How to Install FreeRADIUS on Ubuntu


FreeRADIUS stands as the world’s most popular open-source RADIUS server, powering authentication, authorization, and accounting (AAA) services for millions of users worldwide. If you’re managing a network infrastructure and need robust user authentication, you’ve likely encountered the need for a reliable RADIUS solution.

Understanding RADIUS Protocol

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. Think of it as a digital bouncer for your network – it decides who gets in, what they can access, and keeps track of their activities.

The protocol operates on a client-server model where network access servers (NAS) act as clients, forwarding user credentials to a RADIUS server for authentication. This centralized approach eliminates the need to maintain user databases on multiple devices, significantly simplifying network management.

Key Benefits of FreeRADIUS

FreeRADIUS offers several compelling advantages that make it the go-to choice for network administrators:

Cost-Effectiveness: Unlike proprietary RADIUS solutions that can cost thousands of dollars, FreeRADIUS is completely free and open-source, making it accessible to organizations of all sizes.

Scalability: The server can handle thousands of simultaneous authentication requests, making it suitable for everything from small office networks to enterprise-level deployments.

Flexibility: Support for multiple authentication methods including PAP, CHAP, MS-CHAP, EAP, and various database backends ensures compatibility with diverse network environments.

Active Development: With a vibrant community of developers and regular updates, FreeRADIUS stays current with evolving security standards and networking technologies.

Prerequisites for Installing FreeRADIUS

Before diving into the installation process, let’s ensure your system meets the necessary requirements and you have the proper access levels.

System Requirements

Your Ubuntu system should have at least 1GB of RAM and 2GB of available disk space for a basic FreeRADIUS installation. While these are minimal requirements, I recommend having 2GB of RAM and 5GB of disk space for optimal performance, especially if you plan to integrate with databases or handle high authentication volumes.

You’ll also need root or sudo access to install packages and modify system configurations. Most Ubuntu installations include sudo access for the primary user, but verify this before proceeding.

Ubuntu Version Compatibility

FreeRADIUS works excellently on Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS, and the latest Ubuntu versions. The LTS (Long Term Support) versions are particularly recommended for production environments due to their extended support lifecycle and stability.

For this guide, I’ll use Ubuntu 22.04 LTS as the reference system, but the commands and procedures remain largely identical across recent Ubuntu versions.

Preparing Your Ubuntu System

Proper system preparation ensures a smooth installation process and helps avoid potential conflicts or issues down the line.

Updating Package Lists

Start by updating your package lists to ensure you’re working with the latest available software versions:

sudo apt update
sudo apt upgrade -y

These commands refresh the package database and upgrade any outdated system packages. The -y flag automatically confirms upgrade prompts, streamlining the process.

Installing Essential Dependencies

FreeRADIUS requires several supporting packages to function correctly. Install these dependencies before proceeding with the main installation:

sudo apt install build-essential libtalloc-dev libssl-dev -y

These packages provide compilation tools and essential libraries that FreeRADIUS uses for various operations, including SSL/TLS encryption and memory management.

Installing FreeRADIUS on Ubuntu

Now comes the main event – installing FreeRADIUS itself. Ubuntu’s package repositories include pre-compiled FreeRADIUS packages, making installation straightforward.

Using APT Package Manager

Execute the following command to install FreeRADIUS and its utilities:

sudo apt install freeradius freeradius-utils -y

This command installs both the core FreeRADIUS server and the accompanying utilities needed for testing and management. The installation process typically takes 2-3 minutes, depending on your internet connection speed.

During installation, the system automatically creates a freerad user account and configures basic service settings. The FreeRADIUS service starts automatically upon installation completion.

Verifying the Installation

Confirm that FreeRADIUS installed correctly and is running:

sudo systemctl status freeradius

You should see output indicating that the service is active and running. If the service isn’t running, start it manually:

sudo systemctl start freeradius
sudo systemctl enable freeradius

The enable command ensures FreeRADIUS starts automatically during system boot.

Basic FreeRADIUS Configuration

With FreeRADIUS installed, you’ll need to configure it for your specific environment. The configuration process involves several key files that control different aspects of server behavior.

Understanding Configuration Files

FreeRADIUS stores its configuration files in the /etc/freeradius/3.0/ directory. The most important files include:

  • radiusd.conf: Main server configuration
  • clients.conf: Defines RADIUS clients (NAS devices)
  • users: Contains user authentication information
  • sites-available/default: Default virtual server configuration

These files use a straightforward syntax that’s both human-readable and highly customizable.

Configuring Clients

RADIUS clients are the network devices (like wireless access points or VPN servers) that forward authentication requests to your FreeRADIUS server. Edit the clients configuration file:

sudo nano /etc/freeradius/3.0/clients.conf

Add a new client entry at the end of the file:

client wireless_ap {
    ipaddr = 192.168.1.100
    secret = your_shared_secret_here
    require_message_authenticator = yes
    nas_type = other
}

Replace 192.168.1.100 with your actual client device IP address and choose a strong shared secret. This shared secret acts as a password between the RADIUS server and client, so make it complex and unique.
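
The checks this step implies (a strong, unique secret and require_message_authenticator = yes on every client), as an added shell example that is not part of the original guide or of FreeRADIUS: it parses the client blocks and flags the default testing123 secret, short secrets, and clients that do not require the Message-Authenticator. MIN_SECRET_LEN, the function names and the vpn_gw client are assumptions made for illustration.

```bash
# Added example: audit the client blocks of a FreeRADIUS clients.conf.
MIN_SECRET_LEN=16   # assumed local policy, not a FreeRADIUS setting

# 32 hex characters (128 random bits) for use on a secret = line.
gen_secret() { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Prints "client<TAB>finding" per problem; prints nothing for a clean file.
# Simplification: a "#" inside a secret is treated as a comment start.
audit_clients() {
    awk -v minlen="$MIN_SECRET_LEN" '
    function value(line) {
        sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
        gsub(/^"|"$/, "", line); return line
    }
    function report(msg) { printf "%s\t%s\n", name, msg }
    { sub(/#.*/, "") }
    !depth && /^[ \t]*client[ \t]+[^ \t{]+[ \t]*\{/ {
        name = $2; sub(/\{.*/, "", name)
        depth = 1; secret = ""; msgauth = ""; next
    }
    depth && /^[ \t]*secret[ \t]*=/ { secret = value($0); next }
    depth && /^[ \t]*require_message_authenticator[ \t]*=/ { msgauth = value($0); next }
    depth && /\{/ { depth++ }      # nested section such as limit { }
    depth && /\}/ {
        if (--depth > 0) next
        if (secret == "") report("no secret set")
        else if (secret == "testing123") report("default secret testing123")
        else if (length(secret) < minlen) report("secret shorter than " minlen " characters")
        if (msgauth != "yes") report("require_message_authenticator is not yes")
    }' "$1"
}

# Constructed sample input, not taken from a real deployment.
sample_conf=$(mktemp)
cat > "$sample_conf" <<EOF
client localhost {
    secret = testing123
}
client wireless_ap {
    ipaddr = 192.168.1.100
    secret = $(gen_secret)
    require_message_authenticator = yes
    limit { max_connections = 16 }
}
client vpn_gw {
    secret = hunter2
    require_message_authenticator = no
}
EOF
audit_clients "$sample_conf"
```

To check a live server, pass /etc/freeradius/3.0/clients.conf to audit_clients from an account that can read the file.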

Setting Up Users

For basic testing, you can define users directly in the users file:

sudo nano /etc/freeradius/3.0/users

Add test users before the DEFAULT entries:

testuser Cleartext-Password := "testpass"
    Reply-Message := "Hello %{User-Name}, welcome to the network!"

admin Cleartext-Password := "admin123"
    Reply-Message := "Administrative access granted"

These entries create two test users with cleartext passwords. In production environments, you’ll want to use more secure authentication methods or database integration.

Advanced Configuration Options

While basic configuration suffices for simple deployments, advanced options unlock FreeRADIUS’s full potential for complex environments.

Database Integration

For larger deployments, storing user information in a database offers better scalability and management capabilities. FreeRADIUS supports MySQL, PostgreSQL, SQLite, and other database systems.

To configure MySQL integration, first install the MySQL module:

sudo apt install freeradius-mysql mysql-server -y

Create a dedicated database and user for FreeRADIUS:

CREATE DATABASE radius;
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radiuspassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost';
FLUSH PRIVILEGES;

Import the FreeRADIUS schema:

mysql -u radius -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Enable the SQL module by creating a symbolic link:

sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

SSL/TLS Configuration

For secure authentication methods like EAP-TLS, you’ll need to configure SSL certificates. FreeRADIUS includes default certificates for testing, but production environments require proper certificates.

Certificate Management

Generate your own certificates using the provided scripts:

cd /etc/freeradius/3.0/certs
sudo make

This creates a complete certificate authority (CA) and server certificates. For production use, consider obtaining certificates from a trusted CA or implementing your own PKI.

Testing Your FreeRADIUS Installation

Thorough testing ensures your FreeRADIUS server functions correctly before deploying it in production.

Local Authentication Testing

Use the radtest utility to perform local authentication tests:

radtest testuser testpass localhost 1812 testing123

This command sends an authentication request for user “testuser” with password “testpass” to the local RADIUS server. The “testing123” parameter is the shared secret defined in clients.conf for the localhost client.

A successful authentication returns:

Received Access-Accept packet from server 127.0.0.1:1812

If authentication fails, you’ll receive an Access-Reject packet instead.

Remote Client Testing

To test from a remote client, ensure your firewall allows traffic on UDP ports 1812 (authentication) and 1813 (accounting):

sudo ufw allow 1812/udp
sudo ufw allow 1813/udp

From a remote system with RADIUS client tools installed, test connectivity:

radtest username password radius_server_ip 1812 shared_secret

Common Use Cases for FreeRADIUS

Understanding typical FreeRADIUS deployments helps you leverage its capabilities effectively.

Wi-Fi Authentication

One of the most common FreeRADIUS applications is Wi-Fi authentication using WPA2-Enterprise or WPA3-Enterprise. This setup provides individual user credentials instead of shared passwords, significantly improving security.

Configure your wireless access points to use your FreeRADIUS server for authentication, and users will need to provide their credentials when connecting to the network.

VPN Access Control

FreeRADIUS integrates seamlessly with VPN solutions like OpenVPN, IPsec, and others. This integration allows centralized user management and detailed logging of VPN access attempts.

Network Device Management

Many network devices support RADIUS authentication for administrative access. This means network administrators can use their centralized credentials to access switches, routers, and other infrastructure devices.

Troubleshooting Common Issues

Even with careful configuration, you might encounter issues. Here are solutions to common problems.

Port Conflicts

If FreeRADIUS fails to start due to port conflicts, check what’s using the RADIUS ports (ss ships with Ubuntu; netstat needs the net-tools package):

sudo ss -ulnp | grep :1812
sudo ss -ulnp | grep :1813

If another service is using these ports, either stop that service or configure FreeRADIUS to use alternative ports.

Permission Problems

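FreeRADIUS runs as the freerad user, which must have appropriate permissions to read configuration files and write log files. If you encounter permission errors, reset ownership and modes. Use a symbolic mode rather than a flat 640: directories need the execute bit to be traversable, and a recursive 640 would lock the server out of its own configuration tree.

sudo chown -R freerad:freerad /etc/freeradius/3.0/
sudo chmod -R u=rwX,g=rX,o= /etc/freeradius/3.0/

This leaves directories at 750 and regular files at 640, while scripts that were already executable stay executable.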

Configuration Errors

When configuration changes cause startup failures, check the FreeRADIUS logs for detailed error messages:

sudo tail -f /var/log/freeradius/radius.log

You can also run FreeRADIUS in debug mode to see detailed startup information:

sudo freeradius -X

Security Best Practices

Implementing proper security measures protects your RADIUS infrastructure from attacks and unauthorized access.

Firewall Configuration

Configure your firewall to only allow RADIUS traffic from trusted sources:

sudo ufw allow from 192.168.1.0/24 to any port 1812 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 1813 proto udp

This example allows RADIUS traffic only from the 192.168.1.0/24 network. Adjust the network range to match your environment.

User Access Management

Implement strong password policies and consider using certificate-based authentication for enhanced security. Regularly audit user accounts and remove unnecessary access.

Performance Optimization Tips

For high-traffic environments, several optimizations can improve FreeRADIUS performance:

Database Connection Pooling: Configure multiple database connections to handle concurrent requests efficiently.

Caching: Enable attribute caching to reduce database queries for frequently accessed user information.

Load Balancing: Deploy multiple FreeRADIUS servers behind a load balancer for redundancy and increased capacity.

Resource Monitoring: Regularly monitor CPU, memory, and network usage to identify bottlenecks before they impact performance.

Alternatives to FreeRADIUS

While FreeRADIUS is excellent for most use cases, consider these alternatives for specific requirements:

Microsoft NPS (Network Policy Server): Ideal for Windows-centric environments with Active Directory integration.

Cisco ISE (Identity Services Engine): Enterprise-grade solution with advanced policy management and threat detection.

ClearPass: Aruba’s comprehensive network access control platform.

PacketFence: Open-source network access control solution with captive portal capabilities.

Frequently Asked Questions

Q1: Can I install FreeRADIUS on Ubuntu without root access?
A: No, FreeRADIUS installation requires root or sudo privileges because it needs to install system packages, create user accounts, and modify system configuration files. However, once installed, day-to-day administration can be performed with limited privileges.

Q2: How many users can FreeRADIUS handle simultaneously?
A: FreeRADIUS can handle thousands of concurrent authentication requests, depending on your hardware specifications and configuration. A modest server with 4GB RAM can typically handle 500-1000 simultaneous authentications, while enterprise hardware can support tens of thousands.

Q3: Is it safe to use FreeRADIUS with default certificates in production?
A: No, never use default certificates in production environments. Default certificates are widely known and provide no security. Always generate your own certificates or obtain them from a trusted certificate authority for production deployments.

Q4: Can FreeRADIUS integrate with Active Directory?
A: Yes, FreeRADIUS can integrate with Active Directory through LDAP authentication or by using the winbind module. This allows you to leverage existing Windows user accounts and groups for RADIUS authentication.

Q5: What’s the difference between authentication ports 1812 and 1813?
A: Port 1812 handles authentication and authorization requests, determining whether users can access the network and what permissions they have. Port 1813 handles accounting requests, which track user session information like login/logout times and data usage for billing or monitoring purposes.

Marshall Anthony is a professional Linux DevOps writer with a passion for technology and innovation. With over 8 years of experience in the industry, he has become a go-to expert for anyone looking to learn more about Linux.
