Setting Up a RADIUS Server on Linux

Install FreeRADIUS on Linux to provide centralized network authentication. Configure a client (router/access point), add users, test with radtest, and harden for production use.

RADIUS (Remote Authentication Dial-In User Service) is a protocol for centralized network authentication. Instead of configuring credentials on each router or access point separately, you configure them once on a RADIUS server and all network devices authenticate against it. Common uses include Wi-Fi enterprise authentication (WPA2-Enterprise), VPN login, and managed switch access.

This guide sets up FreeRADIUS — the most widely deployed open-source RADIUS server.

Installation

sudo apt update
sudo apt install freeradius -y

The service starts automatically. Verify it's running:

sudo systemctl status freeradius

FreeRADIUS listens on UDP ports 1812 (authentication) and 1813 (accounting) by default.

Configuration Directory

FreeRADIUS 3.x configuration lives in /etc/freeradius/3.0/:

/etc/freeradius/3.0/
├── clients.conf      ← which devices can talk to this server
├── users             ← user credentials (simple/testing use)
├── radiusd.conf      ← main server configuration
└── mods-enabled/     ← authentication modules

Step 1: Add a RADIUS Client

A "client" in RADIUS terminology is the network device that sends authentication requests (your router, access point, or VPN gateway) — not the end user.

Edit the clients file:

sudo nano /etc/freeradius/3.0/clients.conf

Add your specific device. Never use 0.0.0.0/0 (any IP) in production:

client my-router {
    ipaddr          = 192.168.1.1      # IP of your router/AP
    secret          = your-shared-secret-here
    shortname       = home-router
}

The secret is a shared password between FreeRADIUS and the client device — configure the same value on your router's RADIUS settings.

Step 2: Add Users

For simple setups, add users to the flat-file database:

sudo nano /etc/freeradius/3.0/users

Add entries near the top of the file:

alice   Cleartext-Password := "alice_password"
bob     Cleartext-Password := "bob_password"

Security note: Cleartext passwords in the users file are acceptable for internal testing but not ideal for production. FreeRADIUS supports LDAP, Active Directory, SQL databases, and EAP methods (certificates) for more secure authentication. See the mods-available/ directory for available modules.

Step 3: Restart FreeRADIUS

sudo systemctl restart freeradius

Step 4: Test Authentication

FreeRADIUS includes radtest for testing:

radtest alice alice_password 127.0.0.1 0 testing123

Parameters: username password radius-server NAS-port secret

The default testing secret (testing123) is configured in clients.conf for 127.0.0.1.

A successful response looks like:

Sent Access-Request Id 123 from 0.0.0.0:58000 to 127.0.0.1:1812
Received Access-Accept Id 123 from 127.0.0.1:1812

A failed response returns Access-Reject.

Step 5: Configure Your Router/Access Point

On your router or Wi-Fi access point, find the RADIUS or WPA2-Enterprise settings and enter:

  • RADIUS Server IP: your Linux server's IP
  • RADIUS Port: 1812
  • Shared Secret: the value you set in clients.conf

Firewall Rules

Allow RADIUS traffic through UFW:

sudo ufw allow from 192.168.1.1 to any port 1812 proto udp  # from your router only

Avoid opening port 1812 to the entire internet.
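
Before a server leaves the lab, clients.conf can be checked for the mistakes this guide warns about: a catch-all client (0.0.0.0/0) and a placeholder or default shared secret such as testing123. The following is an added example, not code from the original article or from the FreeRADIUS project; the sample config is constructed, and the function names and the MIN_SECRET_LEN threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample clients.conf for this example (not a real deployment).
SAMPLE = """
client my-router {
    ipaddr = 192.168.1.1      # IP of your router/AP
    secret = your-shared-secret-here
}
client lab-any {
    ipaddr = 0.0.0.0/0
    secret = testing123
}
"""
MIN_SECRET_LEN = 16  # assumed policy threshold, not a FreeRADIUS default
PLACEHOLDERS = {"testing123", "your-shared-secret-here"}

def parse_clients(text):
    """Return {client_name: {key: value}} for every client block."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        m = re.match(r"client\s+(\S+)\s*\{", line)
        if m:
            current = clients.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value.strip('"')
    return clients

def audit(text):
    """Return (client, finding) tuples for risky client definitions."""
    findings = []
    for name, cfg in parse_clients(text).items():
        secret = cfg.get("secret", "")
        try:
            net = ipaddress.ip_network(cfg.get("ipaddr", ""), strict=False)
        except ValueError:
            net = None  # hostname or missing ipaddr
        if net is not None and net.prefixlen == 0:
            findings.append((name, "accepts requests from any IP"))
        if net is not None and net.is_loopback:
            continue  # loopback-only test client: secret not judged
        if secret in PLACEHOLDERS:
            findings.append((name, "placeholder or default secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret shorter than {MIN_SECRET_LEN} chars"))
    return findings
```

To check a live server, pass the contents of /etc/freeradius/3.0/clients.conf to audit(); reading that file may require sudo.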

Debugging

Run FreeRADIUS in debug mode to see detailed authentication logs:

sudo systemctl stop freeradius
sudo freeradius -X

Test with radtest in another terminal. Debug mode shows each step of the authentication process, making it easy to diagnose configuration errors.

Conclusion

FreeRADIUS is powerful but has a steep learning curve for advanced authentication methods. For a home or small office setup using WPA2-Enterprise, the flat-file users configuration shown here is sufficient. For larger deployments, connect FreeRADIUS to an LDAP directory or database backend, and use EAP-TLS (certificate-based) authentication for the strongest security.