Description
The service provides AAA (authentication, authorization and accounting) for Wi-Fi users connecting over WPA-Enterprise (EAP). Access points act as RADIUS clients and send authentication and authorization requests to the servers; the servers look up the client data in a database. RADIUS also performs support functions for user authorization via ESR/BRAS.
Starting/stopping procedure
To stop the service, the following command is used:
service eltex-radius stop
To start the service after stopping:
service eltex-radius start
To check the service status, use the command:
service eltex-radius status
The command prints
eltex-radius start/running, process <pid>
if the service is running, or
eltex-radius stop/waiting
if it is not.
Configuration
The configuration files are located in /etc/eltex-radius. Of these, only the following should be edited:
local.conf - basic parameters that may need to be edited
certs/server.crt - server certificate used for EAP-TLS
certs/server.key - server private key used for EAP-TLS
certs/ca/*.pem - root CA certificates (it is recommended to name the CA certificate local.pem and reference it in local.conf when configuring EAP-TLS)
Keep certs/server.key readable only by the account the server runs under (eltxrad): anyone who can read it can impersonate the RADIUS server towards EAP-TLS clients.
Start in debugging mode: eltex-radius -X (runs the server in the foreground with full debug output, including request attributes; stop the service first so that the listening ports are free)
/etc/eltex-radius/local.conf
Main configuration file. Contains the following parameters:
- Listened ports:
auth_port=1812
acct_port=1813
inner_tunnel_port=18121
- Connection to the radius database:
# MySQL database
db_host="localhost"
db_port=3306
db_login="radius"
db_password="radpass"
db_name="radius"
- Enables/disables the SSID block check. If set to 1, users cannot log in on an SSID that has been blocked via EMS:
ssid_check_enabled=1
- Connection to the wireless database:
# MySQL 'wireless' database
wireless_db_host="localhost"
wireless_db_port=3306
wireless_db_login="javauser"
wireless_db_password="javapassword"
wireless_db_name="wireless"
- Connection to PCRF:
# PCRF
pcrf_host="127.0.0.1"
pcrf_port=7080
pcrf_enabled=1
- Name of the CA certificate used for EAP-TLS client authentication and the password of the server certificate key. Both parameters are set automatically by the certificate installation script included in the eltex-radius-nbi package:
# EAP
ca_cert_name="local.pem"
tls_key_password="1234"
- Proxying requests to another RADIUS server (enabled with proxy_auth=1; requests whose domain matches proxy_domain_regex are forwarded to proxy_host:proxy_port using the shared secret proxy_secret):
proxy_auth=0
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="127.0.0.1"
proxy_port=18121
proxy_secret="eltex"
- Special authorization request processing for some vendors' devices:
ubi_vendor_regex="Apple|Ubiquiti"
vendor_group_enabled=1
- Dynamic (runtime-discovered) clients for authorization. With dynamic_clients=true, any host within dynamic_client_subnet is accepted as a NAS without an entry in the NAS table, so leave it false unless every host in that subnet is trusted:
# Settings of runtime NAS discovery
dynamic_clients=false
dynamic_client_subnet=192.168.0.0/16
dynamic_client_lifetime=3600
dynamic_client_rate_limit=false
The values shown above are the shipped examples: replace db_password, wireless_db_password, proxy_secret and tls_key_password before putting the server into service, and keep local.conf readable only by the eltxrad account, since it stores these secrets in clear text.
NAS table
This table in the radius database lists the addresses of the clients (access points) that are allowed to send user authentication and authorization requests. Requests from addresses not in the table are silently ignored. After changing the table manually, restart eltex-radius. When the EMS object tree changes (access points are added or removed), the table is updated automatically and eltex-radius is restarted.
Logging
Server logging is configured in the log section of /etc/eltex-radius/radiusd.conf. By default, the section is as follows:
log {
    destination = syslog
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
    msg_denied = "You are already logged in - access denied"
}
Short description of the significant parameters of the section:
Parameter | Description |
destination | where log messages are written: syslog (the default here) or files, in which case the file parameter gives the path |
file | log file path, set by default to ${logdir}/radius.log; with logdir = /var/log/eltex-radius the log file is /var/log/eltex-radius/radius.log |
syslog_facility | syslog facility (log category) used when destination = syslog |
auth | log authentication requests; accepts yes or no |
auth_badpass, auth_goodpass | with yes, the password from a failed or a successful request is written to the log as well (for methods that carry it in clear text, such as PAP). The default yes puts user passwords into the log and into syslog; set both to no on a production server |
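As an added example (not Eltex's code or part of the eltex-radius package), the following POSIX shell script checks the three places described above, local.conf, the certificate and key files, and the log section of radiusd.conf, for the issues noted: sample secrets left in place, a short tls_key_password, runtime NAS discovery enabled, files readable by other users, and password logging. The file paths, the treatment of eltex, radpass, javapassword and 1234 as shipped sample values, and the 12-character threshold for tls_key_password are assumptions; the local.conf it writes at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Audit of eltex-radius settings (added example, not the vendor's tooling).
# Assumptions: key=value / key="value" syntax as on this page; the values
# eltex, radpass, javapassword and 1234 are shipped samples; 12 characters is
# the minimum acceptable length for tls_key_password.

# conf_get FILE KEY: print KEY's value (quoted or unquoted); last match wins,
# empty output if the key is absent. Trailing inline comments are not handled.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# audit_local_conf FILE: one finding per line on stdout, return value = count.
audit_local_conf() {
    f=$1
    n=0
    if [ "$(conf_get "$f" proxy_secret)" = "eltex" ]; then
        echo "proxy_secret is the sample value 'eltex'"; n=$((n + 1))
    fi
    pw=$(conf_get "$f" tls_key_password)
    if [ -n "$pw" ] && [ "${#pw}" -lt 12 ]; then
        echo "tls_key_password is shorter than 12 characters"; n=$((n + 1))
    fi
    for key in db_password wireless_db_password; do
        case "$(conf_get "$f" "$key")" in
            radpass|javapassword) echo "$key is the sample value"; n=$((n + 1)) ;;
        esac
    done
    if [ "$(conf_get "$f" dynamic_clients)" = "true" ]; then
        echo "dynamic_clients=true: every host in $(conf_get "$f" dynamic_client_subnet) is accepted as a NAS without a NAS table entry"
        n=$((n + 1))
    fi
    return "$n"
}

# audit_log_conf FILE: count auth_goodpass/auth_badpass = yes lines, which
# make the server write submitted passwords to the log; return value = count.
audit_log_conf() {
    n=$(grep -cE '^[[:space:]]*auth_(good|bad)pass[[:space:]]*=[[:space:]]*yes' "$1" || true)
    n=${n:-0}
    [ "$n" -gt 0 ] && echo "$1: auth_goodpass/auth_badpass = yes logs user passwords ($n setting(s))"
    return "$n"
}

# check_private_file FILE: return 1 if "other" users have any access. Applies to
# local.conf (database passwords) and certs/server.key (EAP-TLS private key);
# the server runs as eltxrad, which should own them with mode 640 or 600.
check_private_file() {
    mode=$(ls -ld "$1" | cut -c1-10)
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "$1 is accessible to other users (mode $mode)"
        return 1
    fi
    return 0
}

# Demonstration on a constructed local.conf carrying the values shown on this
# page (not a real deployment); expect four findings plus a permission warning.
sample=$(mktemp)
cat >"$sample" <<'EOF'
auth_port=1812
db_password="radpass"
wireless_db_password="javapassword"
tls_key_password="1234"
proxy_auth=0
proxy_secret="eltex"
dynamic_clients=false
dynamic_client_subnet=192.168.0.0/16
EOF
chmod 644 "$sample"
audit_local_conf "$sample" || true
check_private_file "$sample" || true
rm -f "$sample"
```

On a live host, run the functions against the real files as root or eltxrad: audit_local_conf /etc/eltex-radius/local.conf, check_private_file /etc/eltex-radius/certs/server.key, and audit_log_conf /etc/eltex-radius/radiusd.conf. A non-zero return value means at least one finding was printed.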
Log rotation
For log rotation using logrotate, create a configuration file (for example /etc/logrotate.d/eltex-radius) such as the following:
/var/log/eltex-radius/radius.log {
    daily
    rotate 31
    create 640 eltxrad eltxrad
    compress
    delaycompress
    notifempty
    missingok
    postrotate
        invoke-rc.d eltex-radius reload >/dev/null 2>&1 || true
    endscript
}
In this example:
daily - rotate the file daily;
rotate 31 - keep the rotated files of the last 31 days;
create 640 eltxrad eltxrad - create the new file with mode 640, owner eltxrad and group eltxrad. This is the account the server runs under, and the mode keeps the log (which contains user names and, with the default log settings, passwords) unreadable to other users;
postrotate - reload the server so that it starts writing to the newly created file.
Check the file with a dry run before relying on it: logrotate -d /etc/logrotate.d/eltex-radius