Applies to Platform: UTM 3.0, UTM 5.0
Updated on: 25th of May 2018
This article explains how to use the Endian Hotspot RADIUS Server to authenticate the HTTP Proxy users. This setup can prove useful because you can manage the users directly from the Endian GUI instead of setting up an external RADIUS Server with a front-end.
If you have a 2.5 version, please follow this article.
Enable the Web Proxy
The first step is to enable the HTTP Proxy. Go to Menubar > Proxy > HTTP and click on the grey switch (which will turn green after the HTTP proxy has been started). Then, set the operational mode for each zone that should use authentication to not transparent, as this is the only one supported with authentication. In our example, we use the authentication only on the GREEN zone.
Configure Proxy Authentication
The next step is to configure the authentication method of the web proxy, which requires connecting the HTTP Proxy to the integrated Endian RADIUS server. Go to the Authentication tab (Menubar > Proxy > HTTP > Authentication) and select Radius in the drop-down menu Choose Authentication Method, then supply the following required information:
- The Authentication Realm. You can use a string like Web Authentication.
- The RADIUS server IP Address, which is 127.0.0.1 for the integrated RADIUS server.
- The RADIUS server port, 1812.
- The Identifier, localhost.
- The shared secret, which is a string that you must copy from Menubar > Hotspot > Hotspot password.
Click on Save and then on Apply the changes to proceed.
It is mandatory to create a rate and associate it with a user, because RADIUS rejects the authentication of users without an assigned ticket and therefore denies them access to the proxy. Hence, you need to define a time-based rate and associate a ticket with that rate to the user. From the hotspot administration interface, go to Tickets > Rates > Add Rate to open the ticket rate editor and supply the following data:
- A Rate Name to identify the ticket. We use free-post in the example.
- A Ticket Code. This can be any value (we use 123), and is mandatory even if it is used only by the ASA hotel management system.
- The Payment mode, which should be Post-Paid.
- The measuring mode, Time-Based.
Click on Save when you are done.
Create User Account
After the creation of a ticket rate, proceed to create a new account, then associate a ticket to that user. From the Hotspot Administration Interface, go to Accounts > List > Add Account to open the account editor, in which you should provide the following mandatory data:
- A (unique) Username to identify the user.
- A Password for the account.
- Associate to the user a ticket, using the drop-down menu on the right-hand side of the interface, in the Ticket panel.
- Make sure the user is marked as Active.
- (Optional) You can add the account information.
Click on Save when you have finished.
Disable the Captive Portal coova-chilli (optional)
The coova-chilli captive portal by default intercepts all the traffic running through the BLUE interface and would interfere with the HTTP Proxy+RADIUS setup. Therefore, if you want hosts in the BLUE zone to use the RADIUS authentication, you must permanently disable chilli from starting. To do so, log in to your Endian UTM Appliance and stop chilli:
root@endian:~# monit stop chilli
Then, edit the /var/efw/inithooks/start.local file. If it is empty, copy and paste both of the following lines. If it already exists and is not empty, copy only the second line and paste it at the bottom of the file:
Finally, make sure that the file is executable:
root@endian:~# chmod 755 /var/efw/inithooks/start.local
This file will be included in the backups and will be restored if you import a backup after you reinstall the system. It will also be preserved in case of a package upgrade.
Client Connection to the Proxy
Once the whole setup has been completed, users can start connecting to the proxy to access the Internet. When they connect, a pop-up window will appear, in which users should insert their username and password.
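To check the RADIUS side of this setup without going through the browser pop-up, the following added example (not part of the original article and not Endian code) sends the same kind of Access-Request the proxy is configured to send: server 127.0.0.1, port 1812, identifier localhost, and the Hotspot password as the shared secret. An account with an assigned ticket should return Access-Accept and one without a ticket Access-Reject. It assumes Python 3 is available where you run it and that the server accepts a plain RFC 2865 PAP request; all function names are illustrative.

```python
import getpass, hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value   # type, length, value

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block).
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_request(user, password, secret, ident, request_auth, nas_id=b"localhost"):
    # Access-Request (code 1): User-Name (1), User-Password (2), NAS-Identifier (32).
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, request_auth))
             + attr(32, nas_id))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def reply_authenticator(reply, request_auth, secret):
    # RFC 2865 3: MD5(code + id + length + request authenticator + attributes + secret).
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

def parse_reply(reply, ident, request_auth, secret):
    # Padding the header slice lets a truncated datagram fail the length check below.
    code, reply_id, length = struct.unpack("!BBH", reply[:4].ljust(4, b"\x00"))
    if reply_id != ident or not 20 <= length <= len(reply):
        raise ValueError("malformed reply or not an answer to this request")
    reply = reply[:length]   # bytes past Length are padding
    if not hmac.compare_digest(reply[4:20], reply_authenticator(reply, request_auth, secret)):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return CODES.get(code, "code %d" % code)

def check_login(user, password, secret, host="127.0.0.1", port=1812, timeout=3.0):
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(user, password, secret, ident, request_auth), (host, port))
        reply, _ = sock.recvfrom(4096)
    return parse_reply(reply, ident, request_auth, secret)

if __name__ == "__main__":   # prompts keep the secret out of the shell history
    ask = lambda label: getpass.getpass(label + ": ").encode()
    print(check_login(input("Username: ").encode(), ask("Password"), ask("Shared secret")))
```

A timeout means nothing answered on 127.0.0.1:1812. A "bad Response Authenticator" error means the secret entered does not match the one the server uses, which is the same mismatch that would break the proxy's own authentication.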