How to Set Up a Radius Server on pfSense Using the FreeRadius2 Package

Updated on January 15, 2018

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelor's degree in Information Technology from UMKC.

In this hub I'm going to walk through the process of setting up a radius server on pfSense.

Radius provides a central source of authentication for various network devices and services. Some common uses for radius authentication are VPNs, captive portals, switches, routers, and firewalls.

Central authentication is much easier to manage than keeping track of various local accounts across separate devices on a network.

Why use pfSense as a radius server?

pfSense makes a great host for a radius server since the service doesn't require many system resources. The service can easily handle authentication for several hundred clients without impacting performance.

With the appropriate hardware it can easily be scaled to support thousands of clients. In fact pfSense even allows radius to run on a dedicated network interface.

If you're already running pfSense on your network there is really no need to build a separate server just for Radius.


Installing the Package

The pfSense 2.X package manager includes both FreeRadius and FreeRadius2 as installation options. For this example I'm going to be using FreeRadius2 since it has some additional features not found in the previous version.

Only one version of radius can be installed on pfSense at one time. If you previously installed any radius packages go ahead and remove them first.

The package installation will briefly interrupt traffic passing through the router as the service starts, so be careful when running the installation on a production system.

  1. Open the package manager in the system menu of the web interface.
  2. Click the plus symbol next to FreeRadius2 to begin the installation.
  3. Click 'Ok' to confirm the package installation.

You cannot run both FreeRadius and FreeRadius2 on the same pfSense system. Make sure to remove one before installing the other.

The setup process will automatically download and install the radius package along with all of its dependencies. The installation normally takes a couple of minutes to complete.

After it's finished there will be a new menu item for the package in the services menu.

The FreeRadius installation normally takes a couple minutes to complete.

Configuring an Interface

The first thing you'll need to do is specify one or more interfaces for the radius server to listen on. The configuration settings for FreeRadius can be found under the services menu.

In most cases you will want to bind the service to the LAN interface.

  1. Click on the interfaces tab of the settings page.
  2. Click on the plus symbol icon to add a new interface.
  3. Enter the LAN IP address in the Interface IP address field.
  4. Click save.

The rest of the settings can remain at the default settings.

In the configuration you need to specify which interfaces the service should listen on.

Adding Clients

The next step in configuring the authentication server is to add client entries. Each device that will use the radius server for authentication will need to have a client entry configured in the settings.

  1. Click on the NAS / Clients tab.
  2. Enter the IP address of the device where authentication requests will come from in the client IP field.
  3. Enter a secure password in the client shared secret field. This will need to be entered on the client device as well.

Under the miscellaneous configuration section you should choose a client type from the dropdown box. If none of the types listed are suitable you can select other.

Creating User Accounts

The final step is to create user accounts. To create the accounts go to the users tab in the package settings and click the plus symbol to open the new user creation page.

There are only two required fields on this page, the username and password. All of the other settings are optional and apply mostly to captive portal users.

Set up as many different user accounts as you would like.

Adding Devices

At this point the radius server should now be up and running and ready to accept incoming requests for authentication. You can now begin pointing devices to the server.

Devices will need to be configured with the following items.

  1. The LAN IP address of the pfSense system, or whichever interface you chose to bind the radius server to.
  2. The radius key you assigned on the clients tab.
  3. The auth port should be set to 1812, or the port you assigned on the interfaces tab.

Troubleshooting

Checking the service status

The first thing you should do if you're having problems is make sure the radius service is running.

If it's not running try to start it by clicking on the play icon next to radiusd.

If the service doesn't seem to start go ahead and reinstall the package to resolve the issue.

You shouldn't lose any of the configuration when you reinstall but make sure everything looks right after it comes back up.

I've noticed that sometimes client configs disappeared when I performed a reinstallation.

Check the logs

The system logs may provide a clue to why a problem is occurring. To view the logs click on system logs in the status menu.

On the system tab enter "root: freeRADIUS" without the quotes in the box at the bottom, then click filter. This will show the startup and shutdown log messages for the service.

Authentication success and failure messages are not visible in the system logs. To view them you need to configure a remote syslog server.

Check the service status page to make sure the radiusd service is running.

Radius Syslog Messages

Syslog messages are the best way to troubleshoot radius problems

Testing the Service With Radtest

The radius package includes a utility called Radtest which can be used to test the service to determine if it is working correctly.

Radtest is handy because it allows you to determine if authentication is working before you reconfigure any devices on the network.

Steps for running the test

  1. Add an interface with the IP address of 127.0.0.1.
  2. Set the interface type to 'Auth' and use the default port (1812).
  3. Add a client/NAS with the IP of 127.0.0.1 and the shared secret 'test'.
  4. Create a test user account on the users tab.
  5. Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
  6. Run the command below, replacing <username> and <password> with the credentials you assigned.

radtest <username> <password> 127.0.0.1:1812 0 test

If the test is successful you should see the message "rad_recv: Access-Accept".

The radtest utility can be used to test authentication.

Great Ways to Use Your New Radius Server

After you start using central radius authentication you won't ever want to go back to local user accounts. Below I've created a list of some great ways to take advantage of your new radius server.

  • Captive Portal Authentication - Set up a wireless hotspot for your home or business and use radius as the source of authentication for the captive portal.
  • Remote Access VPN - Configure pfSense to act as a VPN server and use centralized authentication for the user accounts.
  • Network Switches - Instead of using local user accounts point the managed switches to pfSense.


    © 2012 Sam Kear

    Comments


      • alexis.verano 7 months ago

        Can the freeradius control the telephone number of the call origin?

      • Yannick 15 months ago

        Hi, I just want to know how I can use pfSense captive portal with a billing software. We want to bill users for their internet usage.

        Can you help ..

      • aravinth70 20 months ago

        Can we allocate quota limit user wise as time allocation

      • Bijil 2 years ago

        Is there any way to add daloradius to pfsense???

      • nardjesse 3 years ago

        How to configure mysql with freeradius

      • gangooparsad 3 years ago

        Thanks for a great Tutorial, would it also work if 1 freeradius installation was used as a central authentication hub for all devices / users for OpenVPN and captive portal? preferably over IPSEC.

      • Sam Kear (Author) 3 years ago from Kansas City

        @TTGReviews

        You'll need to set up a profile for each different device since radius uses the source IP address to key off of.

        Some radius servers allow multiple source IPs to be listed for the same device but I do not believe the pfSense implementation allows this.

      • TTGReviews 3 years ago

        Is there a way to use this to create an account for multiple devices for one account, or multiple accounts for one device without just adding them all individually?

      • Marlo 3 years ago

        "IP address of the device where authentication requests" this should be Router IP address or Access Point IP address? I do not have any other machine...

      • Wander 3 years ago

        how to configure the LDAP tab in active directory?
