Would you like to learn how to configure the OPNsense firewall to use Freeradius as the authentication server?In this tutorial, we are going to show you how to authenticate OPNsense users using a Freeradius server installed on a computer running Ubuntu Linux.

• OPNsense 19.7

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Tutorial – FreeRadius Server Installation on Ubuntu Linux

• IP – 192.168.15.10.
• Operacional System – Ubuntu 19
• Hostname – UBUNTU

On the Linux console, use the following commands to install the FreeRadius service.

Copy to Clipboard

Now, we need to add FreeRadius clients to the clients.conf;.

Locate and edit the clients.conf.

Copy to Clipboard

Add the following lines at the end of the clients.conf file.

Copy to Clipboard

In our example, we are adding 1 client devices:

The device was named OPNSENSE and has the IP address 192.168.15.11.

Now, we need to add FreeRadius users to the USERS configuration file.

Locate and edit the Freeradius users configuration file.

Copy to Clipboard

Add the following lines at the end of the file

Copy to Clipboard

Restart the Freeradius server.

Copy to Clipboard

Test your radius server configuration file.

Copy to Clipboard

You have finished the Freeradius installation on Ubuntu Linux.

OPNsense – OPNsense Radius Authentication on FreeRadius

Open a browser software, enter the IP address of your Opnsense firewall and access web interface.

In our example, the following URL was entered in the Browser:

• https://192.168.15.11

The opnsense web interface should be presented.

opnsense login

On the prompt screen, enter the OPNsense Default Password login information.

• Username: root
• Password: Password set during OPNsense the installation

After a successful login, you will be sent to the OPNSense Dashboard.

opnsense dashboard

Access the Opnsense System menu, access the Access sub-menu and select the Servers option.

opnsense servers menu

Click on the Add button and perform the following configuration.

• Descriptive name: RADIUS
• Type: RADIUS
• Hostname or IP address – 192.168.15.10
• Shared Secret – The Radius Client shared secret (kamisama123)
• Services Offered – Authentication and Accounting
• Authentication Port – 1812
• Acconting Port – 1813

You need to change IP address of the Radius server.

You need to change the Shared secret to reflect your Radius client shared secret.

opnsense radius configuration

Click on the Save button to finish the configuration.

In our example, we configured the Radius server authentication on the OPNsense firewall.

OPNsense Radius – Testing FreeRadius Authentication

Access the Opnsense System menu, access the Access sub-menu and select the Tester option.

Select the RADIUS authentication server.

Enter the Admin username, its password and click on the Test button.

If your test succeeds, you should see the following message.

opnsense radius

Congratulations! Your OPNsense Radius server authentication on FreeRadius was sucessfully configured.

OPNsense – FreeRadius Group Permission

Access the Opnsense System menu, access the Access sub-menu and select the Groups option.

opnsense servers menu

Add a new local group on the OPNsense firewall.

On the Group creation screen, perform the following configuration:

• Group name – opnsense-admins
• Description – FreeRadius group
• Member of – optionally you may add the roou user account.

Click on the Save button, you will be sent back to the Group configuration screen.

opnsense radius group

Now, you need to edit the permissions of the opnsense-admins group.

On the opnsense-admins group properties, locate the Assigned Privileges area and click on the Add button.

On the Group privilege area, perform the following configuration:

• Assigned privileges – GUI – ALL pages

opnsense group permission

Click on the Save button to finish the configuration.

OPNsense – FreeRadius User Permission

OPNsense requires all Radius user accounts to exist on the local database to perform the proper authorization configuration.

We are going to add the admin user account to the local database.

We are going to configure the local account named admin member of the opnsense-admins group.

Access the Opnsense System menu, access the Access sub-menu and select the Users option.

opnsense servers menu

Add a new local user account using the same username from the radius account.

opnsense radius user

Make this user account member of the opnsense-admins group.

opnsense radius user group

Click on the Save button to finish the configuration.

OPNsense – Enable the Radius Authentication

Access the Opnsense System menu, access the Settings sub-menu and select the Administration option.

opnsense administration menu

Locate the authentication area, select the Radius authentication and click on the Save button.

opnsense radius authentication

After finishing your configuration, you should log off the Opnsense web interface.

Try to login using the admin user and the password from the Freeradius database.

On the login screen, use the admin user and the password from the FreeRadius database.

• Username: admin
• Password: Enter the FreeRadius password.

opnsense login

Congratulations! You have configured the OPNsense authentication to use the FreeRadius database.