In this article, we take a look at the top 32 best free open source RADIUS servers solutions available for Linux, Windows, Unix and other platforms.
Are you looking for a Remote Authentication Dial-In User Service (RADIUS) server to authenticate users for network access, authorize how much network access they are allowed, and account for all their activity on the network (Authentication, Authorization, and Accounting – AAA)? An AWS RADIUS server goes beyond your wired infrastructure, to your wireless clients giving them access to your network with their existing identities.
RADIUS Server applications are available with various features and at different price ranges. However, there are a number of open source alternatives that can be easily integrated into your system. You can benefit from the high-quality software, tech support, simple license management, and more services – all at a cost-effective price.
Take a look at top 32 best open source and free RADIUS servers solutions and find the best one for your needs.
Best Open Source RADIUS Servers for Linux / Windows in 2023
One of the leading open source RADIUS servers, FreeRadius is available on Linux, Unix, and Windows. Other than the RADIUS Server, FreeRadius includes a BSD licensed client library, Apache module, and a PAM library. Supposed to be the world’s most widely deployed RADIUS server, it is used by more than 50 thousand sites and can support organizations ranging in size from 10 users to over a million users. FreeRADIUS can be configured independently for each of the server IP address, client IP address, home server pool, and inner TLS tunnels.
LDAP-RADIUS, as the name suggests, is a lightweight open source RADIUS server which uses Lightweight Directory Access Protocol (LDAP) as its authentication source. Written in Go, LDAP, through the use of Transport Layer Security (TLS), can encrypt user sessions between the client and server. LDAP allows for both centralized authentication services and single sign-on services in the network, though it lacks built-in tools for accounting. It runs on Windows, MacOS and Linux.
It’s quite heavily rewritten fork of another Go RADIUS library
Significant changes are:
- Encoding/Decoding of attribute 26 (Vendor-Specific)
- RFC2866 & RFC2869 (Accounting)
- Request throttling (maximum requests per second) support
- Supports limiting the number of requests in processing queue
- Multiple RADIUS Secrets based on packet’s source IP with a fallback default
- Request/Response packet replication (useful for logging, IDS etc)
- Configurable UDP buffer size
- Lots of vendor-specific (Cisco, Juniper, Mikrotik) functions and constants
- Support for generating CoA/Disconnect-Message packets
5. OpenWISP RADIUS
OpenWISP RADIUS provides a web interface to a freeradius database (FreeRADIUS GUI), a rich REST HTTP API and features like user self registration, SMS verification, import of users from CSV files, generation of new users for events, social login, and much more.
It can be used as a standalone application or integrated with the rest of OpenWISP. It can also be used as a base system or framework on top of which custom tailored solutions can be built.
TOUGHRADIUS has all the functionalities of a standard RADIUS protocol and provides a complete AAA implementation. The other features include flexible policy management, billing policy support and supporting all major access devices. Built on Java, TOUGHRADIUS comes with a high-performance RADIUS processing engine and a simple and easy-to-use web management interface. It supports platforms like Linux, Windows, and MacOS.
Redeveloped from version 6.x onwards, based on the Java language. A high-performance RADIUS processing engine is provided, along with a simple and easy-to-use web management interface that is easy to use.
TOUGHRADIUS is similar in functionality to freeRADIUS, but it is simpler to use and easier to develop by extension. Supports standard RADIUS protocol (RFC 2865, RFC 2866) and provides a complete AAA implementation
RADIUS-rs. An async/await native implementation of the RADIUS server, RADIUS-rs is available on Windows and Linus and is built on Java. It can be used for decoding/encoding purposes as a RADIUS library. The RADIUS-rs uses tokio to support asynchronous operations natively. It supports the database server MySQL/MariaDB.
An async/await native implementation of the RADIUS server and client for Rust.
How mod_auth_radius works
- The browser requests a page: http://www.example.com/index.html
- Apache notes that the directory is access controlled, and sends a “Authorization Required“.
- The browser asks for a username & password, which it then sends to Apache, along with a request for the page again.
- Apache calls mod_auth_radius, which notes that there is no RADIUS cookie in the request.
- mod_auth_radius packages up the username/password into a RADIUS request, and sends it to the RADIUS server.
- The RADIUS server does its magic, and decides yes/no for authentication.
- If no, mod_auth_radius returns DENIED.
- If yes, mod_auth_radius returns a cookie containing MD5’d public+private information.
- The web browser uses this cookie on all subsequent requests, and mod_auth_radius verifies the cookie is valid, and doesn’t contact the RADIUS server again.
9. Pyrad - RADIUS for Python
Implemented RFCs in RADIUSd:
- auth https://tools.ietf.org/html/rfc2865
- acct https://tools.ietf.org/html/rfc2866
- CHAP https://tools.ietf.org/html/rfc1994
- MSCHAP1+2 http://freeradius.org/rfc/rfc2548.html
- MSCHAP1 https://tools.ietf.org/html/rfc2433
- MSCHAP2 https://tools.ietf.org/html/rfc2759
- MPPE (RC4 encryption) https://www.ietf.org/rfc/rfc3079.txt
OpenRADIUS is a RADIUS server that links your network access devices to your user, service profil-, and usage databases.
OpenRADIUS has a powerful external module interface that uses pre-spawned subprocesses and pipes for communication, allowing you to implement modules in any language that supports Unix pipe I/O. Its behaviour is fully configurable, using a simple built-in language that gives you full control over the request and reply list.
It includes versatile LDAP and SQL modules, a full featured RADIUS client, and a fully functional example configuration for metered pre-paid accounts.
- Ability to get shared secrets, authentication information, policies and user profiles from any available external data source.
- Support for password databases, including NIS/NIS+, Livingston-style ASCII files, LDAP directories and SQL databases out of the box.
- Fully customizeable authentication schemes and security policies, using a built-in business rule language.
- Simple, scalable and fully documented module interface. Modules may supply data such as user information, and may also store data such as logging and accounting.
- Modules can be written in any language that supports ASCII or binary Unix pipe I/O.
- The interface allows multiple module subprocesses to be started for each data source, allowing modules to be single-threaded while retaining support for multiple concurrent requests to the same data source.
- Flexible dictionary that can be made to support any type of non-standard vendor-specific attribute, including multiple attributes inside the same VSA, non-standard attribute IDs or length fields, subfields, and much more.
- Binds to a single or multiple IP addresses/network cards, and listen on multiple ports.
13. Windows NPS Server (Network Policy Server)
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization. You can also configure NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a remote NPS or other RADIUS server so that you can load balance connection requests and forward them to the correct domain for authentication and authorization.
NPS allows you to centrally configure and manage network access authentication, authorization, and accounting with the following features:
- RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.
Deploy Windows NPS Server in the Cloud
This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests. You will need to supply your own RADIUS server to perform the actual authentication. Use to enable two factor authentication (MFA) for your WIFI/VPN clients.
15. Gluu RADIUS Server
Gluu ships with a very small Radius Server. It’s not meant for high performance requirements. For scale and concurrency. But if you just have some ad hoc Unix logins, and you want to use Super Gluu for authentication, this little Radius server can get the job done for you!
16. Dapphp Radius
Dapphp\Radius is a pure PHP RADIUS client for authenticating users against a RADIUS server in PHP. It currently supports basic RADIUS auth using PAP, CHAP (MD5), MSCHAP v1, and EAP-MSCHAP v2. The current 2.5.x branch is tested to work with the following RADIUS servers:
- Microsoft Windows Server 2019 Network Policy Server
- Microsoft Windows Server 2016 Network Policy Server
- Microsoft Windows Server 2012 Network Policy Server
- FreeRADIUS 2 and above
PAP authentication has been tested on:
- Microsoft Radius server IAS
- Mideye RADIUS Server
- RSA SecurID
- VASCO Middleware 3.0 server
- ZyXEL ZyWALL OTP
The PHP openssl extension is required if using MSCHAP v1 or v2. For older PHP versions that have mcrypt without openssl support, then mcrypt is used.
The stack handles receiving UDP packets on sockets, silently discarding packets with invalid RADIUS Code or Length, starting a process to handle the transaction and calling the stack user’s defined handler. The transaction handler then responds directly to retransmitted requests without calling the user’s handler again.
TinyRadius is a fast and reliable Radius library capable of sending and receiving Radius packets. Built in Java, TinyRadius helps to implement Radius services in applications.
TinyRadius is a simple, small and fast Java Radius library capable of sending and receiving Radius packets of all types. It is released under the terms of the LGPL.
What can you do with TinyRadius
- Send and receive Radius packets (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response and others) from within your Java application
- Use PAP and CHAP as authentication types for Access-Request messages
- Attach arbitrary Radius attributes to the packets employing attribute names read from a dictionary file
- Send and receive Radius packets with “Vendor-Specific” attributes
19. Tiny Radius Netty
TinyRadius-Netty is a Radius library, based on the TinyRadius Radius library. Built with Java 8 and Netty patterns, some of the other features that TinyRadius-Netty performs are sending/receiving Radius packets, signing and verifying for access and accounting requests/responses, attach arbitrary attributes to packets, etc.
Tiny RADIUS Netty Features
- Sends/receives Radius packets
- Signs and verifies Request Authenticator for Access and Accounting requests/responses
- Supports verifying and encoding for PAP, CHAP, and EAP (Message-Authenticator)
- Attach arbitrary attributes to packets
- Loads dictionaries recursively from file system or classpath (Radiator/FreeRadius format)
21. FreeRADIUS Server Configuration Tool
Developed for the Linux operating system and written in Python, FreeRADIUS-Server-Configuration-Tool can configure any FreeRADIUS servers easily and perform authentication, authorization, and accounting quickly. The purpose of the program is to configure the FreeRADIUS server easily and quickly.
WinRADIUS is a Windows native port of FreeRADIUS Server. Runs on 64-bit Windows OS. Built in options include OpenSSL, OpenLDAP, PostgreSQL, Python, IPv6.
WinRadius is a standard RADIUS server for network authentication, accounting. It’s easy to use, and can be used for telecommunication accounting platform, PPP authentication, accounting server. It support PPP, PPPoE, PPTP, VPN, VoIP, ADSL, Cable Modem, CDMA, GSM, GPRS, WLAN(802.1x), etc. It’s a perfect authentication, accounting solution for wide-band, VoIP, W-LAN, etc.
WinRadius is suitable for intelligent building, wide-band network, remote CAI, ISP, VPN, IP Phone, and so on. It’s stable, full-functioned solution.
23. Flexinets Radius Server
Flexinets.radius.radiusserver is a RADIUS server library for .NET Standard. This project can be used to create a Radius server in for example a Windows Service.
Packets are handled in multiple threads without running several instances. This can be useful when packet handlers do something slow, like lookups from external dependencies.
Pluggable packet handlers for different remote IPs. Conditionally compliant with RFCs
24. Pepper Spot
PepperSpot is a captive portal or wireless LAN access point controller which support the IPv6 protocol. It supports web based login and it supports Wireless Protected Access (WPA). Authentication is handled by your favorite radius server (over IPv4/IPv6).
PepperSpot is a Captive Portal which allow an authenticated user to access a service network, in most case Internet. PepperSpot is destinated to be used by wireless clients.
25. HostAPD / Host Access Point Daemon
Hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. The current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
hostapd is designed to be a “daemon” program that runs in the background and acts as the backend component controlling authentication. hostapd supports separate frontend programs and an example text-based frontend, hostapd_cli, is included with hostapd.
Hostapd Supported Features:
- WPA-PSK (“WPA-Personal”)
- WPA with EAP (with integrated EAP server or an external RADIUS backend authentication server) (“WPA-Enterprise”)
- key management for CCMP, TKIP, WEP104, WEP40
- WPA and full IEEE 802.11i/RSN/WPA2
- RSN: PMKSA caching, pre-authentication
- IEEE 802.11r
- IEEE 802.11w
- RADIUS accounting
- RADIUS authentication server with EAP
- Wi-Fi Protected Setup (WPS)
RADIUSdesk is a web gui for FreeRADIUS to manage your WiFi network.
- A Modern dashboard that is easy to navigate
- Easy to use API that makes third party integration a snap
- Login pages applet for central hotspot login page management.
- Support Social Login (Facebook etc) integration for CoovaChilli and Mikrotik.
- A device manager which makes BYOD a pleasure for any enterprise.
- Fine grained rights management.
- Extensive usage graphs for fine grained trend analysis and capacity planning.
- i18n. Easy translations. Also supporting rtl languages.
- Advanced debug trace applet to allow real-time debug traces on FreeRADIUS by using Websocket.
- MESHdesk applet that helps to set-up, manage and monitor Batman-adv mesh networks
TACPPD this is Tacacs + plus daemon (TACacs Plus Plus Daemon). TACPPD is is AAA server (authentication, authorization, accounting) for network devices. The main goal – create distributed AAA environment with a full database support + integration with billing system and with real-time user sessions control.
This is “all-in-one” system (tacacs+ with telnet server, with http server, with NetFlow collector, with SNMP poller and other) easily deploy to a VM with telnet/web control and AAA server functionality. Tacppd core use C++ and web/billing interface uses Perl. It can be compiled for any *nix system with POSIX threads. Most information about network devices valid only for Cisco equipment. Read more on TACPPD
SMRadius is a high performance pre-forked radius AAA server, it features a highly configurable backend engine supporting flexible data specifications. The primary goal of the SMRadius project is to provide an extremely flexible authentication platform which may serve a large number of industries (ISPs, WiSPs … etc).
30. BSDRadius - RADIUS Server for VoIP
BSDRadius is free and opensource RADIUS (Remote Authentication Dial In User Service) server to use primarily in Voice over IP (VoIP) application. It complies with RFC2865 and related RFC, and is extensible by user-defined modules. It is completely written in Python. BSDRadius uses a popular library – pyrad – for lower level operations such as parsing attribute dictionaries and building accounting and authorization packets
31. Keycloak RADIUS
Keycloak RADIUS Plugin Features:
- Embedded radius server in keycloak server
- use keycloak authentication and authorization for the embedded RADIUS server
- radius oidc password
- webAuthn authentication. Radius Authentication using your fingerprint or FIDO2 security key
- radius OTP password (TOTP/HOTP via Google Authenticator or FreeOTP)
- use Keycloak user credentials, if radius access-request protocol is PAP Otherwise is using Keycloak Radius credentials or OTP
- use Kerberos/ldap credentials(only if Radius client use PAP authorization)
- can work as radius proxy
- support Radsec Protocol (Radius over TLS)
- Map Keycloak authorization , Role, Group and User Attributes to Radius Attributes
- conditional attributes for authorization/Role/Group/User
- reject attribute for authorization/Role/Group/User
32. OpenVPN RADIUS
RADIUSPlugin is an OpenVPN plugin for RADIUS authentication and RADIUS accounting with support of some RADIUS attributes like framed ip address, framed routes and acct interim interval. Vendor specific attributes can be also used by defining own scripts.