Task Setup Free Radius Server - Draft - en

This document provides instructions for setting up a FreeRADIUS server for testing purposes on SUSE Linux. It describes installing FreeRADIUS packages, running the bootstrap script to generate test certificates, starting the RADIUS daemon, and using the radtest client to authenticate as a test user. Basic troubleshooting tips are also provided, with a note that the configuration files contain useful information. The next steps recommend removing test configurations and stopping the RADIUS daemon before creating a production setup.

Uploaded by

Taqi Deen
Setting up a FreeRADIUS server

Publication Date: 22 May 2023

Contents
1 Environment
2 Introduction
3 Requirements
4 Installation and testing
5 Summary
6 Troubleshooting
7 Next steps

1 Environment
This document applies to the following products and product versions:

SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

SUSE Linux Enterprise Server for SAP Applications 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5,
12 SP4, 12 SP3

SUSE Linux Enterprise High Availability Extension 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5,
12 SP4, 12 SP3

SUSE Linux Enterprise High Performance Computing 15 SP3, 15 SP2, 15 SP1, 15 GA

SUSE Linux Enterprise Desktop 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

SUSE Linux Enterprise Real Time 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

2 Introduction
The RADIUS (Remote Authentication Dial-In User Service) protocol has long been a standard
service for managing network access. FreeRADIUS is the open source RADIUS server
implementation.
FreeRADIUS performs authentication, authorization, and accounting (AAA) for very large
businesses such as Internet service providers and cellular network providers, and is also popular
for small networks. It authenticates users and devices, authorizes those users and devices for
certain network services, and tracks use of services for billing and auditing. You do not have
to use all three of the AAA protocols, only the ones you need. For example, you may not need
accounting but only client authentication, or perhaps all you need is accounting, because client
authorization is managed by something else.
It is extremely efficient and manages thousands of requests per second on modest hardware.
RADIUS operates over a distributed architecture, and runs separately from the Network Access
Server (NAS). User access data is stored on a central RADIUS server that is available to multiple
NAS devices. The NAS provides the physical access to the network, such as a managed Ethernet
switch or a wireless access point.
3 Requirements
A separate machine from your NAS to install FreeRADIUS on.

The freeradius-server and freeradius-server-utils packages installed on this machine.

Install freeradius-server-utils on another machine on your network, for testing client
functions.

4 Installation and testing


The following steps set up a simple test system. When you have verified that the server is
operating correctly and you are ready to create a production configuration, you will have several
undo steps to perform before starting your production configuration.

1. Install the packages, then enter /etc/raddb/certs and run the bootstrap script to create a
set of test certificates:

# zypper in freeradius-server freeradius-server-utils
# cd /etc/raddb/certs
# ./bootstrap

2. When the bootstrap script has completed, start the server in debugging mode:

# radiusd -X
[...]
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54435
Listening on proxy address :: port 58415
Ready to process requests

3. When you see the "Listening" and "Ready to process requests" lines, your server has started
correctly. If it does not start, read the output carefully because it tells you what went
wrong. You may direct the output to a text file with tee:

> radiusd -X | tee radiusd.text

4. The next step is to test authentication with a test client and user. The client is a client of the
RADIUS server, such as a wireless access point or switch. Clients are configured in
/etc/raddb/clients.conf. Human users are configured in
/etc/raddb/mods-config/files/authorize.
Open /etc/raddb/mods-config/files/authorize and uncomment the following lines:

bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"

5. A test client, client localhost, is provided in /etc/raddb/clients.conf, with a secret
of testing123. Open a second terminal, and as an unprivileged user use the radtest
command to log in as bob:

> radtest bob hello 127.0.0.1 0 testing123
Sent Access-Request Id 241 from 0.0.0.0:35234 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Accept Id 241 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

6. In your radiusd -X terminal, a successful login looks like this:

(3) pap: Login attempt with password
(3) pap: Comparing with "known good" Cleartext-Password
(3) pap: User authenticated successfully
(3) [pap] = ok
[...]
(3) Sent Access-Accept Id 241 from 127.0.0.1:1812 to 127.0.0.1:35234 length 0
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 241 with timestamp +889

7. Now run one more login test from a different computer on your network. Create a client
configuration on your server by uncommenting and modifying the following entry in
/etc/raddb/clients.conf, using the IP address of your test client machine:

client private-network-1 {
    ipaddr = 192.0.2.0/24
    secret = testing123-1
}
On the client machine, install freeradius-server-utils. Try logging in from the client
as bob, using the radtest command. It is better to use the IP address of the RADIUS
server rather than the hostname because it is faster:

> radtest bob hello 192.168.2.100 0 testing123-1

If the client connection test fails, see Section 6, “Troubleshooting”.

5 Summary
You now know how to set up a basic FreeRADIUS configuration for testing.

6 Troubleshooting
There are several test users and test clients provided. Make sure that your server has the correct
firewall settings. If your test logins fail, review all the output to learn what went wrong. The
configuration files are full of useful information, and we recommend studying them.

7 Next steps
When you are satisfied with your testing and ready to create a production configuration, remove
all the test certificates in /etc/raddb/certs and replace them with your own certificates,
comment out all the test users and clients, and stop radiusd by pressing Ctrl+C. Manage
the radiusd.service with systemctl, just like any other service.
To learn how to fit a FreeRADIUS server in your network, see
https://freeradius.org/documentation/ and https://networkradius.com/freeradius-documentation/
for in-depth references and howtos.
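
The cleanup of test users and clients described in this section can be checked mechanically. The following shell script is an added example, not part of this document's procedure or of FreeRADIUS: it reports test users and test shared secrets that are still active under a raddb directory. The function names, the finding labels and the sample tree (including the user alice) are constructed for illustration; certificates are not checked.

```shell
#!/bin/sh
# Added example: report test users and test secrets still active under raddb.

# Prints "kind:file:line" per finding; returns 1 if any were found, else 0.
audit_raddb() {
    dir=$1
    users="$dir/mods-config/files/authorize"
    findings=$(
        # Uncommented user entries that carry a cleartext password (like bob).
        if [ -f "$users" ]; then
            grep -nE '^[^#[:space:]].*Cleartext-Password' /dev/null "$users" |
                cut -d: -f1,2 | sed 's/^/test-user:/'
        fi
        # Uncommented shared secrets that still begin with testing123.
        find "$dir" -type f -exec grep -nE \
            '^[[:space:]]*secret[[:space:]]*=[[:space:]]*testing123' /dev/null {} + |
            cut -d: -f1,2 | sed 's/^/test-secret:/'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: bob and the localhost client are still active,
# alice (hypothetical) and the second client's secret are commented out.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-config/files"
    printf '%s\n' 'bob Cleartext-Password := "hello"' \
        '    Reply-Message := "Hello, %{User-Name}"' \
        '#alice Cleartext-Password := "constructed"' \
        > "$d/mods-config/files/authorize"
    printf '%s\n' 'client localhost {' '    ipaddr = 127.0.0.1' \
        '    secret = testing123' '}' 'client private-network-1 {' \
        '    ipaddr = 192.0.2.0/24' '    #secret = testing123-1' '}' \
        > "$d/clients.conf"
    echo "$d"
}

# With an argument, audit that directory; without one, audit the sample.
if [ "$#" -gt 0 ]; then
    audit_raddb "$1"
else
    sample=$(make_sample)
    audit_raddb "$sample"
    rm -rf "$sample"
fi
```

Run it against /etc/raddb as a user that can read the configuration files; a non-zero exit status means test settings are still active.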
