Frequently Asked Questions (FAQ)
This FreeRADIUS FAQ contains both general and technical information about FreeRADIUS and common issues. The guide is divided into three sections:
Read this FAQ before posting questions to the mailing lists as your question may be answered.
FreeRADIUS Overview
FreeRADIUS is the worlds leading RADIUS server used by Internet Service Providers (ISPs), cellular providers, and corporate and educational networks. RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol used to manage network access using Authentication, Authorization and Accounting processes.
FreeRADIUS is developed by a group of people who call themselves "The FreeRADIUS Project" and is sponsored by InkBridge Networks.
What is FreeRADIUS and what is it supposed to do?
The FreeRADIUS Server is a daemon for unix and unix like operating systems which allows one to set up a radius protocol server. The RADIUS protocol manages the communication between network devices to facilitate remote user authentication and accounting practices. See Architecture for more information on RADIUS components and interactions. The RADIUS protocol serves three primary functions:
-
Authenticates users or devices before allowing them access to a network.
-
Authorizes those users or devices for specific network services.
-
Accounts for and tracks the usage of those services.
How does FreeRADIUS differ from other radius servers?
FreeRADIUS is an open-source product with all the benefits of open-source software that includes flexibility, scalibility, and cost-effectivness. FreeRADIUS has many features not found in other free and commercial versions. Some of these features are:
-
Access based on huntgroups.
-
Multiple DEFAULT entries in raddb/users file.
-
All users file entries can optionally
fall through. -
Caches all config files in-memory.
-
Supports Simultaneous-Use = X parameter to prevent double logins.
-
Supports Vendor-Specific attributes, including USR non-standard ones.
-
Supports proxying.
-
Supports the
Alivepacket. -
Exec-Program-Wait capability that allows an external program to execute after authentication and output a list of A/V pairs, which is then added to the reply.
-
Supports PAM.
Can I install FreeRADIUS on any platform?
Yes. FreeRADIUS is compatible with all known equipment and products which implement the RADIUS standards. FreeRADIUS runs on a large number of 32 and 64 bit Unix-like platforms. Where there are compatibility issues is ofent due to third-party vendors' implementation of the relevant standards.
Can I get binary packages of FreeRADIUS?
Yes. You can find it on the official FreeRADIUS site.
Can I build and install FreeRADIUS from source?
Yes. The source is available at ftp or on github. See the instructions on how to build FreeRADIUS.
Does FreeRADIUS Support IPv6?
Yes. FreeRADIUS v2 and later has full support for both IPv6 attributes and IPv6 network packets.
Can I get more information?
Yes. The official site for FreeRADIUS contains the server, documentation, and additional RADIUS programs. FreeRADIUS is supported by the InkBridge Networks team.
Please see the following for a description of the FreeRADIUS mailing lists. For normal discussion of the server and how to use it, subscribe to the FreeRADIUS user-list. Only subscribe to the development list if you are interested in writing software for the new server.
| Mailing List | Description |
|---|---|
Announcements about FreeRADIUS, including new versions and security issues, are made here. |
|
This list is for all users of FreeRADIUS and deals with general questions related to FreeRADIUS. |
|
This list is for developers who are writing code for FreeRADIUS. The content is highly technical and is not suited to the average user. If you looking to contribute code, please join this list. |
|
An archive of all previous posts and emails from the users' email list. |
|
An archive of all previous posts and emails from the developement users' email list. |
User Management
Can I disconnect a user with FreeRADIUS?
No. A user with an active session can’t be disconnected with FreeRADIUS. The RADIUS server doesn’t actively maintain the user sessions and only receives information about these sessions from the NAS. This means that you have to signal your NAS to disconnect sessions. Depending on the NAS type and it’s configuration, there are a number of ways to disconnect sessions.
Packet of disconnect
Packet of Disconnect is the standard and recommended method to disconnect users. It is supported by many newer NAS and uses a RADIUS packet (usually sent to port 3799 although some NAS use 1700 (Mikrotik for example)) to signal that a NAS should terminate an active session.
SNMP
Many NAS support SNMP which can usually (among other things) be used to disconnect users, however implimentation details vary. Read your NAS documentation to find out whether it supports this, and which MIB to use.
Radkill
The radkill tool is a TCL program written by Jason Straight for FreeRADIUS users that monitors ISP users' online times and disconnects them if they are over their call limit. It also monitors the number of users online and will disconnect the users with the least time left to always keep lines open. It’s very configurable for multiple NAS setups.
Download the radkill source archive and install the program on your server.
Can I send a message to PPP users?
Yes. RADIUS defines a Reply-Message attribute, which you can use to send text messages in a RADIUS reply packet. PPP has provisions for passing text messages back to the user.
However, Microsoft windows users can’t see PPP messages due to Microsoft’s implementation of the PPP protocol. For macs, the only dialer that shows up the server’s message is FreePPP.
Can I use Login-Time for groups instead of users?
Yes. There are several methods to manage login time for groups.
| Requirement | Method |
|---|---|
Limit logons between 08:00am and 08:00pm for the Unix group "daysonly" |
DEFAULT Group == "daysonly", Login-Time := "0800-2000" DEFAULT Group == "daysonly", Login-Time := "Any0800-2000" |
Limit logons between 08:00am and 08:00pm, from Monday to Friday for Unix group "weekdays" |
DEFAULT Group == "weekdays", Login-Time := "Wk0800-2000" |
Limit logons between 08:00am and 08:00pm, in Saturday and Sunday for Unix group "weekends" |
DEFAULT Group == "weekends", Login-Time := "Sa-Su0800-2000" |
Can I permit access to any user regardless of password?
Yes. Edit the raddb/users file with the following entry on the first line (top of the file). This entry accepts everybody on to the network.
DEFAULT Auth-Type := Accept
If you want this to apply to a single user replace DEFAULT with username. You can also add Auth-Type Accept to radcheck or radgroupcheck entries in order to accept that user/group. This only works for PAP, and does NOT work for EAP-TLS, CHAP, MSCHAP, or WIMAX authentication.
Server Configuration
Is there a way to bind FreeRADIUS to a specific IP address?
Yes. There are several ways to bind the IP address.
-
The deprecated way is to specify an IP address with the
_-i {IP}command-line option. -
The recommended way is to use the
listendirective in radiusd.conf. Multiplelistendirectives can be added to this file. listen { ipaddr = 192.168.1.250 port = 1817 type = auth } -
The third way bind_address = 192.168.1.250 port = 1817
Can I enable FreeRADIUS to log accounting attribute type X?
No. The RADIUS server only logs the messages which a NAS sends to it. If your NAS is not sending those messages or attributes, then the RADIUS server will not log them. Configure your NAS to send the information you want to the RADIUS server. Once the NAS is sending the information, the server can then log it.
Do I need to use the Attribute Operators?
Yes. All of the attribute operators such as :=, ==, +=, etc. are documented via the:
| === The update is no longer necessary. The new attribute editing is much simpler, and is more powerful. === |
Can I send multiple values for an attribute ?
Yes. use the following example to configure multiple values on an attribute.
Framed-Route := "10.130.1.252/32 0.0.0.0 5", Framed-Route += "10.130.0.252/32 0.0.0.0 10",
Check your changes with a tcpdump. See the sample output and verify your configuration.
Framed Route Attribute (22), length: 28, Value: 10.130.1.252/32 0.0.0.0 5 0x0000: 3130 2e31 3330 2e31 2e32 3532 2f33 3220 0x0010: 302e 302e 302e 3020 2035 Framed Route Attribute (22), length: 28, Value: 10.130.0.252/32 0.0.0.0 10 0x0000: 3130 2e31 3330 2e30 2e32 3532 2f33 3220 0x0010: 302e 302e 302e 3020 3130
Isn’t CHAP more secure?
No. If CHAP is implemented as the authentication protocol, a file resides on your network with cleartext passwords for all the users that log on using FreeRADIUS. This is a limitation of the CHAP protocol itself, not the RADIUS protocol. The CHAP protocol requires that you store the passwords in plain-text format.
As an administrator, decide which authentication method is required for your business needs. Some considerations are:
| Requirement | Advantage | Disadvantage |
|---|---|---|
Allow CHAP and store all the passwords plaintext |
Passwords don’t go cleartext over the phone line between the user and the terminal server. |
You have to store the passwords in cleartext on the server. |
Don’t allow CHAP, only PAP |
You don’t store cleartext passwords on your system. |
passwords going cleartext over the phone line between the user and the terminal server. |
Can I limit access to only POP3 and SMTP?
Yes. The most common approach is to just assign non-globally-routable IP addresses to those users, such as RFC 1918 addresses. Make sure you have RADIUS authorization enabled on your NAS.
Depending on your internal network configuration, you may need to set up internal routes for those addresses, and if you don’t want them to do anything besides SMTP and POP3 within your network, you’ll have to set up ACLs on your dialup interfaces allowing only ports 25 and 110 through.
User entry in raddb/users file example
Details
foo Auth-Type := System
Framed-Filter-Id += "160.in"
Framed-Filter-Id += "161.out"
Fall-Through = Yes
CISCO configuation example
aaa authorization network default radius ip access-list extended 160 permit ip ... ip access-list extended 161 permit ip ...
The access list 160 gets applied on inbound packets and 161 on outbound packets.
Can I use Privledged Access Management (PAM) with FreeRADIUS?
Yes. Retrieve the redhat/radiusd.pam file from the distribution and save it as a new file in /etc/pam.d/radiusd.
If you have 100’s to 1000’s of users in /etc/passwd, you’ll want to replace the pam_pwdb.so entries with pam_unix_auth.so, pam_unix_acct.so etc. The pam_pwdb module is slow for authenticating users from a large /etc/passwd file.
Bruno Lopes F. Cabral|mailto:bruno-at-openline-dot-com-dot-br also says:
Now I can emulate group behaviour using just PAM and some tricks, like
auth required /lib/security/pam_userdb.so crypt db=/etc/raddb/data/users auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/raddb/data/somehunt.allow onerr=fail auth required /lib/security/pam_nologin.so account required /lib/security/pam_userdb.so
and
DEFAULT Huntgroup-Name ="somehunt", Auth-Type=PAM, Pam-Auth="radhunt", Simultaneous-Use=1 Fall-Through = Yes
With this method, I have NO users on /etc/password and NO need for lots of lines on /etc/raddb/users. time to search for a db enabled pam_listfile module
Is the RADIUS server broken after an upgrade?
No. After upgrading to FreeRADIUS, some users are unable to fully use the network, but their access worked with the previous RADIUS server you were using.
The NAS doesn’t know which RADIUS server you use, and it doesn’t care. The entire problem is that the responses to the NAS from the servers are different. Since FreeRADIUS only sends the attributes in a response that you’ve configured, your local configuration of FreeRADIUS is incomplete after the upgrade.
Use tcpdump to snoop the RADIUS responses from each server. Once you discover which attributes are missing from the response of FreeRADIUS, you can add them to it’s configuration. Re-start the server, and your users should have full access to the network again.