WiFi: Testing ITried RADIUS as a service using a captive portal on an SD-WAN edge
ITried has just launched RADIUS as a service, as seen in this interview with Aki Anastasiou:
I use Reyee access points in the house that are not enterprise-grade, so they cannot do WiFi RADIUS (802.1X) authentication themselves; I therefore decided to use a captive portal instead. This is how it's configured, and it will work with basically any WiFi hardware:
First fire up a container on the SD-WAN edge:
The container will have two interfaces: one to the LAN via a bridge, the other to the WiFi VLAN using a MACVLAN. The SSID on the WiFi can be open, since access to the Internet is gated by the captive portal rather than by the wireless encryption.
Install the pre-requisites and software:
sudo apt-get install build-essential libssl-dev libjson-c-dev gengetopt devscripts debhelper
wget https://github.com/coova/coova-chilli/archive/refs/tags/1.6.tar.gz
tar -xzvf 1.6.tar.gz
cd coova-chilli-1.6
debuild -i -us -uc -b
cd ..
sudo dpkg --install ./coova-chilli_1.6_amd64.deb
sudo nano /etc/default/chilli
START_CHILLI=1
CONFFILE="/etc/chilli.conf"
HS_USER="chilli"
sudo systemctl enable chilli
Modify the following files:
# /etc/chilli/config
HS_LOC_NAME="Dias Crescent"
HS_WANIF=host0                  # WAN Interface toward the Internet
HS_LANIF=mv-br0.200             # Subscriber Interface for client devices
HS_NETWORK=192.168.254.0        # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0        # HotSpot Network Netmask
HS_UAMLISTEN=192.168.254.254    # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990                 # HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4990               # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
HS_NASID=diascr
HS_UAMSECRET=fusion             # Set to be your UAM secret
HS_UAMALIASNAME=chilli
HS_NASIP=154.88.88.88           # To explicitly set NAS-IP-Address
HS_UAMSERVER=$HS_UAMLISTEN
HS_MACAUTH=on                   # To turn on MAC Authentication
HS_TCP_PORTS="80 23 8000"
HS_MODE=hotspot
HS_TYPE=chillispot
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=https://www.coova.org/
HS_COAPORT=3799
HS_DNS1=192.168.88.254
HS_DNS2=192.168.88.254
HS_RADIUS=radius_01.example.com   # ITried RADIUS server
HS_RADIUS2=radius_01.example.com  # ITried RADIUS server
HS_UAMDOMAINS="amastelek.com fusionsdwan.co.za googleapis.com absa.co.za"
HS_RADSECRET=fusion             # Set to be your RADIUS shared secret
HS_RADAUTH=31106                # ITried RADIUS authentication port
HS_RADACCT=30357                # ITried RADIUS accounting port
HS_AAA="radius"
HS_UAMALLOW=192.168.88.254      # Allow DNS access
# /etc/chilli/ipup.sh
# UAM server specified as 192.168.254.254
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 80 --dst 192.168.254.254 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 443 --dst 192.168.254.254 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 22 --dst 192.168.254.254 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 8000 --dst 192.168.254.254 -j ACCEPT
# force-add the final rule necessary to fix routing tables (Enabling NAT)
iptables -F POSTROUTING -t nat
iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
# /etc/chilli/ipdown.sh
# UAM server specified as 192.168.254.254 (mirror of the rules added in ipup.sh)
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 80 --dst 192.168.254.254 -j ACCEPT
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 443 --dst 192.168.254.254 -j ACCEPT
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 22 --dst 192.168.254.254 -j ACCEPT
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 8000 --dst 192.168.254.254 -j ACCEPT
# remove the NAT rule that ipup.sh inserted
iptables -D POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
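Before starting the service it is worth sanity-checking the config, because chilli fails in unhelpful ways when HS_UAMLISTEN is outside HS_NETWORK, and because the example secrets above (fusion) are exactly the kind of value that gets left in production. The checker below is an added example written for this post; it is not part of CoovaChilli, ITried or the original article. It assumes the shell-style KEY=VALUE layout shown above, and the thresholds (16-character minimum, the placeholder list, the "RADIUS2 equals RADIUS" rule) are my own choices. The sample config is constructed from the values in the post.

```python
"""Sanity-check a CoovaChilli /etc/chilli/config before `service chilli start`.

Added example, not CoovaChilli's or ITried's own tooling. Assumes the
KEY=VALUE layout used in the post; the checks and thresholds are mine.
"""
import ipaddress
import re

# Values that show up in public examples and should never survive into production
# (constructed list, illustrative only).
PLACEHOLDER_SECRETS = {"fusion", "testing123", "secret", "changeme", "password"}

_KV = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


def parse_chilli_config(text):
    """Parse KEY=VALUE lines: drop trailing # comments, strip quotes, resolve $HS_X refs."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        # The post uses HS_UAMSERVER=$HS_UAMLISTEN; resolve that one form of substitution.
        if value.startswith("$") and value[1:] in conf:
            value = conf[value[1:]]
        conf[key] = value
    return conf


def check_chilli_config(conf):
    """Return a list of findings (empty list means every check passed)."""
    findings = []
    net = None

    # 1. chilli requires HS_UAMLISTEN to lie inside HS_NETWORK/HS_NETMASK.
    try:
        net = ipaddress.ip_network(f"{conf['HS_NETWORK']}/{conf['HS_NETMASK']}", strict=True)
        listen = ipaddress.ip_address(conf["HS_UAMLISTEN"])
        if listen not in net:
            findings.append(f"HS_UAMLISTEN {listen} is outside HS_NETWORK {net}")
    except (KeyError, ValueError) as exc:
        findings.append(f"hotspot network settings missing or invalid: {exc}")

    # 2. The WAN and subscriber interfaces must differ, or NAT in ipup.sh makes no sense.
    if conf.get("HS_WANIF") and conf.get("HS_WANIF") == conf.get("HS_LANIF"):
        findings.append("HS_WANIF and HS_LANIF are the same interface")

    # 3. Shared secrets: both the UAM secret (portal <-> chilli) and the RADIUS secret
    #    (chilli <-> ITried) must be set, non-placeholder and reasonably long.
    for key in ("HS_UAMSECRET", "HS_RADSECRET"):
        secret = conf.get(key, "")
        if not secret:
            findings.append(f"{key} is not set")
        elif secret.lower() in PLACEHOLDER_SECRETS or len(secret) < 16:
            findings.append(f"{key} is a placeholder value or shorter than 16 characters")

    # 4. RADIUS server and ports. A second server identical to the first gives no failover.
    if not conf.get("HS_RADIUS"):
        findings.append("HS_RADIUS is not set")
    elif conf.get("HS_RADIUS2") == conf["HS_RADIUS"]:
        findings.append("HS_RADIUS2 is identical to HS_RADIUS, so there is no failover")
    for key in ("HS_RADAUTH", "HS_RADACCT"):
        port = conf.get(key, "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"{key} is not a valid UDP port")

    # 5. Pre-auth clients must be able to resolve the portal's name: the post allows the
    #    DNS server via HS_UAMALLOW, so require each HS_DNS* address to be allowed that
    #    way or to sit inside the hotspot network itself.
    allowed = set(conf.get("HS_UAMALLOW", "").split())
    for key in ("HS_DNS1", "HS_DNS2"):
        dns = conf.get(key)
        if not dns:
            continue
        try:
            inside = net is not None and ipaddress.ip_address(dns) in net
        except ValueError:
            findings.append(f"{key} {dns!r} is not an IP address")
            continue
        if dns not in allowed and not inside:
            findings.append(f"{key} {dns} is reachable neither via HS_UAMALLOW nor the hotspot network")
    return findings


# Constructed sample, taken from the values shown in the post.
SAMPLE_CONFIG = """
HS_WANIF=host0                  # WAN Interface toward the Internet
HS_LANIF=mv-br0.200             # Subscriber Interface for client devices
HS_NETWORK=192.168.254.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=192.168.254.254
HS_UAMSECRET=fusion             # Set to be your UAM secret
HS_UAMSERVER=$HS_UAMLISTEN
HS_DNS1=192.168.88.254
HS_DNS2=192.168.88.254
HS_RADIUS=radius_01.example.com   # ITried RADIUS server
HS_RADIUS2=radius_01.example.com  # ITried RADIUS server
HS_UAMDOMAINS="amastelek.com fusionsdwan.co.za googleapis.com absa.co.za"
HS_RADSECRET=fusion
HS_RADAUTH=31106
HS_RADACCT=30357
HS_UAMALLOW=192.168.88.254      # Allow DNS access
"""

if __name__ == "__main__":
    for finding in check_chilli_config(parse_chilli_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the post's own values the checker reports the two placeholder secrets and the duplicated RADIUS server; the network, interface, port and DNS checks pass. Drop it into the container and run it from the same shell you use for `service chilli start`.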
Now kick the tyres:
sudo service chilli stop
sudo service chilli start
sudo service chilli status
If you have followed the instructions the service should show as active; if not, debug it from the status output and the chilli logs. You can now join the WiFi SSID and, after authenticating through the portal against ITried RADIUS as a service, you are granted Internet access!
*Ronald works connecting Internet inhabiting things at Fusion Broadband.