GovWifi’s FreeRADIUS Implementation
GovWifi operates six FreeRADIUS servers, hosted on AWS.
The FreeRADIUS servers operated by the GovWifi team control network access with AAA authentication.
Authentication requests are received on the default port, 1812.
User details are checked against the GovWifi users database via the FreeRADIUS REST module, which communicates with the GovWifi Authentication API.
GovWifi authenticates users seeking to access WiFi networks operated by host organisations which have adopted the GovWifi service. It is not used to authorise users’ access to particular network services (though FreeRADIUS can be used for this).
The processing sections concerned with authorisation (distinct from the ‘authorize’ processing section, see above) are configured to carry out no operations in the GovWifi FreeRADIUS configuration.
Traffic on port 1813 isn’t routed through to FreeRADIUS.
FreeRADIUS is configured using a language called Unlang.
We favor keeping all complex functionality in the backend APIs, instead of in Unlang.
This way it is easier to test and change in the future.
This is the software installed on our RADIUS servers.
It is open source and can be found on Github.
The frontend health check
Within the frontend task, a Ruby process listens on port
it receives a request for
"/", it runs
eapol_test), which replicates the requests that
come from deployments of GovWifi. This includes connecting to the
Authentication and Logging APIs.
See the ‘Learn about FreeRADIUS’ page for more information on how FreeRADIUS works and how to configure it.