FreeRADIUS - Cluster on Debian with PostgreSQL Backend

From IT-Arts.net
Revision as of 16:00, 14 December 2025 by Admin

Cluster Architecture

A typical FreeRADIUS cluster consists of multiple FreeRADIUS servers configured to authenticate against a central PostgreSQL database. The servers share a common configuration and load balance authentication requests.

Components:

  • FreeRADIUS servers
  • PostgreSQL database backend
  • Load balancing mechanism (such as DNS or hardware load balancer)

In this architecture, each FreeRADIUS instance communicates with the same PostgreSQL database to store user credentials, accounting information, and configuration details.

FreeRADIUS Configuration

The configuration of FreeRADIUS for a cluster is primarily focused on ensuring that each instance connects to the PostgreSQL backend. Configuration files are located in `/etc/freeradius/3.0/`. The main files involved are `radiusd.conf`, `clients.conf`, `eap.conf`, `sql.conf`, and `mods-available/sql`.

radiusd.conf

In `radiusd.conf`, configure the load balancing and database connection settings. The section that deals with database connections should reference the PostgreSQL backend.

    # Example of a simplified `radiusd.conf` for FreeRADIUS cluster
    # Database configuration
    modules {
        sql {
            driver = "rlm_sql_postgresql"
            # Address of the shared PostgreSQL server (127.0.0.1 only if the database runs on this host)
            server = "127.0.0.1"
            port = 5432
            login = "radiususer"
            # Placeholder value; use a strong password and keep this file readable only by the freeradius user
            password = "radiuspassword"
            radius_db = "radiusdb"
            read_groups = yes
            read_clients = yes
        }
    }

sql.conf

The `sql.conf` file contains database connection settings specific to the PostgreSQL backend. It is essential that all FreeRADIUS instances in the cluster use the same `sql.conf` settings to maintain consistency.

    # Example of sql.conf configuration
    sql {
        driver = "rlm_sql_postgresql"
        dialect = "postgresql"
        server = "127.0.0.1"
        login = "radiususer"
        # Placeholder value; use a strong password
        password = "radiuspassword"
        radius_db = "radiusdb"
        read_clients = yes
        read_groups = yes
        # Writes SQL statements to a trace log; turn off outside troubleshooting
        sqltrace = yes
    }

clients.conf

The `clients.conf` file defines the client devices or NAS (Network Access Servers) that the FreeRADIUS instance will authenticate. In a clustered setup, you may have multiple FreeRADIUS servers communicating with these clients.

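    # Example `clients.conf` file
    client localhost {
        ipaddr = 127.0.0.1
        # testing123 is the well-known default secret; replace it with a long random value per client
        secret = testing123
        # "no" accepts requests that lack a Message-Authenticator attribute
        require_message_authenticator = no
        nas_type = other
    }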
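An added example (not from the original page or the FreeRADIUS project): a Python audit of `clients.conf` that flags the default secret, short secrets, clients that do not require Message-Authenticator, and overly broad client ranges. The `campus_wifi` client, its secret, and the length and range thresholds are constructed assumptions, and client blocks are assumed to contain no nested sub-sections.

```python
import ipaddress
import re

# Constructed sample: the page's localhost client plus a hypothetical NAS entry.
SAMPLE = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}
client campus_wifi {   # hypothetical client, not from the page
    ipaddr = 10.20.30.0/24
    secret = "k3Vq9mZr7TnB2xLw8HsD4pYc"
    require_message_authenticator = yes
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
PAIR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#\n]*?)"?\s*(?:#.*)?$', re.M)
DEFAULT_SECRETS = {"testing123"}   # secret used in the page's example
MIN_SECRET_LEN = 16                # assumed local policy, adjust as needed
MAX_HOSTS = 256                    # assumed limit before a client range counts as too broad

def audit_clients(text):
    """Return {client_name: [findings]} for every client block in text."""
    report = {}
    for name, body in CLIENT_RE.findall(text):
        opts = dict(PAIR_RE.findall(body))
        findings = []
        secret = opts.get("secret", "")
        if secret in DEFAULT_SECRETS:
            findings.append("default shared secret")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append("shared secret shorter than %d chars" % MIN_SECRET_LEN)
        # Anything other than an explicit "yes" is reported.
        if opts.get("require_message_authenticator", "no") != "yes":
            findings.append("Message-Authenticator not required")
        try:
            net = ipaddress.ip_network(opts.get("ipaddr", "0.0.0.0/0"), strict=False)
            if net.num_addresses > MAX_HOSTS:
                findings.append("client range covers %d addresses" % net.num_addresses)
        except ValueError:
            findings.append("ipaddr is not a literal address or CIDR range")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_clients(SAMPLE))
```
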

Load Balancing Configuration

FreeRADIUS does not have built-in load balancing, but it can be achieved through DNS round-robin, HAProxy, or other similar tools. For a simple round-robin DNS setup, you would configure multiple FreeRADIUS servers to share the same DNS hostname.

Example DNS setup:

  • `radius.example.com` points to multiple FreeRADIUS servers using round-robin DNS.
  • Each FreeRADIUS server is configured to point to the same PostgreSQL backend.

Alternatively, you can configure HAProxy for load balancing and high availability.

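    # Example HAProxy configuration for FreeRADIUS
    # Note: these are TCP listeners; RADIUS on port 1812 is normally UDP,
    # so the FreeRADIUS listen sections must use proto = tcp for this to carry traffic.
    frontend radius_front
        bind *:1812
        default_backend radius_back

    backend radius_back
        balance roundrobin
        server radius1 192.168.1.2:1812 check
        server radius2 192.168.1.3:1812 check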

PostgreSQL Configuration

The PostgreSQL backend stores user credentials, accounting information, and FreeRADIUS configuration. It is essential to have the correct schema in the database and ensure that all FreeRADIUS servers in the cluster have access to the same database.

Database Schema

FreeRADIUS provides an SQL schema for PostgreSQL that should be imported into the `radiusdb` database. This schema creates the necessary tables for users, accounting, and configuration storage.

You can find the SQL schema in the FreeRADIUS source code, typically under `sql/postgresql/schema.sql`.

Import the schema using the following command:

psql -U postgres -d radiusdb -f /path/to/schema.sql

PostgreSQL High Availability

To ensure high availability for your FreeRADIUS cluster, consider using PostgreSQL replication and failover mechanisms. You can configure streaming replication in PostgreSQL with a primary and one or more standby servers.

Basic steps for replication:

  1. Configure the `primary` and `standby` PostgreSQL servers.
  2. Enable replication in the `postgresql.conf` file on the primary server.
  3. Set up replication users and replication slots.

    # PostgreSQL primary server configuration
    # In postgresql.conf
    wal_level = replica
    max_wal_senders = 10
    archive_mode = on
    archive_command = 'cp %p /var/lib/postgresql/archive/%f'

    # On the standby server, set up replication
    restore_command = 'cp /var/lib/postgresql/archive/%f %p'
    primary_conninfo = 'host=primary_server port=5432 user=replica password=replica_password'

Scaling and Redundancy

Scaling FreeRADIUS involves adding more servers to the cluster to distribute authentication requests. You can either deploy additional FreeRADIUS servers behind a load balancer or add servers to handle specific types of requests (e.g., wireless vs. wired authentication).

Redundancy is achieved through load balancing and using a high-availability PostgreSQL setup. If one FreeRADIUS server goes down, the load balancer will automatically redirect traffic to another server in the cluster.