
How To Install FreeRADIUS on Manjaro

Network security and centralized authentication have become critical components of modern IT infrastructure. FreeRADIUS stands out as one of the most powerful and widely-deployed open-source RADIUS servers available today, offering robust authentication, authorization, and accounting (AAA) services for network administrators. Whether you’re managing WiFi access points, VPN connections, or network devices, FreeRADIUS provides the flexibility and security needed to control access effectively.

Manjaro Linux, an Arch-based distribution known for its user-friendliness and rolling-release model, provides an excellent platform for deploying FreeRADIUS. This comprehensive guide walks you through every step of installing and configuring FreeRADIUS on Manjaro, from initial system preparation to testing and troubleshooting. By following these detailed instructions, you’ll have a fully functional RADIUS server ready to secure your network infrastructure.

Understanding FreeRADIUS and Its Capabilities

FreeRADIUS operates as a high-performance RADIUS protocol server that enables centralized authentication for remote network access. The RADIUS (Remote Authentication Dial-In User Service) protocol has become the industry standard for AAA services, making FreeRADIUS an essential tool for system administrators worldwide.

The server supports multiple protocols beyond traditional RADIUS, including DHCPv4 and VMPS (VLAN Management Policy Server). This multi-protocol capability allows FreeRADIUS to serve various authentication needs across different network technologies. Common use cases include wireless network authentication through WPA-Enterprise, VPN access control for remote workers, and administrative access management for network equipment like switches and routers.

FreeRADIUS excels in environments requiring scalable authentication solutions. Its modular architecture enables integration with various backend systems including LDAP directories, SQL databases, and Active Directory. The flexibility to customize authentication methods and policies makes it suitable for small office deployments and large enterprise networks alike.

Prerequisites and System Requirements

Before beginning the installation process, ensure your Manjaro system meets the necessary requirements. You’ll need a functioning Manjaro Linux installation with any desktop environment—whether XFCE, KDE Plasma, or GNOME. Root access or sudo privileges are essential for installing packages and modifying system configuration files.

Basic familiarity with Linux terminal commands will help you navigate this tutorial smoothly. You don’t need to be an expert, but understanding how to execute commands and edit text files using terminal-based editors like nano or vim proves beneficial. Network connectivity is required to download packages from Manjaro repositories during installation.

Adequate disk space should be available for the FreeRADIUS installation and its dependencies. The package itself is relatively lightweight, but you’ll want sufficient space for log files that accumulate over time as the server processes authentication requests.

Updating Your Manjaro System

System updates ensure compatibility and security before installing new software. Manjaro uses the pacman package manager, which provides access to the extensive Arch Linux repositories. Keeping your system current prevents potential conflicts with outdated dependencies.

Open your terminal and execute the system update command:

sudo pacman -Syu

This command performs a full system synchronization. The -S flag tells pacman to synchronize packages, -y refreshes the package database, and -u upgrades all outdated packages. Pacman will display a list of packages requiring updates and prompt for confirmation before proceeding.

The update process may take several minutes depending on your internet connection speed and the number of packages needing updates. Respond with “Y” when prompted to continue with the installation. Once completed, your system will have the latest security patches and software versions, creating a stable foundation for the FreeRADIUS installation.

Installing FreeRADIUS Packages

Manjaro provides FreeRADIUS packages directly through its official repositories, simplifying the installation process considerably. You’ll install both the core FreeRADIUS server and the utilities package, which includes helpful testing and management tools.

Execute the following command to install FreeRADIUS:

sudo pacman -S freeradius freeradius-utils

The package manager will resolve dependencies automatically and present a list of packages to be installed. The core freeradius package contains the server daemon and essential configuration files, while freeradius-utils provides command-line tools like radtest for testing authentication.

Pacman downloads the packages and verifies their integrity using cryptographic signatures. This security measure ensures you’re installing legitimate, unmodified software from trusted sources. After installation completes, verify success by checking the FreeRADIUS version:

radiusd -v

This command displays version information and confirms the server installed correctly. You should see output indicating the FreeRADIUS version number and compilation details.

Understanding FreeRADIUS Directory Structure

FreeRADIUS organizes its configuration through a logical directory structure under /etc/raddb/. Familiarizing yourself with this layout helps you navigate configuration tasks efficiently and understand how different components interact.

The main configuration file, radiusd.conf, serves as the entry point that includes other configuration files. This modular approach allows you to modify specific functionality without cluttering a single massive configuration file. The clients.conf file defines RADIUS clients—devices authorized to send authentication requests to your server.

User authentication credentials can be stored in the users file for simple deployments, though production environments typically use database backends or directory services. The mods-available and mods-enabled directories contain module configurations using a structure similar to Apache web server configuration.

Certificate files reside in /etc/raddb/certs/, which become crucial when implementing secure authentication methods like EAP-TLS. Log files typically appear in /var/log/radius/ or within the raddb directory depending on your configuration. Understanding these locations streamlines troubleshooting when issues arise.

Generating SSL/TLS Certificates

Secure authentication methods require SSL/TLS certificates for encrypted communication between RADIUS clients and the server. FreeRADIUS includes a convenient bootstrap script that generates default certificates suitable for testing and development environments.

Run the bootstrap script located in the certificates directory:

sudo /etc/raddb/certs/bootstrap

The script generates several certificate files including a Certificate Authority (CA) certificate, server certificate, and client certificates. These certificates enable secure EAP methods like EAP-TLS and PEAP-MSCHAPv2, which encrypt credential transmission over wireless networks.

For production environments, customize certificate parameters by editing ca.cnf, server.cnf, and client.cnf before running bootstrap. These configuration files allow you to specify organizational details, certificate lifespans, and cryptographic parameters. Production deployments should use certificates signed by a trusted CA rather than self-signed certificates from the bootstrap script.

Certificate security directly impacts your authentication infrastructure’s overall security posture. Protect private keys with appropriate file permissions and store them securely. Regular certificate rotation following industry best practices prevents compromise from expired or potentially compromised credentials.

Configuring RADIUS Clients

RADIUS clients represent network devices that forward authentication requests to your FreeRADIUS server. These might include wireless access points, VPN concentrators, or network switches requiring administrative authentication. Each client must be explicitly defined in the server configuration.

Edit the clients configuration file:

sudo nano /etc/raddb/clients.conf

Add a client definition block specifying the device’s IP address, a shared secret for secure communication, and a descriptive shortname:

client my_access_point {
    ipaddr = 192.168.1.100
    secret = YourStrongSecretHere123!
    shortname = office-ap-01
}

The shared secret functions as a password between the RADIUS client and server. Choose cryptographically strong secrets with mixed case letters, numbers, and special characters. Never reuse the same secret across multiple clients—unique secrets limit the impact if one client becomes compromised.

You can define clients using IP address ranges with the ipaddr parameter set to a network subnet. This approach simplifies management when dealing with multiple devices, though individual client definitions provide more granular control and audit trails.

Configuring User Authentication

User authentication defines which credentials the RADIUS server accepts and what attributes get returned upon successful authentication. For initial testing and simple deployments, the flat-file users configuration provides straightforward credential management.

Open the users file for editing:

sudo nano /etc/raddb/users

Add test user entries with the following syntax:

testuser Cleartext-Password := "SecurePassword123"
    Reply-Message = "Welcome, testuser!"

admin Cleartext-Password := "AdminPass456"
    Reply-Message = "Administrative access granted"

Each user entry begins with the username followed by authentication parameters. The := operator sets the password, while subsequent indented lines define reply attributes sent back to the client upon successful authentication. Reply-Message attributes often appear in authentication success notifications on client devices.

Production environments should avoid storing plaintext passwords in configuration files. Instead, integrate FreeRADIUS with secure credential storage systems like LDAP directories, SQL databases with hashed passwords, or enterprise Active Directory implementations. These backend integrations provide centralized credential management and enhanced security.

Default profiles defined in the users file can apply standard attributes to multiple users without repeating configuration. This approach simplifies management when many users require identical authorization attributes.

Configuring the Main Server File

The radiusd.conf file controls core server behavior including listening ports, logging levels, security parameters, and module loading. While default settings work for most installations, understanding key parameters helps optimize performance and security for your specific environment.

Edit the main configuration file:

sudo nano /etc/raddb/radiusd.conf

Key configuration sections include the server identity, thread pool settings for handling concurrent requests, and security flags that control protocol behavior. The logging section determines what information gets recorded and where log files are stored.

For initial deployments, minimal changes to default settings are typically required. The included configuration provides reasonable defaults developed through years of community refinement and real-world deployment experience. Focus modifications on security-related parameters that match your threat model and compliance requirements.

Thread pool configuration affects how many simultaneous authentication requests the server can process. Adjusting these values based on your expected authentication load improves performance and response times. However, start with defaults and tune only if monitoring reveals performance bottlenecks.

Starting and Enabling the FreeRADIUS Service

Manjaro uses systemd for service management, providing reliable process supervision and automatic restart capabilities. Starting the FreeRADIUS service activates the RADIUS server, making it ready to process authentication requests.

Start the FreeRADIUS service:

sudo systemctl start radiusd

Check the service status to confirm successful startup:

sudo systemctl status radiusd

The status output displays whether the service is active, how long it’s been running, and recent log entries. Look for “active (running)” status indicating successful startup. Any errors or warnings appear in the log excerpt, helping diagnose problems.

Enable the service to start automatically at system boot:

sudo systemctl enable radiusd

This command creates the necessary systemd links ensuring FreeRADIUS starts whenever your Manjaro system boots. Automatic startup prevents authentication service interruptions after system maintenance or unexpected reboots.

When modifying configuration files, restart the service to apply changes:

sudo systemctl restart radiusd

Systemd manages the shutdown of the running process and starts a fresh instance with updated configuration.

Testing FreeRADIUS in Debug Mode

Debug mode runs FreeRADIUS in the foreground with verbose output, displaying every action the server takes when processing requests. This visibility proves invaluable for troubleshooting configuration issues and understanding server behavior.

Stop the systemd service before launching debug mode to avoid port conflicts:

sudo systemctl stop radiusd

Launch FreeRADIUS in debug mode:

sudo radiusd -X

The server displays startup messages showing configuration file parsing, module initialization, and network socket binding. Successful startup concludes with “Ready to process requests” indicating the server is operational.

Debug output reveals exactly how FreeRADIUS processes each authentication request. When you test authentication, you’ll see the complete request packet, server decision-making process, and response packet construction. This transparency makes identifying configuration errors straightforward.

Common startup errors include configuration syntax mistakes, missing files, permission problems, or port conflicts if another process is using the RADIUS ports. Debug mode displays specific error messages pinpointing the problem’s nature and location within configuration files.

Leave debug mode running while testing authentication to observe real-time request processing. Exit debug mode by pressing Ctrl+C, then restart the systemd service for normal operation.

Verifying Installation with radtest

The radtest utility performs authentication tests by sending RADIUS Access-Request packets to your server and displaying responses. This tool validates that your FreeRADIUS installation functions correctly and user credentials authenticate properly.

Execute radtest with the following syntax:

radtest username password server_ip[:port] nas_port_number shared_secret

For testing local server installation:

radtest testuser SecurePassword123 127.0.0.1 0 testing123

Parameters specify the username and password to test, server IP address (127.0.0.1 for localhost), NAS port number (0 is standard for testing), and the shared secret from clients.conf. The shared secret must match what you configured for the localhost client definition.

Successful authentication displays an “Access-Accept” response packet:

Sending Access-Request Id 1 to 127.0.0.1:1812
    User-Name = "testuser"
    User-Password = "SecurePassword123"
    NAS-IP-Address = 192.168.1.50
rad_recv: Access-Accept packet from host 127.0.0.1:1812

Access-Reject responses indicate authentication failure. Common causes include incorrect passwords, username typos, client configuration mismatches, or user entries missing from the authentication database. Debug mode output reveals the specific reason for rejection.

Troubleshooting Common Issues

RADIUS server deployments occasionally encounter issues requiring systematic diagnosis and resolution. Understanding common problems and their solutions minimizes downtime and accelerates deployment success.

Service startup failures often stem from configuration syntax errors. Run FreeRADIUS in debug mode to identify the specific configuration file and line number causing problems. Missing semicolons, unclosed brackets, or incorrect directive names trigger parsing errors that prevent startup.

Authentication failures with “Access-Reject” responses require examining debug output to understand the server’s decision process. Shared secret mismatches between client and server configuration represent a frequent cause—secrets are case-sensitive and must match exactly. Verify client IP addresses in clients.conf match the actual source addresses in authentication requests.

Certificate errors appear when implementing secure EAP methods without properly generated certificates. Ensure the bootstrap script completed successfully and certificate files have appropriate permissions for the FreeRADIUS process to read them. Production deployments require valid certificates from trusted certificate authorities.

Port conflicts occur if another process already uses UDP ports 1812 (authentication) and 1813 (accounting). Check for running FreeRADIUS instances or other services with sudo netstat -ulnp | grep 181 and resolve conflicts by stopping conflicting services or changing port assignments.

Firewall rules blocking RADIUS traffic prevent legitimate clients from reaching your server. Configure firewall exceptions allowing UDP traffic on ports 1812 and 1813 from authorized client IP addresses. Restrict access to known client addresses rather than allowing universal access.

Security Best Practices

Security considerations must guide RADIUS server deployment since authentication infrastructure represents a high-value target for attackers. Implementing robust security measures protects your network from unauthorized access and credential theft.

Generate cryptographically strong shared secrets for each RADIUS client using at least 20 random characters. Avoid dictionary words, predictable patterns, or reusing secrets across multiple devices. Store secrets securely and limit access to authorized administrators only.

Implement secure EAP methods like EAP-TLS or PEAP-MSCHAPv2 for wireless authentication instead of less secure protocols. These methods encrypt credentials during transmission, preventing capture through wireless eavesdropping. Legacy protocols like PAP transmit passwords in cleartext and should be disabled entirely.

Enable SSL/TLS encryption for all RADIUS communication when supported by clients. The Message-Authenticator attribute provides integrity verification preventing packet manipulation attacks. Configure the require_message_authenticator = yes directive in clients.conf for enhanced security.
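The shared-secret rules above and in the "Configuring RADIUS Clients" section can be checked mechanically. The following is an added example, not part of the original tutorial or of FreeRADIUS itself: a shell function (hypothetical name audit_clients) that reads a clients.conf on standard input and reports the default testing123 secret, secrets shorter than 20 characters, secrets reused across clients, and clients without require_message_authenticator = yes. The sample configuration is constructed, and the parser assumes one name = value pair per line without trailing comments.

```shell
#!/bin/sh
# Added example: audit a clients.conf (read from stdin) for weak shared secrets.
# Usage: audit_clients [MIN_LENGTH] < /etc/raddb/clients.conf
# Prints one finding per line; exit status is 1 when anything was found.
audit_clients() {
    awk -v minlen="${1:-20}" '
    function value(line) {                 # text after the first "="
        sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
        if (line !~ /^"/) sub(/[ \t].*/, "", line)   # unquoted: one word
        gsub(/^"|"$/, "", line)
        return line
    }
    function report(kind, who) { print kind ": " who; bad++ }
    /^[ \t]*#/ { next }                                  # comment line
    /^[ \t]*client[ \t]+[^ \t{]+[ \t]*[{]/ {             # "client NAME {"
        name = $2; sub(/[{].*/, "", name)
        secret = ""; msgauth = "no"; inblock = 1; depth = 0
        next
    }
    !inblock { next }
    /^[ \t]*secret[ \t]*=/ && depth == 0 { secret = value($0); next }
    /^[ \t]*require_message_authenticator[ \t]*=/ && depth == 0 {
        msgauth = value($0); next
    }
    /[{][ \t]*$/ { depth++; next }                       # nested section
    /^[ \t]*[}]/ {
        if (depth > 0) { depth--; next }
        inblock = 0
        if (secret == "testing123") report("default-secret", name)
        else if (length(secret) < minlen) report("short-secret", name)
        if (secret in owner)
            report("reused-secret", name " (same as " owner[secret] ")")
        else owner[secret] = name
        if (msgauth != "yes") report("no-message-authenticator", name)
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample input; names, addresses and secrets are illustrative.
sample_clients_conf() {
    cat <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client my_access_point {
    ipaddr = 192.168.1.100
    secret = YourStrongSecretHere123!
    shortname = office-ap-01
    require_message_authenticator = yes
}
client office-ap-02 {
    ipaddr = 192.168.1.101
    secret = YourStrongSecretHere123!
    require_message_authenticator = yes
}
client core-switch {
    ipaddr = 192.168.1.2
    secret = "s3cret"
    require_message_authenticator = yes
}
EOF
}

# Demo on the constructed sample (findings make the exit status non-zero).
sample_clients_conf | audit_clients || echo "findings present"
```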

Implement strict firewall rules limiting RADIUS access to known client IP addresses. Never expose RADIUS ports directly to the internet without VPN or other protective measures. Use fail2ban or similar intrusion prevention systems to detect and block brute force authentication attempts.

Regular security updates maintain protection against newly discovered vulnerabilities. Monitor FreeRADIUS security announcements and apply patches promptly. The FreeRADIUS project maintains an excellent security track record, but staying current ensures maximum protection.

Audit log files regularly for suspicious authentication patterns indicating potential compromise attempts. Multiple failed authentication attempts from unexpected sources warrant investigation. Implement centralized logging for comprehensive visibility across your authentication infrastructure.
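One way to run the log audit described above, as an added example that is not part of the original tutorial: a shell function (hypothetical name failed_logins) that counts "Login incorrect" entries per RADIUS client and lists requests from unknown clients. It assumes authentication logging is switched on (auth = yes in the log section of radiusd.conf) and that entries follow the FreeRADIUS 3 radius.log layout; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise failed logins and unknown clients in radius.log.
# Usage: failed_logins [THRESHOLD] < /var/log/radius/radius.log
failed_logins() {
    awk -v thresh="${1:-5}" '
    / Auth: .*Login incorrect/ {
        # user: text after the first ": [" up to "/<" or "]"
        user = substr($0, index($0, ": [") + 3)
        sub(/\].*/, "", user); sub(/\/<.*/, "", user)
        # client: text after the last "(from client " up to " port "
        client = $0
        sub(/^.*\(from client /, "", client); sub(/ port .*$/, "", client)
        fails[client]++
        if (!((client, user) in seen)) { seen[client, user] = 1; users[client]++ }
    }
    / Error: .*from unknown client / {
        src = $0
        sub(/^.*from unknown client /, "", src); sub(/ port .*$/, "", src)
        unknown[src]++
    }
    END {
        for (c in fails) {
            if (fails[c] >= thresh)
                printf "failed-logins %s failures=%d distinct_users=%d\n", c, fails[c], users[c]
        }
        for (s in unknown) {
            printf "unknown-client %s requests=%d\n", s, unknown[s]
        }
    }' | LC_ALL=C sort
}

# Constructed sample log; client names, users and addresses are illustrative.
sample_radius_log() {
    cat <<'EOF'
Wed Mar  6 09:12:01 2024 : Auth: (3) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser/<via Auth-Type = PAP>] (from client office-ap-01 port 0 cli 02-00-00-00-00-01)
Wed Mar  6 09:12:09 2024 : Auth: (4) Login OK: [testuser/<via Auth-Type = PAP>] (from client office-ap-01 port 0 cli 02-00-00-00-00-01)
Wed Mar  6 09:14:30 2024 : Auth: (5) Login incorrect (pap: Cleartext password does not match "known good" password): [admin/<via Auth-Type = PAP>] (from client vpn-gw-01 port 0)
Wed Mar  6 09:14:31 2024 : Auth: (6) Login incorrect (pap: Cleartext password does not match "known good" password): [admin/<via Auth-Type = PAP>] (from client vpn-gw-01 port 0)
Wed Mar  6 09:14:32 2024 : Auth: (7) Login incorrect (pap: Cleartext password does not match "known good" password): [admin/<via Auth-Type = PAP>] (from client vpn-gw-01 port 0)
Wed Mar  6 09:14:33 2024 : Auth: (8) Login incorrect (pap: Cleartext password does not match "known good" password): [admin/<via Auth-Type = PAP>] (from client vpn-gw-01 port 0)
Wed Mar  6 09:14:34 2024 : Auth: (9) Login incorrect (pap: Cleartext password does not match "known good" password): [root/<via Auth-Type = PAP>] (from client vpn-gw-01 port 0)
Wed Mar  6 09:14:35 2024 : Auth: (10) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser/<via Auth-Type = PAP>] (from client vpn-gw-01 port 0)
Wed Mar  6 09:15:02 2024 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 203.0.113.7 port 40112 proto udp
Wed Mar  6 09:15:03 2024 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 203.0.113.7 port 40113 proto udp
EOF
}

# Demo on the constructed sample with the default threshold of 5 failures.
sample_radius_log | failed_logins 5
```

A single mistyped password on office-ap-01 stays below the threshold, while the burst against several accounts through vpn-gw-01 and the requests from an address with no entry in clients.conf are both reported.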

Performance Optimization Strategies

FreeRADIUS handles extremely high authentication loads efficiently when properly configured. Understanding performance tuning options helps optimize response times and resource utilization for your specific deployment scale.

Thread pool configuration controls concurrent request processing capability. The thread pool section in radiusd.conf defines parameters like max_threads, min_spare_threads, and max_spare_threads. Increase max_threads for high-volume deployments processing thousands of simultaneous authentication requests.

Optimize the users file by keeping it small and leveraging default profiles. Large flat files with thousands of entries slow authentication lookups. Consider database backends when managing more than a few hundred users for improved performance and scalability.

Backend caching reduces database query overhead when using LDAP or SQL user stores. Module-specific caching configurations temporarily store query results, eliminating redundant database lookups for frequently authenticating users. Balance cache timeout values between performance gains and credential update responsiveness.

The max_requests_per_server parameter in radiusd.conf controls request load distribution across threads. Setting this to zero allows unlimited requests per thread, improving performance in most scenarios. Adjust based on monitoring if you observe uneven load distribution.

Network optimization includes ensuring adequate bandwidth and low latency between RADIUS clients and server. Position RADIUS servers close to clients geographically in distributed environments. Monitor server resource utilization—CPU, memory, and network—to identify bottlenecks requiring hardware upgrades.

Advanced Configuration Opportunities

FreeRADIUS’s extensive feature set supports sophisticated authentication scenarios beyond basic username/password validation. Exploring advanced capabilities enables more powerful and flexible authentication policies.

LDAP integration connects FreeRADIUS to directory services for centralized user management. Configure the LDAP module to query Active Directory or OpenLDAP servers, eliminating duplicate credential storage. This approach provides single sign-on capabilities across network services.

Database backends using MySQL, PostgreSQL, or MariaDB offer scalable credential storage with powerful query capabilities. SQL integration enables complex authorization logic based on user attributes, group memberships, and dynamic policies. Database schemas accommodate custom attributes matching your specific business requirements.

RADIUS proxying forwards authentication requests to other RADIUS servers, enabling distributed authentication architectures. Proxy configurations support roaming scenarios where users authenticate against home organization servers while accessing guest networks. Load balancing across multiple backend RADIUS servers improves reliability and performance.

Policy configurations implement sophisticated authorization decisions using the unlang policy language. Policies evaluate user attributes, client properties, time of day, and other contextual factors to make dynamic access control decisions. This flexibility supports complex business rules that simple user files cannot express.

Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial for installing FreeRADIUS on your Manjaro Linux system. For additional help or useful information, we recommend you check the official FreeRADIUS website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.