
FreeRADIUS IdP Setup

This example shows a modern FreeRADIUS 3.x Identity Provider deployment for local user authentication.

Install Packages

On Debian or Ubuntu:

apt update
apt install freeradius freeradius-utils freeradius-ldap freeradius-mysql

Install only the backend modules you need.

Service Management

systemctl enable --now freeradius
freeradius -XC

freeradius -XC parses the complete configuration in debug mode and exits without starting the daemon. Run it before any restart, so that a typo in a module file never takes authentication down.

FreeRADIUS 3.x Layout

Key locations:

/etc/freeradius/3.0/clients.conf
/etc/freeradius/3.0/mods-enabled/eap
/etc/freeradius/3.0/mods-enabled/ldap
/etc/freeradius/3.0/mods-enabled/sql
/etc/freeradius/3.0/proxy.conf
/etc/freeradius/3.0/sites-enabled/default
/etc/freeradius/3.0/sites-enabled/inner-tunnel

For IdP service, default handles the outer request and inner-tunnel handles inner authentication for PEAP and TTLS.

EAP Configuration

Edit mods-enabled/eap and make sure a real server certificate is referenced. Do not use the test certificates in production.

eap {
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    tls-config tls-common {
        # Production key and certificate, never the bootstrap-generated test pair.
        # If you have intermediates, append them to certificate_file after the
        # server certificate; FreeRADIUS loads it as a chain file.
        private_key_file = /etc/freeradius/3.0/certs/radius.key
        certificate_file = /etc/freeradius/3.0/certs/radius.crt
        # CAs trusted to have issued client certificates (EAP-TLS only)
        ca_file = /etc/freeradius/3.0/certs/ca-chain.pem
        dh_file = /etc/freeradius/3.0/certs/dh
        # Same list as the hardening checklist below: no anonymous, MD5, RC4 or 3DES suites
        cipher_list = "HIGH:!aNULL:!MD5:!RC4:!3DES"
        cipher_server_preference = yes
        tls_min_version = "1.2"
    }

    ttls {
        tls = tls-common
        default_eap_type = pap
        # Copy outer request attributes into the tunnel, and return inner reply
        # attributes (for example the VLAN set in inner-tunnel) in the outer Access-Accept
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}

Local Realm Definition

Define your local realm in proxy.conf. A realm block with no authhost or accthost is treated as local and is never proxied:

realm institution.ac.ke {
    nostrip
}

If you operate multiple local realms (for example students.institution.ac.ke), define each explicitly. nostrip leaves the full user@realm in User-Name; run freeradius -X and confirm that Stripped-User-Name is being added for your realm, because the LDAP user filter below relies on it to find the bare username.

AP and Controller Clients

Add only known wireless infrastructure in clients.conf:

client wlan-controller-1 {
    ipaddr = 10.10.10.20          # a single host; avoid 0.0.0.0/0 or large subnets
    secret = <strong-shared-secret>
    shortname = wlan-controller-1
    nastype = other
}

Use a unique, strong secret per client (32 characters or more). One secret shared across every AP means one compromised AP can impersonate all the others, and the secret is also what protects the MS-MPPE key material returned in the Access-Accept.

LDAP Example

Example mods-enabled/ldap highlights:

ldap {
    server = "ldaps://ldap.institution.ac.ke"
    identity = "uid=radius-bind,ou=service,dc=institution,dc=ac,dc=ke"
    password = <bind-password>
    base_dn = "dc=institution,dc=ac,dc=ke"
    user {
        base_dn = "${..base_dn}"
        # Look up the realm-stripped name, falling back to the raw User-Name
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "ou=groups,dc=institution,dc=ac,dc=ke"
        # 'filter' selects the group objects; 'membership_filter' is the test
        # that decides whether the user belongs to a group
        filter = "(objectClass=groupOfNames)"
        membership_filter = "(member=%{control:Ldap-UserDn})"
    }
    tls {
        # ldaps:// already wraps the connection in TLS; StartTLS is only for ldap://
        start_tls = no
    }
}

List ldap in the authorize section of inner-tunnel (and of default, if you also serve non-EAP clients). There it finds the user's DN and, with the stock update section, maps userPassword into the control list so the inner EAP method can verify it. Use Auth-Type := LDAP (ldap in authenticate, which binds to the directory as the user) only for inner methods that deliver a cleartext password, i.e. TTLS-PAP. PEAP-MSCHAPv2 cannot bind: it needs the NT hash or cleartext password to be readable by the bind account, or ntlm_auth against AD as described below. Also set tls { require_cert = "demand" } with the LDAP CA in ca_file so the ldaps:// server certificate is actually verified rather than silently accepted.

Active Directory Notes

For AD-backed PEAP-MSCHAPv2 deployments, common patterns are:

  • LDAP for group lookup and policy
  • ntlm_auth or Samba/winbind integration for MSCHAP authentication

If using AD, test password expiry, lockout, and group lookups carefully before production rollout.

Dynamic VLAN Example

In sites-enabled/inner-tunnel, return VLANs based on realm or LDAP group:

post-auth {
    # &Realm is only set here if the 'suffix' module runs in inner-tunnel
    # authorize (it does in the stock configuration). &LDAP-Group triggers a
    # membership lookup through the ldap module defined above.
    if (&Realm == "students.institution.ac.ke") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    elsif (&LDAP-Group == "cn=staff,ou=groups,dc=institution,dc=ac,dc=ke") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
}

use_tunneled_reply = yes in the eap module is what copies these inner reply attributes into the outer Access-Accept. The wireless controller must be configured for RADIUS-assigned (dynamic) VLANs and must have VLANs 10 and 20 available on every AP, otherwise clients either land on the default VLAN or are refused.

SQL Accounting Example

Enable SQL and accounting if a local database is used:

sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    # Keep the database local or on a TLS-protected link: accounting rows carry
    # usernames, client MAC addresses and AP locations
    server = "127.0.0.1"
    port = 3306
    login = "radius"
    password = <sql-password>
    radius_db = "radius"
}

In sites-enabled/default:

accounting {
    detail
    sql
}
session {
    sql
}
post-auth {
    sql
}

Certificate Guidance

  • use a production certificate, not the test certificates produced by make or bootstrap in /etc/freeradius/3.0/certs
  • include the full CA chain
  • ensure the server name in client profiles matches the certificate
  • monitor expiry and renew early

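The four points above can be checked mechanically before each deployment or renewal. The script below is an added example (not FreeRADIUS project code and not from the original page): it uses only the openssl CLI and verifies that the certificate chains to the CA you ship through CAT, that the CAT "Server Name" appears as a DNS SAN, that extendedKeyUsage includes serverAuth (Windows supplicants refuse PEAP servers without it), and that enough validity remains. The paths and the name radius.institution.ac.ke are assumptions consistent with the eap configuration earlier on this page.

```shell
#!/bin/sh
# Added example, not part of FreeRADIUS or of the original page.
# check_radius_cert CERT CHAIN SERVER_NAME [MIN_DAYS]
#   CERT        the server certificate (certificate_file in mods-enabled/eap)
#   CHAIN       PEM bundle of the issuing CA(s) that the CAT profile distributes
#   SERVER_NAME the FQDN entered as "Server Name" in CAT
#   MIN_DAYS    minimum remaining validity (default 30)
# Prints one FAIL line per problem; returns 1 on any failure, 0 when all pass.
check_radius_cert() {
    cert=$1; chain=$2; name=$3; min_days=${4:-30}
    rc=0
    text=$(openssl x509 -noout -text -in "$cert") || { echo "FAIL: cannot parse $cert"; return 1; }

    # 1. The certificate must validate against the CA bundle supplicants trust.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $chain"; rc=1
    fi

    # 2. The CAT Server Name is matched against the DNS SAN entries, so one must
    #    be exactly the FQDN. Dots are escaped so the name is matched literally.
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:${pat}"'(,|$)'; then
        echo "FAIL: no DNS SAN entry for $name (CAT Server Name is matched against the SAN)"; rc=1
    fi

    # 3. Windows supplicants require the serverAuth EKU on the EAP server cert.
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: extendedKeyUsage lacks serverAuth"; rc=1
    fi

    # 4. Renew early: a renewal also means updating the CAT profile.
    if ! openssl x509 -noout -in "$cert" -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: expires within $min_days days; renew now and update the CAT profile"; rc=1
    fi
    return $rc
}

# Usage on a live server (assumed paths, matching the eap configuration on this page):
#   check_radius_cert /etc/freeradius/3.0/certs/radius.crt \
#                     /etc/freeradius/3.0/certs/ca-chain.pem \
#                     radius.institution.ac.ke 30
if [ "$#" -ge 3 ]; then
    check_radius_cert "$@"
fi
```

Run it from a cron job with a warning threshold larger than your procurement lead time; a failure on the SAN or EKU check on a freshly issued certificate is a reason to reject it before it goes anywhere near the server.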
Performance Tuning

Adjust these parameters in radiusd.conf, proxy.conf (home_server sections) and the module configuration for larger deployments:

Parameter            Default   Recommendation
max_requests         16384     Increase to 65536 for large deployments
cleanup_delay        5         Keep at 5; reduces memory pressure
max_request_time     30        Lower to 15 for faster failure detection, but keep it above the slowest backend's worst-case response time, or slow AD/LDAP queries are killed mid-request
LDAP pool.max        32        Increase to 64 for heavy LDAP load
response_window      20        Increase to 45 for trans-continental NRO links
frag_size (EAP)      1024      Increase to 1400 if the path MTU allows

Also add to radiusd.conf to avoid DNS-related slowdowns:

hostname_lookups = no

Security Hardening Checklist

  • Disable unused EAP types (EAP-MD5, and EAP-GTC, which transports the password as plaintext inside the tunnel)
  • Set the TLS minimum version: tls_min_version = "1.2"
  • Use a strong cipher list: HIGH:!aNULL:!MD5:!RC4:!3DES
  • Run FreeRADIUS as the freerad service account, not root (the Debian package does this by default; check user and group in radiusd.conf)
  • Bind only the necessary interfaces in the listen sections (sites-enabled/default in the stock 3.x layout), not every address
  • Firewall UDP 1812/1813 to known RADIUS peers only
  • Log every authentication result (post-auth to SQL, detail or linelog) and accept accounting from every NAS; incident investigations need both
  • Regularly audit clients.conf and remove stale AP entries
  • Use unique, strong shared secrets per client (minimum 32 characters)
  • Validate configuration syntax before every restart: freeradius -XC
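The three clients.conf items in the list above (and the AP and Controller Clients section earlier) can be audited with a short script. This is an added example, not FreeRADIUS project code and not from the original page; it parses the simple client { } syntax with awk, and the list of placeholder secrets it flags is an assumption.

```shell
#!/bin/sh
# Added example, not part of FreeRADIUS or of the original page.
# audit_clients_conf FILE [MINLEN]
# Flags per client:
#   SHORT     secret shorter than MINLEN characters (default 32)
#   WEAK      secret is a well-known placeholder (assumed list below)
#   REUSED    the same secret is configured on more than one client
#   WILDCARD  ipaddr is 0.0.0.0/0, ::/0 or *, so any host knowing the secret is a NAS
# Prints one line per flagged client; returns 1 if anything was flagged, 0 when clean.
audit_clients_conf() {
    file=$1
    minlen=${2:-32}
    awk -v minlen="$minlen" '
    function flush() {
        if (name == "") return
        n++; names[n] = name; ips[n] = ip; secrets[n] = secret
        name = ""; ip = ""; secret = ""
    }
    # Return the value of a "key = value" line, honouring double quotes and
    # stripping an unquoted trailing "# comment".
    function value(line,   v) {
        v = line
        sub(/^[^=]*=[ \t]*/, "", v)
        if (v ~ /^"/) { sub(/^"/, "", v); sub(/".*$/, "", v) }
        else          { sub(/[ \t]*#.*$/, "", v); sub(/[ \t]+$/, "", v) }
        return v
    }
    /^[ \t]*client[ \t]/ { flush(); name = $2; sub(/\{.*/, "", name) }
    /^[ \t]*(ipaddr|ipv4addr|ipv6addr)[ \t]*=/ { ip = value($0) }
    /^[ \t]*secret[ \t]*=/ { secret = value($0) }
    /^[ \t]*\}/ { flush() }
    END {
        flush()
        for (i = 1; i <= n; i++) seen[secrets[i]]++
        for (i = 1; i <= n; i++) {
            flags = ""
            if (length(secrets[i]) < minlen) flags = flags " SHORT"
            if (secrets[i] ~ /^(testing123|secret|password|radius|changeme)$/) flags = flags " WEAK"
            if (seen[secrets[i]] > 1) flags = flags " REUSED"
            if (ips[i] ~ /^(0\.0\.0\.0\/0|::\/0|\*)$/) flags = flags " WILDCARD"
            if (flags != "") {
                findings++
                printf "%s\t%s\tlen=%d%s\n", names[i], ips[i], length(secrets[i]), flags
            }
        }
        exit (findings > 0 ? 1 : 0)
    }' "$file"
}

# Constructed sample (not a real site): one good client plus the usual mistakes.
sample_clients_conf() {
    cat <<'EOF'
client wlan-controller-1 {
    ipaddr = 10.10.10.20
    secret = "Q7vL2pXm9sRt4wYb8nKc1hFd5gJa3eUz"
    nastype = other
}
client wlan-controller-2 {
    ipaddr = 10.10.10.21
    secret = testing123        # placeholder from the stock config, never replaced
}
client old-ap-building-c {
    ipaddr = 10.10.10.0/24
    secret = Q7vL2pXm9sRt4wYb8nKc1hFd5gJa3eUz
}
client anyone {
    ipaddr = 0.0.0.0/0
    secret = radius
}
EOF
}

if [ "$#" -ge 1 ]; then
    audit_clients_conf "$@"          # e.g. audit_clients_conf /etc/freeradius/3.0/clients.conf
else
    sample=$(mktemp)
    sample_clients_conf >"$sample"
    audit_clients_conf "$sample" || echo "fix the clients above before deploying"
    rm -f "$sample"
fi
```

Against the sample it flags wlan-controller-2 as SHORT WEAK, anyone as SHORT WEAK WILDCARD, and both wlan-controller-1 and old-ap-building-c as REUSED; the 32-character secret on the controller is fine on its own, but sharing it with a forgotten AP entry gives that AP the controller's identity. Run it in CI against the file you are about to deploy and fail the pipeline on a non-zero exit.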

eduroam CAT Tool

The eduroam Configuration Assistant Tool (cat.eduroam.org) generates device-specific installers that pre-configure the correct SSID, EAP method, and certificate pinning. Maintaining a CAT profile is strongly recommended.

CAT profile settings

Setting              What to configure
Institution Realm    Your realm(s), e.g. @institution.ac.ke
EAP Method           PEAP-MSCHAPv2 (most common) or EAP-TLS for certificate-based authentication
Server Certificate   Upload the CA certificate that signed your RADIUS server cert
Server Name          FQDN of your RADIUS server (must match the cert SAN)
Anonymous Identity   anonymous@institution.ac.ke (hides the real username in the outer EAP identity)
Help Desk Info       Support email and phone shown in the installer

CAT operational responsibilities

  • create and maintain a profile at cat.eduroam.org
  • update the CAT profile whenever the RADIUS server certificate changes
  • distribute the CAT installer link in onboarding emails and on the IT support website
  • integrate with MDM/UEM for managed devices
  • test profiles on Windows, macOS, iOS, Android, and Linux before publishing

Anonymous outer identity

With PEAP (and TTLS), the outer EAP-Identity is sent in cleartext before the TLS tunnel is established, and it is also what every proxy on the path sees and logs. Setting an anonymous outer identity such as anonymous@institution.ac.ke reveals only the realm, not the actual username; the realm part must stay correct, because proxies route on it. This is an eduroam privacy best practice and is configured in the CAT profile. Since the outer and inner identities can then differ, base authorization decisions on the inner (tunnelled) User-Name only.

Restart and Validate

freeradius -XC
systemctl restart freeradius
systemctl status freeradius