Module: COMP10014 — Network Security | University of the West of Scotland
Topic: AAA Infrastructure, FreeRADIUS Configuration, Authentication Testing
Install and configure a FreeRADIUS server to demonstrate the AAA (Authentication, Authorisation, and Accounting) model. Configure clients, users, and Attribute Value Pairs (AVPs), then test authentication using the radclient tool.
| Tool | Version | Role |
|---|---|---|
| FreeRADIUS | 3.0 | RADIUS server daemon |
| freeradius-utils | — | radtest / radclient testing utilities |
| systemctl | — | Service management |
| nano | — | Configuration file editing |
[Server VM] 10.0.2.2 — FreeRADIUS server
[Client VM] 10.0.1.2 — NAS / RADIUS client (radclient)
Installed FreeRADIUS and utilities:
sudo apt install freeradius freeradius-utils -yValidated configuration syntax before starting the service:
sudo freeradius -CXConfirmed the service was active and running:
sudo systemctl status freeradiusStopped the daemon and ran FreeRADIUS in verbose debug mode to observe the full request/response cycle:
sudo freeradius -XConfirmed the server was listening on the correct RADIUS ports:
- Port 1812 — Authentication and Authorisation
- Port 1813 — Accounting
Edited /etc/freeradius/3.0/clients.conf to review and retain the default localhost client:
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nas_type = other
}
The secret is a shared key between the NAS (client) and the RADIUS server — it authenticates the RADIUS request itself, not the user.
Added a test user account to /etc/freeradius/3.0/users:
"B00249469" Cleartext-Password := "osboxes.org"
Framed-IP-Address = 10.0.2.2,
Reply-Message = "Hello, %{User-Name}"
Attribute Value Pairs (AVPs) returned on successful authentication:
Framed-IP-Address— IP address assigned to the authenticated userReply-Message— Personalised message returned in the Access-Accept packet
Restarted the FreeRADIUS daemon and used radclient to test authentication for the configured user, verifying that the server returned an Access-Accept response along with the configured AVPs.
Client (NAS) RADIUS Server
│ │
│──── Access-Request ───────────────▶│
│ (username, password hash, │
│ NAS identifier, shared secret)│
│ │ Validates credentials
│ │ Builds AVP response
│◀─── Access-Accept ─────────────────│
│ (Framed-IP-Address, │
│ Reply-Message) │
- RADIUS uses UDP ports 1812 (auth) and 1813 (accounting) — these are IANA-assigned and standardised across all RADIUS implementations.
- The shared secret between NAS and RADIUS server is critical — it is used to hash the user password in the Access-Request. Weak secrets undermine the entire authentication chain.
- AVPs allow RADIUS to return rich policy data alongside authentication decisions — IP assignments, VLAN tags, session timeouts, and more.
freeradius -CXis an essential pre-deployment step to catch configuration errors before they cause runtime failures.
- RADIUS is the backbone of enterprise network authentication — used in 802.1X port-based access control, Wi-Fi authentication (WPA2-Enterprise), and VPN gateways.
- Cleartext passwords in the
usersfile are only acceptable in lab environments — production deployments use PAP/CHAP/EAP with encrypted backends (LDAP, Active Directory). - RADIUS over TLS (RadSec) should be used in any environment where RADIUS traffic traverses untrusted networks, as standard RADIUS provides limited transport security.
- The AAA model — Authenticate (who are you?), Authorise (what can you do?), Account (what did you do?) — is foundational to Zero Trust network architecture.
All testing was conducted exclusively within an authorised VirtualBox academic lab environment. No real networks or third-party systems were targeted.