Description

The service is used to provide AAA mechanisms for Wi-Fi users connected with WPA-enterprise (EAP). Access points provide RADIUS authorization and authentication with the servers, and the servers request client data from a database. RADIUS also performs support functions for user authorization via ESR/BRAS.

The service is installed from the package eltex-radius.

Starting/stopping procedure

To stop the service, the following command is used:

service eltex-radius stop

To start the service after stopping:

service eltex-radius start

To check the service status, use the command:

service eltex-radius status

This will be followed by a message:

eltex-radius start/running, process <pid>

if the service is running or by

eltex-radius stop/waiting

if it is not.

Configuration

Configuration file is located in /etc/eltex-radius. Of all the files, the following ones can be edited:

  • local.conf - basic parameters that may need to be edited
  • certs/server.crt - server certificate used in EAP-TLS
  • certs/server.key - server private key used in EAP-TLS
  • certs/ca/*.pem - root CA certificates (it is recommended to set local.pem name for CA certificate and define it in the local.conf when configuring EAP-TLS)

Start in debugging mode: eltex-radius -X

/etc/eltex-radius/local.conf

Main configuration file. Contains the following parameters:

  • Listened ports configuration:
auth_port=1812
acct_port=1813
inner_tunnel_port=18121
  • Configuring connection to radius database:
# MySQL database
db_host="localhost"
db_port=3306
db_login="radius"
db_password="radpass"
db_name="radius"
  • The option than enables/disables SSID block check. If it is set to 1, users will not be able to log in on SSID blocked via EMS.
ssid_check_enabled=1
  • Configuring connection to wireless database:
# MySQL 'wireless' database
wireless_db_host="localhost"
wireless_db_port=3306
wireless_db_login="javauser"
wireless_db_password="javapassword"
wireless_db_name="wireless"
  • Connection to PCRF:
# PCRF
pcrf_host="127.0.0.1"
pcrf_port=7080
pcrf_enabled=1
  • The name of CA certificate used for TLS authorization and server sertificate key. These parameters will be changed automatically during the running of certificate installation script included into eltex-radius-nbi package.
# EAP
ca_cert_name="local.pem"
tls_key_password="1234
  • Configuring request proxying to another RADIUS server:
proxy_auth=0
proxy_domain_regex="^(.+\.)?enterprise\.root$"
proxy_host="127.0.0.1"
proxy_port=18121
proxy_secret="eltex"
  • Enabling special authorization request processing algorithms for some vendors' devices.
ubi_vendor_regex="Apple|Ubiquiti"
vendor_group_enabled=1
  • Configuring dynamic clients for authorization:
# Settings of runtime NAS discovery
dynamic_clients=false
dynamic_client_subnet=192.168.0.0/16
dynamic_client_lifetime=3600
dynamic_client_rate_limit=false

NAS table

This table is included into radius database and contains addresses of clients (access points) that are allowed to send user authorization requests. If a client is not included into the table, authorization requests will be ignored. When the contents of the table is changed, restart eltex-radius. When EMS object tree is changed (access points are added/removed), the table is updated automatically, and eltex-radius is restarted.

Logging

Server logging can be configured in a section of /etc/eltex-radius/radiusd.conf log file. By default, the section is as follows:

log {
	destination = syslog
	colourise = yes
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = yes
	auth_badpass = yes
	auth_goodpass = yes
	msg_denied = "You are already logged in - access denied"
}


Short description of significant parameters of the section is given below:

Parameter

Description

destination

log destination that can take two values:

  • syslog — the default, processing is done by a system Syslog daemon

  • file — manual logging to a file specified in file parameter|

file

file path that is set by default to ${logdir}/radius.loglogdir = /var/log/eltex-radius thus, a log file is located in /var/log/eltex-radius/radius.log

syslog_facility

facility, a log category for Syslog logging

auth

to log authorization requests, values yes or no are accepted

Log rotation

For log rotation using logrotate, a configuration file should be created, the following is the example:

/etc/logrotate.d/eltex-radius
/var/log/eltex-radius/radius.log {
        daily
        rotate 31
        create 640 eltxrad eltxrad
        compress
        delaycompress
        notifempty
        missingok
        postrotate
                invoke-rc.d eltex-radius reload >/dev/null 2>&1 || true
        endscript
}


For the case considered,

  • daily — rotate files daily;
  • rotate 31 — rotate files for the last 31 days;
  • create 640 eltxrad eltxrad — create a new file with access rights 640, set owner to eltxrad, set group ownership to eltxrad. This is the account the server is running under;
  • postrotate - reload the server to start logging to the created file.


  • Нет меток