# What is FreeRADIUS? The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4 and VMPS. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network. FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dialup, PPPoE, VPN's, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Redis, OpenLDAP. It is used daily to authenticate the Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users. > [wikipedia.org/wiki/FreeRADIUS](https://en.wikipedia.org/wiki/FreeRADIUS) # How to use this image ## Starting the server ```console $ docker run --name my-radius -d freeradius/freeradius-server ``` The image contains only the default FreeRADIUS configuration which has no users, and accepts test clients on 127.0.0.1. In order to use it in production, as a minimum you will need to add clients to the `clients.conf` file, and users to the "users" file in `mods-config/files/authorize`. **Without building a local image with a configuration, the container will refuse to answer any queries.** ## Defining a local configuration Create a local `Dockerfile` based on the required image and COPY in the server configuration. ```Dockerfile FROM freeradius/freeradius-server:latest COPY raddb/ /etc/raddb/ ``` The `raddb` directory could contain, for example: ``` clients.conf mods-config/ mods-config/files/ mods-config/files/authorize ``` Where `clients.conf` contains a simple client definition ``` client dockernet { ipaddr = 172.17.0.0/16 secret = testing123 } ``` and the `authorize` "users" file contains a test user: ``` bob Cleartext-Password := "test" ``` Build the image locally: ```console $ docker build -t my-radius-image -f Dockerfile . ``` ## Using the local configuration It should now be possible to test authentication against the server from the host machine, using the `radtest` utility supplied with FreeRADIUS and the credentials defined above. Start the local container. Ports will need to be forwarded to the server, typically 1812/udp and/or 1813/udp, for example: ```console docker run --rm -d --name my-radius -p 1812-1813:1812-1813/udp my-radius-image ``` Send a test request, you will need the `radtest` utility: ```console $ radtest bob test 127.0.0.1 0 testing123 ``` which should return an "Access-Accept". The image can now be stopped with: ```console docker stop my-radius ``` ## Running in debug mode FreeRADIUS should always be tested in debug mode, using option `-X`. Coloured debug output also requres `-t` be passed to docker. ```console $ docker run --rm --name my-radius -t -p 1812-1813:1812-1813/udp freeradius/freeradius-server -X ``` Guidelines for how to read and interpret the debug output are on the [FreeRADIUS Wiki](https://wiki.freeradius.org/radiusd-X). ## Security notes The configuration in the docker image comes with self-signed certificates for convenience. These should not be used in a production environment, but replaced with new certificates. See the file `raddb/certs/README.md` for more information. ## Debugging By default if you try to use `gdb` in a Docker container, the pattach call will fail, and you will not be able to trace processes. In order to allow tracing, the ``--privileged`` flag must be passed to ``docker run``, this restores any Linux ``cap`` privileges that would not ordinarily be given. # Image variants ## `freeradius/freeradius-server:` The de-facto image which should be used unless you know you need another image. It is based on [Ubuntu Linux](https://hub.docker.com/_/ubuntu/) Docker images. ## `freeradius/freeradius-server:-alpine` Image based on the [Alpine Linux](https://hub.docker.com/_/alpine/) Docker images, which are much smaller than most Linux distributions. To keep the basic size as small as possible, **this image does not include libraries for all modules that have been built** (especially the languages such as Perl or Python). Therefore these extra libraries will need to be installed with `apk add` in your own Dockerfile if you intend on using modules that require them. # Building Docker images The FreeRADIUS source contains Dockerfiles for several Linux distributions. They are in [`freeradius-server/scripts/docker/`](https://github.com/FreeRADIUS/freeradius-server/tree/v3.2.x/scripts/docker). Build an image with ```bash $ cd scripts/docker/ $ docker build . -t freeradius- ``` This will download the OS base image, install/build any dependencies as necessary, perform a shallow clone of the FreeRADIUS source and build the server. Once built, running ``docker images`` should show the image. ```bash $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE freeradius-ubuntu16 latest 289b3c7aca94 4 minutes ago 218MB freeradius-alpine latest d7fb3041bea2 2 hours ago 88.6MB ``` ## Build args Two ARGs are defined in the Dockerfiles that specify the source repository and git tag that the release will be built from. These are - source: the git repository URL - release: the git commit/tag To build the image from a specific repository and git tag, set one or both of these args: ```console $ docker build . --build-arg=release=v3.2.x --build-arg=source=https://github.com/FreeRADIUS/freeradius-server.git -t freeradius- ```