__TOC__

==Summary==

In this example we will perform a basic external RADIUS server configuration and test it with a RUT device for Hotspot authentication. We will use the ''freeradius'' package to set up a local RADIUS server on an Ubuntu machine. A router with a public IP address (RUT1) is directly connected to the server and forwards authentication requests arriving on the default RADIUS ports (UDP 1812 for authentication, UDP 1813 for accounting) to the LAN IP address of the server. A second router (RUT2) runs the Hotspot and sends its authentication requests to RUT1's public IP address.

[[File:External_Radius_server_topology_v1.png|alt=|center|772x772px]]

==Prerequisites==

*RUT1 - Router with a public IP address, so that the local server can accept authentication requests from outside its LAN
*Ubuntu machine - To host the local freeradius server
*RUT2 - To configure a Hotspot and test the RADIUS authentication method against the installed server

==Preparing Ubuntu machine==

====Installing the server====
----

Firstly, update the package list and upgrade to the latest packages:
<pre>
sudo apt update
sudo apt upgrade
</pre>

Next, install the freeradius package:
<pre>
sudo apt install freeradius
</pre>

====Defining a Client====
----

A client is any device that sends authentication requests to freeradius; in this example it is the Hotspot running on RUT2. Clients are defined in the clients.conf file, so open it with your favourite text editor:
<pre>
sudo nano /etc/freeradius/3.0/clients.conf
</pre>
For this example we will add the following lines, which accept any source IP address as a client:
<pre>
client 0.0.0.0/0 {
        secret = demosecret
        shortname = 0.0.0.0/0
}
</pre>
Note: the public IP address of the specific client (the WAN address of RUT2) can be used instead of 0.0.0.0/0, and it should be once the setup is working. With 0.0.0.0/0 and the port forward in place, anyone on the internet who learns or guesses the secret can send requests to the server, and the shared secret is also the only key that obfuscates the user's password inside RADIUS packets, so choose a long random secret rather than ''demosecret'' for anything beyond a test.

====Defining a User and Password====
----

Before we create a user, let us store an MD5 hash of the password instead of the clear-text password. We will generate the MD5 hash of the password '''demo123''' using the following command:
<pre>
echo -n demo123 | md5sum | awk '{print $1}'
</pre>
Note: an unsalted MD5 hash only hides the password from someone reading the file; it is fast to brute force offline, and FreeRADIUS also accepts salted formats such as SSHA-Password. Any hashed format only works when the Hotspot sends the password with PAP, as in this example; CHAP or MS-CHAP authentication needs Cleartext-Password or NT-Password on the server.

We will now define credentials for the user '''demo'''. Use your favourite text editor to open the '''users''' file:
<pre>
sudo nano /etc/freeradius/3.0/users
</pre>

Add the required lines to the file. The Reply-Message line must be indented: in the users file an indented line is a reply item belonging to the entry above it, while an unindented line starts a new entry:
<pre>
demo    MD5-Password := "62cc2d8b4bf2d8728120d052163a77df"
        Reply-Message := "%{User-Name} authenticated successfully"
</pre>

Once these changes are made, start the freeradius service:
<pre>
sudo /etc/init.d/freeradius start
</pre>
If the service was already running, use restart instead of start so that the new configuration is loaded.

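The following script is an added example, not code from this page or from the FreeRADIUS project. It generates the users file entries for the '''demo''' user in two forms: the unsalted MD5 form used above, and a salted SSHA-Password form (base64 of SHA1(password || salt) followed by the salt, the layout rlm_pap documents for that attribute). It also shows the check the server performs against a salted entry. The second user name ''demo-ssha'' and the 8-byte salt length are assumptions made for the example.

```python
"""Password storage formats for the freeradius 'users' file (added example)."""
import base64
import hashlib
import os
from typing import Optional

# Reply item used by the page; it must sit on an indented continuation line.
REPLY = 'Reply-Message := "%{User-Name} authenticated successfully"'


def md5_password(password: str) -> str:
    """Unsalted MD5 hex digest: what the page's md5sum pipeline produces."""
    return hashlib.md5(password.encode()).hexdigest()


def ssha_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the SSHA-Password layout: base64( SHA1(password || salt) || salt ).
    The 8-byte salt length is our choice (assumption); the server only requires
    the decoded value to be longer than the 20-byte SHA-1 digest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def verify_ssha(password: str, stored: str) -> bool:
    """Server-side check: split the stored value into digest and salt, recompute, compare."""
    raw = base64.b64decode(stored)
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]


def users_entry(user: str, attribute: str, value: str) -> str:
    """One 'users' entry: check item on the first line, reply item indented below it.
    An unindented Reply-Message line would be parsed as the start of a new entry."""
    return f'{user}\t{attribute} := "{value}"\n\t{REPLY}\n'


def render_users(password: str, salt: Optional[bytes] = None) -> str:
    """The MD5 entry the page uses beside the salted entry a practitioner should prefer.
    'demo-ssha' is a hypothetical second user so the two entries do not collide."""
    return (users_entry("demo", "MD5-Password", md5_password(password))
            + users_entry("demo-ssha", "SSHA-Password", ssha_password(password, salt)))


if __name__ == "__main__":
    print(render_users("demo123"), end="")
```

Run it and paste the output into /etc/freeradius/3.0/users; the MD5 line is equivalent to the one shown above, the SSHA line is what to use instead once the test setup works.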
==Preparing RUT1==

Main requirements for RUT1:
*Static public IP address
*Static lease set for the Ubuntu server
*UDP ports 1812 and 1813 forwarded to the local Ubuntu server

Firstly, let us set a static lease for the Ubuntu machine running the RADIUS server and configure port forwarding:
* Login to the WebUI and navigate to Network → Interfaces → LAN
[[File:Networking Radius server LAN edit v2.png|border|class=tlt-border|1097x1097px]]
* Add a static lease for the MAC address of the Ubuntu machine, so that the port forward keeps pointing at the right host after a DHCP lease change.
[[File:Networking Radius server Static lease v1.png|border|class=tlt-border|1095x1095px]]
* Navigate to Network → Firewall → Port Forwards and add two new rules to forward UDP ports 1812 and 1813 from WAN to the RADIUS server on the same ports. If the rule offers a source address filter, restrict it to RUT2's public IP so that the server is not reachable from the whole internet.
[[File:Networking Radius server Port forwards v1.png|border|class=tlt-border|1095x1095px]]

The RADIUS server is now set up with a basic configuration and ready to be tested with RUT2 to authenticate Hotspot users. Keep in mind that RADIUS itself is not encrypted: the packets between RUT2 and RUT1 cross the internet in the clear, with only the user's password obfuscated by the shared secret. For anything beyond a test, carry this traffic inside a VPN tunnel between the two routers instead of exposing the ports directly.

==Preparing RUT2==

====Setting up Hotspot====
----

Main requirements for RUT2:
*Internet connection
*Hotspot service

In order to start our Hotspot, we need to create a Wi-Fi access point that is not attached to any network interface and has no wireless encryption; the Hotspot captive portal, not the Wi-Fi layer, will authenticate the users:
* Navigate to Network → Wireless and click Add
* Select "--No network--" in General setup → Network
[[File:Networking Radius server wireless general v1.png|border|class=tlt-border|1050x1050px]]
* Select "No encryption" in Wireless security → Encryption
* Save & Apply
[[File:Networking Radius server wireless security v1.png|border|class=tlt-border|1088x1088px]]

* Navigate to Services → Hotspot (or install the package if it is not present by navigating to Services → Package Manager)
* Add a new Hotspot instance by selecting the wireless access point created earlier
* Enable the Hotspot and select Radius as the Authentication mode in General settings.
[[File:Networking Radius server hotspot general v1.png|border|class=tlt-border|692x692px]]
* Go to the Radius menu, insert the public IP of the RADIUS server (RUT1's WAN IP address) and the RADIUS secret we defined for the client earlier. The secret must match clients.conf exactly; a mismatch typically shows up on the server as a rejected login with a warning about unprintable characters in the password, not as a refused client.
[[File:Networking Radius server Radius hotspot settings v1.png|border|class=tlt-border|730x730px]]

Our configuration is complete.

==Testing Authentication==

Now that we have the setup configured, we can test whether the server authenticates users. Before involving the routers, it is worth checking the server locally with the ''radtest'' tool from the ''freeradius-utils'' package, which takes the user name, password, server address, NAS port number and shared secret as arguments and sends an Access-Request from 127.0.0.1: an Access-Accept confirms the users file and the client secret, while a reject or a timeout points at the server configuration rather than at the routers or the port forward.

In order to see authentication requests on the server side, use either of the following:

a. Run the RADIUS server in debug mode. First stop the freeradius service:
<pre>
sudo /etc/init.d/freeradius stop
</pre>
and then run the server in the foreground with full debug output:
<pre>
sudo freeradius -X
</pre>
Debug output prints every attribute of each request and can include the decoded user password, so do not leave it running, or keep its output in a shared terminal log, longer than the test needs.

b. Keep the service running and tail the log file:
<pre>
sudo tail -f /var/log/freeradius/radius.log
</pre>

Once we see the logs, we can connect to the Hotspot from a smartphone or another computer, using the credentials defined on the server:

* Connect to the wireless network
[[File:Networking Radius server wifi login v1.png|border|class=tlt-border|292x292px]]
* Login using the credentials defined in the RADIUS server's users file
[[File:Networking Radius server hotspot login web v1.png|border|class=tlt-border|443x443px]]
* You should see the authorization success window
[[File:Networking Radius server hotspot auth success v1.png|border|class=tlt-border|867x867px]]
* The logs should show a "Login OK" message. A "Login incorrect" message with a warning about unprintable characters in the password usually means the shared secret differs between clients.conf and the Hotspot settings; a request that never appears in the log at all points at the port forward or at a client definition that does not cover RUT2's public IP.
[[File:Networking Radius server log message v1.png|border|class=tlt-border|864x864px]]
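To see what the Hotspot and the server actually exchange during the test above, here is an added example (not code from this page, from Teltonika or from FreeRADIUS) that builds a RADIUS Access-Request with a PAP User-Password exactly as RFC 2865 specifies, handles it the way freeradius would with the clients.conf and users entries from this page, and checks the Response Authenticator on the reply. The client address 203.0.113.10 standing in for RUT2's public IP, and the Reply-Message text, are assumptions. Run it as-is for an offline round trip; ''send_udp'' sends the same request to a real server (127.0.0.1 on the Ubuntu machine, or RUT1's public IP from outside).

```python
"""Minimal RADIUS PAP exchange, RFC 2865 (added example)."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Constructed data mirroring the page; the client IP is an assumption for RUT2.
CLIENTS: Dict[str, bytes] = {"203.0.113.10": b"demosecret"}            # clients.conf
USERS: Dict[str, str] = {"demo": hashlib.md5(b"demo123").hexdigest()}  # users, MD5-Password


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator.
    Nothing but the shared secret protects the password on the wire."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side, or an eavesdropper who knows (or guesses) the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """What the Hotspot sends to UDP 1812."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode()) + \
        attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request: bytes, src_ip: str) -> Optional[bytes]:
    """freeradius-like handling: pick the secret by source IP, decode the password,
    check the MD5 hash, sign the reply with
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                      # unknown client: the server stays silent
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_pap_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = USERS.get(user) == hashlib.md5(password).hexdigest()
    reply_attrs = attr(ATTR_REPLY_MESSAGE, f"{user} authenticated successfully".encode()) if ok else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + req_auth + reply_attrs + secret).digest() + reply_attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust an Access-Accept only if it answers our request ID and is
    signed with our secret; otherwise a spoofed reply would log the user in."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_udp(request: bytes, host: str, port: int = 1812, timeout: float = 3.0) -> Optional[bytes]:
    """Real exchange against a running server; None on timeout (unknown client or blocked port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def demo() -> tuple:
    """Offline round trip: accepted login, rejected login, forged reply, unknown client."""
    secret = CLIENTS["203.0.113.10"]
    good = build_access_request(1, "demo", "demo123", secret)
    bad = build_access_request(2, "demo", "wrong", secret)
    good_resp, bad_resp = server_handle(good, "203.0.113.10"), server_handle(bad, "203.0.113.10")
    forged = good_resp[:4] + os.urandom(16) + good_resp[20:]   # attacker without the secret
    return (good_resp[0], verify_response(good_resp, good, secret),
            bad_resp[0], verify_response(forged, good, secret),
            server_handle(good, "198.51.100.7"))


if __name__ == "__main__":
    print(demo())   # (2, True, 3, False, None)
```

Two things in this exchange explain the warnings above: the password is never encrypted, only XORed against MD5 keystream derived from the shared secret, so the secret is the whole security of the wire format; and a request from an address that matches no client entry gets no reply at all, which is why a wrong client definition on the server looks like a timeout on the Hotspot.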

[[Category:WIFI]]