Learn about FreeRADIUS

AAA

GovWifi currently has a set of 6 RADIUS servers. These servers control network access using AAA: authentication, authorisation and accounting.

Authentication

  • Runs on port 1812.
  • Requests user details stored in the database via the Authentication API.

Authorisation

  • We do not have different levels of access so this is a NOOP.

Accounting

  • Runs on port 1813.

  • While we don’t block accounting requests, we don’t do anything with them. If an organisation requires accounting, they can enable it on their local infrastructure.

Unlang

FreeRADIUS is configured using a language called Unlang.

We favor keeping all complex functionality in the backend APIs, instead of in Unlang.

This way it is easier to test and change in the future.

FreeRADIUS

FreeRADIUS Server

This is the software installed on our RADIUS servers.

It is open source and can be found on GitHub.

FreeRADIUS server

The RADIUS Healthcheck

The Route53 healthcheck connects to port 3000 on a specific RADIUS machine. For example: http://12.345.678.91:3000/

A Ruby process listens on port 3000. When it receives a request for "/", it automatically runs an eapol_test command, which connects to the Authentication API. The process returns a 200 response if eapol_test receives a successful response.

The configuration for the healthcheck eapol_test can be found on GitHub.

If you need to manually test the healthcheck in a RADIUS Docker container, you can run:

  eapol_test -c /usr/src/healthcheck/peap-mschapv2.conf -s "$HEALTH_CHECK_RADIUS_KEY"
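The healthcheck flow described above, as an added example (not GovWifi's own code): a Ruby listener that runs eapol_test for "GET /" and maps its exit status to an HTTP status. The function names, the 10 second timeout, the 404 for other paths and the 503 on failure are assumptions; the page only specifies port 3000, the config path and a 200 on success.

```ruby
require "open3"
require "socket"

# Path taken from the manual test command on this page.
EAPOL_CONF = "/usr/src/healthcheck/peap-mschapv2.conf"

# argv array form: no shell is involved, so the secret is never word-split or expanded.
def eapol_argv(secret)
  ["eapol_test", "-c", EAPOL_CONF, "-s", secret]
end

# Runs the probe; true only if it exits 0 within timeout_s (assumed value).
def probe_ok?(argv, timeout_s: 10)
  Open3.popen2e(*argv) do |stdin, out, wait|
    stdin.close
    reader = Thread.new { out.read }                # drain output so the child cannot block
    finished = wait.join(timeout_s)
    Process.kill("KILL", wait.pid) unless finished  # a hung probe counts as a failure
    reader.join
    finished ? (wait.value.success? == true) : false
  end
rescue SystemCallError                              # e.g. eapol_test is not installed
  false
end

# Maps a request line to [status, body]. Only "GET /" triggers the probe.
# 503 on failure is an assumption; the page only specifies 200 on success.
def healthcheck_response(request_line, check)
  verb, path, = request_line.to_s.split(" ")
  return [404, "Not Found"] unless verb == "GET" && path == "/"
  check.call ? [200, "OK"] : [503, "Service Unavailable"]
end

def serve(port, secret)
  server = TCPServer.new("0.0.0.0", port)
  loop do
    client = server.accept
    request_line = client.gets
    nil while (line = client.gets) && line != "\r\n"  # discard request headers
    status, body = healthcheck_response(request_line, -> { probe_ok?(eapol_argv(secret)) })
    client.write("HTTP/1.1 #{status} #{body}\r\nContent-Length: #{body.bytesize}\r\n" \
                 "Connection: close\r\n\r\n#{body}")
    client.close
  end
end

# Start with: HEALTH_CHECK_RADIUS_KEY=... ruby healthcheck.rb serve
serve(3000, ENV.fetch("HEALTH_CHECK_RADIUS_KEY")) if ARGV.first == "serve"
```

Because Route53 treats only 2xx and 3xx responses as healthy, a timed-out or missing eapol_test reports as unhealthy here rather than hanging the check.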

The secret can also be found by logging in as a GovWifi administrator (for staging you would log in here), switching to the GDS CTS organisation, then selecting “Locations” and scrolling to “Health check user”.

It should also be noted that the last login of the health check user is no longer recorded in the User database.

The failure of the health check does not actually trigger a new RADIUS Docker container to be spawned. It only sends a notification email to govwifi-devops@digital.cabinet-office.gov.uk.

You can learn more about the healthcheck here.

This page was last reviewed on 10 January 2021. It needs to be reviewed again on 10 July 2021 by the page owner #govwifi.