Previous Section  < Day Day Up >  Next Section

Installation of FreeRADIUS

We have already discussed the AAA concept, the principal methodology behind RADIUS, and the structure of the RADIUS protocol, along with the packet structure, types, and values. Now we are going to take a more practical focus on the installation of the FreeRADIUS server. The official FreeRADIUS project site ( announces: "The FreeRADIUS Server Project is an attempt to create a high-performance and highly configurable GPL'd free RADIUS server. The server is similar to Livingston's 2.0 server. FreeRADIUS is a variant of the Cistron RADIUS server, but they don't share a lot in common. You should use it because it has a lot more features than Cistron and Livingston and is much more configurable."

For the industry and production appliances we recommend installing a stable version of this product, which at the time of writing was FreeRADIUS 0.8.1. However, you might find the latest CVS version of FreeRADIUS more suitable for your needs, as it is likely to support extra features. You can download the stable and CVS versions of the server from From this section on, we use the CVS snapshot version of FreeRADIUS taken on May 26, 2003. However, your installation procedures should be similar if you use the stable or the latest CVS snapshot.

To begin installation from sources, download and extract Free-RADIUS using your most accustomed method, like this:

arhontus:~$ wget -c graphics/ccc.gif/freeradius-snapshot-20030526.tar.gz arhontus:~$ tar -xvzf freeradius-snapshot-20030526.tar.gz arhontus:~$ cd freeradius-snapshot-20030526

To fine-tune FreeRADIUS to your specific needs, you should edit the Makefile or add required switches to the configure script. For details on the supported options you should do this:

arhontus:$ ./configure --help

Then do the following to configure and compile the sources:

arhontus:$ ./configure

arhontus:$ make

To install FreeRADIUS you need to have root privileges and execute:

arhontus:$ su

arhontus:# make install

Follow these instructions to install the binary package on your Debian Linux:

arhontus:~# dpkg -i radiusd-freeradius_0.8.1_i386.deb


arhontus:~# dpkg -i freeradius_0.8.1+0.9pre20030526-1_i386.deb

Your choice depends on whether you want to install the stable or the CVS version of FreeRADIUS, respectively. Additionally, you might want to install add-ons to the server for the purpose of integrating various authentication schemes, such as Kerberos V, SQL, or LDAP.

When the installation is successfully finished, you can move on to the next section, where we describe the configuration procedures for your newly installed RADIUS server.


At the time of writing, the configuration files for the stable version were located in /etc/raddb or /etc/freeradius for the CVS snapshot, so you might need to make some adjustments depending on the version you choose to implement. Before going any further we recommend that you get accustomed to the directory structure and the critical configuration files:

arhontus:/etc/freeradius# ls -l

total 276

-rw-r----- 1 root   freerad   936 May 26 19:06 acct_users

-rw-r----- 1 root   freerad  3454 May 26 19:06 attrs

-rw-r----- 1 root   freerad   756 May 27 02:02 clients

-rw-r----- 1 root   freerad  3062 May 24 21:05 clients.conf

-rw-r----- 1 root   freerad   607 May 26 19:06 dictionary

-rw-r----- 1 root   freerad  13995 May 26 19:06 experimental.conf

-rw-r----- 1 root   freerad  1780 May 26 19:06 hints

-rw-r----- 1 root   freerad  1604 May 26 19:06 huntgroups

-rw-r----- 1 root   freerad  2333 May 26 19:06 ldap.attrmap

-rw-r----- 1 root   freerad  8494 May 26 19:06 mssql.conf

-rw-r----- 1 root   freerad  1052 May 21 20:41 naslist

-rw-r----- 1 root   freerad   856 May 26 19:06 naspasswd

-rw-r----- 1 root   freerad  1199 May 26 19:06 oraclesql.conf

-rw-r----- 1 root   freerad  10068 May 26 19:06 postgresql.conf

-rw-r----- 1 root   freerad   378 May 26 19:06 preproxy_users

-rw-r----- 1 root   freerad  8093 May 26 19:06 proxy.conf

-rw-r----- 1 root   freerad 42818 May 27 10:16 radiusd.conf

-rw-r----- 1 root   freerad  1387 May 26 19:06 realms

-rw-r----- 1 root   freerad  1405 May 26 19:06 snmp.conf

-rw-r----- 1 root   freerad 11916 May 26 19:06 sql.conf

-rw-r----- 1 root   freerad  7356 May 27 00:07 users

-rw-r----- 1 root   freerad  7267 May 26 19:06 x99.conf

-rw-r----- 1 root   freerad  4165 May 26 19:06 x99passwd.sample

The most critical configuration files for the RADIUS operations are briefly mentioned here.


The information provided in this file overrides anything specified in the clients or naslist file. The configuration contains all of the information from those two files, as well as additional configuration features. You should change the values in this file to suit your network configuration layout. The sample file should look like this:

client {

        secret         = testing123456

        shortname      = dmz-network


It is strongly recommended that you change the default secret values to a nondictionary, mixed-character passphrase. Leaving the default values presents a significant security risk!


Next, edit the /etc/freeradius/naslist file to include the full canonical name, nickname, and the type of every NAS equipment that will address the RADIUS server. For the full list of supported NAS equipment consult either the manual pages or the naslist file itself. A sample of the file is given here:

# NAS Name              Short Name      Type

#----------------       ----------      ----    pm1.NY          livingston    pm1.LA          livingston

localhost               local           portslave          AP1             portslave          AP2             portslave          AP3             portslave


The /etc/freeradius/radiusd.conf file is the heart of the RADIUS server. It includes the majority of options and directives. A small section of the file is highlighted here for illustration purposes. You should adjust this file to meet your requirements and server needs. Additionally, you can consult our sample of a radiusd.conf file that integrates many features of the FreeRADIUS server, including LDAP, EAP-TLS, and UNIX password-style authentications.

(removed contents)

        prefix = /usr

        exec_prefix = /usr

        sysconfdir = /etc

        localstatedir = /var

        sbindir = ${exec_prefix}/sbin

        logdir = /var/log/freeradius

        raddbdir = /etc/freeradius

        radacctdir = ${logdir}/radacct

        #  Location of config and logfiles.

        confdir = ${raddbdir}

        run_dir = ${localstatedir}/run/freeradius


        #  The logging messages for the server are appended to the

        #  tail of this file.


         log_file = ${logdir}/radius.log

(removed contents)


The /etc/freeradius/realms file is useful if you intend to have several RADIUS servers and require users to roam from one server to another. In the latest versions of FreeRADIUS this file is obsolete and replaced by proxy.conf, which configures settings for RADIUS proxying.


This file identifies the methods and procedures of user authentication. Here we add various users along with the types of services they are allowed to use, as well as the default authentication mechanisms. To get more information about this file you should consult man 5 users. A sample of the file looks like this:

 "rejecteduser"   Auth-Type := Reject

          Reply-Message = "Your account has been disabled."

 "EAPuser"  Auth-Type := EAP

"morpheus" Auth-Type := Local, User-Password == "testing123456"

             Service-Type = Framed-User,

             Framed-Protocol = PPP,

             Framed-IP-Address =,

             Framed-IP-Netmask =,

             Framed-Routing = Broadcast-Listen,

             Framed-MTU = 1500,

             Framed-Compression = Van-Jacobsen-TCP-IP

 DEFAULT     Auth-Type = System

             Fall-Through = 1

 DEFAULT     Service-Type == Framed-User

             Framed-IP-Address =,

             Framed-MTU = 576,

             Service-Type = Framed-User,

             Fall-Through = Yes

 DEFAULT     Framed-Protocol == PPP

             Framed-Protocol = PPP,

             Framed-Compression = Van-Jacobson-TCP-IP

Once you have completed tailoring the configuration files to your requirements, you are ready to run the FreeRADIUS server for the first time. The installation script has prepared the startup script for you, which can usually be found in /etc/init.d/freeradius or /etc/rc.d/rc.freeradius; invoking it in the following manner starts the Free-RADIUS server:

arhontus:~# /etc/init.d/freeradius start

If the RADIUS server starts successfully, you should have similar output from the following command:

arhontus:~# netstat -lnp |grep radius

udp 0    0*       651/freeradius

udp 0    0*       651/freeradius

udp 0    0*       651/freeradius

Otherwise, run the server in the following manner to start Free-RADIUS in debugging mode so you can trace the source of the errors:

arhontus:~# /usr/sbin/freeradius -X -A

Once you have successfully started the FreeRADIUS daemon, you are ready to test user authentication, and there are several methods of doing so. The first method is to use the radtest utility, which attempts to connect to the RADIUS server with specified user credentials and then outputs the server reply. You can run the program in the following manner:

arhontus:~$ radtest andrei testing123456 10 testing123456

        Sending Access-Request of id 31 to

               User-Name = "andrei"

               User-Password = "testing123456"

               NAS-IP-Address =

               NAS-Port = 10

        rad_recv: Access-Accept packet from host, id=31, length=20

The daemon log should show an authorization logon similar to this:

Tue May 27 19:17:15 2003 : Auth: Login OK: [andrei] (from client localhost port 10)

Alternatively, for those who are dependent on Microsoft Windows, you can download a RADIUS testing utility called NTRadPing, available from The application window should look like Figure 13-2 when it authenticates the user.

Figure 13.2. NTRadPing RADIUS testing utility.


Once you have successfully tested your server, you are ready to move on to the next section, which describes the basics of RADIUS monitoring and accounting. This is important for day-to-day RADIUS administration tasks as well as incident response procedures should a successful break-in occur.

    Previous Section  < Day Day Up >  Next Section