Installing and Upgrading

This page describes how to perform the first install of FreeRADIUS. It assumes a basic knowledge of Unix system administration. No RADIUS knowledge is required.

Where possible, while learning the basics, it’s recommended that beginners use the packaging system that is used by your operating system. The version that is supplied by your OS might be out of date, but ususally works "out of the box". The only exception to this is if your operating system supplies an older major version, as you will then be learning an obsolete configuration. See install from packages for a more current version.

Once you have learnt how FreeRADIUS works, it is then highly recommended to move to the latest released stable version before moving into production.

If you need to install it yourself, the [building from source] page contains detailed instructions for a number of platforms.

Otherwise, we assume that you can install the server via something like yum install freeradius, or apt-get install freeradius.

When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:

This step demonstrates that the server is installed and configured properly. If the output says Ready to process requests, then the installation was successful.

Otherwise, typical errors include Address already in use, which means that there is another RADIUS server already running. You will need to find that one and stop it before running the server in debugging mode.

The output from radiusd -X is very verbose, see the debugging page for an explanation of the debug output.

Once your server is up and running, test basic authentication. Testing authentication is simple. Edit the users file (in v3 this has been moved to raddb/mods-config/files/authorize), and add the following line of text at the top of the file, before anything else:

Start the server in debugging mode (radiusd -X), and run radtest from another terminal window:

You should see the server respond with an Access-Accept. If it doesn’t, the debug log will show why. In version 2, you can paste the output into the [debug form](http://networkradius.com/freeradius-debugging/), and a colorized HTML version will be produced. In version 3, the output will already be colorized in the terminal. Look for red or yellow text, and read the relevant messages. They should describe exactly what went wrong, and how to fix the problem.

If you do see an Access-Accept, then congratulations, the following authentication methods now work for the testing user:

The next step is to add more users, and to configure databases. Those steps are outside of the scope of this short web page, but the general method to use is important, and is outlined in the next section.

After a successful authentication, add a client, and verify that packets are successfully sent and received. When we discuss clients, we mean clients of the RADIUS server, e.g. wireless access point, network switch or other form of NAS. NOT the network clients - such as laptops, tablets etc - they do not talk directly to the RADIUS server.

The above test runs radtest from localhost. It is useful to add a new client, which can be done by editing the clients.conf file. Add the following content:

You should change the IP address 192.0.2.1 to be the address of the client which will be sending Access-Request packets.

The client should also be configured to talk to the RADIUS server, by using the IP address of the machine running the RADIUS server. The client must use the same secret as configured above in the client section.

Then restart the server in debugging mode, and run a simple test using the testing user. You should see an Access-Accept in the server output

The following steps outline the best known method for configuring the server. Following them lets you create complex configurations with a minimum of effort. Failure to follow them leads to days of frustration and wasted effort.