The Nightmare Called “What’s the Wi-Fi Password?”
If you’re managing an office of about 50-100 employees, using a shared Wi-Fi password is a nightmare. Every month, the boss asks to change the password for security. As a result, you have to manually re-enter the password for dozens of laptops and phones. Worse, when an employee leaves, they can still sit in the hallway and leech the network or access internal resources because you haven’t updated the password for the entire company yet.
The issue is even more painful when deploying a VPN. Each employee has a unique username/password set stored locally on the server. If you forget to delete an account in one place when they quit, you’ve inadvertently left a critical security loophole.
Why Is Using a Pre-Shared Key (PSK) Suicidal?
Using WPA2-Personal with a single password for everyone makes your system extremely vulnerable:
- Loss of Identity: You can’t pinpoint exactly who is hogging 80% of the bandwidth or who is accessing malicious websites.
- Difficult Revocation: To block one person, you have to force the whole company to change to a new password.
- Brute-force Risk: Shared passwords are usually kept simple so that everyone can remember them, which also makes them easy to guess and invites password-guessing attacks.
To solve this once and for all, we need an AAA (Authentication, Authorization, Accounting) mechanism. FreeRADIUS is the leading open-source “lifesaver” to help you achieve this.
Common Centralized Authentication Options
Depending on your infrastructure scale, you can choose one of the following directions:
- LDAP/Active Directory: The optimal choice if the company runs a Windows Server ecosystem.
- Local Database on Router: Only suitable for small offices with fewer than 20 people using high-end routers.
- FreeRADIUS Server: The most flexible option. It acts as a “referee” in the middle. When a connection request comes in, the Router asks RADIUS: “Is this user valid?” RADIUS checks the database and returns the result in an instant.
Guide to Installing FreeRADIUS on Linux
I prefer using Ubuntu Server due to its large support community and high stability. FreeRADIUS is compatible with most devices from Cisco and Mikrotik to UniFi.
Step 1: Install Software Packages
Installation on Ubuntu is very straightforward:
sudo apt update
sudo apt install freeradius freeradius-utils -y
After installation, use the command systemctl status freeradius to ensure the service is in an active state.
Step 2: Declare Network Access Servers (NAS)
FreeRADIUS only accepts requests from trusted devices. You need to declare the IP of your Wi-Fi Router or VPN Server in the clients.conf file.
sudo nano /etc/freeradius/3.0/clients.conf
Add your device configuration:
client vps_office {
    ipaddr    = 192.168.1.1
    secret    = SecretPassword2024
    shortname = office-router
}
Pro Tip: When managing multiple branches with different IP ranges, I often use toolcraft.app/en/tools/developer/ip-subnet-calculator. This tool helps calculate CIDR and IP ranges accurately, preventing misconfigurations that stop the Router from connecting to RADIUS.
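Because clients.conf decides which devices are allowed to talk to RADIUS at all, it is worth checking it for the two classic mistakes: a client entry whose ipaddr covers far more hosts than one router, and a secret that is empty, short, or still the stock testing123. The following lint is an added example, not part of this guide or of FreeRADIUS; it parses simple, non-nested client blocks (the SAMPLE_CLIENTS_CONF text, the branch_any entry and the 16-character minimum are constructed for illustration).

```python
import ipaddress
import re

# Constructed sample clients.conf: the Step 2 entry plus one deliberately sloppy branch entry.
SAMPLE_CLIENTS_CONF = """
client vps_office {
    ipaddr = 192.168.1.1
    secret = SecretPassword2024
    shortname = office-router
}
client branch_any {
    ipaddr = 0.0.0.0/0
    secret = testing123
}
"""

def parse_clients(text):
    """Return {name: {key: value}} for each simple (non-nested) client block."""
    clients = {}
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        entries = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                entries[key] = value
        clients[name] = entries
    return clients

def audit_clients(text, min_secret_len=16):
    """Flag the mistakes that most often widen who may talk to RADIUS or weaken the secret."""
    findings = {}
    for name, c in parse_clients(text).items():
        issues = []
        ip = c.get("ipaddr") or c.get("ipv4addr", "")
        try:
            if ipaddress.ip_network(ip, strict=False).num_addresses > 256:
                issues.append(f"ipaddr {ip} allows more than one /24 of hosts")
        except ValueError:
            issues.append(f"ipaddr '{ip}' is missing or not a literal address/CIDR")
        secret = c.get("secret", "")
        if secret in ("", "testing123"):
            issues.append("secret is empty or the stock 'testing123'")
        elif len(secret) < min_secret_len:
            issues.append(f"secret shorter than {min_secret_len} characters")
        findings[name] = issues
    return findings
```

Run audit_clients on the text of /etc/freeradius/3.0/clients.conf; an empty list for a client means it passed.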
Step 3: Manage User Accounts
To start, we will add users to the users file. This is the fastest way to test the system before connecting it to MySQL or LDAP.
sudo nano /etc/freeradius/3.0/users
Add the following line to the top of the file:
nguyenvan_a Cleartext-Password := "VeryHardPass@2024"
        Reply-Message = "Welcome to Office Network"
Step 4: Debug Mode – The Ultimate Troubleshooting Trick
Don’t just restart the service normally. A common mistake is editing the config and then struggling to figure out why it won’t start. Run FreeRADIUS in Debug mode instead:
sudo systemctl stop freeradius
sudo freeradius -X
The entire handshake process and any syntax errors will be clearly displayed on the screen. If you see the line “Ready to process requests”, you’re 90% successful.
Step 5: Testing Authentication
Use the radtest tool to simulate a login request directly on the server. The last argument is the secret of the built-in localhost client in clients.conf (testing123 by default), not the secret you set for the router in Step 2:
radtest nguyenvan_a VeryHardPass@2024 localhost 0 testing123
If the result returned is Access-Accept, your system is ready to serve.
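To see what radtest actually puts on the wire, and why the shared secret must stay private, here is an added example (not part of the original guide or of FreeRADIUS) that builds an RFC 2865 Access-Request with PAP password hiding, builds the matching Access-Accept, and verifies its Response Authenticator the way a router must before trusting the reply. The user and password from Step 3, the Reply-Message, and the testing123 secret are the constructed inputs.

```python
import hashlib
import hmac
import secrets
import struct

def pap_hide(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_unhide(hidden, secret, req_auth):
    """Server side of pap_hide; the chain key is the previous *hidden* block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):          # Type, Length (value + 2 header bytes), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def parse_attrs(pkt):                 # {type: value} for everything after the 20-byte header
    out, i = {}, 20
    while i < len(pkt):
        out[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return out

def build_access_request(user, password, secret, ident, nas_port=0, req_auth=None):
    """Access-Request (code 1) with User-Name(1), User-Password(2) and NAS-Port(5)."""
    req_auth = req_auth or secrets.token_bytes(16)   # Request Authenticator, sent in clear
    attrs = attr(1, user) + attr(2, pap_hide(password, secret, req_auth))
    attrs += attr(5, struct.pack("!I", nas_port))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(ident, req_auth, secret, reply_message):
    """Access-Accept (code 2); its Response Authenticator proves the sender holds the secret."""
    attrs = attr(18, reply_message)                   # Reply-Message(18), as set in Step 3
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, req_auth, secret):
    """What the NAS must check before trusting a reply: MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

Anyone holding the secret can both recover the hidden password and forge an Access-Accept, which is why the clients.conf permissions in the lessons below matter.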
Configuration on Wi-Fi Router/VPN
On the end device (such as UniFi Controller or Mikrotik), switch the Security Mode to WPA2-Enterprise. Then enter the parameters:
- RADIUS Server IP: The IP address of your Linux machine.
- Shared Secret: SecretPassword2024 (set in Step 2).
- Port: 1812.
Critical Lessons for System Stability
- Open Firewall Ports: FreeRADIUS uses UDP ports 1812 (authentication) and 1813 (accounting). Don’t forget the command: sudo ufw allow 1812/udp (and the same for 1813/udp if you use accounting).
- Time Synchronization (NTP): If the time between the Router and Server drifts by more than 5 minutes, certificate-based authentication (EAP-TLS) will be rejected immediately.
- File Permissions: Always ensure the clients.conf file is only readable by the freerad user to prevent leaking the Secret Key.
Deploying FreeRADIUS might take some time initially, but it will make your life much easier in the long run. You can limit each user to only 2 devices or automatically disconnect them when their contract ends. If you encounter errors, just turn on -X mode—all the answers are there!
