Line 1: |
Line 1: |
| ==Summary== | | ==Summary== |
− | In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. Lastly we will test the configuration with a RUT series device.<br> | + | In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Lastly, we will test the configuration. |
| + | |
| + | This is the idea of how a Radius server is used for RUTOS authentication:<br> |
| [[File:Networking freeradius lan principle diagram v1.png|border|class=tlt-border]] | | [[File:Networking freeradius lan principle diagram v1.png|border|class=tlt-border]] |
| ==Topology used in this example== | | ==Topology used in this example== |
| [[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]] | | [[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]] |
| ==Prerequisites== | | ==Prerequisites== |
− | *'''Router''' with the ability to install an additional PAM package | + | *'''Router''' with the ability to install an additional package - PAM |
| *'''Ubuntu machine''' with the ability to host a local FreeRadius server | | *'''Ubuntu machine''' with the ability to host a local FreeRadius server |
− |
| |
| ==Preparing Ubuntu machine== | | ==Preparing Ubuntu machine== |
| ====Installing the FreeRadius server==== | | ====Installing the FreeRadius server==== |
| Firstly, update the package list and upgrade the packages to their latest version: | | Firstly, update the package list and upgrade the packages to their latest version: |
− |
| |
| sudo apt update | | sudo apt update |
| sudo apt upgrade | | sudo apt upgrade |
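Review bot: Naming is inconsistent within this hunk: the summary says "Radius server", the prerequisites say "FreeRadius server", and the router configuration further down uses "RADIUS" for the module. Suggest "RADIUS" for the protocol and "FreeRADIUS" for the package throughout the page. The new prerequisite wording "an additional package - PAM" reads better as "an additional package (PAM)" or the previous "an additional PAM package".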
Line 17: |
Line 17: |
| Next, install the FreeRadius package: | | Next, install the FreeRadius package: |
| sudo apt install freeradius | | sudo apt install freeradius |
− |
| |
| ====Defining a Client==== | | ====Defining a Client==== |
− | Client - router that will use FreeRadius to authenticate WebUI and/or SSH users. | + | Client - a router that will use FreeRadius to authenticate WebUI and/or SSH users. |
− | In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to access it: | + | In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to edit it: |
| sudo nano /etc/freeradius/3.0/clients.conf | | sudo nano /etc/freeradius/3.0/clients.conf |
| | | |
Line 29: |
Line 28: |
| } | | } |
| | | |
− | '''Note:''' IP of a specific Public IP of the client can be used instead of 0.0.0.0/0 | + | '''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0 |
− | ====Defining a User and Password==== | + | ====Defining user login credentials==== |
− | Before we create a user's login credentials, let's use an MD5 hash instead of a clear text password. We will generate a hash value of '''demo123''' using the following command: | + | Before we create a user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''demo123''' using the following command: |
| echo -n demo123| md5sum | awk '{print $1}' | | echo -n demo123| md5sum | awk '{print $1}' |
| | | |
− | We will now define credentials for user '''demo'''. Use your favorite text editor to access it: | + | We will now define credentials for user '''demo'''. Use your favorite text editor to edit the file '''users''': |
| sudo nano /etc/freeradius/3.0/users | | sudo nano /etc/freeradius/3.0/users |
| | | |
− | Add required lines to the file: | + | Add the name of the user, MD5 hash value of its password, and a reply message: |
| demo MD5-Password:= "62cc2d8b4bf2d8728120d052163a77df" | | demo MD5-Password:= "62cc2d8b4bf2d8728120d052163a77df" |
| Reply-Message := "Hello, %{User-Name}" | | Reply-Message := "Hello, %{User-Name}" |
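Review bot: The clients.conf note ("a specific public IP of the client can be used instead of 0.0.0.0/0") should be a recommendation rather than an option: with 0.0.0.0/0 the server accepts RADIUS requests from any source address that presents the shared secret, so the entry should be limited to the router's address as the server sees it (per the LAN topology, its LAN address). Two points on the users-file steps: the value on the "demo MD5-Password:=" line has to be the exact output of the md5sum command above it, so the text should tell the reader to paste that output rather than reuse the example hash; and the "Reply-Message" line is a reply item, which the users file only associates with the demo entry when the line starts with leading whitespace, which the rendered diff does not show. It is also worth saying that MD5-Password is an unsalted hash that the later test log confirms is only compared under Auth-Type PAP, so a leaked users file is only as strong as the password, and demo123 should be replaced outside a lab.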
Line 43: |
Line 42: |
| Once these changes are made, start the FreeRadius service: | | Once these changes are made, start the FreeRadius service: |
| sudo /etc/init.d/freeradius start | | sudo /etc/init.d/freeradius start |
− | | + | ==Preparing router== |
− | ==Preparing the router== | |
| ===Creating a static IP lease for FreeRadius server=== | | ===Creating a static IP lease for FreeRadius server=== |
| Firstly, we will set a static IP lease for the Ubuntu machine running FreeRadius server. To do that you can use two methods. | | Firstly, we will set a static IP lease for the Ubuntu machine running FreeRadius server. To do that you can use two methods. |
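Review bot: "start" does not reload clients.conf and users on a server that is already running, and the Ubuntu package normally starts the service during installation, so this step should use restart (for example "sudo /etc/init.d/freeradius restart" or "sudo systemctl restart freeradius") for the new client and user to take effect. The heading change to "==Preparing router==" matches "==Preparing Ubuntu machine==" in style, so that part is fine.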
Line 50: |
Line 48: |
| * Connect to the WebUI | | * Connect to the WebUI |
| * Navigate to '''Status → Network → LAN''' | | * Navigate to '''Status → Network → LAN''' |
− | * In the '''DHCP Leases section''' you should the Ubuntu machine's IP | + | * In the '''DHCP Leases section''' you should add Ubuntu machine's IP address |
| * Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease | | * Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease |
| ====Second method==== | | ====Second method==== |
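Review bot: The rewritten third step ("you should add Ubuntu machine's IP address") changes the meaning: in the DHCP Leases section the lease is listed, not added, and the following step presses the create-static button next to that listing. The original sentence was only missing its verb; suggest "In the DHCP Leases section you should see the Ubuntu machine's IP address".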
Line 59: |
Line 57: |
| * Press [[File:Networking save apply button fw76 v1.png]] | | * Press [[File:Networking save apply button fw76 v1.png]] |
| ===Creating a new RUTOS user=== | | ===Creating a new RUTOS user=== |
− | Now we will need to create a new user with SSH access. To do that follow these steps: | + | Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps: |
| * Go to '''System → Administration → User Settings → System Users''' section | | * Go to '''System → Administration → User Settings → System Users''' section |
| * In the Add new user section fill the user's login credentials. | | * In the Add new user section fill the user's login credentials. |
− | You can specify your own custom role or choose one from the default roles. In this example, admin role was chosen. | + | You can specify your own custom role or choose one from the default roles. In this example, admin role was chosen.<br> |
| [[File:Networking new device user fw76 v1.png|border|class=tlt-border]]<br> | | [[File:Networking new device user fw76 v1.png|border|class=tlt-border]]<br> |
| '''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file. | | '''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file. |
− | * Press [[File:Networking edit button fw76 v1.png]] near the newly created user
| |
− | * '''Enable''' the SSH access
| |
− | * Press [[File:Networking save apply button fw76 v1.png]]
| |
| ===PAM package installation=== | | ===PAM package installation=== |
| Now we will need to install a PAM package, to do that follow these steps: | | Now we will need to install a PAM package, to do that follow these steps: |
| * Go to '''System → Package Manager → Packages''' | | * Go to '''System → Package Manager → Packages''' |
− | * Install the PAM package | + | * '''Install''' the '''PAM''' package |
| ===Radius server configuration=== | | ===Radius server configuration=== |
| Now we will set the FreeRadius server's information on the router | | Now we will set the FreeRadius server's information on the router |
| ====For SSH authentication==== | | ====For SSH authentication==== |
| + | Firstly we will need to enable SSH access for the created user. To do that, follow these steps: |
| + | * Go to '''System → Administration → User Settings → System Users''' section |
| + | * Press [[File:Networking edit button fw76 v1.png]] near the newly created user |
| + | * '''Enable''' the '''SSH access''' |
| + | * Press [[File:Networking save apply button fw76 v1.png]] |
| + | To enable PAM authentication for SSH, follow these steps: |
| * Go to '''System → Administration → Access Control → PAM''' section | | * Go to '''System → Administration → Access Control → PAM''' section |
| * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance | | * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance |
− | * Enable the instance | + | * '''Enable''' the '''instance''' |
− | * Set module to RADIUS | + | * Set '''module''' to '''RADIUS''' |
− | * Set type to Required | + | * Set '''type''' to '''Required''' |
− | * Set server to Ubuntu machine's IP | + | * Set '''server''' to '''Ubuntu machine's IP''' |
− | * Set secret to the one defined in the FreeRadius '''clients.conf''' file | + | * Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file |
− | * Leave Port and Timeout to their default values | + | * Leave '''Port''' and '''Timeout''' to their '''default''' values |
| [[File:Networking pam ssh freeradius config fw76 v1.png|border|class=tlt-border]] | | [[File:Networking pam ssh freeradius config fw76 v1.png|border|class=tlt-border]] |
| * Press [[File:Networking save apply button fw76 v1.png]] | | * Press [[File:Networking save apply button fw76 v1.png]] |
| ====For WebUI authentication==== | | ====For WebUI authentication==== |
| + | To enable PAM authentication for WebUI, follow these steps: |
| * Go to '''System → Administration → Access Control → PAM''' section | | * Go to '''System → Administration → Access Control → PAM''' section |
| * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance | | * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance |
− | * Enable the instance | + | * '''Enable''' the '''instance''' |
− | * Set module to RADIUS | + | * Set '''module''' to '''RADIUS''' |
− | * Select the newly created user or enable PAM authentication for all users | + | * In the '''Select users add '''the newly created '''user or enable''' PAM authentication '''for all users''' |
− | * Set type to Required | + | * Set '''type''' to '''Required''' |
− | * Set server to Ubuntu machine's IP | + | * Set '''server''' to '''Ubuntu machine's IP''' |
− | * Set secret to the one defined in the FreeRadius '''clients.conf''' file | + | * Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file |
− | * Leave Port and Timeout to their default values | + | * Leave '''Port''' and '''Timeout''' to their '''default''' values |
| [[File:Networking pam webui freeradius config fw76 v1.png|border|class=tlt-border]] | | [[File:Networking pam webui freeradius config fw76 v1.png|border|class=tlt-border]] |
| * Press [[File:Networking save apply button fw76 v1.png]] | | * Press [[File:Networking save apply button fw76 v1.png]] |
− | ==Testing Authentication== | + | ==Testing configuration== |
− | | + | Now that we have the setup configured, we can test if the server properly authenticates the user. |
− | Now that we have the setup configured, we can test if the server authenticates the users. | + | To see authentication requests on the FreeRadius server side, follow these steps: |
− | | + | * Stop the FreeRadius service using this command: |
− | In order to see authentication requests on the server side:
| + | sudo /etc/init.d/freeradius stop |
− | | + | * Start the FreeRadius server in debug mode using this command: |
− | a. Run radius server in debug mode by first disabling the freeradius service using command
| + | sudo freeradius -X |
− | <pre>
| + | * Try connecting to the router's WebUI and/or SSH service |
− | sudo /etc/init.d/freeradius stop | |
− | </pre>
| |
− | and then running the following command:
| |
− | <pre>
| |
− | sudo freeradius -X | |
− | </pre>
| |
− | | |
− | b. Tail the log file using the following command:
| |
− | <pre>
| |
− | sudo tail -f /var/log/freeradius/radius.log
| |
− | </pre>
| |
| | | |
− | Once we see the logs, we can connect to the Hotspot using user credentials defined from either a smartphone or another computer:
| + | If the authentication is successful the server logs will contain these lines: |
| + | Auth-Type PAP { |
| + | pap: Login attempt with password |
| + | pap: Comparing with "known-good" MD5-Password |
| + | pap: User authenticated successfully |
| + | [pap] = ok |
| + | } # Auth-Type PAP = ok |
| | | |
− | * Connect to the wireless network
| + | If the authentication is unsuccessful the server logs will contain these lines: |
− | [[File:Networking Radius server wifi login v1.png|border|class=tlt-border|292x292px]]
| + | Auth-Type PAP { |
− | * Login using credentials defined in the Radius server users
| + | pap: Login attempt with password |
− | [[File:Networking Radius server hotspot login web v1.png|border|class=tlt-border|443x443px]]
| + | pap: Comparing with "known-good" MD5-Password |
− | * You should see authorization success window
| + | pap: ERROR: MD5 digest does not match "known good" digest |
− | [[File:Networking Radius server hotspot auth success v1.png|border|class=tlt-border|867x867px]]
| + | pap: Passwords don't match |
− | * Logs should show Login OK message
| + | [pap] = reject |
− | [[File:Networking Radius server log message v1.png|border|class=tlt-border|864x864px]] | + | } # Auth-Type PAP = reject |
− | [[Category:WIFI]]
| |
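Review bot: In the WebUI authentication steps the second bullet still says "near the SSH instance"; for WebUI authentication the WebUI instance should be edited, otherwise the reader configures SSH twice and never enables PAM for the WebUI. Two smaller points in the same hunk: the bold markup in the "Select users" bullet is unbalanced (the opening triple apostrophe before "Select users" closes after "add "), and it should read "In the Select users field add the newly created user, or enable PAM authentication for all users" with bold only on the field and option names; and the stop/start commands and the PAP log excerpts in the testing section dropped the <pre> blocks the previous revision used, so they should be wrapped again to render as verbatim text. Removing the Hotspot/Wi-Fi login steps and [[Category:WIFI]] is correct, since that material describes hotspot login rather than SSH/WebUI authentication.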