Learn about FreeRADIUS
GovWifi currently has a set of 6 RADIUS servers. These servers control network access with AAA authentication.
Authentication
- Runs on port 1812.
- Requests user details stored in the database via the Authentication API.
Authorisation
- We do not have different levels of access, so this is a NOOP.
Accounting
- Runs on port 1813.
While we don’t block accounting requests, we don’t do anything with them. If an organisation requires accounting, they can enable it on their local infrastructure.
FreeRADIUS is configured using a language called Unlang.
We favor keeping all complex functionality in the backend APIs, instead of in Unlang.
This way it is easier to test and change in the future.
FreeRADIUS is the software installed on our RADIUS servers.
It is open source and can be found on GitHub.
The RADIUS Healthcheck
The Route53 healthcheck connects to port 3000 on a specific RADIUS machine. For example:
A Ruby process listens on port 3000. When it receives a request for "/", it automatically runs an eapol_test command, which connects to the Authentication API. The process returns a 200 response if a successful response is received.
The configuration for the healthcheck eapol_test can be found on GitHub.
If you need to manually test the healthcheck in a RADIUS Docker container, you can run:
eapol_test -c /usr/src/healthcheck/peap-mschapv2.conf -s "$HEALTH_CHECK_RADIUS_KEY"
The secret can also be found by logging in as a GovWifi administrator (for staging you would log in here), switching to the GDS CTS organisation, then selecting “Locations” and scrolling to “Health check user”.
It should also be noted that the last login of the health check user is no longer recorded in the User database.
The failure of the health check does not actually trigger a new RADIUS Docker container to be spawned. It only sends a notification email to firstname.lastname@example.org.
You can learn more about the healthcheck here.
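The healthcheck flow described above, as an added example that is not GovWifi's own code: a handler maps a request for "/" to an HTTP status by running eapol_test without a shell, and never returns the tool's output to the caller. The 404, 500 and 503 statuses, the 10-second timeout and the function names are assumptions; the config path and environment variable are the ones used in the manual test command.

```ruby
require "open3"

# Path taken from the manual test command on this page.
CONFIG = "/usr/src/healthcheck/peap-mschapv2.conf"
TIMEOUT_SECONDS = 10 # assumed value for this example

# Runs eapol_test with an argv array (no shell), so the shared secret is
# never word-split, glob-expanded or interpreted by a shell.
# Returns [combined_output, exited_successfully].
def run_eapol_test(secret)
  Open3.popen2e("eapol_test", "-c", CONFIG, "-s", secret) do |stdin, out, waiter|
    stdin.close
    # Drain output in a thread so a verbose run cannot block on a full pipe.
    reader = Thread.new { out.read }
    unless waiter.join(TIMEOUT_SECONDS)
      Process.kill("KILL", waiter.pid) # a hung test must not pile up processes
      reader.join
      next ["", false]
    end
    [reader.value, waiter.value.success?]
  end
end

# Maps a request path to an HTTP status code. Only the status leaves this
# function: eapol_test output can contain credentials and key material, so it
# is never echoed back to whoever calls the healthcheck port.
# `env` and `runner` are injectable so the logic can be tested offline.
def healthcheck_status(path, env: ENV, runner: method(:run_eapol_test))
  return 404 unless path == "/"            # assumed: other paths are rejected
  secret = env["HEALTH_CHECK_RADIUS_KEY"].to_s
  return 500 if secret.empty?              # assumed: misconfiguration is a 500
  output, ok = runner.call(secret)
  # eapol_test prints SUCCESS or FAILURE as its final line.
  (ok && output.lines.last.to_s.strip == "SUCCESS") ? 200 : 503
rescue SystemCallError                      # e.g. eapol_test binary missing
  503
end
```
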