Tech: 10 tips for FreeRADIUS server configuration

I had the pleasure (read: gruelling chore) of setting a RADIUS server up from scratch a few weeks ago. All in all it was an educational experience, to say the least. To anyone else who’s interested, here’s a rough troubleshooting guide incase you get screwed and start screaming “WTF WHY IS IT NOT WORKING!!!”

Scope of installation: to setup an authentication server in a LAN environment NAT-ed to a public internet address, that authenticates against user info in database and logs session data to database as well.

*I am assuming a basic knowledge of bash, and that you know how to edit files with vi or any other editor in the command line interface.

Packages used:

  • FreeRADIUS 1.1.3
  • MySQL 5.0.32-Debian_7etch8-log
  • Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-23)

Optional packages if you want to install dialupadmin:

  • Apache
  • PHP

Important note above everything else: read FreeRADIUS Wiki on SQL integration. Twice. Even thrice!

1. Network: make sure NAT is done if the server is using a private IP address (read: RFC 1918)

Default ports to be NAT-ed:

  • TCP 1812 and 1813
  • UDP 1812 and 1813
  • 1812 is for authentication, and 1813 for accounting. That’s if you did not customise the ports in the default config.

If you don’t know how NAT should be done, Google is your best friend.

2. Restart it: service should be restarted whenever you make changes!

To stop:
/etc/init.d/freeradius stop

To start:
/etc/init.d/freeradius start

RHEL (and similar distros) should use this to restart the service (via FreeRADIUS wiki):
service radiusd stop
service radiusd start

3. Protocols needed: configure /etc/freeradius/radiusd.conf as needed for types of authentication protocol e.g. CHAP, PAP, MS-CHAP.

4. Logging: check for error messages under /var/log/freeradius/radius.log

5. Debugging: debug mode is very useful:

To turn it on:
freeradius -X

*note: you have to kill to end the process, there is no stop command.

6. Dictionary check: add the relevant dictionary for your desired NAS in /usr/share/freeradius/

7. Dictionary include: include the file dictionary inside /etc/freeradius/dictionary

This is a sample entry for dictionary abc:

$INCLUDE /usr/share/freeradius/

8. Client check: ensure your NAS clients are listed inside /etc/freeradius/clients.conf with a valid IP address and shared secret. NAS = Network Access Server, which is the client that’s handling the authentication. So yes, your NAS must be similarly configured.

9. Process check: Check that FreeRADIUS is running correctly.

List of processes check for freeradius:
ps -ef

If it’s not running, you’d better find out why.

Check listening ports make sure the required UDP and TCP ports are active:
netstat -tunelp

Make sure it’s listening on the right interface(s)!

10. Database check: Check that the username and and password (and related usergroup) have been inserted into the usergroup and radcheck tables.

That’s all there is to it, I wasn’t really in the mood for writing an epic saga of my woes encountered alongside the entire process. Hopefully this has been of help to you guys, so if you liked my article, please share it! Thanks as always.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.