not logged in | [Login]

Always start with the "default" configuration. It will work everywhere, and do almost everything you need. The only change you will need to make is to define users and passwords.

Making a lot of changes to the configuration files is the best way to break the server. Don't do that.

Define a Client IP

For initial testing from localhost with radtest, the server comes with a default definition for 127.0.0.1 and ::1

For testing from external machines, edit /etc/raddb/clients.conf and add an entry. There are many examples and the syntax is easy:

client NAME {
  ipaddr = IPADDRESS
  secret = SECRET
}

Define a User and Password

Edit /etc/raddb/users and create an example user account as the first entry. i.e. at the top of the file, such as:

testing Cleartext-Password := "password"

Start the server in debugging mode

At this point you should be able to manually start radiusd. You should do this with the debugging enabled so that you can see what happens:

$ radiusd -X

The location and the name of the FreeRADIUS server executable may vary, for example it could be /usr/sbin/freeradius. But the -X parameter is essential, always use it!

Lots of output will scroll by, and it will eventually say:

Read to process requests.

Sometimes people want to change default port to run on 1645, the old RADIUS port (the new one is 1812), if replacing a legacy RADIUS server. Other than that, it's possible that the EAP Module initial setup will fail.

Simple test

Once the FreeRADIUS server is operational, you can use radtest to test an account from the command line:

$ radtest testing password localhost 0 testing123

Where testing is the user name configured above, and password is the password for the user. These can be real user names and passwords, of course.

You should see output like:

Sending Access-Request of id 226 to 127.0.0.1:1812
      User-Name = 'testing'
      User-Password = 'password'
      NAS-IP-Address = radius.domain.com
      NAS-Port = 10

rad_recv : Access-Accept packet from host 127.0.0.1:1812,id=226, length=56
      Framed-IP-Address = 80.84.161.1
      Framed-Protocol = PPP
      Service-Type = Framed-User
      Framed-Compression = Van-Jacobson-TCP-IP
      Framed-IP- Netmask = 255.255.255.255

The key is to get an 'Access Accept' response.

At this point you should have text-file authentication working in FreeRADIUS. Also based on the default settings, the authentication methods now work for the testing user

  • PAP
  • CHAP
  • MS-CHAPv1
  • MS-CHAPv2
  • PEAP
  • EAP-TTLS
  • EAP-GTC
  • EAP-MD5.

If you made changes to the default configuration, odds are that one or more of these authentication methods will stop working.

The next step is to add more users, and/or to configure directories and databases.

Troubleshooting

If you don't get an Access-Accept, go back and check everything.

Read the relevant documentation including comments, and read the debug messages!

See also the Troubleshooting guide.

For configuring EAP, see the external EAP Howto. It offers a step-by-step guide which is guaranteed to work.

The initial setup is usually sufficient, but if you get an error, then read the debug messages. Check the docs, check that you have followed the above steps to the letter, and try again. Try posting the output into the Network RADIUS Debug colorizer, it will group the debug output into request/reply sections, and will colorize portions of text that you should pay attention to. While many of the debug messages can be ignore (they are for more in-depth debugging), a number of them contain detailed descriptions of what is going on. Read them, and follow the instructions.

If you need to edit configuration files, read them carefully and edit them as little as possible. See man radiusd for a guide. Start with radiusd.conf.

More testing

If you have a Windows PC handy you may also wish to use NTradPing (downloadable from MasterSoft) to send test packets instead of radtest. If you do this, or test from any other machine, remember your PC (or other machine) needs to be in your NAS list in clients.conf too!

See also