I had the pleasure (read: gruelling chore) of setting a RADIUS server up from scratch a few weeks ago. All in all it was an educational experience, to say the least. To anyone else who’s interested, here’s a rough troubleshooting guide in case you get screwed and start screaming “WTF WHY IS IT NOT WORKING!!!”
Scope of installation: to set up an authentication server in a LAN environment NAT-ed to a public internet address, that authenticates against user info in a database and logs session data to the database as well.
*I am assuming a basic knowledge of bash, and that you know how to edit files with vi or any other editor in the command line interface.
- FreeRADIUS 1.1.3
- MySQL 5.0.32-Debian_7etch8-log
- Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-23)
Optional packages if you want to install dialupadmin:
Important note above everything else: read FreeRADIUS Wiki on SQL integration. Twice. Even thrice!
1. Network: make sure NAT is done if the server is using a private IP address (read: RFC 1918)
Default ports to be NAT-ed:
- TCP 1812 and 1813
- UDP 1812 and 1813
- 1812 is for authentication, and 1813 for accounting. That’s if you did not customise the ports in the default config.
If you don’t know how NAT should be done, Google is your best friend.
2. Restart it: service should be restarted whenever you make changes!
RHEL (and similar distros) should use this to restart the service (via FreeRADIUS wiki):
service radiusd stop
service radiusd start
3. Protocols needed: configure /etc/freeradius/radiusd.conf as needed for the types of authentication protocol, e.g. CHAP, PAP, MS-CHAP.
4. Logging: check for error messages under
5. Debugging: debug mode is very useful:
To turn it on:
*note: you have to kill to end the process; there is no stop command.
6. Dictionary check: add the relevant dictionary for your desired NAS in
7. Dictionary include: include the file dictionary inside
This is a sample entry for dictionary abc:
8. Client check: ensure your NAS clients are listed inside /etc/freeradius/clients.conf with a valid IP address and shared secret. NAS = Network Access Server, which is the client that’s handling the authentication. So yes, your NAS must be similarly configured.
9. Process check: Check that FreeRADIUS is running correctly.
List of processes: check for
If it’s not running, you’d better find out why.
Check listening ports: make sure the required UDP and TCP ports are active:
Make sure it’s listening on the right interface(s)!
10. Database check: Check that the username and password (and related usergroup) have been inserted into the
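For the client check in step 8, this added example (not from the original post or the FreeRADIUS project) parses clients.conf-style text and reports why a request from a given source address would be rejected or is weakly protected. The sample config, the 16-character minimum and the longest-prefix matching rule are assumptions of the example; behind NAT, pass the address the server actually sees on the packet.

```python
import ipaddress
import re

# Constructed sample in clients.conf syntax (not taken from the post).
SAMPLE_CLIENTS_CONF = """
client 127.0.0.1 {
    secret    = testing123        # well-known sample secret
    shortname = localhost
}
client 192.168.10.0/24 {
    secret    = Xq7-constructed-Secret-41
    shortname = lan-nas
}
client 10.0.0.5 {
    shortname = no-secret-nas
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return [(network, {key: value})] for each client block keyed by IP or CIDR."""
    text = re.sub(r"#.*", "", text)  # drop comments; assumes no '#' inside a secret
    clients = []
    for spec, body in CLIENT_RE.findall(text):
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            continue  # hostname-style entry: needs DNS, skipped in this offline check
        clients.append((net, {k: v.strip('"') for k, v in KV_RE.findall(body)}))
    return clients

def check_nas(text, source_ip, min_len=16):
    """List the problems a request arriving from source_ip would run into."""
    addr = ipaddress.ip_address(source_ip)
    matches = [(n, kv) for n, kv in parse_clients(text) if addr in n]
    if not matches:
        return ["unknown client: no entry covers " + source_ip]
    # Assumption of this example: the most specific (longest-prefix) entry applies.
    net, kv = max(matches, key=lambda m: m[0].prefixlen)
    secret = kv.get("secret")
    if secret is None:
        return ["entry %s has no secret" % net]
    if secret.startswith("testing123"):
        return ["entry %s still uses the sample secret" % net]
    if len(secret) < min_len:
        return ["entry %s: secret shorter than %d characters" % (net, min_len)]
    return []
```

An empty list means the address is covered by an entry with a non-sample secret of adequate length; the NAS must still be configured with the same secret.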
That’s all there is to it, I wasn’t really in the mood for writing an epic saga of my woes encountered alongside the entire process. Hopefully this has been of help to you guys, so if you liked my article, please share it! Thanks as always.