for small installations, but in a larger or more fluid environment it is much easier to give the freeRADIUS server a database backend, so devices can be added or moved between VLANs without editing files or restarting the service. This guide walks through the steps to configure that, and optionally to set up a daloRADIUS UI for freeRADIUS.
Commands: www.missingrem...
freeRADIUS: wiki.freeradiu...
Dude, this video was awesome, thanks a lot for making it. I played around slightly with FreeRadius in the past and hated having to restart the radius service after adding a new user. A lot of ISPs would benefit from this solution since they can automate new customer sign-ups. If their website does PHP SQL INSERTs into the DB then the customer's account would be automated on sign-up and ready to go, assuming the infrastructure is in place. Nice stuff.
Just commenting to say that this video has helped me again when I had to build another FreeRadius server. A note mainly for myself, but don't forget to systemctl enable freeradius when done so it starts on boot (also, other stuff to do). You're a legend Andrew :)
I was trying to do this a couple of years back with daloradius but I abandoned it. I was managing a site which had many SSIDs/VLANs, so my idea was to have 1 SSID. I never knew Unifi had this feature! I was using Cisco and it looked like I would need WLC/ISE/RADIUS/SQL/DALO. You could technically do all this in Unifi. Effectively you could have 2 x SSID: 1 for Guest (other) and 1 for the dynamic VLANs. The only drawback would be the management in Unifi; they could do with RADIUS user groups so you can manage it better.
The main problem in the end was the randomised MACs. I noticed if you kept the SSID the same, then the MACs were randomised the same each time for that SSID, but you wouldn't know what the MAC was until it first connected.
It is a really cool feature but I think companies will just do the dynamic VLAN assignment via username/pass on an AD or something rather than using MAC addresses. Also MACs can be easily spoofed, so it seems kind of dangerous too? Imagine everyone has the password for the Wifi network; all you need to do is spoof your MAC and you're on another VLAN!
That is a very real concern. If you make the default network the most restrictive, that alleviates some of the issue. To get on a less restrictive network, you would need to spoof a known elevated MAC, which, while not impossible, raises the bar a little. If you need to configure a really secure wireless network it would be better to use something like PKI-based RADIUS for authentication, and assign the VLAN based on the user/certificate credential.
I would be interested in the modifications to show the group assignment in the radpostauth table... Thanks for the great video!
LMK if this answers your question: th-cam.com/video/fXlUtwnWRQ8/w-d-xo.html
@@MissingRemote Yes, thank you! And that makes sense about showing the group names increasing complexity. The modification to show the vlan worked like a charm.
Thank you so much for this excellent tutorial - it's the best I've seen so far! I have been able to get it all to work with one small exception: when I connect to the network (using an iPhone in this case), I am prompted for a username and password, rather than that information automatically being the MAC address of the iPhone. It does work by manually entering the MAC as the u/p at the prompt, but I need the automatic pass-through to work. I am using a Unifi controller (but no USG) with the WIFI set to WPA2 Enterprise and RADIUS MAC Authentication enabled. Any hints? Thank you!
Try WPA2 or WPA2/WPA3 instead of WPA2 Enterprise. IIRC, Enterprise requires a locally provided credential.
@@MissingRemote Thank you for the fast response! When changing to WPA2, it now requires a PSK. So, my guess is WPA2-Enterprise is required. When I look at the info stream from "freeradius -X", I can see that the correct MAC is used and checked against the DB, and the correct response is provided including VLAN information. And all that happens without filling out the pop-ups asking for u/p. So, it seems that the correct information is passing back and forth, except that something is triggering (what I think is) a CHAP pop-up box. The only other weird thing in the "freeradius -X" is that after the SQL-User-Name is set correctly, the connection times out 5 times before connecting to MySQL (successfully), followed by successful authentication (even though the pop-up is still open on the client). Could it be a Unifi Controller setting? Very confused...
@@davidyackness9808 There are two things at play here. Authentication and personalization. WPA2 is an authentication mechanism. When you use WPA2 Personal, you use a PSK to authenticate. When you use WPA2 Enterprise, each client has discrete credentials (sometimes client = person, and sometimes it = device in this context). That can be a certificate, LDAP account, row in a SQL table, etc. Dynamic VLAN assignment is personalization. Once you're authenticated, the MAC is used to determine which VLAN to tag your traffic with. NEVER use MAC for authentication. MAC addresses are not credentials, they are easy to change. If you want to use WPA2 Enterprise, MAC based personalization isn't the right way to set the VLAN. You can do that as part of the RADIUS transaction using the client credentials.
@@MissingRemote Wow! That makes so much more sense... the term "radius authentication" is used frequently, and is obviously conflated in this context. Your explanation clears things up perfectly. Thank you so much for taking the time to record this tutorial and answer my novice questions! All is working now.
@@davidyackness9808 YW. Yeah, we're kind of cheating here, leveraging an authentication mechanism to do personalization :).
Hi, great video. Please, how do I use the Simultaneous-Use option? It doesn't work with the tutorial. I need it to stop clients who use the same login simultaneously.
Awesome video; so incredibly helpful.
Thank you for this video. I am new to RADIUS servers and this helped get me up and running. I followed your instructions to the letter. The only difference was I left the Default User Profile setting commented. I created NAS entries with the IPs of my gateway's default and test VLANs as well as the IPs of the APs. I used Daloradius to create profiles with the appropriate attributes 13, 6, 'VLAN ID' and = and reply. I created my user and added it to the group/profile. I have Wireless Network VLAN support as well as 802.1x turned on for global switch settings. My SSID is set to the default VLAN. The switch port is trunked, allowing all VLANs. No matter what I do, I can't get assigned the appropriate VLAN per the profile/attribute settings. Could you please help steer me in the right direction?
In eap.conf on the FR server enabling tunneled reply for EAP-PEAP and EAP-TTLS solved my issue.
Thank you @@Perdue12345
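Putting the points from the two threads above into actual table rows (the MAC is a lookup key rather than a credential, the 13/6/VLAN-ID reply attributes, and a restrictive DEFAULT profile for unknown devices): this is an added example, not the video's or the missingremote guide's own SQL, written against the stock FreeRADIUS 3.0 MySQL schema (radcheck, radusergroup, radgroupcheck, radgroupreply) that daloRADIUS also uses. The MAC format (lowercase, no separators, as both username and password), the group names, the sample user and the VLAN IDs 20 and 99 are assumptions; check the MAC format your Unifi controller is set to send.

```sql
-- Added example, not from the video or the missingremote guide.
-- Target: the stock FreeRADIUS 3.0 MySQL schema that daloRADIUS manages.
-- Assumptions: Unifi "RADIUS MAC Authentication" sends the client MAC as both
-- username and password, lowercase with no separators (controller setting);
-- VLAN 20 (staff) and VLAN 99 (guest) and all names below are made up.

-- 1. The per-device "credential" row. With MAC auth this is only a lookup key,
--    not a secret: anyone who can observe or guess the MAC can present it.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('aabbccddeeff', 'Cleartext-Password', ':=', 'aabbccddeeff');

-- 2. Map the device to a group. Groups are processed in ascending priority and
--    processing stops at the first match unless Fall-Through is set.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('aabbccddeeff', 'staff-vlan20', 1);

-- 3. Reply attributes the group returns in the Access-Accept. All three
--    Tunnel-* attributes are needed for an 802.1Q-capable NAS (here the Unifi
--    AP) to place the session in a VLAN. Numeric values 13 and 6 are
--    equivalent to the names VLAN and IEEE-802.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('staff-vlan20', 'Tunnel-Type',             ':=', 'VLAN'),
  ('staff-vlan20', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('staff-vlan20', 'Tunnel-Private-Group-ID', ':=', '20');

-- 4. Fallback for MACs not in the tables: the most restrictive VLAN. This is the
--    'DEFAULT' profile, enabled by default_user_profile = "DEFAULT" in
--    mods-available/sql. Auth-Type := Accept admits ANY unknown username, so
--    only use it on an SSID already protected by a PSK, never for real 802.1X.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('DEFAULT', 'guest-vlan99', 10);
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('guest-vlan99', 'Auth-Type', ':=', 'Accept');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('guest-vlan99', 'Tunnel-Type',             ':=', 'VLAN'),
  ('guest-vlan99', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('guest-vlan99', 'Tunnel-Private-Group-ID', ':=', '99');

-- 5. A real 802.1X (PEAP/MSCHAPv2) user rides the same group mechanism, but the
--    password is now an actual secret and the VLAN follows the person, not a
--    spoofable MAC. Sample user and password are made up.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('alice', 'Cleartext-Password', ':=', 'CorrectHorseBatteryStaple');
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('alice', 'staff-vlan20', 1);

-- 6. Verify what each principal will be handed back, in priority order.
SELECT ug.username, ug.priority, ug.groupname, gr.attribute, gr.value
FROM radusergroup ug
JOIN radgroupreply gr ON gr.groupname = ug.groupname
WHERE gr.attribute = 'Tunnel-Private-Group-ID'
ORDER BY ug.username, ug.priority;
```

Run it against the freeRADIUS database with the mysql client; rlm_sql reads these tables on every request, so no restart is needed. Two caveats a practitioner will hit: for 802.1X users the Tunnel-* attributes are produced inside the TLS tunnel, so, as the reply above says, the peap and ttls sections of eap.conf need use_tunneled_reply = yes (newer 3.0.x releases do the same with a policy in the inner-tunnel virtual server) or the AP never sees them; and whether the DEFAULT profile is also applied to a user who already matched a group depends on the sql module's profile handling and any Fall-Through attribute, so confirm the behaviour with freeradius -X rather than assuming it.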
Thank you man! This video was super helpful.
Thanks! Very helpful!
Thanks for the video, very helpful. I have followed the process but hit a wall at daloradius. I am getting an error that library/daloradius.conf.php does not exist.
I have gone back and checked, and all steps were followed?
I did a little looking into this, it might be an issue with the latest version of daloRADIUS (github.com/lirantal/daloradius/issues/426).
@@MissingRemote if you use the download v1.3 and adjust the unzip and mv instructions as required, everything works perfect! 🙂
Thank you very much for taking the time to make this video
I have a question
Can this RADIUS server be used to login Mikrotik users?
I mean, is it possible to authenticate Mikrotik login users through this RADIUS server?
And if possible, can they be limited to single users?
My general purpose is to use SSH VPN tunnel
Sorry, I have no experience with Mikrotik hardware.
Hello this works and it is very helpful THANK YOU:) but I have a short scenario for all of us.
What if the user has 2 assigned VLANs in daloradius/freeradius (Profile), VLAN10 and VLAN20? Freeradius always gives him the first VLAN, VLAN10, no matter what.
How do you determine when and which VLAN is added, depending on some kind of rule or check attribute?
Maybe some kind of rule: when X then VLAN10, when Y then VLAN20. It especially helps when you have many Unifi SSIDs with different subnets, VLANs etc.
Thanks:)
Something is going wrong in the matching rules if you're getting two VLANs back. I've never run across that issue, but I have to think the problem is with the SQL query which returns the rows. Running freeRADIUS in user space so you can see what it's doing in real time is going to be the best way to figure that problem out.
@@MissingRemote Hello, I'm always getting the first VLAN added back. Only the first one, even though the user has many VLANs in the profile group. I need to find a way to get back a specific VLAN, not always the first. I will stay in touch with the results.
Do you do freelancing? I need OpenVPN/FreeRADIUS/daloRADIUS setup.
Many thanks. Best guide!
Hi, thank you for the great tutorial. I watched the entire video before starting on my Raspberry Pi. One quick question: when I try to install mysql server I get this response: "Package mysql-server is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source. However the following packages replace it: mariadb-server-10.0". Has mysql been replaced? And if so, can I still follow the information you provided here with MariaDB (you were saying in the video that it might cause some problems down the line, that's why I was trying to stick with what you did)? Again thank you and great tutorial.
Yep, you should be fine with mariadb. I expect the issues I was having are probably x86-specific; the rPi would use the ARM build.
I have received access-reject while testing the user connection that I made in daloradius.. do you know how to solve it?
I would double check the credentials. They are case sensitive.
how? is there a solution?
Hello! Please help me! I watched your video until 10:23 and then you switch from the terminal to MySQL Workbench. Question: could I continue in the Ubuntu terminal without switching to MySQL Workbench, and the second question is how do I do this?
Yep. You just need to run the SQL commands I showed using the mysql command line.
@@MissingRemote I launched the command line with mysql -u root -p. Now what should I write there? You can write it in turn, and I really need to finish this work. Please help; tell me what time you will be free, I will open remote access to my computer and you can connect to finish my work with the databases. Please, help.
@@farruxubaydullayev2739 You would use the commands I show in the video. It doesn't matter if you use a GUI tool or the command line. The process is the same.
Hi
Can you do dynamic VLAN with a Cisco switch,
or the VMPS server in freeradius?
Many Cisco (and other OEMs as well) support VLAN assignment via RADIUS response messages. You would want to check the documentation for your specific switch to know whether it does.
such well done video, awesome detail! very helpful!
Very good make more stuff like this.
Excuse me, if you need to install daloradius for freeradius+openLDAP+802.1x, is there any difference from the operation method you mentioned in the video?
Should be the same.
@@MissingRemote Thank you for your reply. I have a problem now. I don't have openLDAP user data yet. I built daloradius and the database, and created users in daloradius. When I tested 802.1x authentication, the user could join the wireless normally, but daloradius does not show that the user is online. How do I deal with this?
hello friend, is there any way to know in which vlan the equipment is located, I would appreciate it
I'm not sure I understand the question.
@@MissingRemote Excuse me, how could I see what mac address is associated with a certain vlan, see the vlan connections in other words
@@luantony12 I thought that I had documented this, but I can't find it anywhere so I must not have. I do this by modifying the post-auth section of queries.conf to modify the VALUES section to include the VLAN assignment. So change '%{reply:Packet-Type}', \ to '%{reply:Packet-Type} (%{reply:Tunnel-Private-Group-ID})', \.
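As an added example (not part of the reply above or of the guide), the queries a practitioner would run once that post-auth change is in place, so that the VLAN each MAC was actually placed in (radpostauth) can be compared with the VLAN it is configured for (the group tables). The sample rows are constructed to look like what the modified post-auth query writes; the MACs, VLAN IDs and timestamps are made up.

```sql
-- Added example, not from the video or the missingremote guide.
-- Assumes the post-auth query in
-- /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf was changed as
-- described above, so the reply column reads e.g. 'Access-Accept (20)', and
-- that the stock FreeRADIUS 3.0 MySQL schema is in use.

-- Constructed rows shaped like what the modified query inserts. The pass
-- column is whatever User-Password arrived; with MAC auth that is just the MAC.
INSERT INTO radpostauth (username, pass, reply, authdate) VALUES
  ('aabbccddeeff', 'aabbccddeeff', 'Access-Accept (20)', '2024-11-21 09:15:02'),
  ('112233445566', '112233445566', 'Access-Accept (99)', '2024-11-21 09:16:40'),
  ('aabbccddeeff', 'aabbccddeeff', 'Access-Reject ()',   '2024-11-21 09:17:11');

-- Observed side: the latest VLAN each MAC was accepted into.
-- SUBSTRING_INDEX pulls the number out of 'Access-Accept (20)'.
SELECT p.username AS mac,
       SUBSTRING_INDEX(SUBSTRING_INDEX(p.reply, '(', -1), ')', 1) AS vlan,
       p.authdate
FROM radpostauth p
JOIN (SELECT username, MAX(authdate) AS last_accept
      FROM radpostauth
      WHERE reply LIKE 'Access-Accept (%'
      GROUP BY username) l
  ON l.username = p.username AND l.last_accept = p.authdate
ORDER BY p.authdate DESC;

-- "Who has ever landed on VLAN 20" (the question in the thread above).
SELECT DISTINCT username AS mac
FROM radpostauth
WHERE reply = 'Access-Accept (20)';

-- Configured side, for comparison. A MAC whose last observed VLAN differs from
-- its configured one points at a stale group row, a second device using the
-- same MAC, or a spoofed MAC, which is exactly what you want to notice.
SELECT ug.username AS mac, ug.groupname, gr.value AS configured_vlan
FROM radusergroup ug
JOIN radgroupreply gr ON gr.groupname = ug.groupname
WHERE gr.attribute = 'Tunnel-Private-Group-ID'
ORDER BY ug.username, ug.priority;
```

One caveat on the stock post-auth query: its pass column stores the User-Password in cleartext. For MAC authentication that is only the MAC, but if the same server ever handles PAP logins with real passwords, drop that column from the INSERT rather than keeping credentials in the log table.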
When I enter the password for mysql no matter what I put, I always get an error, how can I solve it?
You need to have root to set the password, are you running as root?
Great video, step-by-step tutorial. You have made it look very simple compared to other video channels or online tutorials. However, the Missingremote commands link is broken. Please do respond with a working link.
Not sure what happened there. Link fixed in the description and here it is too ->
www.missingremote.com/guide/2020/05/setup-freeradius-mysql-daloradius-for-dynamic-vlan-assignment-on-unifi
@@MissingRemote excellent thanks for the tutorial... do you teach on udemy?
@@johnthoithi5052 Nope. Just a random geek :).
I'm pretty sure I've configured this as shown, but when trying to get a client on the default VLAN I'm getting
Aug 27 19:08:57 UBNT daemon.notice switch: DOT1X: EAP message not received from server.RADIUS server did not send required EAP message.
Any ideas?
Assuming you've already double checked the configuration on the freeradius and unifi servers. Start at the beginning (even if you've already done that) and find the place where it breaks.
1) run freeradius in the user space so you can see the messages
2) test auth with a valid mac using radtest
3) ssh into the AP and get the log going
4) try connecting
Only move to the next step if the one before worked. If you are still having issues, email the logs (freeradius & AP), and I can have a look.
Thank you!
How do i connect this radius to the edgerouter?
help.ui.com/hc/en-us/articles/115010185167-EdgeRouter-RADIUS-User-Authentication
@@MissingRemote thanks!!
Just curious if you could tell me what I might do to get this working correctly. I enabled the DEFAULT profile and set the user-group mapping to a group profile that I defined some default parameters for unauthenticated users to get. That works fine. It sets auth-type := Accept, a 5M rate limit, and a default pool separate from other users to get an IP from. The problem is though it checks every user, even ones I have specific usernames and groups set up for that follow different rules. This messes up my specific created users. I tried to set the priority of the group profile to 5 so it would check other groups first and ignore the default if it is a created user that matches, however this didn't fix it. Still every user inherits the DEFAULT settings if the profile is enabled.
How can I make it so the default user profile only initiates if it doesn't match an already existing user?
In my setup, DEFAULT only applies if one of the other groups doesn't match. I don't know if that's because I modified the way the queries work to provide the functionality I wanted, or if there's some other configuration difference. IIRC, group matching is controlled using the SQL queries embedded in the config files. Whatever the behavior is, you should be able to change it to work the way you want by changing the queries to return the values you want. When I was trying to figure out how to make freeRADIUS work the way I wanted, I had it output the logs to the terminal so I could see the queries and behaviors, then took those queries into MySQL Workbench to modify them to do what I wanted. That approach should work here as well.
@@MissingRemote What file did you modify to change the way the queries work? This is a brand new setup so we haven't modified anything yet. Would you mind, if it's not too much of an issue, posting the code you set up to do that? I'm good enough to get around and do things in Linux but I'm not terribly good with programming or scripting.
@@KarlKeim /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
The various commands and file references can be found here : www.missingremote.com/guide/2020/05/setup-freeradius-mysql-daloradius-for-dynamic-vlan-assignment-on-unifi
@@MissingRemote Thanks so much. I appreciate it.
When I log into dalo it says that the DB cannot be found. Ran the commands again and checked .conf.php.sample (how it came in my install). Any suggestions?
Assuming you can connect to the DB from the cmd line using the credential set, I would double check the sql file to ensure that the protocol and connection details are configured correctly.
have you fixed it, my problem is similar
@@buildpcngu4623 I was not able to fix it. Everything was put in right. I ended up just writing a web page with some php to update the database.
Hello sir, very nice tutorial. Can I ask for a little help with "Setup freeRADIUS + mySQL + daloRADIUS + unifi controller on raspberry pi 3b+", application home network? Thank you.
Using the rPi should be the same as any other Debian (or Ubuntu) based install. I don't think the underlying platform architecture differences (ARM vs x86-64) would matter.
@@MissingRemote Hi sir, thank you very much, but I guess the Unifi controller won't work on Ubuntu 20.04 because MongoDB is no longer supported, so I have to invest in another rPi separately. Again thank you so much, very big help understanding daloRadius :)
I run one of my controllers on Ubuntu 20.04. I don't remember doing anything special to get it installed.
@@MissingRemote Hello sir, this is what I followed to install the Unifi controller: "community.ui.com/questions/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller-and-Pi-hole-from-scratch-headless/e8a24143-bfb8-4a61-973d-0b55320101dc". After running the command "dpkg -i unifi_sysvinit_all.deb; sudo apt-get install -f -y" I got this error message: " The following packages will be REMOVED:
unifi
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
1 not fully installed or removed.
After this operation, 281 MB disk space will be freed.
(Reading database ... 102796 files and directories currently installed.)
Removing unifi (6.0.27-14276-1) ...
"
@@renerexrasimo8211 It could be that I'm running the 5.14.x controller, not 6.0.27. Let me see if I can reproduce on a VM; I don't have an rPi 3/4 handy to test it with.