Raspberry Pi – Radius (Part 1)

Version used – 2013-09-25-wheezy-raspbian

Having a test radius server is handy when you are trying to troubleshoot an existing radius implementation or you want to get experience with it while studying for a certification exam.

The process get started with these two commands –

sudo apt-get update
sudo apt-get install freeradius

The first thing that you will want to do is create a user to authenticate with. You will do this using this command – sudo nano /etc/freeradius/users.

Here is the username that I created to start with – cisco Cleartext-Password := “cisco123”.

When making any changes to freeradius, you will need to stop and then start freeradius for it to re-read the configuration files –
sudo service freeradius stop
sudo service freeradius start

If you have made any mistakes in the any change to the freeradius configuration, you should expect to see a problem with freeradius starting.

A part of the freeradius installation process install a troubleshooting tool called radtest. Since we dont have a hardware device to authenticate against setup yet, we will test using the loopback device configured by default in freeradius. When using this tool using for the device address, 0 for the port number and testing123 for the radius secret.

pi@raspberrypi:/etc/freeradius$ radtest cisco cisco123 0 testing123
Sending Access-Request of id 155 to port 1812
User-Name = “cisco”
User-Password = “cisco123”
NAS-IP-Address =
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host port 1812, id=155, length=20

This test can be done from local console and initially doesnt show up in freeradius log file. The example above with Access-Accept is one you want to see indicating that the user has authenticated successfully. Now we will retry the test using an incorrect password.

Sending Access-Request of id 136 to port 1812
User-Name = “cisco”
User-Password = “cisco1234”
NAS-IP-Address =
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host port 1812, id=136, length=20

The next thing we need to do is establish a profile that will allow physical devices on the network to authenticate using radius. We need to make a change to the radius configuration file – sudo nano /etc/freeradius/client.conf.

This entry can be used to allow all devices on a particular subnet to use the same shared secret.

client {
secret = testing123-1
shortname = private-network-1

Make sure that you using the { and } brackets like you see here or radius will have a problem in restarting. After making this change, restart radius. You can add individual device or using subnet mask to create one entry to service a multiple devices by changing the subnet mask you use.

To get the login attempts to show up in the radius log file, you will need to make a couple of changes to the main config file, sudo nano /etc/freeradius/radiusd.conf.

To see the authentication requests as they come through, you will want to make a few changes to the radiusd.conf file. Look for the log { section of the config, change auth = to yes to allow the request to be written to the log file. At a minimum you will want to set the auth_badpass to yes so that when a user complains they cant login, you can see the password they are using. For a similar reason, you probably should set the auth_goodpass to no so that you dont see the users password when they are using the correct one.

Here is the output you should see based on the following statements –

Tue Oct 15 14:01:36 2013 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [cisco/cisco] (from client lab-net port 0)
Tue Oct 15 14:01:52 2013 : Auth: Login OK: [cisco] (from client lab-net port 0)

To see the logfile that radius writes to – sudo tail /var/log/freeradius/radius.log

Using the tail -f command will show you what is going on in realtime. To see all of the files in the /etc/freeradius directory, need to do sudo ls -all.

Upcoming installments of this series will show the configuration on cisco and juniper platforms, integration with AD and other configuration options.

To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/.

Send to Kindle
This entry was posted in Blog Entries, Raspberry Pi and tagged . Bookmark the permalink.