Changes

m
no edit summary
Line 1: Line 1:  
==Summary==
 
==Summary==
In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Lastly, we will test the configuration.
+
In this example, we will set up Teltonika Networks router to use a Radius server for SSH and/or WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Then we will create a new user. Lastly, we will test the configuration.
    
This is the idea of how a Radius server is used for RUTOS authentication:<br>
 
This is the idea of how a Radius server is used for RUTOS authentication:<br>
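Review bot: The new summary sentence drops the article in "set up Teltonika Networks router"; it should read "set up a Teltonika Networks router". The added "Then we will create a new user" step matches the later section and is fine.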
Line 11: Line 11:  
==Preparing Ubuntu machine==
 
==Preparing Ubuntu machine==
 
====Installing the FreeRadius server====
 
====Installing the FreeRadius server====
Firstly, update the package list and upgrade the packages to their latest version:
+
Firstly, update the package source lists and upgrade the packages to their latest version:
 
  sudo apt update
 
  sudo apt update
 
  sudo apt upgrade
 
  sudo apt upgrade
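Review bot: "package source lists" in the new sentence is less accurate than the old "package list": sudo apt update refreshes the package index from the configured sources, it does not update the source lists themselves. Suggest "update the package index and upgrade the packages to their latest version".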
Line 17: Line 17:  
Next, install the FreeRadius package:
 
Next, install the FreeRadius package:
 
  sudo apt install freeradius
 
  sudo apt install freeradius
====Defining a Client====
+
====Defining a client====
 
Client - a router that will use FreeRadius to authenticate WebUI and/or SSH users.  
 
Client - a router that will use FreeRadius to authenticate WebUI and/or SSH users.  
 
In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to edit it:
 
In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to edit it:
 
  sudo nano /etc/freeradius/3.0/clients.conf
 
  sudo nano /etc/freeradius/3.0/clients.conf
   −
For this example we will add the following lines in order to accept any IP address as a client:
+
For this example, we will add the following lines in order to accept any IP address as a client:
 
  client 0.0.0.0/0 {
 
  client 0.0.0.0/0 {
 
     secret = demoscrt
 
     secret = demoscrt
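Review bot: The example under "Defining a client" still ships client 0.0.0.0/0 with secret = demoscrt, so every host that can reach the server is accepted as a client and the only barrier is an eight-character demo secret. Since this revision already touches the sentence that introduces the block, suggest making the router's specific IP the primary example (the Note that follows only offers it as an alternative) and telling readers to replace the secret with a long random value before using the configuration outside a lab.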
Line 30: Line 30:  
'''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0
 
'''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0
 
====Defining user login credentials====
 
====Defining user login credentials====
Before we create a user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''demo123''' using the following command:
+
Before we create the user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''demo123''' using the following command:
 
  echo -n demo123| md5sum | awk '{print $1}'
 
  echo -n demo123| md5sum | awk '{print $1}'
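Review bot: The sentence introducing the md5sum command presents an MD5 hash as the alternative to a clear text password, which overstates the protection: the hash is unsalted, and for a short password such as demo123 it offers little over storing the password itself. Suggest saying this is for demonstration only and pointing readers to a salted scheme that FreeRADIUS supports (for example Crypt-Password). The command as written also leaves the password in the shell history, which is worth a one-line mention.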
   Line 43: Line 43:  
  sudo /etc/init.d/freeradius start
 
  sudo /etc/init.d/freeradius start
 
==Preparing router==
 
==Preparing router==
===Creating a static IP lease for FreeRadius server===
+
===Setting a static IP for the FreeRadius server===
Firstly, we will set a static IP lease for the Ubuntu machine running FreeRadius server. To do that you can use two methods.
+
Firstly, we will set a static IP for the Ubuntu machine running FreeRadius server. To do that you can use two methods.
 
====First method====
 
====First method====
 
* Connect to the WebUI
 
* Connect to the WebUI
 
* Navigate to '''Status → Network → LAN'''
 
* Navigate to '''Status → Network → LAN'''
* In the '''DHCP Leases section''' you should add Ubuntu machine's IP address
+
* In the '''DHCP Leases section''' you should see Ubuntu machine's IP address
 
* Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease
 
* Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease
 
====Second method====
 
====Second method====
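Review bot: The renamed heading and intro now say "static IP", but the last bullet of the first method still reads "create a static IP lease", so the section uses two terms for the same thing; pick one and use it throughout. The "add" to "see" correction in the DHCP Leases bullet is right. "To do that you can use two methods" would read better as "To do that, you can use one of two methods".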
Line 59: Line 59:  
Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps:
 
Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps:
 
* Go to '''System → Administration → User Settings → System Users''' section
 
* Go to '''System → Administration → User Settings → System Users''' section
* In the Add new user section fill the user's login credentials.
+
* In the Add new user section fill in the user's login credentials.
You can specify your own custom role or choose one from the default roles. In this example, admin role was chosen.<br>
+
You can specify your own custom role or choose one from the default roles. In this example, the admin role was chosen.<br>
 
[[File:Networking create new rutos user for freeradius fw76 v1.png|border|class=tlt-border]]<br>
 
[[File:Networking create new rutos user for freeradius fw76 v1.png|border|class=tlt-border]]<br>
 
'''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file.
 
'''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file.
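Review bot: The unchanged "Remember" line says the router password can differ from the one in the FreeRadius users file but does not say which password is accepted at login once RADIUS authentication is enabled. Since the example assigns the admin role, suggest stating that explicitly and advising a strong local password. Minor: "To do that follow these steps" needs a comma after "that", matching the wording used in the SSH section.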
Line 70: Line 70:  
Now we will set the FreeRadius server's information on the router
 
Now we will set the FreeRadius server's information on the router
 
====For SSH authentication====
 
====For SSH authentication====
Firstly we will need to enable SSH access for the created user. To do that, follow these steps:
+
Firstly, we will need to enable SSH access for the created user. To do that, follow these steps:
 
* Go to '''System → Administration → User Settings → System Users''' section
 
* Go to '''System → Administration → User Settings → System Users''' section
 
* Press [[File:Networking edit button fw76 v1.png]] near the newly created user
 
* Press [[File:Networking edit button fw76 v1.png]] near the newly created user
Line 89: Line 89:  
To enable PAM authentication for WebUI, follow these steps:
 
To enable PAM authentication for WebUI, follow these steps:
 
* Go to '''System → Administration → Access Control → PAM''' section
 
* Go to '''System → Administration → Access Control → PAM''' section
* Press [[File:Networking edit button fw76 v1.png]] near the SSH instance
+
* Press [[File:Networking edit button fw76 v1.png]] near the WebUI instance
 
* '''Enable''' the '''instance'''
 
* '''Enable''' the '''instance'''
 
* Set '''module''' to '''RADIUS'''
 
* Set '''module''' to '''RADIUS'''
* In the '''Select users add '''the newly created '''user or enable''' PAM authentication '''for all users'''
   
* Set '''type''' to '''Required'''
 
* Set '''type''' to '''Required'''
 +
* In the '''Select users add the''' newly created '''user or enable''' PAM authentication '''for all users'''
 
* Set '''server''' to '''Ubuntu machine's IP'''
 
* Set '''server''' to '''Ubuntu machine's IP'''
 
* Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file
 
* Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file
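Review bot: In the relocated "Select users" bullet the bold span now covers "Select users add the", so the verb is bolded along with the field name; suggest bolding only the field name, for example: In the '''Select users''' field, add the newly created user or enable PAM authentication for all users. The SSH to WebUI correction in the "Press" bullet is right. The steps set type to Required without saying what happens to WebUI logins when the RADIUS server is unreachable; a sentence documenting that behaviour would help readers avoid locking themselves out.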
