How to install FreeRADIUS (AAA) on Ubuntu Server

FreeRADIUS is a free, open-source AAA (authentication, authorization, and accounting) server. It can be used for authentication on Cisco routers and switches, WPA2-Enterprise deployments, 802.1X authentication, etc.

j@ubnt-server:~$ sudo apt-get install freeradius
[sudo] password for j:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  freeradius-common freeradius-config freeradius-utils freetds-common libct4 libdbi-perl
  libfreeradius3 libpython2.7 libpython2.7-minimal libpython2.7-stdlib libtalloc2
  libwbclient0 make ssl-cert
Suggested packages:
  freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-krb5 snmp libclone-perl
  libmldbm-perl libnet-daemon-perl libsql-statement-perl make-doc openssl-blacklist
The following NEW packages will be installed:
  freeradius freeradius-common freeradius-config freeradius-utils freetds-common libct4
  libdbi-perl libfreeradius3 libpython2.7 libpython2.7-minimal libpython2.7-stdlib libtalloc2
  libwbclient0 make ssl-cert
0 upgraded, 15 newly installed, 0 to remove and 90 not upgraded.
Need to get 5,567 kB of archives.
After this operation, 23.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y

Verify installation and version

j@ubnt-server:~$ freeradius -v
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Feb 28 2018 at 06:51:17
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

Verify default configuration

j@ubnt-server:~$ sudo freeradius -CX
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
Configuration appears to be OK
j@ubnt-server:~$

Time to edit some files. At a minimum we need to add a client and a user.

root@ubnt-server:~# cd /etc/freeradius/3.0/
root@ubnt-server:/etc/freeradius/3.0# ls
certs         experimental.conf  mods-available  panic.gdb   radiusd.conf     sites-enabled   users
clients.conf  hints              mods-config     policy.d    README.rst       templates.conf
dictionary    huntgroups         mods-enabled    proxy.conf  sites-available  trigger.conf
root@ubnt-server:/etc/freeradius/3.0#

First, edit your clients.conf file. A client entry can cover a management network or a single host.

root@ubnt-server:/etc/freeradius/3.0# nano clients.conf
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
client cisco-ios {
        ipaddr          = 192.168.0/16
        secret          = cisco123
}
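
The client entry above uses an 8-character secret and a /16 network, which suits a lab. The script below is an added example (not part of the original page or of FreeRADIUS) that checks a clients.conf for short secrets and wide client networks; the thresholds, the mgmt-switch entry and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Thresholds are assumptions.
MIN_SECRET_LEN=16   # assumed minimum shared-secret length
MIN_PREFIX_LEN=24   # assumed widest acceptable IPv4 client network

# Constructed sample: the client entry from this page plus a hypothetical
# single-host entry (mgmt-switch) with a long secret.
sample_conf() {
    cat <<'EOF'
client cisco-ios {
        ipaddr          = 192.168.0/16
        secret          = cisco123
}
client mgmt-switch {
        ipaddr          = 192.168.49.10
        secret          = Constructed-Example-Secret-0001
}
EOF
}

# audit_clients [FILE]: read clients.conf (or stdin), print "client: finding".
# Limitation: "#" always starts a comment here, so secrets containing "#"
# are truncated before measuring.
audit_clients() {
    awk -v minlen="$MIN_SECRET_LEN" -v minpfx="$MIN_PREFIX_LEN" '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "client" { name = $2; next }      # block start
        $1 == "}"      { name = ""; next }      # block end
        name == ""     { next }                 # outside any client block
        $1 == "ipaddr" && split($3, p, "/") == 2 && p[2] + 0 < minpfx {
            print name ": network /" p[2] " is wider than /" minpfx
        }
        $1 == "secret" {
            s = $3; gsub(/"/, "", s)            # ignore optional quotes
            if (length(s) < minlen)
                print name ": secret is " length(s) " chars, want >= " minlen
        }
    ' "$@"
}

# new_secret: 24 random bytes as 48 hex characters for a secret = line.
new_secret() {
    od -An -tx1 -N24 /dev/urandom | tr -d ' \n'
}

sample_conf | audit_clients
```

On the server, run audit_clients /etc/freeradius/3.0/clients.conf as root and replace any flagged secret with the output of new_secret.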

Next we create our user

root@ubnt-server:/etc/freeradius/3.0# nano users
admin   Cleartext-Password := "cisco123"
        Reply-Message := "Hello, %{User-Name}"
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.  If you have
# users with spaces in their names, you must also change
# the "filter_username" policy to allow spaces.

Run a quick test from the server to verify everything is good to go

root@ubnt-server:/etc/freeradius/3.0# service freeradius stop
root@ubnt-server:/etc/freeradius/3.0# service freeradius start
#
root@ubnt-server:/etc/freeradius/3.0# radtest admin cisco123 192.168.49.60 0 cisco123
Sent Access-Request Id 178 from 0.0.0.0:48446 to 192.168.49.60:1812 length 75
        User-Name = "admin"
        User-Password = "cisco123"
        NAS-IP-Address = 192.168.49.60
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "cisco123"
Received Access-Accept Id 178 from 192.168.49.60:1812 to 0.0.0.0:0 length 34
        Reply-Message = "Hello, admin"
