Centralizing Authentication with FreeRADIUS
Managing unique logins across 20 different Wi-Fi Access Points and three VPN gateways is an operational nightmare. If an employee leaves on a Friday, you shouldn’t have to spend your afternoon logging into every piece of hardware to scrub their credentials. FreeRADIUS solves this. It acts as a sophisticated traffic controller, sitting between your network hardware and your central user database, such as OpenLDAP or Active Directory.
I’ve deployed this stack in environments with over 500 concurrent users. It remains one of the most stable ways to handle AAA (Authentication, Authorization, and Accounting). By following this walkthrough, you’ll build a RADIUS server that eliminates manual overhead and secures your perimeter.
Quick Start: Up and Running in 5 Minutes
I’ll be using Ubuntu 22.04 LTS for this setup, though the logic applies to Debian and RHEL-based systems as well. We’ll start by installing the core server and the essential testing suite.
sudo apt update
sudo apt install freeradius freeradius-utils -y
FreeRADIUS fires up immediately upon installation. To ensure the engine is humming, use radtest. This utility simulates a login request so you don’t have to run to a physical Access Point to test every change. The default installation includes a test user named “steve”.
# Syntax: radtest [user] [password] [radius-server] [nas-port] [secret]
radtest steve testing localhost 0 testing123
An Access-Accept response means your server is healthy. If you see Access-Reject, double-check that the service is actually running with systemctl status freeradius.
Configuring Clients and Local Users
With the service live, we need to authorize your hardware. In the RADIUS world, any device sending authentication requests—like a Cisco WLC or a Mikrotik router—is known as a “Client.”
1. Defining your Network Access Server (NAS)
Open /etc/freeradius/3.0/clients.conf. This is where you whitelist your hardware IPs and set a shared secret. Think of the shared secret as a password between the router and the server.
client office_ap {
    ipaddr    = 192.168.1.50
    # Use a strong, random string; quote it so punctuation is read literally
    secret    = "K7p$92mNx_qL2"
    shortname = office-wifi
}
The secret must be identical to the one you input into your Wi-Fi controller’s RADIUS settings, or the packets will be silently dropped.
2. Managing Local Users
Even if you plan to use LDAP, keeping a local emergency admin account is a smart move. These are managed in /etc/freeradius/3.0/users. Add your entry at the very top of the file:
"net_admin"    Cleartext-Password := "secure_pass_2024"
               Reply-Message = "Authenticated to Corporate Core"
Always restart the service to commit your changes:
sudo systemctl restart freeradius
Scaling Up: Integrating with LDAP
This is where the configuration scales. Instead of manually updating text files, we’ll link FreeRADIUS to your directory service. This allows users to use their standard domain credentials for network access.
Step 1: Install the LDAP Module
FreeRADIUS is modular. You need the specific library to communicate with LDAP servers.
sudo apt install freeradius-ldap -y
Step 2: Configure the LDAP Module
Edit /etc/freeradius/3.0/mods-available/ldap. You need to point it to your LDAP URI and provide a service account with read permissions.
ldap {
    server   = "ldaps://ldap.example.com"
    identity = "cn=radius-svc,dc=example,dc=com"
    # Quote the password so that punctuation in it is parsed literally
    password = "service_account_password"
    base_dn  = "dc=example,dc=com"
    # For ldaps:// the tls {} subsection of this module must point ca_file
    # at the CA that signed the directory server's certificate
    user {
        base_dn = "ou=users,dc=example,dc=com"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
Step 3: Enable and Link
Enable the module by creating a symbolic link to the mods-enabled directory.
sudo ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
Step 4: Update the Default Site Logic
Finally, tell FreeRADIUS to check the LDAP database during the login flow. Edit /etc/freeradius/3.0/sites-enabled/default. Add ldap to both the authorize and authenticate sections.
authorize {
    # ... other modules ...
    ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
Hardening for Production
Running RADIUS in a live environment requires more than just functional configs. Here is how to ensure it doesn’t break when you need it most.
The Power of Debug Mode
Standard logs are often too vague for complex LDAP issues. If a user can’t connect, stop the service and run it manually in debug mode.
sudo systemctl stop freeradius
sudo freeradius -X
The -X flag provides a frame-by-frame look at every packet. You can see the exact moment an LDAP lookup fails or if there is a certificate mismatch. It is the single most important tool in your kit.
Security and Resilience
- Shared Secrets: Treat these like root passwords. A compromised secret allows an attacker to spoof your RADIUS server. Aim for at least 24 characters.
- Firewalling: RADIUS uses UDP 1812 and 1813. Block these ports for everyone except your specific Access Point IPs.
- Encryption: Use ldaps://. Sending LDAP queries over plain text (port 389) exposes user passwords to anyone on your internal management VLAN.
- Redundancy: If RADIUS dies, your Wi-Fi dies. Always deploy two nodes. Most enterprise APs allow you to set a Primary and Secondary RADIUS IP for instant failover.
The sheer number of configuration files in FreeRADIUS can feel overwhelming at first. However, once you grasp the flow—from the Client to the Server and finally to the Database—it becomes a highly predictable system. It is a foundational skill for any engineer managing modern office infrastructure.