Line 4: |
Line 4: |
| | | |
| In this example we will perform a basic external Radius server configuration and test it with RUT device for Hotspot authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. A router with a public IP address will be directly connected to the Radius server and forward authentication requests to a LAN IP address of the server via default Radius ports. | | In this example we will perform a basic external Radius server configuration and test it with RUT device for Hotspot authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. A router with a public IP address will be directly connected to the Radius server and forward authentication requests to a LAN IP address of the server via default Radius ports. |
| + | [[File:External_Radius_server_topology_v1.png|alt=|center|772x772px]] |
| | | |
| ==Prerequisites== | | ==Prerequisites== |
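Review bot: the added File:External_Radius_server_topology_v1.png line sets alt= to an empty value, so the topology is lost to screen readers and text-only views. The paragraph above it only speaks of "a router" and "RUT device", which makes the figure the only place a reader can see which device fronts the Radius server and which one runs the Hotspot. Suggest a short alt text that names the Ubuntu Radius server, the router with the public IP address in front of it, and the Hotspot router.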
Line 47: |
Line 48: |
| ---- | | ---- |
| | | |
− | Before we create a user and password, let's use MD5 encryption instead of a clear text password. We will generate MD5 for '''demo123''' password using the following command: | + | Before we create a user and password, let us use MD5 encryption instead of a clear text password. We will generate MD5 encryption for '''demo123''' password using the following command: |
| <pre> | | <pre> |
| echo -n demo123| md5sum | awk '{print $1}' | | echo -n demo123| md5sum | awk '{print $1}' |
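Review bot: the reworded sentence now says "MD5 encryption" twice, but md5sum produces a one-way hash, not encryption, and the new phrase "generate MD5 encryption for demo123 password" reads worse than the line it replaces. Suggest "let us store an MD5 hash instead of a clear text password. We will generate the MD5 hash of the demo123 password using the following command:". Since the sentence presents this as an improvement over clear text, it is worth one more sentence saying that an unsalted MD5 of a short password is recovered quickly by guessing, that typing the password into echo leaves it in shell history, and that a salted scheme (FreeRADIUS accepts Crypt-Password, for example) is the better default outside a lab.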
Line 62: |
Line 63: |
| Reply-Message := "%{User-Name} authenticated successfully" | | Reply-Message := "%{User-Name} authenticated successfully" |
| </pre> | | </pre> |
| + | |
| + | Once these changes are made, start the freeradius service: |
| + | <pre> |
| + | sudo /etc/init.d/freeradius start |
| + | </pre> |
| + | |
| + | ==Preparing RUT1== |
| + | |
| + | Main requirements for RUT1: |
| + | *Static Public IP address |
| + | *Static lease set for Ubuntu server |
| + | *Ports 1812 and 1813 forwarding to local Ubuntu server |
| + | |
| + | Firstly, let us set a static lease for the Ubuntu machine running Radius server and configure port forwarding: |
| + | * Login to WebUI and navigate to Network → Interfaces → LAN |
| + | [[File:Networking Radius server LAN edit v2.png|border|class=tlt-border|1097x1097px]] |
| + | * Add a static lease to the MAC address of Ubuntu machine. |
| + | [[File:Networking Radius server Static lease v1.png|border|class=tlt-border|1095x1095px]] |
| + | * Navigate to Network → Firewall → Port Forwards and add two new rules to forward 1812 and 1813 ports from WAN to Radius server on the same ports. |
| + | [[File:Networking Radius server Port forwards v1.png|border|class=tlt-border|1095x1095px]] |
| + | |
| + | Radius server is now set with basic configuration and ready to be tested with RUT2 to authenticate Hotspot users. |
| + | |
| + | ==Preparing RUT2== |
| + | |
| + | ====Setting up Hotspot==== |
| + | ---- |
| + | |
| + | Main requirements for RUT2: |
| + | *Internet connection |
| + | *Hotspot service |
| + | |
| + | In order to start our Hotspot, we need to create a Wifi access point without a dedicated interface nor with any authentication: |
| + | * Navigate to Network → Wireless and click add |
| + | * Select "--No network--" in General setup → Network |
| + | [[File:Networking Radius server wireless general v1.png|border|class=tlt-border|1050x1050px]] |
| + | * Select "No encryption" in Wireless security → Encryption |
| + | * Save & Apply |
| + | [[File:Networking Radius server wireless security v1.png|border|class=tlt-border|1088x1088px]] |
| + | |
| + | * Navigate to Services → Hotspot (Or install the package if it is not present by navigating to Services → Package Manager) |
| + | * Add new Hotspot instance by selecting Wireless access point created earlier |
| + | * Enable the Hotspot and select Radius as Authentication mode in General settings. |
| + | [[File:Networking Radius server hotspot general v1.png|border|class=tlt-border|692x692px]] |
| + | * Go to Radius menu, insert Public IP of the Radius server (RUT1 WAN IP address) and Radius secret key we created for the client before. |
| + | [[File:Networking Radius server Radius hotspot settings v1.png|border|class=tlt-border|730x730px]] |
| + | |
| + | Our configuration is complete. |
| + | |
| + | ==Testing Authentication== |
| + | |
| + | Now that we have the setup configured, we can test if the server authenticates the users. |
| + | |
| + | In order to see authentication requests on the server side: |
| + | |
| + | a. Run radius server in debug mode by first disabling the freeradius service using command |
| + | <pre> |
| + | sudo /etc/init.d/freeradius stop |
| + | </pre> |
| + | and then running the following command: |
| + | <pre> |
| + | sudo freeradius -X |
| + | </pre> |
| + | |
| + | b. Tail the log file using the following command: |
| + | <pre> |
| + | sudo tail -f /var/log/freeradius/radius.log |
| + | </pre> |
| + | |
| + | Once we see the logs, we can connect to the Hotspot using user credentials defined from either a smartphone or another computer: |
| + | |
| + | * Connect to the wireless network |
| + | [[File:Networking Radius server wifi login v1.png|border|class=tlt-border|292x292px]] |
| + | * Login using credentials defined in the Radius server users |
| + | [[File:Networking Radius server hotspot login web v1.png|border|class=tlt-border|443x443px]] |
| + | * You should see authorization success window |
| + | [[File:Networking Radius server hotspot auth success v1.png|border|class=tlt-border|867x867px]] |
| + | * Logs should show Login OK message |
| + | [[File:Networking Radius server log message v1.png|border|class=tlt-border|864x864px]] |
| + | [[Category:WIFI]] |
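Review bot: the RUT1 requirement "Ports 1812 and 1813 forwarding to local Ubuntu server" and the Port Forwards step that implements it open the Radius server to the whole WAN, with no source restriction and no protocol named. Suggest stating that the two rules are UDP and limiting their source address to the public IP of RUT2, so only the Hotspot router can reach the server; the "Internet connection" requirement for RUT2 would then need to say a static public address. In Testing Authentication, option a stops the service with "sudo /etc/init.d/freeradius stop" and runs "sudo freeradius -X", but nothing tells the reader to leave debug mode and start the service again afterwards, and it is not clear that a and b are alternatives rather than consecutive steps (with the service stopped, option b has nothing new to tail). A closing line that restarts the service, and an "either ... or" in the sentence introducing a and b, would fix both. The RUT2 step "Select "No encryption"" also deserves a sentence noting that the access point is open by design and that clients reach the login page over an unencrypted wireless link.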