
Download from:

https://freeradius.org/releases/

For installation instructions:

http://wiki.freeradius.org/guide/Getting%20Started

To install:
1) sudo apt-get install freeradius

To verify that it is installed:
2) freeradius -v

Run a quick config check:

3) sudo freeradius -CX

Output should be --> Configuration appears to be OK.

For config and setup details see: /etc/freeradius/3.0/README.rst

=======================================================================
Config files location: /etc/freeradius/3.0/
The server daemon is called freeradius on Ubuntu (Debian) and radiusd on other distros.

To view files:
sudo ls -l /etc/freeradius/3.0/

To edit:
sudo emacs -nw /etc/freeradius/3.0/radiusd.conf

Configuration is done in this file and the other associated files in that directory.
=======================================================================

STARTING THE SERVER:

When the server has been installed on a new machine, the first step is to start it
in debugging mode, as user root:

$ sudo -i (if not logged in as root)

root@linuxdesktop:~# freeradius -X

output:
-------
Ready to process requests

The above output means that the server is installed and configured properly.

INITIAL TESTS:
================

ADDING USERS:

1) Edit the users file:

If you list the files with sudo ls -l /etc/freeradius/3.0/, you will see that
the file "users" is a symbolic link to:
/etc/freeradius/3.0/mods-config/files/authorize

sudo emacs -nw /etc/freeradius/3.0/mods-config/files/authorize


2) Add the following line of text at the top of the file, before anything else:

testing Cleartext-Password := "password"

3) Start the server in debugging mode (freeradius -X), and run radtest from another
terminal window:

$ radtest testing password 127.0.0.1 0 testing123

NOTE: You should see the server respond with an "Access-Accept".
If it doesn't, the debug log will show why.

If you see the "Access-Accept" message, the following authentication methods now
work for the testing user:

PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PEAP, EAP-TTLS, EAP-GTC, EAP-MD5

FURTHER SET UP
===============

1) ADDING CLIENTS:

When we discuss clients, we mean clients of the RADIUS server, e.g. a wireless access
point, a network switch or another form of NAS. NOT the network clients, such as
laptops, tablets etc.: they do not talk directly to the RADIUS server.

Note:
The above test runs radtest from localhost.
It is useful to add a new client, which can be done by editing the clients.conf
file.

1) sudo emacs /etc/freeradius/3.0/clients.conf

2) Add the following content:

client new {
    ipaddr = 10.0.0.1
    secret = testing123
}

a) Change the ipaddr value above (10.0.0.1 in the example) to the address of the client
   which will be sending Access-Request packets.
b) The client should also be configured to talk to the RADIUS server, using the IP
   address of the machine running the RADIUS server.
c) The client must use the same secret as configured above in the client section.
   The secret testing123 is only for testing; each real client should get its own
   long, random secret.

Then restart the server in debugging mode (freeradius -X), and run a simple test
using the testing user.
You should see an Access-Accept in the server output.

Starting, stopping and checking status of FreeRADIUS:
=====================================================
sudo service freeradius status
sudo service freeradius start
sudo service freeradius stop

Example:
Inside /etc/freeradius/3.0/clients.conf there is an already defined local client:

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}

To test the user we run this at the terminal prompt once the freeradius service is
started:

$ radtest testing password 127.0.0.1 0 testing123

where:
Username = testing
Password = password
IP addr = 127.0.0.1 (this is the local host, but should be your client's IP address)
secret = testing123

Output:
###############################################################################
Sent Access-Request Id 34 from 0.0.0.0:48123 to 127.0.0.1:1812 length 77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
Received Access-Accept Id 34 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
###############################################################################
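The exchange above (an Access-Request carrying User-Password and Message-Authenticator, an Access-Accept back), as an added Python example that is not radtest's or FreeRADIUS's own code. It uses the page's testing/password/testing123 values and shows the Response Authenticator check a client must make before trusting an Access-Accept, which is why the shared secret has to match on both sides.

```python
import hashlib, hmac, os, struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80  # attribute types radtest sends

def _crypt_user_password(data, secret, authenticator, encode):
    """RFC 2865 5.2: 16-byte blocks, each XORed with MD5(secret + previous ciphertext
    block), the first 'previous block' being the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encode else data[i:i + 16])
    return out

def encode_user_password(password, secret, authenticator):
    # Hidden only as well as the shared secret is kept: an MD5 keystream, not real encryption
    return _crypt_user_password(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def decode_user_password(encoded, secret, authenticator):  # server side; strips the zero padding
    return _crypt_user_password(encoded, secret, authenticator, False).rstrip(b"\x00")

def attr(t, value):  # Type, Length (including the 2 header bytes), Value
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attrs(packet):
    attrs, pos = {}, 20  # attributes start after the 20-byte RADIUS header
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def build_access_request(ident, user, password, secret, nas_ip=b"\x7f\x00\x01\x01"):
    """Same packet radtest sends (77 bytes for testing/password); returns (packet, authenticator)."""
    auth = os.urandom(16)  # Request Authenticator: fresh random bytes for every request
    attrs = (attr(USER_NAME, user) + attr(USER_PASSWORD, encode_user_password(password, secret, auth))
             + attr(NAS_IP_ADDRESS, nas_ip) + attr(NAS_PORT, struct.pack("!I", 0)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18)  # code 1 = Access-Request
    # Message-Authenticator (RFC 2869 3.2): HMAC-MD5 over the whole packet with its own value zeroed
    mac = hmac.new(secret, header + auth + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16), hashlib.md5).digest()
    return header + auth + attrs + attr(MESSAGE_AUTHENTICATOR, mac), auth

def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Server reply: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))  # code 2 = Access-Accept, 20 bytes when empty
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_authenticator_ok(response, request_auth, secret):
    """The check a NAS must make before trusting an Access-Accept (RFC 2865 section 3)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A reply built with a different secret, or with its authenticator replaced, fails the check, so a mismatched secret shows up as silently dropped replies rather than an Access-Reject.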

NEXT STEPS:
The next step is to configure access points, switches, routers etc. to point to
the RADIUS server. These authenticators are listed in
/etc/freeradius/3.0/clients.conf, with their secret.

NB: Their configured secret should match the one in the above file.

EAP METHODS (802.1X): for Port-based Network Authentication.
==============================================================

1) The EAP configuration is located at:

sudo emacs /etc/freeradius/3.0/mods-available/eap

FreeRADIUS uses md5 as the default EAP type.

Configuring the Server:
==============================================================

Other important files are:

server config file: /etc/freeradius/3.0/radiusd.conf

Changing the server configuration should be done via the following steps:
1) Start with a "known working" configuration, such as supplied by the default
installation.
2) Make one small change to the configuration files.
3) Start the server in debugging mode (radiusd -X).
4) Verify that the results are what you expect:
- The debug output shows any configuration changes you have made.
- Databases (if used) are connected and operating.
- Test packets are accepted by the server.
- The debug output shows that the packets are being processed as you expect.
- The response packets contain the attributes you expect to see.
- If everything is OK, save a copy of the configuration, go back to step (2), and
make another change.

If anything goes wrong:
- double-check the configuration;
- read the entire debug output, looking for words like error or warning. These
messages usually contain descriptions of what went wrong, and suggestions for how
it can be fixed.

Example with CISCO Switch:
