How to Install and Configure FreeRADIUS (RADIUS) on Raspberry Pi OS

How to Install and Configure FreeRADIUS (RADIUS) on Raspberry Pi OS

FreeRADIUS is an open sourced RADIUS server that can be ran on any Linux distribution. It’s exceptionally easy to set up and scales very well (handling 10k+ connections with ease). In this tutorial, the goal is to show you how to install FreeRADIUS and set it up in a way that a network device (such as a Cisco Meraki MX, or Access Point) can use it to authenticate a client with.

The steps I have are for Raspberry Pi OS, however Ubuntu and any other Debian based installations should be identical (or nearly identical).

I’ll also share a basic username and password combination configuration, and go through the freeradius directories that are relevant to be configured. FreeRADIUS can be configured for RADIUS Accounting and also have credentials from a SQL database, but this is beyond the scope of this particular blog post.

Don’t have Raspberry Pi OS set up yet? Go do it now! Installing Raspberry Pi OS 6.12 and SSHing into a Raspberry Pi

Installing FreeRADIUS and FreeRADIUS Utils

As always, start the updating/downloading of anything by running an update, and an upgrade on the system (-y will just say yes to everything that was asked for)

sudo apt update
sudo apt upgrade -y

After that, let’s install FreeRADIUS as well as FreeRADIUS Utils (which will let us perform local testing).

sudo apt install freeradius freeradius-utils -y

Configuration of FreeRADIUS files

The important files for a FreeRADIUS server on Raspberry Pi OS can be found at the following locations:

/etc/freeradius/3.0/clients.conf
/etc/freeradius/3.0/users
/var/log/freeradius/radius.log

/etc/freeradius/3.0/clients.conf lets you define IP addresses or subnets that are authorised to reach the Radius server. This will be the IPs of the device that sends the RADIUS packet, not necessarily the client device. EG: If you’re authenticating to an AP, the AP’s IP would be the IP that you authorise.

/etc/freeradius/3.0/users lets you configure username and password credentials that the client device will be authenticating with.

/var/log/freeradius/radius.log is where we’ll see logs about clients authenticating.

In /etc/freeradius/3.0/clients.conf, lets remove everything (feel free to save a copy, it helps you understand other examples of configuration) and add the client called “localhost” as a user using your favourite edit tool:

client localhost {
        ipaddr          = 127.0.0.1
        secret          = test
}

Subnets can be defined as well, with this syntax. This would allow any client from 10.66.66.0/24.

client private-network {
        ipaddr          = 10.66.66.0
        netmask         = 24
        secret          = test
}

Now, /etc/freeradius/3.0/users lets create some test credentials – these can be whatever you’d like for testing, here I’ve chosen a username of “localhost” and a password of “localtest”. Edit /etc/freeradius/3.0/users and add the following:

localhost Cleartext-Password := "localtest"

Once you’ve made both of these changes, lets restart and enable the service:

sudo systemctl restart freeradius
sudo systemctl enable freeradius

Testing FreeRADIUS server connectivity

Now that we’ve set up credentials, and enabled the service, we can now use the radtest utility of FreeRADIUS-utils to test if we would be authenticated correctly.

The syntax of radtest is as follows:

radtest <client username> <client password> <IP of radius server> <radius port> <shared secret>

Based on this, our command will be:

radtest localhost localtest 127.0.0.1 1812 test

Let’s test this locally – and we’ll see that the RADIUS server is replying, and an Access-Accept is received!

root@raspberrypi:/home/burstbytes# radtest localhost localtest 127.0.0.1 1812 test
Sent Access-Request Id 79 from 0.0.0.0:36732 to 127.0.0.1:1812 length 79
User-Name = "localhost"
User-Password = "localtest"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "localtest"
Received Access-Accept Id 79 from 127.0.0.1:1812 to 127.0.0.1:36732 length 20
root@raspberrypi:/home/burstbytes#

Conclusion

You can see that we were able to install FreeRADIUS on Raspberry Pi OS extremely quickly, and it is now ready to accept connections from 10.66.66.0/24 from the user called localhost.

I’ve used FreeRADIUS for many different Cisco Meraki RADIUS related authentications, such as Client VPN, 802.1x port authentication and Wifi access, and it always works quickly and cleanly.

Subscribe to my Blog!

Get notified whenever I post something new. No spam, and it helps a lot!

Julian Burst Avatar

Leave a Reply

Your email address will not be published. Required fields are marked *