FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. In this post I will try to describe basic installation and config options (at least some of them). The biggest problem for me was the lack of documentation and it was very hard to learn something about it when the latest book about Radius was published 8 years ago.
Where possible, I recommend using the packaging system that is used for your distro. The version that is supplied might be out of date, but it is likely to work “out of the box”.
RPM packages
FreeRADIUS is distributed on Fedora/RHEL/CentOS systems as a set of RPM packages. There is a main package called “freeradius” and several subpackages whose name is “freeradius-XXX” where XXX is optional functionality. For example the support needed for MySQL database backend will be found in the package “freeradius-mysql”.
On CentOS and Red Hat, “yum install freeradius” will install FreeRadius 1.1.3, which is several years old. A better option is to install FreeRadius 2.x with “yum install freeradius2”. Please see the notes above about optional packages. Also, keep in mind that all config files will be installed in /etc/raddb. More info can be found HERE.
More info about RPM versions can be found Here (Thanks J. Dennis).
[root@ms ~]# yum search freeradius
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: mirror.centos.com.ba
 * base: mirror.centos.com.ba
 * extras: mirror.centos.com.ba
 * rpmforge: ftp-stud.fht-esslingen.de
 * updates: mirror.centos.com.ba
Excluding Packages in global exclude list
Finished
====================== Matched: freeradius ===================================
freeradius.x86_64 : High-performance and highly configurable free RADIUS server.
freeradius-mysql.x86_64 : MySQL bindings for freeradius
freeradius-postgresql.x86_64 : postgresql bindings for freeradius
freeradius-unixODBC.x86_64 : unixODBC bindings for freeradius
freeradius2.x86_64 : High-performance and highly configurable free RADIUS server
freeradius2-krb5.x86_64 : Kerberos 5 support for freeradius
freeradius2-ldap.x86_64 : LDAP support for freeradius
freeradius2-mysql.x86_64 : MySQL support for freeradius
freeradius2-perl.x86_64 : Perl support for freeradius
freeradius2-postgresql.x86_64 : Postgresql support for freeradius
freeradius2-python.x86_64 : Python support for freeradius
freeradius2-unixODBC.x86_64 : Unix ODBC support for freeradius
freeradius2-utils.x86_64 : FreeRADIUS utilities
More info about basic settings will be shown later.
Install from source
Download the latest FreeRadius from this link. (Current version is 2.1.10)
# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.gz
# tar xvzf freeradius-server-2.1.10.tar.gz
# cd freeradius-server-2.1.10
# ./configure
It is very likely that the configure step will fail. To fix this, look for the WARNING lines in its output and install the missing RPMs (yum install libtool-ltdl libtool-ltdl-devel is required).
# make
# make install
This is a default installation, so all config files will be located in /usr/local/etc/raddb, where you should find the following files:
[root@ms raddb]# ls -la
total 220
drwxr-xr-x 7 root root  4096 Jan 27 15:54 .
drwxr-xr-x 4 root root  4096 Jan 27 15:53 ..
-rw-r----- 1 root root   671 Jan 27 15:54 acct_users
-rw-r----- 1 root root  4174 Jan 27 15:54 attrs
-rw-r----- 1 root root   513 Jan 27 15:54 attrs.access_challenge
-rw-r----- 1 root root   458 Jan 27 15:54 attrs.access_reject
-rw-r----- 1 root root   437 Jan 27 15:54 attrs.accounting_response
-rw-r----- 1 root root  2022 Jan 27 15:54 attrs.pre-proxy
drwxr-x--- 2 root root  4096 Jan 27 15:54 certs
-rw-r----- 1 root root  6703 Jan 27 15:54 clients.conf
-rw-r----- 1 root root   883 Jan 27 15:54 dictionary
-rw-r----- 1 root root 18063 Jan 27 15:54 eap.conf
-rwxr-xr-x 1 root root  4744 Jan 27 15:54 example.pl
-rw-r----- 1 root root 12722 Jan 27 15:54 experimental.conf
-rw-r----- 1 root root  2352 Jan 27 15:54 hints
-rw-r----- 1 root root  1604 Jan 27 15:54 huntgroups
-rw-r----- 1 root root  3218 Jan 27 15:54 ldap.attrmap
drwxr-x--- 2 root root  4096 Jan 27 15:54 modules
-rw-r----- 1 root root  2840 Jan 27 15:54 policy.conf
-rw-r----- 1 root root  4873 Jan 27 15:54 policy.txt
-rw-r----- 1 root root   984 Jan 27 15:54 preproxy_users
-rw-r----- 1 root root 26529 Jan 27 15:54 proxy.conf
-rw-r----- 1 root root 27238 Jan 27 15:54 radiusd.conf
drwxr-x--- 2 root root  4096 Jan 27 15:54 sites-available
drwxr-x--- 2 root root  4096 Jan 27 15:54 sites-enabled
drwxr-x--- 7 root root  4096 Jan 27 15:54 sql
-rw-r----- 1 root root  3042 Jan 27 15:54 sql.conf
-rw-r----- 1 root root  2475 Jan 27 15:54 sqlippool.conf
-rw-r----- 1 root root  3597 Jan 27 15:54 templates.conf
-rw-r----- 1 root root  6524 Jan 27 15:54 users
The default configuration is designed to work everywhere, and to provide nearly every authentication method. Do not edit the default configuration files until you understand what they do. This means reading the documentation contained in the comments of the configuration files.
When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:
# radiusd -X
This step demonstrates that the server is installed and configured properly. If you have installed Version 2 from source, this step will also create the default certificates used for EAP authentication. If everything went OK, you should see the lines
......
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
To stop freeradius press Ctrl+C.
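The check described above can be scripted. The following is an added example, not code from the original post or from the FreeRADIUS project: it reads the debug output, confirms the ready line was reached, and reports which sockets are bound on every interface. The function names are hypothetical and the sample input is the startup output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the listeners that
# "radiusd -X" reports. All function names here are hypothetical.

# Sample input: the startup lines quoted in the post, embedded for offline use.
SAMPLE_LOG='Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.'

# list_listeners: read debug output on stdin and print one line per network
# listener as "<type> <address> <port> <scope>". Scope is "all-interfaces" for
# a wildcard (*) bind, "loopback" for 127.x.x.x or ::1, otherwise "specific".
# The "command file" line is a local socket, not a network listener, so it is
# skipped.
list_listeners() {
    awk '
        $1 == "Listening" && $2 == "on" && $4 == "address" && $6 == "port" {
            scope = "specific"
            if ($5 == "*") scope = "all-interfaces"
            else if ($5 ~ /^127\./ || $5 == "::1") scope = "loopback"
            print $3, $5, $7, scope
        }'
}

# server_ready: succeed only if the output contains the ready line.
server_ready() {
    grep -q 'Ready to process requests'
}

# exposed_ports: ports bound on every interface, space separated.
exposed_ports() {
    list_listeners |
        awk '$4 == "all-interfaces" { printf "%s%s", sep, $3; sep = " " }
             END { print "" }'
}

# Demo on the embedded sample.
if printf '%s\n' "$SAMPLE_LOG" | server_ready; then
    printf '%s\n' "$SAMPLE_LOG" | list_listeners
    echo "bound on all interfaces: $(printf '%s\n' "$SAMPLE_LOG" | exposed_ports)"
else
    echo "server did not reach the ready state" >&2
fi
```

To check a real installation, save the output of radiusd -X to a file and pipe that file into the same functions; the ports reported as bound on all interfaces are the ones a host firewall should restrict to known RADIUS clients.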
That's all for now… In the next few days I will add more articles about FreeRadius.
FreeRadius howto part 2 – http://www.serveradminblog.com/2011/03/freeradius-install-howto-2/
nice blog
I have installed radius2* on one Linux (CentOS) server, but can you guide me how to configure on the client side, or anything more to do on the server side?
Can you please help me?
Yes I can. Read all five posts about FreeRadius and you’ll find the answers…
Hi,
I have installed the radius server as per your steps above and am also getting the same result after running the radiusd -X command, but when I run "radtest user password 127.0.0.1 0 testing123" I get output like this:
radclient:: Failed to find IP address for Radius
radclient: Nothing to send.
Also, I have added the line user Cleartext-Password := "password" into the user file, but no luck. Please help me.
What do you have inside the /etc/hosts file?
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.10.10.95 Radius
Now I have removed the # prompt from the hosts file and now it is working fine; I got the result as per your document. Thanks.
Could you please tell me one more thing: how to connect a Linksys switch to the Radius server, and in which file do I need to make the changes?
I know the Radius settings in the Linksys router, but don't know how to do it.
Edit the clients.conf file and add the switch IP address inside, as I mentioned on this blog.
Please do not force me to repeat myself. I constantly answer the same questions again and again.
I am seriously thinking of removing the contact form and closing the comments…
I have followed your instructions for setting up Freeradius against a backend Postgresql database. In my case I have only installed via RPMs.
My testing has proved successful after some initial learning curve, and I am now testing connections from the windows gui radtest. My confusion now is that I cannot see evidence of freeradius with support for bcrypt (via blowfish I think), can you confirm if it is possible?
Hi…
You mean for user passwords?
I can create the user passwords and store them in the backend postgres database. But when I run radiusd -X and send the user and password using the radtest gui from my pc
The message back is failed authentication.
You need to store them properly …
https://www.packtpub.com/books/content/freeradius-authentication-storing-passwords
Hi,
Perform this in my radius/postgres backend database:
==============
INSERT INTO radcheck (id, username, attribute, op, value)
VALUES (nextval('radcheck_id_seq'), 'testbc', 'Crypt-Password', ':=', crypt('scoobyd00', gen_salt('md5')));
select * from radcheck;
 id | username | attribute      | op | value
----+----------+----------------+----+------------------------------------
 14 | testbc   | Crypt-Password | := | $1$cMoGwZ53$XiPP6jDuZgbxF3prz7w8l/
=> This has stored the encrypted password with an md5 salt.
=> Testing a connection using freeradius is successful.
==============
INSERT INTO radcheck (id, username, attribute, op, value)
VALUES (nextval('radcheck_id_seq'), 'testqq', 'Crypt-Password', ':=', crypt('scoobydee', gen_salt('bf')));
select * from radcheck;
 id | username | attribute      | op | value
----+----------+----------------+----+--------------------------------------------------------------
 19 | testqq   | Crypt-Password | := | $2a$06$RPoPnuEXn2qs79WcRQkz1.Ws0Iskg/ZaDyHv9eP2eD5QbWBM9Ks26
=> This has stored the encrypted password with a blowfish salt.
=> Testing a connection using freeradius FAILS.
==============
Your previous link does not mention bcrypt or blowfish??
I have a requirement to standardise on bcrypt encryption and authentication in freeradius
Hello, I know that this post is a little old, but I wanted to ask a question.
I want to use radtest on a router with openwrt, but I don’t know if I need to install the entire freeradius or if I can just opkg the freeradius-utils package.
On the other hand, I would also like to know where I can find these packages, if anyone can help.