FreeRADIUS is often security-critical in VPN/Wi-Fi AAA paths and requires hardening to protect against attacks. Proper security configuration is essential since FreeRADIUS handles authentication credentials and network access decisions.
- Restrict client definitions in
clients.conf to known NAS devices only
- Use specific IP addresses rather than network ranges when possible
- Implement strong, unique shared secrets for each client
- Rotate shared secrets regularly using a schedule appropriate to your security requirements
Example secure client configuration:
client secure_nas {
ipaddr = 192.168.1.100
secret = "long-and-random-shared-secret-at-least-32-chars-long"
shortname = secure-nas-device
require_message_authenticator = yes
}
- Use cryptographically strong secrets (minimum 16 characters, ideally 32+)
- Generate secrets using secure random generators
- Never reuse secrets across different clients or environments
- Store secrets securely, especially when using configuration management tools
- Prefer EAP-TLS or EAP-TTLS/PWD over weaker methods like PAP or CHAP
- Implement proper certificate validation and chain verification
- Use strong cipher suites and disable weak cryptographic algorithms
- Configure proper certificate revocation checking (OCSP/CRL)
- Disable insecure authentication methods when not required
- Implement rate limiting to prevent brute force attacks
- Use strong password policies and account lockout mechanisms
- Limit access to RADIUS ports (1812/UDP for authentication, 1813/UDP for accounting)
- Use network segmentation to isolate RADIUS traffic
- Implement ingress filtering to prevent IP spoofing
- Use IPsec or VPN for inter-site RADIUS communication
- Encrypt backend connections (SQL, LDAP) with TLS
- Enable message authenticators for enhanced security
- Secure SQL connections with TLS encryption
- Use dedicated database accounts with minimal required privileges
- Implement connection pooling with appropriate timeouts
- Regularly audit database access logs
- Use LDAPS (LDAP over SSL/TLS) for all directory communications
- Implement proper certificate validation for directory servers
- Use dedicated service accounts with limited permissions
- Configure proper timeout values to prevent resource exhaustion
- Run FreeRADIUS in chroot environment if possible
- Implement resource limits to prevent DoS attacks
- Use process isolation techniques where available
¶ Logging and Monitoring
- Enable authentication logging
- Monitor for repeated authentication failures
- Track configuration changes and administrative actions
- Implement log rotation to prevent disk space issues
- Set up alerts for unusual authentication patterns
- Monitor for attempts to access unauthorized resources
- Track changes to client configurations and shared secrets
- Use strong certificate authorities
- Implement proper certificate lifecycle management
- Regularly update certificates before expiration
- Maintain backup certificates for emergency situations
- Store private keys separately from public certificates
- Use hardware security modules (HSMs) when available
- Implement proper key rotation procedures
¶ Regular Security Maintenance
¶ Updates and Patching
- Keep FreeRADIUS updated to the latest stable version
- Subscribe to security mailing lists for vulnerability notifications
- Test updates in staging environments before production deployment
- Maintain current system patches and security updates
- Conduct regular security reviews of configurations
- Perform penetration testing of RADIUS infrastructure
- Review access controls and authentication policies periodically
- Validate certificate chains and trust relationships
- Ensure compliance with privacy regulations (GDPR, CCPA, etc.)
- Minimize storage of sensitive authentication data
- Implement proper data retention and deletion policies
- Encrypt stored authentication logs where required