In a networked environment, handling authentication, authorization, and accounting (AAA) services through a RADIUS (Remote Authentication Dial-In User Service) server is key to centralizing user access management. A well-configured RADIUS server enhances network security, simplifies user administration, and improves accountability for service usage. This article details setting up and managing a RADIUS server on Linux, emphasizing FreeRADIUS—one of the most popular open-source RADIUS servers.
Introduction to RADIUS
RADIUS operates as a client/server protocol that centrally manages user access and accounting over networks. A user’s credentials are sent from a client (often a Network Access Server, or NAS) to the RADIUS server, which verifies them against its configured database or external sources like LDAP. Once authenticated, the RADIUS server grants network access, allowing the network to apply policies or track usage data for accounting.
Choosing and Installing FreeRADIUS
FreeRADIUS stands out among RADIUS options due to its flexibility, strong support community, and compatibility with multiple network devices. On Linux systems like CentOS and Ubuntu, installing FreeRADIUS is straightforward, using either DNF or APT package managers. Before starting, ensure your server OS is up to date with:
```bash
sudo apt update && sudo apt upgrade -y   # On Ubuntu/Debian
sudo dnf update -y                        # On CentOS/RHEL
```
Install FreeRADIUS and utilities using the following commands:
```bash
# On Ubuntu/Debian
sudo apt install freeradius freeradius-utils -y
# On CentOS/RHEL
sudo dnf install freeradius freeradius-utils -y
```
After installation, enable and start the FreeRADIUS service to initialize it:
```bash
sudo systemctl enable --now freeradius.service   # Ubuntu/Debian
sudo systemctl enable --now radiusd.service      # CentOS/RHEL, where the package names the unit radiusd
```
Configuring FreeRADIUS for Basic Use
FreeRADIUS is configured primarily through the files located in the `/etc/raddb/` (CentOS) or `/etc/freeradius/3.0/` (Ubuntu) directory. The main files of interest are `radiusd.conf` for general server settings, `clients.conf` for network access client definitions, and `users` for setting up user credentials.
1. **Defining Clients in `clients.conf`**: RADIUS clients (e.g., routers, VPNs) must be explicitly defined, including their IP addresses and shared secrets for authentication. For example:
```
client example-nas {
    ipaddr    = 192.168.1.100
    secret    = mysecret
    shortname = example-nas
}
```
Replace `192.168.1.100` with the client’s IP address and `mysecret` with a long, randomly generated shared secret. The secret both authenticates the NAS to the server and is the only key protecting user passwords in transit, so it must never be a guessable word.
2. **Setting Up Users in `users` File**: Define user entries for authentication using protocols such as PAP, CHAP, or EAP. A basic entry might look like:
```
bob Cleartext-Password := "securepassword"
```
This line creates a user named “bob” with the password “securepassword.” Additional attributes like service type or IP address constraints can be configured as needed for specific network policies.
Database Integration for Centralized Authentication
For more extensive setups, FreeRADIUS can be configured to work with an SQL database like MySQL or MariaDB. This database integration centralizes user information and simplifies large-scale user management. Start by creating a RADIUS database in MariaDB:
```bash
sudo mysql -u root -p
```
```sql
CREATE DATABASE radius;
GRANT ALL ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'yourpassword';
FLUSH PRIVILEGES;
QUIT;
```
After the database exists, edit the `sql` module configuration (`mods-available/sql`, under the FreeRADIUS configuration directory on either distribution) so that its driver, server, login and password settings point to this database, and enable the module; users and client definitions can then be managed through SQL.
Testing the RADIUS Server
FreeRADIUS provides tools for testing configurations, such as `freeradius -X` to run the server in debug mode, making it easier to troubleshoot configuration errors. Additionally, `radtest` can simulate authentication requests:
```bash
radtest bob securepassword localhost 0 mysecret
```
Replace “bob,” “securepassword,” and “mysecret” with your actual values; the last argument must be the shared secret of the `clients.conf` entry that matches the source address, which for `localhost` is the packaged default `testing123` unless you changed it. A `Received Access-Accept` reply indicates the user, client and secret are configured correctly, while an `Access-Reject` or a timeout points to a wrong password, a client not listed in `clients.conf`, or a mismatched secret.
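To make clear what `radtest` puts on the wire and why the shared secret matters, here is an added example (not part of the original article or of FreeRADIUS) that builds the same Access-Request in Python and checks a reply's Response Authenticator as a NAS would; the secret and the 127.0.0.1 NAS address are constructed values.

```python
import hashlib
import os
import struct

# Constructed values (not from a real deployment): the shared secret from
# clients.conf and the RFC 2865 packet codes / attribute types used below.
SECRET = b"mysecret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator. Keyed only by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest())), block
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret, req_auth=None):
    """What radtest sends: Code 1, ID, Length, Request Authenticator, attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
             + attribute(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(resp, req_auth, secret):  # NAS-side check before trusting a reply
    code, ident, _ = struct.unpack("!BBH", resp[:4])
    return resp[4:20] == response_authenticator(code, ident, resp[20:], req_auth, secret)
```

Because nothing but MD5 of the secret hides the password, anyone who captures such a packet and knows or guesses the secret recovers the password, which is the reason for the complex-secret and TLS advice in the security section that follows.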
Enhancing Security with Firewalls and Best Practices
For optimal security, restrict RADIUS server access to trusted IP ranges, use complex shared secrets, and ensure the firewall allows only necessary RADIUS traffic. On a server using UFW, configure the firewall as follows:
```bash
sudo ufw allow 1812/udp   # For authentication
sudo ufw allow 1813/udp   # For accounting
sudo ufw reload
```
Additionally, RADIUS over TLS (RadSec) can be enabled in FreeRADIUS to encrypt the whole exchange, since plain RADIUS only obfuscates the User-Password attribute with the shared secret and sends every other attribute in cleartext. Applying software updates promptly and reviewing `radius.log` periodically are essential to maintaining server security.
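As an added example (not from the article or from FreeRADIUS), the following Python parses the `Auth:` lines that FreeRADIUS writes to `radius.log` when `auth = yes` is set in the `log` section of `radiusd.conf`, and flags users with repeated failures; the log lines are constructed samples in that format, and the threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format FreeRADIUS writes to radius.log
# when `log { auth = yes }` is set in radiusd.conf (all values made up).
SAMPLE_LOG = """\
Tue Mar  5 10:11:12 2024 : Auth: (1) Login OK: [bob] (from client example-nas port 0)
Tue Mar  5 10:11:20 2024 : Auth: (2) Login incorrect (pap: Password comparison failed): [alice] (from client example-nas port 0)
Tue Mar  5 10:11:21 2024 : Auth: (3) Login incorrect (pap: Password comparison failed): [alice] (from client example-nas port 0)
Tue Mar  5 10:11:22 2024 : Auth: (4) Login incorrect (pap: Password comparison failed): [alice] (from client example-nas port 0)
Tue Mar  5 10:12:05 2024 : Auth: (5) Login incorrect (No Auth-Type found): [carol] (from client vpn-gw port 0)
Tue Mar  5 10:12:30 2024 : Auth: (6) Login OK: [alice] (from client example-nas port 0)
"""

# The user field is "[name]" or "[name/password]" when auth_badpass is on;
# only the name part is captured either way.
AUTH_RE = re.compile(
    r"Auth: \(\d+\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]/]*)[^\]]*\]"
    r" \(from client (?P<client>\S+)"
)

def parse_auth_events(text):
    """Return one dict per Auth: line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def failures_per_user(events):
    return Counter(e["user"] for e in events if e["result"] == "incorrect")

def flag_repeated_failures(events, threshold=3):
    """(user, client) pairs with >= threshold consecutive failures since that
    user's last success through that client: a cheap password-guessing signal."""
    streak = defaultdict(int)
    flagged = set()
    for e in events:
        key = (e["user"], e["client"])
        if e["result"] == "OK":
            streak[key] = 0
        else:
            streak[key] += 1
            if streak[key] >= threshold:
                flagged.add(key)
    return flagged
```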
Web Management with daloRADIUS
The daloRADIUS front-end simplifies FreeRADIUS administration, offering a GUI for user management, session tracking, and logging. Install daloRADIUS by downloading it from the repository, then configure it to interface with FreeRADIUS's database for complete web-based control.
Once installed, access the daloRADIUS interface by navigating to `http://<server-ip>/daloradius` in your browser. Log in with administrator credentials, allowing you to manage users, view active sessions, and generate reports.
Troubleshooting Common Issues
Typical FreeRADIUS issues include dependency errors, incorrect file permissions, or syntax errors in configuration files. Debugging mode (`freeradius -X`) is invaluable for real-time error detection. For example, a common error might involve permission issues on the `/var/run/freeradius/` directory, fixable with:
```bash
# Debian/Ubuntu packages run the daemon as user "freerad";
# CentOS/RHEL packages use user "radiusd" and the directory /var/run/radiusd/
sudo chown -R freerad:freerad /var/run/freeradius/
```
Debugging these issues fosters a deeper understanding of FreeRADIUS operation, crucial for robust server management.
Conclusion
Setting up and managing a FreeRADIUS server on Linux offers centralized authentication and security, scaling efficiently from small setups to enterprise networks. By carefully configuring clients and users and integrating with an SQL database, FreeRADIUS can be tailored to meet diverse authentication needs. With tools like daloRADIUS for web management, maintaining a FreeRADIUS server becomes even more manageable. Regular audits, updates, and security measures are essential to secure the AAA server and protect network integrity.
For further information on advanced configurations, visit the FreeRADIUS documentation or community forums.