What is a RADIUS server and what is it for?
RADIUS (from the English Remote Access Dial In User Service) is a protocol that stands out for offering a security mechanism, flexibility, expandability and a simplified administration of the access credentials to a network resource. It is a protocol of authentication and authorization For network access, this protocol uses a client-server scheme, that is, a user with credentials to access the resource connects against a server that will be in charge of verifying the authenticity of the information, and will be the in charge of determining whether or not the user accesses the shared resource. Thanks to the use of RADIUS servers, the network administrator will be able to control at all times the beginning and end of the authentication and authorization period of the clients, for example, we can easily expel a user who has previously logged in for whatever reason. .
RADIUS servers are widely used by Internet operators (PPPoE), but they are also widely used in the WiFi networks of hotels, universities or anywhere we want to provide additional security to the wireless network, it can also be used to authenticate to clients that make use of the 802.1X protocol for Ethernet, and it could even be used to authenticate the VPN clients that we want, in this way, we will have all the centralized authentication in a single point in an easy and simple way, without having to have several databases with different data.
RADIUS servers make use of the protocol at the transport layer UDP on port 1812 to establish connections between teams to authenticate. When we configure a RADIUS server, we can define whether we want it to use TCP or UDP, and we can also define the port to use, although by default it is always UDP 1812. As regards the devices to use, there is a great variety, many Routers are able to offer this service to authenticate WiFi clients to a local or remote RADIUS server. Additionally, servers, OLTs and even NAS servers can be used, the possibilities are really wide, which allows that mounting a RADIUS server is not something prohibitive for a user, nor is it complicated, because NAS server manufacturers already incorporate a server internally RADIUS easily configurable. RADIUS servers generally make use of authentication protocols such as PAP, CHAP or EAP, of course, these protocols allow us to control sessions, both when the authentication begins, while the current session and also how the connection ends.
Roles of a RADIUS server and applications
First of all, a RADIUS server offers a user authentication mechanism to access a system, either to a wired network using the 802.1X protocol, to a WIFi network if we have WPA2 / WPA3-Enterprise authentication, and even to a server OpenVPN if we have it configured correctly to obtain the database of clients that can connect through this RADIUS server.
After the “Authentication” process, we have the “Authorization” process, which is not the same. One thing is that we can authenticate in a system, and quite another is that we have the authorization to perform certain actions. After the authentication and authorization we have the «Accounting», this serves to perform an analysis of the session time and record statistics that can later be used to make collections, or simply make informative reports.
We have indicated that the operators use it so that the users’ home routers authenticate themselves, and thus access the network resource that this time allows them to access the Internet. But one of the uses par excellence of this server and protocol is to guarantee restricted access to wireless networks, hotels, restaurants, schools, libraries, and so on until a long list of applications is completed. In these cases, those responsible for managing the network generate temporary credentials that allow limited access in terms of temporality, once the set date has passed, the credentials will not be valid and the RADIUS server will not validate the use of the net. The management is very varied, you can use active directories or databases that belong to transversal applications.
FreeRADIUS is always related to a RADIUS server because it is the software par excellence for the installation of a RADIUS server. If we have to install a RADIUS server on any computer (servers, routers, NAS etc), we will always resort to FreeRADIUS software because it is multiplatform, and all operating systems are compatible with this software. This software supports all common authentication protocols such as PAP, CHAP, EAP, EAP-TTLS, EAP-TLS, and others. This software is completely modular, free, and will provide us with great performance for customer authentication.
Some modules that we can incorporate in FreeRADIUS is to give it compatibility with LDAP, MySQL, PostgreSQL and even Oracle and other databases, in this way, we can have a database of thousands of clients without any problem. This software is configured through text configuration files, however, there are graphical user interfaces for quick and easy configuration as with pfSense, in this way, it will greatly facilitate the configuration of the RADIUS server using FreeRADIUS.
The FreeRADIUS software can be optionally installed on the pfSense operating system, the popular firewall and router that we can install on almost any hardware. In that operating system we can install it in the packages section, once installed, we can enter its configuration in the «Services / FreeRADIUS«. In this menu we can configure this RADIUS server in an advanced way, we will have different tabs to configure the different sections, and in the «View config» menu we can see the raw configuration file that is generated as a result of the configurations that we have made in the rest of the tabs. Here we can also see the integration with SQL and even with LDAP.
The NAS servers of the manufacturer QNAP also have an integrated RADIUS server, much more basic than that of pfSense where we have all the configuration options, but this RADIUS server based on FreeRADIUS will allow us to carry out typical uses such as client authentication via WiFi or by cable, all we have to do is enable the RADIUS server, register the RADIUS clients (switches or APs) and also the RADIUS users (end clients that are going to connect).
As you have seen, a RADIUS server will allow us to perform a large number of authentications and authorizations in other software, such as in the operator if PPPoE is used, in business WiFi networks with WPA2 / WPA3-Enterprise encryption and even authentication via 802.1X. FreeRADIUS is the software par excellence for the configuration and start-up of a RADIUS server in almost any operating system, for this reason, we always talk about a RADIUS or FreeRADIUS server interchangeably.