FreeRadius install howto (1)

FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. In this post I will try to describe basic installation and config options (at least some of them). The biggest problem for me was the lack of documentation and it was very hard to learn something about it when the latest book about Radius was published 8 years ago.

Where possible, I recommend using the packaging system that is used for your distro. The version that is supplied might be out of date, but it is likely to work “out of the box”.

RPM packages

FreeRADIUS is distributed on Fedora/RHEL/CentOS systems as a set of RPM packages. There is a main package called “freeradius” and several subpackages whose name is “freeradius-XXX” where XXX is optional functionality. For example the support needed for MySQL database backend will be found in the package “freeradius-mysql”.

On CentOS and Red Hat, “yum install freeradius” will install FreeRadius 1.1.3 which is a several years old version. Better option is to install FreeRadius 2.x with yum install freeradius2. Please see the notes above about optional packages. Also, keep in mind that all config files will be installed in /etc/raddb. More info can be found HERE.

More info about RPM versions can be found Here (Thanks J. Dennis).

[root@ms ~]# yum search freeradius
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons:
 * base:
 * extras:
 * rpmforge:
 * updates:
Excluding Packages in global exclude list
====================== Matched: freeradius ===================================
freeradius.x86_64 : High-performance and highly configurable free RADIUS server.
freeradius-mysql.x86_64 : MySQL bindings for freeradius
freeradius-postgresql.x86_64 : postgresql bindings for freeradius
freeradius-unixODBC.x86_64 : unixODBC bindings for freeradius
freeradius2.x86_64 : High-performance and highly configurable free RADIUS server
freeradius2-krb5.x86_64 : Kerberos 5 support for freeradius
freeradius2-ldap.x86_64 : LDAP support for freeradius
freeradius2-mysql.x86_64 : MySQL support for freeradius
freeradius2-perl.x86_64 : Perl support for freeradius
freeradius2-postgresql.x86_64 : Postgresql support for freeradius
freeradius2-python.x86_64 : Python support for freeradius
freeradius2-unixODBC.x86_64 : Unix ODBC support for freeradius
freeradius2-utils.x86_64 : FreeRADIUS utilities

More info about basic settings will be shown later.

Install from source

Download the latest FreeRadius from this link. (Current version is 2.1.10)

# wget
# tar xvzf freeradius-server-2.1.10.tar.gz
# cd freeradius-server-2.1.10
# ./configure

It is very likely that config process will fail for some reasons. To fix this, search WARNINGS lines and install the missing rpms (yum install libtood-ltdl libtool-ltdl-devel is required).

# make
# make install

This is a default installation and all config files will be located in /usr/local/etc/raddb and you should find the next files inside

[root@ms raddb]# ls -la
total 220
drwxr-xr-x 7 root root  4096 Jan 27 15:54 .
drwxr-xr-x 4 root root  4096 Jan 27 15:53 ..
-rw-r----- 1 root root   671 Jan 27 15:54 acct_users
-rw-r----- 1 root root  4174 Jan 27 15:54 attrs
-rw-r----- 1 root root   513 Jan 27 15:54 attrs.access_challenge
-rw-r----- 1 root root   458 Jan 27 15:54 attrs.access_reject
-rw-r----- 1 root root   437 Jan 27 15:54 attrs.accounting_response
-rw-r----- 1 root root  2022 Jan 27 15:54 attrs.pre-proxy
drwxr-x--- 2 root root  4096 Jan 27 15:54 certs
-rw-r----- 1 root root  6703 Jan 27 15:54 clients.conf
-rw-r----- 1 root root   883 Jan 27 15:54 dictionary
-rw-r----- 1 root root 18063 Jan 27 15:54 eap.conf
-rwxr-xr-x 1 root root  4744 Jan 27 15:54
-rw-r----- 1 root root 12722 Jan 27 15:54 experimental.conf
-rw-r----- 1 root root  2352 Jan 27 15:54 hints
-rw-r----- 1 root root  1604 Jan 27 15:54 huntgroups
-rw-r----- 1 root root  3218 Jan 27 15:54 ldap.attrmap
drwxr-x--- 2 root root  4096 Jan 27 15:54 modules
-rw-r----- 1 root root  2840 Jan 27 15:54 policy.conf
-rw-r----- 1 root root  4873 Jan 27 15:54 policy.txt
-rw-r----- 1 root root   984 Jan 27 15:54 preproxy_users
-rw-r----- 1 root root 26529 Jan 27 15:54 proxy.conf
-rw-r----- 1 root root 27238 Jan 27 15:54 radiusd.conf
drwxr-x--- 2 root root  4096 Jan 27 15:54 sites-available
drwxr-x--- 2 root root  4096 Jan 27 15:54 sites-enabled
drwxr-x--- 7 root root  4096 Jan 27 15:54 sql
-rw-r----- 1 root root  3042 Jan 27 15:54 sql.conf
-rw-r----- 1 root root  2475 Jan 27 15:54 sqlippool.conf
-rw-r----- 1 root root  3597 Jan 27 15:54 templates.conf
-rw-r----- 1 root root  6524 Jan 27 15:54 users

The default configuration is designed to work everywhere, and to provide nearly every authentication method. Do not edit the default configuration files until you understand what they do. This means reading the documentation contained in the comments of the configuration files.

When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:

# radiusd -X

This step demonstrates that the server is installed and configured properly. If you have installed Version 2 from source, this step will also create the default certificates used for EAP authentication. If everything went OK, you should see the lines

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

To stop freeradius press Ctrl+C.

Thats all for now… In next few days I will add more articles about FreeRadius.

15 thoughts on “FreeRadius install howto (1)”

  1. nice blog
    i have install radius2* one linux (centos) server but can u guide me how to configure on client site or anything do more on server side
    can u please help me.

  2. Hi,

    I have install radius server as per your above step also getting same result after hitting radiusd -X command but when i hitting “radtest user password 0 testing123″ get output like this ” radclient:: Failed to find IP address for Radius
    radclient: Nothing to send.”
    Also i have add —–user Cleartext-Password := “password”——–this line into user file but no luck please help me.

  3. localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

    # Radius

  4. Now I have remove # prompt from hosts file now it is working fine, got result as per your document, Thanks.
    Could you please tell me one more thing, how to connect Linksys switch to Radius server and in which file i need to do the Changes.

    i know the Radius Settings in Linksys Router, but dont know how to do it

  5. Edit clients.conf file and add switch IP address inside as I mentioned on this blog.

    Please do not force me to repeat myself. I constantly answer the same quesions again and again.

    I seriously thinking to remove the contact form and to close the comments…

  6. I have followed your instructions for setting up Freeradius against a backend Postgresql database. in my case I have only installed via rpm’s.
    My testing has proved successful after some initial learning curve, and I am now testing connections from the windows gui radtest. My confusion now is that I cannot see evidence of freeradius with support for bcrypt (via blowfish I think), can you confirm if it is possible?

  7. I can create the user passwords and store them in the backend postgres database. But when I run radiusd -X and send the user and password using the radtest gui from my pc
    The message back is failed authentication.

  8. Hi,
    Perform this in my radius/postgres backend database:
    INSERT INTO radcheck (id ,username ,attribute ,op ,value )
    VALUES (nextval(‘radcheck_id_seq’), ‘testbc’, ‘Crypt-Password’, ‘:=’, crypt(‘scoobyd00’, gen_salt(‘md5’)));
    select * from radcheck;
    id | username | attribute | op | value
    14 | testbc | Crypt-Password | := | $1$cMoGwZ53$XiPP6jDuZgbxF3prz7w8l/
    => This has stored the encrypted password with an md5 salt.
    => Testing a connection using freeradius is successful.
    INSERT INTO radcheck (id ,username ,attribute ,op ,value )
    VALUES (nextval(‘radcheck_id_seq’), ‘testqq’, ‘Crypt-Password’, ‘:=’, crypt(‘scoobydee’, gen_salt(‘bf’)));
    select * from radcheck;
    id | username | attribute | op | value
    19 | testqq | Crypt-Password | := | $2a$06$RPoPnuEXn2qs79WcRQkz1.Ws0Iskg/ZaDyHv9eP2eD5QbWBM9Ks26
    => This has stored the encrypted password with an blowfish salt.
    => Testing a connection using freeradius FAILS.
    Your previous link does not mention bcrypt or blowfish??
    I have a requirement to standardise on bcrypt encryption and authentication in freeradius

  9. Hello, I know that this post is a little old, but I wanted to make a question.
    I want to use radtest on an router with openwrt, but I don’t know if I need to install the entire freeradius or if I can just opkg the freeradius-utils packet.
    O other hand, I would also like to know where I can find this packets, if anyone can help.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.