Welcome to the TOUGHRADIUS project!
_____ _____ _ _ _____ _ _ _____ ___ _____ _ _ _ _____
|_ _| / _ \ | | | | / ___| | | | | | _ \ / | | _ \ | | | | | | / ___/
| | | | | | | | | | | | | |_| | | |_| | / /| | | | | | | | | | | | | |___
| | | | | | | | | | | | _ | _ | | _ / / / | | | | | | | | | | | | \___ \
| | | |_| | | |_| | | |_| | | | | | | | \ \ / / | | | |_| | | | | |_| | ___| |
|_| \_____/ \_____/ \_____/ |_| |_| |_| \_\ /_/ |_| |_____/ |_| \_____/ /_____/
A powerful, open-source RADIUS server designed for ISPs, enterprise networks, and carriers. Supports standard RADIUS protocols, a full EAP / 802.1X authentication suite (EAP-TLS, PEAPv0/EAP-MSCHAPv2, EAP-TTLS), RadSec (RADIUS over TLS), and a modern Web management interface.
- π Standard RADIUS - Full support for RFC 2865/2866 authentication and accounting protocols
- π RadSec - TLS encrypted RADIUS over TCP (RFC 6614)
- π Multi-Vendor Support - Compatible with major network devices like Cisco, Mikrotik, Huawei, etc.
- β‘ High Performance - Built with Go, supporting high concurrency processing
A pluggable EAP handler registry covers both challenge and tunneled methods:
- πͺͺ EAP-MD5 / EAP-MSCHAPv2 - Challenge-based password methods (RFC 3748)
- π EAP-TLS - Certificate-based mutual authentication with TLS handshake, fragmentation reassembly, and certificate-to-identity mapping (RFC 5216)
- πͺ PEAPv0 / EAP-MSCHAPv2 - Server-certificate TLS tunnel carrying inner EAP-MSCHAPv2 with MPPE key derivation, for Windows / AD / legacy enterprise networks
- 𧩠EAP-TTLS - TLS tunnel carrying inner PAP / MS-CHAPv2, onboarding LDAP and legacy credential stores without a per-client certificate rollout (RFC 5281)
β οΈ Compatibility note: PEAP and EAP-MSCHAPv2 are compatibility-first methods. MS-CHAPv2-style exchanges carry an NTLMv1-like attack surface (see Microsoft guidance). Use them to serve legacy devices and AD users; prefer EAP-TLS for new deployments where you control the client certificate estate.
- π React Admin Interface - Modern Web management dashboard
- π₯ User Management - Complete user account and profile management
- π Real-time Monitoring - Online session monitoring and accounting record queries
- π Log Auditing - Detailed authentication and accounting logs
- Multi-Database Support - PostgreSQL, SQLite
- π Flexible Extension - Supports custom authentication and accounting logic
- π‘ Multi-Vendor VSA - Huawei, Mikrotik, Cisco, H3C, etc.
- Go 1.25+ (for building from source)
- PostgreSQL or SQLite
- Node.js 18+ (for frontend development)
# Clone repository
git clone https://github.com/talkincode/toughradius.git
cd toughradius
# Build frontend
cd web
npm install
npm run build
cd ..
# Build backend
go build -o toughradius main.goDownload the latest version from the Releases page.
- Copy the configuration template:
cp toughradius.yml toughradius.prod.yml- Edit
toughradius.prod.ymlconfiguration file:
system:
appid: ToughRADIUS
location: Asia/Shanghai
workdir: ./rundata
database:
type: sqlite # or postgres
name: toughradius.db
# PostgreSQL configuration
# host: localhost
# port: 5432
# user: toughradius
# passwd: your_password
radiusd:
enabled: true
host: 0.0.0.0
auth_port: 1812 # RADIUS authentication port
acct_port: 1813 # RADIUS accounting port
radsec_port: 2083 # RadSec port
web:
host: 0.0.0.0
port: 1816 # Web management interface portToughRADIUS registers the following EAP handlers out of the box:
| Method | Kind | Notes |
|---|---|---|
eap-md5 |
Challenge | Default; password challenge (RFC 3748) |
eap-mschapv2 |
Challenge | MS-CHAPv2 password challenge |
eap-tls |
Tunneled (certificate) | Certificate-based mutual authentication (RFC 5216) |
eap-peap |
Tunneled | PEAPv0 with inner EAP-MSCHAPv2 (Windows / AD) |
eap-ttls |
Tunneled | Inner PAP / MS-CHAPv2 (RFC 5281) |
Fine-tune authentication behavior via system configuration (sys_config):
radius.EapMethod: Preferred EAP method offered on EAP-Identity (defaulteap-md5).radius.EapEnabledHandlers: Allow-list of enabled handlers, comma-separated, e.g.eap-md5,eap-mschapv2,eap-tls. Use*to enable all registered handlers.
This lets you disable unauthorized EAP methods without interrupting the service.
β οΈ MS-CHAPv2-based methods (eap-mschapv2,eap-peap, and TTLS inner MS-CHAPv2) are compatibility-oriented and carry an NTLMv1-like attack surface. Prefereap-tlsfor new deployments where you control client certificates.
# Initialize database
./toughradius -initdb -c toughradius.prod.yml
# Start service
./toughradius -c toughradius.prod.ymlAccess Web Management Interface: http://localhost:1816
Default Admin Account:
- Username: admin
- Password: Please check the initialization log output
- π Bilingual Handbook (mdbook) - CN/EN documentation site (source in
docs-site/) consolidating the overview, security policy, RFC reference, and more; built, link-checked, and deployed to GitHub Pages by CI - Roadmap - Milestones and the EAP suite delivery plan (EAP-TLS / PEAP / TTLS, with TLS 1.3, TEAP, EAP-PWD tracked)
- Feature Checklist / English - Product scope baseline for aligning future development with feature IDs and avoiding uncontrolled direction changes
- Architecture - v9 version architecture design
- React Admin Refactor - Frontend management interface explanation
- SQLite Support - SQLite database configuration
- Environment Variables - Environment variable configuration guide
toughradius/
βββ cmd/ # Application entry points
βββ internal/ # Private application code
β βββ adminapi/ # Admin API (New version)
β βββ radiusd/ # RADIUS service core
β βββ domain/ # Data models
β βββ webserver/ # Web server
βββ pkg/ # Public libraries
βββ web/ # React Admin frontend
βββ docs/ # Documentation
# Run tests
go test ./...
# Run benchmark tests
go test -bench=. ./internal/radiusd/
# Start development mode
go run main.go -c toughradius.ymlcd web
npm install
npm run dev # Development server
npm run build # Production build
npm run lint # Code lintingWe welcome contributions in various forms, including but not limited to:
- π Submitting Bug reports and feature requests
- π Improving documentation
- π» Submitting code patches and new features
- π Helping with translation
This project is licensed under the MIT License.
The RADIUS dictionary files in the share/ directory are derived from the FreeRADIUS project and are licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
- Official Website
- Online Documentation
- RadSec RFC 6614
- RADIUS RFC 2865
- EAP RFC 3748
- EAP-TLS RFC 5216
- EAP-TTLS RFC 5281
- Mikrotik RADIUS Configuration
Thanks to JetBrains for supporting this project!