Sam works as a Network Analyst for an algorithmic trading firm. He obtained his bachelor's degree in Information Technology from UMKC.
In this hub I'm going to walk through the process of setting up a radius server on pfSense.
Radius provides a central source of authentication for various network devices and services. Some common uses for radius authentication are VPNs, captive portals, switches, routers, and firewalls.
Central authentication is much easier to manage than keeping track of various local accounts across separate devices on a network.
Why use pfSense as a radius server?
PfSense makes a great host for a radius server since the service doesn't require many system resources. The service can easily handle authentication for several hundred clients without impacting performance.
With the appropriate hardware it can easily be scaled to support thousands of clients. In fact, pfSense even allows radius to run on a dedicated network interface.
If you're already running pfSense on your network there is really no need to build a separate server just for Radius.
Installing the Package
The pfSense 2.X package manager includes both FreeRadius and FreeRadius2 as installation options. For this example I'm going to be using FreeRadius2 since it has some additional features not found in the previous version.
Only one version of radius can be installed on pfSense at one time. If you previously installed any radius packages go ahead and remove them first.
The package installation will briefly interrupt traffic passing through the router as the service starts so be careful when running the installation on a production system.
- Open the package manager in the system menu of the web interface.
- Click the plus symbol next to FreeRadius2 to begin the installation.
- Click 'Ok' to confirm the package installation.
The setup process will automatically download and install the radius package along with all of its dependencies. The installation normally takes a couple of minutes to complete.
After it's finished there will be a new menu item for the package in the services menu.
Configuring an Interface
The first thing you'll need to do is specify one or more interfaces for the radius server to listen on. The configuration settings for FreeRadius can be found under the services menu.
In most cases you will want to bind the service to the LAN interface.
- Click on the interfaces tab of the settings page.
- Click on the plus symbol icon to add a new interface.
- Enter the LAN IP address in the Interface IP address field.
- Click save.
The rest of the settings can remain at their defaults.
The next step in configuring the authentication server is to add client entries. Each device that will use the radius server for authentication will need to have a client entry configured in the settings.
- Click on the NAS / Clients tab.
- Enter the IP address of the device where authentication requests will come from in the client IP field.
- Enter a secure password in the client shared secret field. This will need to be entered on the client device as well.
Under the miscellaneous configuration section you should choose a client type from the dropdown box. If none of the types listed are suitable you can select other.
Creating User Accounts
The final step is to create user accounts. To create the accounts go to the users tab in the package settings and click the plus symbol to open the new user creation page.
There are only two required fields on this page, the username and password. All of the other settings are optional and apply mostly to captive portal users.
At this point the radius server should now be up and running and ready to accept incoming requests for authentication. You can now begin pointing devices to the server.
Devices will need to be configured with the following items.
- The LAN IP address of the pfSense system, or whichever interface you chose to bind the radius server to.
- The radius key you assigned on the clients tab.
- The auth port should be set to 1812, or the port you assigned on the interfaces tab.
Checking the service status
The first thing you should do if you're having problems is make sure the radius service is running.
If it's not running try to start it by clicking on the play icon next to radiusd.
If the service doesn't seem to start go ahead and reinstall the package to resolve the issue.
You shouldn't lose any of the configuration when you reinstall but make sure everything looks right after it comes back up.
I've noticed that sometimes client configs disappeared when I performed a reinstallation.
Check the logs
The system logs may provide a clue to why a problem is occurring. To view the logs click on system logs in the status menu.
On the system tab enter "root: freeRADIUS" without the quotes in the box at the bottom, then click filter. This will show the startup and shutdown log messages for the service.
Authentication success and failure messages are not visible in the system logs. To view them you need to configure a remote syslog server.
Radius Syslog Messages
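One way to review those messages once they reach the remote syslog server, as an added example that is not part of the original article: it flags a run of failed logins for the same user and client, and records whether a success followed. The message format is assumed from typical FreeRADIUS auth logging, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed shape of FreeRADIUS auth messages as forwarded by syslog.
AUTH_RE = re.compile(
    r"Login (?P<result>OK|incorrect)[^\[]*\[(?P<user>[^\]/]*)[^\]]*\]"
    r" \(from client (?P<client>\S+) port \d+"
)

# Constructed sample lines: host, pid, users and client names are made up.
SAMPLE = [
    "Jan 28 10:00:01 pfsense radiusd[4321]: Login OK: [alice] (from client switch1 port 0)",
    "Jan 28 10:02:10 pfsense radiusd[4321]: Login incorrect: [bob/guess1] (from client vpn port 0)",
    "Jan 28 10:02:12 pfsense radiusd[4321]: Login incorrect: [bob/guess2] (from client vpn port 0)",
    "Jan 28 10:02:15 pfsense radiusd[4321]: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob] (from client vpn port 0)",
    "Jan 28 10:02:19 pfsense radiusd[4321]: Login OK: [bob] (from client vpn port 0)",
    "Jan 28 10:05:00 pfsense radiusd[4321]: Login incorrect: [carol] (from client switch1 port 0)",
]


def review_auth_log(lines, threshold=3):
    """Return {(client, user): info} for users with >= threshold failures in a row."""
    streak = defaultdict(int)  # consecutive failures per (client, user)
    findings = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        # Text after "/" inside the brackets may be an attempted password
        # (bad-password logging); the regex drops it so it is never re-reported.
        key = (m["client"], m["user"])
        if m["result"] == "incorrect":
            streak[key] += 1
            if streak[key] >= threshold:
                findings[key] = {"failures": streak[key], "success_after": False}
        else:
            if streak[key] >= threshold:
                findings[key]["success_after"] = True  # password may have been guessed
            streak[key] = 0
    return findings


if __name__ == "__main__":
    for (client, user), info in review_auth_log(SAMPLE).items():
        print(client, user, info)
```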
Testing the Service With Radtest
The radius package includes a utility called Radtest which can be used to test the service to determine if it is working correctly.
Radtest is handy because it allows you to determine if authentication is working before you reconfigure any devices on the network.
Steps for running the test
- Add an interface with the IP address of 127.0.0.1.
- Set the interface type to 'Auth', use the default port (1812).
- Add a client/NAS with the IP of 127.0.0.1 and the shared secret 'test'.
- Create a test user account on the users tab.
- Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
- Run the command below, replacing <username> and <password> with the credentials you assigned.
radtest <username> <password> 127.0.0.1:1812 0 test
If the test is successful you should see the message "rad_recv: Access-Accept".
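What the shared secret does in that exchange, as an added example that is not part of the original article: a sketch of the RFC 2865 PAP Access-Request encoding and the Response Authenticator check a client applies to the reply. It covers only the User-Name and User-Password attributes, and the reply is constructed locally so the code runs offline.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, user, password, secret, authenticator=None):
    """Code 1 packet: 20-byte header, then User-Name and hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator must equal MD5(code+id+len + request auth + attrs + secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def make_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Constructed attribute-less server reply, used to exercise the check offline."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()
```

Both the password hiding and the reply check depend only on the shared secret, so a reply that fails `reply_is_authentic` means the secret on the device does not match the one on the clients tab or the packet was altered.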
Great Ways to Use Your New Radius Server
After you start using central radius authentication you won't ever want to go back to local user accounts. Below I've created a list of some great ways to take advantage of your new radius server.
- Captive Portal Authentication - Set up a wireless hotspot for your home or business and use radius as the source of authentication for the captive portal.
- Remote Access VPN - Configure pfSense to act as a VPN server and use centralized authentication for the user accounts.
- Network Switches - Instead of using local user accounts point the managed switches to pfSense.
© 2012 Sam Kear
alexis.verano on October 23, 2017:
Can the freeradius control the telephone number of the call origin?
Yannick on February 13, 2017:
Hi, I just want to know how I can use pfSense captive portal with a billing software. We want to bill users for their internet usage.
Can you help?
aravinth70 on September 20, 2016:
Can we allocate a quota limit per user, as a time allocation?
Bijil on September 07, 2015:
Is there any way to add daloradius to pfsense???
nardjesse on March 25, 2015:
How to configure mysql with freeradius
gangooparsad on February 05, 2015:
Thanks for a great tutorial. Would it also work if 1 freeradius installation was used as a central authentication hub for all devices / users for OpenVPN and captive portal? Preferably over IPSEC.
Sam Kear (author) from Kansas City on January 28, 2015:
You'll need to set up a profile for each different device since radius uses the source IP address to key off of.
Some radius servers allow multiple source IPs to be listed for the same device but I do not believe the pfSense implementation allows this.
TTGReviews on January 27, 2015:
Is there a way to use this to create an account for multiple devices for one account, or multiple accounts for one device without just adding them all individually?
Marlo on January 06, 2015:
"IP address of the device where authentication requests" this should be Router IP address or Access Point IP address? I do not have any other machine...
Wander on August 08, 2014:
How to configure the LDAP tab in active directory?