radiusd.conf

radiusd.conf is the main configuration file for the FreeRADIUS server, which is an open-source implementation of the RADIUS (Remote Authentication Dial-In User Service) protocol. This file contains essential settings that define how the FreeRADIUS server operates, including authentication, authorization, accounting, and other network access policies.

Key Components in radiusd.conf

  1. Global Settings: These include parameters that affect the overall behavior of the FreeRADIUS server, such as server ports, logging configuration, and paths to various directories.

  2. Module Configuration: FreeRADIUS operates using various modules that handle different aspects of the RADIUS protocol and server functionality. Each module can be configured within radiusd.conf to specify its behavior and settings.

  3. Authentication Settings: Configuration related to how users are authenticated, including supported authentication methods (e.g., PAP, CHAP, EAP), authentication realms, and authentication policies.

  4. Authorization Settings: Defines policies and rules for authorizing access to network resources based on user credentials and other attributes.

  5. Accounting Settings: Specifies how accounting information is logged and stored, including accounting methods (e.g., SQL, LDAP) and retention policies.

  6. Logging Configuration: Controls the level and destination of log messages generated by the FreeRADIUS server, crucial for monitoring server activity and diagnosing issues.

  7. TLS/SSL Configuration: If RADIUS communication is secured using TLS/SSL, configuration parameters for certificates, private keys, and cipher suites are defined here.

Example Sections in radiusd.conf

Global Configuration

listen {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
}

listen {
    type = acct
    ipaddr = 127.0.0.1
    port = 1813
}

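log {
    destination = files
    file = /var/log/radius/radius.log
    syslog_facility = daemon
    stripped_names = no
    # Leave password logging off: with "yes", submitted passwords are
    # written to radius.log in cleartext whenever auth logging is enabled.
    auth_badpass = no
    auth_goodpass = no
}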

Module Configuration

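modules {
    ...
    # Option names in this module differ between FreeRADIUS versions;
    # compare with the ldap module file shipped with your installation.
    ldap {
        server = "ldap.example.com"
        # Prefer a dedicated read-only bind account over a directory admin.
        identity = "cn=admin,dc=example,dc=com"
        # The bind password is stored in cleartext, so keep this file
        # readable only by the account the server runs as.
        password = "admin_password"
        base_dn = "dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        tls {
            start_tls = yes
            tls_cacertfile = /etc/radius/ldap-ca.pem
            tls_certfile = /etc/radius/ldap-cert.pem
            tls_keyfile = /etc/radius/ldap-key.pem
        }
    }
    ...
}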

Authentication Configuration

authorize {
    ...
    pap
    chap
    mschap
    ...
}

authenticate {
    ...
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    ...
}

Location of radiusd.conf

The radiusd.conf file is typically located in one of the following directories, depending on the distribution:

  • Debian/Ubuntu: /etc/freeradius/

  • Red Hat/CentOS: /etc/raddb/

Editing radiusd.conf

When editing radiusd.conf, it's crucial to follow these best practices:

  • Make backups before making changes.

  • Ensure proper syntax and formatting to avoid configuration errors.

  • Test changes in a controlled environment before applying them in a production environment.

  • Monitor server logs (radius.log) for any error messages or warnings after making changes.
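A review step that can run before a changed file is deployed, given here as an added example (not part of FreeRADIUS or of the original page): it parses the nested section syntax shown above and reports settings that expose credentials. The rule set, the function names and the sample input are assumptions made for this illustration.

```python
import re

# Constructed sample input, modelled on the sections shown on this page.
SAMPLE = """
log {
    auth_badpass = yes
    auth_goodpass = yes   # logs accepted passwords
}
modules {
    ldap {
        password = "admin_password"
        tls {
            start_tls = no
        }
    }
}
"""

def parse(text):
    """Flatten nested 'name { ... }' sections into (dotted.path, value) pairs."""
    stack, items = [], []
    for raw in text.splitlines():
        # Simplification: '#' always starts a comment, even inside quotes.
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            items.append((".".join(stack + [key]), value.strip("\"'")))
    return items

# (path pattern, risky value, reason). Hypothetical rule set for this example.
RULES = [
    (r"(^|\.)log\.auth_(good|bad)pass$", "yes", "passwords end up in the log file"),
    (r"(^|\.)ldap[^.]*\.tls\.start_tls$", "no", "StartTLS to the LDAP server is off"),
]

def audit(text):
    """Return one finding per risky setting; secret values are never echoed."""
    findings = []
    for path, value in parse(text):
        for pattern, risky, reason in RULES:
            if re.search(pattern, path) and value.lower() == risky:
                findings.append(f"{path} = {value}: {reason}")
        if re.search(r"(^|\.)ldap[^.]*\.password$", path) and value:
            findings.append(f"{path}: cleartext bind password, restrict file permissions")
    return findings
```

Calling audit() on the text of a candidate radiusd.conf returns a list of findings; an empty list means none of these rules matched, not that the file is otherwise valid.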

Conclusion

radiusd.conf is the central configuration file for the FreeRADIUS server, governing its operation and behavior. Understanding and properly configuring radiusd.conf is essential for maintaining a secure and efficient RADIUS authentication and authorization service.
