Skip to main content

FreeRADIUS-Based User Authentication with Asterfusion SONiC Campus Access Switches

written by Asterfuison

February 21, 2024

What are RADIUS and FreeRADIUS?

RADIUS (Remote Authentication and Dial-In User Service) is a network protocol for dial-up user access and service request authentication.RADIUS provides centralized authentication, authorization and accounting (AAA) for managing access to network resources. RADIUS allows all user configuration information to be stored using a centralized database and shared by all users.

FreeRADIUS is an open source, modular, high-performance and feature-rich set of RADIUS programs, including servers, clients, development libraries and some additional related RADIUS tools. As the first open source RADIUS program, the source code can be compiled and installed on almost any system. Moreover, the product is designed for large-scale AAA authentication server deployment (10 million users and millions of requests per day).

How to configure a FreeRADIUS server?

Before everything starts, we should have a server with the required services and software installed. One thing to note is that FreeRADIUS does not have WebUI, so we use a third-party tool DaloRADIUS, as the management interface.

  • Server:KVM,2 vCPU + 2GB vMem + 8GB Disk
  • OS:CentOS Linux release 7.8.2003
  • Database:PostgreSQL 15.4
  • Web:v2.4.6
  • PHP:v5.4.16
  • FreeRADIUS:v3.0.13
  • DaloRADIUS:v1.3


Basic configurations on server

  • Disable SELinux, so as not to cause Web access exceptions.
  • Disable firewall to make sure external access after installation is finished
  • Configure YUM, EPEL and PostgreSQL database source
  • Download installation package (DaloRADIUS)

Install & configure database

Install & configure Web & PHP service

Install & configure FreeRADIUS

Install & configure DaloRADIUS

After finishing all the steps above, we can verify the results by visiting: http://freeradius-ip/daloradius/ and the default username/password is administrator/radius.

How to configure SONiC AAA authentication using Freeradius server?

Now we already have a functioning FreeRADIUS server, and it’s time to set up networking and enable user access authentication. Firstly, let’s take a look at the basic deployment environment. We drew a detailed schematic and organized all the switches involved, server parameters and software information into a table.

Asterfusion CX204Y-48GT-MSpine switch (Spine 1)AsterNOS V5.2R006/
Asterfusion CX204Y-48GT-MLeaf switch(Leaf 3)AsterNOS V5.2R006/
2-Core vCPU,2G vMemory (Linux bridge )Access Terminal (PC)CentOS Linux release 7.8.2003/
2-Core vCPU,2G vMemory (Ethernet interface passthrough)AAA Authentication ServerCentOS Linux release 7.8.2003FreeRADIUS v3.0.13
daloRADIUS v1.3
DHCP v4.2.5

Asterfusion SONiC Campus Access Switches Overview

Asterfusion CX-M series are SONiC-based Switches for campus accesses and enterprise data centers. With Full featured and enterprise ready SONiC (AsterNOS), it’s easy for us to build a high scalability and reliability network with just 2-3 commodity single chip switch SKUs, and what’s more, after simple peer configuration, the entire large-scale campus network can be considered as a virtual device, other configuration will synchronized automatically.

Here we have provided an unboxing & disassembly video, a PoE switch in CX-M series. If you are interested, please feel free to visit our website( and help portal (

Okay, let’s get back to FreeRADIUS. You will soon find it is not hard to configure user authentication in Asterfusion’s SONiC-based campus access networking.

Configurations on FreeRADIUS Server

Check RADIUS server status and make sure that it is running normally.

Add NAS device

Add user account(user 03)

Configurations on Asterfusion SONiC Campus Switches


Finally, we have the following information, and it appears that our user authentication system using Asterfusion SONiC switches is now working well.

Let’s go through it step by step. After successful authentication, VM1 can access the network and connect to the gateway. We can see the authentication information from the access switch.

dot1x authentication interface of terminal VM1
dot1x configuration for VM1
Network status

When dot1x authentication is not enabled on the access terminal, we enable the NIC by DHCP, and although the IP address can be obtained, there is no network connection, and the terminal cannot connect to the gateway.


Due to the length of the article, we only demonstrated user authentication of SONIC AAA authentication. Authorization and accounting can be fully supported for Asterfusion CX-M series switches, perhaps with a little front-end tuning as needed.

If you would like to try this access switch with enterprise SONiC (AsterNOS) in your campus network, or learn more about the test results and deployment examples related to this switch, please contact us. In addition, we also support a virtual machine version of AsterNOS, which is available to experience the operating system without switch hardware.

Product Category List

Latest Posts