Line 1: |
Line 1: |
| + | <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.10'''] firmware version.</p> |
| ==Summary== | | ==Summary== |
| In this example, we will set up a Teltonika Networks router to use a Radius server for SSH and/or WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Then we will create a new user. Lastly, we will test the configuration. | | In this example, we will set up a Teltonika Networks router to use a Radius server for SSH and/or WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Then we will create a new user. Lastly, we will test the configuration. |
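Review bot: the external link in the added firmware notice has no space between the URL and its label, so '''00.07.10''' is parsed as part of the link target instead of being shown as the link text. Put a space after FW_%26_SDK_Downloads. The notice also states 00.07.10 while the Prerequisites line further down still reads "firmware version 7.6 or later"; say which of the two a reader should rely on.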
Line 5: |
Line 6: |
| [[File:Networking freeradius lan principle diagram v1.png|border|class=tlt-border]] | | [[File:Networking freeradius lan principle diagram v1.png|border|class=tlt-border]] |
| ==Topology used in this example== | | ==Topology used in this example== |
− | [[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]] | + | [[File:Networking freeradius lan topology diagram v1.png|border|600px|class=tlt-border]] |
| ==Prerequisites== | | ==Prerequisites== |
| *'''Router''' with the ability to install the PAM package and running firmware version 7.6 or later | | *'''Router''' with the ability to install the PAM package and running firmware version 7.6 or later |
Line 30: |
Line 31: |
| '''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0 | | '''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0 |
| ====Defining user login credentials==== | | ====Defining user login credentials==== |
− | Before we create the user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''demo123''' using the following command: | + | Before we create the user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''Temp1234''' using the following command: |
− | echo -n demo123| md5sum | awk '{print $1}' | + | echo -n Temp1234| md5sum | awk '{print $1}' |
| | | |
| We will now define credentials for user '''demo'''. Use your favorite text editor to edit the file '''users''': | | We will now define credentials for user '''demo'''. Use your favorite text editor to edit the file '''users''': |
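Review bot: the added echo -n Temp1234| md5sum line still yields an unsalted MD5 digest, which the paragraph presents as the alternative to a clear text password. An unsalted MD5 of a short password is recovered quickly by lookup or brute force if the users file is read, so the text should say that this only avoids storing the literal password and, where the installed FreeRADIUS version supports it, point to a salted attribute such as SSHA2-512-Password or Crypt-Password. Typing the password as an argument to echo also leaves it in the shell history; reading it from a prompt avoids that.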
Line 37: |
Line 38: |
| | | |
| Add the name of the user, MD5 hash value of its password, and a reply message: | | Add the name of the user, MD5 hash value of its password, and a reply message: |
− | demo MD5-Password:= "62cc2d8b4bf2d8728120d052163a77df" | + | demo MD5-Password:= "2aeac48777d7d33ac22cb0c1bac45bf3" |
| Reply-Message := "Hello, %{User-Name}" | | Reply-Message := "Hello, %{User-Name}" |
| | | |
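Review bot: the new MD5-Password value on the demo line is a literal digest that readers will paste unchanged, so every copied setup ends up with the same published password (Temp1234, per the previous hunk). Consider a placeholder for the digest plus a sentence telling the reader to substitute the output of their own command. Since the password and the digest both changed in this revision, please also confirm the digest is the actual output of the updated md5sum command.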
Line 43: |
Line 44: |
| sudo /etc/init.d/freeradius start | | sudo /etc/init.d/freeradius start |
| ==Preparing router== | | ==Preparing router== |
− | ===Setting a static IP for the FreeRadius server===
| + | Firstly, let us set a static lease for the Ubuntu machine running Radius server and configure port forwarding: |
− | Firstly, we will set a static IP for the Ubuntu machine running FreeRadius server. To do that you can use two methods. | + | * Login to WebUI and navigate to Network → DHCP → Static Leases |
− | ====First method====
| + | #Press the '''ADD''' butoon. |
− | * Connect to the WebUI | + | #Select MAC address of Ubuntu machine. |
− | * Navigate to '''Status → Network → LAN'''
| + | #Press the '''Save & Apply''' button. |
− | * In the '''DHCP Leases section''' you should see Ubuntu machine's IP address
| + | [[File:Networking Radius server LAN edit v3.png|1100px|border|class=tlt-border|1097x1097px]] |
− | * Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease
| |
− | ====Second method====
| |
− | * Connect to the WebUI
| |
− | * Navigate to '''Network → DHCP → Static Leases'''
| |
− | * Add the Ubuntu machine's MAC, IP, and provide a description
| |
− | [[File:Networking add static lease fw76 v1.png|border|class=tlt-border]] | |
− | * Press [[File:Networking save apply button fw76 v1.png]]
| |
| ===Creating a new RUTOS user=== | | ===Creating a new RUTOS user=== |
| Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps: | | Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps: |
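Review bot: the new intro sentence says "set a static lease ... and configure port forwarding", but the added steps cover only the static lease and the page then moves straight to "Creating a new RUTOS user"; either add the port forwarding steps or drop the phrase. In the same added block, "butoon" should be "button", step 2 selects only the MAC address while the removed text also had the reader enter the IP and a description, and the image line carries two sizes (1100px and 1097x1097px). The bullet followed by # items starts a separate list; use one list type for the whole procedure.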
Line 61: |
Line 55: |
| * In the Add new user section fill in the user's login credentials. | | * In the Add new user section fill in the user's login credentials. |
| You can specify your own custom role or choose one from the default roles. In this example, the admin role was chosen.<br> | | You can specify your own custom role or choose one from the default roles. In this example, the admin role was chosen.<br> |
− | [[File:Networking create new rutos user for freeradius fw76 v1.png|border|class=tlt-border]]<br> | + | [[File:Networking create new rutos user for freeradius fw76 v2.png|1100px|border|class=tlt-border]]<br> |
| '''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file. | | '''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file. |
| ===PAM package installation=== | | ===PAM package installation=== |
| Now we will need to install a PAM package, to do that follow these steps: | | Now we will need to install a PAM package, to do that follow these steps: |
| * Go to '''System → Package Manager → Packages''' | | * Go to '''System → Package Manager → Packages''' |
− | * '''Install''' the '''PAM''' package
| + | # '''Search''' for '''PAM''' package |
| + | # '''Install''' the '''PAM''' package |
| + | [[File:Networking create new rutos user for freeradius fw76 part2 v2.png|1100px|border|class=tlt-border]] |
| ===Radius server configuration=== | | ===Radius server configuration=== |
| Now we will set the FreeRadius server's information on the router | | Now we will set the FreeRadius server's information on the router |
| ====For SSH authentication==== | | ====For SSH authentication==== |
− | Firstly, we will need to enable SSH access for the created user. To do that, follow these steps:
| + | |
− | * Go to '''System → Administration → User Settings → System Users''' section
| |
− | * Press [[File:Networking edit button fw76 v1.png]] near the newly created user
| |
− | * '''Enable''' the '''SSH access'''
| |
− | * Press [[File:Networking save apply button fw76 v1.png]]
| |
| To enable PAM authentication for SSH, follow these steps: | | To enable PAM authentication for SSH, follow these steps: |
| * Go to '''System → Administration → Access Control → PAM''' section | | * Go to '''System → Administration → Access Control → PAM''' section |
| * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance | | * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance |
− | * '''Enable''' the '''instance'''
| + | # '''Enable''' the '''instance''' |
− | * Set '''module''' to '''RADIUS'''
| + | # Set '''module''' to '''RADIUS''' |
− | * Set '''type''' to '''Required'''
| + | # Set '''type''' to '''Required''' |
− | * Set '''server''' to '''Ubuntu machine's IP'''
| + | # Set '''server''' to '''Ubuntu machine's IP''' |
− | * Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file
| + | # Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file |
| * Leave '''Port''' and '''Timeout''' to their '''default''' values | | * Leave '''Port''' and '''Timeout''' to their '''default''' values |
− | [[File:Networking pam ssh freeradius config fw76 v1.png|border|class=tlt-border]] | + | [[File:Networking pam ssh freeradius config fw76 v3.png|border|class=tlt-border]] |
| * Press [[File:Networking save apply button fw76 v1.png]] | | * Press [[File:Networking save apply button fw76 v1.png]] |
| ====For WebUI authentication==== | | ====For WebUI authentication==== |
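Review bot: under "For SSH authentication" the four steps that enabled SSH access for the new user in System Users are deleted and replaced by an empty line, with no statement that the step is no longer required. If per-user SSH access still has to be enabled on 00.07.10, readers will finish the PAM setup and be unable to log in; if it is no longer needed, say so in one sentence. In the PAM block the # items are now surrounded by * items ("Go to", "Press", "Leave Port and Timeout"), which splits one procedure into three lists, and the PAM package screenshot reuses a "create new rutos user" file name, which is worth checking against the intended image.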
Line 90: |
Line 82: |
| * Go to '''System → Administration → Access Control → PAM''' section | | * Go to '''System → Administration → Access Control → PAM''' section |
| * Press [[File:Networking edit button fw76 v1.png]] near the WebUI instance | | * Press [[File:Networking edit button fw76 v1.png]] near the WebUI instance |
− | * '''Enable''' the '''instance'''
| + | # '''Enable''' the '''instance''' |
− | * Set '''module''' to '''RADIUS'''
| + | # Set '''module''' to '''RADIUS''' |
− | * Set '''type''' to '''Required'''
| + | # Set '''type''' to '''Required''' |
− | * In the '''Select users add the''' newly created '''user or enable''' PAM authentication '''for all users'''
| + | # In the '''Select users add the''' newly created '''user or enable''' PAM authentication '''for all users''' |
− | * Set '''server''' to '''Ubuntu machine's IP'''
| + | # Set '''server''' to '''Ubuntu machine's IP''' |
− | * Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file
| + | # Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file |
| * Leave '''Port''' and '''Timeout''' to their '''default''' values | | * Leave '''Port''' and '''Timeout''' to their '''default''' values |
− | [[File:Networking pam webui freeradius config fw76 v1.png|border|class=tlt-border]] | + | [[File:Networking pam webui freeradius config fw76 v3.png|border|class=tlt-border]] |
| * Press [[File:Networking save apply button fw76 v1.png]] | | * Press [[File:Networking save apply button fw76 v1.png]] |
| ==Testing configuration== | | ==Testing configuration== |
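Review bot: with type set to Required and the step offering to "enable PAM authentication for all users", the WebUI section does not say what happens to logins when the RADIUS server is unreachable. Add a sentence on that behaviour and recommend verifying the setup with the single newly created user before applying it to all users, so a misconfigured server or secret does not lock out administration. As in the SSH block, the converted # items sit between * items, and the bold markup in the "Select users" step covers "Select users add the" and "user or enable" rather than the field name alone.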