Features of the FreeRADIUS AAA Server
The FreeRADIUS server has a number of features which are commonly found in RADIUS servers, and additional features which are not found in any other free software server. Rather than doing a feature-by-feature comparison, we will simply list some of the features of the server, and let you decide if they satisfy your needs.
Cross-platform issues and source code
The FreeRADIUS server has been compiled and tested to run on the following platforms:
- Linux (all versions)
- FreeBSD
- NetBSD
- Solaris
- MAC OSX
The server currently has support for the following platforms, but has not been fully tested on them.
- HP/UX
- AIX
- MINGW32, CygWin (Unix-style environment under Windows NT.)
- SFU (or Interix, for Windows XP)
Unlike commercial servers, a large number of CPU and OS architectures have been verified to work, and are "supported" via the users list. The drawback of supporting so many variations of systems is that the steps required to install the server can often be more than just "install a package". We suggest that you look to your OS vendor for a FreeRADIUS package for your system first, and if none is available, then build the server from source.
Support for RFC and VSA Attributes
The server comes with complete support for RFC 2865 and RFC 2866 attributes, along with Vendor-Specific Attributes for over fifty vendors, including Ascend, Microsoft, Shiva, USR/3Com, Cisco, Livingston, Versanet, Acc/Newbridge, and many more.
Additional server configuration attributes
In addition to the RFC and VSA attributes defined above, the FreeRADIUS server has a number of server configuration attributes. These attributes allow you to control almost any aspect of an incoming RADIUS request. You can use these attributes to:
- Append attributes to the request
- Re-write any attribute of the request
- Proxy or replicate the request to another RADIUS server, based on any criteria, not just '@realm'.
- Choose an authentication method to use for this user.
- Administer users by groups
- Implement time of day access restrictions
- Execute a local program
- Limit the number of simultaneous logins by the user
All of the server configuration attributes can be used on either authentication or accounting RADIUS requests. Most servers limit this sort of configurability to authentication requests only.
Selecting a particular configuration
It is often difficult to match a user's request to the particular configuration that should be used to reply to that user. The FreeRADIUS server provides a wide range of methods to select configurations.
The server can select a configuration based on any of the following criteria:
- Attributes which have a given value
- Attributes which do not have a given value
- Attributes which are in the request (independent of their value)
- Attributes which are not in the request
- String attributes which match a regular expression
- Integer attributes which match a range (e.g. <, >, <=, >=)
- Source IP address of the request. This can be different than the NAS-IP-Address attribute
- Group of NAS boxes. (These may be grouped based on Source IP address, NAS-IP-Address, or any other configuration)
- User-Name
- a DEFAULT configuration
- multiple DEFAULT configurations
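As an added illustration of the server configuration attributes and the selection criteria listed above, here is a constructed FreeRADIUS "users" file (the format read by the rlm_files module). It is not taken from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x syntax (Cleartext-Password as the check item), a huntgroup named "dialup-pool" defined in the huntgroups file, a realm named "partner-isp" defined in proxy.conf, the radutmp session tracking needed for Simultaneous-Use, and the LDAP module listed in the authenticate section; the user name, addresses and phone number prefix are made up.

```text
# Constructed example users file (not from the FreeRADIUS distribution).
# Layout: "<name>  <check items>" on one line, then indented reply items.
# Entries are tried top to bottom; the first match wins unless it sets
# Fall-Through = Yes, in which case later entries are tried as well.

# Group of NAS boxes (the "dialup-pool" huntgroup, an assumption) combined
# with a time-of-day restriction and a limit of one session per user.
# These are check items, so they constrain the request; Fall-Through lets
# the entries further down still apply.
DEFAULT Huntgroup-Name == "dialup-pool", Login-Time := "Wk0800-1800", Simultaneous-Use := 1
        Fall-Through = Yes

# Attribute presence test (=* ANY): a NAS that proposes its own address is
# refused, whatever value it sent.
DEFAULT Framed-IP-Address =* ANY, Auth-Type := Reject
        Reply-Message = "Static addresses are assigned by the server"

# Regular expression on a string attribute: calls to one dialled number are
# proxied to the (assumed) "partner-isp" realm, independent of any '@realm'
# suffix in the User-Name.
DEFAULT Called-Station-Id =~ "^5551234", Proxy-To-Realm := "partner-isp"

# Regular expression on User-Name selects the authentication method:
# everyone in example.com is checked against LDAP, and the reply is
# rewritten to force a PPP session.
DEFAULT User-Name =~ "@example[.]com$", Auth-Type := LDAP
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

# Integer range check (<=): the first 16 NAS ports get a longer session limit.
DEFAULT NAS-Port <= 15
        Session-Timeout = 28800,
        Fall-Through = Yes

# Per-user entry: a locally stored clear-text password (PAP, CHAP and
# MS-CHAP can all be verified against it) and a fixed address appended
# to the reply.
bob     Cleartext-Password := "hello"
        Framed-IP-Address = 192.0.2.10,
        Reply-Message = "Hello, %{User-Name}"

# No catch-all entry: a request that matches nothing above ends without an
# Auth-Type, and the server rejects it.
```

Because every check item on an entry's first line must match before its reply items are used, the order of the entries and the Fall-Through items decide which combination of restrictions applies; a final "DEFAULT Auth-Type := Reject" entry is deliberately absent, since with Fall-Through in use it would also match (and reject) requests that an earlier entry had already accepted.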
Authorization methods
The following authorization types are some of the methods which are supported by the server:
- Local files
- Local DB/DBM database
- LDAP
- A locally executed program (like a CGI program)
- Perl program
- Python program
- MySQL DB
- PostgreSQL DB
- Oracle SQL DB
- any IODBC SQL DB
- IBM's DB2
Authentication methods
The following authentication types are some of the methods which are supported by the server:
- Clear-text password in local configuration file (PAP)
- Encrypted password in local configuration file
- CHAP
- MS-CHAP
- MS-CHAPv2
- authentication to a Windows Domain Controller (via ntlm_auth and winbindd)
- Proxy to another RADIUS server
- System authentication (usually through /etc/passwd)
- PAM (Pluggable Authentication Modules)
- LDAP (PAP only)
- PAM (PAP only)
- CRAM
- Perl program
- Python program
- SIP Digest (Cisco VOIP boxes)
- A locally executed program (like a CGI program)
- Netscape-MTA-MD5 encrypted passwords
- Kerberos authentication
- X9.9 authentication token (e.g. CRYPTOCard)
- EAP, with embedded authentication methods:
  - EAP-MD5
  - Cisco LEAP
  - EAP-MSCHAP-V2 (as implemented by Microsoft)
  - EAP-GTC
  - EAP-SIM
  - EAP-TLS
  - EAP-TTLS, with any authentication protocol inside of the TLS tunnel
  - EAP-PEAP, with tunneled EAP
Accounting methods
The following accounting logging methods are supported by the server:
- Local 'detail' files
- Local 'wtmp' and 'utmp' files
- Proxy to another RADIUS server
- Replicate to one or more RADIUS servers
- SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)
Dialup Admin Web Administration Interface
The server includes dialup_admin, a PHP4-based web administration interface for the server. Dialup Admin supports:
- Users in LDAP database
- Users and Groups in SQL database (MySQL or PostgreSQL)
- Create, test, delete, change personal information, check accounting and change dialup settings for a user
- Accounting Report Generator
- Bad Users facility to keep a record of users creating problems
- Online finger facility
- Test radius server
- Online Usage Statistics
Scripting Languages
FreeRADIUS contains plug-in modules which support Perl and Python. These languages allow scripts to modify RADIUS requests and responses in a very efficient and simple manner.
RFC Compliance
FreeRADIUS strives to be conformant to relevant RFCs.
Supported RFCs
- RFC 2865 Remote Authentication Dial In User Service (RADIUS) (obsoletes RFC 2138 and RFC 2058)
- RFC 2866 RADIUS Accounting (obsoletes RFC 2139 and RFC 2059)
- RFC 2869 RADIUS Extensions
- RFC 2619 RADIUS Authentication Server MIB
- RFC 2621 RADIUS Accounting Server MIB
- RFC 1227 SNMP MUX Protocol and MIB
- RFC 2868 RADIUS Attributes for Tunnel Protocol Support
- RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
The world's most popular RADIUS Server.