Set up and install a cloud FreeRADIUS server in Azure, AWS or GCP with the optional daloRADIUS GUI. FreeRADIUS is a high-performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4, DHCPv6, TACACS+ and VMPS. FreeRADIUS allows authentication, authorization, and accounting (AAA) for a network to be centralized, and minimizes the number of changes that have to be made when adding or deleting users on a network.
FreeRADIUS can authenticate users on systems such as 802.1X (WiFi), dial-up, PPPoE, VPNs, VoIP, and many others. It runs on a MariaDB/MySQL back-end database. It supports RADIUS Active Directory authentication, Azure AD authentication and LDAP integration.
Cloud RADIUS Server with daloRADIUS Portal Management
Cloud RADIUS Solution using freeRADIUS and daloRADIUS
This cloud RADIUS solution uses FreeRADIUS with the daloRADIUS GUI management portal. FreeRADIUS supports request proxying, with fail-over and load balancing, as well as the ability to access many types of back-end databases. Different classes of authentication requests can trigger access to different authentication and authorization databases (with cascaded fall-back), and accounting records can be simultaneously recorded in multiple different storage databases and directories.
FreeRADIUS Features
Complete support for RFC 2865 and RFC 2866 attributes.
EAP with EAP-MD5, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP, and Cisco LEAP EAP sub-types
Vendor Specific Attributes for almost one hundred vendors, including BinTec, Foundry, Cisco, Juniper, Lucent/Ascend, HP ProCurve, Microsoft, USR/3Com, Acc/Newbridge and many more.
FreeRADIUS provides a wide range of methods to select user configurations. The server can select a configuration based on any type of criteria or attribute.
FreeRADIUS is designed to be secure and is one of the fastest and most scalable products available for RADIUS.
Authenticate users via simple methods (PAP, CHAP, MS-CHAP, MS-CHAPv2, SIP Digest) and all common EAP types. All client operating systems are supported.
Both pre-authentication and post-authentication policies are supported.
IP addresses can be allocated through IP Pools.
All common accounting methods are supported
Any RADIUS request can be proxied.
Supports virtual servers
VLAN assignment may be done via the VMPS protocol.
daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating.
RADIUS User Management
Reporting
Accounting and visual graphs
RADIUS user activity reporting
Manage hotspots
Great for ISP deployments
Billing engine
Integrates with GoogleMaps for Geo-locating
Step 1.) Getting Started with FreeRADIUS Server
Login to FreeRADIUS via SSH
Once your RADIUS server has been deployed, the following links explain how to connect to a Linux VM:
Once connected and logged in, the following section explains how to start using FreeRADIUS.
Step 2.) Setup MySQL/MariaDB for FreeRADIUS
As part of this RADIUS solution MariaDB server is pre-installed. First run the following command to set your MySQL password. Currently the password is blank, so press ‘Enter’:
sudo mysql_secure_installation
Then follow the instructions to set a password, and select 'Y' for each option you are asked about.
Create database for FreeRADIUS Server
To run FreeRADIUS we need to create a database. Run the following commands to create a new database that we will use with FreeRADIUS (replace the example password in the GRANT statement with your chosen password):
sudo mysql -u root -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "Somestrongpassword_321";
FLUSH PRIVILEGES;
quit;
Import FreeRADIUS database schema
Before we make any further changes you will need to stop the freeRADIUS service with the following command:
sudo systemctl stop freeradius
Verify the service has stopped:
sudo systemctl status freeradius
Next we need to populate the database with the RADIUS MySQL schema.
First, you'll have to switch to the root user. Otherwise you'll get Access denied when trying to import, even when using sudo, because the shell opens the redirected schema file as your own user before sudo takes effect:
sudo su -
Import the freeRADIUS MySQL schema with the following command:
mysql -u root -p radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql
Let's check the tables we just created in the radius database by running the following command, and then entering your root MySQL/MariaDB password:
sudo mysql -u root -p -e "use radius;show tables;"
2.) Next, you will need to configure RADIUS to use SQL. To do this open /etc/freeradius/mods-enabled/sql using the nano editor:
sudo nano /etc/freeradius/mods-enabled/sql
Configure Dialect of SQL
3.) Now we need to edit some of the values in this config file.
Change dialect = "sqlite" to dialect = "mysql"
Uncomment the driver = "rlm_sql_${dialect}" option to enable the MySQL/MariaDB backend by removing the # symbol in front.
Comment out driver = "rlm_sql_null" with #
Disable TLS Support for MariaDB
1.) If you use MySQL, the FreeRADIUS configuration assumes the use of TLS certificates by default. Because the MariaDB database is on the same server in this solution, you do not need the MariaDB TLS support. Comment out the MySQL TLS section by adding a # sign at the beginning of every line in the tls section. The TLS section looks something like this:
In the below screenshot you can see TLS encryption is greyed out by adding #.
MariaDB Connection Details
1.) Next, uncomment the connection info section and add the connection details for our MySQL/MariaDB database. Remove the # from the beginning of the lines starting with server, port, login and password.
server – this is the server where the database is located. It is the local server, so we can leave "localhost"
port – is set to 3306, which is the default port for the classic MySQL protocol. Leave it as is, unless you changed the MySQL port.
login – this is the database user you created earlier for FreeRADIUS to use in the ‘Create database for FreeRADIUS Server’ section above. I created the user radius.
password – the password for the MySQL user that you also created earlier.
# Connection info:
#
server = "localhost"
port = 3306
login = "radius"
# Must match the password set for the radius user in the GRANT statement above
password = "Somestrongpassword_321"
2.) Further down in the config we need to set the MariaDB database name for FreeRADIUS, as shown below. Add your database name. In my example the database is called "radius".
3.) Next, uncomment the read_clients = yes option so that FreeRADIUS reads its clients from the nas table inside the FreeRADIUS database, and also uncomment client_table = "nas".
Save all the changes you made and close the file.
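The edits from the Configure Dialect of SQL, Disable TLS Support for MariaDB and MariaDB Connection Details steps can be checked with a short script before the service is started again. This is an added example, not part of the original guide or of FreeRADIUS: the function names are hypothetical, and the sample file is constructed and stands in for the much longer shipped module file.

```shell
# True if FILE ($1) has an uncommented line starting with regex $2.
active() { grep -Eq "^[[:space:]]*$2" "$1"; }

# Hypothetical helper: prints each failed check, returns the failure count.
check_sql_module() {
    f=$1; fails=0; eq='[[:space:]]*=[[:space:]]*'
    note() { echo "FAIL: $1"; fails=$((fails + 1)); }
    active "$f" "dialect${eq}\"mysql\"" || note 'dialect is not "mysql"'
    active "$f" "driver${eq}\"rlm_sql_[\$][{]dialect[}]\"" \
        || note 'driver = "rlm_sql_${dialect}" is still commented out'
    active "$f" "driver${eq}\"rlm_sql_null\"" \
        && note 'driver = "rlm_sql_null" is still active'
    for key in server port login password; do
        active "$f" "${key}${eq}" || note "$key is still commented out"
    done
    active "$f" "read_clients${eq}yes" || note 'read_clients is not enabled'
    active "$f" "client_table${eq}\"nas\"" || note 'client_table is not enabled'
    # Every line from "tls {" to its closing brace must be blank or a comment.
    awk '/^[ \t]*#?[ \t]*tls[ \t]*[{]/ { in_tls = 1 }
         in_tls && !/^[ \t]*#/ && !/^[ \t]*$/ { live++ }
         in_tls && /^[ \t]*#?[ \t]*[}]/ { in_tls = 0 }
         END { exit (live > 0) }' "$f" || note 'tls section has active lines'
    # The file stores the database password in clear text.
    [ -z "$(find -L "$f" -perm -004)" ] || note 'file is world-readable'
    return "$fails"
}

# Constructed sample of the edited file, far shorter than the shipped module.
sample_good() {
cat <<'EOF'
sql {
    dialect = "mysql"
#   driver = "rlm_sql_null"
    driver = "rlm_sql_${dialect}"
    mysql {
#       tls {
#           ca_file = "/etc/ssl/certs/my_ca.crt"
#       }
    }
    server = "localhost"
    port = 3306
    login = "radius"
    password = "Somestrongpassword_321"
    read_clients = yes
    client_table = "nas"
}
EOF
}
```

Run it as root against the live file with check_sql_module /etc/freeradius/mods-enabled/sql; a return status of 0 means every edit from the steps above is in place.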
Change Group Permissions of SQL Module
Now change the group rights of the file you just edited:
At this point FreeRADIUS is ready. An optional feature to install is a FreeRADIUS GUI that allows you to manage your RADIUS server via a web browser interface. I'll share one popular free GUI that you can install.
Install daloRADIUS GUI for FreeRADIUS
One of the popular free RADIUS management tools is daloRADIUS. Note: daloRADIUS doesn't work directly with Active Directory or LDAP via the GUI; it uses local users stored in MySQL. To use LDAP, Active Directory or Azure AD, you manage authentication via the terminal. Instructions are below.
daloRADIUS Features include:
daloRADIUS is an advanced RADIUS web platform aimed at managing Hotspots and general-purpose ISP deployments. It features
Rich user management
Graphical reporting
Accounting
Integrates with GoogleMaps for geo-locating (GIS).
Before we run the installation of daloRADIUS change your current directory to /var/www/html with the following command:
cd /var/www/html/
Next is to install daloRADIUS on your server, by running the following commands:
After extraction, run the below commands to import the database schema for daloRADIUS to the radius database and verify the list of tables on the FreeRADIUS database.
sudo mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
Verify the database schema with the following command and you should see a list of tables for FreeRADIUS and daloRADIUS
mysqlshow radius
You should see a similar output to the following tables for daloRADIUS and FreeRADIUS
Now, run the cp command below. This command copies the daloRADIUS configuration to /var/www/html/daloradius/library/daloradius.conf.php.
Next is to open daloradius.conf.php and add your database name, user and password in the config file. Run the following command to open using your nano editor:
Step 4.) Azure AD / LDAP / Active Directory Authentication
You can now configure RADIUS authentication. You have several options: you can set up local users using daloRADIUS that are stored locally in the database, or you can use different identity providers such as Azure AD, LDAP or Active Directory. The following sections explain how to set this up depending on your environment.
FreeRADIUS Azure AD Authentication
FreeRADIUS supports Azure AD authentication using rlm_perl to communicate with an OAuth2 identity provider backend, allowing users to connect to a wireless 802.1X (WPA Enterprise) network without needing on-premises systems.
FreeRADIUS Firewall Ports
FreeRADIUS uses the following ports:
RADIUS Authentication and Authorization
UDP: 1812
RADIUS Accounting
UDP: 1813
daloRADIUS Web Portal
TCP: 80 (HTTP)
If you are using any of the cloud security groups and need to change / add ports refer to the following guides:
Disclaimer: FreeRADIUS and daloRADIUS are licensed under GNU General Public License v2.0. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user. The author is not responsible for any damage that its use could cause.
Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.