toughradius
Welcome to the TOUGHRADIUS project!
_____ _____ _ _ _____ _ _ _____ ___ _____ _ _ _ _____
|_ _| / _ \ | | | | / ___| | | | | | _ \ / | | _ \ | | | | | | / ___/
| | | | | | | | | | | | | |_| | | |_| | / /| | | | | | | | | | | | | |___
| | | | | | | | | | | | _ | _ | | _ / / / | | | | | | | | | | | | \___ \
| | | |_| | | |_| | | |_| | | | | | | | \ \ / / | | | |_| | | | | |_| | ___| |
|_| \_____/ \_____/ \_____/ |_| |_| |_| \_\ /_/ |_| |_____/ |_| \_____/ /_____/
A powerful, open-source RADIUS server designed for ISPs, enterprise networks, and carriers. Supports standard RADIUS protocols, a full EAP / 802.1X authentication suite (EAP-TLS, PEAPv0/EAP-MSCHAPv2, EAP-TTLS), RadSec (RADIUS over TLS), and a modern Web management interface.
A pluggable EAP handler registry covers both challenge and tunneled methods:
β οΈ Compatibility note: PEAP and EAP-MSCHAPv2 are compatibility-first methods. MS-CHAPv2-style exchanges carry an NTLMv1-like attack surface (see Microsoft guidance). Use them to serve legacy devices and AD users; prefer EAP-TLS for new deployments where you control the client certificate estate.
# Clone repository
git clone https://github.com/talkincode/toughradius.git
cd toughradius
# Build frontend
cd web
npm install
npm run build
cd ..
# Build backend
go build -o toughradius main.go
Download the latest version from the Releasesβ page.
cp toughradius.yml toughradius.prod.yml
toughradius.prod.yml configuration file:system:
appid: ToughRADIUS
location: Asia/Shanghai
workdir: ./rundata
database:
type: sqlite # or postgres
name: toughradius.db
# PostgreSQL configuration
# host: localhost
# port: 5432
# user: toughradius
# passwd: your_password
radiusd:
enabled: true
host: 0.0.0.0
auth_port: 1812 # RADIUS authentication port
acct_port: 1813 # RADIUS accounting port
radsec_port: 2083 # RadSec port
web:
host: 0.0.0.0
port: 1816 # Web management interface port
ToughRADIUS registers the following EAP handlers out of the box:
| Method | Kind | Notes |
|---|---|---|
eap-md5 | Challenge | Default; password challenge (RFC 3748) |
eap-mschapv2 | Challenge | MS-CHAPv2 password challenge |
eap-tls | Tunneled (certificate) | Certificate-based mutual authentication (RFC 5216) |
eap-peap | Tunneled | PEAPv0 with inner EAP-MSCHAPv2 (Windows / AD) |
eap-ttls | Tunneled | Inner PAP / MS-CHAPv2 (RFC 5281) |
Fine-tune authentication behavior via system configuration (sys_config):
radius.EapMethod: Preferred EAP method offered on EAP-Identity (default eap-md5).radius.EapEnabledHandlers: Allow-list of enabled handlers, comma-separated, e.g. eap-md5,eap-mschapv2,eap-tls. Use * to enable all registered handlers.This lets you disable unauthorized EAP methods without interrupting the service.
β οΈ MS-CHAPv2-based methods (
eap-mschapv2,eap-peap, and TTLS inner MS-CHAPv2) are compatibility-oriented and carry an NTLMv1-like attack surface. Prefereap-tlsfor new deployments where you control client certificates.
# Initialize database
./toughradius -initdb -c toughradius.prod.yml
# Start service
./toughradius -c toughradius.prod.yml
Access Web Management Interface: http://localhost:1816β
Default Admin Account:
Change the default admin password immediately after first login. For any deployment exposed beyond a local development host, also set web.secret / TOUGHRADIUS_WEB_SECRET to a long random value before starting the service; it signs management API JWTs.
Production mode (system.debug=false or logger.mode=production) refuses to start when the built-in placeholder or an empty JWT secret is still configured.
docs-site/β ) consolidating the overview, security policy, RFC reference, and more; built, link-checked, and deployed to GitHub Pages by CItoughradius/
βββ cmd/ # Application entry points
βββ internal/ # Private application code
β βββ adminapi/ # Admin API (New version)
β βββ radiusd/ # RADIUS service core
β βββ domain/ # Data models
β βββ webserver/ # Web server
βββ pkg/ # Public libraries
βββ web/ # React Admin frontend
βββ docs/ # Documentation
# Run tests
go test ./...
# Run benchmark tests
go test -bench=. ./internal/radiusd/
# Start development mode
go run main.go -c toughradius.yml
cd web
npm install
npm run dev # Development server
npm run build # Production build
npm run lint # Code linting
We welcome contributions in various forms, including but not limited to:
This project is licensed under the MIT Licenseβ .
The RADIUS dictionary files in the share/ directory are derived from the FreeRADIUSβ project and are licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0)β .
Thanks to JetBrainsβ for supporting this project!
Content type
Image
Digest
sha256:479846a6eβ¦
Size
15.7 MB
Last updated
29 days ago
docker pull talkincode/toughradius:9.1.0