This guide installs FreeRADIUS 3.2.x and applies a baseline server configuration using Ansible. FreeRADIUS 3.2.x is the currently recommended stable release for production environments.
---
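- name: Install FreeRADIUS on Debian family
  hosts: freeradius_debian
  become: true
  vars:
    radius_client_ip: "192.0.2.20"
    # Placeholder only. Override it from an Ansible Vault variable; the
    # pre-flight check below refuses to deploy this well-known value.
    radius_client_secret: "change-me-radius-secret"
    freeradius_version: "3.2.x"  # Informational; not used to build paths
    # Debian/Ubuntu packages keep the 3.x configuration under 3.0/, as the
    # LDAP example in this guide also assumes.
    freeradius_conf_dir: /etc/freeradius/3.0
  handlers:
    - name: Restart FreeRADIUS
      ansible.builtin.systemd:
        name: freeradius
        state: restarted
  tasks:
    - name: Refuse to deploy the placeholder shared secret
      ansible.builtin.assert:
        that:
          - radius_client_secret != 'change-me-radius-secret'
        fail_msg: >-
          radius_client_secret still has the placeholder value; supply a
          unique secret from Ansible Vault before running this play.
        quiet: true

    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
      register: apt_update_result
      retries: 3
      until: apt_update_result is succeeded

    - name: Install FreeRADIUS packages
      ansible.builtin.apt:
        name:
          - freeradius
          - freeradius-utils
          - freeradius-common
        state: present
        update_cache: false

    - name: Configure authorized RADIUS client
      ansible.builtin.blockinfile:
        path: "{{ freeradius_conf_dir }}/clients.conf"
        marker: "# {mark} ANSIBLE MANAGED CLIENT"
        block: |
          client ansible-client {
              ipaddr = {{ radius_client_ip }}
              secret = {{ radius_client_secret }}
              shortname = ansible-client
          }
        create: true
        # clients.conf holds shared secrets: keep it unreadable to others.
        owner: freerad
        group: freerad
        mode: '0640'
      # Keep the shared secret out of task output, diffs and logs.
      no_log: true
      # The package starts the service on install, so "state: started"
      # alone would never load a new or changed client definition.
      notify: Restart FreeRADIUS

    - name: Validate FreeRADIUS configuration
      # Debian ships the daemon binary as "freeradius", not "radiusd".
      ansible.builtin.command: freeradius -XC
      changed_when: false
      register: config_check
      failed_when: config_check.rc != 0

    # Restart only after validation passed; a failed check stops the play
    # first and leaves the running server on its previous configuration.
    - name: Apply pending restart after successful validation
      ansible.builtin.meta: flush_handlers

    - name: Enable and start FreeRADIUS
      ansible.builtin.systemd:
        name: freeradius
        enabled: true
        state: started
        daemon_reload: true

    - name: Check FreeRADIUS service status
      ansible.builtin.systemd:
        name: freeradius
        state: started
      register: service_status

    - name: Display service status
      ansible.builtin.debug:
        msg: "FreeRADIUS service is running on {{ inventory_hostname }}"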
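- name: Install FreeRADIUS on RHEL family
  hosts: freeradius_rhel
  become: true
  vars:
    radius_client_ip: "192.0.2.20"
    # Placeholder only. Override it from an Ansible Vault variable; the
    # pre-flight check below refuses to deploy this well-known value.
    radius_client_secret: "change-me-radius-secret"
    freeradius_version: "3.2.x"  # Informational; not used to build paths
  handlers:
    - name: Restart FreeRADIUS
      ansible.builtin.systemd:
        name: radiusd
        state: restarted
  tasks:
    - name: Refuse to deploy the placeholder shared secret
      ansible.builtin.assert:
        that:
          - radius_client_secret != 'change-me-radius-secret'
        fail_msg: >-
          radius_client_secret still has the placeholder value; supply a
          unique secret from Ansible Vault before running this play.
        quiet: true

    - name: Install FreeRADIUS packages
      ansible.builtin.dnf:
        name:
          - freeradius
          - freeradius-utils
        state: present

    - name: Configure authorized RADIUS client
      ansible.builtin.blockinfile:
        path: /etc/raddb/clients.conf
        marker: "# {mark} ANSIBLE MANAGED CLIENT"
        block: |
          client ansible-client {
              ipaddr = {{ radius_client_ip }}
              secret = {{ radius_client_secret }}
              shortname = ansible-client
          }
        create: true
        # clients.conf holds shared secrets: readable by the daemon's
        # group only, never by other local users.
        owner: root
        group: radiusd
        mode: '0640'
      # Keep the shared secret out of task output, diffs and logs.
      no_log: true
      # "state: started" is a no-op on a running server, so a changed
      # client definition needs an explicit restart to take effect.
      notify: Restart FreeRADIUS

    - name: Validate FreeRADIUS configuration
      ansible.builtin.command: radiusd -XC
      changed_when: false
      register: config_check
      failed_when: config_check.rc != 0

    # Restart only after validation passed; a failed check stops the play
    # first and leaves the running server on its previous configuration.
    - name: Apply pending restart after successful validation
      ansible.builtin.meta: flush_handlers

    - name: Enable and start FreeRADIUS
      ansible.builtin.systemd:
        name: radiusd
        enabled: true
        state: started
        daemon_reload: true

    - name: Check FreeRADIUS service status
      ansible.builtin.systemd:
        name: radiusd
        state: started
      register: service_status

    - name: Display service status
      ansible.builtin.debug:
        msg: "FreeRADIUS service is running on {{ inventory_hostname }}"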
For production environments, you may want to configure authentication modules:
---
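# The paths (/etc/freeradius/3.0) and the freerad account used below are
# Debian-family conventions; hosts in freeradius_ldap are assumed to match.
- name: Install and configure FreeRADIUS with LDAP backend
  hosts: freeradius_ldap
  become: true
  vars:
    ldap_server: "ldap.example.com"
    # NOTE(review): prefer a dedicated read-only bind account over an
    # administrative DN; the RADIUS server only needs to search and read.
    ldap_bind_dn: "cn=admin,dc=example,dc=com"
    ldap_bind_password: "{{ vault_ldap_bind_password }}"
    radius_client_ip: "192.0.2.20"
    radius_client_secret: "{{ vault_radius_client_secret }}"
  tasks:
    - name: Install FreeRADIUS packages
      ansible.builtin.package:
        name:
          - freeradius
          - freeradius-utils
          - freeradius-ldap  # Install LDAP module if separate package
        state: present

    # Render into mods-available and link it afterwards. Templating onto
    # the mods-enabled symlink replaces the link with a regular file, and
    # the link task then fails on the next run.
    # NOTE(review): ldap_config.j2 is not shown here; confirm it enables
    # TLS (ldaps:// or StartTLS) so the bind password and user credentials
    # are not sent to the directory in clear text.
    - name: Configure LDAP module
      ansible.builtin.template:
        src: ldap_config.j2
        dest: /etc/freeradius/3.0/mods-available/ldap
        mode: '0640'
        owner: freerad
        group: freerad
      # The rendered file contains the LDAP bind password.
      no_log: true

    - name: Enable LDAP module
      ansible.builtin.file:
        src: /etc/freeradius/3.0/mods-available/ldap
        dest: /etc/freeradius/3.0/mods-enabled/ldap
        state: link

    - name: Configure RADIUS clients
      ansible.builtin.blockinfile:
        path: /etc/freeradius/3.0/clients.conf
        marker: "# {mark} ANSIBLE MANAGED CLIENT"
        block: |
          client nas-device {
              ipaddr = {{ radius_client_ip }}
              secret = {{ radius_client_secret }}
              shortname = nas-device
          }
        # clients.conf holds shared secrets: keep it unreadable to others.
        mode: '0640'
      # Keep the shared secret out of task output, diffs and logs.
      no_log: true

    - name: Validate configuration
      # Debian ships the daemon binary as "freeradius", not "radiusd".
      # A non-zero exit stops the play before the restart below.
      ansible.builtin.command: freeradius -XC
      changed_when: false

    - name: Restart FreeRADIUS service
      ansible.builtin.systemd:
        name: freeradius
        state: restarted
        enabled: true
        daemon_reload: true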
# Runs the playbook against the hosts in inventory.ini. When the play reads
# vault-encrypted variables, add --ask-vault-pass or --vault-password-file.
ansible-playbook -i inventory.ini freeradius-install.yml
Store sensitive information in Ansible Vault:
# Create encrypted variables file (prompts for a vault password; keep that
# password out of the repository and out of shell history)
ansible-vault create group_vars/freeradius/vault.yml
Example vault file (group_vars/freeradius/vault.yml):
# Placeholder values: replace each with a unique, randomly generated secret.
# This file must only ever be stored in its ansible-vault encrypted form.
vault_radius_client_secret: "your-very-secure-radius-secret-here"
vault_ldap_bind_password: "your-ldap-bind-password-here"
Reference vault variables in your playbook:
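vars:
  # Resolved at run time from the encrypted vault file, so the secret itself
  # never appears in the playbook or in version control.
  radius_client_secret: "{{ vault_radius_client_secret }}"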
freeradius_debian group.
radiusd -XC before starting the service