Description
The service provides AAA mechanisms for Wi-Fi users connected with WPA-Enterprise (EAP). Access points perform RADIUS authentication and authorization against the servers, and the servers request client data from a database. RADIUS also performs support functions for user authorization via ESR/BRAS.
Starting/stopping procedure
To stop the service, the following command is used:
service eltex-radius stop
To start the service after stopping:
service eltex-radius start
To check the service status, use the command:
service eltex-radius status
This will be followed by a message:
eltex-radius start/running, process <pid>
if the service is running or by
eltex-radius stop/waiting
if it is not.
Configuration
Configuration files are located in /etc/eltex-radius. Of these, the following can be edited:
local.conf - basic parameters that may need to be edited
certs/server.crt - server certificate used in EAP-TLS
certs/server.key - server private key used in EAP-TLS
certs/ca/*.pem - root CA certificates (it is recommended to name the CA certificate local.pem and specify it in local.conf when configuring EAP-TLS)
Start in debugging mode: eltex-radius -X
/etc/eltex-radius/local.conf
Main configuration file. Contains the following parameters:
- Listened ports configuration:
auth_port=1812
acct_port=1813
inner_tunnel_port=18121
- Configuring connection to the radius database:
# MySQL database
db_host="localhost"
db_port=3306
db_login="radius"
db_password="radpass"
db_name="radius"
- The option that enables/disables the SSID block check. If it is set to 1, users will not be able to log in on an SSID blocked via EMS.
ssid_check_enabled=1
- Configuring connection to the wireless database:
# MySQL 'wireless' database
wireless_db_host="localhost"
wireless_db_port=3306
wireless_db_login="javauser"
wireless_db_password="javapassword"
wireless_db_name="wireless"
- Connection to PCRF:
# PCRF
pcrf_host="127.0.0.1"
pcrf_port=7080
pcrf_enabled=1
- The name of the CA certificate used for TLS authorization and the server certificate key password. These parameters are changed automatically by the certificate installation script included in the eltex-radius-nbi package.
# EAP
ca_cert_name="local.pem"
tls_key_password="1234"
- Configuring request proxying to another RADIUS server:
proxy_auth=0
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="127.0.0.1"
proxy_port=18121
proxy_secret="eltex"
- Enabling special authorization request processing algorithms for some vendors' devices:
ubi_vendor_regex="Apple|Ubiquiti"
vendor_group_enabled=1
- Configuring dynamic clients for authorization:
# Settings of runtime NAS discovery
dynamic_clients=false
dynamic_client_subnet=192.168.0.0/16
dynamic_client_lifetime=3600
dynamic_client_rate_limit=false
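As an added example (not part of this documentation or of the eltex-radius package), a small Python check that parses local.conf in the key=value / key="value" form shown above and flags what a reviewer should look at before the server faces production access points: passwords and secrets left at the values printed in this documentation, dynamic NAS discovery enabled without rate limiting, and the SSID check switched off. The sample configuration text is constructed, and the true/false spelling of dynamic_clients is assumed from the documented default.

```python
import re

# Constructed sample in the key=value / key="value" form shown above; it is not a
# real deployment file and deliberately keeps several documented default values.
SAMPLE_LOCAL_CONF = """
# MySQL database
db_login="radius"
db_password="radpass"
ssid_check_enabled=1
# EAP
tls_key_password="1234"
proxy_secret="eltex"
# Settings of runtime NAS discovery
dynamic_clients=true
dynamic_client_subnet=192.168.0.0/16
dynamic_client_rate_limit=false
"""

# Secrets printed verbatim in the documentation (assumed list, taken from the
# values above); any of them left in place is worth a finding.
DOC_DEFAULTS = {"db_password": "radpass", "wireless_db_password": "javapassword",
                "tls_key_password": "1234", "proxy_secret": "eltex"}

def parse_local_conf(text):
    """Return {key: value}; surrounding quotes are stripped and '#' lines skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def audit_local_conf(text):
    """Return a list of findings a reviewer should check before going live."""
    conf = parse_local_conf(text)
    findings = []
    for key, default in DOC_DEFAULTS.items():
        if conf.get(key) == default:
            findings.append(f"{key} is still the documentation default")
    if conf.get("dynamic_clients", "false").lower() == "true":
        subnet = conf.get("dynamic_client_subnet", "<unset>")
        findings.append(f"dynamic_clients enabled: runtime NAS discovery allowed for {subnet}")
        if conf.get("dynamic_client_rate_limit", "false").lower() == "false":
            findings.append("dynamic_client_rate_limit is off while dynamic_clients is on")
    if conf.get("ssid_check_enabled") != "1":
        findings.append("ssid_check_enabled is not 1: EMS SSID blocks are not enforced")
    return findings
```

Run audit_local_conf on the contents of /etc/eltex-radius/local.conf and restart the service after changing any of the flagged values.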
NAS table
This table is part of the radius database and contains the addresses of clients (access points) that are allowed to send user authorization requests. If a client is not listed in the table, its authorization requests are ignored. When the contents of the table are changed, restart eltex-radius. When the EMS object tree is changed (access points are added or removed), the table is updated automatically and eltex-radius is restarted.
Logging
Server logging is configured in the log section of /etc/eltex-radius/radiusd.conf. By default, the section is as follows:
log {
destination = syslog
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
msg_denied = "You are already logged in - access denied"
}
A short description of the significant parameters of the section is given below:
Parameter | Description |
destination | log destination that can take two values |
file | log file path; by default ${logdir}/radius.log, where logdir = /var/log/eltex-radius, so the log file is /var/log/eltex-radius/radius.log |
syslog_facility | facility, the log category used for syslog logging |
auth | whether to log authorization requests; accepts yes or no |
Log rotation
For log rotation using logrotate, a configuration file should be created, for example:
/var/log/eltex-radius/radius.log {
daily
rotate 31
create 640 eltxrad eltxrad
compress
delaycompress
notifempty
missingok
postrotate
invoke-rc.d eltex-radius reload >/dev/null 2>&1 || true
endscript
}
For the case considered:
daily - rotate the files daily;
rotate 31 - keep the rotated files for the last 31 days;
create 640 eltxrad eltxrad - create a new file with access rights 640, owner eltxrad and group eltxrad. This is the account the server runs under;
postrotate - reload the server so that it starts logging to the newly created file.