How To Install FreeRADIUS on openSUSE

Network authentication has become increasingly critical in today’s enterprise environments. FreeRADIUS stands as the world’s most widely deployed RADIUS server, offering robust authentication, authorization, and accounting (AAA) services. This comprehensive guide will walk you through installing and configuring FreeRADIUS on openSUSE, providing you with a secure and scalable network authentication solution.

FreeRADIUS excels in managing network access for wireless access points, VPNs, and network devices. Its open-source nature, combined with openSUSE’s stability and security features, creates an ideal platform for enterprise-grade authentication services. Whether you’re a system administrator implementing centralized authentication or a network engineer securing wireless infrastructure, this guide provides the essential knowledge to deploy FreeRADIUS successfully.

The installation process involves several critical steps: system preparation, package installation, configuration management, and security implementation. Each phase requires careful attention to detail to ensure optimal performance and security. By following this guide, you’ll establish a foundation for scalable network authentication that can grow with your organization’s needs.

System Requirements and Prerequisites

Hardware Requirements

FreeRADIUS operates efficiently on modest hardware specifications. A minimum of 2GB RAM and 20GB disk space suffices for small to medium deployments. However, production environments handling thousands of concurrent authentications require more substantial resources. CPU performance directly impacts authentication throughput, particularly when using encryption-heavy protocols like EAP-TLS.

Consider network bandwidth requirements carefully. RADIUS traffic itself is minimal, but certificate exchanges and accounting data can accumulate quickly. Plan for redundancy and load distribution in high-availability scenarios.

Software Dependencies

openSUSE provides excellent package management through zypper, making FreeRADIUS installation straightforward. The core packages include freeradius-server and freeradius-server-utils. Additional modules extend functionality for specific authentication methods, database backends, and integration scenarios.

Ensure your openSUSE installation includes development tools if you plan to compile additional modules. The base repository typically contains all necessary components for standard deployments.

Network Configuration Considerations

RADIUS operates on UDP ports 1812 (authentication) and 1813 (accounting). Plan your network topology to accommodate these requirements. Firewall rules must permit traffic between RADIUS clients and servers. Consider implementing network segmentation to isolate authentication traffic from general network communications.

Time synchronization proves critical for RADIUS operations. Ensure NTP configuration maintains accurate time across all network devices. Authentication failures often result from time skew between clients and servers.

Security Planning

Develop a comprehensive security strategy before implementation. Strong shared secrets between clients and servers form the foundation of RADIUS security. Certificate management becomes crucial when implementing EAP-based authentication methods.

Plan for regular security audits and updates. FreeRADIUS security depends heavily on proper configuration and ongoing maintenance. Document all security decisions for future reference and compliance requirements.

Preparing the openSUSE System

System Update and Package Management

Begin with a complete system update to ensure compatibility and security. Execute the following commands to refresh package repositories and update installed software:

sudo zypper refresh
sudo zypper update

This process updates the package database and installs any pending security updates. Reboot the system if kernel updates were applied. A clean, updated system provides the best foundation for FreeRADIUS installation.

Verify repository configuration includes the main openSUSE repositories. Additional repositories may be necessary for specific FreeRADIUS modules or database backends.

Repository Configuration

openSUSE’s default repositories contain FreeRADIUS packages suitable for most implementations. However, verify repository availability and package versions before proceeding:

zypper search freeradius

This command displays available FreeRADIUS packages and their versions. Ensure the freeradius-server package appears in the search results.

User Permissions and Security Setup

Create dedicated user accounts for FreeRADIUS management. Avoid using root for routine operations. The radiusd daemon typically runs under its own user account for security isolation.

Configure sudo access for administrative tasks:

sudo visudo

Add appropriate permissions for FreeRADIUS management tasks. Limit access to essential commands and file operations.

Initial Firewall Configuration

Configure the openSUSE firewall to permit RADIUS traffic. Use YaST or command-line tools to open necessary ports:

sudo firewall-cmd --permanent --add-port=1812/udp
sudo firewall-cmd --permanent --add-port=1813/udp
sudo firewall-cmd --reload

These commands permanently open RADIUS authentication and accounting ports. Verify the changes with:

sudo firewall-cmd --list-ports

Time synchronization setup ensures accurate timestamps for authentication logging and certificate validation. Configure NTP if not already enabled:

sudo systemctl enable ntpd
sudo systemctl start ntpd

Installing FreeRADIUS on openSUSE

Package Installation Using Zypper

Install FreeRADIUS using openSUSE’s package manager. The primary installation command installs the server and essential utilities:

sudo zypper install freeradius-server freeradius-server-utils

This command installs the core FreeRADIUS server and administrative tools. The package manager automatically resolves dependencies and downloads required components.

Additional modules enhance FreeRADIUS functionality:

sudo zypper install freeradius-server-mysql freeradius-server-postgresql freeradius-server-ldap

These optional packages provide database and directory service integration capabilities.

Alternative Installation Methods

YaST provides a graphical interface for package installation. Launch YaST and navigate to Software Management. Search for “freeradius” and select appropriate packages. This method offers an intuitive interface for users preferring graphical tools.

Building from source provides maximum flexibility but requires additional development tools. The FreeRADIUS Wiki provides comprehensive build instructions. Source compilation enables custom module integration and optimization for specific environments.

Verifying Installation Success

Verify package installation using RPM queries:

rpm -qa | grep freeradius

This command lists all installed FreeRADIUS packages. Confirm the presence of freeradius-server and freeradius-server-utils.

Check service availability:

systemctl status radiusd

The service should appear as “loaded” but not yet active. This confirms successful package installation and service configuration.

Initial File Structure Overview

FreeRADIUS installs configuration files in /etc/raddb/. Key directories include:

  • /etc/raddb/ – Main configuration directory
  • /etc/raddb/mods-available/ – Available modules
  • /etc/raddb/mods-enabled/ – Active modules
  • /etc/raddb/sites-available/ – Virtual server configurations
  • /etc/raddb/sites-enabled/ – Active virtual servers

Understanding this structure facilitates efficient configuration management. Default file permissions restrict access to sensitive configuration data.

Basic FreeRADIUS Configuration

Main Configuration File (radiusd.conf)

The primary configuration file /etc/raddb/radiusd.conf controls server behavior. Edit this file to configure basic server settings:

sudo nano /etc/raddb/radiusd.conf

Key configuration parameters include:

  • prefix = /usr – Installation directory
  • localstatedir = /var – Variable data directory
  • logdir = ${localstatedir}/log/radius – Log file location
  • run_dir = ${localstatedir}/run/radiusd – Runtime file directory

Review security settings carefully. The default configuration provides reasonable security for testing but requires hardening for production use.

Client Configuration Setup

Configure RADIUS clients in /etc/raddb/clients.conf. Each client requires a unique entry with appropriate shared secrets:

sudo nano /etc/raddb/clients.conf

Add client configurations:

client wireless-controller {
    ipaddr = 192.168.1.100
    secret = YourStrongSharedSecret
    shortname = wlc
    nastype = cisco
}

Replace IP addresses and secrets with appropriate values for your environment. Strong shared secrets prevent unauthorized access to your RADIUS server.

User Database Configuration

Configure user authentication in /etc/raddb/mods-config/files/authorize. This file contains user credentials and authorization attributes:

sudo nano /etc/raddb/mods-config/files/authorize

Add user entries:

testuser Cleartext-Password := "testpassword"
    Reply-Message = "Welcome to the network"

This simple configuration provides basic username/password authentication. Production environments typically integrate with databases or directory services for scalable user management.

Authentication Methods Configuration

FreeRADIUS supports multiple authentication protocols including PAP, CHAP, and EAP. Configure authentication modules in the mods-enabled directory. Enable required modules by creating symbolic links:

sudo ln -s /etc/raddb/mods-available/pap /etc/raddb/mods-enabled/
sudo ln -s /etc/raddb/mods-available/chap /etc/raddb/mods-enabled/

Each authentication method provides different security characteristics. PAP transmits the password itself, protected in the RADIUS packet only by hiding the User-Password attribute with an MD5 keystream derived from the shared secret, while CHAP and EAP offer enhanced security features.

Configure authorization policies to control user access. The default configuration provides basic authorization suitable for testing environments.

Certificate Management and Security

Creating Test Certificates

FreeRADIUS includes scripts for generating test certificates. Navigate to the certificates directory and execute the bootstrap script:

cd /etc/raddb/certs
sudo ./bootstrap

This script creates a complete certificate infrastructure for testing. The generated certificates enable EAP-TLS authentication testing but should not be used in production environments.

Production Certificate Deployment

Production deployments require proper certificates from trusted certificate authorities. Create certificate signing requests (CSRs) using OpenSSL:

openssl req -new -keyout server.key -out server.csr

Submit the CSR to your certificate authority and install the resulting certificates in the appropriate directories. Update FreeRADIUS configuration to reference production certificates.

SSL/TLS Configuration

Configure SSL/TLS parameters in the EAP module configuration. Strong cipher suites enhance security while maintaining compatibility:

sudo nano /etc/raddb/mods-available/eap

Update TLS configuration:

tls-config tls-common {
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.pem
    ca_file = ${cadir}/ca.pem
    cipher_list = "HIGH:!SSLv2:!SSLv3:!TLSv1"
}

This configuration enforces strong encryption while disabling vulnerable protocols.

Security Best Practices

Implement comprehensive security measures throughout your FreeRADIUS deployment. Use strong, unique shared secrets for each client. Rotate secrets regularly according to your security policy.

Restrict file permissions on configuration files:

sudo chmod 640 /etc/raddb/clients.conf
sudo chown root:radiusd /etc/raddb/clients.conf

These commands limit access to sensitive configuration data while permitting necessary daemon access.

Regular security auditing identifies potential vulnerabilities. Review logs for unusual authentication patterns or failed access attempts. Implement intrusion detection systems to monitor RADIUS traffic.
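One way to run the log review described above, as an added example that is not part of the original guide: a Python scan of radius.log for bursts of failed logins per user and client. The sample lines are constructed, the line format assumes FreeRADIUS 3.x with auth = yes in the log section of radiusd.conf, and the threshold and window are illustrative values.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed radius.log lines in the FreeRADIUS 3.x "Auth:" format
# (written when "auth = yes" is set in the log section of radiusd.conf).
SAMPLE_LOG = """\
Mon Mar  4 09:15:02 2024 : Auth: (11) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser] (from client wlc port 0)
Mon Mar  4 09:15:05 2024 : Auth: (12) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser] (from client wlc port 0)
Mon Mar  4 09:15:09 2024 : Auth: (13) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser] (from client wlc port 0)
Mon Mar  4 09:16:30 2024 : Auth: (14) Login OK: [alice] (from client wlc port 0)
Mon Mar  4 09:40:00 2024 : Auth: (15) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [wronguser] (from client wireless-subnet port 0)
Mon Mar  4 10:05:00 2024 : Auth: (16) Login incorrect (pap: Cleartext password does not match "known good" password): [alice] (from client wlc port 0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"(?P<status>Login OK|Login incorrect)[^\[]*"
    r"\[(?P<user>[^\]/]*)[^\]]*\] \(from client (?P<client>\S+) "
)


def failed_logins(log_text):
    """Yield (timestamp, user, client) for every rejected authentication."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["status"] == "Login incorrect":
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["client"]


def detect_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return sorted (user, client, count) with >= threshold failures in window."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, client in failed_logins(log_text):
        q = recent[(user, client)]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(user, client)] = max(alerts.get((user, client), 0), len(q))
    return sorted((u, c, n) for (u, c), n in alerts.items())


def failures_by_client(log_text):
    """Total rejects per RADIUS client, useful for spotting a noisy NAS."""
    return dict(Counter(client for _, _, client in failed_logins(log_text)))


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
    print(failures_by_client(SAMPLE_LOG))
```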

Starting and Testing FreeRADIUS

Starting FreeRADIUS in Debug Mode

Initial testing requires debug mode to identify configuration issues. Start FreeRADIUS in debug mode:

sudo radiusd -X

This command starts the server in foreground mode with detailed logging. Monitor the output for error messages or warnings. Successful startup displays “Ready to process requests”.

Debug mode reveals configuration problems immediately. Address any errors before proceeding to service mode operation.

System Service Configuration

Configure FreeRADIUS as a system service for automatic startup. Enable the service:

sudo systemctl enable radiusd

Start the service:

sudo systemctl start radiusd

Verify service status:

sudo systemctl status radiusd

The service should display “active (running)” status. Service mode provides better performance and reliability than debug mode.

Authentication Testing

Test authentication using the radtest utility. This command-line tool simulates RADIUS client authentication:

radtest testuser testpassword 127.0.0.1 0 testing123

This command tests authentication for user “testuser” with password “testpassword” against the local server using shared secret “testing123”. Successful authentication returns an Access-Accept packet.

Test various authentication scenarios:

radtest wronguser testpassword 127.0.0.1 0 testing123
radtest testuser wrongpassword 127.0.0.1 0 testing123

These tests verify proper handling of authentication failures. Failed authentication should return Access-Reject packets.

Troubleshooting Common Issues

Common startup problems include port conflicts and permission issues. The error “Address already in use” indicates another process is using RADIUS ports. Identify conflicting processes:

sudo ss -tulpn | grep :1812

Stop conflicting services or configure FreeRADIUS to use alternative ports.

Permission errors prevent access to configuration files or certificates. Verify file ownership and permissions match FreeRADIUS requirements. The radiusd user must read configuration files and certificates.

Network connectivity issues prevent client-server communication. Use tcpdump to capture RADIUS traffic:

sudo tcpdump -i any port 1812

This command captures authentication traffic for analysis. Verify packets flow between clients and servers.

Advanced Configuration and Integration

Database Integration (MySQL/PostgreSQL)

Enterprise environments benefit from database-backed user storage. Configure MySQL integration by installing the appropriate module:

sudo zypper install freeradius-server-mysql

Create a MySQL database for RADIUS data:

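CREATE DATABASE radius;
-- Create the account first; GRANT ... IDENTIFIED BY was removed in MySQL 8.0
CREATE USER 'radiususer'@'localhost' IDENTIFIED BY 'radiuspassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radiususer'@'localhost';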

Import the FreeRADIUS schema:

mysql -u radiususer -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql

Configure the SQL module in /etc/raddb/mods-available/sql. Update database connection parameters and enable the module.

LDAP Authentication Setup

LDAP integration provides centralized user management for enterprise environments. Configure LDAP authentication by editing the LDAP module:

sudo nano /etc/raddb/mods-available/ldap

Update LDAP server settings:

ldap {
    server = "ldap.example.com"
    port = 389
    identity = "cn=radiusbind,ou=services,dc=example,dc=com"
    password = "bindpassword"
    base_dn = "ou=users,dc=example,dc=com"
}

Enable LDAP authentication in the default site configuration. LDAP provides scalable user management and integrates with existing directory services.

Multiple Client Management

Large deployments require efficient client management. Organize clients logically in the clients.conf file. Use meaningful shortnames and document client purposes.

Consider client grouping for policy application:

client subnet-wireless {
    ipaddr = 192.168.100.0/24
    secret = wireless-shared-secret
    shortname = wireless-subnet
}

This configuration applies the same settings to an entire subnet, simplifying management.
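An audit of clients.conf that follows this guide's advice on strong, unique shared secrets, added here as an example and not part of the original guide. It parses client blocks like the ones in Client Configuration Setup and the subnet entry above, then flags default, short or reused secrets and secrets that cover a whole address range. The sample file, the 16-character minimum and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample in clients.conf syntax; every name and secret is illustrative.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client wireless-controller {
    ipaddr = 192.168.1.100
    secret = f3Qz8LwN2vX7cK1pR9tY4bH6
    shortname = wlc
}
client subnet-wireless {
    ipaddr = 192.168.100.0/24   # one secret for the whole subnet
    secret = wireless-shared-secret
    shortname = wireless-subnet
}
client branch-switch {
    ipaddr = 10.20.0.5
    secret = wireless-shared-secret
}
"""

KNOWN_DEFAULTS = {"testing123"}   # the secret radtest is given in this guide
MIN_SECRET_LEN = 16               # assumed local policy, not a FreeRADIUS limit

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)\}", re.S | re.M)
ITEM_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*(?:#.*)?$", re.M)


def parse_clients(text):
    """Return {client_name: {key: value}} for flat client blocks."""
    return {
        name: {k: v.strip('"') for k, v in ITEM_RE.findall(body)}
        for name, body in CLIENT_RE.findall(text)
    }


def audit(clients):
    """Return a sorted list of (client, finding) tuples."""
    findings, by_secret = [], {}
    for name, cfg in clients.items():
        secret = cfg.get("secret", "")
        by_secret.setdefault(secret, []).append(name)
        if secret in KNOWN_DEFAULTS:
            findings.append((name, "default secret"))
        elif len(secret) < MIN_SECRET_LEN:   # length is only a rough proxy
            findings.append((name, "short secret"))
        net = ipaddress.ip_network(cfg.get("ipaddr", "0.0.0.0/0"), strict=False)
        if net.num_addresses > 1:
            findings.append((name, f"secret shared by {net.num_addresses} addresses"))
    for names in by_secret.values():
        if len(names) > 1:
            findings.extend((n, "secret reused by another client") for n in names)
    return sorted(findings)


if __name__ == "__main__":
    for client, finding in audit(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{client}: {finding}")
```

A subnet-wide client is convenient to manage, but every device in that range then holds the same secret, so replacing it after one device is lost or decommissioned means touching all of them.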

Load Balancing and High Availability

High-availability deployments require multiple FreeRADIUS servers. Configure clients to use multiple RADIUS servers for redundancy. Implement load balancing using proxy RADIUS configurations.

Create proxy configurations for distributed authentication:

realm example.com {
    type = radius
    authhost = radius1.example.com:1812
    accthost = radius1.example.com:1813
    secret = proxy-secret
}

This configuration forwards authentication requests to specified servers, enabling geographic distribution and load sharing.

Maintenance and Monitoring

Log Management and Analysis

FreeRADIUS generates comprehensive logs for security auditing and troubleshooting. Configure log rotation to manage disk space:

sudo nano /etc/logrotate.d/radiusd

Add rotation configuration:

/var/log/radius/*.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    create 640 radiusd radiusd
}

This configuration rotates logs weekly, keeping 52 weeks of history.

Performance Monitoring

Monitor FreeRADIUS performance using built-in statistics. Enable status monitoring in the sites-enabled/status configuration. Query server statistics:

echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | radclient -x 127.0.0.1:18121 status testing123

This command retrieves server performance statistics. Monitor authentication rates, response times, and error counts.

Regular Maintenance Tasks

Implement routine maintenance procedures to ensure optimal performance. Update certificates before expiration. Review user accounts and remove inactive users. Update client configurations as network infrastructure changes.

Database maintenance becomes critical for SQL-backed deployments. Implement regular backup procedures and optimize database performance.

Backup and Recovery Procedures

Develop comprehensive backup strategies covering configuration files, certificates, and databases. Critical files include:

  • /etc/raddb/ – Complete configuration directory
  • Certificate files and private keys
  • Database contents (for SQL deployments)

Test recovery procedures regularly to ensure business continuity. Document recovery steps for operational teams.

Troubleshooting Common Issues

Installation Problems

Package dependency issues occasionally prevent successful installation. Resolve them by letting the solver propose a solution, and review the listed package changes before confirming:

sudo zypper install --force-resolution freeradius-server

Repository configuration problems may prevent package access. Verify repository URLs and refresh package databases.

Configuration Errors

Syntax errors in configuration files prevent server startup. Use the debug mode to identify configuration problems:

sudo radiusd -CX

This command checks configuration syntax without starting the server. Address all reported errors before attempting startup.

Authentication Failures

Authentication failures often result from configuration mismatches. Common causes include:

  • Incorrect shared secrets between clients and servers
  • User database configuration errors
  • Certificate validation problems
  • Time synchronization issues

Use debug mode to trace authentication requests and identify failure points.

Network Connectivity Issues

Network problems prevent client-server communication. Verify firewall configurations permit RADIUS traffic. Test connectivity using telnet or netcat:

nc -u radius-server 1812

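This command sends UDP datagrams to the RADIUS server. Because UDP is connectionless, nc gives no confirmation of delivery; confirm that the packets arrive by running tcpdump on the server.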

Performance Problems

Performance issues may result from inadequate hardware, inefficient configurations, or database bottlenecks. Monitor system resources during authentication peaks. Consider hardware upgrades or configuration optimization for high-load environments.

Database query optimization significantly impacts SQL-backed deployments. Implement appropriate indexes and tune database parameters for RADIUS workloads.

Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial for installing FreeRADIUS on your openSUSE Linux system. For additional or useful information, we recommend you check the official FreeRADIUS website.

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.