Ubuntu RADIUS Server Configuration with freeRADIUS
Ubuntu Server is one of most popular open-source Linux Server distribution. It is stable and reliable than other Linux distributions. So, enterprise level application can be hosted on Ubuntu Server. Ubuntu RADIUS Server is popularly used for remote authentication and mostly used with the freeRADIUS open source RAIDUS application.
freeRADIUS is one of the most popular and powerful AAA (Authorization, Authentication and Accounting) application. Any enterprise (specially ISP company) can use freeRADIUS for AAA solution and can develop billing system. freeRADIUS can be easily installed and configured in Ubuntu Linux Server and can be used as Ubuntu RADIUS Server.
In my previous article, I discussed how to installed Ubuntu Linux Server with LVM and in this article I am going to discuss how to install and configure freeRADIUS daemon in Ubuntu Linux Server and how to use Ubuntu RADIUS Server with freeRADIUS.
freeRADIUS installation in Ubuntu Server
freeRADIUS package is available in Ubuntu Server package repository. At the time of writing this article, the available version of freeRADIUS is freeRADIUS 3. You can find the current available version with the following command.
With the above command, you will find a lot of freeRADIUS packages available in Ubuntu Repository. Among these packages, we will only install the basic freeradius and freeradius-utils package initially.
Issue the following command to install freeRADIUS basic packages in Ubuntu Server.
Within few times, the freeRADIUS daemon will be installed in your Ubuntu Server. You can verify freeRADIUS installation in Ubuntu Server with the following command.
Managing freeRADIUS Service in Ubuntu Server
The freeradius service will be started by default after installing the freeradius package. We can see the status of the freeradius service with the following command.
We will now find that the freeradius service is active and running. To make it start automatically when Ubuntu Server rebooted, issue the following command.
We can also start or restart the freeradius service with the following two commands respectively.
If we need to stop the freeradius service for any reason, we can issue the following command.
Testing freeRADIUS Installation and Default Configuration
To test and debug freeRADIUS installation and configuration as well as freeRADIUS data send and receive, we can run freeRADIUS as debug mode. To run freeradius as debug mode in Ubuntu Server, issue the following command but make sure the freeradius service is stopped.
With the above command, you will find the following output at the bottom that means your server is ready to accept NAS authentication, authorization and accounting request.
Allowing RADIUS Ports in Firewall
From the above command, you can see that freeradius is listening the auth (Authorization and Authentication) request on UDP port 1812 and the acct (Accounting) request on UDP port 1813. So, we have to keep allowed these UDP ports in our installed firewall in Ubuntu Server. As I am fond of Firewalld daemon for firewalling in Ubuntu Server, I am showing how to enable these UDP ports in firewalld service. If you use any other firewall daemon, use that service to allow these two UDP ports.
Issue the following command to allow these ports in firewalld service (on public zone, if you have any other zone, enable these ports on that zone also if required).
freeRADIUS Server Basic Configuration in Ubuntu Server
We will now do FreeRADIUS basic configuration which includes RADIUS client (NAS) and RADIUS User configuration. In Ubuntu FreeRADIUS Server, all the configuration files are placed in /etc/freeradius/version_number directory. So, go to this directory and open clients.conf file.
In this file, a default RADIUS client named localhost is configured by default for testing purpose. So, we will use this client for testing FreeRADIUS configuration. The default configuration of the localhost client looks like the following lines.
Similarly, we can add other NAS devices such MikroTik Router, Cisco Router etc. We will discuss how to add NAS devices in clients configuration file in the upcoming tutorials. Now we will add our test users in FreeRADIUS Server.
By default, user will be authorized and authenticated from users file in FreeRADIUS Server. So, open the users file located in this directory and add the following bob user at the top of this file. Also make sure that the second and third lines are indented by a single tab character.
In the above user information, the first line contains authorization and authentication information which is user name and password, and the rest of the line contains AVPs (Attribute Value Pair) those will be returned when the user will be authenticated.
FreeRADIUS basic configuration has been completed. Now it is time to test the configuration. FreeRADIUS provides radtest and radclient tools to test user and its configuration. We will use radclient tool test our bob user.
So, reload the freeradius daemon and issue the following radclient command and observe the output of this command.
Output
Sent Access-Request Id 10 from 0.0.0.0:60243 to 127.0.0.1:1812 length 43
User-Name = “bob”
User-Password = “password”
Cleartext-Password = “password”
Received Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:60243 length 38
Framed-IP-Address = 192.168.10.10
Reply-Message = “Hello, bob”
The above output of the radclient command is showing how auth request is being sent to the radius server and how the response is being sent to the Radius client.
So, Ubuntu RADIUS Server with freeRADIUS is now ready to accept Radius client (NAS) request and sent response to the NAS. In the next article, we will learn how to add MikroTik Router as NAS device of the freeRADIUS Server and authenticated RouterOS system user from Ubuntu RADIUS Server.
How to install and configure freeRADIUS Server in Ubuntu Server has been discussed in this article. I hope, you will now be able to install and configure freeRADIUS Server in Ubuntu Server. However, if you face any issue to install and to do basic configuration of freeRADIUS Server, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.
Why not a Cup of COFFEE if the solution?