Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Setting up a FreeRADIUS server

Setting up a FreeRADIUS server

Publication Date: 22 Mar 2023

1 Environment

 

This document applies to the following products and product versions:

  • SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

  • SUSE Linux Enterprise Server for SAP Applications 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

  • SUSE Linux Enterprise High Availability Extension 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

  • SUSE Linux Enterprise High Performance Computing 15 SP3, 15 SP2, 15 SP1, 15 GA

  • SUSE Linux Enterprise Desktop 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

  • SUSE Linux Enterprise Real Time 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

2 Introduction

 

The RADIUS (Remote Authentication Dial-In User Service) protocol has long been a standard service for manage network access. FreeRADIUS is the open source RADIUS server implementation.

FreeRADIUS performs authentication, authorization, and accounting (AAA) for very large businesses such as Internet service providers and cellular network providers, and is also popular for small networks. It authenticates users and devices, authorizes those users and devices for certain network services, and tracks use of services for billing and auditing. You do not have to use all three of the AAA protocols, only the ones you need. For example, you may not need accounting but only client authentication, or perhaps all you need is accounting, because client authorization is managed by something else.

It is extremely efficient and manages thousands of requests per second on modest hardware.

RADIUS operates over a distributed architecture, and runs separately from the Network Access Server (NAS). User access data is stored on a central RADIUS server that is available to multiple NAS devices. The NAS provide the physical access to the network, such as a managed Ethernet switch, or a wireless access point.

3 Requirements

 

  • A separate machine from your NAS to install FreeRADIUS on.

  • The freeradius-server and freeradius-server-utils packages installed on this machine.

  • Install freeradius-server-utils on a another machine on your network, for testing client functions.

4 Installation and testing

 

The following steps set up a simple test system. When you have verified that the server is operating correctly and you are ready to create a production configuration, you will have several undo steps to perform before starting your production configuration.

  1. Enter /etc/raddb/certs, then run the bootstrap script to create a set of test certificates: 

    # zypper in freeradius-server freeradius-server-utils
# cd /etc/raddb/certs
# ./bootstrap

  2. When the bootstrap script has completed, start the server in debugging mode: 

    # radiusd -X
[...]
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54435
Listening on proxy address :: port 58415
Ready to process requests

  3. When you see the "Listening" and "Ready to process requests" lines, your server has started correctly. If it does not start, read the output carefully because it tells you what went wrong. You may direct the output to a text file with tee: 

    > radiusd -X | tee radiusd.text

  4. The next step is to test authentication with a test client and user. The client is a client of the RADIUS server, such as a wireless access point or switch. Clients are configured in /etc/raddb/client.conf. Human users are configured in /etc/raddb/mods-config/files/authorize.

    Open /etc/raddb/mods-config/files/authorize and uncomment the following lines: 

    bob   Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"

  5. A test client, client localhost, is provided in /etc/raddb/client.conf, with a secret of testing123. Open a second terminal, and as an unprivileged user use the radtest command to log in as bob: 

    > radtest bob hello 127.0.0.1 0 testing123
Sent Access-Request Id 241 from 0.0.0.0:35234 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "hello"
Received Access-Accept Id 241 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

  6. In your radius -X terminal, a successful login looks like this: 

    (3) pap: Login attempt with password
(3) pap: Comparing with "known good" Cleartext-Password
(3) pap: User authenticated successfully
(3)     [pap] = ok
[...]
(3) Sent Access-Accept Id 241 from 127.0.0.1:1812 to 127.0.0.1:35234 length 0
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 241 with timestamp +889

  7. Now run one more login test from a different computer on your network. Create a client configuration on your server by uncommenting and modifying the following entry in /etc/raddb/client.conf, using the IP address of your test client machine: 

    client private-network-1 {
  ipaddr          = 192.0.2.0/24
  secret          = testing123-1
  }

    On the client machine, install freeradius-server-utils. Try logging in from the client as bob, using the radtest command. It is better to use the IP address of the RADIUS server rather than the hostname because it is faster: 

    > radtest bob hello 192.168.2.100 0 testing123-1

If the client connection test fails, see Section 6, “Troubleshooting”.

5 Summary

 

You now know how to set up a basic FreeRADIUS configuration for testing.

6 Troubleshooting

 

There are several test users and test clients provided. Make sure that your server has the correct firewall settings. If your test logins fail, review all the output to learn what went wrong. The configuration files are full of useful information, and we recommend studying them.

7 Next steps

 

When you are satisfied with your testing and ready to create a production configuration, remove all the test certificates in /etc/raddb/certs and replace them with your own certificates, comment out all the test users and clients, and stop radiusd by pressing Ctrlc. Manage the radiusd.service with systemctl, just like any other service.

To learn how to fit a FreeRADIUS server in your network, see https://freeradius.org/documentation/ and https://networkradius.com/freeradius-documentation/ for in-depth references and howtos.