Upgrading Ubuntu 16.04 installation of privacyIDEA from FreeRADIUS 2.2.8 to FreeRADIUS 3.0.15+


#1

Assistance credit goes to Cornelius for his article on CentOS 7, which provided the starting point for these steps.
Two-Factor-Authentication with OTP on CentOS 7 - privacyID3A

These steps assume that you haven’t made many changes to the configuration files within FreeRADIUS, however in most cases you can retrieve your changes from the files that are backed up in the first couple of steps and re-implement them in the new files.
All of these steps are meant to be executed either from an SSH session or via a direct terminal session on your privacyIDEA server.

  1. Backup your files. The following commands copy all of the FreeRADIUS config files, the perl module config file and the perl module itself to a folder called radiusfiles in your home directory.

cd ~
mkdir radiusfiles
cd radiusfiles
sudo cp -r /etc/freeradius .
cp /usr/share/privacyidea/freeradius/privacyidea_radius.pm .
sudo cp /etc/privacyidea/rlm_perl.ini .

  1. Use apt-get to remove FreeRADIUS 2.2.8, add the FreeRADIUS 3.0 Repository and install FreeRADIUS 3.0.15+

apt-get purge libfreeradius2 freeradius-common
sudo rm -rf /etc/freeradius
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt-get update
sudo apt-get install freeradius
sudo systemctl enable freeradius.service
sudo systemctl start freeradius

  1. Copy the perl module and settings files into appropriate locations.

sudo cp privacyidea_radius.pm /etc/freeradius/mods-config/perl/
sudo cp rlm_perl.ini /etc/privacyidea/

  1. Edit the mods-available file (located in /etc/freeradius/mods-available/perl). Comment out the example.pl entry and create a new entry pointed to the privacyIDEA perl module.

#filename = ${modconfdir}/${.:instance}/example.pl
filename = ${modconfdir}/${.:instance}/privacyidea_radius.pm

  1. Edit the clients.conf file located in /etc/freeradius/clients.conf. Use your previous clients.conf file as a sample, but make sure to alter entries that have the IP address in the name to have the IP address inside the config block instead.
    Change entries like this:

client 192.168.0.0/16 {
secret = some-secret1234
}

To this:

client local192 {
ipaddr = 192.168.0.0/16
secret = some-secret1234
}

  1. Edit the privacyidea RADIUS settings file. It will be a new file located at /etc/freeradius/sites-available/privacyidea
    Paste the following block of text into the new file.

server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
authorize {
preprocess
digest
suffix
ntdomain
files
expiration
logintime
pap
update control {
Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
digest
}
preacct {
suffix
files
}
accounting {
detail
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
}

  1. Run these commands to enable the perl module and remove the unprotected default sites

sudo ln -s /etc/freeradius/mods-available/perl /etc/freeradius/mods-enabled/
sudo ln -s /etc/freeradius/sites-available/privacyidea /etc/freeradius/sites-enabled/
sudo rm /etc/freeradius/sites-enabled/default
sudo rm /etc/freeradius/sites-enabled/inner-tunnel
sudo rm /etc/freeradius/mods-enabled/eap

  1. Restart the FreeRADIUS service and you can be on your way!

sudo service freeradius restart