
GovWifi’s FreeRADIUS Implementation

GovWifi operates six FreeRADIUS servers, hosted on AWS.

The FreeRADIUS servers operated by the GovWifi team control network access with AAA authentication.

Exchange with Supplicant

Authentication

Authentication requests are received on the default port, 1812.

User details are checked against the GovWifi users database via the FreeRADIUS REST module, which communicates with the GovWifi Authentication API.

Authorisation

GovWifi authenticates users seeking to access WiFi networks operated by host organisations which have adopted the GovWifi service. It is not used to authorise users’ access to particular network services (though FreeRADIUS can be used for this).

The processing sections concerned with authorisation (distinct from the ‘authorize’ processing section, see above) are configured to carry out no operations in the GovWifi FreeRADIUS configuration.

Accounting

Traffic on port 1813 isn’t routed through to FreeRADIUS.

Unlang

FreeRADIUS is configured using a language called Unlang.

We favor keeping all complex functionality in the backend APIs, instead of in Unlang.

This way it is easier to test and change in the future.

FreeRADIUS

FreeRADIUS Server

This is the software installed on our RADIUS servers.

It is open source and can be found on GitHub.

FreeRADIUS server

The frontend health check

Within the frontend task, a Ruby process listens on port 3000. When it receives a request for "/", it runs eapol_test, which replicates the requests that come from deployments of GovWifi. This includes connecting to the Authentication and Logging APIs.
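
A minimal sketch of a health check of this shape, added here as an illustration and not taken from GovWifi's code. The config path, RADIUS host, shared secret, response bodies and all helper names are assumptions.

```ruby
require "open3"
require "socket"

# Assumed settings for this sketch; none are taken from the GovWifi code base.
EAPOL_CONF    = ENV.fetch("EAPOL_CONF", "/tmp/healthcheck-peap.conf")
RADIUS_HOST   = ENV.fetch("RADIUS_HOST", "127.0.0.1")
RADIUS_SECRET = ENV.fetch("RADIUS_SECRET", "constructed-test-secret")

# Built as an argv array, never a shell string, so no value is shell-interpreted.
# -p 1812 is the authentication port; -t bounds how long eapol_test waits.
def eapol_command
  ["eapol_test", "-c", EAPOL_CONF, "-a", RADIUS_HOST, "-p", "1812",
   "-s", RADIUS_SECRET, "-t", "5"]
end

# Default runner: returns [combined output, exited with status 0?].
RUN_EAPOL = lambda do |argv|
  out, status = Open3.capture2e(*argv)
  [out, status.success?]
end

# 200 only when eapol_test exits 0 and its final line is SUCCESS.
def health_status(runner = RUN_EAPOL)
  out, ok = runner.call(eapol_command)
  (ok && out.lines.last.to_s.strip == "SUCCESS") ? 200 : 503
rescue SystemCallError # e.g. the eapol_test binary is missing
  503
end

# Route a request path; eapol_test's debug output is never echoed to the caller.
def respond(path, runner = RUN_EAPOL)
  return [404, "not found"] unless path == "/"
  code = health_status(runner)
  [code, code == 200 ? "healthy" : "unhealthy"]
end

def serve(port = 3000)
  server = TCPServer.new("0.0.0.0", port)
  loop do
    client = server.accept
    code, body = respond(client.gets.to_s.split[1])
    client.write("HTTP/1.1 #{code} #{code == 200 ? 'OK' : 'Error'}\r\n" \
                 "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
    client.close
  end
end

serve if ARGV.first == "serve" # start the listener only when asked to
```

Because the check performs a full authentication, a failure in FreeRADIUS or in a backend API it depends on surfaces as a 503 rather than as a healthy listener with broken authentication behind it.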

Learn More

See the ‘Learn about FreeRADIUS’ page for more information on how FreeRADIUS works and how to configure it.

This page was last reviewed on 19 August 2022. It needs to be reviewed again on 19 February 2023 by the page owner #govwifi.