Ubuntu RADIUS Server Configuration with freeRADIUS

Ubuntu Server is one of the most popular open-source Linux server distributions. It is more stable and reliable than other Linux distributions, so enterprise-level applications can be hosted on Ubuntu Server. Ubuntu RADIUS Server is popularly used for remote authentication and is mostly used with the freeRADIUS open-source RADIUS application.

freeRADIUS is one of the most popular and powerful AAA (Authorization, Authentication and Accounting) applications. Any enterprise (especially an ISP) can use freeRADIUS as its AAA solution and build a billing system on top of it. freeRADIUS can be easily installed and configured on Ubuntu Linux Server and used as an Ubuntu RADIUS Server.

In my previous article, I discussed how to install Ubuntu Linux Server with LVM, and in this article I am going to discuss how to install and configure the freeRADIUS daemon on Ubuntu Linux Server and how to use Ubuntu RADIUS Server with freeRADIUS.

How to install and configure freeRADIUS in Ubuntu Server

freeRADIUS installation in Ubuntu Server 

The freeRADIUS package is available in the Ubuntu Server package repository. At the time of writing this article, the available version of freeRADIUS is freeRADIUS 3. You can find the currently available version with the following command.

# sudo apt search freeradius

With the above command, you will find a lot of freeRADIUS packages available in the Ubuntu repository. Among these packages, we will initially install only the basic freeradius and freeradius-utils packages.

Issue the following command to install freeRADIUS basic packages in Ubuntu Server.

# sudo apt install freeradius freeradius-utils -y

Within a short time, the freeRADIUS daemon will be installed on your Ubuntu Server. You can verify the freeRADIUS installation with the following command.

# sudo apt list --installed | grep freeradius

Managing freeRADIUS Service in Ubuntu Server

The freeradius service will be started by default after installing the freeradius package. We can see the status of the freeradius service with the following command.

# sudo systemctl status freeradius

We will now find that the freeradius service is active and running. To make it start automatically when Ubuntu Server is rebooted, issue the following command.

# sudo systemctl enable freeradius

We can also start or restart the freeradius service with the following two commands respectively.

# sudo systemctl start freeradius
# sudo systemctl restart freeradius

If we need to stop the freeradius service for any reason, we can issue the following command.

# sudo systemctl stop freeradius

Testing freeRADIUS Installation and Default Configuration

To test and debug the freeRADIUS installation and configuration, as well as the data freeRADIUS sends and receives, we can run freeRADIUS in debug mode. To run freeradius in debug mode on Ubuntu Server, issue the following command, but make sure the freeradius service is stopped first.

# sudo freeradius -X

With the above command, you will find the following output at the bottom, which means your server is ready to accept NAS authentication, authorization and accounting requests.

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 54279
Listening on proxy address :: port 52868
Ready to process requests

Allowing RADIUS Ports in Firewall

From the above output, you can see that freeradius is listening for auth (Authorization and Authentication) requests on UDP port 1812 and for acct (Accounting) requests on UDP port 1813. So, we have to allow these UDP ports in the firewall installed on our Ubuntu Server. As I am fond of the Firewalld daemon for firewalling in Ubuntu Server, I am showing how to enable these UDP ports in the firewalld service. If you use any other firewall daemon, use that service to allow these two UDP ports.

Issue the following command to allow these ports in firewalld service (on public zone, if you have any other zone, enable these ports on that zone also if required).

# sudo firewall-cmd --zone=public --add-port=1812/udp
# sudo firewall-cmd --zone=public --add-port=1813/udp

freeRADIUS Server Basic Configuration in Ubuntu Server

We will now do FreeRADIUS basic configuration which includes RADIUS client (NAS) and RADIUS User configuration. In Ubuntu FreeRADIUS Server, all the configuration files are placed in /etc/freeradius/version_number directory. So, go to this directory and open clients.conf file.

# cd /etc/freeradius/3.0/
# vim clients.conf

In this file, a default RADIUS client named localhost is configured by default for testing purpose. So, we will use this client for testing FreeRADIUS configuration. The default configuration of the localhost client looks like the following lines.

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Similarly, we can add other NAS devices such as a MikroTik Router, Cisco Router etc. We will discuss how to add NAS devices in the clients configuration file in the upcoming tutorials. Now we will add our test users in FreeRADIUS Server.
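The localhost client above ships with the well-known secret testing123 and does not require Message-Authenticator, which is acceptable for a loopback test client but not for a real NAS entry. The following check is an added example, not part of the original article or of freeRADIUS: it parses clients.conf-style text and flags such entries. The branch-router client, its secret and the 16-character minimum are assumptions made for illustration.

```python
import re
# Constructed sample: the article's default localhost client plus a
# hypothetical NAS entry (its name and secret are made up).
SAMPLE = """
client localhost {
    secret = testing123
    require_message_authenticator = no
    limit {
        max_connections = 16
    }
    nas_type = other
}
client branch-router {
    secret = "k3Zp9vQ2xW7mB4tR8nL1cH6y"  # constructed value
    require_message_authenticator = yes
}
"""

def parse_clients(text):
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        # Simplification: every '#' starts a comment (assumes no '#' in secrets).
        line = raw.split("#", 1)[0].strip()
        start = re.match(r"client\s+(\S+)\s*\{$", line)
        if current is None:
            if start:
                current, depth = clients.setdefault(start.group(1), {}), 1
        elif line.endswith("{"):
            depth += 1          # nested section such as limit { ... }
        elif line == "}":
            depth -= 1
            current = current if depth else None
        elif depth == 1 and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value.strip('"')
    return clients

def audit(clients, min_len=16):
    """min_len is this example's own policy, not a freeRADIUS setting."""
    findings = []
    for name, cfg in clients.items():
        secret = cfg.get("secret", "")
        if secret == "testing123":
            findings.append((name, "default secret testing123"))
        elif len(secret) < min_len:
            findings.append((name, "secret shorter than %d characters" % min_len))
        if cfg.get("require_message_authenticator") != "yes":
            findings.append((name, "Message-Authenticator not required"))
    return findings
```

To run it against a live server, pass the contents of /etc/freeradius/3.0/clients.conf to parse_clients() instead of SAMPLE.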

By default, users are authorized and authenticated from the users file in FreeRADIUS Server. So, open the users file located in this directory and add the following bob user at the top of this file. Also make sure that the second and third lines are indented by a single tab character.

# vim users
"bob" Cleartext-Password := "password"
	Framed-IP-Address = 192.168.10.10,
	Reply-Message = "Hello, %{User-Name}"

In the above user information, the first line contains the authorization and authentication information, which is the user name and password, and the remaining lines contain the AVPs (Attribute Value Pairs) that will be returned when the user is authenticated.

FreeRADIUS basic configuration has been completed. Now it is time to test the configuration. FreeRADIUS provides the radtest and radclient tools to test a user and its configuration. We will use the radclient tool to test our bob user.

So, restart the freeradius daemon, issue the following radclient command and observe its output.

# systemctl restart freeradius
# echo "User-Name=bob,User-Password=password" | /usr/bin/radclient -x 127.0.0.1:1812 auth testing123

Output

Sent Access-Request Id 10 from 0.0.0.0:60243 to 127.0.0.1:1812 length 43
        User-Name = "bob"
        User-Password = "password"
        Cleartext-Password = "password"
Received Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:60243 length 38
        Framed-IP-Address = 192.168.10.10
        Reply-Message = "Hello, bob"

The above output of the radclient command is showing how auth request is being sent to the radius server and how the response is being sent to the Radius client.
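The lengths 43 and 38 in the output above follow from the RADIUS packet layout in RFC 2865. This added example (not from the original article) rebuilds both packets and shows that the shared secret testing123 is what hides User-Password on the wire and authenticates the reply. The fixed Request Authenticator is a constructed value; real clients use 16 random bytes.

```python
import hashlib, hmac, socket, struct

SECRET = b"testing123"        # shared secret from clients.conf in the article
REQ_AUTH = bytes(range(16))   # constructed; real clients use 16 random bytes

def attr(code, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def access_request(ident, user, password, secret, req_auth):
    # Attribute 1 = User-Name, attribute 2 = User-Password (hidden)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(ident, attrs, secret, req_auth):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(packet, secret, req_auth):
    """Client side: recompute the Response Authenticator and compare."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    request = access_request(10, b"bob", b"password", SECRET, REQ_AUTH)
    reply_attrs = (attr(8, socket.inet_aton("192.168.10.10"))   # Framed-IP-Address
                   + attr(18, b"Hello, bob"))                   # Reply-Message
    accept = access_accept(10, reply_attrs, SECRET, REQ_AUTH)
    return request, accept

if __name__ == "__main__":
    request, accept = demo()
    print(len(request), len(accept))
    print(response_is_authentic(accept, SECRET, REQ_AUTH))
```

The 43 bytes are the 20-byte header, a 5-byte User-Name and an 18-byte hidden User-Password, so the Cleartext-Password line that radclient prints is not part of the packet it sends.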

So, Ubuntu RADIUS Server with freeRADIUS is now ready to accept RADIUS client (NAS) requests and send responses to the NAS. In the next article, we will learn how to add a MikroTik Router as a NAS device of the freeRADIUS Server and authenticate RouterOS system users from Ubuntu RADIUS Server.

How to install and configure freeRADIUS Server in Ubuntu Server has been discussed in this article. I hope you will now be able to install and configure freeRADIUS Server in Ubuntu Server. However, if you face any issue installing freeRADIUS Server or doing its basic configuration, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.


ABU SAYEED

I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics.
