How To Install FreeRADIUS on Fedora 42
Setting up a centralized authentication system is crucial for modern network infrastructure. FreeRADIUS stands as the most widely deployed RADIUS server globally, providing robust authentication, authorization, and accounting (AAA) services. This comprehensive guide walks you through installing and configuring FreeRADIUS on Fedora 42, ensuring your network access control meets enterprise standards.
The RADIUS (Remote Authentication Dial-In User Service) protocol enables centralized user management across diverse network devices. Whether you’re managing Wi-Fi access points, VPN connections, or network switches, FreeRADIUS delivers the scalability and flexibility needed for secure network operations.
Understanding FreeRADIUS and Its Core Benefits
What is FreeRADIUS
FreeRADIUS operates as an open-source implementation of the RADIUS protocol, handling millions of authentication requests daily across organizations worldwide. The server processes authentication requests through a systematic workflow: clients send Access-Request packets containing user credentials, FreeRADIUS validates these credentials against configured authentication sources, and responds with either Access-Accept or Access-Reject packets.
The AAA framework forms the foundation of FreeRADIUS functionality. Authentication verifies user identity through passwords, certificates, or multi-factor methods. Authorization determines what resources authenticated users can access. Accounting tracks user sessions, bandwidth consumption, and connection duration for billing and monitoring purposes.
Key Features and Capabilities
FreeRADIUS supports extensive RADIUS attribute sets, including vendor-specific attributes (VSAs) that enable custom functionality. The server handles multiple authentication protocols simultaneously, including PAP, CHAP, MS-CHAP, EAP-TLS, and EAP-TTLS. Database integration capabilities span MySQL, PostgreSQL, LDAP, and Active Directory environments.
Scalability features include load balancing, failover mechanisms, and distributed architecture support. Virtual server configurations allow multiple RADIUS instances within a single deployment, each serving different client groups or authentication policies.
Modern Network Use Cases
Wi-Fi authentication represents the most common FreeRADIUS deployment scenario. Enterprise wireless networks leverage 802.1X authentication protocols to secure access points and manage user credentials centrally. VPN access control integrates FreeRADIUS with OpenVPN, StrongSwan, and commercial VPN solutions.
Network device management utilizes FreeRADIUS for administrator authentication on switches, routers, and firewalls. This centralized approach eliminates local account management while providing comprehensive audit trails.
Prerequisites and System Requirements
Hardware Requirements
Minimum specifications include a dual-core processor, 2GB RAM, and 10GB available storage space. These requirements support small-scale deployments with up to 1,000 concurrent users. Production environments handling enterprise workloads benefit from quad-core processors, 8GB RAM, and SSD storage for optimal performance.
Network connectivity requirements include stable internet access for package downloads and repository updates. Internal network planning should accommodate RADIUS traffic on UDP ports 1812 (authentication) and 1813 (accounting).
Software Prerequisites
Fedora 42 installation should be current with all available updates applied. Terminal access through either local console or SSH connection is essential for command-line operations. Basic Linux system administration knowledge helps troubleshoot configuration issues and understand service management concepts.
Root privileges or sudo access enables package installation and system configuration changes. Network administrators should understand firewall concepts and basic TCP/IP networking principles.
User Permissions and Security
Administrative access through sudo or direct root login allows complete system configuration. Security considerations include strong passwords, SSH key authentication, and limited user accounts with specific privileges. Initial security hardening should address unnecessary services, default passwords, and network access controls.
Pre-Installation System Preparation
System Updates and Package Management
Begin by updating your Fedora 42 system to ensure compatibility and security patches are current. Execute the following commands to refresh package repositories and install available updates:
sudo dnf clean all
sudo dnf update -y
The dnf clean all command removes cached package data, preventing potential conflicts during updates. System updates may require a reboot if kernel updates are installed. Verify the update process completed successfully by checking for any error messages or failed package installations.
Repository Configuration
RPM Fusion repositories provide additional packages required for comprehensive FreeRADIUS functionality. These repositories contain modules for database integration and advanced authentication methods. Install both free and non-free RPM Fusion repositories:
sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
sudo dnf install https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
After repository installation, refresh the package database to incorporate newly available packages:
sudo dnf update
Firewall and Initial Security Configuration
Fedora 42 includes firewalld for network security management. Before installing FreeRADIUS, review current firewall rules and plan for RADIUS service requirements. The default configuration typically blocks RADIUS ports, requiring specific rules for proper operation.
Check current firewall status and active zones:
sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones
Document current configurations before making changes, enabling easy rollback if issues arise during installation or testing phases.
Installing FreeRADIUS on Fedora 42
Core Package Installation
Install the main FreeRADIUS server package along with essential utilities using dnf package manager. The installation includes the core server daemon, configuration files, and basic modules:
sudo dnf install freeradius freeradius-utils
The freeradius package contains the main server daemon (radiusd) and core configuration files. The freeradius-utils package provides testing and diagnostic tools including the radtest, radclient, and radeapclient utilities.
Verify package installation by checking installed files:
rpm -ql freeradius | head -20
Additional Modules and Database Integration
Install database integration modules and advanced authentication capabilities:
sudo dnf install freeradius-ldap freeradius-mysql freeradius-postgresql
The LDAP module (freeradius-ldap) enables integration with directory services including Active Directory and OpenLDAP. Database modules support user authentication and accounting storage in MySQL or PostgreSQL databases.
Additional modules available through Fedora repositories include:
- freeradius-krb5: Kerberos authentication support
- freeradius-rest: RESTful API integration
- freeradius-python3: Python script execution capabilities
Installation Verification
Confirm successful installation by checking package versions and file locations:
rpm -qa | grep freeradius
radiusd -v
The version command displays FreeRADIUS server information including build date, SSL support, and available modules. Typical output shows version 3.2.x with various compiled features listed.
Verify service files and configuration directories exist:
ls -la /etc/raddb/
systemctl status radiusd
The /etc/raddb/ directory contains all FreeRADIUS configuration files. Service status should show “inactive (dead)” initially since configuration is required before starting the daemon.
Basic FreeRADIUS Configuration
Main Configuration File Setup
The primary configuration file /etc/raddb/radiusd.conf controls global server behavior and module loading. Create a backup copy before making changes:
sudo cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.backup
Edit the main configuration file using your preferred text editor:
sudo nano /etc/raddb/radiusd.conf
Key configuration parameters include:
- bind_address: IP address for server listening (default: all interfaces)
- port: Authentication port number (default: 1812)
- hostname_lookups: DNS resolution for client connections
- max_request_time: Maximum processing time for requests
- delete_blocked_requests: Automatic cleanup of blocked requests
Uncomment and modify the bind_address if you need to restrict FreeRADIUS to specific network interfaces. For security purposes, binding to specific addresses prevents unauthorized access from unintended network segments.
Client Configuration
Client configuration defines which devices can send RADIUS requests to your server. Edit the clients configuration file:
sudo nano /etc/raddb/clients.conf
Add client definitions for network devices that will authenticate users:
client 192.168.1.100 {
    secret = mySecretKey123
    shortname = wifi-controller
    nas_type = other
}
client 10.0.0.0/24 {
    secret = networkSecret456
    shortname = lan-switches
}
Each client entry requires:
- IP address or subnet: Source of RADIUS requests
- secret: Shared key for packet encryption and authentication
- shortname: Descriptive identifier for logging and management
Use a strong, unique secret for each client. Secrets should contain uppercase letters, lowercase letters, numbers, and special characters, with a minimum length of 16 characters.
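The secret rules above can be checked mechanically before a clients.conf goes live. The following is an added example, not part of the original tutorial or of FreeRADIUS itself: a small auditor that flags default, short, low-variety and reused secrets, plus a generator for replacements. The function names, the simplified parser and the sample file are assumptions made for illustration.

```python
import re
import secrets
import string

# Constructed sample: the two clients shown above, the stock localhost client
# (well-known secret "testing123"), and one deliberately reused secret.
SAMPLE_CLIENTS_CONF = """
client localhost {
    secret = testing123
}
client 192.168.1.100 {
    secret = mySecretKey123
}
client 10.0.0.0/24 {
    secret = networkSecret456   # reused below
}
client 10.0.1.0/24 {
    secret = networkSecret456
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)\}", re.S | re.M)
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(\S+)", re.M)
KNOWN_DEFAULTS = {"testing123"}
MIN_LEN = 16  # minimum length recommended above

def weaknesses(secret):
    """Checks that look at a single secret."""
    issues = []
    if secret in KNOWN_DEFAULTS:
        issues.append("default secret")
    if len(secret) < MIN_LEN:
        issues.append("shorter than %d characters" % MIN_LEN)
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if not all(any(f(c) for c in secret) for f in classes):
        issues.append("missing a character class")
    return issues

def audit_clients(conf_text):
    """Return {client: [issues]}; '#' starts a comment, nested sections are not followed."""
    report, first_owner = {}, {}
    for name, body in CLIENT_RE.findall(re.sub(r"#.*", "", conf_text)):
        m = SECRET_RE.search(body)
        secret = m.group(1).strip("\"'") if m else ""
        issues = weaknesses(secret) if secret else ["no secret set"]
        if secret and secret in first_owner:
            issues.append("same secret as " + first_owner[secret])
        first_owner.setdefault(secret, name)
        report[name] = issues
    return report

def new_secret(length=32):
    """Random secret that passes weaknesses(); no quotes, '#', braces or spaces."""
    alphabet = string.ascii_letters + string.digits + "!%+-_@:.,^"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate
```

Run audit_clients() on the text of /etc/raddb/clients.conf; an empty list for every client means the file meets the rules stated above.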
Virtual Server Configuration
Virtual servers define authentication and authorization policies for different client groups. The default virtual server handles most standard configurations:
sudo nano /etc/raddb/sites-available/default
Review the authorize section for authentication methods:
authorize {
    filter_username
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    sql
    pap
}
Each module in the authorize section runs sequentially, processing authentication requests according to defined policies. The files module handles local user authentication, while sql enables database integration.
Service Management and Startup Configuration
Starting FreeRADIUS Service
Enable and start the FreeRADIUS service using systemctl commands:
sudo systemctl enable radiusd
sudo systemctl start radiusd
The enable command configures automatic startup during system boot. Verify service status and startup success:
sudo systemctl status radiusd
Successful startup shows “active (running)” status with recent log entries indicating server initialization. Common startup indicators include module loading messages and port binding confirmations.
Service Management Commands
Essential service management commands for ongoing operations:
# Restart service after configuration changes
sudo systemctl restart radiusd
# Reload configuration without stopping service
sudo systemctl reload radiusd
# Stop service for maintenance
sudo systemctl stop radiusd
# View detailed service logs
journalctl -u radiusd -f
The reload command applies configuration changes without interrupting active user sessions. Use restart when structural changes require complete service reinitialization.
Debugging Mode Operations
Debug mode provides comprehensive troubleshooting information:
sudo radiusd -X
Debug output includes configuration parsing, module initialization, and request processing details. This mode runs in the foreground, displaying real-time server activity and error messages.
Common debug information includes:
- Configuration file parsing results
- Module loading success or failure
- Database connection status
- Authentication request processing
- Policy evaluation outcomes
User Authentication Configuration
Local User Authentication
Configure local users through the /etc/raddb/mods-config/files/authorize file:
sudo nano /etc/raddb/mods-config/files/authorize
Add test user entries with authentication methods:
testuser Cleartext-Password := "testpassword"
        Reply-Message = "Welcome to the network"

john User-Password == "securepass123"
        Framed-IP-Address = 192.168.1.50,
        Service-Type = Framed-User
Different password attributes support various authentication methods:
- Cleartext-Password: Plain text passwords for PAP authentication
- User-Password: Encrypted passwords for CHAP/MS-CHAP
- NT-Password: Windows-compatible password hashes
Reply attributes define access parameters and user restrictions. Common reply attributes include VLAN assignments, bandwidth limits, and session timeouts.
Database Integration Setup
Database authentication enables centralized user management and dynamic attribute assignment. Configure SQL module for MySQL integration:
sudo nano /etc/raddb/mods-available/sql
Key database configuration parameters:
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    # Connection settings sit directly inside the sql { } section
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"
    radius_db = "radius"
    read_clients = yes
    client_table = "nas"
}
Enable the SQL module by creating a symbolic link:
sudo ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
Database schema installation requires importing FreeRADIUS SQL scripts into your MySQL database for proper table structure and initial data.
LDAP Integration Configuration
LDAP integration connects FreeRADIUS with Active Directory or OpenLDAP servers:
sudo nano /etc/raddb/mods-available/ldap
Configure LDAP connection parameters:
ldap {
    server = "ldap.company.com"
    port = 389
    identity = "cn=radius,dc=company,dc=com"
    password = "ldappassword"
    base_dn = "dc=company,dc=com"
    user {
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_dn = "ou=Users,dc=company,dc=com"
    }
}
Enable LDAP module and configure authentication policy to utilize directory services for user validation and authorization.
Testing and Validation Procedures
Basic Authentication Testing
Use the radtest utility to verify server functionality:
sudo radtest testuser testpassword localhost 0 testing123
Command parameters include:
- username: Test account name
- password: Authentication password
- server: FreeRADIUS server address
- nas-port: NAS port identifier (typically 0 for testing)
- secret: Client shared secret
Successful authentication returns an Access-Accept packet with configured reply attributes. Failed authentication shows Access-Reject with error details in server logs.
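What the shared secret given to radtest does on the wire for a PAP request, following RFC 2865: it keys the MD5-based hiding of User-Password and the Response Authenticator on the reply. This is an added example, not code from the original tutorial or from FreeRADIUS; exchange() and its attribute-less reply are simplifying assumptions, and the values are the test credentials used above.

```python
import hashlib
import os
import struct


def hide_password(password, secret, request_auth):
    """NAS side (RFC 2865 section 5.2): pad to 16-byte blocks, XOR each
    block with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Server side: same keystream, keyed by the secret from clients.conf."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5 over the reply header, the Request Authenticator, the reply
    attributes and the secret (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def exchange(nas_secret, server_secret, password=b"testpassword"):
    """One PAP round trip; returns (password_seen_by_server, reply_verifies)."""
    request_auth = os.urandom(16)
    hidden = hide_password(password, nas_secret, request_auth)
    seen = recover_password(hidden, server_secret, request_auth)
    # Server signs an Access-Accept (2) or Access-Reject (3) with its secret.
    code = 2 if seen == password else 3
    reply_auth = response_authenticator(code, 1, b"", request_auth, server_secret)
    # NAS recomputes the authenticator with its own secret before trusting it.
    expected = response_authenticator(code, 1, b"", request_auth, nas_secret)
    return seen, reply_auth == expected
```

With matching secrets exchange() returns the original password and a verified reply; with mismatched secrets the server sees garbage and the client discards the reply, which is why a wrong secret shows up as rejects or timeouts rather than a clear error.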
Advanced Testing Scenarios
Test different authentication methods and client configurations:
# Test from remote client IP
radtest john securepass123 192.168.1.10 0 networkSecret456
# Test accounting functionality
echo "User-Name=testuser,Acct-Status-Type=Start" | radclient localhost acct testing123
Monitor server logs during testing to verify request processing and policy application. Debug mode provides detailed packet analysis and module execution flow.
Performance and Load Testing
Evaluate server performance under load conditions using multiple concurrent authentication requests. Tools like radperf or custom scripts generate authentication traffic for capacity planning.
Monitor system resources during load testing:
- CPU utilization and load averages
- Memory consumption and swap usage
- Network interface statistics
- Disk I/O patterns for logging and database operations
Firewall Configuration and Network Security
RADIUS Port Configuration
Configure firewall rules to allow RADIUS traffic:
sudo firewall-cmd --permanent --add-port=1812/udp
sudo firewall-cmd --permanent --add-port=1813/udp
sudo firewall-cmd --reload
Verify firewall rules are active:
sudo firewall-cmd --list-ports
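Restrict RADIUS access to specific source networks for enhanced security. A rich rule only narrows access when the zone does not also carry the unrestricted 1812/udp and 1813/udp port openings added above:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="udp" port="1812" accept'
sudo firewall-cmd --reload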
SSL/TLS Certificate Configuration
Generate SSL certificates for EAP-TLS authentication methods:
cd /etc/raddb/certs
sudo ./bootstrap
The bootstrap script creates a certificate authority and server certificates for testing purposes. Production deployments should use certificates from trusted certificate authorities or internal PKI infrastructure.
Configure EAP module to utilize generated certificates:
sudo nano /etc/raddb/mods-available/eap
Update certificate paths and private key locations within the EAP configuration section.
Troubleshooting Common Installation Issues
Package Installation Problems
Dependency resolution failures typically result from missing repositories or conflicting packages. Verify repository configuration and clean package cache:
sudo dnf clean all
sudo dnf makecache
sudo dnf check
Check for conflicting packages or broken dependencies:
sudo dnf repoquery --conflicts freeradius
sudo dnf repoquery --requires freeradius
Configuration File Errors
Syntax errors in configuration files prevent service startup. Use debug mode to identify specific configuration problems:
sudo radiusd -XC
The -C flag performs configuration checking without starting the server. Common syntax errors include:
- Missing semicolons or brackets
- Incorrect module references
- Invalid attribute names or values
- File permission issues
Authentication Failures
Troubleshoot authentication problems systematically:
- Verify client configuration and shared secrets
- Check user account existence and password accuracy
- Review authentication policy configuration
- Examine server logs for processing errors
Enable detailed logging for troubleshooting:
sudo nano /etc/raddb/radiusd.conf
Increase log verbosity and enable authentication logging:
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_accept = yes
    auth_reject = yes
}
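Once auth = yes is set, radius.log becomes a usable detection source. The following added example (not from the original tutorial or the FreeRADIUS project) flags clients that produce a burst of rejects, separating repeated failures for one account from failures spread over many names. The line format is an assumption modelled on FreeRADIUS 3.x Auth: entries, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\)\s+"
    r"(?P<result>Login OK|Login incorrect)[^\[]*"
    r"\[(?P<user>[^\]/]*)[^\]]*\] \(from client (?P<client>\S+) port")


def parse(line):
    """Return (timestamp, accepted, user, client) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["result"] == "Login OK", m["user"], m["client"]


def reject_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Clients with `threshold` rejects inside a sliding `window`, as sorted
    (client, user) pairs; user is '*' when several names were tried."""
    recent = defaultdict(deque)  # client -> (timestamp, user) of recent rejects
    alerts = set()
    for ts, accepted, user, client in filter(None, map(parse, lines)):
        if accepted:
            continue
        queue = recent[client]
        queue.append((ts, user))
        while ts - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            users = {u for _, u in queue}
            alerts.add((client, users.pop() if len(users) == 1 else "*"))
    return sorted(alerts)


# Constructed sample lines (times are 10:MM:SS on one day).
_FMT = ("Tue Jun  3 10:%s 2025 : Auth: (%d) %s: "
        "[%s/<via Auth-Type = PAP>] (from client %s port 0)")
_BAD = 'Login incorrect (pap: Cleartext password does not match "known good" password)'
SAMPLE_LOG = [_FMT % (t, n, res, user, client) for n, (t, res, user, client) in enumerate([
    ("15:01", "Login OK", "testuser", "localhost"),
    ("15:02", _BAD, "john", "wifi-controller"),
    ("15:05", _BAD, "john", "wifi-controller"),
    ("15:09", _BAD, "john", "wifi-controller"),
    ("15:20", _BAD, "john", "wifi-controller"),
    ("15:31", _BAD, "john", "wifi-controller"),
    ("16:00", _BAD, "alice", "lan-switches"),
    ("16:10", _BAD, "bob", "lan-switches"),
    ("16:20", _BAD, "carol", "lan-switches"),
    ("16:30", _BAD, "dave", "lan-switches"),
    ("16:40", _BAD, "erin", "lan-switches"),
    ("20:00", _BAD, "testuser", "localhost"),
    ("25:00", _BAD, "testuser", "localhost"),
])]
```

Feed it the lines of the file named in the log section; tune window and threshold to the normal reject rate of each client before alerting on the result.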
Performance Optimization and Production Considerations
Memory and Resource Tuning
Optimize FreeRADIUS performance for production workloads by adjusting memory allocation and connection pooling:
sudo nano /etc/raddb/radiusd.conf
Key performance parameters:
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
Database connection pooling reduces authentication latency. The settings go in the pool section inside the sql module in /etc/raddb/mods-available/sql:
pool {
    start = 5
    min = 4
    max = 32
    spare = 3
    uses = 0
    lifetime = 0
    idle_timeout = 60
}
High Availability and Redundancy
Implement high availability using multiple FreeRADIUS servers with load balancing. Configure RADIUS clients to support primary and secondary server configurations.
Database replication ensures consistent user data across multiple server instances. Monitor server health using external monitoring systems and automated failover mechanisms.
Monitoring and Maintenance
Establish regular maintenance procedures:
- Log rotation and archiving policies
- Database maintenance and optimization
- Certificate renewal processes
- Security update application
- Performance monitoring and capacity planning
Configure logrotate for FreeRADIUS log management:
sudo nano /etc/logrotate.d/radiusd
Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial to install FreeRADIUS on your Fedora 42 Linux system. For additional information, we recommend you check the official FreeRADIUS website.