Applies to Platform: UTM 2.4, UTM 2.5
Updated on: 20th of November 2012
This article explains how to use the Endian Hotspot RADIUS Server to authenticate HTTP Proxy users. This setup can prove useful because you can manage the users directly from the Endian GUI instead of setting up an external RADIUS Server with a front-end.
Enable the Web Proxy
The first step is to enable the HTTP Proxy. Go to Menubar > Proxy > HTTP and click on the grey switch (which will turn green when enabled). Then, set the operational mode for each zone that should be filtered to not transparent, as this is the only mode supported with authentication.
Configure Proxy Authentication
The next step is to configure the authentication method of the web proxy, which requires connecting the HTTP Proxy to the integrated Endian RADIUS server. Go to the Authentication tab and supply the following required information:
- The Authentication Realm. You can use a string like Web Authentication.
- The RADIUS server IP Address, which is 127.0.0.1 for the integrated RADIUS server.
- The RADIUS server port, 1812.
- The Identifier, localhost.
- The shared secret, which you must copy from Menubar > Hotspot > Hotspot password.
Click on Save and then on Apply the changes to proceed.
You need to define a time-based rate and associate a ticket with that rate to a user. Creating a rate is mandatory because RADIUS needs a ticket associated with a user; otherwise it rejects access for that user. Hence, from the hotspot administration interface, go to Tickets > Rates > Add Rate to open the ticket rate editor and supply the following data:
- A Rate Name to identify the ticket.
- A Ticket Code.
- The Payment mode, which should be Post-Paid.
- The measuring mode, Time-Based.
Create User Account
After creating a ticket rate, proceed to create a new user account, then associate a ticket with that user. From the Hotspot Administration Interface, go to Accounts > List > Add Account to open the account editor, in which you should provide the following mandatory data:
- A (unique) Username to identify the user.
- A Password for the account.
- Associate to the user a ticket, using the drop-down menu on the right-hand side.
- Mark the user as Active.
- (Optional) You can add the account information.
Click on Save when you have finished.
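To check the RADIUS side independently of the browser, the following added example (not part of the original article or of Endian's software) builds an RFC 2865 Access-Request with the values from the Configure Proxy Authentication step: 127.0.0.1, port 1812, identifier localhost and the hotspot shared secret. It assumes Python 3 on a host the RADIUS server accepts as a client and that the server answers plain User-Password (PAP) requests; all function names are illustrative.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(1, (len(password) + 15) // 16) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, identifier="localhost",
                         pkt_id=1, authenticator=None) -> bytes:
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IDENTIFIER, identifier.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    return header + authenticator + attrs

def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def check_login(user, password, secret, host="127.0.0.1", port=1812, timeout=3.0) -> bool:
    """True on Access-Accept; raises if the reply fails the shared-secret check."""
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        response, _ = s.recvfrom(4096)
    if not response_is_authentic(request, response, secret):
        raise ValueError("response authenticator mismatch (wrong shared secret?)")
    return response[0] == ACCESS_ACCEPT
```

Call check_login("username", "password", b"shared secret") with an account created above; a timeout usually means the server silently dropped the request, which is what RADIUS servers do when the client or shared secret is not accepted.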
Disable the Captive Portal coova-chilli (optional)
If you want to run the HTTP Proxy with RADIUS authentication (instead of the default hotspot authentication) on the BLUE zone, you have to disable coova-chilli. By default, the coova-chilli captive portal intercepts all the traffic running through the BLUE interface and would interfere with the HTTP Proxy+RADIUS setup. It is therefore necessary to disable the captive portal at startup. To do so, log in to your Endian UTM Appliance and stop chilli:
root@endian:~# monit stop chilli
Then, edit the /var/efw/inithooks/start.local file. If it is empty, copy and paste both of the following lines. If it already exists and is not empty, copy only the second line and paste it at the bottom of the file:
Finally, make sure that the file is executable:
root@endian:~# chmod 755 /var/efw/inithooks/start.local
Client Connection to the Proxy
Once the whole setup has been completed, users can start connecting to the proxy to access the Internet. When they connect, a pop-up window will appear, in which users should insert their username and password.