daloRADIUS on Ubuntu 24.04 on Azure User Guide
Overview
daloRADIUS is an open source, web based management platform for FreeRADIUS. It gives you a full operator console for managing RADIUS users, groups, hotspots, NAS devices, IP pools and billing, along with accounting reports and graphs, plus a self service portal for your end users. The cloudimg image ships daloRADIUS 2.3 with a complete RADIUS server behind it: Apache and PHP 8.3 serve the web interface on port 80, FreeRADIUS 3 answers authentication and accounting requests on the standard RADIUS ports, and a bundled local MariaDB holds both the FreeRADIUS tables (radcheck, radacct, nas and more) and the daloRADIUS management tables. Everything runs on a hardened, fully patched Ubuntu 24.04 LTS base. The database listens only on the loopback interface (127.0.0.1:3306) and is never exposed to the network. A unique operator password, a unique database password and a unique RADIUS shared secret are all generated on the first boot of every VM, so no known credential ever ships in the image. Backed by 24/7 cloudimg support.
What is included:
- daloRADIUS 2.3 served by Apache and PHP 8.3, managed by systemd
- FreeRADIUS 3 with the MySQL SQL backend, authenticating against the bundled database
- A bundled MariaDB server holding the FreeRADIUS and daloRADIUS schema, already installed and imported
- The operators (admin) console served on
:80, with the users self service portal at/users/ - Per VM secrets generated on first boot and recorded in a root only file: the operator password, the database password and the RADIUS shared secret
- No shipped default login: the default
administrator/radiusoperator and the defaulttesting123shared secret are both eliminated, and no known or blank credential authenticates - MariaDB bound to
127.0.0.1only, never exposed to the network apache2.service,freeradius.serviceandmariadb.serviceas enabled systemd units
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for larger deployments. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web console. To let your network access servers (access points, switches, VPN concentrators) reach the RADIUS server, also allow 1812/udp (authentication) and 1813/udp (accounting) from those devices. daloRADIUS serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for daloRADIUS by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name daloradius \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Open port 80 for the web console, and the RADIUS ports for your network devices:
az vm open-port --resource-group <your-rg> --name daloradius --port 80 --priority 900
az vm open-port --resource-group <your-rg> --name daloradius --port 1812 --priority 910
az vm open-port --resource-group <your-rg> --name daloradius --port 1813 --priority 920
Step 3 - Confirm the services are running
SSH in as azureuser and confirm Apache, FreeRADIUS and MariaDB are all active. Note that MariaDB listens only on 127.0.0.1:3306, Apache serves the console on port 80, and FreeRADIUS listens on the RADIUS ports 1812 and 1813.
systemctl is-active apache2 freeradius mariadb daloradius-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'; ss -ulnp | grep -E ':1812 |:1813 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM credentials
Every VM generates its own operator password, database password and RADIUS shared secret on first boot and writes them to a root only credentials file. Read it with sudo:
sudo cat /root/daloradius-credentials.txt

You sign in to the operators console as user administrator with the DALORADIUS_ADMIN_PASSWORD from this file. The RADIUS_SHARED_SECRET is the secret your network devices use to talk to FreeRADIUS. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.
Step 5 - Sign in to the operators console
Browse to http://<vm-public-ip>/. You are taken to the daloRADIUS operators sign in page. Sign in with username administrator and the password from Step 4.

Step 6 - The operator dashboard
Once signed in, you land on the daloRADIUS dashboard. The top navigation gives you Management (users, groups, NAS), Accounting, Billing, Reports, Configuration and Graphs, and the home page summarises your RADIUS deployment at a glance.

Step 7 - Manage RADIUS users
Open Management then Users to list, create and edit RADIUS users. Each user maps to rows in the FreeRADIUS radcheck table that the server authenticates against. Use New User to add a username and password, assign groups and attributes, and apply billing plans.

Step 8 - Manage NAS devices
Open Management then NAS to register your network access servers (access points, switches, VPN concentrators). FreeRADIUS is configured to read its clients from the database (read_clients = yes), so a NAS you add here, with its IP and shared secret, is honoured by the server. Restrict 1812/udp and 1813/udp in your NSG to the addresses of these devices.

Step 9 - Test RADIUS authentication
You can prove the RADIUS server end to end from the box itself. The block below reads the per VM shared secret from the credentials file, adds a throwaway test user to radcheck, authenticates it against the local FreeRADIUS server with radtest, and then removes it. A successful login prints Received Access-Accept:
SECRET="$(sudo grep '^RADIUS_SHARED_SECRET=' /root/daloradius-credentials.txt | cut -d= -f2-)"
sudo mariadb --protocol=socket -uroot raddb -e "INSERT INTO radcheck (username,attribute,op,value) VALUES ('demo-user','Cleartext-Password',':=','Demo1Pass2')"
radtest demo-user 'Demo1Pass2' 127.0.0.1 0 "$SECRET"
sudo mariadb --protocol=socket -uroot raddb -e "DELETE FROM radcheck WHERE username='demo-user'"

In day to day use you add real users from the web console (Step 7); this block is just a quick self test.
Step 10 - No known or default credentials
daloRADIUS normally ships a default operator administrator / radius and FreeRADIUS a default shared secret testing123. The cloudimg image eliminates both. The operator account is rotated to a unique per VM password (stored as a bcrypt hash), the database password and RADIUS shared secret are unique per VM, and no known or blank credential authenticates. You can prove it with the built in round-trip check, which confirms the per VM operator verifies while the default radius and common weak guesses are all rejected, and that RADIUS authentication succeeds with the per VM shared secret:
mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(username,' (the only operator account)') FROM raddb.operators WHERE username='administrator'"
sudo bash /usr/local/sbin/daloradius-cred-roundtrip.sh

Adding your own domain and TLS
The appliance serves plain HTTP on port 80. For production, front daloRADIUS with your own domain and a TLS certificate. You can terminate TLS with Azure Application Gateway, an nginx or Caddy reverse proxy, or a managed load balancer with a certificate for your domain, and forward to the VM on port 80. Because the operators console is an administrative interface, keep it off the public internet where you can, and restrict inbound 80/tcp in your NSG to your management network.
Security notes
- daloRADIUS serves plain HTTP on port 80. For anything beyond a trusted network, put it behind your own TLS terminating reverse proxy or Azure Application Gateway with a certificate for your domain, and restrict access to the operators console.
- The operator password, the database password and the RADIUS shared secret are all unique per VM, and no known or blank credential authenticates. Keep
/root/daloradius-credentials.txtprotected, and change the operator password from within daloRADIUS (Configuration then Operators) if you share access. - The bundled MariaDB listens on
127.0.0.1only and is never reachable from the network. Administer it through daloRADIUS or over SSH. - Restrict inbound
80/tcpto your management network, and1812/udpand1813/udpto the addresses of your network access servers, in your NSG.
Support
This image is maintained by cloudimg with 24/7 support. If you need help deploying or operating daloRADIUS on Azure, contact us at cloudimg.co.uk.