by Mark

Setup and Configuration of FreeRadius + MySql on Ubuntu 14.04 64bit

  • freeradius
  • ubuntu14
  • mysql

The FreeRADIUS Server is a daemon for Unix and Unix-like operating systems that lets you set up a RADIUS protocol server, which can be used for authentication and accounting for various types of network access. To use the server, you also need a correctly set up client that talks to it. Examples are hotspots, VPN software such as OpenVPN, strongSwan or SoftEther, and some router operating systems.

In this tutorial we will install a freeradius server with mysql support on the Ubuntu 14.04 64-bit distro.


This tutorial requires the following ingredients to set up freeradius+mysql:
- an Ubuntu 14 64bit server
- Root Access to the server
- An SSH client (you can download PuTTY or Bitvise, depending on your operating system and liking)

We shall be making a basic freeradius setup with a mysql database for storing user credentials and other information.

Installing Freeradius

Let us first update our distro's package lists so we can be sure we will be able to install the required applications.
sudo apt-get update
Then we will install freeradius:
sudo apt-get install freeradius freeradius-mysql
'freeradius-mysql' is the freeradius module that lets freeradius communicate with the mysql server. The MySQL server will store the data freeradius needs to authenticate the client machine.

Next, we will need to edit the default file to change the AAA mechanism of freeradius from file system to sql server.
nano /etc/freeradius/sites-enabled/default

Then we will have to comment out every line that says 'files' and un-comment the lines that say 'sql'. Below is a summary of the final result, showing only the lines we touch. Please do not remove any lines in the default configuration; just comment the 'files' lines and un-comment the 'sql' lines.

authorize {
#	files
	sql
}
authenticate {
}
preacct {
#	files
}
accounting {
	sql
}
session {
	sql
}
post-auth {
	sql
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		sql
	}
}

Save the file and exit.

Next, we will go to the main radius configuration file. We will enable the mysql module so we can use it later on.
nano /etc/freeradius/radiusd.conf
We will un-comment the line:
$INCLUDE sql.conf

You can exit after saving the configuration file.

After all the configurations are done we will enter our MySQL server access credentials into radius. If you already have credentials you can use them; if not, here are sample credentials for now.
nano /etc/freeradius/sql.conf

Edit the file and supply your MySQL credentials.

sql {
	database = "mysql"
	server = "localhost"
	login = "sampleuser"
	password = "samplepassword"
	radius_db = "radius"
	# un-comment read_groups
	read_groups = yes
	# un-comment readclients
	readclients = yes
}

Save it and exit.

We will come back to Freeradius later on. For now we will install mysql.

Installing & Configuring MySql

To install MySQL, execute the command:
sudo apt-get install mysql-server
Enter and repeat the password for the new MySQL root user.

Log in to MySQL as root and create the radius database and user. The grant is limited to the radius database, which is all freeradius needs.
mysql -u root -p
CREATE DATABASE radius;
CREATE USER 'sampleuser'@'localhost' IDENTIFIED BY 'samplepassword';
GRANT ALL PRIVILEGES ON radius.* TO 'sampleuser'@'localhost';

Then exit Mysql root to command line.

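Next, we will import the SQL files for freeradius into the 'radius' database. The schema.sql and nas.sql files are located in the '/etc/freeradius/sql/mysql' folder. Run the imports from a root shell: the redirected file is opened by your own shell, so if your user cannot read these files the shell reports 'Permission denied'.
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql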

Populating Radius Database

It is important that we enter the correct values into the radius database so that Freeradius can read them; otherwise, Freeradius will throw an error during operation. The information we want to enter is the following:

  1. Freeradius client IP and secret (the secret should be unique per freeradius client; it can be alphanumeric, and more than 10 characters is most recommended).
  2. User names and passwords.
  3. Freeradius check values for groups and individual users.
  4. Freeradius reply values for groups and individual users.

First, we will enter the freeradius client information into the nas table. Enter mysql root and execute the commands below, replacing the placeholder CLIENT_IP with the IP address of your RADIUS client.
USE radius;
INSERT INTO nas VALUES (NULL, 'CLIENT_IP', 'myNAS', 'other', NULL, 'mysecret', NULL, NULL, 'RADIUS Client');

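Then we will enter user information into the radcheck table. Cleartext-Password is the attribute FreeRADIUS expects for a stored password; User-Password is what the client sends in the request.
INSERT INTO radcheck (username, attribute, op, value) VALUES ('thisuser', 'Cleartext-Password', ':=', 'thispassword');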
Then we need to assign the user a group.
INSERT INTO radusergroup (username, groupname, priority) VALUES ('thisuser', 'thisgroup', '1');

After that we assign the reply properties for the group in the radgroupreply table.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('thisgroup', 'Service-Type', ':=', 'Framed-User'), ('thisgroup', 'Framed-Protocol', ':=', 'PPP'), ('thisgroup', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP');
All is done for now. Exit MySQL root and go to the next step.

Testing Freeradius+Mysql installation

To test the setup we will have to run freeradius in debug mode. We will execute the below command.
service freeradius stop
freeradius -X

To check that freeradius is running, you should see the following lines on your screen.

 ... adding new socket proxy address * port 55302
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

Download NTRadPing (Windows only) and enter the following information.

  1. Your Freeradius server ip
  2. Your username and password (you entered into radcheck earlier)
  3. Your secret (you entered into nas table earlier)
  4. Port is standard 1812 for authentication (do not change it)

If your test is successful you will see the Access-Accept line in NTRadPing.
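
For readers without Windows, the same check can be scripted. The following is an added example, not part of the original tutorial or of FreeRADIUS: it builds the Access-Request that a test client sends, hides the password with the shared secret, and verifies the reply's Response Authenticator so that a wrong secret is detected. The function names and the NAS-Identifier value are assumptions, and the server is assumed not to require Message-Authenticator.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def build_access_request(ident, user, password, secret, authenticator, nas_id=b"myNAS"):
    """Access-Request (code 1) with User-Name, User-Password and NAS-Identifier."""
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_password(password, secret, authenticator)),
                             (32, nas_id)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(reply, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    reply = reply[:length]  # octets beyond Length are padding
    digest = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(digest, reply[4:20])

def radius_ping(server, user, password, secret, port=1812, timeout=3.0):
    """Send one Access-Request and return the verified reply type.
    socket.timeout here usually means the server dropped the packet silently
    (client IP not known to the server, or blocked by a firewall)."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    request = build_access_request(ident, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    if reply[1:2] != bytes([ident]) or not reply_is_authentic(reply, authenticator, secret):
        raise ValueError("reply failed the Response Authenticator check (wrong secret?)")
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], "other")

if __name__ == "__main__":
    # Offline demo with constructed values (the tutorial's sample names, fixed authenticator).
    req = build_access_request(1, b"thisuser", b"thispassword", b"mysecret", bytes(range(16)))
    print(len(req), req.hex())
```

Against a live server, call radius_ping with byte strings, for example radius_ping("your-server-ip", b"thisuser", b"thispassword", b"mysecret").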

Simultaneous-Use on Freeradius

Simultaneous-Use is used to control simultaneous logins of users in a particular service by the number entered in the database. It works by reading the accounting table for sessions of the username that are currently logged in. If none is found, the connecting user is allowed to authenticate, but if the limit is reached, the connecting user is rejected.

To enable simultaneous-use limit we un-comment the line in '/etc/freeradius/sql/mysql/dialup.conf'.

simul_count_query = "SELECT COUNT(*) \
                     FROM ${acct_table1} \
                     WHERE username = '%{SQL-User-Name}' \
                     AND acctstoptime IS NULL"

Then enter the required value in the radgroupcheck table.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('thisgroup', 'Simultaneous-Use', ':=', '3');
This means that users in the group 'thisgroup' are allowed up to three simultaneous logins before being rejected.
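
The decision described above, as an added example that is not part of the original tutorial or FreeRADIUS code: it runs the tutorial's simul_count_query against a reduced, in-memory copy of the tables (sqlite3 standing in for MySQL; the helper names and the cut-down schema are assumptions). It also shows the dependency on accounting: the count only moves when Start and Stop records reach radacct, so a NAS that sends no accounting never hits the limit and a missed Stop keeps a session counted.

```python
import sqlite3

# The tutorial's simul_count_query with ${acct_table1} expanded to radacct.
SIMUL_COUNT_QUERY = "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL"

def make_db():
    """In-memory stand-in for the radius database (columns reduced to what is used)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct (acctuniqueid TEXT PRIMARY KEY, username TEXT,
                              acctstarttime TEXT, acctstoptime TEXT);
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        INSERT INTO radusergroup VALUES ('thisuser', 'thisgroup', 1);
        INSERT INTO radgroupcheck VALUES ('thisgroup', 'Simultaneous-Use', ':=', '3');
    """)
    return db

def accounting(db, session_id, username, status, when):
    """Record an Accounting-Request: Start opens a row, Stop fills in acctstoptime."""
    if status == "Start":
        db.execute("INSERT INTO radacct VALUES (?, ?, ?, NULL)", (session_id, username, when))
    elif status == "Stop":
        db.execute("UPDATE radacct SET acctstoptime = ? WHERE acctuniqueid = ?",
                   (when, session_id))

def login_allowed(db, username):
    """Accept only while the open-session count is below the group's Simultaneous-Use."""
    row = db.execute(
        "SELECT CAST(c.value AS INTEGER) FROM radusergroup g "
        "JOIN radgroupcheck c ON c.groupname = g.groupname "
        "WHERE g.username = ? AND c.attribute = 'Simultaneous-Use' "
        "ORDER BY g.priority LIMIT 1", (username,)).fetchone()
    if row is None:
        return True  # no limit configured for this user's groups
    (open_sessions,) = db.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()
    return open_sessions < row[0]

if __name__ == "__main__":
    db = make_db()
    for n in range(3):  # constructed sessions for the tutorial's sample user
        accounting(db, f"sess-{n}", "thisuser", "Start", "2015-01-01 10:00:00")
    print("4th login allowed:", login_allowed(db, "thisuser"))
    accounting(db, "sess-0", "thisuser", "Stop", "2015-01-01 11:00:00")
    print("after one Stop:", login_allowed(db, "thisuser"))
```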

Whewww!! Such a long tutorial, but it's all worth it. I hope you have learned a lot reading my guides and I am sure that you will be reading this a lot more than before.

comments (7)

  • JaredRampartap

    reply 0 10 months ago

    Hey, when I run "mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql; " I get "permission denied". Please tell me what I have to do to fix this. Thanks in advance for your help.

    • Mark

      reply 0 10 months ago

      remove the "<" and run it again. I think there is an issue with the webpage showing special characters.


        reply 0 9 months ago

        I removed it and replaced it with a "<" but it still said permission denied. I enter the below: mysql -uroot -p radius < /etc/freeradius/sql/mysql/schema.sql and get this: /etc/freeradius/sql/mysql/schema.sql: Permission denied

  • Mark

    reply 0 10 months ago

    remove the "&lt;" and run it again. I think there is an issue with the webpage showing special characters.


    reply 0 7 months ago


    Can I use this tutorial if I want to use freeradius as AAA for pfsense captive portal?

  • rizky

    reply 0 6 months ago

    My Simultaneous-Use can't run, when I log in on 3 devices and I limit on mysql 1 device. Please help

  • Kat K

    reply 0 4 months ago

    I am not able to get NTRadPing to work.

    I get this error: Ignoring request to authentication address * port 1812 from unknown client port 61031

    I seek your help. Appreciate your time and the article. I must be doing something very stupid.
