Changes

no edit summary
Line 4: Line 4:     
In this example we will perform a basic external Radius server configuration and test it with RUT device for Hotspot authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. A router with a public IP address will be directly connected to the Radius server and forward authentication requests to a LAN IP address of the server via default Radius ports.
 
In this example we will perform a basic external Radius server configuration and test it with RUT device for Hotspot authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. A router with a public IP address will be directly connected to the Radius server and forward authentication requests to a LAN IP address of the server via default Radius ports.
 +
[[File:External_Radius_server_topology_v1.png|alt=|center|772x772px]]
    
==Prerequisites==
 
==Prerequisites==
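Review bot: the added [[File:External_Radius_server_topology_v1.png|alt=|center|772x772px]] line carries an empty alt= parameter, so the topology is lost to anyone who cannot see the image. Fill it with a short description that matches the paragraph above it (a router with a public IP address in front of the Ubuntu Radius server). The intro also speaks only of "RUT device" and "a router", while the sections added further down use RUT1 and RUT2; naming both devices here would make the later steps easier to follow.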
Line 47: Line 48:  
----
 
----
   −
Before we create a user and password, let's use MD5 encryption instead of a clear text password. We will generate MD5 for '''demo123''' password using the following command:
+
Before we create a user and password, let us use MD5 encryption instead of a clear text password. We will generate MD5 encryption for '''demo123''' password using the following command:
 
<pre>
 
<pre>
 
echo -n demo123| md5sum | awk '{print $1}'
 
echo -n demo123| md5sum | awk '{print $1}'
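Review bot: the reworded sentence now says "generate MD5 encryption", but md5sum produces a one-way hash, not encryption, so the new wording is less accurate than the old one. Suggest "let us use an MD5 hash instead of a clear text password" and "We will generate the MD5 hash for the '''demo123''' password". Since the command hashes the bare password with no salt, it is worth one sentence saying that this only keeps the password from being readable in the users file, and that typing the password as an argument to echo leaves it in the shell history.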
Line 62: Line 63:  
         Reply-Message := "%{User-Name} authenticated successfully"
 
         Reply-Message := "%{User-Name} authenticated successfully"
 
</pre>
 
</pre>
 +
 +
Once these changes are made, start the freeradius service:
 +
<pre>
 +
sudo /etc/init.d/freeradius start
 +
</pre>
 +
 +
==Preparing RUT1==
 +
 +
Main requirements for RUT1:
 +
*Static Public IP address
 +
*Static lease set for Ubuntu server
 +
*Ports 1812 and 1813 forwarding to local Ubuntu server
 +
 +
Firstly, let us set a static lease for the Ubuntu machine running Radius server and configure port forwarding:
 +
* Login to WebUI and navigate to Network → Interfaces → LAN
 +
[[File:Networking Radius server LAN edit v2.png|border|class=tlt-border|1097x1097px]]
 +
* Add a static lease to the MAC address of Ubuntu machine.
 +
[[File:Networking Radius server Static lease v1.png|border|class=tlt-border|1095x1095px]]
 +
* Navigate to Network → Firewall → Port Forwards and add two new rules to forward 1812 and 1813 ports from WAN to Radius server on the same ports.
 +
[[File:Networking Radius server Port forwards v1.png|border|class=tlt-border|1095x1095px]]
 +
 +
Radius server is now set with basic configuration and ready to be tested with RUT2 to authenticate Hotspot users.
 +
 +
==Preparing RUT2==
 +
 +
====Setting up Hotspot====
 +
----
 +
 +
Main requirements for RUT2:
 +
*Internet connection
 +
*Hotspot service
 +
 +
In order to start our Hotspot, we need to create a Wifi access point without a dedicated interface nor with any authentication:
 +
* Navigate to Network → Wireless and click add
 +
* Select "--No network--" in General setup → Network
 +
[[File:Networking Radius server wireless general v1.png|border|class=tlt-border|1050x1050px]]
 +
* Select "No encryption" in Wireless security → Encryption
 +
* Save & Apply
 +
[[File:Networking Radius server wireless security v1.png|border|class=tlt-border|1088x1088px]]
 +
 +
* Navigate to Services → Hotspot (Or install the package if it is not present by navigating to Services → Package Manager)
 +
* Add new Hotspot instance by selecting Wireless access point created earlier
 +
* Enable the Hotspot and select Radius as Authentication mode in General settings.
 +
[[File:Networking Radius server hotspot general v1.png|border|class=tlt-border|692x692px]]
 +
* Go to Radius menu, insert Public IP of the Radius server (RUT1 WAN IP address) and Radius secret key we created for the client before.
 +
[[File:Networking Radius server Radius hotspot settings v1.png|border|class=tlt-border|730x730px]]
 +
 +
Our configuration is complete.
 +
 +
==Testing Authentication==
 +
 +
Now that we have the setup configured, we can test if the server authenticates the users.
 +
 +
In order to see authentication requests on the server side:
 +
 +
a. Run radius server in debug mode by first disabling the freeradius service using command
 +
<pre>
 +
sudo /etc/init.d/freeradius stop
 +
</pre>
 +
and then running the following command:
 +
<pre>
 +
sudo freeradius -X
 +
</pre>
 +
 +
b. Tail the log file using the following command:
 +
<pre>
 +
sudo tail -f /var/log/freeradius/radius.log
 +
</pre>
 +
 +
Once we see the logs, we can connect to the Hotspot using user credentials defined from either a smartphone or another computer:
 +
 +
* Connect to the wireless network
 +
[[File:Networking Radius server wifi login v1.png|border|class=tlt-border|292x292px]]
 +
* Login using credentials defined in the Radius server users
 +
[[File:Networking Radius server hotspot login web v1.png|border|class=tlt-border|443x443px]]
 +
* You should see authorization success window
 +
[[File:Networking Radius server hotspot auth success v1.png|border|class=tlt-border|867x867px]]
 +
* Logs should show Login OK message
 +
[[File:Networking Radius server log message v1.png|border|class=tlt-border|864x864px]]
 +
[[Category:WIFI]]
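Review bot: the "Preparing RUT1" steps forward ports 1812 and 1813 from WAN to the Radius server with no source restriction mentioned, which leaves both ports reachable from any WAN host when only RUT2 needs them. Suggest adding a step that limits the two port-forward rules to RUT2's public IP address as the source. In "Testing Authentication", items a and b read as consecutive steps, but a stops the service and runs freeradius -X in the foreground with debug output in the terminal, while b follows the log file of the running service; present them as alternatives and say which one the final "Login OK" screenshot comes from. The sentence "without a dedicated interface nor with any authentication" would read better as "with no network attached and no encryption", matching the two settings selected in the bullets below it.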