How To Install FreeRADIUS on Rocky Linux 10
Network authentication has become increasingly critical in today’s security landscape. Organizations need robust, centralized authentication systems that can handle diverse network infrastructure requirements while maintaining enterprise-grade security standards. FreeRADIUS stands as the world’s most widely deployed RADIUS server, providing comprehensive authentication, authorization, and accounting (AAA) services for millions of users globally.
This comprehensive guide walks you through installing and configuring FreeRADIUS on Rocky Linux 10. You’ll learn everything from initial system preparation to advanced configuration options, ensuring your RADIUS server meets enterprise security requirements. Whether you’re deploying wireless authentication, VPN access control, or network switch management, this tutorial provides the foundation for a robust authentication infrastructure.
Rocky Linux 10 is a good platform for a FreeRADIUS deployment. Its enterprise-grade stability, long-term support, and compatibility with the Red Hat Enterprise Linux ecosystem make it an ideal choice for mission-critical authentication services. The combination delivers the reliability, security, and performance that enterprise environments demand.
Prerequisites and System Requirements
System Requirements
Before beginning the FreeRADIUS installation process, ensure your Rocky Linux 10 system meets these minimum requirements:
- CPU: Dual-core processor (2.0 GHz minimum)
- RAM: 2 GB minimum (4 GB recommended for production)
- Storage: 20 GB available disk space
- Network: Stable network connectivity with proper DNS resolution
- Architecture: x86_64 or aarch64 supported architectures
Required Knowledge and Skills
Success with this installation requires familiarity with several key areas:
- Basic Linux command-line operations and file system navigation
- Understanding of networking concepts including IP addressing, subnets, and port configurations
- Knowledge of system administration tasks such as service management and user permissions
- Basic understanding of authentication protocols and network security principles
Pre-installation Checklist
Complete these essential preparation steps:
- Verify root or sudo access to the target system
- Confirm network connectivity and DNS resolution
- Review existing firewall configurations and security policies
- Ensure system time synchronization is properly configured
- Create backup copies of any existing network authentication configurations
- Document current network infrastructure and authentication requirements
System Preparation
Updating the System
Begin with a complete system update to ensure all packages are current and security patches are applied:
sudo dnf update -y
sudo dnf upgrade -y
If kernel updates were installed, reboot the system to ensure the new kernel is active:
sudo reboot
After reboot, verify the system is running the latest kernel:
uname -r
Essential Package Installation
Install development tools and essential dependencies required for FreeRADIUS compilation and operation:
sudo dnf groupinstall "Development Tools" -y
sudo dnf install wget curl vim net-tools -y
Enable the EPEL (Extra Packages for Enterprise Linux) repository to access additional packages:
sudo dnf install epel-release -y
Enable the Code Ready Builder (CRB) repository for development packages:
sudo dnf config-manager --set-enabled crb
Network and Security Configuration
Configure firewall rules to allow RADIUS traffic on the standard ports:
sudo firewall-cmd --permanent --add-port=1812/udp
sudo firewall-cmd --permanent --add-port=1813/udp
sudo firewall-cmd --reload
Verify the firewall rules are active:
sudo firewall-cmd --list-ports
Configure SELinux to allow FreeRADIUS operations. First, check the current SELinux status:
sestatus
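If SELinux is enforcing, the following command sets a boolean that stops radiusd from transitioning into its confined SELinux domain, so the daemon runs without policy confinement rather than with a narrower exception. The boolean comes from older policy releases; where the installed policy does not define it, setsebool reports an error and the packaged FreeRADIUS policy stays in effect: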
sudo setsebool -P radiusd_disable_trans 1
Time Synchronization Setup
Accurate timekeeping is crucial for RADIUS authentication. Install and configure chrony for time synchronization:
sudo dnf install chrony -y
sudo systemctl enable chronyd
sudo systemctl start chronyd
Verify time synchronization status:
chronyc sources -v
FreeRADIUS Installation Methods
Method 1: Installation from Default Rocky Linux Repositories
The simplest installation method uses Rocky Linux’s default package repositories:
sudo dnf install freeradius freeradius-utils -y
This method provides stable, tested packages that integrate well with Rocky Linux’s package management system. However, the versions may not be the latest available upstream releases.
Method 2: Network RADIUS Repository Installation
For access to the latest FreeRADIUS versions, add the Network RADIUS repository:
curl -o /tmp/networkradius-release.rpm https://packages.networkradius.com/releases/networkradius-release-latest.rpm
sudo rpm -Uvh /tmp/networkradius-release.rpm
Import the GPG signing key:
sudo rpm --import https://packages.networkradius.com/pgp/packages@networkradius.com
Install FreeRADIUS from the Network RADIUS repository:
sudo dnf install freeradius freeradius-utils -y
Essential and Optional Package Selection
Install core FreeRADIUS packages and commonly needed modules:
# Core packages
sudo dnf install freeradius freeradius-utils freeradius-doc -y
# Database support modules
sudo dnf install freeradius-mysql freeradius-postgresql freeradius-sqlite -y
# Additional authentication modules
sudo dnf install freeradius-ldap freeradius-krb5 -y
# REST API and JSON support
sudo dnf install freeradius-rest freeradius-json -y
Verify the installation by checking the FreeRADIUS version:
radiusd -v
Initial FreeRADIUS Configuration
Understanding FreeRADIUS Directory Structure
FreeRADIUS stores its configuration files in /etc/raddb/. Understanding this structure is essential for effective administration:
- radiusd.conf: Main server configuration file controlling global settings
- clients.conf: Network Access Server (NAS) client definitions and shared secrets
- users: Local user authentication database for file-based authentication
- proxy.conf: Proxy server and realm configuration for distributed authentication
- mods-available/: Available modules that can be enabled
- mods-enabled/: Symbolically linked enabled modules
- sites-available/: Virtual server configurations
- sites-enabled/: Active virtual server configurations
Basic Server Configuration
Edit the main configuration file to set basic server parameters:
sudo cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.backup
sudo vim /etc/raddb/radiusd.conf
Key configuration parameters to review:
# Set the user and group for the daemon
user = radiusd
group = radiusd
# Configure logging detail level
log_destination = files
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = yes
    auth_goodpass = no
}
# Set maximum request time
max_request_time = 30
# Configure cleanup delay
cleanup_delay = 5
Client Configuration Setup
Configure Network Access Server clients in /etc/raddb/clients.conf:
sudo cp /etc/raddb/clients.conf /etc/raddb/clients.conf.backup
sudo vim /etc/raddb/clients.conf
Add client definitions for your network infrastructure:
# Example wireless access point
client wireless-ap-01 {
    ipaddr = 192.168.1.10
    secret = YourStrongSharedSecret123
    require_message_authenticator = yes
    nas_type = other
}
# Example network switch
client switch-core-01 {
    ipaddr = 192.168.1.20
    secret = AnotherStrongSecret456
    shortname = core-switch
    nas_type = ethernet
}
# Loopback client for local testing
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
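A quick audit of the client definitions above, as an added example (not part of the original tutorial or of FreeRADIUS): it parses flat client blocks and flags the test secret, short secrets, secrets reused between clients, and clients that do not require Message-Authenticator. The 16-character threshold, the finding names and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the three client blocks from the text above.
SAMPLE_CLIENTS_CONF = """
client wireless-ap-01 {
    ipaddr = 192.168.1.10
    secret = YourStrongSharedSecret123
    require_message_authenticator = yes
    nas_type = other
}
client switch-core-01 {
    ipaddr = 192.168.1.20
    secret = AnotherStrongSecret456
    shortname = core-switch
    nas_type = ethernet
}
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
"""

DEFAULT_SECRETS = {"testing123"}   # the test secret used on this page
MIN_SECRET_LENGTH = 16             # assumption: local policy value, not a FreeRADIUS setting

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.+?)\s*$", re.M)


def parse_clients(text):
    """Return {client name: {item: value}}. Handles flat client blocks only."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)   # drop whole-line comments
    return {name: {k: v.strip("\"'") for k, v in ITEM_RE.findall(body)}
            for name, body in CLIENT_RE.findall(text)}


def audit_clients(text):
    """Return {client name: [finding, ...]} for clients with at least one finding."""
    report, first_owner = {}, {}
    for name, cfg in parse_clients(text).items():
        findings = []
        secret = cfg.get("secret", "")
        if secret in DEFAULT_SECRETS:
            findings.append("default-secret")
        if len(secret) < MIN_SECRET_LENGTH:
            findings.append("short-secret")
        if secret and secret in first_owner:
            findings.append("secret-shared-with:" + first_owner[secret])
        first_owner.setdefault(secret, name)
        # Anything other than an explicit "yes" is reported.
        if cfg.get("require_message_authenticator", "").lower() != "yes":
            findings.append("message-authenticator-not-required")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for client, findings in audit_clients(SAMPLE_CLIENTS_CONF).items():
        print(client, findings)
```

To audit a live server, pass the contents of /etc/raddb/clients.conf to audit_clients() instead of the sample string.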
User Authentication Configuration
Configure local users in /etc/raddb/users for initial testing:
sudo cp /etc/raddb/users /etc/raddb/users.backup
sudo vim /etc/raddb/users
Add test users with different authentication methods:
# Reply attributes must be indented; an unindented line starts a new user entry
# Basic cleartext password authentication
testuser Cleartext-Password := "password123"
        Reply-Message := "Welcome to the network"
# User with VLAN assignment
employee1 Cleartext-Password := "emp123"
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "100"
# User with IP address assignment
contractor1 Cleartext-Password := "contractor456"
        Framed-IP-Address := 192.168.100.50,
        Framed-IP-Netmask := 255.255.255.0
Service Management and Testing
FreeRADIUS Service Control
Enable and start the FreeRADIUS service using systemd:
sudo systemctl enable radiusd
sudo systemctl start radiusd
Check the service status to ensure it’s running properly:
sudo systemctl status radiusd
Monitor the service logs for any startup issues:
sudo journalctl -u radiusd -f
Initial Testing Procedures
Test FreeRADIUS configuration syntax before starting the service:
sudo radiusd -C
Run FreeRADIUS in debug mode to troubleshoot configuration issues:
sudo systemctl stop radiusd
sudo radiusd -X
The debug mode provides detailed output showing configuration loading, module initialization, and request processing. Press Ctrl+C to exit debug mode.
Authentication Testing Examples
Test local authentication using the radtest utility:
# Test basic authentication
radtest testuser password123 localhost 1812 testing123
# Test with verbose output
radtest -x employee1 emp123 127.0.0.1 1812 testing123
Successful authentication returns an Access-Accept packet:
Sent Access-Request Id 123 from 0.0.0.0:12345 to 127.0.0.1:1812 length 73
User-Name = "testuser"
User-Password = "password123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "password123"
Received Access-Accept Id 123 from 127.0.0.1:1812 to 0.0.0.0:12345 length 32
Reply-Message = "Welcome to the network"
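What the shared secret contributes to the Access-Request shown above, as an added example (not code from the original tutorial or from FreeRADIUS): it hides User-Password with an MD5-derived keystream (RFC 2865, section 5.2) and keys the HMAC-MD5 Message-Authenticator that require_message_authenticator = yes enforces. The fixed authenticator, the packet contents and all function names are constructed for this example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def _keystream_xor(data, secret, authenticator, decrypt):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result   # always chain on the ciphertext
    return out

def hide_password(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    return _keystream_xor(password.ljust(size, b"\x00"), secret, authenticator, False)

def reveal_password(hidden, secret, authenticator):
    return _keystream_xor(hidden, secret, authenticator, True).rstrip(b"\x00")

def _attr(code, value):
    return bytes([code, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request with Message-Authenticator as the first attribute."""
    attrs = (_attr(MESSAGE_AUTHENTICATOR, bytes(16))
             + _attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()   # over the zeroed field
    return packet[:22] + mac + packet[38:]

def parse_attrs(packet):
    """Return [(code, value offset, value)] for every attribute in the packet."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((code, pos + 2, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def verify_message_authenticator(packet, secret):
    """The check a server applies when Message-Authenticator is required."""
    for code, offset, value in parse_attrs(packet):
        if code == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False   # attribute missing: treat as a failure

# Constructed inputs; a real client uses 16 random authenticator bytes per request.
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(b"testuser", b"password123", b"testing123", 123, AUTHENTICATOR)

if __name__ == "__main__":
    print("matching secret:", verify_message_authenticator(PACKET, b"testing123"))
    print("mismatched secret:", verify_message_authenticator(PACKET, b"Testing123"))
```

With a mismatched secret the integrity check fails and the recovered password is garbage, which is what a NAS configured with the wrong secret looks like from the server side.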
Performance and Connection Monitoring
Monitor active RADIUS sessions and server statistics:
# Check server statistics
radmin -e "stats"
# Show connected clients
radmin -e "stats client"
# Display detailed module statistics
radmin -e "stats detail"
Set up log rotation to manage disk space:
sudo vim /etc/logrotate.d/radiusd
Configure log rotation parameters:
/var/log/radius/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 640 radiusd radiusd
    postrotate
        /bin/kill -HUP `cat /var/run/radiusd/radiusd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Advanced Configuration Options
Database Integration Setup
For scalable user management, integrate FreeRADIUS with MariaDB or MySQL. First, install and configure the database:
sudo dnf install mariadb-server -y
sudo systemctl enable mariadb
sudo systemctl start mariadb
sudo mysql_secure_installation
Create the RADIUS database and user:
CREATE DATABASE radius;
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radiuspassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost';
FLUSH PRIVILEGES;
Import the FreeRADIUS database schema:
mysql -u radius -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Configure the SQL module by editing /etc/raddb/mods-available/sql:
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"
    radius_db = "radius"
    read_groups = yes
    read_profiles = yes
    pool {
        start = 5
        min = 3
        max = 32
        spare = 10
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
Enable the SQL module:
sudo ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
LDAP and Active Directory Integration
For enterprise environments, integrate FreeRADIUS with existing LDAP or Active Directory infrastructure:
sudo dnf install freeradius-ldap -y
Configure the LDAP module in /etc/raddb/mods-available/ldap. As written, the example connects over plain LDAP on port 389, so the bind password and the user lookups cross the network unencrypted unless TLS (StartTLS or LDAPS) is configured for the connection:
ldap {
    server = 'ldap.example.com'
    port = 389
    identity = 'cn=radiususer,dc=example,dc=com'
    password = 'ldappassword'
    base_dn = 'dc=example,dc=com'
    user {
        base_dn = "ou=users,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = 'sub'
    }
    group {
        base_dn = "ou=groups,${..base_dn}"
        filter = '(objectClass=groupOfNames)'
        scope = 'sub'
        membership_attribute = 'member'
    }
    profile_attribute = "radiusProfileDn"
    pool {
        start = 3
        min = 3
        max = 10
        spare = 3
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
Virtual Server Configuration
Create custom virtual servers for different authentication scenarios. Copy the default virtual server:
sudo cp /etc/raddb/sites-available/default /etc/raddb/sites-available/wireless
sudo vim /etc/raddb/sites-available/wireless
Configure the wireless virtual server for 802.1X authentication:
server wireless {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    listen {
        type = acct
        ipaddr = *
        port = 1813
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        sql
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
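Enable the virtual server. Its listen sections use the same address and ports as the default site, and two listeners cannot bind the same socket, so remove the sites-enabled/default link or give one of the sites different ports before restarting radiusd: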
sudo ln -s /etc/raddb/sites-available/wireless /etc/raddb/sites-enabled/
Advanced Authentication Methods
Configure EAP (Extensible Authentication Protocol) for secure wireless authentication. Edit /etc/raddb/mods-available/eap:
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        cipher_list = "HIGH"
        cipher_server_preference = yes
        tls_min_version = "1.2"
        tls_max_version = "1.3"
    }
    peap {
        tls = tls-common
        default_method = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    ttls {
        tls = tls-common
        default_method = "pap"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}
Security Hardening and Best Practices
Security Configuration Essentials
Implement robust security measures to protect your RADIUS infrastructure:
Generate strong shared secrets using a secure random generator:
openssl rand -base64 32
Configure certificate-based authentication for EAP-TLS. Generate server certificates:
cd /etc/raddb/certs
sudo make
Customize certificate parameters by editing /etc/raddb/certs/server.cnf before generation.
Monitoring and Logging Setup
Configure comprehensive logging for security monitoring and troubleshooting:
sudo vim /etc/raddb/radiusd.conf
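Enable detailed logging. With auth_badpass and auth_goodpass set to yes, the passwords submitted in failed and successful logins are written to radius.log in clear text, so restrict who can read the log and set these options to no where that exposure is not acceptable:
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
    msg_goodpass = "Login successful for user %{User-Name}"
    msg_badpass = "Login failed for user %{User-Name}: %{reply:Reply-Message}"
}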
Set up log monitoring with fail2ban to detect brute force attacks:
sudo dnf install fail2ban -y
sudo vim /etc/fail2ban/jail.local
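Configure fail2ban for RADIUS. The filter = radiusd line refers to a filter definition at /etc/fail2ban/filter.d/radiusd.conf, which must exist with a failregex matching the failed-login lines in radius.log for the jail to start: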
[radiusd]
enabled = true
port = 1812,1813
protocol = udp
filter = radiusd
logpath = /var/log/radius/radius.log
maxretry = 5
bantime = 3600
findtime = 600
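The same thresholds (maxretry = 5, findtime = 600) applied directly to radius.log, as an added example that is not part of the original tutorial. RADIUS requests reach the server from the NAS address, so a ban keyed on the packet source blocks the whole access point or switch; this sketch shows the difference between counting failures per NAS client, per user and per calling station (the cli field). The log lines are constructed, and the field layout assumed is the "Auth:" line format written when auth = yes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one station tries five accounts in five minutes while
# another user mistypes a password twice, all through the same access point.
SPRAY, LAPTOP = "AA-BB-CC-00-11-22", "11-22-33-44-55-66"
BAD = "Login incorrect (mschap: MS-CHAP2-Response is incorrect)"
ROWS = [("09:00:01", BAD, "alice", SPRAY), ("09:01:10", BAD, "bob", SPRAY),
        ("09:02:15", BAD, "carol", SPRAY), ("09:02:40", BAD, "frank", LAPTOP),
        ("09:02:55", BAD, "frank", LAPTOP), ("09:03:05", "Login OK", "frank", LAPTOP),
        ("09:03:30", BAD, "dave", SPRAY), ("09:04:45", BAD, "erin", SPRAY),
        ("09:30:00", BAD, "alice", SPRAY)]
SAMPLE_LOG = [
    f"Mon Mar 10 {t} 2025 : Auth: ({i}) {res}: [{user}/<via Auth-Type = eap>] "
    f"(from client wireless-ap-01 port 12 cli {cli})"
    for i, (t, res, user, cli) in enumerate(ROWS)]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: (?:\(\d+\)\s+)?"
    r"(?P<result>Login OK|Login incorrect)[^\[]*\[(?P<user>[^/\]]*)[^\]]*\] "
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<cli>[^\s)]+))?")


def parse_auth_lines(lines):
    """Turn Auth: lines into dicts with ts, result, user, client and cli."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
            events.append(ev)
    return events


def find_bursts(events, key, maxretry=5, findtime=600):
    """Return {key value: peak count} where failures reach maxretry within findtime seconds."""
    windows, peaks = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Login incorrect" or not ev[key]:
            continue
        win = windows[ev[key]]
        win.append(ev["ts"])
        while (ev["ts"] - win[0]).total_seconds() > findtime:
            win.popleft()                      # slide the window forward
        if len(win) >= maxretry:
            peaks[ev[key]] = max(peaks.get(ev[key], 0), len(win))
    return peaks


if __name__ == "__main__":
    events = parse_auth_lines(SAMPLE_LOG)
    for key in ("cli", "user", "client"):
        print(key, find_bursts(events, key))
```

On the sample, only the calling-station view isolates the offending device: no single user crosses the threshold, and the per-client view implicates the access point that every legitimate user also depends on.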
Backup and Recovery Procedures
Implement regular backup procedures for RADIUS configurations:
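#!/bin/bash
# RADIUS backup script
umask 077   # archives contain shared secrets, private keys and credentials
BACKUP_DIR="/backup/radius/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# Backup configuration files
tar -czf "$BACKUP_DIR/raddb-config.tar.gz" /etc/raddb/
# Backup database (if using SQL)
# No -p here: under cron there is no terminal for a password prompt, so the
# password is read from the [client] section of the invoking user's ~/.my.cnf
mysqldump -u radius radius > "$BACKUP_DIR/radius-db.sql"
# Backup certificates
tar -czf "$BACKUP_DIR/radius-certs.tar.gz" /etc/raddb/certs/
echo "RADIUS backup completed: $BACKUP_DIR"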
Schedule automated backups using cron:
sudo crontab -e
Add the backup schedule:
# Daily RADIUS backup at 2 AM
0 2 * * * /usr/local/bin/radius-backup.sh
Troubleshooting Common Issues
Installation and Startup Problems
Issue: Package dependency conflicts during installation
Solution: Clean the DNF cache and retry installation:
sudo dnf clean all
sudo dnf makecache
sudo dnf install freeradius freeradius-utils -y
Issue: FreeRADIUS fails to start due to permission errors
Solution: Check file ownership and permissions:
sudo chown -R radiusd:radiusd /etc/raddb/
sudo chmod 640 /etc/raddb/clients.conf
sudo chmod 640 /etc/raddb/users
Issue: Port binding failures on startup
Solution: Check for conflicting services and ensure firewall allows traffic:
sudo netstat -tulnp | grep :1812
sudo firewall-cmd --list-ports
Authentication and Authorization Issues
Issue: Shared secret mismatches causing authentication failures
Solution: Verify client configuration matches server settings:
# Test with debug mode
sudo radiusd -X
# Check client configuration
sudo grep -A 5 "client.*{" /etc/raddb/clients.conf
Issue: Database connectivity problems with SQL backend
Solution: Test database connection and verify credentials:
mysql -u radius -p -h localhost radius
# Run: SELECT VERSION();
Issue: LDAP authentication timeouts
Solution: Test LDAP connectivity and adjust timeout values:
ldapsearch -x -H ldap://ldap.example.com -D "cn=radiususer,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=testuser)"
Performance and Connectivity Problems
Issue: High memory usage under load
Solution: Optimize memory settings in radiusd.conf:
max_requests = 1024
max_request_time = 30
cleanup_delay = 5
Issue: Slow authentication response times
Solution: Enable connection pooling and adjust pool settings:
pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    retry_delay = 30
    idle_timeout = 60
}
Integration with Network Infrastructure
Network Equipment Configuration
Configure network switches for 802.1X authentication with FreeRADIUS:
Cisco Switch Configuration Example:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server FREERADIUS
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key YourStrongSharedSecret123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication periodic
 authentication timer restart 300
 dot1x pae authenticator
Wireless Access Point Configuration:
Most enterprise wireless controllers support RADIUS authentication through their web interfaces. Configure these settings:
- RADIUS server IP: Your FreeRADIUS server IP
- Authentication port: 1812
- Accounting port: 1813
- Shared secret: Match your clients.conf configuration
- Authentication method: WPA2-Enterprise or WPA3-Enterprise
Common Integration Scenarios
Enterprise Wi-Fi Deployment: Configure PEAP-MSCHAPv2 for seamless Windows domain integration:
# /etc/raddb/sites-available/inner-tunnel
authorize {
    filter_username
    chap
    mschap
    suffix
    ntdomain
    files
    ldap
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
}
VPN Authentication Setup: Configure FreeRADIUS for OpenVPN or IPSec VPN authentication by adding the VPN server as a RADIUS client and configuring appropriate authentication policies.
Maintenance and Monitoring
Regular Maintenance Tasks
Establish a maintenance schedule that includes:
Weekly Tasks:
- Review authentication logs for anomalies
- Check system resource utilization
- Verify backup completion and integrity
- Update fail2ban rules if needed
Monthly Tasks:
- Apply security updates to Rocky Linux and FreeRADIUS
- Rotate log files and clean old backups
- Review and update shared secrets
- Audit user accounts and permissions
Quarterly Tasks:
- Perform full configuration backup verification
- Review and update certificate expiration dates
- Conduct security audit and penetration testing
- Update documentation and procedures
Monitoring Tools and Techniques
Implement comprehensive monitoring using built-in FreeRADIUS features and external tools:
Built-in Statistics:
# Real-time statistics monitoring
radmin -e "stats server"
radmin -e "stats client"
radmin -e "stats home_server"
Custom Monitoring Script:
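#!/bin/bash
# Check FreeRADIUS health
LOG=/var/log/radius/radius.log
STATUS=$(systemctl is-active radiusd)
if [ "$STATUS" != "active" ]; then
    echo "CRITICAL: FreeRADIUS service is down"
    exit 2
fi
# Check authentication success rate
# With "auth = yes", radius.log records each result as "Login OK" or "Login incorrect"
ACCEPT_AUTH=$(grep -c "Login OK" "$LOG" 2>/dev/null)
REJECT_AUTH=$(grep -c "Login incorrect" "$LOG" 2>/dev/null)
TOTAL_AUTH=$(( ${ACCEPT_AUTH:-0} + ${REJECT_AUTH:-0} ))
# Avoid dividing by zero when nothing has been logged yet
if [ "$TOTAL_AUTH" -eq 0 ]; then
    echo "OK: FreeRADIUS running, no authentication attempts logged"
    exit 0
fi
SUCCESS_RATE=$(echo "scale=2; ${ACCEPT_AUTH:-0} * 100 / $TOTAL_AUTH" | bc)
echo "OK: FreeRADIUS running, Success rate: $SUCCESS_RATE%"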
Capacity Planning and Scaling
Monitor key performance indicators to plan for growth:
- Concurrent authentication requests per second
- Average response time for authentication
- Memory and CPU utilization patterns
- Database connection pool usage
- Network bandwidth utilization
Plan scaling strategies based on usage patterns:
- Horizontal scaling with RADIUS proxy configurations
- Database optimization and read replicas
- Load balancing between multiple RADIUS servers
- Caching strategies for frequently accessed data
Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial for installing FreeRADIUS on your Rocky Linux 10 system. For additional or useful information, we recommend you check the official FreeRADIUS website.