This simple, straightforward guide will help you set up FreeRADIUS ready for authentication within a few short minutes.
Where the commands differ between CentOS and Ubuntu, both are shown.
Install FreeRADIUS and MySQL/MariaDB
CentOS 7:
yum install freeradius freeradius-mysql freeradius-utils -y
Ubuntu 22.04:
apt-get install freeradius freeradius-mysql freeradius-utils
If you haven’t already, install a MySQL/MariaDB server to host your radius database.
CentOS 7:
sudo yum install mariadb-server
sudo systemctl start mariadb
sudo systemctl enable mariadb
Ubuntu 22.04:
sudo apt update
sudo apt-get install wget software-properties-common dirmngr ca-certificates apt-transport-https -y
sudo apt install mariadb-server mariadb-client
Now, on both, run the secure installation script to set up your MySQL/MariaDB credentials:
sudo mysql_secure_installation
Switch to unix_socket authentication [Y/n] n
Enter current password for root (enter for none): ENTER
Set root password? [Y/n] y
New password: Enter password
Re-enter new password: Repeat password
Remove anonymous users? [Y/n]: y
Disallow root login remotely? [Y/n]: y
Remove test database and access to it? [Y/n]: y
Reload privilege tables now? [Y/n]: y
Once you have completed the secure setup, let’s log in and create the radius database you will use for authentication.
mysql -uroot -p
Then enter your MySQL root password to continue…
Now create the database and grant all privileges to the user radius:
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
We recommend you set a more secure password than ‘radpass’. If your SQL server is running on a different machine, you also have to replace localhost with your radius server IP.
Now that’s done, switch to the radius DB from the MySQL command line and import the table schema for radius.
use radius;
CentOS 7:
SOURCE /etc/raddb/mods-config/sql/main/mysql/schema.sql
Ubuntu 22.04:
SOURCE /etc/freeradius/mods-config/sql/main/mysql/schema.sql
Now exit using the below command.
exit
Edit /etc/raddb/mods-available/sql (on CentOS) or /etc/freeradius/mods-available/sql (on Ubuntu) and enter the driver as rlm_sql_mysql, SQL dialect as mysql, scroll down to connection info and uncomment these options. Set the server as localhost, database username radius and database password radpass (unless you changed it) to connect to your SQL server and the RADIUS database. The database and table names should be left as the defaults if you use the default schema.
For example, under sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
Next, enable the SQL module by executing the below commands.
CentOS 7:
cd /etc/raddb/mods-enabled
ln -s ../mods-available/sql sql
Ubuntu 22.04:
cd /etc/freeradius/mods-enabled
ln -s ../mods-available/sql sql
Edit sites-available/default (relative to the FreeRADIUS configuration directory used above) and uncomment the line containing sql in the authorize{} section.
Additionally, edit sites-available/inner-tunnel and uncomment the line containing ‘sql’ under “authorize {}”.
If you wish to store accounting records in the database, also uncomment the line saying ‘sql’ in the accounting{} section.
Optionally add or uncomment ‘sql’ to the session{} section if you want to do Simultaneous-Use detection.
Restart FreeRADIUS:
CentOS 7:
service radiusd restart
Ubuntu 22.04:
sudo systemctl restart freeradius
Add Clients to FreeRADIUS
Now we need to add clients to FreeRADIUS. For example, VPN servers that run OpenVPN, strongSwan, OpenConnect, IPsec, Squid, etc. all have RADIUS modules for authentication.
Open /etc/raddb/clients.conf on CentOS or /etc/freeradius/clients.conf on Ubuntu, delete all content from the file, and add your clients, for example:
client VPN-01 {
ipaddr = 127.0.0.1
secret = 6vyh645hv5h
}
client VPN-02 {
ipaddr = 123.123.123.123
secret = v4h44h575h5
}
Again, restart FreeRADIUS after adding each client.
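The sample secrets above are 11 characters long, while RFC 2865 (section 3) prefers shared secrets of at least 16 octets. The shell functions below are an added example, not part of the original guide or of FreeRADIUS itself: they generate a client stanza with a random secret and lint a clients.conf for short, default or reused secrets. The function names, the VPN-03 entry and the parsing simplifications noted in the comments are assumptions made for illustration.

```shell
# Added example: lint shared secrets in a FreeRADIUS clients.conf read from stdin.
# Assumes "secret = value" with spaces around "=" and no "#" or spaces in the value.
MIN_LEN=16   # RFC 2865 section 3 prefers secrets of at least 16 octets

# Random 128-bit secret as 32 hex characters.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print a client stanza with a fresh secret. Usage: client_stanza NAME IPADDR
client_stanza() {
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n}\n' "$1" "$2" "$(gen_secret)"
}

# Print "client finding" for each weak secret. Usage: audit_clients [MIN_LEN] < file
audit_clients() {
    awk -v min="${1:-$MIN_LEN}" '
        { sub(/#.*/, "") }                         # drop comments
        $1 == "client" { name = $2 }               # remember the current stanza
        $1 == "secret" && $2 == "=" {
            s = $3
            gsub(/^"|"$/, "", s)                   # strip optional quotes
            if (length(s) < min) print name, "short(" length(s) ")"
            if (s == "testing123") print name, "default"   # stock FreeRADIUS sample secret
            if (s in seen) { print name, "reused(" seen[s] ")" } else { seen[s] = name }
        }'
}

# Constructed sample: the two stanzas from this guide plus one that reuses a secret.
sample_conf() {
    cat <<'EOF'
client VPN-01 {
ipaddr = 127.0.0.1
secret = 6vyh645hv5h
}
client VPN-02 {
ipaddr = 123.123.123.123
secret = v4h44h575h5
}
client VPN-03 {
ipaddr = 192.0.2.10
secret = 6vyh645hv5h   # constructed duplicate of VPN-01
}
EOF
}

sample_conf | audit_clients
```

To check a real configuration, redirect the clients.conf for your distribution into audit_clients; client_stanza VPN-04 192.0.2.20 prints a stanza that passes the same checks.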
You are now ready to start authenticating against FreeRADIUS. To troubleshoot, you can stop FreeRADIUS and start it in debug mode.
Stop the service using one of the commands below:
service radiusd stop
Or:
sudo systemctl stop freeradius
Now run in debug mode:
CentOS 7:
radiusd -X
Ubuntu 22.04:
sudo freeradius -X
Now you can see in real time whether your authentication queries are reaching the server and why some users may be rejected.