How to Install and Set Up FreeRADIUS on CentOS 7 and Ubuntu 22.04

This simple, straightforward guide will help you set up FreeRADIUS ready for authentication within a few short minutes.

Where the commands differ between CentOS and Ubuntu, each variant is labelled.

Install FreeRADIUS and MySQL/MariaDB

CentOS 7:

yum install freeradius freeradius-mysql freeradius-utils -y

Ubuntu 22.04:

apt-get install freeradius freeradius-mysql freeradius-utils

You must also install a MySQL/MariaDB server to host your radius database, if you haven’t already.

CentOS 7:

sudo yum install mariadb-server
sudo systemctl start mariadb
sudo systemctl enable mariadb

Ubuntu 22.04:

sudo apt update
sudo apt-get install wget software-properties-common dirmngr ca-certificates apt-transport-https -y
sudo apt install mariadb-server mariadb-client

Now, on both, run the secure installation script to set up your MySQL/MariaDB credentials:

sudo mysql_secure_installation
Switch to unix_socket authentication [Y/n] n
Enter current password for root (enter for none): ENTER
Set root password? [Y/n] y
New password: Enter password
Re-enter new password: Repeat password
Remove anonymous users? [Y/n]: y
Disallow root login remotely? [Y/n]: y
Remove test database and access to it? [Y/n]: y
Reload privilege tables now? [Y/n]: y

Once you have completed the secure setup, let’s log in and create the radius database you will use for authentication.

mysql -uroot -p

Then enter your MySQL root password to continue…

Now create the database and grant all privileges to the user radius:

CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

We recommend you set a more secure password than ‘radpass’. If your SQL server is running on a different machine, you also have to replace localhost with your RADIUS server’s IP.

With that done, switch to the radius database from the MySQL command line and import the RADIUS table schema.

use radius;

CentOS 7:

SOURCE /etc/raddb/mods-config/sql/main/mysql/schema.sql

Ubuntu 22.04:

SOURCE /etc/freeradius/mods-config/sql/main/mysql/schema.sql

Now exit using the below command.

exit

Edit /etc/raddb/mods-available/sql (on CentOS) or /etc/freeradius/mods-available/sql (on Ubuntu). Set the driver to rlm_sql_mysql and the SQL dialect to mysql, then scroll down to the connection info and uncomment these options. Set the server to localhost, the database username to radius and the database password to radpass (unless you changed it) to connect to your SQL server and the RADIUS database. The database and table names should be left as the defaults if you use the default schema.

For example, under sql {:

driver = "rlm_sql_mysql"
dialect = "mysql"
# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "radpass"

# Database table configuration for everything except Oracle
radius_db = "radius"

Next, enable the SQL module by executing the below commands.

CentOS 7:

cd /etc/raddb/mods-enabled
ln -s ../mods-available/sql sql

Ubuntu 22.04:

cd /etc/freeradius/mods-enabled
ln -s ../mods-available/sql sql

Edit sites-available/default (under /etc/raddb on CentOS or /etc/freeradius on Ubuntu) and uncomment the line containing ‘sql’ in the authorize{} section.

Additionally, edit sites-available/inner-tunnel and uncomment the line containing ‘sql’ in the authorize{} section.

If you wish to store accounting records in the database, also uncomment the line containing ‘sql’ in the accounting{} section.

Optionally, add or uncomment ‘sql’ in the session{} section if you want to do Simultaneous-Use detection.

Restart FreeRADIUS:

CentOS 7:

service radiusd restart

Ubuntu 22.04:

sudo systemctl restart freeradius

Add Clients to FreeRADIUS

Now we need to add clients to FreeRADIUS. For example, VPN servers that run OpenVPN, strongSwan, OpenConnect, IPSec, Squid, etc. all have RADIUS modules for authentication.

Open up /etc/raddb/clients.conf on CentOS or /etc/freeradius/clients.conf on Ubuntu, delete all content from the file, and add your clients, for example:

client VPN-01 {
ipaddr = 127.0.0.1
secret = 6vyh645hv5h
}

client VPN-02 {
ipaddr = 123.123.123.123
secret = v4h44h575h5
}

Again, after adding each client, restart FreeRADIUS.
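The sample secrets above are 11 characters long, while RFC 2865 prefers shared secrets of at least 16 octets. The script below is an added example, not part of the original guide: it audits a clients.conf-style file for missing, short or default secrets (testing123 is the secret shipped in the stock FreeRADIUS clients.conf) and includes a helper that generates a 128-bit replacement. The VPN-03 entry with its address and secret, and the function names, are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag weak shared secrets in clients.conf-style input.
MIN_LEN=16   # RFC 2865 prefers shared secrets of at least 16 octets

# Print a fresh 128-bit secret as 32 hex characters.
new_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# audit_clients FILE: print "name ipaddr reason" for each weak client block.
audit_clients() {
    awk -v min="$MIN_LEN" '
        { sub(/#.*/, "") }          # strip comments (a secret containing # is cut)
        $1 == "client" {            # start of a client block
            name = $2; sub(/[{].*/, "", name); ip = ""; sec = ""; next
        }
        name != "" && /=/ {         # key = value line inside a block
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val); gsub(/^"|"$/, "", val)
            if (key == "ipaddr") ip = val
            if (key == "secret") sec = val
        }
        name != "" && /[}]/ {       # end of block: judge the secret
            n = length(sec)
            if (n == 0)                   print name, ip, "no-secret"
            else if (sec == "testing123") print name, ip, "default-secret"
            else if (n < min)             print name, ip, "short-secret(" n ")"
            name = ""
        }
    ' "$1"
}

# Constructed sample: the two clients from this guide plus a hypothetical VPN-03.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
client VPN-01 {
ipaddr = 127.0.0.1
secret = 6vyh645hv5h
}
client VPN-02 {
ipaddr = 123.123.123.123
secret = v4h44h575h5
}
client VPN-03 {
ipaddr = 192.0.2.10
secret = 3f9c1e7a5b2d4c8e9a0f6b1d7e2c4a58
}
EOF
audit_clients "$SAMPLE"
```

On a real server, point audit_clients at /etc/raddb/clients.conf (CentOS) or /etc/freeradius/clients.conf (Ubuntu) and replace any flagged secret with the output of new_secret.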

You are now ready to start authenticating against FreeRADIUS. To troubleshoot, you can stop FreeRADIUS and start it in debug mode.

Stop the service using one of the commands below:

service radiusd stop

Or:

sudo systemctl stop freeradius

Now run in debug mode (on Ubuntu the binary is named freeradius rather than radiusd):

radiusd -X

Now you can see in real time whether your authentication queries are reaching the server and the reasons why some users may be rejected.
