Establishing access to a wireless network in an office or corporate environment requires more than just a secure password, but a comprehensive user identification system. Using the protocol RADIUS (Remote Authentication Dial-In User Service) allows you to centrally manage access, track traffic, and ensure a high level of security. Instead of changing the shared password on the router when an employee leaves, you simply lock their account on the server.
Implementing such a system may seem like a complex task, requiring in-depth knowledge of Linux and network protocols. However, by following proven algorithms, it is possible to deploy a fully functional FreeRADIUS Even on basic hardware. This solution will form the foundation for building a scalable network, where each user is individually authenticated via WPA2-Enterprise or WPA3-Enterprise.
In this article, we'll walk you through the process of creating a server from scratch, from operating system installation to fine-tuning client devices. You'll learn how to link the authorization server to access points and which parameters are critical for the stable operation of the entire infrastructure.
Operating principles and security architecture
The RADIUS protocol operates on a client-server model, with network access servers (NAS) such as Wi-Fi routers or switches serving as entry points, and an authorization server serving as the central element. When a device attempts to connect to the network, it sends a request to the server, which verifies the credentials against a database. Only after receiving a positive response is access to resources granted.
The key advantage of this architecture is the separation of functions. The access point does not store user passwords or make access decisions; it merely acts as an intermediary. This significantly improves safety, since even if the access point is compromised, the attacker won't gain access to the account database. All connection logs and statistics are also centrally collected on the server.
⚠️ Attention: By default, the RADIUS protocol uses UDP ports 1812 (authorization) and 1813 (accounting). Ensure that these ports are open on your firewall, not the obsolete 1645 and 1646 ports used in earlier versions of the specification.
A shared secret key is used to encrypt traffic between the client and server. This key must be complex and unique for each connecting network device. FreeRADIUS supports various methods of storing user data, from simple text files to complex SQL databases such as MySQL or PostgreSQL.
Preparing the server environment and installing FreeRADIUS
The most stable platform for deploying an authorization server is the Linux operating system. We'll use the Ubuntu Server distribution, as it has excellent package support and a large community. Before beginning the installation, you need to update the repositories and install basic network utilities.
Installing the server itself FreeRADIUS In Debian-like systems, this is done using the standard package manager. This automatically configures the necessary dependencies and creates initial configuration files. The process takes only a few minutes and does not require manual source code compilation.
sudo apt update
sudo apt install freeradius freeradius-utils -y
After installation, the service starts automatically. It's important to check the service status to ensure there are no startup errors. For an initial check, you can run the server in debug mode, which will allow you to view requests in real time in the console.
☑️ Checking FreeRADIUS installation
During the setup process, you will often have to edit the configuration files located in the directory /etc/freeradius/. The main focus should be on files clients.conf and module settings sql, if you plan to use a database. Configuration file syntax is case-sensitive and indentation-sensitive.
Setting up clients and secret keys
The server must know which devices are authorized to send authorization requests. These devices are called clients and are described in the file clients.confFor each client, you need to specify the IP address (or subnet), name and, most importantly, Secret (secret key).
The secret key is used to encrypt passwords within RADIUS packets and for mutual authentication between the server and client. If the keys on the server and router do not match by even one character, authorization will fail. It is recommended to use complex, random strings of at least 16 characters.
client wifi-office {ipaddr = 192.168.1.254
secret = sUp3rS3cr3tK3y2026!
shortname = OfficeAP
nastype = other
}
In the configuration, you can define clients not only by specific IP addresses but also by entire subnets, which is convenient for large networks with dedicated VLANs for access equipment. However, for security reasons, it's best to define each device individually to ensure full control over the list of trusted devices.
What to do if the access point IP address is dynamic?
If the access point receives an address via DHCP, it is better to reserve a static IP for it on the DHCP server or use an address range in clients.conf, although the latter method is less secure.
After adding a client record, you must restart the RADIUS service or send a re-configuration signal. Changes in the file clients.conf are applied only after restarting the service freeradiusDon't forget to check the logs after each change.
Creating users and managing access
To get started, simply create users in a local file. usersThis is a simple text file, where each line corresponds to a user or group. This approach is suitable for small networks with no more than a few dozen users.
In the file users You can set not only passwords but also access attributes, such as VLAN ID, session time, or traffic limits. This allows for flexible management of permissions for different categories of employees directly from the server configuration without having to adjust switch settings.
| User | Password | Attributes | Description |
|---|---|---|---|
| ivanov | password123 | Tunnel-Private-Group-ID = "10" | Office employee |
| guest | guest2026 | Session-Timeout = 3600 | Guest access |
| admin | strongpass | Tunnel-Private-Group-ID = "99" | Administrator |
When storing passwords in a file users It is highly recommended to use hashing (such as MD5 or SHA1) rather than storing them in cleartext. FreeRADIUS supports various encryption schemes, which improves overall safety systems even if configuration files are leaked.
⚠️ Attention: The interfaces and exact field names in router web configurators (Mikrotik, Ubiquiti, Cisco) may differ depending on the firmware version. Always consult the official documentation from your equipment manufacturer before entering parameters.
For more complex scenarios, such as integration with Active Directory or LDAP, a connection via SQL or specialized modules is used. This allows for the use of existing employee accounts without creating duplicate users on the RADIUS server.
Access Point Configuration and WPA2-Enterprise
On the access point (or wireless network controller), you need to create a new SSID with the WPA2-Enterprise (or WPA3-Enterprise) security type. Unlike Personal (PSK) mode, this doesn't require a single password; instead, you configure RADIUS server settings.
You will need to specify the IP address of the authorization server, the port (default 1812) and the same Secret, which you wrote in the file clients.confThe access point will act as an intermediary, forwarding requests from clients to the server and receiving a verdict of "Accept" or "Reject".
radius-server {servers {
server radius-local {
address = 192.168.1.100
port = 1812
secret = "sUp3rS3cr3tK3y2026!"
type = auth
}
}
}
Setting the timeout period is crucial. If the server doesn't respond within a certain amount of time, the access point can retry the request or switch to a backup server. Properly setting these parameters will prevent long connection delays for users during temporary network outages.
Connecting clients and diagnosing problems
When connecting a smartphone or laptop to a WPA2-Enterprise network, the device will request a login and password. Unlike regular Wi-Fi, you must enter the user credentials defined on the server. Operating systems may also require confirmation of the server certificate.
A common problem is the "Unable to connect" error or an endless authorization loop. In 90% of cases, this is due to an incorrect secret key on the access point or an incorrect username format. Use the following utility for diagnostics: radtest, which simulates a request from a client.
radtest ivanov password123 localhost 0 testing123
If the test request is successful but clients cannot connect, the problem lies with the EAP encryption settings or certificates. Corporate networks often require installing a root certificate on client devices to protect against man-in-the-middle attacks.
Why does my phone say "Certificate is not valid"?
This is a normal OS response to a self-signed certificate, which is often used on internal networks. For corporate deployments, it is recommended to use certificates from a trusted authority (CA) or forcefully install the organization's root certificate on all user devices.
Can I use RADIUS with a regular home router?
Most consumer routers (TP-Link, entry-level D-Link) do not support RADIUS Client mode for WiFi. This feature is typically found in business-class models (Mikrotik, Keenetic, Asus with Merlin firmware, Ubiquiti).
How to reset the time counter for a user?
If you use session timeouts, the session is reset automatically after the session ends or after the time specified in the user attributes expires. To force a session disconnect, you can use the radclient command with the Disconnect package.
Setting up a RADIUS server is an investment in the security and manageability of your network. While it may take some initial time to configure, it will save you hundreds of hours of password administration and connection monitoring down the road.