How to Install Radius Server Linux on Ubuntu (Step by Step)

FreeRADIUS, a free and open-source implementation of the RADIUS protocol, is the most popular and widely deployed open-source RADIUS server for Linux. It is used by several Fortune-500 companies, telecommunications companies, and other businesses. The RADIUS server is just one component of the FreeRADIUS suite. It can be deployed on Ubuntu, CentOS, Debian and other popular Linux distros.

What is the RADIUS Protocol?

Remote Authentication Dial-In User Service, or RADIUS, is a networking protocol that offers centralized Authentication, Authorization and Accounting (AAA) management for users who connect to and use a network service.

Authentication is the process of determining whether the client (user, device, or process) is a genuine user of the system. Authorization is the process of determining what the client is allowed to do on the network. Accounting is the process of monitoring the client’s activity on the network and providing the information necessary to calculate the cost for services.

Installing RADIUS on Ubuntu

Let’s now see how to install and configure RADIUS on Ubuntu. You’ll need a server running Ubuntu 20.04, with a minimum of 512MB of RAM and 300MB of storage space for installing RADIUS. Also, log in as a non-root sudo user so that you do not harm your system unknowingly: a malicious program that runs with root permissions can harm your system.

If you are on a fresh Ubuntu 20.04 install, you’ll have to update the server’s package index and upgrade to the latest packages:

				
					sudo apt update

				
			
				
					sudo apt upgrade
				
			

Install LAMP Stack

The LAMP stack (Linux, Apache, MySQL, PHP) is a group of open-source software used to create web applications and websites.

Install Apache Web Server

				
					sudo apt -y install apache2
				
			

Enable Apache so it starts on boot:

				
					sudo systemctl enable --now apache2
				
			

Include Apache’s application profile in UFW’s rules:

				
					sudo ufw allow Apache
				
			

Check access to Apache by visiting the server’s IP or hostname (http://ip_address). You will see something like this in your browser:

[Screenshot: the page Apache serves at http://ip_address]

Install PHP & Additional PHP Modules

				
					sudo apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
				
			

Check PHP version:

				
					php -v
				
			

Check if PHP is working

A fast way to make sure that PHP works is to create a simple PHP file in the Apache document root as follows.

Create a file in /var/www/html called phpinfo.php (it can be any name, it doesn’t matter)

				
					sudo nano /var/www/html/phpinfo.php
				
			

And add the following line:

Save and close the file.

Now you can visit https://your_server_ip/phpinfo.php and you’ll see something like:

[Screenshot: output of phpinfo.php in the browser]

However, you should now remove the file as it can be used by malicious entities to see information about your server:

				
					sudo rm /var/www/html/phpinfo.php
				
			

Install MySQL or MariaDB

Although both are somewhat different, MariaDB has been a drop-in replacement for MySQL for years. However, both will work for your purposes. So, you can choose whichever you prefer. Let’s go with MariaDB.

MySQL

				
					sudo apt -y install mysql-server
				
			

MariaDB

				
					sudo apt -y install mariadb-server
				
			

MySQL/MariaDB comes with a script that sets your MySQL/MariaDB root password and changes some less secure default values. To start, run the following command:

				
					sudo mysql_secure_installation
				
			

You’ll be asked for the current MySQL root password:

				
					

					Enter current password for root (enter for none):
				
			

If you have been following this tutorial, you won’t have set it yet. So, go ahead and press Enter. You’ll be asked if you want to set a root password – press Y and Enter and set a new root MySQL password.

Validate Password Plugin

You can skip this section if you’re not prompted by the VALIDATE PASSWORD PLUGIN.

If you install MySQL (and not MariaDB), when you run mysql_secure_installation you may be asked if you want your password validated to make sure it’s strong.

The plugin will ask you to choose from 3 levels of password strength to validate from, and depending on what you select, your password will be graded and shown to you so you can decide if you want to continue with it or try entering a different one.

VALIDATE PASSWORD PLUGIN can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y |Y for Yes, any other key for No:

It is better to select Y, but you can select No if you are sure of your password. If you select Y, then you’ll be asked to select how strong your password should be.

				
					There are three levels of password validation policy:
					LOW Length >= 8
					MEDIUM Length >= 8, numeric, mixed case, and special characters
					STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
					Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
				
			

If you selected 2, your password should contain lowercase letters, uppercase letters, numbers, and symbols, and it must be over 8 characters. When the estimated password strength is 100 and you want to continue with that password, input Y.

				
					Estimated strength of the password: 100
					Do you wish to continue with the password provided? (Press y|Y for Yes, any other key for No) : Y
				
			

Next, you’ll be asked if you want to remove anonymous users, restrict root access to the local machine, remove test databases, and reload the privilege tables. Answer y (or leave the prompt empty) and press Enter for Yes to each – unless you have a good reason not to.

Remove anonymous users:

				
					Remove anonymous users? [Y/n] y
					... Success!
				
			

Disallow root login remotely:

				
					Disallow root login remotely? [Y/n] y
					... Success!
				
			

Remove the test database:

				
					Remove test database and access to it? [Y/n] y
					- Dropping test database...
					... Success!
					- Removing privileges on test database...
					... Success!
				
			

Reload privilege tables:

				
					Reload privilege tables now? [Y/n] y
					... Success!
					Cleaning up...
				
			

Now MySQL (or MariaDB) has been installed on your system and you can proceed with configuring FreeRADIUS to use it.

Install FreeRADIUS and Configure with MySQL/MariaDB on Ubuntu 20.04

Install FreeRADIUS along with the two packages that it needs:

 

  1. freeradius-mysql – MySQL module for FreeRADIUS, so the server can do accounting and authentication using MySQL.
  2. freeradius-utils – a module that adds additional useful features to the FreeRADIUS server
				
					sudo apt -y install freeradius freeradius-mysql freeradius-utils
				
			

Test the RADIUS Server

FreeRADIUS is expected to run well with the default configuration.

To quickly check that FreeRADIUS is up and running, we’ll run it in debug mode.

Stop the FreeRADIUS server, as it started automatically after installing it.

				
					sudo systemctl stop freeradius
				
			

Run FreeRADIUS in debug mode (remember to use sudo):

				
					sudo freeradius -X
				
			

The output should look something like this:

				
					Listening on auth address * port 1812 bound to server default
					Listening on acct address * port 1813 bound to server default
					Listening on auth address :: port 1812 bound to server default
					Listening on acct address :: port 1813 bound to server default
					Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
					Listening on proxy address * port 52868
					Listening on proxy address :: port 57983
					Ready to process requests
				
			

Stop debug mode by pressing Ctrl+C.

Start and enable RADIUS service so it runs on system boot:

				
					sudo systemctl enable --now freeradius
				
			

Allow RADIUS in Firewall

(If you have UFW running on Ubuntu 20.04) RADIUS uses UDP ports 1812 for authentication and 1813 for accounting. You must ensure those ports are allowed. The method you use to allow them also depends on the platform you use. If you’re using UFW, then you can open them by running:

				
					sudo ufw allow to any port 1812 proto udp
					sudo ufw allow to any port 1813 proto udp
				
			

Configure RADIUS to use MySQL/MariaDB

You’ll create a database and a database user for RADIUS to use. You can use any credentials you like (don’t forget to replace the credentials used in this tutorial with your own). The details we’ll use are:

Database: radius
User: radius
Password: Areallystrongpassword_321

To begin, access the MySQL/MariaDB console as root, by running the following command and then inputting your password at the prompt:

				
					sudo mysql -u root -p
				
			

Create a database and user that will be used by RADIUS:

				
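					CREATE DATABASE radius;
					-- Separate CREATE USER and GRANT statements work on both MySQL 8.0 and MariaDB.
					CREATE USER 'radius'@'localhost' IDENTIFIED BY 'Areallystrongpassword_321';
					-- Privileges are limited to the radius database.
					GRANT ALL ON radius.* TO 'radius'@'localhost';
					FLUSH PRIVILEGES;
					quit;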
				
			

Now to populate the database with the RADIUS MySQL schema.

First, you’ll have to switch to using the root user, otherwise you’ll get Access denied when trying to import, even if we’re using sudo:

				
					sudo su -
				
			

Now import the RADIUS MySQL schema:

				
					mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

				
			

Let’s switch back to our non-root user (edxd here; use your own username):

				
					sudo su - edxd
				
			

You can check the tables just created in the radius database by running the following command, and then entering your root MySQL/MariaDB password:

				
					sudo mysql -u root -p -e "use radius;show tables;"

				
			

Output:

				
					+------------------+
					| Tables_in_radius |
					+------------------+
					| nas              |
					| radacct          |
					| radcheck         |
					| radgroupcheck    |
					| radgroupreply    |
					| radpostauth      |
					| radreply         |
					| radusergroup     |
					+------------------+
				
			

Create a soft link to the SQL module in /etc/freeradius/3.0/mods-enabled:

				
					sudo ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
				
			

Next, you’ll configure RADIUS to use SQL. To do this open /etc/freeradius/3.0/mods-enabled/sql using your favorite text editor, so we can edit some parameters.

You’ll install and use nano as the text editor, and open the file:

				
					sudo apt install nano
					sudo nano /etc/freeradius/3.0/mods-enabled/sql
				
			

There’s quite a bit of text, but most of it is commented out. You’ll just need to edit a few things.

  1. Change dialect = "sqlite" to dialect = "mysql"
  2. Change driver = "rlm_sql_null" to driver = "rlm_sql_${dialect}"
  3. If you use MySQL, the FreeRADIUS configuration assumes the use of TLS certs by default. As you won’t be using TLS certs in this tutorial, comment out the MySQL TLS section by adding a # sign at the beginning of every line in the tls section.

[Screenshots: the tls section as shipped, and the same section with every line commented out]

  4. Next, uncomment the Connection info section and add the connection details for our MySQL/MariaDB database. First uncomment (remove the # signs from) the beginning of the lines starting with server, port, login, password.

server – this is the server where the database is located. In this case it’s the local server so we can leave “localhost”

port – is set to 3306, which is the default port for the classic MySQL protocol. Leave it as is, unless you changed the MySQL port.

login – this is the database user you created earlier for FreeRADIUS to use. I created the user radius so I’ll leave it as is. Change it if your user is something else.

password – the password for that MySQL user that you also set earlier.

This is its initial state:

				
					# Connection info:
					#
					# server = "localhost"
					# port = 3306
					# login = "radius"
					# password = "radpass"
				
			

And here it is edited.

				
					# Connection info:
					#
					server = "localhost"
					port = 3306
					login = "radius"
					password = "Areallystrongpassword_321"
				
			

5. A few lines lower we need to configure the name of the database. By default it looks like this:

				
					# Database table configuration for everything except Oracle
					radius_db = "radius"
				
			

Instead of radius, input the name of the database you created (in this tutorial it is also radius, so the line stays the same):

				
					# Database table configuration for everything except Oracle
					radius_db = "radius"
				
			

6. Further down we’ll uncomment a line containing read_clients = yes. This is to enable FreeRADIUS to read clients from the database. Here is how it looks:

				
					# Set to 'yes' to read radius clients from the database ('nas' table)
					# Clients will ONLY be read on server startup.
					# read_clients = yes
				
			

And just remove the # sign to uncomment it:

				
					# Set to 'yes' to read radius clients from the database ('nas' table)
					# Clients will ONLY be read on server startup.
					read_clients = yes
				
			

7. Just a few lines lower, we want client_table = "nas" to be uncommented. It should be uncommented by default, but just check to make sure it looks like this:

				
					# Table to keep radius client info
					client_table = "nas"
				
			

Now change the group rights of the file you just edited:

				
					sudo chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
					sudo chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
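
As an added check (not part of the original tutorial and not a FreeRADIUS tool), the script below audits the file edited in steps 1 to 7: it confirms each setting is active rather than still commented out, that the password is not the shipped "radpass" placeholder, and that the file, which now stores a database password, is not readable by other users. The function names and the temp-file sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sql module file after the edits in steps 1-7.

# Print the value of the first uncommented "key = value" line, quotes stripped.
sql_setting() {            # usage: sql_setting FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Print one finding per line; return non-zero if there is any finding.
audit_sql_module() {       # usage: audit_sql_module FILE
    f=$1; bad=0
    expect() {             # usage: expect KEY WANTED_VALUE
        got=$(sql_setting "$f" "$1")
        [ "$got" = "$2" ] || { echo "$1: want '$2', found '${got:-nothing active}'"; bad=1; }
    }
    expect dialect mysql
    expect driver 'rlm_sql_${dialect}'
    expect read_clients yes
    expect client_table nas
    for key in server login password; do
        [ -n "$(sql_setting "$f" "$key")" ] || { echo "$key: still commented out"; bad=1; }
    done
    # "radpass" is the placeholder password in the file as shipped.
    [ "$(sql_setting "$f" password)" != radpass ] || { echo "password: shipped default"; bad=1; }
    # The file holds a database password, so "other" must have no access.
    # ls -L follows the mods-enabled symlink to the real file.
    other=$(ls -dlL "$f" | cut -c8-10)
    [ "$other" = "---" ] || { echo "mode: other has '$other' on $f"; bad=1; }
    return "$bad"
}

# Constructed sample input: the tutorial's edited values in a temp file.
write_sample() {           # usage: write_sample FILE PASSWORD
    cat > "$1" <<EOF
dialect = "mysql"
driver = "rlm_sql_\${dialect}"
server = "localhost"
port = 3306
login = "radius"
password = "$2"
read_clients = yes
client_table = "nas"
EOF
}

tmp=$(mktemp); write_sample "$tmp" "Areallystrongpassword_321"; chmod 640 "$tmp"
audit_sql_module "$tmp" && echo "sample config: OK"
rm -f "$tmp"
```

On the server, call audit_sql_module on /etc/freeradius/3.0/mods-enabled/sql from a root shell; any "mode" finding is fixed with chmod 640 on the file.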
				
			

And restart the FreeRADIUS service:

				
					sudo systemctl restart freeradius.service
				
			

Since you’ve made quite a few edits, you should run FreeRADIUS in debug mode to catch any mistakes before going further.

First stop the FreeRADIUS service since we can’t have 2 instances of the service running simultaneously:

				
					sudo systemctl stop freeradius.service
				
			

And run FreeRADIUS in debug mode:

				
					sudo freeradius -X
				
			

The output looks something like this:

[Screenshot: FreeRADIUS debug output]

Exit debug mode by pressing Ctrl+C and then start FreeRADIUS again by running:

				
					sudo systemctl start freeradius.service
				
			

Now FreeRADIUS is installed on your Ubuntu 20.04 Linux server and is configured to work with MySQL or MariaDB database.

If you wish, you can install daloRADIUS, which is a web control panel to manage your FreeRADIUS server. However, this step is optional, for those who want a GUI for their FreeRADIUS server.

Vikas Varier

I am a technical content writer based in Sydney. My passion is writing about networking technologies, security, Microsoft server technology, Azure and Office365.
