Line 1: |
Line 1: |
| ==Summary== | | ==Summary== |
− | In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Lastly, we will test the configuration. | + | In this example, we will set up a Teltonika Networks router to use a Radius server for SSH and/or WebUI authentication. We will use the ''freeradius'' package to set up a local Radius server on an Ubuntu virtual machine. Then we will create a new user. Lastly, we will test the configuration. |
| | | |
| This is the idea of how a Radius server is used for RUTOS authentication:<br> | | This is the idea of how a Radius server is used for RUTOS authentication:<br> |
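Review bot: the added Summary sentence "Then we will create a new user." does not say where that user is created. Later sections define credentials in the FreeRadius users file and also add a user under System Users on the router, so the summary should name which of the two it means, or mention both, for example "Then we will create a matching user on the router."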
Line 7: |
Line 7: |
| [[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]] | | [[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]] |
| ==Prerequisites== | | ==Prerequisites== |
− | *'''Router''' with the ability to install an additional package - PAM | + | *'''Router''' with the ability to install the PAM package and running firmware version 7.6 or later |
| *'''Ubuntu machine''' with the ability to host a local FreeRadius server | | *'''Ubuntu machine''' with the ability to host a local FreeRadius server |
| + | '''Note:''' in this example Ubuntu version 22.04.3 LTS was used |
| ==Preparing Ubuntu machine== | | ==Preparing Ubuntu machine== |
| ====Installing the FreeRadius server==== | | ====Installing the FreeRadius server==== |
− | Firstly, update the package list and upgrade the packages to their latest version: | + | Firstly, update the package source lists and upgrade the packages to their latest version: |
| sudo apt update | | sudo apt update |
| sudo apt upgrade | | sudo apt upgrade |
Line 17: |
Line 18: |
| Next, install the FreeRadius package: | | Next, install the FreeRadius package: |
| sudo apt install freeradius | | sudo apt install freeradius |
− | ====Defining a Client==== | + | ====Defining a client==== |
| Client - a router that will use FreeRadius to authenticate WebUI and/or SSH users. | | Client - a router that will use FreeRadius to authenticate WebUI and/or SSH users. |
| In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to edit it: | | In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to edit it: |
| sudo nano /etc/freeradius/3.0/clients.conf | | sudo nano /etc/freeradius/3.0/clients.conf |
− | | + | For this example, we will add the following lines in order to accept any IP address as a client: |
− | For this example we will add the following lines in order to accept any IP address as a client: | |
| client 0.0.0.0/0 { | | client 0.0.0.0/0 { |
| secret = demoscrt | | secret = demoscrt |
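Review bot: the reworded lead-in still presents "client 0.0.0.0/0" with "secret = demoscrt" as the configuration to copy, which makes the server answer RADIUS requests from any address under a short, guessable shared secret. Since this sentence is being edited anyway, state that the wildcard is for a lab setup only, and show the router's own address with a long random secret as the normal case rather than leaving that to the note that follows the block.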
Line 30: |
Line 30: |
| '''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0 | | '''Note:''' a specific public IP of the client can be used instead of 0.0.0.0/0 |
| ====Defining user login credentials==== | | ====Defining user login credentials==== |
− | Before we create a user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''demo123''' using the following command: | + | Before we create the user's login credentials, let's create an MD5 hash and use it instead of a clear text password. We will generate a hash value of '''demo123''' using the following command: |
| echo -n demo123| md5sum | awk '{print $1}' | | echo -n demo123| md5sum | awk '{print $1}' |
| | | |
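Review bot: the revised sentence above the md5sum command still offers an MD5 hash as the replacement for a clear-text password without saying how little that protects. An unsalted MD5 of a short password such as demo123 is quickly recovered if the users file is read, so the text should say the hash only avoids storing the literal password, or recommend a salted scheme. The command as written also leaves the password in the shell history, and "demo123|" is missing a space before the pipe.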
Line 43: |
Line 43: |
| sudo /etc/init.d/freeradius start | | sudo /etc/init.d/freeradius start |
| ==Preparing router== | | ==Preparing router== |
− | ===Creating a static IP lease for FreeRadius server=== | + | ===Setting a static IP for the FreeRadius server=== |
− | Firstly, we will set a static IP lease for the Ubuntu machine running FreeRadius server. To do that you can use two methods. | + | Firstly, we will set a static IP for the Ubuntu machine running FreeRadius server. To do that you can use two methods. |
| ====First method==== | | ====First method==== |
| * Connect to the WebUI | | * Connect to the WebUI |
| * Navigate to '''Status → Network → LAN''' | | * Navigate to '''Status → Network → LAN''' |
− | * In the '''DHCP Leases section''' you should add Ubuntu machine's IP address | + | * In the '''DHCP Leases section''' you should see Ubuntu machine's IP address |
| * Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease | | * Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease |
| ====Second method==== | | ====Second method==== |
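Review bot: the heading and intro now say "static IP" but the last step of the first method still reads "create a static IP lease", and the section being used is the DHCP Leases list, so the terminology is inconsistent within this hunk. Either keep "static IP lease" throughout or change the button step to match. In the same list, the bold span in "'''DHCP Leases section'''" includes the word "section", unlike the other UI names on the page.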
Line 59: |
Line 59: |
| Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps: | | Now we will need to create a new user for SSH and/or WebUI access. To do that follow these steps: |
| * Go to '''System → Administration → User Settings → System Users''' section | | * Go to '''System → Administration → User Settings → System Users''' section |
− | * In the Add new user section fill the user's login credentials. | + | * In the Add new user section fill in the user's login credentials. |
− | You can specify your own custom role or choose one from the default roles. In this example, admin role was chosen.<br> | + | You can specify your own custom role or choose one from the default roles. In this example, the admin role was chosen.<br> |
| [[File:Networking create new rutos user for freeradius fw76 v1.png|border|class=tlt-border]]<br> | | [[File:Networking create new rutos user for freeradius fw76 v1.png|border|class=tlt-border]]<br> |
| '''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file. | | '''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file. |
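Review bot: the "Remember" line kept below the edited steps says the router password can differ from the one in the FreeRadius users file, but nothing here says whether that local password still grants access once PAM is enabled. With the admin role chosen in the example, readers need to know this; add a sentence stating the behaviour and suggest a strong local password. Also, the edited bullet ends with a period while the other bullets do not, and "Add new user" is not bolded like the other UI labels.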
Line 70: |
Line 70: |
| Now we will set the FreeRadius server's information on the router | | Now we will set the FreeRadius server's information on the router |
| ====For SSH authentication==== | | ====For SSH authentication==== |
− | Firstly we will need to enable SSH access for the created user. To do that, follow these steps: | + | Firstly, we will need to enable SSH access for the created user. To do that, follow these steps: |
| * Go to '''System → Administration → User Settings → System Users''' section | | * Go to '''System → Administration → User Settings → System Users''' section |
| * Press [[File:Networking edit button fw76 v1.png]] near the newly created user | | * Press [[File:Networking edit button fw76 v1.png]] near the newly created user |
Line 89: |
Line 89: |
| To enable PAM authentication for WebUI, follow these steps: | | To enable PAM authentication for WebUI, follow these steps: |
| * Go to '''System → Administration → Access Control → PAM''' section | | * Go to '''System → Administration → Access Control → PAM''' section |
− | * Press [[File:Networking edit button fw76 v1.png]] near the SSH instance | + | * Press [[File:Networking edit button fw76 v1.png]] near the WebUI instance |
| * '''Enable''' the '''instance''' | | * '''Enable''' the '''instance''' |
| * Set '''module''' to '''RADIUS''' | | * Set '''module''' to '''RADIUS''' |
− | * In the '''Select users add '''the newly created '''user or enable''' PAM authentication '''for all users'''
| |
| * Set '''type''' to '''Required''' | | * Set '''type''' to '''Required''' |
| + | * In the '''Select users add the''' newly created '''user or enable''' PAM authentication '''for all users''' |
| * Set '''server''' to '''Ubuntu machine's IP''' | | * Set '''server''' to '''Ubuntu machine's IP''' |
| * Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file | | * Set '''secret''' to '''the one defined in''' the FreeRadius '''clients.conf''' file |
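Review bot: in the moved bullet the bold markup now reads "'''Select users add the'''", which bolds "add the" together with the field name and will render oddly. Suggest "In the '''Select users''' field, add the newly created user or enable PAM authentication for all users". The "for all users" option deserves a short note on what happens to existing local accounts when type is Required, since the page does not say.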
Line 124: |
Line 124: |
| [pap] = reject | | [pap] = reject |
| } # Auth-Type PAP = reject | | } # Auth-Type PAP = reject |
| + | [[Category:Router control and monitoring]] |