Blog

Configure a Raspberry Pi running OpenWrt and Coova Chilli to authenticate visitors to Active Directory

In this document, I will show you how to install a radius server on a Microsoft Active Directory Domain Controller. Microsoft use the name Network Policy Server (NPS) for it's radius implementation.

Schema

Raspberry Pi installation

Prerequisite

The prerequisite for this installation is to configure the Rapberry Pi as a routed Access Point as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/

Once this is done, you should have a Raspberry Pi running OpenWrt and configured as a routed Access Point. The SSID visible to the visitors will be "Guest", but you can rename it easily as you want.

Next, install the local splash page as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-coova-chilli-and-a-local-splash-page-on-a-raspberry-pi-running-openwrt/

Once this is done, the people connecting to your hostspot will be presented a splash page where they can log on. In this article, we will mainly focus on installing NPS on the Domain Controller in order to authenticate our users

Install Network Policy Server (NPS) on the Active Directory Domain Controller

This procedure is straight forward (add the role " Network Policy and Access Services")

Configure NPS

The NPS configuration is done with the specific Network Policy Server MMC available from Server Manager

Add a radius client (for our Raspberry Pi Access Point)

Configure a Shared Secret specific for your need (in my case "testing123")

Add a Network Policy (just for testing, these parameters can be edited later)

  • Policy name: Allow-2mbs-1min

This policy should allow our visitors to login to our hotspot for a period of 1min and with a bandwidth of 2Mb/s

Select the AD group that will be allowed (our visitors should be member of this group for the policy to apply)

  • Windows group: LAN\DL-Radius-Allow-2Mbs

Set the authentication method (allow unencrypted authentication)

Warning: notice that the user passwords will travel the network unencrypted !

If this is a problem for you, a solution would be to use TekRadius (available at this URL https://www.kaplansoft.com/tekradius/) instead of NPS.

You should then configure coova-chilli to use radsec tunneling protocol (RFC6614). To my knowledge, Microsoft NPS does not support this protocol.

Set the session timeout to 1 min (testing purpose)

Configure an interim accounting record interval of 10sec (testing)

And use a vendor specific attribute to limit the bandwidth to 2Mb/s (testing)

A list of usable attributes can be found on following link: https://support.ignitenet.com/portal/kb/articles/what-are-the-supported-radius-attributes-in-coovachilli-captive-portal

Here we will use attribute 8 from vendor 14122 (WISPr-Bandwidth-Max-Down)

And we will do the same to limit the bandwidth in the opposite direction

Verify that NPS will log events in Eventviewer by right-clicking on the root of the MMC

Now activate auditing for NPS

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
And check result

auditpol /get /subcategory:"Network Policy Server"
Output

Finally, configure NPS to log access to an XML log file

This is done by configuring accounting to log events in a log file

Test that NPS is working

To confirm that our NPS is now able to authenticate users, will use a free tool like "NTRadPing" available on this link: https://www.novell.com/coolsolutions/tools/14377.html

As you can see, the response code is "Access-Accept" and the attributes we specified are there

We can also check the EventViewer of the NPS to search for a corresponding event

As you can see, event 6272 was logged

Configure coova-chilli

Modify your config file so that coova-chilli use your radius server

nano /etc/config/chilli

Adapt the radius part to fulfill your needs by editing following content

 

#
# Sample Coova-Chilli configuration file modified by gremaudpi
#

config chilli

option interval 3600
option swapoctets 1        

######## TUN and DHCP Parameters ########
    
option tundev 'tun0'
option dhcpif 'wlan0'
option net 192.168.182.0/24
option lease 600
option dns1 8.8.8.8
option dns2 8.8.4.4
option ipup '/etc/chilli/up.sh'
option ipdown '/etc/chilli/down.sh'

######## Radius parameters ########

option radiusserver1 '192.168.0.33'
option radiusserver2 ''
option radiusauthport 1812
option radiusacctport 1813
option radiussecret 'testing123'
option radiusnasid 'ap001'
option ssid 'ACME-company'

######## Universal access method (UAM) parameters ########

option uamlisten 192.168.182.1
option uamserver 'http://192.168.0.30/hotspotlogin/hotspotlogin.php'
option uamsecret 'greatsecret'
option uamallowed ''
option uamdomain ''
option uamanydns 1
option uamaliasname 'login'
option nouamsuccess 1

Restart chilli

/etc/init.d/chilli restart

Verify that chilli loaded our configuration by looking at following file

cat /var/run/chilli*.conf

Test the complete solution

Log on to the Guest SSID using a WiFi client (I use a smartphone)

You should be prompted for a password

Be sure to provide username and credential from an Active Directory user that is member of the allowed group

 

If login is successful, check that the bandwidth is limited

And that the session is disconnected after 1min

Again, check the EventViewer for success event

View the log files

To parse your log files on the NPS server you can use a too called "IAS Log viewer" available from this URL: https://www.deepsoftware.com/iasviewer/

This tool will show you a table formatted view of the XML log files generated by NPS

And can generate cool reports too

That's all folks …

Tags: , , , , , , , , ,

Leave a Reply