FreeRADIUS stands as the world’s most popular open-source RADIUS server, powering authentication, authorization, and accounting (AAA) services for millions of users worldwide. If you’re managing a network infrastructure and need robust user authentication, you’ve likely encountered the need for a reliable RADIUS solution.
Understanding RADIUS Protocol
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. Think of it as a digital bouncer for your network – it decides who gets in, what they can access, and keeps track of their activities.
The protocol operates on a client-server model where network access servers (NAS) act as clients, forwarding user credentials to a RADIUS server for authentication. This centralized approach eliminates the need to maintain user databases on multiple devices, significantly simplifying network management.
Key Benefits of FreeRADIUS
FreeRADIUS offers several compelling advantages that make it the go-to choice for network administrators:
Cost-Effectiveness: Unlike proprietary RADIUS solutions that can cost thousands of dollars, FreeRADIUS is completely free and open-source, making it accessible to organizations of all sizes.
Scalability: The server can handle thousands of simultaneous authentication requests, making it suitable for everything from small office networks to enterprise-level deployments.
Flexibility: Support for multiple authentication methods including PAP, CHAP, MS-CHAP, EAP, and various database backends ensures compatibility with diverse network environments.
Active Development: With a vibrant community of developers and regular updates, FreeRADIUS stays current with evolving security standards and networking technologies.
Prerequisites for Installing FreeRADIUS
Before diving into the installation process, let’s ensure your system meets the necessary requirements and you have the proper access levels.
System Requirements
Your Ubuntu system should have at least 1GB of RAM and 2GB of available disk space for a basic FreeRADIUS installation. While these are minimal requirements, I recommend having 2GB of RAM and 5GB of disk space for optimal performance, especially if you plan to integrate with databases or handle high authentication volumes.
You’ll also need root or sudo access to install packages and modify system configurations. Most Ubuntu installations include sudo access for the primary user, but verify this before proceeding.
Ubuntu Version Compatibility
FreeRADIUS works excellently on Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS, and the latest Ubuntu versions. The LTS (Long Term Support) versions are particularly recommended for production environments due to their extended support lifecycle and stability.
For this guide, I’ll use Ubuntu 22.04 LTS as the reference system, but the commands and procedures remain largely identical across recent Ubuntu versions.
Preparing Your Ubuntu System
Proper system preparation ensures a smooth installation process and helps avoid potential conflicts or issues down the line.
Updating Package Lists
Start by updating your package lists to ensure you’re working with the latest available software versions:
sudo apt update
sudo apt upgrade -y
These commands refresh the package database and upgrade any outdated system packages. The -y flag automatically confirms upgrade prompts, streamlining the process.
Installing Essential Dependencies
FreeRADIUS requires several supporting packages to function correctly. Install these dependencies before proceeding with the main installation:
sudo apt install build-essential libtalloc-dev libssl-dev -y
These packages provide compilation tools and essential libraries that FreeRADIUS uses for various operations, including SSL/TLS encryption and memory management.
Installing FreeRADIUS on Ubuntu
Now comes the main event – installing FreeRADIUS itself. Ubuntu’s package repositories include pre-compiled FreeRADIUS packages, making installation straightforward.
Using APT Package Manager
Execute the following command to install FreeRADIUS and its utilities:
sudo apt install freeradius freeradius-utils -y
This command installs both the core FreeRADIUS server and the accompanying utilities needed for testing and management. The installation process typically takes 2-3 minutes, depending on your internet connection speed.
During installation, the system automatically creates a freerad user account and configures basic service settings. The FreeRADIUS service starts automatically upon installation completion.
Verifying the Installation
Confirm that FreeRADIUS installed correctly and is running:
sudo systemctl status freeradius
You should see output indicating that the service is active and running. If the service isn’t running, start it manually:
sudo systemctl start freeradius
sudo systemctl enable freeradius
The enable command ensures FreeRADIUS starts automatically during system boot.
Basic FreeRADIUS Configuration
With FreeRADIUS installed, you’ll need to configure it for your specific environment. The configuration process involves several key files that control different aspects of server behavior.
Understanding Configuration Files
FreeRADIUS stores its configuration files in the /etc/freeradius/3.0/ directory. The most important files include:
radiusd.conf: Main server configuration
clients.conf: Defines RADIUS clients (NAS devices)
users: Contains user authentication information
sites-available/default: Default virtual server configuration
These files use a straightforward syntax that’s both human-readable and highly customizable.
Configuring Clients
RADIUS clients are the network devices (like wireless access points or VPN servers) that forward authentication requests to your FreeRADIUS server. Edit the clients configuration file:
sudo nano /etc/freeradius/3.0/clients.conf
Add a new client entry at the end of the file:
client wireless_ap {
    ipaddr = 192.168.1.100
    secret = your_shared_secret_here
    require_message_authenticator = yes
    nas_type = other
}
Replace 192.168.1.100 with your actual client device IP address and choose a strong shared secret. This shared secret acts as a password between the RADIUS server and client, so make it complex and unique.
Setting Up Users
For basic testing, you can define users directly in the users file:
sudo nano /etc/freeradius/3.0/users
Add test users before the DEFAULT entries (reply items such as Reply-Message must be indented on the line after the user's check items):
testuser Cleartext-Password := "testpass"
    Reply-Message := "Hello %{User-Name}, welcome to the network!"
admin Cleartext-Password := "admin123"
    Reply-Message := "Administrative access granted"
These entries create two test users with cleartext passwords. In production environments, you’ll want to use more secure authentication methods or database integration.
Advanced Configuration Options
While basic configuration suffices for simple deployments, advanced options unlock FreeRADIUS’s full potential for complex environments.
Database Integration
For larger deployments, storing user information in a database offers better scalability and management capabilities. FreeRADIUS supports MySQL, PostgreSQL, SQLite, and other database systems.
To configure MySQL integration, first install the MySQL module:
sudo apt install freeradius-mysql mysql-server -y
Create a dedicated database and user for FreeRADIUS:
CREATE DATABASE radius;
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radiuspassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost';
FLUSH PRIVILEGES;
Import the FreeRADIUS schema:
mysql -u radius -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
Enable the SQL module by creating a symbolic link:
sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
SSL/TLS Configuration
For secure authentication methods like EAP-TLS, you’ll need to configure SSL certificates. FreeRADIUS includes default certificates for testing, but production environments require proper certificates.
Certificate Management
Generate your own certificates using the provided scripts:
cd /etc/freeradius/3.0/certs
sudo make
This creates a complete certificate authority (CA) and server certificates. For production use, consider obtaining certificates from a trusted CA or implementing your own PKI infrastructure.
Testing Your FreeRADIUS Installation
Thorough testing ensures your FreeRADIUS server functions correctly before deploying it in production.
Local Authentication Testing
Use the radtest utility to perform local authentication tests:
radtest testuser testpass localhost 1812 testing123
This command sends an authentication request for user “testuser” with password “testpass” to the local RADIUS server. The “testing123” parameter is the shared secret defined in clients.conf for the localhost client.
A successful authentication returns:
Received Access-Accept packet from server 127.0.0.1:1812
If authentication fails, you’ll receive an Access-Reject packet instead.
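To see what radtest actually puts on the wire, and why the shared secret in clients.conf and the require_message_authenticator setting matter, here is an added Python example (not part of the original article or of the FreeRADIUS project): it builds the Access-Request for testuser/testpass with the User-Password obfuscation of RFC 2865 and the Message-Authenticator of RFC 2869, and performs the server-side verification that rejects a packet from a sender who does not hold the secret or that was altered in transit. The attribute numbers and the "testing123" secret are taken from the article; the function names are my own.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                          # RADIUS packet code
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # attribute types

def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def avp(attr_type: int, value: bytes) -> bytes:             # one Type-Length-Value attribute
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request as radtest sends it, with Message-Authenticator (RFC 2869
    3.16): HMAC-MD5 keyed with the secret over the packet, MAC value zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = avp(USER_NAME, username)
    attrs += avp(USER_PASSWORD, pap_obfuscate(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + authenticator
    zeroed = header + attrs + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check behind require_message_authenticator = yes: fails for a
    sender without the secret, a packet altered in transit, or a missing attribute."""
    pos, zeroed, received = 20, packet[:20], None
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False                                    # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            received = packet[pos + 2:pos + length]
            zeroed += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        else:
            zeroed += packet[pos:pos + length]
        pos += length
    return received is not None and hmac.compare_digest(
        hmac.new(secret, zeroed, hashlib.md5).digest(), received)
```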
Remote Client Testing
To test from a remote client, ensure your firewall allows traffic on UDP ports 1812 (authentication) and 1813 (accounting):
sudo ufw allow 1812/udp
sudo ufw allow 1813/udp
From a remote system with RADIUS client tools installed, test connectivity:
radtest username password radius_server_ip 1812 shared_secret
Common Use Cases for FreeRADIUS
Understanding typical FreeRADIUS deployments helps you leverage its capabilities effectively.
Wi-Fi Authentication
One of the most common FreeRADIUS applications is Wi-Fi authentication using WPA2-Enterprise or WPA3-Enterprise. This setup provides individual user credentials instead of shared passwords, significantly improving security.
Configure your wireless access points to use your FreeRADIUS server for authentication, and users will need to provide their credentials when connecting to the network.
VPN Access Control
FreeRADIUS integrates seamlessly with VPN solutions like OpenVPN, IPSec, and others. This integration allows centralized user management and detailed logging of VPN access attempts.
Network Device Management
Many network devices support RADIUS authentication for administrative access. This means network administrators can use their centralized credentials to access switches, routers, and other infrastructure devices.
Troubleshooting Common Issues
Even with careful configuration, you might encounter issues. Here are solutions to common problems.
Port Conflicts
If FreeRADIUS fails to start due to port conflicts, check what’s using the RADIUS ports:
sudo netstat -ulnp | grep :1812
sudo netstat -ulnp | grep :1813
If another service is using these ports, either stop that service or configure FreeRADIUS to use alternative ports.
Permission Problems
FreeRADIUS runs as the freerad user, which must have appropriate permissions to read configuration files and write log files. If you encounter permission errors:
sudo chown -R freerad:freerad /etc/freeradius/3.0/
sudo find /etc/freeradius/3.0/ -type d -exec chmod 750 {} +
sudo find /etc/freeradius/3.0/ -type f -exec chmod 640 {} +
Directories keep the execute bit (750) so the freerad user can traverse them; a blanket chmod -R 640 would strip it and the server would no longer be able to read its own configuration.
Configuration Errors
When configuration changes cause startup failures, check the FreeRADIUS logs for detailed error messages:
sudo tail -f /var/log/freeradius/radius.log
You can also stop the service and run FreeRADIUS in the foreground in debug mode to see detailed startup information (debug mode binds the same UDP ports, so it cannot run alongside the service):
sudo freeradius -X
Security Best Practices
Implementing proper security measures protects your RADIUS infrastructure from attacks and unauthorized access.
Firewall Configuration
Configure your firewall to only allow RADIUS traffic from trusted sources:
sudo ufw allow from 192.168.1.0/24 to any port 1812 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 1813 proto udp
This example allows RADIUS traffic only from the 192.168.1.0/24 network. Adjust the network range to match your environment.
User Access Management
Implement strong password policies and consider using certificate-based authentication for enhanced security. Regularly audit user accounts and remove unnecessary access.
Performance Optimization Tips
For high-traffic environments, several optimizations can improve FreeRADIUS performance:
Database Connection Pooling: Configure multiple database connections to handle concurrent requests efficiently.
Caching: Enable attribute caching to reduce database queries for frequently accessed user information.
Load Balancing: Deploy multiple FreeRADIUS servers behind a load balancer for redundancy and increased capacity.
Resource Monitoring: Regularly monitor CPU, memory, and network usage to identify bottlenecks before they impact performance.
Alternatives to FreeRADIUS
While FreeRADIUS is excellent for most use cases, consider these alternatives for specific requirements:
Microsoft NPS (Network Policy Server): Ideal for Windows-centric environments with Active Directory integration.
Cisco ISE (Identity Services Engine): Enterprise-grade solution with advanced policy management and threat detection.
ClearPass: Aruba’s comprehensive network access control platform.
PacketFence: Open-source network access control solution with captive portal capabilities.
Frequently Asked Questions
Q1: Can I install FreeRADIUS on Ubuntu without root access?
A: No, FreeRADIUS installation requires root or sudo privileges because it needs to install system packages, create user accounts, and modify system configuration files. However, once installed, day-to-day administration can be performed with limited privileges.
Q2: How many users can FreeRADIUS handle simultaneously?
A: FreeRADIUS can handle thousands of concurrent authentication requests, depending on your hardware specifications and configuration. A modest server with 4GB RAM can typically handle 500-1000 simultaneous authentications, while enterprise hardware can support tens of thousands.
Q3: Is it safe to use FreeRADIUS with default certificates in production?
A: No, never use default certificates in production environments. Default certificates are widely known and provide no security. Always generate your own certificates or obtain them from a trusted certificate authority for production deployments.
Q4: Can FreeRADIUS integrate with Active Directory?
A: Yes, FreeRADIUS can integrate with Active Directory through LDAP authentication or by using the winbind module. This allows you to leverage existing Windows user accounts and groups for RADIUS authentication.
Q5: What’s the difference between authentication ports 1812 and 1813?
A: Port 1812 handles authentication and authorization requests, determining whether users can access the network and what permissions they have. Port 1813 handles accounting requests, which track user session information like login/logout times and data usage for billing or monitoring purposes.