
HTTP Proxy - Authentication (internal RADIUS)

Applies to Platform: UTM 2.4, UTM 2.5
Updated on: 20th of November 2012

Warning!

This lesson should be considered as a workaround and not as a standard practice! Proceed with care.

This article explains how to use the Endian Hotspot Radius Server to authenticate the HTTP Proxy users. This set up can prove useful because you can manage the users directly from the Endian GUI instead of setting up an external RADIUS Server with a front-end.

Note

If you want to run this configuration on the BLUE interface, remember to disable the captive portal (see the section "Disable the Captive Portal coova-chilli" below).

Enable the Web Proxy

The first step is to enable the HTTP Proxy. Go to Menubar > Proxy > HTTP and click on the grey switch (which will turn green when enabled). Then, set the operational mode for each zone that should be filtered to not transparent, as this is the only one supported with authentication.

[Screenshot: media_1301348839683.png]

Configure Proxy Authentication

The next step is to configure the authentication method of the web proxy, which means connecting the HTTP Proxy to the integrated Endian RADIUS server. Go to the Authentication tab and supply the following required information:

  1. The Authentication Realm. You can use a string like Web Authentication.
  2. The RADIUS server IP Address, which is 127.0.0.1 for the integrated RADIUS server.
  3. The RADIUS server port, 1812.
  4. The Identifier, localhost.
  5. The shared secret, that you must copy from Menubar > Hotspot > Hotspot password.

[Screenshot: radius-conf.png]

Click on Save and then on Apply the changes to proceed.

Note

On the Endian UTM Appliances you can also find the RADIUS shared secret in the file /etc/chilli/chilli.conf.

Create Ticket

You need to define a time-based rate and associate a ticket with that rate to a user. Creating a rate is mandatory, because RADIUS requires a ticket to be associated with the user and otherwise rejects the user's access. Hence, from the hotspot administration interface, go to Tickets > Rates > Add Rate to open the ticket rate editor and supply the following data:

  1. A Rate Name to identify the ticket.
  2. A Ticket Code.
  3. The Payment mode, which should be Post-Paid.
  4. The measuring mode, Time-Based.

[Screenshot: ticket-hotspot.png]

Click on Save when you are done.

Create User Account

After the creation of a ticket rate, proceed to create a new user account, then associate a ticket to her/him. From the Hotspot Administration Interface, go to Accounts > List > Add Account to open the account editor, in which you should provide the following mandatory data:

  1. A (unique) Username to identify the user.
  2. A Password for the account.
  3. Associate to the user a ticket, using the drop-down menu on the right-hand side.
  4. Mark the user as Active.
  5. (Optional) You can add the account information.

[Screenshot: user-creation.png]
Click on Save when you have finished.

Disable the Captive Portal coova-chilli (optional)

Warning

You must disable the captive portal only if you want to run the HTTP Proxy auth+RADIUS on the blue interface.

If you want to run the HTTP Proxy with RADIUS authentication (instead of the default hotspot authentication) on the BLUE zone, you have to disable coova-chilli. By default, the coova-chilli captive portal intercepts all the traffic passing through the BLUE interface and would interfere with the HTTP Proxy+RADIUS setup. It is therefore necessary to disable the captive portal at startup. To do so, log in to the shell of your Endian UTM Appliance and stop chilli:

root@endian:~# monit stop chilli

Then, edit the /var/efw/inithooks/start.local file. If it is empty, copy and paste both of the following lines. If it already exists and is not empty, copy only the second line and paste it at the bottom of the file:

#!/bin/sh
/etc/init.d/chilli stop

Finally, make sure that the file is executable:

root@endian:~# chmod 755 /var/efw/inithooks/start.local
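The steps above can be made repeatable with a small hook installer, shown here as an added example that is not Endian's own code: it creates start.local with the shebang when the file is missing or empty, appends the chilli stop line only if it is not already there (so running it twice does not duplicate the line), and sets the permissions. The function names and the check function are assumptions; the file paths are the ones from this article.

```shell
#!/bin/sh
# Added example, not part of the Endian documentation or product.
# Paths below are those named in the article (assumed unchanged on your box).
HOOK_FILE="${HOOK_FILE:-/var/efw/inithooks/start.local}"
STOP_LINE="/etc/init.d/chilli stop"

# install_chilli_stop_hook FILE
# Idempotently ensures FILE is an executable sh script that stops chilli.
install_chilli_stop_hook() {
    file="$1"
    # Missing or empty file: start it as a shell script (first line of the article).
    if [ ! -s "$file" ]; then
        printf '#!/bin/sh\n' > "$file" || return 1
    fi
    # Existing file without a trailing newline: add one so we do not glue lines.
    if [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file" || return 1
    fi
    # Append the stop line only when it is not already present (exact match).
    if ! grep -qxF "$STOP_LINE" "$file"; then
        printf '%s\n' "$STOP_LINE" >> "$file" || return 1
    fi
    chmod 755 "$file"
}

# verify_chilli_stop_hook FILE
# Returns 0 only if FILE is executable, starts with the sh shebang and
# contains the chilli stop line; use it to confirm the workaround survived.
verify_chilli_stop_hook() {
    file="$1"
    [ -x "$file" ] \
        && head -n 1 "$file" | grep -q '^#!/bin/sh' \
        && grep -qxF "$STOP_LINE" "$file"
}

# Apply to the real hook file only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    install_chilli_stop_hook "$HOOK_FILE" && verify_chilli_stop_hook "$HOOK_FILE"
fi
```

Run it with `--apply` on the appliance after `monit stop chilli`; without arguments it only defines the functions.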

Client Connection to the Proxy

Once the whole setup has been completed, users can start connecting to the proxy to access the Internet. When they connect, a pop-up window will appear, in which users should insert their username and password.
