How To Install FreeRADIUS on AlmaLinux 10
FreeRADIUS stands as the world’s most widely deployed RADIUS server, providing robust Authentication, Authorization, and Accounting (AAA) services for enterprise networks worldwide. This powerful open-source solution handles millions of authentication requests daily across diverse network infrastructures, from small business WiFi deployments to large-scale enterprise environments.
AlmaLinux 10 offers an ideal platform for FreeRADIUS deployment, combining enterprise-grade stability with cost-effective licensing. As a 1:1 binary compatible fork of Red Hat Enterprise Linux, AlmaLinux provides the reliability and security features demanded by production environments while maintaining compatibility with existing RHEL-based workflows and tools.
The implementation of a RADIUS server becomes crucial when organizations need centralized authentication for network access points, VPN connections, and switch-based 802.1X authentication. FreeRADIUS excels in these scenarios by offering modular architecture, extensive protocol support, and seamless integration capabilities with existing directory services and databases.
This comprehensive guide walks through every aspect of installing and configuring FreeRADIUS on AlmaLinux 10. System administrators and network engineers will learn step-by-step installation procedures, security hardening techniques, and troubleshooting methodologies essential for production deployments. The tutorial covers everything from initial system preparation through advanced configuration options, ensuring readers can successfully implement a robust RADIUS infrastructure.
By following this guide, you’ll establish a fully functional FreeRADIUS server capable of handling authentication requests from wireless access points, network switches, and VPN concentrators while maintaining the highest security standards.
Understanding FreeRADIUS Fundamentals
Core RADIUS Protocol Concepts
RADIUS (Remote Authentication Dial-In User Service) operates on a client-server architecture that centralizes authentication, authorization, and accounting functions. The protocol utilizes UDP port 1812 for authentication requests and UDP port 1813 for accounting information, ensuring efficient network communication with minimal overhead.
Authentication verifies user credentials against configured databases or directory services. Authorization determines what resources authenticated users can access, while accounting tracks user sessions and resource consumption for billing and auditing purposes. This three-tier AAA model provides comprehensive network access control.
FreeRADIUS Architecture and Components
FreeRADIUS implements a highly modular design that enables flexible configuration and extensibility. The server’s core engine processes requests through configurable modules, each handling specific authentication methods, database connections, or protocol implementations.
Key configuration files reside in the /etc/raddb/
directory, including radiusd.conf
for main server settings, clients.conf
for Network Access Server definitions, and users
for local account management. This organized structure simplifies administration and troubleshooting procedures.
The modular architecture supports numerous authentication protocols including PAP, CHAP, MS-CHAP, EAP-TLS, and PEAP. Each module can be independently configured, loaded, or disabled based on specific deployment requirements, ensuring optimal performance and security.
Common Use Cases in Enterprise Networks
WiFi infrastructure represents the most prevalent FreeRADIUS deployment scenario. Wireless access points authenticate users against the RADIUS server, enforcing network access policies and VLAN assignments based on user credentials or device certificates.
VPN authentication through FreeRADIUS provides centralized credential management for remote access solutions. Network administrators can implement consistent authentication policies across multiple VPN concentrators while maintaining detailed session logging.
Network switch 802.1X implementations leverage FreeRADIUS for port-based access control. Switches authenticate connected devices before granting network access, preventing unauthorized equipment from accessing internal resources.
Prerequisites and System Preparation
Hardware Requirements
Minimum system specifications for FreeRADIUS include 1GB RAM, 10GB available disk space, and a single CPU core. However, production environments handling thousands of simultaneous users require substantially more resources to maintain optimal performance.
Recommended production hardware configurations start with 4GB RAM, 50GB disk space, and dual-core processors. High-traffic deployments serving large enterprise networks may require 8GB or more RAM, depending on authentication volume and database integration complexity.
Storage requirements vary significantly based on logging levels and accounting data retention policies. Organizations implementing detailed session logging should provision additional disk space for log rotation and archival procedures.
Software Prerequisites
AlmaLinux 10 installation must be completed and fully updated before FreeRADIUS deployment. System administrators should verify network connectivity, hostname resolution, and time synchronization services are properly configured.
Essential development packages may be required for certain FreeRADIUS modules or custom configurations. Installing gcc
and make
packages ensures compatibility with all FreeRADIUS components:
sudo dnf install gcc make -y
Network connectivity requirements include outbound internet access for package downloads and inbound access from Network Access Servers that will authenticate through the RADIUS server.
Security Considerations Before Installation
Firewall configuration planning should occur before FreeRADIUS installation to prevent service disruption. RADIUS typically requires UDP ports 1812 and 1813 to be accessible from client devices.
User permissions and sudo access must be properly configured for the installation account. Administrative users require sudo privileges for package installation, service management, and configuration file modifications.
Network segmentation best practices recommend isolating RADIUS servers within dedicated management VLANs to limit potential attack vectors and improve monitoring capabilities.
System Updates and Package Management
Updating all system packages ensures compatibility and security:
sudo dnf update -y
Enabling PowerTools repository may be necessary for certain FreeRADIUS dependencies:
sudo dnf config-manager --enable crb
Package management verification confirms DNF functionality and repository accessibility before beginning FreeRADIUS installation procedures.
FreeRADIUS Installation Process
Installing FreeRADIUS via DNF Package Manager
The standard installation process utilizes AlmaLinux’s native DNF package manager for reliable and maintainable FreeRADIUS deployment:
sudo dnf install freeradius freeradius-utils -y
This command installs the core FreeRADIUS server and essential utilities including radtest
for authentication testing and debugging tools for troubleshooting configurations.
Additional modules can be installed based on specific requirements:
sudo dnf install freeradius-mysql freeradius-postgresql freeradius-ldap -y
These optional packages provide database connectivity and LDAP integration capabilities for enterprise directory service authentication.
Alternative Installation Methods
Installing from source code provides access to the latest features and custom module development. However, this approach requires additional compilation time and manual dependency management.
Third-party repositories may offer newer FreeRADIUS versions than standard AlmaLinux repositories. Network RADIUS provides official packages for various distributions with enhanced features and performance optimizations.
Handling dependency conflicts requires careful package version management when mixing repository sources. System administrators should document custom installations for future maintenance procedures.
Post-Installation Directory Structure
The /etc/raddb/
directory contains all FreeRADIUS configuration files. Key components include:
radiusd.conf
– Main server configurationclients.conf
– Network Access Server definitionsusers
– Local user account databasecerts/
– SSL/TLS certificate storagemods-available/
– Available modulessites-available/
– Virtual server configurations
Log files are typically stored in /var/log/radius/
with separate files for different logging categories including authentication attempts, accounting records, and error messages.
Understanding this directory structure is essential for effective configuration management and troubleshooting procedures.
Service Management Setup
Enabling the FreeRADIUS service ensures automatic startup during system boot sequences:
sudo systemctl enable radiusd.service
Starting the service initiates FreeRADIUS with default configurations:
sudo systemctl start radiusd.service
Verifying service status confirms successful startup:
sudo systemctl status radiusd.service
Successful startup displays an “active (running)” status with no error messages in the service output.
Initial Configuration and Setup
Generating SSL/TLS Certificates
FreeRADIUS requires SSL/TLS certificates for secure EAP authentication methods. The included bootstrap script generates self-signed certificates for testing purposes:
sudo /etc/raddb/certs/bootstrap
Production environments should implement proper Certificate Authority (CA) certificates to ensure client device compatibility and security compliance. Self-signed certificates may cause connection issues with strict security policies.
Certificate management procedures include regular renewal schedules to prevent authentication failures due to expired certificates. Automated renewal systems can minimize administrative overhead.
Basic Server Configuration
The main configuration file /etc/raddb/radiusd.conf
controls core server behavior. Basic modifications include:
sudo nano /etc/raddb/radiusd.conf
Key configuration parameters include listening interfaces, port numbers, and logging levels. Default settings work for most installations, but production environments may require interface-specific bindings for security purposes.
Authentication port configuration typically uses standard RADIUS ports:
- Authentication: UDP 1812
- Accounting: UDP 1813
Logging configuration determines debug output levels and log file destinations for troubleshooting and monitoring purposes.
Client Configuration in clients.conf
Network Access Servers must be defined in /etc/raddb/clients.conf
before they can authenticate users through FreeRADIUS:
sudo nano /etc/raddb/clients.conf
Adding client configurations requires specific syntax:
client mynas {
ipaddr = 192.168.1.100
secret = very_strong_shared_secret
shortname = wireless-ap
nastype = other
}
Shared secrets must be identical on both FreeRADIUS and client devices. Strong passwords with minimum 32-character length provide optimal security.
IP address restrictions limit access to authorized Network Access Servers and prevent unauthorized authentication attempts.
User Management and Authentication
Local user accounts are configured in /etc/raddb/users
:
sudo nano /etc/raddb/users
Basic user account syntax includes:
john Cleartext-Password := "secure_password"
Service-Type = Framed-User,
Framed-Protocol = PPP
Password storage options include cleartext, MD5, and encrypted formats depending on client device capabilities and security requirements.
User attribute assignment controls access privileges and network parameters such as VLAN assignments and session timeouts.
Database Integration Setup (Optional)
MySQL or MariaDB integration provides scalable user management for large deployments:
sudo dnf install freeradius-mysql mariadb-server -y
sudo systemctl enable --now mariadb.service
Database schema installation creates required tables:
mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
PostgreSQL and LDAP integration options provide enterprise directory service connectivity for existing user databases.
Testing and Validation
Local Testing with radtest Command
The radtest
utility provides essential authentication testing capabilities:
radtest john secure_password localhost 0 testing123
Successful authentication returns specific response codes indicating proper server configuration and user credential validation.
Common test scenarios include:
- Basic username/password authentication
- Different user accounts and passwords
- Invalid credentials to verify rejection
Response code interpretation helps identify configuration issues:
- Access-Accept: Successful authentication
- Access-Reject: Authentication failure
- No response: Network or service problems
Debug Mode Operation
Running FreeRADIUS in debug mode provides detailed troubleshooting information:
sudo radiusd -X
Debug output includes configuration file parsing, module loading, and request processing details. This information is essential for identifying configuration errors and authentication failures.
Successful debug startup shows no error messages and displays listening port information. Configuration syntax errors are immediately visible during startup sequences.
Debug mode should be the first troubleshooting step when experiencing authentication problems.
Network Client Testing
Testing with actual network devices validates production readiness. Wireless access points, switches, and VPN concentrators provide realistic authentication scenarios.
WiFi access point integration testing verifies EAP method compatibility and certificate validation procedures.
Switch 802.1X authentication testing confirms port-based access control functionality and VLAN assignment capabilities.
Monitoring authentication logs during testing helps identify timing issues and protocol compatibility problems.
Load Testing and Performance Verification
Stress testing with multiple concurrent requests validates server capacity and response time requirements.
Performance monitoring tools track authentication response times and system resource utilization during peak usage periods.
Capacity planning calculations help determine hardware requirements for expected user loads and growth projections.
Security Hardening and Best Practices
Access Control Configuration
Restricting client access to trusted devices prevents unauthorized authentication attempts. IP address filtering and network segmentation provide multiple security layers.
Strong shared secret implementation requires minimum 32-character passwords with complex character combinations. Automated secret generation tools ensure proper randomness.
Firewall rule implementation should limit RADIUS port access to authorized Network Access Servers only. Default deny policies prevent unauthorized access attempts.
Authentication Security Measures
Password policy enforcement encourages strong user credentials and regular password updates. Integration with enterprise password policies maintains consistency.
Multi-factor authentication integration provides enhanced security for high-privilege accounts and sensitive network access.
Certificate-based authentication eliminates password-based vulnerabilities while providing strong device identification capabilities.
System-Level Security
File permission hardening restricts configuration file access to authorized administrators only:
sudo chmod 640 /etc/raddb/clients.conf
sudo chown root:radiusd /etc/raddb/clients.conf
Service account security includes running FreeRADIUS with minimal privileges and dedicated user accounts.
Network security considerations encompass TLS encryption for RADIUS traffic and secure management interfaces.
Monitoring and Logging
Comprehensive log file management includes rotation policies and long-term archival procedures for compliance requirements.
Security event monitoring tracks authentication failures, unusual access patterns, and potential attack indicators.
Audit trail maintenance provides accountability and forensic capabilities for security incident investigation.
Troubleshooting Common Issues
Installation and Startup Problems
Dependency resolution issues often occur when mixing repository sources or installing custom modules. Verifying package integrity resolves most conflicts:
sudo dnf check
sudo dnf clean all && sudo dnf update
Service startup failures typically indicate configuration syntax errors or missing dependencies. Checking system logs provides detailed error information:
sudo journalctl -u radiusd.service
Port binding conflicts occur when other services use RADIUS ports. Identifying conflicting processes enables resolution:
sudo netstat -tulpn | grep :1812
Configuration Errors
Common syntax errors in configuration files include missing brackets, incorrect indentation, and invalid parameter values. Debug mode immediately identifies these issues during startup.
Client authentication failures often result from shared secret mismatches or IP address restrictions. Verifying client configurations resolves most problems.
Debug output interpretation requires understanding FreeRADIUS processing flow and module interactions. Systematic analysis identifies root causes effectively.
Performance and Connectivity Issues
Network connectivity problems between clients and servers prevent authentication requests from reaching FreeRADIUS. Network troubleshooting tools identify routing and firewall issues.
Timeout issues may indicate server overload or network latency problems. Performance monitoring identifies bottlenecks requiring resolution.
Database connection problems affect user authentication when using external storage systems. Connection pooling and timeout configuration optimize performance.
Security-Related Problems
Certificate validation errors prevent EAP authentication methods from functioning properly. Verifying certificate chains and expiration dates resolves most issues.
Shared secret mismatches cause immediate authentication failures. Systematic verification of all client configurations ensures consistency.
Access denied scenarios require analysis of user permissions, client definitions, and authentication policies to identify restrictions.
Advanced Configuration Options
Module Configuration and Customization
FreeRADIUS provides extensive module libraries for authentication methods, database connectivity, and protocol support. Module selection depends on specific deployment requirements and client device capabilities.
Custom module development enables specialized authentication workflows and integration with proprietary systems. The FreeRADIUS API provides comprehensive development frameworks.
Third-party module integration expands functionality through community-developed extensions and commercial solutions for specialized environments.
High Availability and Redundancy
FreeRADIUS clustering configurations provide fault tolerance and load distribution for critical network infrastructure. Multiple server deployments eliminate single points of failure.
Load balancing implementations distribute authentication requests across multiple servers while maintaining session consistency and user experience.
Failover mechanisms automatically redirect traffic during server outages, ensuring continuous network access for authenticated users.
Integration with External Systems
Active Directory integration enables seamless authentication against existing Windows domain infrastructure while maintaining centralized user management.
Cloud authentication services provide scalable solutions for distributed organizations with multiple locations and remote workforce requirements.
API integrations and webhooks enable real-time user provisioning and automated account management workflows.
Maintenance and Monitoring
Regular Maintenance Tasks
Log file management requires automated rotation and archival procedures to prevent disk space exhaustion while maintaining compliance requirements. Configuring logrotate handles routine maintenance:
sudo nano /etc/logrotate.d/radiusd
Configuration backup procedures should include regular snapshots of the /etc/raddb/
directory and associated databases. Automated backup scripts minimize administrative overhead while ensuring recovery capabilities.
Security updates and patch management require monitoring FreeRADIUS release cycles and applying updates during scheduled maintenance windows.
Performance Monitoring
Key performance metrics include authentication response times, concurrent user sessions, and server resource utilization. Monitoring tools provide real-time visibility into system health and capacity utilization.
Threshold-based alerting systems notify administrators of performance degradation before user impact occurs. Proactive monitoring prevents service disruptions.
Capacity trending analysis identifies growth patterns requiring hardware upgrades or architectural changes to maintain service levels.
Backup and Recovery Procedures
Configuration backup strategies encompass both file-based backups and configuration management systems for version control and change tracking.
User database backup procedures vary depending on storage systems but should include regular snapshots and tested recovery procedures.
Disaster recovery planning includes documented procedures for complete system rebuilds and service restoration following catastrophic failures.
Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial for installing the FreeRADIUS on your AlmaLinux OS 10 system. For additional or useful information, we recommend you check the official FreeRADIUS website.