
MFA for FreeRADIUS

FreeRADIUS powers a huge share of the internet's network authentication — flexible, scriptable, and everywhere. That flexibility is also why bolting on MFA cleanly takes care. Authnull integrates either as an upstream proxy realm or as a module call from your policy, so you can add a phishing-resistant factor without rewriting your virtual servers. You point a realm or an authenticate stanza at Authnull, run radiusd in debug to confirm the exchange, then restart the service.

At a glance
Vendor: Open source
Connects via: proxy / module
Protects: Any RADIUS client
Deployment: Agentless
Setup time: 25 minutes
No rip-and-replace — sits in front of your existing setup
How Authnull connects

FreeRADIUS forwards the login; Authnull adds the factor.

FreeRADIUS: user connects
Authnull: proxy / module
Directory: AD / LDAP
User device: approve factor

FreeRADIUS proxies (or calls) Authnull after the primary check; Authnull challenges for the factor and returns Access-Accept/Reject, which FreeRADIUS relays to the NAS. The deepest-control path our team knows — pick proxy for simplicity or a module call for fine-grained policy.

Setup

Configure MFA for FreeRADIUS

Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 25 minutes.

1. Define Authnull as a home server

Add Authnull as a home server and pool in proxy.conf so a realm can route to it.

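proxy.conf
home_server authnull {
  type = auth
  ipaddr = 10.0.0.20
  port = 1812
  secret = <shared-secret>
}
# pool that the realm in step 2 references as authnull_pool
home_server_pool authnull_pool {
  type = fail-over
  home_server = authnull
}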

2. Route a realm to Authnull

Create a realm that uses the Authnull pool so matching requests are proxied for the factor.

proxy.conf
realm authnull {
  auth_pool = authnull_pool
}

3. Reference it in your virtual server

In sites-enabled/default, ensure the authenticate section sends the request through the realm after primary auth.

/etc/freeradius/sites-enabled/default

4. Test with radiusd debug

Run the daemon in debug mode and send a test request to watch the full Access-Request → Challenge → Accept exchange.

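shell
# run the daemon in the foreground with full debug output
# (the binary is named freeradius on Debian/Ubuntu packages)
radiusd -X
# in another shell: radtest <user> <password> <server> <nas-port-number> <secret>
radtest user pass localhost 0 testing123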

5. Restart the service

Once the debug run is clean, restart FreeRADIUS to apply the configuration in production.

shell
systemctl restart freeradius

Reference — connection values
Integration: proxy realm / module
home_server port: 1812
Debug: radiusd -X
Service: freeradius
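
A realm's auth_pool has to name a home_server_pool that exists, and that pool has to list a defined home_server, so it is worth checking those references before the debug run. The Python sketch below is an added example, not Authnull or FreeRADIUS code; it checks the references and flags placeholder or default secrets in a proxy.conf fragment. The function names and both sample configurations are constructed for illustration.

```python
import re

BLOCK_RE = re.compile(r"^\s*(home_server_pool|home_server|realm)\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r"^[ \t]*([\w-]+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)
WEAK_SECRETS = {"testing123"}  # default secret shipped in FreeRADIUS sample configs

def parse_blocks(text):
    """Return {kind: {name: [(key, value), ...]}} for flat proxy.conf blocks."""
    text = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)  # drop comment lines
    blocks = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    for kind, name, body in BLOCK_RE.findall(text):
        blocks[kind][name] = ITEM_RE.findall(body)
    return blocks

def check_proxy_conf(text):
    """Return sorted findings; an empty list means every reference resolves."""
    b = parse_blocks(text)
    findings = [f"realm {realm}: pool {pool} is not defined"
                for realm, items in b["realm"].items() for key, pool in items
                if key in ("pool", "auth_pool", "acct_pool") and pool not in b["home_server_pool"]]
    findings += [f"pool {pool}: home_server {server} is not defined"
                 for pool, items in b["home_server_pool"].items() for key, server in items
                 if key == "home_server" and server not in b["home_server"]]
    for server, items in b["home_server"].items():
        secret = dict(items).get("secret", "").strip('"')
        if not secret or secret.startswith("<") or secret in WEAK_SECRETS:
            findings.append(f"home_server {server}: secret is missing, a placeholder or a default")
    return sorted(findings)

# Constructed sample inputs: a home_server and realm with no pool, then the completed form.
WITHOUT_POOL = """home_server authnull {
  type = auth
  ipaddr = 10.0.0.20
  port = 1812
  secret = <shared-secret>
}
realm authnull {
  auth_pool = authnull_pool
}
"""
WITH_POOL = WITHOUT_POOL.replace("<shared-secret>", "constructed-Example-s3cret") + """home_server_pool authnull_pool {
  type = fail-over
  home_server = authnull
}
"""

if __name__ == "__main__":
    print(check_proxy_conf(WITHOUT_POOL), check_proxy_conf(WITH_POOL))
```

The parser only handles flat, single-level blocks with the closing brace on its own line.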

Closes the MFA gap auditors look for

Enforcing MFA on FreeRADIUS gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.

Add MFA to FreeRADIUS — free to start.

Spin up Authnull, point FreeRADIUS at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.
