This page covers common configuration steps for FreeRADIUS deployments. FreeRADIUS 3.2.x uses a modular configuration system located primarily in /etc/freeradius/3.0/ (Debian/Ubuntu) or /etc/raddb/ (RHEL/CentOS).
The main configuration files are organized as follows:
radiusd.conf - Main daemon configuration
clients.conf - Client definitions and shared secrets
mods-available/ - Available modules (not enabled by default)
mods-enabled/ - Enabled modules (symbolic links to mods-available)
sites-available/ - Available virtual server configurations
sites-enabled/ - Enabled virtual servers (symbolic links to sites-available)
policy.d/ - Policy definitions
proxy.conf - Proxy configuration for distributed setups

Define which devices can connect to your RADIUS server in clients.conf:
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client internal_network {
    ipaddr = 192.168.1.0/24
    secret = your_secure_shared_secret
    shortname = internal
}
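The secret testing123 is the value shipped in the stock clients.conf, and your_secure_shared_secret is a placeholder, so neither should survive into production. The following audit sketch is an added example, not part of FreeRADIUS or of the original page; the length threshold, the weak-secret list and the flat-block parsing are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the two client blocks from this page's clients.conf.
SAMPLE = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client internal_network {
    ipaddr = 192.168.1.0/24
    secret = your_secure_shared_secret
    shortname = internal
}
"""

# Assumed audit policy for this example (not FreeRADIUS settings).
KNOWN_WEAK = {"testing123", "your_secure_shared_secret"}
MIN_SECRET_LEN = 16

CLIENT_RE = re.compile(r"client[ \t]+(\S+)[ \t]*\{(.*?)\}", re.S)
ITEM_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)


def parse_clients(text):
    """Return {client: {item: value}}; flat blocks, full-line comments only."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)
    return {name: {k: v.strip('"') for k, v in ITEM_RE.findall(body)}
            for name, body in CLIENT_RE.findall(text)}


def audit(clients):
    """Return sorted (client, finding) pairs for weak or widely shared secrets."""
    findings = []
    for name, items in clients.items():
        secret = items.get("secret", "")
        if secret in KNOWN_WEAK:
            findings.append((name, "default or placeholder secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LEN))
        try:
            net = ipaddress.ip_network(items.get("ipaddr", ""), strict=False)
        except ValueError:
            continue  # hostname or missing ipaddr: no range to measure
        if net.num_addresses > 1:
            findings.append((name, "one secret covers %d addresses" % net.num_addresses))
    return sorted(findings)


if __name__ == "__main__":
    for client, finding in audit(parse_clients(SAMPLE)):
        print(client + ": " + finding)
```
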
Enable and configure authentication modules in the mods-enabled/ directory:
# Enable the default files module
ln -s /etc/freeradius/3.0/mods-available/files /etc/freeradius/3.0/mods-enabled/files
Add users to the users file:
# Reply items must be indented; an unindented line starts a new entry
testuser Cleartext-Password := "password123"
    Service-Type = Framed-User,
    Framed-Protocol = PPP
# Enable LDAP module
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
Configure in mods-enabled/ldap:
ldap {
    server = "ad.example.com"
    identity = "cn=admin,dc=example,dc=com"
    password = "admin_password"
    basedn = "dc=example,dc=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Additional LDAP-specific settings...
}
# Enable SQL module
ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/sql
Configure database connection in mods-enabled/sql:
sql {
    dialect = "mysql" # or postgresql, sqlite, etc.
    # The driver name is derived from dialect, so dialect must be set first
    driver = "rlm_sql_${dialect}"
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radius_password"
    radius_db = "radius"
}
The main authentication logic is defined in virtual servers. The default configuration is in sites-enabled/default.
For basic authentication, ensure the authorize, authenticate, and post-auth sections include your chosen modules:
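authorize {
    ...
    files
    ldap
    sql
    ...
}
authenticate {
    ...
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    ldap
    # sql is not listed here: the sql module has no authenticate method
    # and the server rejects it in this section; it belongs in authorize
    ...
}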
For enterprise WiFi authentication, configure EAP in mods-enabled/eap and reference it in your virtual server:
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    tls {
        rsa_key_exchange = yes
        dh_key_exchange = yes
        rsa_key_length = 2048
        dh_key_length = 2048
        verify_depth = 0
        ca_path = "/etc/ssl/certs/"
        pem_file_type = yes
        private_key_file = "/etc/ssl/private/server.key"
        certificate_file = "/etc/ssl/certs/server.crt"
        CA_file = "/etc/ssl/certs/ca.pem"
    }
}
FreeRADIUS supports complex conditional logic through its policy language:
if (User-Name =~ /^.*@example\.com$/) {
    update control {
        Proxy-To-Realm := "example.com"
    }
}
Configure accounting in the accounting section of your virtual server:
accounting {
    detail
    unix
    exec
    attr_filter.accounting_response
}
After making configuration changes:
Validate the configuration:
radiusd -XC
Reload the service:
sudo systemctl reload freeradius
Or restart if needed:
sudo systemctl restart freeradius
Test authentication with the radtest utility:
radtest username password localhost 0 testing123
For more complex tests, use the debug mode:
radiusd -X
/var/log/freeradius/ for authentication issues