Setting Up a RADIUS Server on Ubuntu 22.04 with MySQL

RADIUS (Remote Authentication Dial-In User Service) is a protocol for centralized Authentication, Authorization, and Accounting (AAA) management. It allows organizations to control access to networks and services by authenticating users and devices before authorizing access.

In this comprehensive guide, we will walk through setting up a RADIUS server on Ubuntu 22.04 using FreeRADIUS with a MySQL backend for storing user credentials and session data.

Prerequisites

Before we begin, make sure your Ubuntu 22.04 server meets the following requirements:

• A minimum of 2 GB RAM and 2 CPU cores
• At least 10 GB available storage space
• A valid domain name pointed to the server‘s public IP address
• OpenSSH server installed
• A non-root user account with sudo privileges

First, update the package lists and install any available upgrades:

sudo apt update
sudo apt upgrade -y

We also need some additional packages to compile and build software from source later on:

sudo apt install build-essential libssl-dev libncurses5-dev libreadline-dev libpq-dev libmysqlclient-dev libperl-dev libcurl4-gnutls-dev -y

Installing the RADIUS Server

For our RADIUS server, we will use FreeRADIUS – a popular open source RADIUS implementation. We‘ll compile the latest version from source.

First create a src directory and download the latest FreeRADIUS release:

mkdir /usr/local/src
cd /usr/local/src
wget https://github.com/FreeRADIUS/freeradius-server/archive/release_3_1_x.zip

Unzip the file and change to the new directory:

unzip release_3_1_x.zip 
cd freeradius-server-release_3_1_x

Now compile with the following options enabled: MySQL, OpenSSL, TCP, and TLS:

./configure --prefix=/usr/local/freeradius --with-openssl --with-tcp --with-tls --with-mysql

Compile and install:

make
sudo make install

We also need to install some additional libraries and the database connector:

sudo apt install libmysqlclient-dev libtalloc-dev -y

cd /usr/local/src/freeradius-server-release_3_1_x/raddb/mods-available/
wget https://github.com/FreeRADIUS/freeradius-server/raw/v3.0.x/raddb/mods-available/sql_mysql

The RADIUS server is now installed! Next we‘ll configure it and set up the backend database.

Setting Up the MySQL Database

Our RADIUS server needs a persistent database for storing user authentication credentials, configurations, and session data. For this guide, we will use MySQL.

First install the server:

sudo apt install mysql-server -y

Log in with the root MySQL user and create a database for RADIUS along with a dedicated user:

CREATE DATABASE radius;
CREATE USER ‘radius‘@‘localhost‘ IDENTIFIED BY ‘radpass‘;
GRANT ALL PRIVILEGES ON radius.* TO ‘radius‘@‘localhost‘;
FLUSH PRIVILEGES;
exit

Now open /etc/freeradius/3.0/mods-enabled/sql and update the following parameters:

driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = "radpass"  
radius_db = "radius"

This connects FreeRADIUS to our new MySQL database for authentication and accounting.

Configuring the RADIUS Server

FreeRADIUS is highly customizable – we just need to modify some key configuration files.

First, update the listener ports in /etc/freeradius/3.0/radiusd.conf:

port = 0
listen {
        type = auth
        ipaddr = *
        port = 1812
}

listen {
        ipaddr = * 
        port = 1813
        type = acct
} 

Next, enable TLS encryption for traffic between the client and RADIUS server.

1. Generate a private key and self-signed certificate:

cd /etc/freeradius/3.0/
openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out server.crt -keyout server.key
chmod 600 server.key

2. Open /etc/freeradius/3.0/radiusd.conf and uncomment these lines:

tls-cert-file = ${raddbdir}/server.crt  
tls-key-file = ${raddbdir}/server.key

Finally, we need to enable our MySQL module for authentication:

cd /etc/freeradius/3.0/mods-enabled/  
ln -s /usr/local/freeradius/etc/raddb/mods-available/sql /etc/freeradius/3.0/mods-enabled

Restart the RADIUS daemon to apply the new configuration:

sudo systemctl restart freeradius

Check the status with:

sudo systemctl status freeradius

The server is now ready! Clients can authenticate against it using the RADIUS protocol.

Next we will configure secure connections from clients.

Enabling RADIUS Connections

By default, most firewalls block RADIUS traffic. We need to open the authentication (1812/UDP) and accounting (1813/UDP) ports.

On Ubuntu, configure UFW firewall:

sudo ufw allow 1812/udp
sudo ufw allow 1813/udp

You should also enable TLS encryption (port 2083/tcp) for secure RADIUS Access:

sudo ufw allow 2083/tcp

Now network devices like VPN gateways, switches, and wireless access points can connect to authenticate users against our RADIUS system.

Creating User Accounts

Before clients can authenticate, we need to add user accounts to the MySQL database.

There are two methods:

1. Manually add rows via SQL queries

2. Automatically sync accounts from another source like LDAP

For testing, we will manually add a user. Log in to MySQL and insert a row:

INSERT INTO radcheck (username, attribute, op, value) 
VALUES (‘john‘, ‘Cleartext-Password‘, ‘:=‘, ‘radiuspassword‘);

The fields are:

• username – the account name
• attribute – in this case we store a clear text password
• op – match type (‘:=‘ equals)
• value – the user‘s password

This adds a user ‘john‘ with password ‘radiuspassword‘.

Do this for each user that needs RADIUS authentication. For better security, consider using encrypted passwords.

Now when John attempts to authenticate via RADIUS, his credentials will be checked against the database.

Testing RADIUS Authentication

We can verify RADIUS authentication using radtest – a utility included with FreeRADIUS.

It allows sending test authentication requests without setting up a real RADIUS client.

Authenticate John using his clear text password:

radtest john radiuspassword 127.0.0.1 10 testing123

This connects to our local RADIUS server (127.0.0.1) on the auth port (1812) and checks the credentials for ‘john‘ against his database password.

The output should show an Access-Accept response if successful:

Sending Access-Request of id 74 to 127.0.0.1 port 1812
        User-Name = "john"
        User-Password = "radiuspassword"
                NAS-IP-Address = 10.10.0.1
        NAS-Port = 10
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=74, length=20

For an invalid password, it would be Access-Reject.

This confirms our server is successfully authenticating!

You can now configure devices like VPNs, switches, and access points to leverage RADIUS and centrally manage user accounts and access privileges.

Summary

Setting up RADIUS for centralized authentication enables large organizations to secure access to networks and services for many users.

In this guide, we walked through installing and configuring FreeRADIUS on Ubuntu 22.04 with MySQL for storing credentials and session data.

Some key takeaways:

• FreeRADIUS provides an open source RADIUS server
• MySQL/MariaDB gives a persistent backend database
• Accounts are stored in database tables like radcheck
• RADIUS usesUDP ports 1812 for authentication and 1813 for accounting
• Encrypt with TLS for secure client connections
• Test authentication manually with utilities like radtest

From here, you can further customize FreeRADIUS, create additional user permission policies, and monitor usage with accounting data in MySQL.

Let me know in the comments if you have any issues getting a RADIUS server running on your Ubuntu system!