Note: This FreeRADIUS configuration accepts every PPPoE request and stores the username and password in a log file. Do not use it on a production network. With this RADIUS server you can collect a PPPoE user's password when you do not know the PPPoE username and password configured on the client-side router.
How to Build a FreeRADIUS Server with Username and Password Logging
Setting up a FreeRADIUS server is an essential task for ISPs and network administrators looking to manage authentication, authorization, and accounting (AAA) efficiently. In this blog, we will guide you through building a FreeRADIUS server and configuring it to store usernames and passwords for PPPoE users. Let’s dive in!
Why FreeRADIUS?
FreeRADIUS is one of the most widely used open-source RADIUS servers. Its flexibility, scalability, and extensive community support make it a go-to choice for managing AAA in networks of all sizes.
Steps to Build a FreeRADIUS Server
Follow these simple steps to set up and configure your FreeRADIUS server.
1. Update Your System
First, ensure your system is up-to-date:
sudo apt update
sudo apt upgrade -y
2. Install FreeRADIUS
Install FreeRADIUS and its utilities:
sudo apt install freeradius freeradius-utils -y
3. Modify the Default Configuration
Edit the default FreeRADIUS configuration:
sudo nano /etc/freeradius/3.0/sites-enabled/default
Update the following sections:
Authorize Section:
authorize {
    update control {
        Auth-Type := Accept
    }
}
Authenticate Section:
authenticate {
    Auth-Type Accept {
        ok
    }
}
Post-Auth Section:
post-auth {
    linelog
}
Also, disable the conditional statement at line 732 by commenting it out. To do this, place a # at the beginning of the line. Additionally, comment out other Auth-Type configurations in the authorize and authenticate sections to avoid conflicts.
4. Configure Clients
Define client devices that can communicate with the RADIUS server:
sudo nano /etc/freeradius/3.0/clients.conf
Add the following configuration:
client 0.0.0.0/0 {
    secret = testing123
    shortname = all_clients
    nas_type = other
}
5. Define PPPoE Users
Add default PPPoE user settings:
sudo nano /etc/freeradius/3.0/users
Insert this:
# Auth-Type is a check item, so it goes on the first line; reply items are indented
DEFAULT Framed-Protocol == PPP, Auth-Type := Accept
    Framed-Protocol = PPP,
    Framed-Pool = pool1,
    Framed-Compression = Van-Jacobson-TCP-IP
Note: This configuration is designed for scenarios where the RADIUS server automatically accepts all authentication requests, regardless of the PPPoE username and password set on the client router. It is commonly used for testing, debugging, or open PPPoE systems in controlled environments. However, it is not recommended for production use as it bypasses credential validation.
6. Restart FreeRADIUS
Restart the FreeRADIUS service to apply changes:
sudo systemctl restart freeradius
Logging Usernames and Passwords
To store usernames and passwords, configure the linelog module as follows:
1. Set Proper Permissions
Set permissions for FreeRADIUS log directory:
sudo chown -R freerad:freerad /var/log/freeradius
sudo chmod -R 750 /var/log/freeradius
2. Configure Linelog
Edit the linelog module:
sudo nano /etc/freeradius/3.0/mods-available/linelog
Add the following configuration:
linelog {
    filename = /var/log/freeradius/pppoe_usernames-%{Packet-Src-IP-Address}.log
    permissions = 0644
    Access-Accept = "Accepted user: %{User-Name} Password: %{User-Password}"
}
Verification
Test your FreeRADIUS configuration with a client to ensure it’s working as expected.
Check the log file (e.g., /var/log/freeradius/pppoe_usernames-<IP>.log) to verify that usernames and passwords are being logged correctly.
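Since none of these settings belong on a production server, a check like the following can flag them if a lab configuration is ever copied onto a live RADIUS host. This is an added example, not part of the original post: the audit function, the rule names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the lab settings from this post, joined into one text.
SAMPLE = r'''
client 0.0.0.0/0 {
    secret = testing123
    shortname = all_clients
}
authorize {
    update control {
        Auth-Type := Accept
    }
}
linelog {
    filename = /var/log/freeradius/pppoe_usernames-%{Packet-Src-IP-Address}.log
    permissions = 0644
    Access-Accept = "Accepted user: %{User-Name} Password: %{User-Password}"
}
'''

# Rule names are hypothetical labels chosen for this example.
RULES = [
    # Any NAS on any network may talk to the server.
    ("wildcard-client", re.compile(r'^\s*(?:client\s+|ipaddr\s*=\s*|ipv4addr\s*=\s*)0\.0\.0\.0/0\b')),
    # The well-known FreeRADIUS example secret is still in place.
    ("default-secret", re.compile(r'^\s*secret\s*=\s*"?testing123"?\s*$')),
    # Authentication is forced to succeed without checking credentials.
    ("accept-all", re.compile(r'^\s*Auth-Type\s*:=\s*Accept\b')),
    # A log or expansion string writes the cleartext password.
    ("password-logged", re.compile(r'%\{User-Password\}')),
]
PERMS = re.compile(r'^\s*permissions\s*=\s*(0[0-7]{3})\b')

def audit(text):
    """Return (line_number, rule) pairs for lab-only settings found in text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore commented-out settings
        for rule, rx in RULES:
            if rx.search(line):
                findings.append((no, rule))
        m = PERMS.match(line)
        if m and int(m.group(1), 8) & 0o004:  # "other" read bit is set
            findings.append((no, "world-readable-log"))
    return findings

if __name__ == "__main__":
    for no, rule in audit(SAMPLE):
        print(f"line {no}: {rule}")
```

To check a real host, pass the contents of clients.conf, the enabled site files, the users file and the linelog module file to audit() one at a time.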