Learn about FreeRADIUS
GovWifi currently has a set of six RADIUS servers. These servers control network access with AAA authentication.
- Runs on port 1812.
- Requests user details stored in the database via the Authentication API.
- We do not have different levels of access so this is a NOOP.
- Runs on port 1813. Although port 1813 is open and running, GovWifi does not perform any accounting.
- We don’t block accounting requests, but we don’t do anything with them; instead our configuration returns a NOOP. If an organisation requires accounting, they can enable it on their local infrastructure.
FreeRADIUS is configured using a language called Unlang.
We favor keeping all complex functionality in the backend APIs, instead of in Unlang.
This way it is easier to test and change in the future.
This is the software installed on our RADIUS servers.
It is open source and can be found on GitHub.
The RADIUS Healthcheck
The Route53 healthcheck connects to port 3000 on a specific FreeRADIUS server. For example:
A Ruby process listens on port 3000. When it receives a request for "/", it automatically runs an eapol_test command, which then connects to the Authentication API and returns a 200 response if a successful response is received.
The configuration for the healthcheck eapol_test can be found on GitHub.
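The listener described above can be sketched as follows. This is an added example, not the GovWifi healthcheck code: the config path and HEALTH_CHECK_RADIUS_KEY come from the manual test command on this page, while the 503 and 404 responses, the 10 second limit and all function names are assumptions of the example.

```ruby
require "socket"
require "timeout"

# Config path and secret variable are taken from the manual test command on this page.
CONF = "/usr/src/healthcheck/peap-mschapv2.conf"
REASON = { 200 => "OK", 404 => "Not Found", 503 => "Service Unavailable" }.freeze

# Runs eapol_test with an argv list (no shell), discards its output, and
# kills it if it exceeds the time limit. True only on exit status 0.
EAPOL_RUNNER = lambda do |limit|
  secret = ENV.fetch("HEALTH_CHECK_RADIUS_KEY")
  pid = Process.spawn("eapol_test", "-c", CONF, "-s", secret,
                      out: File::NULL, err: File::NULL)
  begin
    Timeout.timeout(limit) { Process.wait2(pid).last.success? }
  rescue Timeout::Error
    Process.kill("KILL", pid)
    Process.wait(pid)
    false
  end
end

# 200 only when the probe succeeds. A failed probe, a missing secret or a
# missing binary all yield 503 (the failure code is this example's assumption).
def health_status(runner = EAPOL_RUNNER, limit: 10)
  runner.call(limit) ? 200 : 503
rescue StandardError
  503
end

# Only "GET /" triggers the probe; anything else is answered with 404.
def respond(request_line, runner = EAPOL_RUNNER)
  verb, path = request_line.to_s.split
  return 404 unless verb == "GET" && path == "/"
  health_status(runner)
end

# Serial accept loop: one probe at a time, empty body, nothing from eapol_test is echoed.
def serve(port = 3000)
  server = TCPServer.new(port)
  loop do
    client = server.accept
    code = respond(client.gets)
    client.write("HTTP/1.1 #{code} #{REASON[code]}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    client.close
  end
end

serve if ARGV.first == "serve"
```

Start it with the argument serve to listen on port 3000; without that argument the file only defines the functions.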
If you need to manually test the healthcheck in a RADIUS Docker container, you can run:
eapol_test -c /usr/src/healthcheck/peap-mschapv2.conf -s "$HEALTH_CHECK_RADIUS_KEY"
The secret can also be found by logging in as a GovWifi administrator (for staging you would log in here), switching to the GDS CTS organisation, then selecting “Locations” and scrolling to “Health check user”.
It should also be noted that the last login of the health check user is no longer recorded in the User database.
The failure of the health check does not actually trigger a new RADIUS Docker container to be spawned. It only sends a notification email to email@example.com.
You can learn more about the healthcheck here.