Streamlining Network Security: A Guide to Configuring FreeRADIUS for NAC

April 2, 2024

Robust network security is essential for organizations of all sizes. Network Access Control (NAC) plays a crucial role in securing networks by regulating access based on predefined policies. The following diagram and steps guide you through the process of configuring FreeRADIUS for NAC.
[Diagram: Configure FreeRADIUS for NAC]

Before starting the configuration, make sure the following prerequisites are met:

Prerequisites: 

  • Root Access: Ensure root access to the Linux machine, granting necessary permissions for system-level configurations. 

  • FreeRADIUS Installation: Install FreeRADIUS as a Linux service, commonly known as 'radiusd'.  

  • Firewall Configuration: Open UDP ports 1812 and 1813 to allow RADIUS authentication (1812) and accounting (1813) traffic.

  • Upload and Configure 'getcrls' Script: Adapt and configure the 'getcrls' bash script to facilitate Certificate Revocation List (CRL) retrieval.  

Please note: This procedure has been tailored for EL 7/8/9 distributions. For other Linux distributions like Ubuntu, some parameters may require adaptation. 

To enable EAP-TLS authentication, follow these steps:

  1. Open the '/etc/raddb/mods-available/eap' file.  

  2. Change the default EAP type to TLS within the configuration.  

To set up TLS for secure communication, perform the following steps:  

  1. Open the '/etc/raddb/radiusd.conf' file.  

  2. Add a custom certificate directory parameter.  

  3. Generate a key, sign a Certificate Signing Request (CSR), and upload the signed certificate.  

  4. Set proper permissions for the server key and certificate files.  

  5. Edit the '/etc/raddb/mods-enabled/eap' file to configure TLS settings.  

To configure Certificate Revocation List (CRL) retrieval, proceed as follows:

  1. Import and adapt the 'getcrl.sh' bash script to match the client context.  

  2. Edit the '/etc/raddb/mods-enabled/eap' file to enable CRL checking.   
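
The EAP-TLS, TLS and CRL steps above all come down to a few directives in the eap module file plus the mode of the server key. The following is an added example, not part of the original guide: a POSIX shell check for those settings. `default_eap_type`, `ca_path` and `check_crl` are FreeRADIUS 3 directives; the helper names, the sample fragment and the 0640 key mode are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check an eap module file for the EAP-TLS and CRL settings
# from the steps above. Sample config, temp paths and helper names are constructed.

# conf_get FILE KEY: print the last uncommented "KEY = value" in FILE.
conf_get() {
    awk -v k="$2" '{ sub(/#.*/, "") }
        $1 == k && $2 == "=" { v = $3 }
        END { print v }' "$1"
}

# other_can_access PATH: true if "other" holds any permission bit on PATH.
other_can_access() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# audit_eap EAP_FILE KEY_FILE: print findings; non-zero status if any.
audit_eap() {
    rc=0
    [ "$(conf_get "$1" default_eap_type)" = "tls" ] ||
        { echo "default_eap_type is not tls"; rc=1; }
    [ -n "$(conf_get "$1" ca_path)" ] ||
        { echo "ca_path is unset (directory of hashed CA certs and CRLs)"; rc=1; }
    [ "$(conf_get "$1" check_crl)" = "yes" ] ||
        { echo "check_crl is not yes: revocation is not checked"; rc=1; }
    if other_can_access "$2"; then
        echo "private key $2 is accessible to other users"; rc=1
    fi
    return $rc
}

# Constructed demo: hardened eap fragment plus a key file with mode 0640.
demo=$(mktemp -d)
cat > "$demo/eap" <<'EOF'
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_path = ${cadir}
        check_crl = yes    # CRLs must sit in ca_path, hashed with c_rehash
    }
}
EOF
: > "$demo/server.key"; chmod 640 "$demo/server.key"
audit_eap "$demo/eap" "$demo/server.key" && echo "eap: no findings"
```

On a real server, pass the eap file from '/etc/raddb/mods-enabled/' and the resolved path of the server key; the script does not expand `${certdir}` itself.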

To configure RADIUS client settings:

  • Edit the '/etc/raddb/clients.conf' file.

  • Adapt client blocks as needed, providing IP addresses and secret keys.
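
Client blocks are where weak shared secrets and overly wide address ranges tend to slip in. The following is an added example, not part of the original guide: a POSIX shell check over a clients.conf-style file. The client names, addresses, secrets and both thresholds (16 characters, /24) are constructed assumptions; `testing123` is the secret shipped in the FreeRADIUS sample configuration.

```shell
#!/bin/sh
# Added example: flag risky client blocks in a clients.conf-style file.
# Thresholds and sample values are assumptions; handles unquoted one-word values.

# audit_clients FILE: print "client: finding" lines; non-zero status if any.
audit_clients() {
    awk -v minlen="${MIN_SECRET_LEN:-16}" -v minpfx="${MIN_PREFIX:-24}" '
        function bad(msg) { print msg; found = 1 }
        { sub(/#.*/, "") }                       # drop comments
        $1 == "client" { name = $2; next }       # remember the current block
        $1 == "secret" && $2 == "=" {
            if ($3 == "testing123")
                bad(name ": sample secret testing123 still in use")
            else if (length($3) < minlen)
                bad(name ": secret shorter than " minlen " characters")
        }
        $1 == "ipaddr" && $2 == "=" {
            n = split($3, part, "/")
            if (n == 2 && part[2] + 0 < minpfx)
                bad(name ": ipaddr " $3 " is wider than /" minpfx)
        }
        END { exit found }' "$1"
}

# Constructed demo file: one acceptable block and two that should be flagged.
cdemo=$(mktemp -d)
cat > "$cdemo/clients.conf" <<'EOF'
client core-switch {
    ipaddr = 10.20.30.11
    secret = Xq7vT2mNc9RbLw4ZpK8sHd3F   # constructed value
}
client lab-ap {
    ipaddr = 10.20.40.0/24
    secret = lab2024
}
client any {
    ipaddr = 0.0.0.0/0
    secret = testing123
}
EOF
audit_clients "$cdemo/clients.conf" || echo "clients.conf: review the findings above"
```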

To configure the access policy:

  1. Customize access policies based on client needs by editing the '/etc/raddb/sites-enabled/default' file. 

  2. Structure the file into sections corresponding to authentication, authorization, and accounting.  

Finally, to set the log level:

  1. Enable authentication logs by modifying the '/etc/raddb/radiusd.conf' file. 

  2. Adjust logging parameters to specify which events should be recorded in the log file.   
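
Once `auth = yes` is set in the `log` section of radiusd.conf, every accept and reject is written to the server log and can be reviewed per network device. The following is an added example, not part of the original guide: a POSIX shell summary of rejected authentications. The log lines are constructed and their layout is assumed to follow FreeRADIUS 3 "Auth:" entries; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise rejected authentications from a radius.log-style file.
# The log lines are constructed; their layout follows FreeRADIUS 3 "Auth:" lines
# written when auth = yes is set in the log section (assumed format).

# rejects_by_client LOG: print "COUNT CLIENT" per NAS, highest count first.
rejects_by_client() {
    awk '/ : Auth: / && /Login incorrect/ {
            for (i = NF - 2; i >= 1; i--)    # scan from the end: user names vary
                if ($i == "(from" && $(i + 1) == "client") { n[$(i + 2)]++; break }
        }
        END { for (c in n) print n[c], c }' "$1" | sort -k1,1nr -k2,2
}

# noisy_clients LOG MIN: print clients with at least MIN rejects.
noisy_clients() {
    rejects_by_client "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample log: one accept, four rejects, one unrelated line.
ldemo=$(mktemp -d)
cat > "$ldemo/radius.log" <<'EOF'
Tue Apr  2 09:14:03 2024 : Auth: (12) Login OK: [host/laptop42.example.org/<via Auth-Type = eap>] (from client core-switch port 17 cli 00-11-22-33-44-55)
Tue Apr  2 09:14:09 2024 : Auth: (13) Login incorrect (eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed): [host/kiosk7.example.org/<via Auth-Type = eap>] (from client lab-ap port 3 cli 00-11-22-33-44-66)
Tue Apr  2 09:14:15 2024 : Auth: (14) Login incorrect (eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed): [host/kiosk7.example.org/<via Auth-Type = eap>] (from client lab-ap port 3 cli 00-11-22-33-44-66)
Tue Apr  2 09:14:40 2024 : Auth: (15) Login incorrect (eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed): [host/old-pc.example.org/<via Auth-Type = eap>] (from client core-switch port 21 cli 00-11-22-33-44-77)
Tue Apr  2 09:14:52 2024 : Auth: (16) Login incorrect (eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed): [host/kiosk7.example.org/<via Auth-Type = eap>] (from client lab-ap port 3 cli 00-11-22-33-44-66)
Tue Apr  2 09:15:00 2024 : Info: Ready to process requests
EOF
rejects_by_client "$ldemo/radius.log"
```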

In conclusion, the meticulous implementation of FreeRADIUS on a Linux machine, following outlined procedures, significantly fortifies your organization's network security infrastructure. With robust authentication, authorization, and logging mechanisms established, secure access to network resources is assured while aligning with security policies.

By meticulously adapting procedures to specific Linux distributions, administrators effectively deploy FreeRADIUS for NAC, thereby enhancing network security and control. It's worth noting that while FreeRADIUS enables authentication of endpoints and users, issuing certificates for them is paramount. For this task, our solutions Horizon & Stream offer the most reliable and comprehensive approach.
