pfSense FreeRADIUS + MySQL Documentation
This guide covers configuring FreeRADIUS with a MySQL backend on pfSense, including installation, user management, pfSense integration, firewall setup, and testing.
Install pfSense
# Download pfSense ISO from official site
# https://www.pfsense.org/download/
# Install on server/VM and complete initial setup
# https://www.pfsense.org/download/
# Install on server/VM and complete initial setup
Install FreeRADIUS Package on pfSense
# Navigate in pfSense Web GUI:
System → Package Manager → Available Packages → FreeRADIUS
Click "Install" and wait for completion
System → Package Manager → Available Packages → FreeRADIUS
Click "Install" and wait for completion
Install MySQL Server
# On Linux backend
sudo apt update
sudo apt install mysql-server -y
# Secure MySQL installation
sudo mysql_secure_installation
sudo apt update
sudo apt install mysql-server -y
# Secure MySQL installation
sudo mysql_secure_installation
Configure RADIUS Server
# In pfSense Web GUI:
Services → FreeRADIUS → Servers → Add
# Example settings:
Interface: LAN
Shared Secret: radiussecret
Authentication Port: 1812
Accounting Port: 1813
Services → FreeRADIUS → Servers → Add
# Example settings:
Interface: LAN
Shared Secret: radiussecret
Authentication Port: 1812
Accounting Port: 1813
Configure MySQL Backend
# In FreeRADIUS GUI → NAS / Authentication → Backend
Backend Type: SQL
SQL Module: MySQL
Host: 127.0.0.1 or MySQL server IP
Database: radius
Username: radiususer
Password: StrongPassword
# On MySQL, create database and tables
CREATE DATABASE radius;
CREATE USER 'radiususer'@'localhost' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radiususer'@'localhost';
FLUSH PRIVILEGES;
Backend Type: SQL
SQL Module: MySQL
Host: 127.0.0.1 or MySQL server IP
Database: radius
Username: radiususer
Password: StrongPassword
# On MySQL, create database and tables
CREATE DATABASE radius;
CREATE USER 'radiususer'@'localhost' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON radius.* TO 'radiususer'@'localhost';
FLUSH PRIVILEGES;
Add RADIUS Users
# Option 1: Via MySQL directly
INSERT INTO radcheck (username, attribute, op, value) VALUES ('user1','Cleartext-Password',':','password123');
# Option 2: Via FreeRADIUS GUI
Services → FreeRADIUS → Users → Add User
INSERT INTO radcheck (username, attribute, op, value) VALUES ('user1','Cleartext-Password',':','password123');
# Option 2: Via FreeRADIUS GUI
Services → FreeRADIUS → Users → Add User
Add RADIUS Authentication Server in pfSense
System → User Manager → Authentication Servers → Add
Type: RADIUS
Hostname: pfSense IP
Shared Secret: radiussecret
Port: 1812
Timeout: 5
Type: RADIUS
Hostname: pfSense IP
Shared Secret: radiussecret
Port: 1812
Timeout: 5
Enable Captive Portal (Optional)
Services → Captive Portal → Add
Interface: LAN or Guest
Authentication: RADIUS
RADIUS Server: select your configured server
Apply
Interface: LAN or Guest
Authentication: RADIUS
RADIUS Server: select your configured server
Apply
Firewall Rules
# Ensure pfSense LAN/WAN rules allow:
UDP 1812 (Authentication)
UDP 1813 (Accounting)
TCP 3306 (if MySQL is remote)
# Optional: limit access by IP
# pfSense → Firewall → Rules → LAN/WAN
UDP 1812 (Authentication)
UDP 1813 (Accounting)
TCP 3306 (if MySQL is remote)
# Optional: limit access by IP
# pfSense → Firewall → Rules → LAN/WAN
Security Tips
# Use strong shared secrets for RADIUS
# Use VPN if RADIUS or MySQL is exposed to internet
# Keep FreeRADIUS & MySQL updated
# Restrict MySQL user host access (avoid '%')
# Use VPN if RADIUS or MySQL is exposed to internet
# Keep FreeRADIUS & MySQL updated
# Restrict MySQL user host access (avoid '%')
Test RADIUS Authentication
# On pfSense CLI or Linux radius client:
radtest user1 password123 pfSense_IP 0 radiussecret
radtest user1 password123 pfSense_IP 0 radiussecret
Check Logs
# FreeRADIUS logs on pfSense
/var/log/freeradius/radius.log
# MySQL logs (Linux)
sudo tail -f /var/log/mysql/error.log
/var/log/freeradius/radius.log
# MySQL logs (Linux)
sudo tail -f /var/log/mysql/error.log