
How to Set Up a Radius Server on pfSense Using the FreeRadius2 Package

Updated on April 29, 2016

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelor's Degree in Information Technology from UMKC.

In this hub I'm going to walk through the process of setting up a radius server on pfSense.

Radius provides a central source of authentication for various network devices and services. Some common uses for radius authentication are VPNs, captive portals, switches, routers, and firewalls.

Central authentication is much easier to manage than keeping track of various local accounts across separate devices on a network.

Why use pfSense as a radius server?

PfSense makes a great host for a radius server since the service doesn't require many system resources. The service can easily handle authentication for several hundred clients without impacting performance.

With the appropriate hardware it can easily be scaled to support thousands of clients. In fact pfSense even allows radius to run on a dedicated network interface.

If you're already running pfSense on your network there is really no need to build a separate server just for Radius.


Installing the Package

The pfSense 2.X package manager includes both FreeRadius and FreeRadius2 as installation options. For this example I'm going to be using FreeRadius2 since it has some additional features not found in the previous version.

Only one version of radius can be installed on pfSense at one time. If you previously installed any radius packages go ahead and remove them first.

The package installation will briefly interrupt traffic passing through the router as the service starts so be careful when running the installation on a production system.

  1. Open the package manager in the system menu of the web interface.
  2. Click the plus symbol next to FreeRadius2 to begin the installation.
  3. Click 'Ok' to confirm the package installation.

You cannot run both FreeRadius and FreeRadius2 on the same pfSense system. Make sure to remove one before installing the other.

The setup process will automatically download and install the radius package along with all of its dependencies. The installation normally takes a couple of minutes to complete.

After it's finished there will be a new menu item for the package in the services menu.

The FreeRadius installation normally takes a couple minutes to complete.

Configuring an Interface

The first thing you'll need to do is specify one or more interfaces for the radius server to listen on. The configuration settings for FreeRadius can be found under the services menu.

In most cases you will want to bind the service to the LAN interface.

  1. Click on the interfaces tab of the settings page.
  2. Click on the plus symbol icon to add a new interface.
  3. Enter the LAN IP address in the Interface IP address field.
  4. Click save

The rest of the settings can remain at their defaults.

In the configuration you need to specify which interfaces the service should listen on.

Adding Clients

The next step in configuring the authentication server is to add client entries. Each device that will use the radius server for authentication will need to have a client entry configured in the settings.

  1. Click on the NAS / Clients tab.
  2. Enter the IP address of the device where authentication requests will come from in the client IP field.
  3. Enter a secure password in the client shared secret field. This will need to be entered on the client device as well.

Under the miscellaneous configuration section you should choose a client type from the dropdown box. If none of the types listed are suitable you can select other.

Creating User Accounts

The final step is to create user accounts. To create the accounts go to the users tab in the package settings and click the plus symbol to open the new user creation page.

There are only two required fields on this page, the username and password. All of the other settings are optional and apply mostly to captive portal users.

Set up as many different user accounts as you would like.

Adding Devices

At this point the radius server should now be up and running and ready to accept incoming requests for authentication. You can now begin pointing devices to the server.

Devices will need to be configured with the following items.

  1. The LAN IP address of the pfSense system, or whichever interface you chose to bind the radius server to.
  2. The radius key you assigned on the clients tab.
  3. The auth port should be set to 1812, or the port you assigned on the interfaces tab.

Check the service status page to make sure the radiusd service is running.

Troubleshooting

Checking the service status

The first thing you should do if you're having problems is make sure the radius service is running.

If it's not running try to start it by clicking on the play icon next to radiusd.

If the service doesn't seem to start go ahead and reinstall the package to resolve the issue.

You shouldn't lose any of the configuration when you reinstall but make sure everything looks right after it comes back up.

I've noticed that sometimes client configs disappeared when I performed a reinstallation.

Check the logs

The system logs may provide a clue to why a problem is occurring. To view the logs click on system logs in the status menu.

On the system tab enter "root: freeRADIUS" without the quotes in the box at the bottom, then click filter. This will show the startup and shutdown log messages for the service.

Authentication success and failure messages are not visible in the system logs. To view them you need to configure a remote syslog server.

Radius Syslog Messages

Syslog messages are the best way to troubleshoot radius problems

Testing the Service With Radtest

The radius package includes a utility called Radtest which can be used to test the service to determine if it is working correctly.

Radtest is handy because it allows you to determine if authentication is working before you reconfigure any devices on the network.

Steps for running the test

  1. Add an interface with the IP address of 127.0.0.1.
  2. Set the interface type to 'Auth' and use the default port (1812).
  3. Add a client/NAS with the IP of 127.0.0.1 and the shared secret 'test'.
  4. Create a test user account on the users tab.
  5. Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
  6. Run the command below, replacing <username> and <password> with the credentials you assigned.

radtest <username> <password> 127.0.0.1:1812 0 test

If the test is successful you should see the message "rad_recv: Access-Accept".

The radtest utility can be used to test authentication.

Great Ways to Use Your New Radius Server

After you start using central radius authentication you won't ever want to go back to local user accounts. Below I've created a list of some great ways to take advantage of your new radius server.

  • Captive Portal Authentication - Set up a wireless hotspot for your home or business and use radius as the source of authentication for the captive portal.
  • Remote Access VPN - Configure pfSense to act as a VPN server and use centralized authentication for the user accounts.
  • Network Switches - Instead of using local user accounts point the managed switches to pfSense.

© 2012 Sam Kear

Comments


    • Yannick 7 months ago

      Hi I just want to know how can I use pfsense captive portal with a billing software. We want to bill users for their internet usage.

      Can you help ..

    • aravinth70 12 months ago

      Can we allocate quota limit user wise as time allocation

    • Bijil 2 years ago

      Is there any way to add daloradius to pfsense???

    • nardjesse 2 years ago

      How to configure mysql with freeradius

    • gangooparsad 2 years ago

      Thanks for a great Tutorial, would it also work if 1 freeradius installation was used as a central authentication hub for all devices / users for OpenVPN and captive portal? preferably over IPSEC.

    • Sam Kear (Author) 2 years ago from Kansas City

      @TTGReviews

      You'll need to set up a profile for each different device since radius uses the source IP address to key off of.

      Some radius servers allow multiple source IPs to be listed for the same device but I do not believe the pfSense implementation allows this.

    • TTGReviews 2 years ago

      Is there a way to use this to create an account for multiple devices for one account, or multiple accounts for one device without just adding them all individually?

    • Marlo 2 years ago

      "IP address of the device where authentication requests" this should be Router IP address or Access Point IP address? I do not have any other machine...

    • Wander 3 years ago

      how to configure the LDAP tab in active directory?