Wireless security: The FreeRADIUS Project

With all the wireless security options available today, deciding which way to go can be confusing. Aside from the basics, like using strong encryption to hide the SSID, what other methods can we use to better secure our networks? Here's a look at my personal favorite, FreeRADIUS.

RADIUS Introduction

Remote Authentication Dial-in User Service (RADIUS) provides better security through an authentication, authorization, and accounting (AAA) protocol. This technology is designed to make the user present authorized credentials before being granted network access. Internet providers commonly use this method to verify that a user is a current customer and to determine the user's access rights.

However, RADIUS also offers security benefits for corporate and even home networks. There are many flavors of RADIUS software available, and many methods of implementing it. The open source community has released several RADIUS packages that are available for download at no cost under the GNU General Public License (GPL).

I find The FreeRADIUS Project to be one of the most complete open source RADIUS software packages available. It's compatible with nearly any network configuration and a wide variety of operating systems (including Windows, Linux, Unix, and Macintosh). The FreeRADIUS project includes detailed installation instructions as well as support, an FAQ, and a wiki project for the best support the open source community has to offer.

FreeRADIUS Installation

According to the FreeRADIUS project's Web site, there are over 50,000 deployments of the FreeRADIUS software. This software is available on many different platforms but is only supported on a Unix-based operating system such as Linux, BSD, or most recently, Mac OS X. The current release of FreeRADIUS is available on SUSE Linux 8.0 and up, as well as on the Mac OS X Leopard Server installation media. For other distributions, you may download the source files or find the binary, TAR, or RPM package at your distribution's Web site. The FreeRADIUS project does not offer a release for a Windows-based server as of this writing, but the software can be deployed on a Windows network. The FreeRADIUS project wiki has several links to information on Windows integration.

Before installing the software, you must download and uncompress the source file using the following command:

tar -zxvf freeradius.tar.gz

Next, you'll need to compile the source code. Change to the directory that contains the uncompressed files and execute the ./configure command. You may add several flags to the configure command to change the way that the software will install. Refer to Table A for a set of flags that you can use.

Table A

Flag | Description | Default
--enable-shared[=PKGS] | Builds shared libraries. | YES
--enable-static[=PKGS] | Builds static libraries. | YES
--enable-fast-install[=PKGS] | Optimizes the resulting files for fastest installation. | YES
--with-gnu-ld | Makes the procedure assume the C compiler uses GNU ld. | NO
--disable-libtool-lock | Avoids locking problems. This may break parallel builds. | N/A
--with-logdir=DIR | Specifies the directory for log files. | N/A
--with-radacctdir=DIR | Specifies the directory for detail files. | N/A
--with-raddbdir=DIR | Specifies the directory for configuration files. | N/A
--with-dict-nocase | Makes the dictionary case insensitive. | YES
--with-ascend-binary | Includes support for attributes provided with the Ascend binary filter. | YES
--with-threads | Uses threads if they're supported and available. | YES
--with-snmp | Compiles SNMP support into the binaries. | N/A
--with-mysql-include-dir=DIR | Specifies where the include files for MySQL can be found. | N/A
--with-mysql-lib-dir=DIR | Specifies where the dictionary files for MySQL can be found. | N/A
--with-mysql-dir=DIR | Specifies where MySQL is installed on the local system. | N/A
--disable-ltdl-install | Does not install libltdl. | N/A
--with-static-modules=QUOTED-MODULE-LIST | Compiles the list of modules statically. | N/A
--enable-developer | Turns on extra developer warnings in the compiler. | N/A

To use the common locations to compile the files, use the following command:

./configure --localstatedir=/var --sysconfdir=/etc

The files are now ready to be compiled in the default locations. Now that the package is prepared to be installed, you'll start the actual installation process with the following commands:

make
make install

This will install the software and add the configuration files to the server. If you haven't used RADIUS software on this server prior to installing FreeRADIUS, new configuration files will be created. If you have used RADIUS on this computer before, the installer will skip the new configuration files and keep the ones you used previously. In that case, the installer will notify you of the files that were not installed.

At this point your software is installed. Next you'll need to configure the software before you're ready to start using it. The configuration files you'll need to edit are simple text documents that you can edit using your favorite text editor. I use Nano for this. If you chose the default directories for the installation, you'll find the configuration files in the /etc/raddb directory.

After you configure the files to your specific needs, you're ready to start the software and test your configuration. The most common port used in RADIUS is port 1645. The default for this software is 1812. You may use the port that your network is configured for or leave it at the default. I will have RADIUS listen on the most common port with the following command:

radius:/etc/raddb # radiusd -p 1645

You'll now receive the "starting..." message. When it's done, you'll return to the radius:/etc/raddb # prompt. Your FreeRADIUS is now installed and running!

The next step you might want to follow is a quick test before fully deploying your RADIUS server. To do this, I choose NTRadPing. NTRadPing is a freeware utility that is available for download from Master Soft's Web site.
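
The quick test described above can also be scripted from the server itself. The following is an added example, not part of the original article or of the FreeRADIUS project: a small Python client that sends a password (PAP) Access-Request as defined in RFC 2865 to port 1645 and accepts the answer only if its Response Authenticator verifies against the shared secret. The user name, password, shared secret and NAS identifier are constructed placeholders and must match what you configured in /etc/raddb.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32      # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)         # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, authenticator):
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IDENTIFIER, b"radtest-example"))  # hypothetical NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret)
    return hmac.compare_digest(digest.digest(), reply[4:20])

def radius_ping(host, port, user, password, secret, timeout=3.0):
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(ident, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    if not reply_is_authentic(reply, authenticator, secret) or reply[1] != ident:
        return "reply failed verification (wrong shared secret?)"
    return {ACCESS_ACCEPT: "Access-Accept",
            ACCESS_REJECT: "Access-Reject"}.get(reply[0], "unexpected code")

if __name__ == "__main__":
    # Constructed values: user, password and shared secret are placeholders.
    print(radius_ping("127.0.0.1", 1645, b"testuser", b"testpass", b"testing-secret"))
```

A reply that fails verification usually means the client and server disagree on the shared secret, which is worth ruling out before looking at user accounts.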