How To Install FreeRADIUS on Rocky Linux 9

FreeRADIUS plays a vital role in managing AAA (Authentication, Authorization, and Accounting) services for network access control. Whether supporting enterprise Wi-Fi connections or authenticating VPN logins, FreeRADIUS stands among the most popular open-source RADIUS server solutions. Its robustness, scalability, and flexibility make it a top choice for both small businesses and large organizations. Rocky Linux 9, celebrated for its stability and enterprise-readiness, forms an exceptional platform to run FreeRADIUS with peace of mind. This guide provides a step-by-step approach for installing and configuring FreeRADIUS on Rocky Linux 9. The detailed instructions aim to bridge knowledge gaps and offer clarity, making the server deployment process simpler and more transparent.

RADIUS serves as a critical component when dealing with centralized authentication and authorization services. Over time, it has proven especially beneficial in environments requiring standardization and security for user management. Using FreeRADIUS on Rocky Linux 9 assures access to updates and long-term enhancements, which is essential for preserving robust security and high performance. System administrators often prefer open-source solutions because they enable customization and support from thriving online communities. This tutorial addresses everything from system prerequisites to advanced configurations, ensuring a strong foundation for any organization’s authentication infrastructure.

Introduction

FreeRADIUS is an open-source RADIUS server intended for handling authentication, authorization, and accounting workloads. Highly regarded in networking circles, it helps enterprises centralize credentials for users and devices. By implementing FreeRADIUS on Rocky Linux 9, administrators can manage network security more easily, allowing multi-layered authentication methods such as 802.1X, VPN, and LDAP-based authentication.

Rocky Linux 9, a community-driven alternative to CentOS, inherits a strong focus on support and reliability. This environment provides a stable base for services like FreeRADIUS, ensuring minimal downtime and robust data protection. Compatibility with SELinux and the Rocky Linux security features further boosts the reliability of your AAA deployment. Following the instructions below, those new to FreeRADIUS or system administration can create a flexible and secure authentication server in a relatively straightforward way.

Prerequisites

Before installing FreeRADIUS, ensure that all relevant prerequisites are met to avoid configuration obstacles:

  • A server or virtual machine running Rocky Linux 9 with proper network access.
  • Sudo or root-level privileges to make system-wide changes.
  • A basic understanding of the Linux command line, including file editing and service management.
  • Sufficient disk space and memory to handle RADIUS operations, especially if hosting a large user database.
  • Optional but recommended: a fully qualified domain name (FQDN) for production environments.

System Preparation

Preparing the system helps ensure a smooth experience during and after installation. To begin, update the existing package repositories to the latest versions. Keeping packages current enhances security and stability:

sudo dnf update -y

Next, configure crucial settings like hostname if you have not done so already. Setting a descriptive hostname aids in identifying the server easily:

sudo hostnamectl set-hostname radius-server.example.com

Although optional, synchronizing the system clock with an NTP server helps maintain consistent logs and accurate timestamps. This step can be accomplished by installing and configuring Chrony:

sudo dnf install chrony -y
sudo systemctl enable --now chronyd

Additionally, check your network settings to guarantee that the server can communicate with client devices and any external database servers if you plan on using MySQL or LDAP at a later stage. Ensuring your firewall allows inbound traffic on the required UDP ports (1812 for Authentication, 1813 for Accounting by default) will also be essential for future steps.

Installation Process

After configuring your Rocky Linux 9 environment, proceed with installing FreeRADIUS and its related packages. The official repositories provide a straightforward way to get started. To install FreeRADIUS using the default dnf package manager:

sudo dnf install freeradius freeradius-utils -y

This command typically installs the server software, various modules, and utilities. Some distributions split functionalities into separate packages, so it is good practice to confirm which components you truly need. For instance, if you require MySQL or LDAP support, ensure you install the relevant packages:

sudo dnf install freeradius-mysql freeradius-ldap -y

Once installed, enable and start the FreeRADIUS service:

sudo systemctl enable radiusd
sudo systemctl start radiusd

Verify that the service is running:

systemctl status radiusd

If it shows “active (running),” you have successfully installed FreeRADIUS on your Rocky Linux 9 server. If it isn’t running, the logs in /var/log/messages, /var/log/radius/, or the output from journalctl -u radiusd can provide clues. At this preliminary stage, you have a functional RADIUS server, but additional steps to configure client settings, security policies, and authentication methods are strongly advised.

Basic Configuration

The next step is configuring basic settings to ensure secure and correct operation. By default, configuration files are located in /etc/raddb. Understanding these directories is vital for effectively managing your server.

Understanding the Directory Structure

Within /etc/raddb, you will find files like radiusd.conf, clients.conf, and subdirectories such as mods-available, mods-enabled, and sites-available. The radiusd.conf file contains global configurations, while modules or virtual hosts are enabled by linking them from the “available” directories to the “enabled” directories. This approach is similar to how many web servers handle site configurations.

Configuring Clients

In clients.conf, define the IP addresses or network ranges for devices that will request authentication from the RADIUS server. For each client, specify a secret shared between the client and the server:

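client switch-01 {
    # Address of the network device (NAS) allowed to send requests
    ipaddr = 192.168.10.5
    # Shared secret; must match the value configured on the device
    secret = VerySecretKey
    # "no" accepts requests that lack a Message-Authenticator attribute;
    # "yes" makes the server drop them
    require_message_authenticator = no
}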

Replace switch-01 and the IP address with meaningful values to match your environment. Using a random and strong secret is recommended to enhance security.

Editing the Users File

The users file in /etc/raddb/ holds user accounts mapped to various authentication methods. To create a user named “testuser” with the password “testpassword,” add an entry similar to the following:

testuser Cleartext-Password := "testpassword"

This setup belongs to the simplest scenario where credentials are stored in a flat file. Later sections will explain how to connect FreeRADIUS to more robust storage solutions like MySQL or LDAP directories.

Basic Security Settings

While it might be convenient to keep minimal configurations for testing, remember to use strong passwords and secrets from the very beginning. Additionally, ensure SELinux policies are respected. If SELinux blocks your RADIUS traffic, you may check or modify contexts using semanage and restorecon as appropriate. A well-defined firewall policy restricting RADIUS protocols to only known clients further strengthens security.

Advanced Configuration

While local file-based authentication works for smaller deployments, enterprises often need more advanced configurations involving external databases or directory services. FreeRADIUS supports multiple backends, allowing large-scale user management.

Using MySQL or MariaDB

MySQL or MariaDB is frequently used for storing user profiles, group assignments, and accounting data. After installing the freeradius-mysql module, create a dedicated database and user for FreeRADIUS:

CREATE DATABASE radius_db;
CREATE USER 'radius_user'@'localhost' IDENTIFIED BY 'StrongPassword123';
GRANT ALL PRIVILEGES ON radius_db.* TO 'radius_user'@'localhost';
FLUSH PRIVILEGES;

Next, import the standard schema files provided by FreeRADIUS. Typically, these files reside in /etc/raddb/mods-config/sql/main/mysql/schema.sql or a similarly named location. Then configure sql.conf with the database connection details, and enable sql in mods-enabled.

Integrating LDAP

Organizations using Active Directory or OpenLDAP for centralized user management may prefer LDAP integration. After installing freeradius-ldap, define the LDAP server details in mods-available/ldap, specify base DNs, and set the correct bind credentials. Next, enable the module by linking from mods-available to mods-enabled and referencing it in sites-enabled/default.

Configuring TLS Certificates

For EAP (Extensible Authentication Protocol) methods like PEAP or EAP-TLS, you will need valid TLS certificates. Default self-signed certificates exist in /etc/raddb/certs, but for production use, generate or procure valid certificates from a certificate authority. Update eap.conf to point to the new certificates and keys for improved trust and security.

Security Hardening

Maintaining strong security is paramount for a RADIUS server, as it typically handles highly sensitive credentials. Several measures reduce risks and increase defense-in-depth.

  • Strong Secrets and Passwords: Make sure all RADIUS client secrets and database credentials are random and complex.
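  • Firewall Configuration: Limit RADIUS traffic to authorized subnets or specific client IP addresses using firewall-cmd. The commands below open the two RADIUS ports; note that on their own they admit traffic from every source in the active zone, so restricting by source address requires rich rules or a dedicated zone instead:
    sudo firewall-cmd --add-port=1812/udp --permanent
    sudo firewall-cmd --add-port=1813/udp --permanent
    sudo firewall-cmd --reload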
  • SELinux Policies: If SELinux is enabled, audit deny logs in /var/log/audit/audit.log and adjust contexts or policies to allow legitimate RADIUS transactions.
  • Account Lockouts: Consider implementing account lockout methods or intrusion detection tools to protect against brute-force attacks.
  • Frequent Updates: Regularly update Rocky Linux 9 and FreeRADIUS to patch known vulnerabilities and ensure stable performance.

A well-hardened system guards not only user credentials but also crucial corporate resources. Small misconfigurations or weak password policies may lead to intrusions and data breaches. Regularly review logs, configuration files, and security advisories to catch potential threats early.
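
The advice on strong client secrets and on limiting RADIUS traffic to known clients can be checked against clients.conf itself. The following is an added example, not part of the original tutorial or of FreeRADIUS: it parses client blocks, flags weak settings, and builds source-restricted firewalld rich rules. It assumes flat client blocks with an IPv4 ipaddr, and the 16-character minimum is an assumed threshold.

```python
import re

# Constructed sample in clients.conf syntax; names, addresses and secrets are made up.
SAMPLE = """
client switch-01 {
    ipaddr = 192.168.10.5
    secret = VerySecretKey
    require_message_authenticator = no
}
client wlc-01 {
    ipaddr = 192.168.20.0/24
    secret = q7Jx2mVd9sKfR4tZpL8wYc3NhB6uEa1G
    require_message_authenticator = yes
}
"""

KNOWN_WEAK = {"testing123", "VerySecretKey"}  # secrets printed in this tutorial

def parse_clients(text):
    """Return {client_name: {key: value}} for each flat 'client NAME { ... }' block."""
    clients = {}
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        clients[name] = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
    return clients

def audit(clients, min_len=16):  # min_len is an assumed policy value
    """Flag published or short secrets and clients that explicitly waive Message-Authenticator."""
    findings = []
    for name, cfg in clients.items():
        secret = cfg.get("secret", "")
        if secret in KNOWN_WEAK or len(secret) < min_len:
            findings.append((name, "weak secret"))
        if cfg.get("require_message_authenticator") == "no":
            findings.append((name, "Message-Authenticator not required"))
    return findings

def firewall_rules(clients, ports=(1812, 1813)):
    """Rich rules that admit RADIUS only from the configured client addresses."""
    tmpl = ("sudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" "
            "source address=\"{src}\" port port=\"{port}\" protocol=\"udp\" accept'")
    return [tmpl.format(src=cfg["ipaddr"], port=port)
            for cfg in clients.values() if "ipaddr" in cfg for port in ports]

if __name__ == "__main__":
    parsed = parse_clients(SAMPLE)
    print(audit(parsed), *firewall_rules(parsed), sep="\n")
```

The generated rules only restrict access if ports 1812/udp and 1813/udp are not also opened for the whole zone with --add-port.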

Testing and Verification

Once the initial configuration is complete, verifying that the server works correctly is a logical next step. The radtest utility is an excellent tool for testing authentication. For example:

radtest testuser testpassword 127.0.0.1 0 testing123

Replace testuser, testpassword, and the secret testing123 with actual credentials defined in your configuration. If the result shows “Access-Accept,” the basic authentication flow works.

When troubleshooting errors, consult logs in /var/log/radius/radius.log or use debug mode:

sudo systemctl stop radiusd
sudo radiusd -X

In debug mode, FreeRADIUS runs in the foreground, printing detailed output about each request. Check for any indication of misconfiguration, missing modules, or database connectivity problems, then adjust accordingly. This thorough verification ensures a stable baseline before exploring advanced or large-scale deployments.

Integration Examples

A RADIUS server’s versatility makes it applicable to many different network services. Below are a few common integration scenarios highlighting how FreeRADIUS can serve as a robust authentication platform.

Network Device Integration

Switches, routers, and wireless controllers often natively support RADIUS for AAA. After configuring the device’s RADIUS settings, provide the server IP address and matching secret. Set the device to forward authentication and accounting requests to the FreeRADIUS instance. This central management method is useful for large campus networks.

Wireless Authentication (WPA2-Enterprise)

When configuring enterprise-grade Wi-Fi encryption (WPA2-Enterprise), a FreeRADIUS server authenticates users via 802.1X. APs forward EAP requests to FreeRADIUS, which checks credentials in user files, databases, or LDAP, then grants or denies access automatically. This process ensures that unauthorized devices cannot join the network.

VPN Server Integration

Many VPN products, such as OpenVPN or IPsec-based solutions, let you define a RADIUS server for user authentication. By routing VPN login requests to FreeRADIUS, organizations maintain a single, central identity store covering both on-site and remote access. This consistent approach simplifies user provisioning and auditing.

Maintenance and Monitoring

After achieving a stable configuration, regular maintenance and monitoring keep the service running smoothly. Perform the following tasks consistently:

  • Apply Updates: Use sudo dnf update on a schedule to protect against new vulnerabilities. This also ensures module compatibility in the broader Rocky Linux ecosystem.
  • Log Monitoring: Keep an eye on the FreeRADIUS logs at /var/log/radius/ for any suspicious activity or recurring errors.
  • Performance Tuning: If the server handles high volumes of traffic, consider tuning threadpool settings in radiusd.conf or optimizing SQL queries. A caching setup may improve speed and reduce load.
  • Backups: Regularly back up both configuration files and backend databases. Overlooking backups can result in significant data loss if hardware fails or a misconfiguration corrupts files.

An organized maintenance strategy prevents small issues from escalating. For instance, ignoring log warnings about authentication errors could be a sign of a brute-force attack. Routine checks keep your organization’s AAA infrastructure reliable and alert administrators to emerging threats or user issues.
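
One way to turn the log-monitoring advice into a check for repeated authentication failures is shown here. This is an added example, not part of the original tutorial: the sample lines are constructed and modelled on radius.log entries written when auth = yes is set in the log section of radiusd.conf, and the threshold of 3 is an assumption. Verify the line format against your own logs before relying on the pattern.

```python
import re
from collections import Counter

# Constructed sample modelled on radius.log auth lines; users, clients and times are made up.
_BAD = ('Mon Jan  6 10:15:0{n} 2025 : Auth: ({n}) Login incorrect (pap: Cleartext password '
        'does not match "known good" password): [{user}/<via Auth-Type = PAP>] '
        '(from client {client} port 0)')
SAMPLE_LOG = "\n".join(
    [_BAD.format(n=n, user="testuser", client="switch-01") for n in range(1, 5)]
    + ["Mon Jan  6 10:15:06 2025 : Auth: (5) Login OK: [alice/<via Auth-Type = PAP>] "
       "(from client wlc-01 port 0)",
       _BAD.format(n=7, user="bob", client="wlc-01")]
)

# Captures the user name (text before "/") and the client short name.
FAILED = re.compile(r"Auth: \(\d+\)\s+Login incorrect.*?: \[(?P<user>[^/\]]+)[^\]]*\] "
                    r"\(from client (?P<client>\S+)")

def failed_logins(log_text):
    """Count rejected authentications per (user, client) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m["user"], m["client"])] += 1
    return counts

def over_threshold(counts, threshold=3):
    """Return (user, client, failures) entries at or above the threshold, worst first."""
    hits = [(u, c, n) for (u, c), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for user, client, n in over_threshold(failed_logins(SAMPLE_LOG)):
        print(f"{n} failed logins for {user} via {client}")
```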

Troubleshooting Guide

Common Error Messages

Error messages like “Cannot find a config item” or “Module not found” usually mean a missing or disabled module in mods-enabled. Ensure it is symlinked properly from mods-available and that dependencies are installed.

Debug Mode

Running FreeRADIUS in debug mode (radiusd -X) prints verbose logs that clarify the authentication process. This approach is recommended for diagnosing complex login failures or module loading errors.

Log Analysis

Inspect the logs in /var/log/radius/ or use journalctl -u radiusd to locate error details. Typically, the logs highlight incorrect secrets, invalid certificates, or references to non-existent users.

Resolution Steps

Once the cause is identified, re-check your clients.conf, user definitions, or SQL/LDAP credentials. Reload or restart the FreeRADIUS service to test if the fix resolves the issue:

sudo systemctl restart radiusd

Congratulations! You have successfully installed FreeRADIUS. Thanks for using this tutorial to install FreeRADIUS on your Rocky Linux 9 system. For additional information, we recommend you check the official FreeRADIUS website.

r00t