75
edits
Changes
Setting up external Radius server for RUTOS authentication (view source)
Revision as of 16:33, 23 November 2023
, 16:33, 23 November 2023Created page with "==Summary== In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use ''freeradius'' package to set up a local..."
==Summary==
In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. Lastly we will test the configuration with a RUT series device.<br>
[[File:Networking freeradius lan principle diagram v1.png|border|class=tlt-border]]
==Topology used in this example==
[[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]]
==Prerequisites==
*'''Router''' with the ability to install an additional PAM package
*'''Ubuntu machine''' with the ability to host a local FreeRadius server
==Preparing Ubuntu machine==
====Installing the FreeRadius server====
Firstly, update the package list and upgrade the packages to their latest version:
sudo apt update
sudo apt upgrade
Next, install the FreeRadius package:
sudo apt install freeradius
====Defining a Client====
Client - router that will use FreeRadius to authenticate WebUI and/or SSH users.
In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to access it:
sudo nano /etc/freeradius/3.0/clients.conf
For this example we will add the following lines in order to accept any IP address as a client:
client 0.0.0.0/0 {
secret = demoscrt
shortname = 0.0.0.0/0
}
'''Note:''' IP of a specific Public IP of the client can be used instead of 0.0.0.0/0
====Defining a User and Password====
Before we create a user's login credentials, let's use an MD5 hash instead of a clear text password. We will generate a hash value of '''demo123''' using the following command:
echo -n demo123| md5sum | awk '{print $1}'
We will now define credentials for user '''demo'''. Use your favorite text editor to access it:
sudo nano /etc/freeradius/3.0/users
Add required lines to the file:
demo MD5-Password:= "62cc2d8b4bf2d8728120d052163a77df"
Reply-Message := "Hello, %{User-Name}"
Once these changes are made, start the FreeRadius service:
sudo /etc/init.d/freeradius start
==Preparing the router==
===Creating a static IP lease for FreeRadius server===
Firstly, we will set a static IP lease for the Ubuntu machine running FreeRadius server. To do that you can use two methods.
====First method====
* Connect to the WebUI
* Navigate to '''Status → Network → LAN'''
* In the '''DHCP Leases section''' you should the Ubuntu machine's IP
* Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease
====Second method====
* Connect to the WebUI
* Navigate to '''Network → DHCP → Static Leases'''
* Add the Ubuntu machine's MAC, IP, and provide a description
[[File:Networking add static lease fw76 v1.png|border|class=tlt-border]]
* Press [[File:Networking save apply button fw76 v1.png]]
===Creating a new RUTOS user===
Now we will need to create a new user with SSH access. To do that follow these steps:
* Go to '''System → Administration → User Settings → System Users''' section
* In the Add new user section fill the user's login credentials.
You can specify your own custom role or choose one from the default roles. In this example, admin role was chosen.
[[File:Networking new device user fw76 v1.png|border|class=tlt-border]]<br>
'''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file.
* Press [[File:Networking edit button fw76 v1.png]] near the newly created user
* '''Enable''' the SSH access
* Press [[File:Networking save apply button fw76 v1.png]]
===PAM package installation===
Now we will need to install a PAM package, to do that follow these steps:
* Go to '''System → Package Manager → Packages'''
* Install the PAM package
===Radius server configuration===
Now we will set the FreeRadius server's information on the router
====For SSH authentication====
* Go to '''System → Administration → Access Control → PAM''' section
* Press [[File:Networking edit button fw76 v1.png]] near the SSH instance
* Enable the instance
* Set module to RADIUS
* Set type to Required
* Set server to Ubuntu machine's IP
* Set secret to the one defined in the FreeRadius '''clients.conf''' file
* Leave Port and Timeout to their default values
[[File:Networking pam ssh freeradius config fw76 v1.png|border|class=tlt-border]]
* Press [[File:Networking save apply button fw76 v1.png]]
====For WebUI authentication====
* Go to '''System → Administration → Access Control → PAM''' section
* Press [[File:Networking edit button fw76 v1.png]] near the SSH instance
* Enable the instance
* Set module to RADIUS
* Select the newly created user or enable PAM authentication for all users
* Set type to Required
* Set server to Ubuntu machine's IP
* Set secret to the one defined in the FreeRadius '''clients.conf''' file
* Leave Port and Timeout to their default values
[[File:Networking pam webui freeradius config fw76 v1.png|border|class=tlt-border]]
* Press [[File:Networking save apply button fw76 v1.png]]
==Testing Authentication==
Now that we have the setup configured, we can test if the server authenticates the users.
In order to see authentication requests on the server side:
a. Run radius server in debug mode by first disabling the freeradius service using command
<pre>
sudo /etc/init.d/freeradius stop
</pre>
and then running the following command:
<pre>
sudo freeradius -X
</pre>
b. Tail the log file using the following command:
<pre>
sudo tail -f /var/log/freeradius/radius.log
</pre>
Once we see the logs, we can connect to the Hotspot using user credentials defined from either a smartphone or another computer:
* Connect to the wireless network
[[File:Networking Radius server wifi login v1.png|border|class=tlt-border|292x292px]]
* Login using credentials defined in the Radius server users
[[File:Networking Radius server hotspot login web v1.png|border|class=tlt-border|443x443px]]
* You should see authorization success window
[[File:Networking Radius server hotspot auth success v1.png|border|class=tlt-border|867x867px]]
* Logs should show Login OK message
[[File:Networking Radius server log message v1.png|border|class=tlt-border|864x864px]]
[[Category:WIFI]]
In this example we will perform a basic Radius server configuration for router's SSH and WebUI authentication. We will use ''freeradius'' package to set up a local Radius server on Ubuntu operating system. Lastly we will test the configuration with a RUT series device.<br>
[[File:Networking freeradius lan principle diagram v1.png|border|class=tlt-border]]
==Topology used in this example==
[[File:Networking freeradius lan topology diagram v1.png|border|class=tlt-border]]
==Prerequisites==
*'''Router''' with the ability to install an additional PAM package
*'''Ubuntu machine''' with the ability to host a local FreeRadius server
==Preparing Ubuntu machine==
====Installing the FreeRadius server====
Firstly, update the package list and upgrade the packages to their latest version:
sudo apt update
sudo apt upgrade
Next, install the FreeRadius package:
sudo apt install freeradius
====Defining a Client====
Client - router that will use FreeRadius to authenticate WebUI and/or SSH users.
In order to add/edit clients, we need to access the '''clients.conf''' file. Use your favorite text editor to access it:
sudo nano /etc/freeradius/3.0/clients.conf
For this example we will add the following lines in order to accept any IP address as a client:
client 0.0.0.0/0 {
secret = demoscrt
shortname = 0.0.0.0/0
}
'''Note:''' IP of a specific Public IP of the client can be used instead of 0.0.0.0/0
====Defining a User and Password====
Before we create a user's login credentials, let's use an MD5 hash instead of a clear text password. We will generate a hash value of '''demo123''' using the following command:
echo -n demo123| md5sum | awk '{print $1}'
We will now define credentials for user '''demo'''. Use your favorite text editor to access it:
sudo nano /etc/freeradius/3.0/users
Add required lines to the file:
demo MD5-Password:= "62cc2d8b4bf2d8728120d052163a77df"
Reply-Message := "Hello, %{User-Name}"
Once these changes are made, start the FreeRadius service:
sudo /etc/init.d/freeradius start
==Preparing the router==
===Creating a static IP lease for FreeRadius server===
Firstly, we will set a static IP lease for the Ubuntu machine running FreeRadius server. To do that you can use two methods.
====First method====
* Connect to the WebUI
* Navigate to '''Status → Network → LAN'''
* In the '''DHCP Leases section''' you should the Ubuntu machine's IP
* Press [[File:Networking create static button from DHCP leases section v1.png]] near the instance to create a static IP lease
====Second method====
* Connect to the WebUI
* Navigate to '''Network → DHCP → Static Leases'''
* Add the Ubuntu machine's MAC, IP, and provide a description
[[File:Networking add static lease fw76 v1.png|border|class=tlt-border]]
* Press [[File:Networking save apply button fw76 v1.png]]
===Creating a new RUTOS user===
Now we will need to create a new user with SSH access. To do that follow these steps:
* Go to '''System → Administration → User Settings → System Users''' section
* In the Add new user section fill the user's login credentials.
You can specify your own custom role or choose one from the default roles. In this example, admin role was chosen.
[[File:Networking new device user fw76 v1.png|border|class=tlt-border]]<br>
'''Remember:''' use the '''same username as in''' FreeRadius '''users''' file. The password can be different, compared to the one in FreeRadius '''users''' file.
* Press [[File:Networking edit button fw76 v1.png]] near the newly created user
* '''Enable''' the SSH access
* Press [[File:Networking save apply button fw76 v1.png]]
===PAM package installation===
Now we will need to install a PAM package, to do that follow these steps:
* Go to '''System → Package Manager → Packages'''
* Install the PAM package
===Radius server configuration===
Now we will set the FreeRadius server's information on the router
====For SSH authentication====
* Go to '''System → Administration → Access Control → PAM''' section
* Press [[File:Networking edit button fw76 v1.png]] near the SSH instance
* Enable the instance
* Set module to RADIUS
* Set type to Required
* Set server to Ubuntu machine's IP
* Set secret to the one defined in the FreeRadius '''clients.conf''' file
* Leave Port and Timeout to their default values
[[File:Networking pam ssh freeradius config fw76 v1.png|border|class=tlt-border]]
* Press [[File:Networking save apply button fw76 v1.png]]
====For WebUI authentication====
* Go to '''System → Administration → Access Control → PAM''' section
* Press [[File:Networking edit button fw76 v1.png]] near the SSH instance
* Enable the instance
* Set module to RADIUS
* Select the newly created user or enable PAM authentication for all users
* Set type to Required
* Set server to Ubuntu machine's IP
* Set secret to the one defined in the FreeRadius '''clients.conf''' file
* Leave Port and Timeout to their default values
[[File:Networking pam webui freeradius config fw76 v1.png|border|class=tlt-border]]
* Press [[File:Networking save apply button fw76 v1.png]]
==Testing Authentication==
Now that we have the setup configured, we can test if the server authenticates the users.
In order to see authentication requests on the server side:
a. Run radius server in debug mode by first disabling the freeradius service using command
<pre>
sudo /etc/init.d/freeradius stop
</pre>
and then running the following command:
<pre>
sudo freeradius -X
</pre>
b. Tail the log file using the following command:
<pre>
sudo tail -f /var/log/freeradius/radius.log
</pre>
Once we see the logs, we can connect to the Hotspot using user credentials defined from either a smartphone or another computer:
* Connect to the wireless network
[[File:Networking Radius server wifi login v1.png|border|class=tlt-border|292x292px]]
* Login using credentials defined in the Radius server users
[[File:Networking Radius server hotspot login web v1.png|border|class=tlt-border|443x443px]]
* You should see authorization success window
[[File:Networking Radius server hotspot auth success v1.png|border|class=tlt-border|867x867px]]
* Logs should show Login OK message
[[File:Networking Radius server log message v1.png|border|class=tlt-border|864x864px]]
[[Category:WIFI]]