
Deploying an Active-Active FreeRadius Cluster with MySQL NDB or Galera

Ashraf Sharif


MySQL Cluster is a popular backend for FreeRADIUS, as it provides a scalable backend to store user and accounting data. However, there are situations when the backend database becomes a centralized datastore for additional applications and services, and needs to take a more general-purpose role. NDB usually works very well for FreeRADIUS data, but for wider use cases and reporting type applications, InnoDB can be a better storage engine. For users who need to keep their data in InnoDB and still benefit from a highly available clustered datastore, Galera Cluster can be an appropriate alternative.

In this post, we will show you how to deploy FreeRadius both with MySQL Cluster and Galera Cluster to store user and accounting data. All servers are running CentOS 6.4 64bit.

FreeRadius Deployment with Galera

We will deploy a two-node FreeRadius cluster running in dual active mode, communicating with a three-node Galera Cluster through load balancers (HAproxy) with automatic IP failover using a virtual IP (Keepalived). Both FreeRadius nodes are able to serve RADIUS queries from clients. The following figure illustrates the architecture:

Our hosts definition in all nodes:

192.168.197.150		virtual_ip
192.168.197.141		freeradius1 haproxy1
192.168.197.142		freeradius2 haproxy2 clustercontrol
192.168.197.151		galera1
192.168.197.152		galera2
192.168.197.153		galera3

Deploying MySQL Galera Cluster, HAproxy and Keepalived (Virtual IP)

1. Use the Galera Configurator to deploy a three-node Galera Cluster. Use galera1, galera2 and galera3 for the MySQL nodes, and freeradius2 (192.168.197.142) for the Clustercontrol node.

Once deployed, enable passwordless SSH from the Clustercontrol node to freeradius1 so Clustercontrol can provision the node:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.197.141

2. Add haproxy1 and haproxy2 into load balancing set by using Add Load Balancer wizard.

3. Install Keepalived and configure an appropriate virtual IP for HAproxy failover, similar to screenshot below:

At the end of the deployment, the top summary bar in the Clustercontrol UI should look like the below:

4. Create a schema for FreeRadius by using Manage >> Schema and Users >> Create a database called “radius”. Then assign all privileges to the schema with a wildcard host (‘%’).

At the moment, MySQL Galera Cluster is load balanced with virtual IP, 192.168.197.150 listening on port 33306.

Installing FreeRadius

The following steps should be performed on freeradius1 and freeradius2 unless specified otherwise.

1. Install FreeRadius and mysql client packages on freeradius1:

$ yum install -y freeradius freeradius-mysql freeradius-utils mysql

On freeradius2, install FreeRadius packages without mysql client package (Clustercontrol had it installed already):

$ yum install -y freeradius freeradius-mysql freeradius-utils

2. On freeradius1, import FreeRadius MySQL tables:

$ for i in /etc/raddb/sql/mysql/*.sql; do mysql -f -uradius -pradiuspassword -h virtual_ip -P33306 radius < "$i"; done

3. On freeradius1, connect to the MySQL server to alter some tables to suit Galera Cluster:

$ mysql -uradius -p -h virtual_ip -P33306

We need to convert table cui storage engine to InnoDB and add an auto-increment primary key column in radusergroup table:

ALTER TABLE radius.cui ENGINE='InnoDB';
ALTER TABLE radius.radusergroup ADD COLUMN `id` BIGINT PRIMARY KEY AUTO_INCREMENT NOT NULL FIRST;
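The two statements above are the fixes for the stock FreeRADIUS schema; Galera needs the same two properties (InnoDB engine, explicit primary key) on every replicated table, so a practitioner will want to check the whole schema rather than remember which tables are affected. The following Python is an added example, not code from the original post or from the FreeRADIUS or Galera projects. It generalizes the page's two ALTERs: a catalog query over information_schema yields one row per table, and galera_fixes() emits the needed DDL for any table that is not InnoDB or has no primary key. The query text, the %s parameter style and the DB-API helper are assumptions (they match pymysql); SAMPLE_ROWS is constructed to mirror the imported FreeRADIUS schema and is not output captured from the cluster.

```python
import re

# Assumed catalog query: one (table_name, engine, has_pk) row per base table
# in the schema passed as the single %s parameter ("radius" on this page).
TABLE_QUERY = """
SELECT t.TABLE_NAME, t.ENGINE,
       EXISTS (SELECT 1 FROM information_schema.TABLE_CONSTRAINTS c
                WHERE c.TABLE_SCHEMA = t.TABLE_SCHEMA
                  AND c.TABLE_NAME   = t.TABLE_NAME
                  AND c.CONSTRAINT_TYPE = 'PRIMARY KEY') AS has_pk
  FROM information_schema.TABLES t
 WHERE t.TABLE_SCHEMA = %s AND t.TABLE_TYPE = 'BASE TABLE'
"""

# Constructed sample modelled on the stock FreeRADIUS MySQL schema after import.
SAMPLE_ROWS = [
    ("radacct", "InnoDB", 1),
    ("radcheck", "InnoDB", 1),
    ("radgroupcheck", "InnoDB", 1),
    ("radgroupreply", "InnoDB", 1),
    ("radreply", "InnoDB", 1),
    ("radusergroup", "InnoDB", 0),  # no primary key in the stock schema
    ("radpostauth", "InnoDB", 1),
    ("nas", "InnoDB", 1),
    ("cui", "MyISAM", 1),           # stock schema creates cui as MyISAM
]

IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def quote(name):
    """Accept only plain identifiers before splicing catalog names into DDL."""
    if not IDENT.match(name):
        raise ValueError(f"unexpected identifier {name!r}")
    return f"`{name}`"


def galera_fixes(schema, rows):
    """Return the ALTER statements that make every table Galera-safe:
    InnoDB engine and an explicit (auto-increment) primary key."""
    fixes = []
    for table, engine, has_pk in rows:
        target = f"{quote(schema)}.{quote(table)}"
        if (engine or "").upper() != "INNODB":
            fixes.append(f"ALTER TABLE {target} ENGINE='InnoDB';")
        if not has_pk:
            fixes.append(f"ALTER TABLE {target} ADD COLUMN `id` BIGINT "
                         "PRIMARY KEY AUTO_INCREMENT NOT NULL FIRST;")
    return fixes


def galera_fixes_from_connection(conn, schema):
    """Run TABLE_QUERY over a DB-API connection (assumed: pymysql-style cursor)
    and return the statements still needed for that schema."""
    with conn.cursor() as cur:
        cur.execute(TABLE_QUERY, (schema,))
        return galera_fixes(schema, cur.fetchall())


if __name__ == "__main__":
    for stmt in galera_fixes("radius", SAMPLE_ROWS):
        print(stmt)
```

Run against SAMPLE_ROWS the output is exactly the two statements on the page (the radusergroup key first, then the cui engine change); on a live connection the same function reports whatever is still outstanding, so it doubles as a post-migration check that nothing was missed.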

4. Open /etc/raddb/sql.conf and update the MySQL connection info accordingly:

        # Connection info:
        server = "virtual_ip"
        port = 33306
        login = "radius"
        password = "radiuspassword"

5. Find and uncomment the following line inside /etc/raddb/radiusd.conf under the modules section:

$INCLUDE sql.conf

6. Edit /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel and uncomment the line containing ‘sql’ in the authorize{}, accounting{} and session{} sections.

7. Generate a shared secret:

$ openssl rand -hex 10
4aceee54f42a249171ad

And update the secret value in /etc/raddb/clients.conf with the generated shared secret:

secret = 4aceee54f42a249171ad

8. Enable radiusd on boot and start the service:

$ chkconfig radiusd on
$ service radiusd start

That’s it. If you want to test your FreeRadius setup with Galera, scroll down to the ‘Testing’ section of this post.

FreeRadius Deployment with MySQL Cluster (NDB)

We will deploy a two-node FreeRadius cluster running on dual active mode, talking to a four-node MySQL Cluster through load balancers (HAproxy) with automatic IP failover using virtual IP (Keepalived). Both FreeRadius nodes would be able to serve RADIUS queries from clients. The following figure illustrates the architecture:

Our hosts definition in all nodes:

192.168.197.160		virtual_ip
192.168.197.141		freeradius1 haproxy1
192.168.197.142		freeradius2 haproxy2 clustercontrol
192.168.197.161		sql1 mgmd1
192.168.197.162		sql2 mgmd2
192.168.197.163		data1
192.168.197.164		data2

Deploying MySQL Cluster, HAproxy and Keepalived (Virtual IP)

1. Use our MySQL Cluster Configurator to deploy a three-node MySQL Galera Cluster. Once deployed, enable passwordless SSH from Clustercontrol node to freeradius1 so Clustercontrol can provision the node:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.197.141

2. Add haproxy1 and haproxy2 into load balancing set by using Add Load Balancer wizard.

3. Install Keepalived and configure an appropriate virtual IP for HAproxy failover, similar to the screenshot below:

At the end of the deployment, the top summary bar in the Clustercontrol UI should look like the below:

4. Create a schema for FreeRadius by using Manage >> Schema and Users >> Create Database called “radius”. Then assign all privileges to the schema with a wildcard host (‘%’).

At the moment, MySQL Cluster is load balanced with virtual IP, 192.168.197.160 listening on port 33306.

Installing FreeRadius

The following steps should be performed on freeradius1 and freeradius2 unless specified otherwise.

1. Install FreeRadius and mysql client packages on freeradius1:

$ yum install -y freeradius freeradius-mysql freeradius-utils mysql

On freeradius2, install FreeRadius packages without mysql client package (Clustercontrol had it installed already):

$ yum install -y freeradius freeradius-mysql freeradius-utils

2. On freeradius1, import FreeRadius MySQL tables for NDB:

$ for i in /etc/raddb/sql/ndb/*.sql; do mysql -f -uradius -pradiuspassword -h virtual_ip -P33306 radius < "$i"; done

3. Open /etc/raddb/sql.conf and update the MySQL connection info accordingly:

        # Connection info:
        server = "virtual_ip"
        port = 33306
        login = "radius"
        password = "radiuspassword"

4. Find and uncomment the following line inside /etc/raddb/radiusd.conf under the modules section:

$INCLUDE sql.conf

5. Edit /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel and uncomment the line containing ‘sql’ in the authorize{}, accounting{} and session{} sections.

6. Generate a shared secret:

$ openssl rand -hex 10
4aceee54f42a249171ad

And edit the secret value in /etc/raddb/clients.conf with the generated secret:

secret = 4aceee54f42a249171ad

7. Enable radiusd on boot and start the service:

$ chkconfig radiusd on
$ service radiusd start

That’s it, we’ve now installed FreeRadius with NDB Cluster. In the following section, we’ll test our setup.

Testing

Let’s create an FTP user and authenticate it against the external RADIUS servers through PAM. Connect to the MySQL server:

$ mysql -uradius -p -h virtual_ip -P 33306

And create an FTP user called ftp_user with password “myFTPpassword”:

mysql> INSERT INTO radius.radcheck (`username`, `attribute`, `op`, `value`) VALUES ('ftp_user','User-Password',':=','myFTPpassword');

To test it locally, use radtest command with the shared secret for localhost (which has been configured under /etc/raddb/clients.conf):

$ radtest ftp_user myFTPpassword localhost 0 4aceee54f42a249171ad

If it succeeds, you should get an Access-Accept packet as below:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=0, length=20
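What radtest does with that last argument, and why the shared secret matters on both ends, is easier to see in code than in packet dumps. The following Python is an added example, not code from the original post or from the FreeRADIUS project: it builds the same Access-Request radtest sends (User-Name plus a User-Password hidden with MD5 keyed by the secret and the Request Authenticator, RFC 2865), a minimal server side that unhides it and answers Access-Accept or Access-Reject, and the client-side check that the Response Authenticator verifies under the secret before the reply is trusted. The secret is the value generated on the page; USERS is a constructed stand-in for the radcheck row inserted above, and the server function is a teaching model, not FreeRADIUS's behaviour.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Secret as generated on the page; USERS is constructed sample data that
# stands in for the radcheck row, not a real user store.
SECRET = b"4aceee54f42a249171ad"
USERS = {b"ftp_user": b"myFTPpassword"}


def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: NUL-pad to a 16-octet multiple, XOR each block with
    # MD5(secret + previous block); the first block is keyed by the Request Authenticator.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(b ^ k for b, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    # Server side: undo hide_password and strip the NUL padding.
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(b ^ k for b, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype, value):
    # One type-length-value attribute; the length octet counts its own 2-byte header.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    # Decode the attribute list, rejecting truncated or zero-length TLVs.
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    # What radtest sends: 4-byte header, 16 random octets, then the attributes.
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def server_handle(packet, secret, users):
    # Teaching-model server: unhide the password, compare it in constant time,
    # answer Accept or Reject signed with the same secret.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    user, hidden = attrs.get(ATTR_USER_NAME, b""), attrs.get(ATTR_USER_PASSWORD)
    ok = user in users and hidden is not None and hmac.compare_digest(
        users[user], reveal_password(hidden, secret, request_auth))
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, b"", request_auth, secret)


def verify_reply(reply, request_auth, secret, expected_ident):
    # Client-side check before trusting a reply: matching ID, consistent length,
    # and a Response Authenticator that verifies under the shared secret.
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo(client_secret=SECRET):
    # Round trip equivalent to `radtest ftp_user myFTPpassword localhost 0 <secret>`;
    # the server always uses SECRET, so a client with another secret fails both ways.
    packet, request_auth = build_access_request(0, b"ftp_user", b"myFTPpassword", client_secret)
    reply = server_handle(packet, SECRET, USERS)
    return reply[0], verify_reply(reply, request_auth, client_secret, 0)


if __name__ == "__main__":
    print(demo())          # (2, True): Access-Accept with a verified authenticator
    print(demo(b"wrong"))  # (3, False): Access-Reject, and the reply does not verify
```

The two demo() calls show the property the radtest line relies on: with a mismatched secret the server cannot recover the password and the client cannot verify the reply, which is why every entry in clients.conf and pam_radius.conf below has to carry the same generated value.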

1. Install FTP server and PAM Radius module (available in EPEL repository):

$ rpm -Uhv http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
$ yum install -y vsftpd ftp pam_radius

2. Define the RADIUS hosts, shared secret and timeout value inside /etc/pam_radius.conf:

127.0.0.1       secret             1
192.168.197.141    4aceee54f42a249171ad       3
192.168.197.142    4aceee54f42a249171ad       3

3. Edit the /etc/pam.d/vsftpd to use PAM RADIUS authentication:

#%PAM-1.0
auth       required     pam_radius_auth.so
account    required     pam_radius_auth.so
session    required     pam_loginuid.so

4. Edit vsftpd configuration file, /etc/vsftpd/vsftpd.conf with following options:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
user_sub_token=$USER
local_root=/var/ftp/$USER
chroot_local_user=YES
hide_ids=YES
guest_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
log_ftp_protocol=YES
xferlog_std_format=NO
virtual_use_local_privs=YES
write_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

5. Create a default directory for ftp_user and assign correct permission:

$ mkdir /var/ftp/ftp_user
$ chown ftp.ftp /var/ftp/ftp_user

6. Restart vsftpd daemon:

$ service vsftpd restart

7. Add the following lines to /etc/raddb/clients.conf to allow the local network (including the FTP server) to query as a RADIUS client:

client 192.168.197.0/24 {
        secret         = 4aceee54f42a249171ad
        shortname      = local-network
}

8. Restart radiusd daemon:

$ service radiusd restart

9. Verify that authentication is working:

$ ftp 192.168.197.161
Connected to 192.168.197.161 (192.168.197.161).
220 (vsFTPd 2.2.2)
Name (192.168.197.161:root): ftp_user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Congratulations, you have now deployed and tested your highly available active-active FreeRadius Cluster!
