In this document, I will show you how to install a RADIUS server on a Microsoft Active Directory Domain Controller. Microsoft uses the name Network Policy Server (NPS) for its RADIUS implementation.
Schema
Raspberry Pi installation
Prerequisite
The prerequisite for this installation is to configure the Raspberry Pi as a routed Access Point as described in my previous post, available under this link: https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/
Once this is done, you should have a Raspberry Pi running OpenWrt and configured as a routed Access Point. The SSID visible to the visitors will be "Guest", but you can rename it easily as you want.
Next, install the local splash page as described in my previous post, available under this link: https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-coova-chilli-and-a-local-splash-page-on-a-raspberry-pi-running-openwrt/
Once this is done, the people connecting to your hotspot will be presented with a splash page where they can log on. In this article, we will mainly focus on installing NPS on the Domain Controller in order to authenticate our users.
Install Network Policy Server (NPS) on the Active Directory Domain Controller
This procedure is straightforward (add the role "Network Policy and Access Services").
Configure NPS
The NPS configuration is done with the dedicated Network Policy Server MMC, available from Server Manager.
Add a radius client (for our Raspberry Pi Access Point)
Configure a shared secret specific to your needs (in my case "testing123")
Add a Network Policy (just for testing, these parameters can be edited later)
- Policy name: Allow-2mbs-1min
This policy should allow our visitors to log in to our hotspot for a period of 1 min and with a bandwidth of 2 Mb/s
Select the AD group that will be allowed (our visitors must be members of this group for the policy to apply)
- Windows group: LAN\DL-Radius-Allow-2Mbs
Set the authentication method (allow unencrypted authentication)
Warning: note that the user passwords will travel the network unencrypted!
If this is a problem for you, a solution would be to use TekRADIUS (available at this URL: https://www.kaplansoft.com/tekradius/) instead of NPS.
You should then configure coova-chilli to use the RadSec tunneling protocol (RFC 6614). To my knowledge, Microsoft NPS does not support this protocol.
Set the session timeout to 1 min (for testing purposes)
Configure an interim accounting record interval of 10 sec (testing)
And use a vendor-specific attribute to limit the bandwidth to 2 Mb/s (testing)
A list of usable attributes can be found at the following link: https://support.ignitenet.com/portal/kb/articles/what-are-the-supported-radius-attributes-in-coovachilli-captive-portal
Here we will use attribute 8 from vendor 14122 (WISPr-Bandwidth-Max-Down)
And we will do the same to limit the bandwidth in the opposite direction
Verify that NPS will log events in Event Viewer by right-clicking on the root of the MMC
Now activate auditing for NPS
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
And check the result
auditpol /get /subcategory:"Network Policy Server"
Output
Finally, configure NPS to log access to an XML log file
This is done by configuring accounting to log events in a log file
Test that NPS is working
To confirm that our NPS is now able to authenticate users, we will use a free tool like "NTRadPing", available at this link: https://www.novell.com/coolsolutions/tools/14377.html
As you can see, the response code is "Access-Accept" and the attributes we specified are there
We can also check the Event Viewer on the NPS server and search for the corresponding event
As you can see, event 6272 was logged
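The following block is an added example, not something from the original post or from NTRadPing: a small RFC 2865 client written in plain Python that does what the test above does by hand. It builds the PAP Access-Request a captive portal sends, hides the User-Password the way RFC 2865 section 5.2 prescribes (an XOR against MD5(shared secret + authenticator), which is the only protection PAP gives the password and the reason for the warning earlier), verifies the Response Authenticator of the reply so a forged or wrong-secret answer is rejected, and decodes the Session-Timeout and the WISPr vendor-specific attributes (vendor 14122, types 7 and 8) that carry the bandwidth limits. The user name, password, NAS address and the Access-Accept in `demo()` are constructed locally; `ping()` is the function to point at a real server.

```python
"""Minimal RADIUS (RFC 2865) client-side encoder/decoder, written for this post.

Builds the PAP Access-Request that a captive portal sends to NPS, hides the
password per RFC 2865 section 5.2, checks the reply's Response Authenticator,
and decodes the WISPr (vendor 14122) bandwidth attributes. Standard library only.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC, SESSION_TIMEOUT = 1, 2, 4, 26, 27
VENDOR_WISPR = 14122
WISPR_BW_MAX_UP, WISPR_BW_MAX_DOWN = 7, 8  # WISPr dictionary: 7 = Max-Up, 8 = Max-Down


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Each 16-byte block is XORed with MD5(secret + previous block); the first
    block is keyed by the Request Authenticator. Obfuscation keyed by the shared
    secret, not encryption: whoever knows the secret recovers the password."""
    if len(password) > 128:
        raise ValueError("password too long for RADIUS")
    padded = password + b"\x00" * ((-len(password)) % 16 or (16 if not password else 0))
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def vsa(vendor: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor id followed by a nested TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + inner)


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None) -> bytes:
    ra = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def build_response(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Server side; used here only to construct a sample Access-Accept offline."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def parse_attributes(blob: bytes) -> list:
    """Returns (code, value) pairs; VSAs become (26, (vendor, vendor_type, data))."""
    items, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute")
        code, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        value = blob[pos + 2:pos + length]
        if code == VENDOR_SPECIFIC and len(value) >= 6 and value[5] <= len(value) - 4:
            vendor = struct.unpack("!I", value[:4])[0]
            items.append((code, (vendor, value[4], value[6:4 + value[5]])))
        else:
            items.append((code, value))
        pos += length
    return items


def parse_response(packet: bytes, request: bytes, secret: bytes):
    """Reject the reply unless its id matches and its Response Authenticator equals
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != request[1] or length < 20 or length > len(packet):
        raise ValueError("id or length mismatch")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code, parse_attributes(packet[20:])


def summarize(code: int, attrs: list) -> dict:
    """Readable view of the reply, similar to what NTRadPing displays."""
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    wispr = {WISPR_BW_MAX_UP: "WISPr-Bandwidth-Max-Up", WISPR_BW_MAX_DOWN: "WISPr-Bandwidth-Max-Down"}
    result = {"code": names.get(code, str(code))}
    for c, v in attrs:
        if c == SESSION_TIMEOUT:
            result["Session-Timeout"] = struct.unpack("!I", v)[0]
        elif c == VENDOR_SPECIFIC and v[0] == VENDOR_WISPR and v[1] in wispr:
            result[wispr[v[1]]] = struct.unpack("!I", v[2])[0]
    return result


def ping(server, ident, username, password, secret, nas_ip, port=1812, timeout=3.0) -> dict:
    """Send a real Access-Request over UDP and summarize the reply."""
    request = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply = sock.recv(4096)
    return summarize(*parse_response(reply, request, secret))


def demo() -> dict:
    """Offline round trip: constructed user, secret and Access-Accept mirroring the post's policy."""
    secret = b"testing123"
    request = build_access_request(7, "visitor", "P@ssw0rd", secret, "192.168.182.1")
    reply = build_response(ACCESS_ACCEPT, request, secret, [
        attr(SESSION_TIMEOUT, struct.pack("!I", 60)),
        vsa(VENDOR_WISPR, WISPR_BW_MAX_DOWN, struct.pack("!I", 2000000)),
        vsa(VENDOR_WISPR, WISPR_BW_MAX_UP, struct.pack("!I", 2000000)),
    ])
    return summarize(*parse_response(reply, request, secret))


if __name__ == "__main__":
    print(demo())
```

To exercise a real server, call `ping("<NPS address>", 1, "<user>", "<password>", b"testing123", "<AP address>")` from a host that is registered as a RADIUS client in NPS; anything else is silently discarded by NPS, and a wrong shared secret shows up as the Response Authenticator check failing rather than as an Access-Reject.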
Configure coova-chilli
Modify your config file so that coova-chilli uses your RADIUS server
nano /etc/config/chilli
Adapt the RADIUS part (the server address, and the shared secret you configured in NPS) to your needs by editing the following content; only the relevant lines are shown
config chilli
    option interval 3600
    ######## TUN and DHCP Parameters ########
    ######## Radius parameters ########
    option radiusserver1 '192.168.0.33'
    ######## Universal access method (UAM) parameters ########
    option uamlisten 192.168.182.1
Restart chilli
/etc/init.d/chilli restart
Verify that chilli loaded our configuration by looking at the following file
cat /var/run/chilli*.conf
Test the complete solution
Log on to the Guest SSID using a Wi-Fi client (I use a smartphone)
You should be prompted for a password
Be sure to provide the username and password of an Active Directory user that is a member of the allowed group
If login is successful, check that the bandwidth is limited
And that the session is disconnected after 1 min
Again, check the Event Viewer for the success event
View the log files
To parse the log files on the NPS server you can use a tool called "IAS Log Viewer", available from this URL: https://www.deepsoftware.com/iasviewer/
This tool shows you a table-formatted view of the XML log files generated by NPS
And it can generate reports too
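As an added example (not part of the original post, and unrelated to IAS Log Viewer), here is a small Python script that reads the XML-format NPS log directly. In that format every line is one `<Event>` element whose children are RADIUS attributes plus NPS fields such as `Packet-Type`, `Reason-Code` and `NP-Policy-Name`; the script summarizes accepts and rejects per user, explains the reject reason codes it knows, and flags users with repeated failures, which is the kind of check the hotspot operator wants to run on a schedule. The log lines in `SAMPLE_LOG` are constructed for this demo (hostnames, users and addresses are made up), and the reason-code table is a partial one.

```python
"""Summarize NPS XML-format authentication logs, written for this post.

Each line is one <Event> element; its children are RADIUS attributes and NPS
fields (Packet-Type, Reason-Code, NP-Policy-Name, ...). Sample lines below are
constructed for the demo and are not real log output.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response"}
# Partial table of NPS reason codes (paraphrased); unknown codes are shown numerically.
REASON = {0: "success",
          16: "bad user name or password",
          48: "no network policy matched",
          66: "authentication method not enabled on the matching policy"}

# Constructed sample: one successful visitor, one with two bad passwords,
# one who is not in the allowed AD group.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">03/10/2020 14:02:11.512</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor1</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><Client-Friendly-Name data_type="1">RaspberryPi-AP</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/10/2020 14:02:11.528</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor1</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><NP-Policy-Name data_type="1">Allow-2mbs-1min</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/10/2020 14:02:12.001</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor1</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><Acct-Status-Type data_type="0">1</Acct-Status-Type><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">03/10/2020 14:05:40.110</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor2</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/10/2020 14:05:40.125</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor2</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/10/2020 14:05:58.402</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor2</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/10/2020 14:09:03.777</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">visitor3</User-Name><Client-IP-Address data_type="3">192.168.0.40</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
"""


def parse_event(line: str) -> dict:
    """One <Event> line -> {tag: text}. The data_type attributes are not needed."""
    root = ET.fromstring(line)
    if root.tag != "Event":
        raise ValueError("not an NPS event line")
    return {child.tag: (child.text or "") for child in root}


def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def summarize(events: list) -> dict:
    """Packet counts, accept/reject counts per user, and an explained reject list."""
    by_type, per_user, rejects = Counter(), defaultdict(Counter), []
    for ev in events:
        ptype = PACKET_TYPE.get(int(ev.get("Packet-Type", 0)), "unknown")
        by_type[ptype] += 1
        user = ev.get("User-Name", "?")
        if ptype in ("Access-Accept", "Access-Reject"):
            per_user[user][ptype] += 1
        if ptype == "Access-Reject":
            code = int(ev.get("Reason-Code", -1))
            rejects.append({"time": ev.get("Timestamp"), "user": user,
                            "client": ev.get("Client-IP-Address"),
                            "reason": REASON.get(code, f"reason code {code}")})
    return {"packets": dict(by_type),
            "users": {u: dict(c) for u, c in per_user.items()},
            "rejects": rejects}


def repeated_failures(events: list, threshold: int = 3) -> list:
    """Users rejected at least `threshold` times: a typo, a stale password, or guessing."""
    counts = Counter(ev.get("User-Name") for ev in events if ev.get("Packet-Type") == "3")
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print("repeated failures:", repeated_failures(evs, threshold=2))
```

Point `parse_log` at the contents of the log file NPS writes (the path is the one you chose in the accounting settings) and the output lines up with what you see in Event Viewer: each Access-Reject here corresponds to a failure event there, and each Access-Accept to event 6272.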
That's all folks …