FreeRADIUS can integrate with Active Directory and Novell eDirectory for identity management, and is a good option if Internet Authentication Service (IAS), found in Windows Server 2003, or Network Policy Server (NPS), found in Windows Server 2008, is not good enough for you.
FreeRADIUS is a modular, high-performance and highly customizable open source RADIUS server. Anyone can use FreeRADIUS free of charge and customize the RADIUS server to their organizational requirements. In my previous article, I discussed how to install and configure the User Manager RADIUS server developed by MikroTik. The main disadvantage of the User Manager RADIUS server is that it is not customizable and not suitable for a medium or large organization. FreeRADIUS, on the other hand, lets you customize your RADIUS server to your organization's requirements, but you have to do that customization yourself. So, in this article I will show how to install and configure a FreeRADIUS server on CentOS 7, and in my next few articles I will show how to connect the FreeRADIUS server to a MikroTik router and manage MikroTik PPP and Hotspot users with it.
FreeRADIUS Server Installation on CentOS 7
We will now install FreeRADIUS on a CentOS 7 Linux server from the YUM repository. So, before starting the FreeRADIUS installation, you should have CentOS 7 ready and able to reach the CentOS YUM repository. In my previous articles, I discussed how to install CentOS 7 and how to configure CentOS 7 networking from the very beginning. If you are new to the CentOS Linux distribution, feel free to visit those articles and get your CentOS 7 ready to install the FreeRADIUS server. The next section assumes that your CentOS 7 server is ready to install the FreeRADIUS suite from the YUM repository.
Before starting the FreeRADIUS installation, we will first check the FreeRADIUS packages available in the CentOS YUM repository. For this, issue the following command from your CentOS 7 command prompt with root privileges.
[root@freeradius ~]# yum search freeradius
Loaded plugins: fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
* base: mirror.dhakacom.com
* epel: mirror.xeonbd.com
* extras: mirror.dhakacom.com
* updates: mirror.dhakacom.com
N/S matched: freeradius
freeradius-devel.i686 : FreeRADIUS development files
freeradius-devel.x86_64 : FreeRADIUS development files
freeradius-doc.x86_64 : FreeRADIUS documentation
freeradius-krb5.x86_64 : Kerberos 5 support for freeradius
freeradius-ldap.x86_64 : LDAP support for freeradius
freeradius-mysql.x86_64 : MySQL support for freeradius
freeradius-perl.x86_64 : Perl support for freeradius
freeradius-postgresql.x86_64 : Postgresql support for freeradius
freeradius-python.x86_64 : Python support for freeradius
freeradius-sqlite.x86_64 : SQLite support for freeradius
freeradius-unixODBC.x86_64 : Unix ODBC support for freeradius
freeradius-utils.x86_64 : FreeRADIUS utilities
freeradius.x86_64 : High-performance and highly configurable free RADIUS server
radcli-compat-devel.x86_64 : Development files for compatibility with radiusclient-ng and freeradius-client
The search command shows the available packages that can be installed, as in the above output. Among the listed packages, we will install only the freeradius, freeradius-utils, freeradius-mysql and freeradius-perl packages. So, issue the following command from your CentOS command prompt to install these packages.
[root@freeradius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl -y
Within a few moments, the FreeRADIUS packages will be installed and you will get an installation complete message. To verify the installation, issue the following command, which lists the installed FreeRADIUS packages.
[root@freeradius ~]# rpm -qa | grep freeradius
freeradius-utils-3.0.13-9.el7_5.x86_64
freeradius-perl-3.0.13-9.el7_5.x86_64
freeradius-3.0.13-9.el7_5.x86_64
freeradius-mysql-3.0.13-9.el7_5.x86_64
If you get the above output, the FreeRADIUS suite and the required packages have been installed successfully. The output also tells you that you are using FreeRADIUS version 3. Now we will check whether our FreeRADIUS server is working with the following command.
[root@freeradius ~]# radiusd -X
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 47697
Listening on proxy address :: port 60842
Ready to process requests
If you get the above output, your FreeRADIUS server is ready to accept RADIUS client requests and reply to them. Note that radiusd -X runs the server in the foreground in debug mode; stop it with Ctrl+C before starting the radiusd service, otherwise the service cannot bind to the same ports.
Before starting the configuration, we will now check whether our RADIUS server is running with the following command, where radiusd is the FreeRADIUS daemon in the CentOS Linux distribution.
[root@freeradius ~]# systemctl status radiusd
If you find that your RADIUS daemon (radiusd) is not running, issue the following command to start it.
Now you will find that your RADIUS server is running if you issue the status command again. Also issue the following command so that the RADIUS daemon starts at system boot.
[root@freeradius ~]# systemctl enable radiusd
Whenever you update your RADIUS configuration, you have to restart the RADIUS daemon, otherwise the configuration will not be applied. To restart or reload your configuration, issue the following command from your CentOS 7 command prompt.
The RADIUS server listens for authentication requests on UDP port 1812 and for accounting requests on UDP port 1813, so you have to allow these ports through the CentOS 7 firewall. To allow these ports, issue the following commands from your CentOS 7 command prompt.
[root@freeradius ~]# firewall-cmd --zone=public --add-port=1812/udp
[root@freeradius ~]# firewall-cmd --zone=public --add-port=1813/udp
To make this configuration permanent, issue the following commands.
[root@freeradius ~]# firewall-cmd --zone=public --permanent --add-port=1812/udp
[root@freeradius ~]# firewall-cmd --zone=public --permanent --add-port=1813/udp
Here, it is assumed that your active firewall zone is public. If you use another zone as your active firewall zone, change the zone name accordingly.
If you do not wish to add the ports manually, you can add the radius service, which allows these ports for you. Issue the following commands to allow the radius service in your active firewall zone.
[root@freeradius ~]# firewall-cmd --zone=public --add-service=radius
[root@freeradius ~]# firewall-cmd --zone=public --permanent --add-service=radius
Choose whichever of these two firewall methods suits you.
FreeRADIUS Server Basic Configuration
After a successful FreeRADIUS installation, we will now do a basic configuration in which localhost is defined as a NAS device (RADIUS client) and bob is defined as a test user. After we have defined the client and the test user, we will use the radtest program to play the role of a RADIUS client and test the authentication of bob.
FreeRADIUS is set up by editing configuration files. The default location of the FreeRADIUS configuration files on CentOS 7 is /etc/raddb. So, go to this directory and issue the ls command to view the available configuration files and directories.
[root@freeradius raddb]# cd /etc/raddb
[root@freeradius raddb]# ls
For the basic configuration, the important files are clients.conf, where RADIUS clients are defined, and users, where RADIUS users are defined. The following instructions show how to define a RADIUS client and a RADIUS user in these two files.
- Ensure that your working directory is /etc/raddb.
- FreeRADIUS includes a default client called localhost. This client can be used by RADIUS client programs on the localhost to help with troubleshooting and testing. Open the clients.conf file with the vim editor (vim clients.conf) and confirm that the following entry exists in clients.conf:
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
	require_message_authenticator = no
	nas_type = other
}
- Define bob as a FreeRADIUS test user. Open the users file with the vim editor (vim users) and add the following lines at the top of the users file. Make sure that the second and third lines are indented by a single tab character.
"bob" Cleartext-Password := "password"
	Framed-IP-Address = 192.168.10.10,
	Reply-Message = "Hello, %{User-Name}"
- Reload the FreeRADIUS server with the restart command.
- Authenticate the bob user using the following radtest command, where bob is the test user and password is the password of bob defined in the users file. 127.0.0.1 (localhost) is the IP address of the NAS device, 100 is the NAS port and testing123 is the NAS password (shared secret) defined in clients.conf.
[root@freeradius raddb]# radtest bob password 127.0.0.1 100 testing123
Sent Access-Request Id 118 from 0.0.0.0:52494 to 127.0.0.1:1812 length 75
	User-Name = "bob"
	User-Password = "password"
	NAS-IP-Address = 192.168.40.10
	NAS-Port = 100
	Message-Authenticator = 0x00
	Cleartext-Password = "password"
Received Access-Accept Id 118 from 127.0.0.1:1812 to 0.0.0.0:0 length 40
	Framed-IP-Address = 192.168.10.10
	Reply-Message = "Hello, bob"
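To make the layout of that users entry concrete, here is a small Python reader for it. This is an added example, not FreeRADIUS's rlm_files module: it models only what the entry above shows (the first, unindented line names the user and carries check items; the following tab-indented lines are reply items, with a trailing comma continuing the list; %{User-Name} is expanded from the request) and Cleartext-Password is the only check item it knows how to evaluate. The file text inside the block is a constructed copy of the entry added above. The format also makes one thing plain: Cleartext-Password keeps the password in the clear on disk, so the users file should stay readable only by root and the account radiusd runs as.

```python
"""Reader for the FreeRADIUS 'users' entry layout shown above. Added example, not
FreeRADIUS's rlm_files: it models only what the entry shows (unindented line = user
name plus check items; indented lines = reply items; a trailing comma continues the
list; %{User-Name} expands from the request). DEFAULT entries and operators other
than := and == on check items are not modelled; the file text is a constructed copy."""
import re

USERS_FILE = '"bob" Cleartext-Password := "password"\n' \
             '\tFramed-IP-Address = 192.168.10.10,\n' \
             '\tReply-Message = "Hello, %{User-Name}"\n'

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+)')

def _split_items(text):
    """Split on commas that are not inside double quotes (Reply-Message contains one)."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]

def _parse_items(text):
    """'A := "x", B = y' -> [("A", ":=", "x"), ("B", "=", "y")]."""
    items = []
    for part in _split_items(text):
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"cannot parse item {part!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items

def parse_users(text):
    """Return {username: (check_items, reply_items)}; indentation decides which list a line feeds."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                       # indented: reply item(s) for the current user
            if current is None:
                raise ValueError("reply item before any user line")
            entries[current][1].extend(_parse_items(line))
        else:                                      # new entry: name, then check items
            fields = line.split(None, 1)
            current = fields[0].strip('"')
            entries[current] = (_parse_items(fields[1] if len(fields) > 1 else ""), [])
    return entries

def authenticate(entries, username, password):
    """Return the expanded reply items if the user exists and the password check passes, else None.
    Only Cleartext-Password is evaluated here; any other check item would need its own logic."""
    if username not in entries:
        return None
    checks, replies = entries[username]
    for attr, op, value in checks:
        if attr == "Cleartext-Password" and op in (":=", "==") and value != password:
            return None
    return {attr: value.replace("%{User-Name}", username) for attr, _, value in replies}

if __name__ == "__main__":
    print(authenticate(parse_users(USERS_FILE), "bob", "password"))
```

Running it returns the two reply items with %{User-Name} replaced by bob, which is exactly what radtest prints back as Framed-IP-Address and Reply-Message; a wrong password or an unknown user yields None, the toy equivalent of an Access-Reject.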
radtest shows the response of the FreeRADIUS server like the above output. That means your FreeRADIUS server is ready to accept requests from RADIUS clients and users. In my next article, I will show how to add a MikroTik router as a RADIUS client of your FreeRADIUS server and how to authenticate MikroTik login users against RADIUS users.
If you have any confusion following the above steps, watch the video about FreeRADIUS installation and configuration on CentOS 7. I hope it will reduce your confusion.
How to install and configure a FreeRADIUS server on CentOS 7 has been discussed in this article. I hope you are now able to install and configure a FreeRADIUS server without any confusion by following the above steps. However, if you face any confusion, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to help you.
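The radtest exchange above, redone in Python as an added example (not code from FreeRADIUS or radtest), shows what the shared secret actually protects: the User-Password attribute is hidden by XOR with MD5(secret + Request Authenticator) chained block by block (RFC 2865), the Message-Authenticator is an HMAC-MD5 over the whole request keyed with the secret (RFC 3579), and the Access-Accept carries a Response Authenticator that the client checks before trusting the reply. Both sides run in one process and nothing is sent on the network; bob, password, testing123, 192.168.40.10, 192.168.10.10 and the identifier 118 are the page's values, but the packet lengths will not match radtest's byte for byte. The verify_message_authenticator check is the one that require_message_authenticator = yes would force for a client; localhost above has it set to no, which is fine for radtest but weaker for a real NAS.

```python
"""The radtest exchange above as RFC 2865/3579 packet handling. Added example, not
FreeRADIUS or radtest code: client and server both run in this process, the user,
password, secret and addresses are the page's values, identifier 118 is radtest's."""
import hashlib
import hmac
import os
import socket
import struct

SECRET = b"testing123"                       # shared secret from clients.conf
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FRAMED_IP_ADDRESS, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 8, 18, 80

def avp(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block);
    the chain starts from the Request Authenticator, so each request hides differently."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password(); the chain runs over the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(packet):
    """Yield (type, offset_of_value, value) for every attribute after the 20-byte header."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, i + 2, packet[i + 2:i + length]
        i += length

def build_access_request(username, password, nas_ip, nas_port, secret, ident, request_auth):
    """Client: the attributes radtest printed, with Message-Authenticator filled in last."""
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))    # zero placeholder, as radtest shows
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 3579 3.2: HMAC-MD5 keyed with the secret over the packet with the MAC zeroed
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """Server: True only if Message-Authenticator is present and correct. This is the check
    require_message_authenticator = yes forces; with 'no' a request lacking it is still processed."""
    for attr_type, off, value in parse_attrs(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def build_access_accept(request, secret, reply_attrs):
    """Server: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(reply_attrs))
    return head + hashlib.md5(head + request[4:20] + reply_attrs + secret).digest() + reply_attrs

def verify_response(request, response, secret):
    """Client: trust a reply only if its ID matches and its authenticator was made with the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def exchange(username=b"bob", password=b"password", ident=118):
    """Run client and server in-process and return what the client learned from the reply."""
    request = build_access_request(username, password, "192.168.40.10", 100, SECRET, ident, os.urandom(16))
    # server: integrity check, then compare the revealed password with bob's users entry
    attrs = {t: v for t, _, v in parse_attrs(request)}
    revealed = reveal_password(attrs[USER_PASSWORD], SECRET, request[4:20])
    granted = (verify_message_authenticator(request, SECRET)
               and attrs[USER_NAME] == b"bob" and revealed == b"password")
    reply = (avp(FRAMED_IP_ADDRESS, socket.inet_aton("192.168.10.10"))
             + avp(REPLY_MESSAGE, b"Hello, " + attrs[USER_NAME]))      # %{User-Name} expanded
    response = build_access_accept(request, SECRET, reply) if granted else None
    # client: a reply forged without the secret fails verify_response()
    if response is None or not verify_response(request, response, SECRET):
        return {"accepted": False}
    reply_attrs = {t: v for t, _, v in parse_attrs(response)}
    return {"accepted": True,
            "framed_ip": socket.inet_ntoa(reply_attrs[FRAMED_IP_ADDRESS]),
            "reply_message": reply_attrs[REPLY_MESSAGE].decode()}

if __name__ == "__main__":
    print(exchange())
```

Two details are worth noticing when reading it. The Request Authenticator is fresh random data per request, so the hidden User-Password differs each time even for the same user, and a client that reuses it weakens the scheme. And every check here is MD5-based and keyed only by the shared secret, which is why the secret should be long and random and why a NAS that supports Message-Authenticator should be required to send it.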
Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016
You can use this topic to configure network access servers as RADIUS Clients in NPS.
When you add a new network access server (VPN server, wireless access point, authenticating switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS, and then configure the RADIUS client to communicate with the NPS.
Important
Client computers and devices, such as laptop computers, tablets, phones, and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers - such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers - because they use the RADIUS protocol to communicate with RADIUS servers, such as Network Policy Server (NPS) servers.
This step is also necessary when your NPS is a member of a remote RADIUS server group that is configured on an NPS proxy. In this circumstance, in addition to performing the steps in this task on the NPS proxy, you must do the following:
- On the NPS proxy, configure a remote RADIUS server group that contains the NPS.
- On the remote NPS, configure the NPS proxy as a RADIUS client.
To perform the procedures in this topic, you must have at least one network access server (VPN server, wireless access point, authenticating switch, or dial-up server) or NPS proxy physically installed on your network.
Configure the Network Access Server
Use this procedure to configure network access servers for use with NPS. When you deploy network access servers (NASs) as RADIUS clients, you must configure the clients to communicate with the NPSs where the NASs are configured as clients.
This procedure provides general guidelines about the settings you should use to configure your NASs; for specific instructions on how to configure the device you are deploying on your network, see your NAS product documentation.
To configure the network access server
- On the NAS, in RADIUS settings, select RADIUS authentication on User Datagram Protocol (UDP) port 1812 and RADIUS accounting on UDP port 1813.
- In Authentication server or RADIUS server, specify your NPS by IP address or fully qualified domain name (FQDN), depending on the requirements of the NAS.
- In Secret or Shared secret, type a strong password. When you configure the NAS as a RADIUS client in NPS, you will use the same password, so do not forget it.
- If you are using PEAP or EAP as an authentication method, configure the NAS to use EAP authentication.
- If you are configuring a wireless access point, in SSID, specify a Service Set Identifier (SSID), which is an alphanumeric string that serves as the network name. This name is broadcast by access points to wireless clients and is visible to users at your wireless fidelity (Wi-Fi) hotspots.
- If you are configuring a wireless access point, in 802.1X and WPA, enable IEEE 802.1X authentication if you want to deploy PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS.
Add the Network Access Server as a RADIUS Client in NPS
Use this procedure to add a network access server as a RADIUS client in NPS. You can use this procedure to configure a NAS as a RADIUS client by using the NPS console.
To complete this procedure, you must be a member of the Administrators group.
To add a network access server as a RADIUS client in NPS
- On the NPS, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.
- In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
- In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
- In New RADIUS Client, in Friendly name, type a display name for the NAS. In Address (IP or DNS), type the NAS IP address or fully qualified domain name (FQDN). If you enter the FQDN, click Verify if you want to verify that the name is correct and maps to a valid IP address.
- In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
- In New RADIUS Client, in Shared secret, do one of the following:
  - Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
  - Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NAS so that it can communicate with the NPS.
- In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
- Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS.
Configure RADIUS Clients by IP Address Range in Windows Server 2016 Datacenter
If you are running Windows Server 2016 Datacenter, you can configure RADIUS clients in NPS by IP address range. This allows you to add a large number of RADIUS clients (such as wireless access points) to the NPS console at one time, rather than adding each RADIUS client individually.
You cannot configure RADIUS clients by IP address range if you are running NPS on Windows Server 2016 Standard.
Use this procedure to add a group of network access servers (NASs) as RADIUS clients that are all configured with IP addresses from the same IP address range.
All of the RADIUS clients in the range must use the same configuration and shared secret.
To complete this procedure, you must be a member of the Administrators group.
To set up RADIUS clients by IP address range
- On the NPS, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.
- In the NPS console, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client.
- In New RADIUS Client, in Friendly name, type a display name for the collection of NASs.
- In Address (IP or DNS), type the IP address range for the RADIUS clients by using Classless Inter-Domain Routing (CIDR) notation. For example, if the IP address range for the NASs is 10.10.0.0, type 10.10.0.0/16.
- In New RADIUS Client, in Vendor, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
- In New RADIUS Client, in Shared secret, do one of the following:
  - Ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
  - Select Generate, and then click Generate to automatically generate a shared secret. Save the generated shared secret for configuration on the NAS so that it can communicate with the NPS.
- In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if all of your NASs support use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute.
- Click OK. Your NASs appear in the list of RADIUS clients configured on the NPS.
For more information, see RADIUS Clients.
For more information about NPS, see Network Policy Server (NPS).