Installing the Package
The pfSense 2.X package manager includes both FreeRadius and FreeRadius2 as installation options. For this example, I’m going to be using FreeRadius2 since it has some additional features not found in the previous version.
Only one version of the RADIUS package can be installed on pfSense at a time, so if you previously installed FreeRadius (or any other radius package), remove it before installing FreeRadius2.
The package installation will briefly interrupt traffic passing through the router while the service starts, so plan accordingly before running it on a production system.
- Open the package manager in the system menu of the web interface.
- Click the plus symbol next to FreeRadius2 to begin the installation.
- Click ‘Ok’ to confirm the package installation.
The setup process will automatically download and install the RADIUS package along with all of its dependencies. The installation normally takes a couple of minutes to complete.
After it’s finished, there will be a new menu item for the package in the services menu.
Configuring an Interface
The first thing you’ll need to do is specify one or more interfaces for the radius server to listen on. The configuration settings for FreeRadius can be found under the services menu.
In most cases, you will want to bind the service to the LAN interface. Do not expose it on the WAN: RADIUS has no transport encryption, the User-Password attribute is only obfuscated with MD5 keyed by the shared secret, and every other attribute travels in the clear, so authentication traffic should stay on a trusted network.
- Click on the interfaces tab of the settings page.
- Click on the plus symbol icon to add a new interface.
- Enter the LAN IP address in the Interface IP address field.
- Click save
The remaining settings can be left at their defaults.
The next step in configuring the authentication server is to add client entries. Each device (NAS) that will send authentication requests to the RADIUS server needs a client entry; FreeRADIUS ignores, and does not reply to, requests from addresses that have no entry.
- Click on the NAS / Clients tab.
- Enter the IP address the device will send requests from in the client IP field. If the device has several addresses, use the one it sources RADIUS traffic from.
- Enter a long, random string in the client shared secret field; the same secret must be entered on the client device. The secret is the only key protecting user passwords and authenticating the server’s replies, and an attacker holding a packet capture can test guesses against it offline, so do not use a dictionary word or reuse a password.
- Under the miscellaneous configuration section, choose a client type from the dropdown box. If none of the listed types fits, select other.
Creating User Accounts
The final step is to create user accounts. To create the accounts, go to the users tab in the package settings and click the plus symbol to open the new user creation page.
There are only two required fields on this page: the username and the password. All of the other settings are optional and apply mostly to captive portal users. Set up as many user accounts as you need.
At this point, the radius server should now be up and running and ready to accept incoming requests for authentication. You can now begin pointing devices to the server.
Devices will need to be configured with the following items:
- The LAN IP address of the pfSense system, or the address of whichever interface you bound the RADIUS server to.
- The shared secret you assigned to that device on the NAS / Clients tab.
- An authentication port of 1812, or the port you assigned on the interfaces tab.
Checking the Service Status
- The first thing to check if you’re having problems is whether the radiusd service is running. Open the service status page (Status > Services in the web interface) and look for radiusd.
- If it’s not running, try to start it by clicking on the play icon next to radiusd.
- If the service doesn’t seem to start, go ahead and reinstall the package to resolve the issue.
- You shouldn’t lose any of the configuration when you reinstall, but make sure everything looks right after it comes back up.
Check the Logs
- The system logs may provide a clue as to why a problem is occurring. To view the logs, click on system logs in the status menu.
- On the system tab, enter “root: freeRADIUS” without the quotes in the box at the bottom, then click filter. This will show the startup and shutdown log messages for the service.
- Authentication success and failure messages are not written to the pfSense system log. To see them, you need to configure a remote syslog server and send the FreeRADIUS messages to it.
Radius Syslog Messages
Syslog messages are the best way to troubleshoot RADIUS problems. Each authentication attempt is logged with its result, the user name and the client it came from, which tells you whether requests are reaching the server at all, which device sent them, and whether the credentials were accepted.
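As an added example (not code from the original page or from the FreeRADIUS project), here is a small triage script for the authentication messages once they arrive at a remote syslog server. The sample lines are constructed: the “Login OK: [user] (from client NAME port N)” and “Login incorrect: [...]” wording follows the FreeRADIUS 2.x auth log strings, and the timestamp/host/radiusd prefix in front of them is an assumption about the collector’s line format. It counts failures per client and user, flags bursts, and separates out the “unknown client” message you get when a NAS has no client entry.

```python
"""Triage FreeRADIUS authentication messages received via remote syslog.
Added example; not part of the original page, pfSense or FreeRADIUS."""
import re
from collections import Counter

# Constructed sample lines. The message text after "radiusd[pid]:" follows the
# FreeRADIUS 2.x auth log format; the syslog prefix is an assumption.
SAMPLE_LOG = """\
Mar  3 10:01:02 pfsense radiusd[1234]: Login OK: [alice] (from client LAN port 0)
Mar  3 10:01:09 pfsense radiusd[1234]: Login incorrect: [bob] (from client LAN port 0)
Mar  3 10:01:10 pfsense radiusd[1234]: Login incorrect: [bob] (from client LAN port 0)
Mar  3 10:01:11 pfsense radiusd[1234]: Login incorrect: [bob] (from client LAN port 0)
Mar  3 10:01:12 pfsense radiusd[1234]: Login incorrect: [bob] (from client LAN port 0)
Mar  3 10:01:13 pfsense radiusd[1234]: Login incorrect: [bob] (from client LAN port 0)
Mar  3 10:01:20 pfsense radiusd[1234]: Login OK: [bob] (from client LAN port 0)
Mar  3 10:02:00 pfsense radiusd[1234]: Login incorrect: [admin/Winter2014] (from client switch1 port 7)
Mar  3 10:02:30 pfsense radiusd[1234]: Ignoring request to authentication address * port 1812 from unknown client 10.0.0.99 port 49152
"""

# "[user]" normally; "[user/password]" only if auth_badpass logging is enabled.
# The password part is matched but deliberately not captured or stored.
AUTH_RE = re.compile(
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)")
UNKNOWN_RE = re.compile(r"from unknown client (?P<ip>[\d.]+) port (?P<port>\d+)")


def parse_auth_events(text):
    """Return (events, unknown_clients): one dict per Login OK/incorrect line,
    plus a Counter of source IPs the server refused for lack of a client entry."""
    events, unknown = [], Counter()
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({"user": m["user"], "client": m["client"],
                           "ok": m["result"] == "OK"})
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[m["ip"]] += 1
    return events, unknown


def failed_logins(events):
    """Failure count per (client, user) pair."""
    counts = Counter()
    for e in events:
        if not e["ok"]:
            counts[(e["client"], e["user"])] += 1
    return counts


def suspicious(events, threshold=5):
    """(client, user, failures, succeeded_afterwards) for pairs at or above the
    threshold. A success following a burst of failures deserves a closer look."""
    fails = failed_logins(events)
    succeeded = {(e["client"], e["user"]) for e in events if e["ok"]}
    return [(client, user, n, (client, user) in succeeded)
            for (client, user), n in sorted(fails.items()) if n >= threshold]


if __name__ == "__main__":
    evts, unknown = parse_auth_events(SAMPLE_LOG)
    for entry in suspicious(evts):
        print("burst of failures:", entry)
    for ip, n in unknown.items():
        print("NAS without a client entry:", ip, "(%d requests dropped)" % n)
```

Run it against a file exported from your syslog collector by replacing SAMPLE_LOG with its contents; an IP showing up under “NAS without a client entry” is exactly the case where a device has been pointed at pfSense but has no NAS / Clients entry yet.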
Testing the Service With Radtest
The RADIUS package includes a utility called radtest which sends a test authentication request to the server and reports the reply. radtest is handy because it lets you confirm that authentication works before you reconfigure any devices on the network.
Steps for Running the Test
- Add an interface with the IP address of 127.0.0.1.
- Set the interface type to ‘Auth’ and use the default port (1812).
- Add a client/NAS with the IP of 127.0.0.1 and the shared secret ‘test’. This entry only accepts requests from processes on the firewall itself, but remove it (or give it a strong secret) once testing is done.
- Create a test user account on the users tab.
- Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
- Run the command below, replacing <username> , and <password> with the credentials you assigned.
radtest <username> <password> 127.0.0.1:1812 0 test
- If the test is successful you should see the message “rad_recv: Access-Accept”. A wrong password or unknown user returns “rad_recv: Access-Reject”; if radtest reports no response at all, check that an interface is listening on 127.0.0.1 and that the 127.0.0.1 client entry and its secret match what you passed on the command line.
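To show what radtest actually puts on the wire, and why the shared secret entered on the NAS / Clients tab matters so much, here is an added example (my own code, not part of the original page, of radtest or of FreeRADIUS) that builds the same RFC 2865 PAP Access-Request the command above sends and checks the server’s reply. The password obfuscation and the Response Authenticator are implemented exactly as the RFC specifies; the attribute set (User-Name, User-Password, NAS-IP-Address, NAS-Port) mirrors radtest’s. The function and variable names are mine, and the offline check builds the server’s reply locally so the example runs without a RADIUS server; the radtest() function at the end sends a real request over UDP if you want to point it at 127.0.0.1:1812.

```python
"""RADIUS (RFC 2865) PAP Access-Request and reply check, mirroring what
`radtest <user> <pass> 127.0.0.1:1812 0 test` does on the wire.
Added example; not part of pfSense, FreeRADIUS, radtest or the original page."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 (minimum 16), then XOR each block
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. Nothing but the shared secret protects the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password: anyone holding the shared secret (or who
    brute-forced a weak one from a capture) recovers the password like this."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1) + Length (1, includes the 2 header bytes) + Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1",
                         nas_port=0, authenticator=None):
    """Code (1) + Identifier (1) + Length (2) + Request Authenticator (16) +
    attributes. The authenticator must be fresh and unpredictable per request."""
    auth = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """The reply a server would send; used here to simulate FreeRADIUS offline."""
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_auth, secret) + attrs)


def check_response(response, request, secret):
    """'Access-Accept' / 'Access-Reject' only if the reply is bound to our
    request (same Identifier) and its authenticator verifies under the secret;
    anything else could have been injected by someone on the path."""
    if len(response) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or not 20 <= length <= len(response):
        return "id or length mismatch"
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "bad authenticator"
    return CODE_NAMES.get(code, "code %d" % code)


def radtest(username, password, server="127.0.0.1", port=1812, nas_port=0,
            secret=b"test", timeout=3.0):
    """Send one request over UDP and classify the reply, like radtest does."""
    request = build_access_request(os.urandom(1)[0], username, password, secret,
                                   nas_port=nas_port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response"
    return check_response(reply, request, secret)


if __name__ == "__main__":
    print(radtest("alice", "correct horse", secret=b"test"))
```

Two things worth noticing: the same MD5-with-secret construction is all that stands between a packet capture and the user’s password, which is why the NAS / Clients secret should be long and random and why the listener belongs on a trusted interface; and a reply that fails check_response() should be treated as no reply at all, never as an Access-Accept.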
Great Ways to Use Your New Radius Server
After you start using central radius authentication, you won’t ever want to go back to local user accounts. Below I’ve created a list of some great ways to take advantage of your new radius server.
- Captive Portal Authentication: Set up a wireless hotspot for your home or business and use radius as the source of authentication for the captive portal.
- Remote Access VPN: Configure pfSense to act as a VPN server and use centralized authentication for the user accounts.
- Network Switches: Instead of using local user accounts, point the managed switches to pfSense.