FreeRADIUS is a free implementation of the RADIUS protocol. Supports MySQL, PostgreSQL, LDAP, Kerberos.
Refer to the following articles for more information on the listed topics:
Authentication with Captive-Portal
Pre-defined user attributes and custom check-items and reply-items
NAS/Clients running on IPv4 and IPv6
Interfaces can listen on IPv4 and IPv6
OpenVPN + Username + RADIUS and OpenVPN + Username + Cert + RADIUS
Auth with PAP, CHAP, MSCHAP, MSCHAPv2
Auth with EAP-MD5 + dynamic VLAN assignment
Auth with PEAP + dynamic VLAN assignment
Auth with EAP-TLS/EAP-TTLS + dynamic VLAN assignment
radiusd: Login OK: [testuser/<via Auth-Type = EAP>] (from client pfsense port 0 cli 00-04-23-5C-9D-19) radiusd: Login OK: [testuser/<via Auth-Type = EAP>] (from client pfsense port 0 cli 00-04-23-5C-9D-19) radiusd: Login OK: [testuser/<via Auth-Type = EAP>] (from client pfsense port 0 via TLS tunnel) radiusd: Login OK: [testuser/<via Auth-Type = EAP>] (from client pfsense port 0 via TLS tunnel)
Simultaneous-Use - The following will be present in the system log
radiusd: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)
A certain amount of time per day/week/month/forever (
CHECK-ITEM: Max-Daily-Session := 60) The user will be disconnected and cannot re-login after the amount of time is reached:
radiusd: Invalid user (rlm_counter: Maximum daily usage time reached): [testuser/<via Auth-Type = EAP>] (from client pfsense port 0 cli 00-04-23-5C-9D-19)
A certain amount of traffic per day/week/month/forever. The user will be disconnected and cannot re-login after the amount of traffic is reached. The syslog output looks like this:
root: FreeRADIUS: Used amount of daily upload and download traffic by testuser is 0 of 100 MB! The user was accepted!!! root: FreeRADIUS: Credentials are probably correct but the user testuser has reached the daily amount of upload and download traffic which is 243 of 100 MB! The user was rejected!!!
LDAP/ActiveDirectory (connecting to MS AD with PAP)
Installation and Configuration¶
Navigate to System > Packages, Available Packages tab.
Click at the end of the row for freeradius3.
Confirm the installation.
Monitor the progress as it installs.
After Installation, the service may be configured at Services > FreeRADIUS.
Configure the Interface(s) on which the RADIUS server should listen.
Configure the NAS / Client(s) from which the RADIUS server should accept packets.
Add the User(s) who should have access.
After this, have a look at the system log. There should be the following:
radiusd: Ready to process requests. radiusd: Loaded virtual server
Troubleshooting RADIUS Authentication¶
When attempting to authenticate against a RADIUS server, errors may be encountered that prevent it from working properly. Here are some errors found in the logs and how to resolve them:
mpd: [pt0] RADIUS: RadiusSendRequest: rad_init_send_request failed: -1
This appears to happen when the RADIUS shared secret contains special characters. Try again with an alphanumeric shared secret.
Get FreeRADIUS Status Server Updates¶
The status server provides detailed information about the FreeRADIUS server. The status data includes Accounting-Packets, dropped packets and much more.
To enable status server:
Setup an interface with Interface-Type: status and a free port.
The default port for RADIUS status is
Setup a NAS/Client with IP-Address:
127.0.0.1and a password if one does not already exist.
This example uses a password of
To request information from the status server:
SSH to the firewall and enter the following command on the command line:
$ echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = All" | \ radclient -x localhost:18121 status testing123
The output should look like this:
Received response ID 223, code 3, length = 140 FreeRADIUS-Total-Access-Requests = 1 FreeRADIUS-Total-Access-Accepts = 0 FreeRADIUS-Total-Access-Rejects = 14 FreeRADIUS-Total-Access-Challenges = 0 FreeRADIUS-Total-Auth-Responses = 14 FreeRADIUS-Total-Auth-Duplicate-Requests = 0 FreeRADIUS-Total-Auth-Malformed-Requests = 0 FreeRADIUS-Total-Auth-Invalid-Requests = 0 FreeRADIUS-Total-Auth-Dropped-Requests = 0 FreeRADIUS-Total-Auth-Unknown-Types = 0 [...]
To request specific subsets of the status data, replace
FreeRADIUS-Statistics-Type = All from the command above with another valid
name or value.
A few common names and values are:
Internal server statistics:
The status server accepts either the name or its corresponding value a parameter.
More name/value pairs for
FreeRADIUS-Statistics-Type are listed in the
FreeRADIUS dictionary file on the firewall: