How To Install FreeRADIUS on Fedora 42

Setting up a centralized authentication system is crucial for modern network infrastructure. FreeRADIUS stands as the most widely deployed RADIUS server globally, providing robust authentication, authorization, and accounting (AAA) services. This comprehensive guide walks you through installing and configuring FreeRADIUS on Fedora 42, ensuring your network access control meets enterprise standards.

The RADIUS (Remote Authentication Dial-In User Service) protocol enables centralized user management across diverse network devices. Whether you’re managing Wi-Fi access points, VPN connections, or network switches, FreeRADIUS delivers the scalability and flexibility needed for secure network operations.

Understanding FreeRADIUS and Its Core Benefits

What is FreeRADIUS

FreeRADIUS operates as an open-source implementation of the RADIUS protocol, handling millions of authentication requests daily across organizations worldwide. The server processes authentication requests through a systematic workflow: clients send Access-Request packets containing user credentials, FreeRADIUS validates these credentials against configured authentication sources, and responds with either Access-Accept or Access-Reject packets.

The AAA framework forms the foundation of FreeRADIUS functionality. Authentication verifies user identity through passwords, certificates, or multi-factor methods. Authorization determines what resources authenticated users can access. Accounting tracks user sessions, bandwidth consumption, and connection duration for billing and monitoring purposes.

Key Features and Capabilities

FreeRADIUS supports extensive RADIUS attribute sets, including vendor-specific attributes (VSAs) that enable custom functionality. The server handles multiple authentication protocols simultaneously, including PAP, CHAP, MS-CHAP, EAP-TLS, and EAP-TTLS. Database integration capabilities span MySQL, PostgreSQL, LDAP, and Active Directory environments.

Scalability features include load balancing, failover mechanisms, and distributed architecture support. Virtual server configurations allow multiple RADIUS instances within a single deployment, each serving different client groups or authentication policies.

Modern Network Use Cases

Wi-Fi authentication represents the most common FreeRADIUS deployment scenario. Enterprise wireless networks leverage 802.1X authentication protocols to secure access points and manage user credentials centrally. VPN access control integrates FreeRADIUS with OpenVPN, StrongSwan, and commercial VPN solutions.

Network device management utilizes FreeRADIUS for administrator authentication on switches, routers, and firewalls. This centralized approach eliminates local account management while providing comprehensive audit trails.

Prerequisites and System Requirements

Hardware Requirements

Minimum specifications include a dual-core processor, 2GB RAM, and 10GB available storage space. These requirements support small-scale deployments with up to 1,000 concurrent users. Production environments handling enterprise workloads benefit from quad-core processors, 8GB RAM, and SSD storage for optimal performance.

Network connectivity requirements include stable internet access for package downloads and repository updates. Internal network planning should accommodate RADIUS traffic on UDP ports 1812 (authentication) and 1813 (accounting).

Software Prerequisites

Fedora 42 installation should be current with all available updates applied. Terminal access through either local console or SSH connection is essential for command-line operations. Basic Linux system administration knowledge helps troubleshoot configuration issues and understand service management concepts.

Root privileges or sudo access enables package installation and system configuration changes. Network administrators should understand firewall concepts and basic TCP/IP networking principles.

User Permissions and Security

Administrative access through sudo or direct root login allows complete system configuration. Security considerations include strong passwords, SSH key authentication, and limited user accounts with specific privileges. Initial security hardening should address unnecessary services, default passwords, and network access controls.

Pre-Installation System Preparation

System Updates and Package Management

Begin by updating your Fedora 42 system to ensure compatibility and security patches are current. Execute the following commands to refresh package repositories and install available updates:

sudo dnf clean all
sudo dnf update -y

The dnf clean all command removes cached package data, preventing potential conflicts during updates. System updates may require a reboot if kernel updates are installed. Verify the update process completed successfully by checking for any error messages or failed package installations.

Repository Configuration

RPM Fusion repositories provide additional packages required for comprehensive FreeRADIUS functionality. These repositories contain modules for database integration and advanced authentication methods. Install both free and non-free RPM Fusion repositories:

sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
sudo dnf install https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

After repository installation, refresh the package database to incorporate newly available packages:

sudo dnf update

Firewall and Initial Security Configuration

Fedora 42 includes firewalld for network security management. Before installing FreeRADIUS, review current firewall rules and plan for RADIUS service requirements. The default configuration typically blocks RADIUS ports, requiring specific rules for proper operation.

Check current firewall status and active zones:

sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones

Document current configurations before making changes, enabling easy rollback if issues arise during installation or testing phases.

Installing FreeRADIUS on Fedora 42

Core Package Installation

Install the main FreeRADIUS server package along with essential utilities using dnf package manager. The installation includes the core server daemon, configuration files, and basic modules:

sudo dnf install freeradius freeradius-utils

The freeradius package contains the main server daemon (radiusd) and core configuration files. The freeradius-utils package provides testing and diagnostic tools including radtest, radclient, and radeapclient utilities.

Verify package installation by checking installed files:

rpm -ql freeradius | head -20

Additional Modules and Database Integration

Install database integration modules and advanced authentication capabilities:

sudo dnf install freeradius-ldap freeradius-mysql freeradius-postgresql

The LDAP module (freeradius-ldap) enables integration with directory services including Active Directory and OpenLDAP. Database modules support user authentication and accounting storage in MySQL or PostgreSQL databases.

Additional modules available through Fedora repositories include:

  • freeradius-krb5: Kerberos authentication support
  • freeradius-rest: RESTful API integration
  • freeradius-python3: Python script execution capabilities

Installation Verification

Confirm successful installation by checking package versions and file locations:

rpm -qa | grep freeradius
radiusd -v

The version command displays FreeRADIUS server information including build date, SSL support, and available modules. Typical output shows version 3.2.x with various compiled features listed.

Verify service files and configuration directories exist:

ls -la /etc/raddb/
systemctl status radiusd

The /etc/raddb/ directory contains all FreeRADIUS configuration files. Service status should show “inactive (dead)” initially since configuration is required before starting the daemon.

Basic FreeRADIUS Configuration

Main Configuration File Setup

The primary configuration file /etc/raddb/radiusd.conf controls global server behavior and module loading. Create a backup copy before making changes:

sudo cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.backup

Edit the main configuration file using your preferred text editor:

sudo nano /etc/raddb/radiusd.conf

Key configuration parameters include:

  • bind_address: IP address for server listening (default: all interfaces)
  • port: Authentication port number (default: 1812)
  • hostname_lookups: DNS resolution for client connections
  • max_request_time: Maximum processing time for requests
  • delete_blocked_requests: Automatic cleanup of blocked requests

Uncomment and modify the bind_address if you need to restrict FreeRADIUS to specific network interfaces. For security purposes, binding to specific addresses prevents unauthorized access from unintended network segments.

Client Configuration

Client configuration defines which devices can send RADIUS requests to your server. Edit the clients configuration file:

sudo nano /etc/raddb/clients.conf

Add client definitions for network devices that will authenticate users:

client 192.168.1.100 {
    secret = mySecretKey123
    shortname = wifi-controller
    nas_type = other
}

client 10.0.0.0/24 {
    secret = networkSecret456
    shortname = lan-switches
}

Each client entry requires:

  • IP address or subnet: Source of RADIUS requests
  • secret: Shared key for packet encryption and authentication
  • shortname: Descriptive identifier for logging and management

Use strong, unique secrets for each client to maintain security. Secrets should contain uppercase letters, lowercase letters, numbers, and special characters, with a minimum length of 16 characters.
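
One way to check clients.conf against the guidance above, as an added example (not FreeRADIUS code and not part of the original page): it parses flat client blocks, flags secrets that are default, short, missing a character class, reused, or shared by a whole subnet, and generates a compliant replacement. The function names and the localhost entry in the sample are assumptions; the other two blocks are the page's sample clients.

```python
import re
import secrets
import string

# Constructed sample: the page's two client blocks plus a localhost entry that
# carries the testing123 secret used by the page's radtest command.
SAMPLE = """
client 192.168.1.100 {
    secret = mySecretKey123
    shortname = wifi-controller
}
client 10.0.0.0/24 {
    secret = networkSecret456
    shortname = lan-switches
}
client localhost {
    secret = testing123
}
"""

KNOWN_DEFAULTS = {"testing123"}
CLIENT_RE = re.compile(r"^[ \t]*client\s+(\S+)\s*\{(.*?)^[ \t]*\}", re.S | re.M)
ITEM_RE = re.compile(r'^[ \t]*(\w+)\s*=\s*("[^"]*"|[^\s#]+)', re.M)


def parse_clients(text):
    """Return {client name: {item: value}}; flat blocks only, commented lines skipped."""
    return {name: {k: v.strip('"') for k, v in ITEM_RE.findall(body)}
            for name, body in CLIENT_RE.findall(text)}


def has_all_classes(secret):
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return all(any(t(c) for c in secret) for t in tests)


def audit(clients, min_len=16):
    """Apply the page's secret guidance; returns (client, finding) tuples."""
    findings, owners = [], {}
    for name, cfg in clients.items():
        secret = cfg.get("secret", "")
        owners.setdefault(secret, []).append(name)
        if secret in KNOWN_DEFAULTS:
            findings.append((name, "well-known default secret"))
        if len(secret) < min_len:
            findings.append((name, f"secret shorter than {min_len} characters"))
        if not has_all_classes(secret):
            findings.append((name, "missing a character class"))
        if "/" in cfg.get("ipaddr", name):
            findings.append((name, "one secret shared by a whole subnet"))
    return findings + [(", ".join(names), "secret reused across clients")
                       for names in owners.values() if len(names) > 1]


def new_secret(length=32):
    """Random secret that passes every check above and needs no quoting."""
    alphabet = string.ascii_letters + string.digits + "!%+-_.:@^"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


print(*audit(parse_clients(SAMPLE)), sep="\n")
```

Point parse_clients at the contents of /etc/raddb/clients.conf to audit a live server; blocks that contain nested sections need a fuller parser.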

Virtual Server Configuration

Virtual servers define authentication and authorization policies for different client groups. The default virtual server handles most standard configurations:

sudo nano /etc/raddb/sites-available/default

Review the authorize section for authentication methods:

authorize {
    filter_username
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    sql
    pap
}

Each module in the authorize section runs sequentially, processing authentication requests according to defined policies. The files module handles local user authentication, while sql enables database integration.

Service Management and Startup Configuration

Starting FreeRADIUS Service

Enable and start the FreeRADIUS service using systemctl commands:

sudo systemctl enable radiusd
sudo systemctl start radiusd

The enable command configures automatic startup during system boot. Verify service status and startup success:

sudo systemctl status radiusd

Successful startup shows “active (running)” status with recent log entries indicating server initialization. Common startup indicators include module loading messages and port binding confirmations.

Service Management Commands

Essential service management commands for ongoing operations:

# Restart service after configuration changes
sudo systemctl restart radiusd

# Reload configuration without stopping service
sudo systemctl reload radiusd

# Stop service for maintenance
sudo systemctl stop radiusd

# View detailed service logs
journalctl -u radiusd -f

The reload command applies configuration changes without interrupting active user sessions. Use restart when structural changes require complete service reinitialization.

Debugging Mode Operations

Debug mode provides comprehensive troubleshooting information:

sudo radiusd -X

Debug output includes configuration parsing, module initialization, and request processing details. This mode runs in the foreground, displaying real-time server activity and error messages.

Common debug information includes:

  • Configuration file parsing results
  • Module loading success or failure
  • Database connection status
  • Authentication request processing
  • Policy evaluation outcomes

User Authentication Configuration

Local User Authentication

Configure local users through the /etc/raddb/mods-config/files/authorize file:

sudo nano /etc/raddb/mods-config/files/authorize

Add test user entries with authentication methods:

testuser Cleartext-Password := "testpassword"
    Reply-Message = "Welcome to the network"

john User-Password == "securepass123"
    Framed-IP-Address = 192.168.1.50,
    Service-Type = Framed-User

Different password attributes support various authentication methods:

  • Cleartext-Password: Plain text passwords for PAP authentication
  • User-Password: Encrypted passwords for CHAP/MS-CHAP
  • NT-Password: Windows-compatible password hashes

Reply attributes define access parameters and user restrictions. Common reply attributes include VLAN assignments, bandwidth limits, and session timeouts.

Database Integration Setup

Database authentication enables centralized user management and dynamic attribute assignment. Configure SQL module for MySQL integration:

sudo nano /etc/raddb/mods-available/sql

Key database configuration parameters:

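sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"

    # Connection settings sit directly inside sql { } in FreeRADIUS 3.x
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"
    radius_db = "radius"

    # Load NAS client definitions from the table named below
    read_clients = yes
    client_table = "nas"
}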

Enable the SQL module by creating a symbolic link:

sudo ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/

Database schema installation requires importing FreeRADIUS SQL scripts into your MySQL database for proper table structure and initial data.

LDAP Integration Configuration

LDAP integration connects FreeRADIUS with Active Directory or OpenLDAP servers:

sudo nano /etc/raddb/mods-available/ldap

Configure LDAP connection parameters:

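ldap {
    server = "ldap.company.com"
    # 389 is plaintext LDAP: the bind password below crosses the network
    # unprotected unless StartTLS or LDAPS is configured
    port = 389
    identity = "cn=radius,dc=company,dc=com"
    password = "ldappassword"
    # FreeRADIUS 3.x names this item base_dn
    base_dn = "dc=company,dc=com"

    user {
        # Look up the account by its sAMAccountName (Active Directory)
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_dn = "ou=Users,dc=company,dc=com"
    }
}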

Enable the LDAP module and configure the authentication policy to use directory services for user validation and authorization.

Testing and Validation Procedures

Basic Authentication Testing

Use the radtest utility to verify server functionality:

sudo radtest testuser testpassword localhost 0 testing123

Command parameters include:

  • username: Test account name
  • password: Authentication password
  • server: FreeRADIUS server address
  • nas-port: NAS port identifier (typically 0 for testing)
  • secret: Client shared secret

Successful authentication returns an Access-Accept packet with configured reply attributes. Failed authentication shows Access-Reject with error details in server logs.
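
What the radtest call above puts on the wire, as an added example that is not part of the original page or of FreeRADIUS itself: a minimal PAP exchange per RFC 2865 using the page's testuser, testpassword and testing123 values. The function names are hypothetical; the point is that the shared secret only obscures User-Password and signs the reply, so a mismatched secret shows up as a reject plus a reply the NAS cannot verify.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18  # RFC 2865 attribute types


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def xor_password(data, secret, request_auth, hide):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if hide:  # pad the cleartext with NULs to a multiple of 16 bytes
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(b ^ k for b, k in zip(block, key))
        prev = mixed if hide else block  # the chain always runs over ciphertext
        out += mixed
    return out if hide else out.rstrip(b"\x00")


def build_request(ident, user, password, secret):
    """NAS side: Access-Request carrying User-Name in clear and a hidden User-Password."""
    request_auth = os.urandom(16)
    hidden = xor_password(password, secret, request_auth, hide=True)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(request, secret, users):
    """Server side: recover the password, decide, and sign the reply with the secret."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, body, attrs = request[4:20], request[20:length], {}
    while len(body) >= 2 and 2 <= body[1] <= len(body):
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    supplied = xor_password(attrs.get(USER_PASSWORD, b""), secret, request_auth, hide=False)
    expected = users.get(attrs.get(USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    reply_attrs = attr(REPLY_MESSAGE, b"Welcome to the network") if ok else b""
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def reply_is_authentic(reply, request, secret):
    """NAS side: recompute the Response Authenticator with its own copy of the secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


USERS = {b"testuser": b"testpassword"}  # mirrors the page's authorize entry
request = build_request(7, b"testuser", b"testpassword", b"testing123")
reply = server_reply(request, b"testing123", USERS)
print("code:", reply[0], "authentic:", reply_is_authentic(reply, request, b"testing123"))
```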

Advanced Testing Scenarios

Test different authentication methods and client configurations:

# Test from remote client IP
radtest john securepass123 192.168.1.10 0 networkSecret456

# Test accounting functionality
echo "User-Name=testuser,Acct-Status-Type=Start" | radclient localhost acct testing123

Monitor server logs during testing to verify request processing and policy application. Debug mode provides detailed packet analysis and module execution flow.

Performance and Load Testing

Evaluate server performance under load conditions using multiple concurrent authentication requests. Tools like radperf or custom scripts generate authentication traffic for capacity planning.

Monitor system resources during load testing:

  • CPU utilization and load averages
  • Memory consumption and swap usage
  • Network interface statistics
  • Disk I/O patterns for logging and database operations

Firewall Configuration and Network Security

RADIUS Port Configuration

Configure firewall rules to allow RADIUS traffic:

sudo firewall-cmd --permanent --add-port=1812/udp
sudo firewall-cmd --permanent --add-port=1813/udp
sudo firewall-cmd --reload

Verify firewall rules are active:

sudo firewall-cmd --list-ports

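Restrict RADIUS access to specific source networks for enhanced security. The rich rule only narrows exposure if the port is not also opened zone-wide with --add-port as above, and a --permanent rule takes effect after the next --reload: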

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="udp" port="1812" accept'

SSL/TLS Certificate Configuration

Generate SSL certificates for EAP-TLS authentication methods:

cd /etc/raddb/certs
sudo ./bootstrap

The bootstrap script creates a certificate authority and server certificates for testing purposes. Production deployments should use certificates from trusted certificate authorities or internal PKI infrastructure.

Configure EAP module to utilize generated certificates:

sudo nano /etc/raddb/mods-available/eap

Update certificate paths and private key locations within the EAP configuration section.

Troubleshooting Common Installation Issues

Package Installation Problems

Dependency resolution failures typically result from missing repositories or conflicting packages. Verify repository configuration and clean package cache:

sudo dnf clean all
sudo dnf makecache
sudo dnf check

Check for conflicting packages or broken dependencies:

sudo dnf repoquery --conflicts freeradius
sudo dnf repoquery --requires freeradius

Configuration File Errors

Syntax errors in configuration files prevent service startup. Use debug mode to identify specific configuration problems:

sudo radiusd -XC

The -C flag performs configuration checking without starting the server. Common syntax errors include:

  • Missing semicolons or brackets
  • Incorrect module references
  • Invalid attribute names or values
  • File permission issues

Authentication Failures

Troubleshoot authentication problems systematically:

  1. Verify client configuration and shared secrets
  2. Check user account existence and password accuracy
  3. Review authentication policy configuration
  4. Examine server logs for processing errors

Enable detailed logging for troubleshooting:

sudo nano /etc/raddb/radiusd.conf

Increase log verbosity and enable authentication logging:

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_accept = yes
    auth_reject = yes
}
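
With authentication logging enabled as above, the log can drive simple detection. This added example (not part of the original page or of FreeRADIUS) flags a burst of rejected logins for one user from one client, and an accepted login that directly follows such a burst. The sample lines are constructed in the assumed shape of radius.log auth entries, and the function name, threshold and window are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the assumed shape of radius.log with auth = yes.
SAMPLE_LOG = """\
Tue Jun  3 10:15:01 2025 : Auth: (11) Login incorrect (pap: Cleartext password does not match "known good" password): [john/<via Auth-Type = PAP>] (from client lan-switches port 0 cli 00-11-22-33-44-55)
Tue Jun  3 10:15:20 2025 : Auth: (12) Login OK: [testuser/<via Auth-Type = PAP>] (from client wifi-controller port 0)
Tue Jun  3 10:15:40 2025 : Auth: (13) Login incorrect (pap: Cleartext password does not match "known good" password): [john/<via Auth-Type = PAP>] (from client lan-switches port 0 cli 00-11-22-33-44-55)
Tue Jun  3 10:16:05 2025 : Auth: (14) Login incorrect (pap: Cleartext password does not match "known good" password): [john/<via Auth-Type = PAP>] (from client lan-switches port 0 cli 00-11-22-33-44-55)
Tue Jun  3 10:16:30 2025 : Auth: (15) Login OK: [john/<via Auth-Type = PAP>] (from client lan-switches port 0 cli 00-11-22-33-44-55)
Tue Jun  3 10:40:00 2025 : Auth: (16) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser/<via Auth-Type = PAP>] (from client wifi-controller port 0)
""".splitlines()

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : Auth: \(\d+\) "
    r"(?P<result>Login OK|Login incorrect).*?\[(?P<user>[^\]/]*)[^\]]*\] "
    r"\(from client (?P<client>\S+) port \d+")


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag failure bursts per (user, client) and a success that follows one."""
    recent = defaultdict(deque)  # (user, client) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an auth line
        when = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        key = (m["user"], m["client"])
        failures = recent[key]
        while failures and when - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if m["result"] == "Login incorrect":
            failures.append(when)
            if len(failures) == threshold:
                alerts.append(("burst", *key, len(failures)))
        elif len(failures) >= threshold:
            # Login OK right after a burst: the password may have been guessed
            alerts.append(("success-after-burst", *key, len(failures)))
            failures.clear()
    return alerts


for alert in detect(SAMPLE_LOG):
    print(alert)
```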

Performance Optimization and Production Considerations

Memory and Resource Tuning

Optimize FreeRADIUS performance for production workloads by adjusting memory allocation and connection pooling:

sudo nano /etc/raddb/radiusd.conf

Key performance parameters:

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

Database connection pooling reduces authentication latency:

# Goes inside the sql { } module block; FreeRADIUS 3.x names the section "pool"
pool {
    start = 5
    min = 4
    max = 32
    spare = 3
    uses = 0
    lifetime = 0
    idle_timeout = 60
}

High Availability and Redundancy

Implement high availability using multiple FreeRADIUS servers with load balancing. Configure RADIUS clients to support primary and secondary server configurations.

Database replication ensures consistent user data across multiple server instances. Monitor server health using external monitoring systems and automated failover mechanisms.

Monitoring and Maintenance

Establish regular maintenance procedures:

  • Log rotation and archiving policies
  • Database maintenance and optimization
  • Certificate renewal processes
  • Security update application
  • Performance monitoring and capacity planning

Configure logrotate for FreeRADIUS log management:

sudo nano /etc/logrotate.d/radiusd

Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial for installing FreeRADIUS on your Fedora 42 Linux system. For additional or useful information, we recommend you check the official FreeRADIUS website.

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.