How to Set Up a Radius Server on pfSense Using the FreeRadius2 Package
In this hub I'm going to walk through the process of setting up a radius server on pfSense.
Radius provides a central source of authentication for various network devices and services. Some common uses for radius authentication are VPNs, captive portals, switches, routers, and firewalls.
Central authentication is much easier to manage than keeping track of various local accounts across separate devices on a network.
Why use pfSense as a radius server?
PfSense makes a great host for a radius server since the service doesn't require much system resources. The service can easily handle authentication for several hundred clients without impacting performance.
With the appropriate hardware it can easily be scaled to support thousands of clients. In fact pfSense even allows radius to run on a dedicated network interface.
If you're already running pfSense on your network there is really no need to build a separate server just for Radius.
Installing the Package
The pfSense 2.X package manager includes both FreeRadius and FreeRadius2 as installation options. For this example I'm going to be using FreeRadius2 since it has some additional features not found in the previous version.
Only one version of radius can be installed on pfSense at one time. If you previously installed any radius packages go ahead and remove them first.
The package installation will briefly interrupt traffic passing through the router as the service starts so be careful when running the installation on a production system.
- Open the package manager in the system menu of the web interface.
- Click the plus symbol next to FreeRadius2 to begin the installation.
- Click 'Ok' to confirm the package installation.
The setup process will automatically download and install the radius package along with all of it's dependencies. The installation normally takes a couple of minutes to complete.
After it's finished there will be a new menu item for the package in the services menu.
Configuring an Interface
The first thing you'll need to do is specify one or more interfaces for the radius server to listen on. The configuration settings for FreeRadius can be found under the services menu.
In most cases you will want to bind the service to the LAN interface.
- Click on the interfaces tab of the settings page.
- Click on the plus symbol icon to add a new interface.
- Enter the LAN IP address in the Interface IP address field.
- Click save
The rest of the settings can remain at the default settings.
The next step in configuring the authentication server is to add client entries. Each device that will use the radius server for authentication will need to have a client entry configured in the settings.
- Click on the NAS / Clients tab.
- Enter the IP address of the device where authentication requests will come from in the client IP field.
- Enter a secure password in the client shared secret field. This will need to be entered on the client device as well.
Under the miscellaneous configuration section you should choose a client type from the dropdown box. If none of the types listed are suitable you can select other.
Creating User Accounts
The final step is to create user accounts. To create the accounts go to the users tab in the package settings and click the plus symbol to open the new user creation page.
There are only two required fields on this page, the username and password. All of the other settings are optional and apply mostly to captive portal users.
At this point the radius server should now be up and running and ready to accept incoming requests for authentication. You can now begin pointing devices to the server.
Devices will need to be configured with the following items.
- The LAN IP address of the pfSense system, or whichever interface you chose to bind the radius server to.
- The radius key you assigned on the clients tab.
- The auth port should be set to 1812, or the port you assigned on the interfaces tab.
Checking the service status
The first thing you should do if you're having problems is make sure the radius service is running.
If it's not running try to start it by clicking on the play icon next to radiusd.
If the service doesn't seem to start go ahead and reinstall the package to resolve the issue.
You shouldn't lose any of the configuration when you reinstall but make sure everything looks right after it comes back up.
I've noticed that sometimes client configs disappeared when I performed a reinstallation.
Check the logs
The system logs may provide a clue to why a problem is occurring. To view the logs click on system logs in the status menu.
On the system tab enter "root: freeRADIUS" without the quotes in the box at the bottom , then click filter. This will show the startup and shutdown log messages for the service.
Authentication success and failure messages are not visible in the system logs, in order to view them you need to configure a remote syslog server.
Radius Syslog Messages
Testing the Service With Radtest
The radius package includes a utility called Radtest which can be used to test the service to determine if it is working correctly.
Radtest is handy because it allows you to determine if authentication is working before you reconfigure any devices on the network.
Steps for running the test
- Add an interface with the IP address of 127.0.0.1.
- Set the interface type to 'Auth' , use the default port (1812).
- Add a client/NAS with the IP of 127.0.0.1 and the shared secret 'test'.
- Create a test user account on the users tab.
- Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
- Run the command below, replacing <username> , and <password> with the credentials you assigned.
radtest <username> <password> 127.0.0.1:1812 0 test
If the test is successful you should see the message "rad_recv: Access-Accept".
Great Ways to Use Your New Radius Server
After you start using central radius authentication you won't ever want to go back to local user accounts. Below I've created a list of some great ways to take advantage of your new radius server.
- Captive Portal Authentication - Set up a wireless hotspot for your home or business and use radius as the source of authentication for the captive portal.
- Remote Access VPN - Configure pfSense to act as a VPN server and use centralized authentication for the user accounts.
- Network Switches - Instead of using local user accounts point the managed switches to pfSense.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
© 2012 Sam Kear