8 Setting up a freeRADIUS server #
The RADIUS (Remote Authentication Dial-In User Service) protocol has long been a standard service for managing network access. It provides authentication, authorization and accounting (AAA) for large businesses such as Internet service providers and cellular network providers, and is also popular for small networks. It authenticates users and devices, authorizes those users and devices for certain network services, and tracks use of services for billing and auditing. You do not have to use all three AAA functions, only the ones you need. For example, you may need client authentication but not accounting, or perhaps all you want is accounting, with authorization managed by something else.
It is efficient and handles thousands of requests on modest hardware. It is no longer limited to dial-up and is used for every kind of network access (wired 802.1X, wireless, VPN), but the name remains the same.
RADIUS uses a distributed architecture: the RADIUS server sits separately from the Network Access Server (NAS). User access data is stored on a central RADIUS server that serves multiple NAS devices. The NAS provides the physical access to the network, for example a managed Ethernet switch or a wireless access point, and each NAS shares a secret with the RADIUS server that authenticates the traffic between them.
FreeRADIUS is an open source RADIUS implementation, and the most widely used RADIUS server. In this chapter you learn how to install and test a FreeRADIUS server. Because of the numerous use cases, after your initial setup is working correctly, your next stop is the official documentation, which is detailed and thorough (see https://freeradius.org/documentation/).
8.1 Installation and testing on SUSE Linux Enterprise Server #
The following steps set up a simple test system. The test certificates, users and clients they create are not suitable for production; when you have verified that the server is operating correctly, you must undo those steps (see the end of this section) before starting your production configuration.
First install the freeradius-server and freeradius-server-utils packages. Then enter /etc/raddb/certs and run the bootstrap script to create a set of test certificates:

# zypper in freeradius-server freeradius-server-utils
# cd /etc/raddb/certs
# ./bootstrap
The README in the certs directory contains a great deal of useful information. When the bootstrap script has completed, start the server in the foreground in debugging mode:

# radiusd -X
[...]
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54435
Listening on proxy address :: port 58415
Ready to process requests
When you see the Listening and Ready to process requests lines, your server has started correctly. If it does not start, read the output carefully: it tells you what went wrong. You can keep a copy of the output in a text file with tee (radiusd still has to run as root):

# radiusd -X | tee radiusd.text
The next step is to test authentication with a test client and user. A client is a client of the RADIUS server, such as a wireless access point or switch. Clients are configured in /etc/raddb/clients.conf. Human users are configured in /etc/raddb/mods-config/files/authorize.
    
Open /etc/raddb/mods-config/files/authorize and uncomment the following lines. Keep the Reply-Message line indented: in this file an indented line is a reply item that belongs to the user entry above it.

bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
A test client, client localhost, is provided in /etc/raddb/clients.conf with the secret testing123. Open a second terminal and, as an unprivileged user, use the radtest command to log in as bob. The arguments are user, password, server, NAS port number and shared secret:

> radtest bob hello 127.0.0.1 0 testing123
Sent Access-Request Id 241 from 0.0.0.0:35234 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "hello"
Received Access-Accept Id 241 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
In your radiusd -X terminal, a successful login looks like this:

(3) pap: Login attempt with password
(3) pap: Comparing with "known good" Cleartext-Password
(3) pap: User authenticated successfully
(3)     [pap] = ok
[...]
(3) Sent Access-Accept Id 241 from 127.0.0.1:1812 to 127.0.0.1:35234 length 0
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 241 with timestamp +889
Now run one more login test from a different computer on your network. Create a client entry for it on your server by uncommenting and modifying the following block in /etc/raddb/clients.conf, using the IP address (or network) of your test machine. The server only answers requests whose source address matches a client entry, and the client must present the secret configured there:

client private-network-1 {
  ipaddr          = 192.0.2.0/24
  secret          = testing123-1
}

Restart radiusd -X so that it reads the new client entry.
On the client machine, install freeradius-server-utils and try logging in as bob with the radtest command, giving the server's IP address rather than its host name (this avoids a DNS lookup and removes one source of failure from the test):

> radtest bob hello 192.168.2.100 0 testing123-1

The request must leave the client from an address covered by the ipaddr of the client entry you created; otherwise the server ignores it (the debug output says so) and radtest reports no reply.
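To see what radtest actually puts on the wire, and what the shared secret does and does not protect, here is an added example that is not part of this chapter or of the FreeRADIUS project: a small Python client that builds the same Access-Request (User-Name, hidden User-Password, NAS-IP-Address, NAS-Port and Message-Authenticator), sends it over UDP, and checks both authenticators on the reply before trusting an Access-Accept. It also contains the server-side reply construction so that the verification can be exercised offline. The server address 192.168.2.100, the secret testing123-1 and the user bob with password hello are the test values from this section and are assumed; the file name radius_probe.py is assumed as well.

```python
"""Hand-built RADIUS Access-Request client (RFC 2865, RFC 2869). Added example, not
SUSE or FreeRADIUS code: it sends what radtest sends and checks the reply the way a
careful NAS should. Addresses, secrets and credentials are assumed test values."""
import hashlib, hmac, os, socket, struct, sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80

def attr(kind, value):
    """One attribute: type, total length (value + 2 octets), value; max 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value

def _password_xor(secret, authenticator, data, hiding):
    # RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext
    # block), seeded with the Request Authenticator. Keyed obfuscation, not encryption.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = out[-16:] if hiding else data[i:i + 16]
    return out

def hide_password(secret, authenticator, password):
    """Client side: pad to a multiple of 16 octets, then obfuscate."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    return _password_xor(secret, authenticator, password + b"\x00" * (-len(password) % 16), True)

def reveal_password(secret, authenticator, hidden):
    """Server side: recover the password before comparing it with Cleartext-Password."""
    return _password_xor(secret, authenticator, hidden, False).rstrip(b"\x00")

def parse_attributes(data):
    """Return [(type, value), ...]; reject bad lengths rather than loop or over-read."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def message_authenticator_ok(secret, packet, request_authenticator):
    """RFC 2869 3.2: HMAC-MD5 over the packet with the Request Authenticator in the
    header (for replies too) and the attribute value zeroed. None if the attribute is absent."""
    i = 20
    while i + 2 <= len(packet):
        if packet[i] == MESSAGE_AUTHENTICATOR and packet[i + 1] == 18:
            zeroed = packet[:4] + request_authenticator + packet[20:i + 2] + b"\x00" * 16 + packet[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[i + 2:i + 18])
        i += max(packet[i + 1], 2)
    return None

def build_access_request(secret, user, password, ident, nas_ip="127.0.0.1", nas_port=0, authenticator=None):
    """The attribute set radtest sends. Returns (packet, request_authenticator)."""
    ra = os.urandom(16) if authenticator is None else authenticator
    attrs = (attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(secret, ra, password.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed placeholder, kept last
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest(), ra

def build_reply(secret, code, ident, request_authenticator, attrs):
    """Server side (lets verify_response be tested offline): HMAC first, then
    Response Authenticator = MD5(header + Request Authenticator + attributes + secret)."""
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(secret, request_authenticator, reply):
    """Check a reply against the secret and the request it answers; raise on any mismatch."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
    if not 20 <= length <= len(reply):
        raise ValueError("truncated reply or bad length field")
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    # The Response Authenticator is bare MD5, so require the HMAC as well; without it an
    # attacker on the path can forge an Access-Accept (the 2024 Blast-RADIUS attack).
    if message_authenticator_ok(secret, reply, request_authenticator) is not True:
        raise ValueError("missing or bad Message-Authenticator")
    return reply[0], reply[1], parse_attributes(reply[20:])

def radius_auth(server, secret, user, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP; return (code, attributes) or raise."""
    ident = os.urandom(1)[0]
    packet, ra = build_access_request(secret, user, password, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    code, rid, attrs = verify_response(secret, ra, reply)
    if rid != ident:
        raise ValueError("reply identifier does not match the request")
    return code, attrs

if __name__ == "__main__":  # python3 radius_probe.py 192.168.2.100 testing123-1 bob hello
    code, attrs = radius_auth(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4])
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "code %d" % code),
          [v.decode(errors="replace") for k, v in attrs if k == REPLY_MESSAGE])
```

Two things are worth noticing when you read it. hide_password is an MD5 keystream derived only from the shared secret and a random 16-byte authenticator, so anyone who captures a request and guesses the secret recovers the password; that is why the test secrets must be gone before production. And verify_response refuses a reply that lacks a valid Message-Authenticator, because the Response Authenticator alone is plain MD5 and can be forged by someone on the path between the NAS and the server.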
If your test logins fail, review all the output to learn what went wrong. There are several test users and test clients provided. The configuration files are full of useful information, and we recommend studying them. When you are satisfied with your testing and ready to create a production configuration: remove all the test certificates in /etc/raddb/certs and replace them with your own certificates; comment out all the test users and clients, including the localhost client with its well-known secret testing123 if you do not need it; give every remaining client a long, random secret of its own, because the shared secret is all that protects the User-Password in transit and authenticates the server's replies; and stop radiusd by pressing Ctrl–C. From then on, manage radiusd.service with systemctl, just like any other service. The server listens on UDP ports 1812 and 1813, so open them for your NAS devices in the firewall.
    
To learn how to fit a FreeRADIUS server in your network, see https://freeradius.org/documentation/ and https://networkradius.com/freeradius-documentation/ for in-depth references and howtos.