Follow

HTTP Proxy With Internal RADIUS Authentication

Versions 3.0 & 5.0

Applies to Platform: UTM 3.0, UTM 5.0
Updated on: 25th of May 2018

Warning!

This lesson should be considered as a workaround and not as a standard practice! Proceed with care.

This article explains how to use the Endian Hotspot Radius Server to authenticate the HTTP Proxy users. This set up can prove useful because you can manage the users directly from the Endian GUI instead of setting up an external RADIUS Server with a front-end. 

If you have a 2.5 version, please follow this article.

Note

If you want to run this configuration on the BLUE interface, remember to disable the captive portal (see the section "Disable the Captive Portal coova-chilli" below).

Enable the Web Proxy

The first step is to enable the HTTP Proxy. Go to Menubar > Proxy > HTTP and click on the grey switch (which will turn green after the HTTP proxy has been started). Then, set the operational mode for each zone that should use authentication to not transparent, as this is the only one supported with authentication. In our example, we use the authentication only on the GREEN zone.

webproxy01.png

Configure Proxy Authentication

The next step is to configure the authentication method of the web proxy, which requires connecting the HTTP Proxy to the integrated Endian RADIUS server. Go to the Authentication tab (Menubar > Proxy > Http > Authentication) and select Radius in the drop-down menu Choose Authentication Method, then supply the following, necessary information:

  1. The Authentication Realm. You can use a string like Web Authentication.
  2. The RADIUS server IP Address, which is 127.0.0.1 for the integrated RADIUS server.
  3. The RADIUS server port, 1812.
  4. The Identifier, localhost.
  5. The shared secret, which is a string that you must copy from Menubar > Hotspot > Hotspot password.

radius01.png

Click on Save and then on Apply the changes to proceed.

Note

On the Endian UTM Appliances you can find the radius shared-secret also in file /etc/chilli/chilli.conf, along the configuration option radiussecret, like in the following example:
radiussecret QqzUjTRYI5QE7V10KhSxfv2t7

Create Ticket

It is mandatory to create a rate and associate it to a user, because RADIUS rejects the authentication, and therefore the access to the proxy of users without an assigned ticket. Hence, you need to define a time-based rate and associate a ticket with that rate to the user. From the hotspot administration interface, go to Tickets > Rates > Add Rate to open the ticket rate editor and supply the following data:

  1. A Rate Name to identify the ticket. We use free-post in the example.
  2. A Ticket Code. This can be any value (we use 123), and is mandatory even if it is used only by the ASA hotel management system.
  3. The Payment mode, which should be Post-Paid.
  4. The measuring mode, Time-Based.

ticket.png

Click on Save when you are done.

Create User Account

After the creation of a ticket rate, proceed to create a new account, then associate a ticket to that user. From the Hotspot Administration Interface, go to Accounts > List > Add Account to open the account editor, in which you should provide the following mandatory data:

  1. A (unique) Username. to identify the user.
  2. A Password for the account.
  3. Associate to the user a ticket, using the drop-down menu on the right-hand side of the interface, in the Ticket panel.
  4. Make sure the user is marked as Active.
  5. (Optional) You can add the account information.

user.png

Click on Save when you have finished.

Disable the Captive Portal coova-chilli (optional)

Warning

You must disable the chilli captive portal only if you want to run the HTTP Proxy authentication with RADIUS on the BLUE interface.

The coova-chilla captive portal by default intercepts all the traffic running through the BLUE interface and would interfere with the HTTP Proxy+RADIUS setup. Therefore, if you want that hosts in the BLUE zone use the RADIUS authentication, you must permanently disable chilli from starting. To do so, enter your Endian UTM Appliance and stop chilli:

root@endian:~# monit stop chilli

Then, edit the /var/efw/inithooks/start.local file. If it is empty, copy and paste both of the following lines. If it already exists and is not empy, copy only the second line and paste it at the bottom of the file:

#!/bin/sh
/etc/init.d/chilli stop

Finally, make sure that the file is executable:

root@endian:~# chmod 755 /var/efw/inithooks/start.local

This file will be included in the backups and will be restored if you import a backup after you reinstall the system. It will also be preserved in case of packages upgrade.

Client Connection to the Proxy

Once the whole setup has been completed, users can start connecting to the proxy to access the Internet. When they connect, a pop-up window will appear, in which users should insert their username and password.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments