Hotspot with Authentication to a Radius Server and LDAP Database Using DaloRADIUS Ryan Ellingson Herzing University 12/19/15

NT320-Final White Paper


Table of Contents

I. Executive Summary
II. Project Planning
    Network Diagram
    Technical Planning
    DaloRADIUS Appliance Specifications
    PFSense Specifications
    Linksys AP Specifications
    Windows Client Specifications
III. Implementation
    Installation of DaloRADIUS
    Login to DaloRADIUS
    Create a Billing Plan
    PayPal Implementation (User Creation)
    Create a User
    Add Billing Plan to New User
    NAS Listing in DaloRADIUS
    Installation of PFSense
    Login to PFSense Web Portal
    Enable Captive Portal
    Set Radius Authentication
    Set Accounting
    Set DD-WRT IP Address
    SSID
IV. Testing DaloRADIUS Authentication and Monitoring
    Installation of PFSense
    Go to a Website
    Usage Statistics
    Installation of PFSense
V. Conclusion
VI. Appendix


Executive Summary

Wireless hotspots are necessary in nearly every public business, ranging from airports to hotels and even charter buses. Connecting to the internet should be seamless and affordable, not only for consumers but also for the business that is hosting the public wireless internet. Payment plans should be laid out in a simple, easy-to-understand fashion, and setting up a payment plan should happen at the click of a button (if the business decides to charge for internet use). Appliances like DaloRADIUS allow businesses to hit all of these marks and more.

DaloRADIUS is a free appliance that was created to allow users to log in to a wireless hotspot seamlessly. It allows users and administrators to create an account with the click of a button and link up a payment method. Plans are not simply pre-set with a “one size fits all” mentality. DaloRADIUS allows for granular editing of plans and rates, so that everyone is happy. The web GUI is streamlined, so that the learning curve is minimal.

Since FreeRadius is the backend of DaloRADIUS, the appliance is completely free to set up and maintain.

Project Planning

For this project, an understanding of network layouts, firewall/Captive Portal, RADIUS servers, and wireless is needed.

Setting up the proper network for wireless hotspots is different for every business. While this network uses a PFSense Captive Portal, other networks might be able to rely on the Captive Portal built into an AP or their RADIUS appliance.

Setting up DaloRADIUS for PayPal use is possible through use of a PayPal Business account.

The AP used is also going to differ from network to network. This project calls for an AP with DD-WRT, but most other APs should work if DD-WRT cannot be flashed onto the AP.

HOTSPOT WITH AUTHENTICATION TO A RADIUS SERVER AND LDAP DATABASE - DECEMBER 2015


Network Diagram

Figure 1 Network Diagram


Technical Planning

The following specifications were used as part of the technical planning of the project entities. For this project, make a DaloRADIUS Appliance. This will house the FreeRADIUS application for authentication. It will also supply the Web GUI needed to manage the appliance. Also needed are a PFSense machine to host the Captive Portal that users will log in with, a Linksys AP for users to wirelessly connect to, and a Windows client to test out functionality.

DaloRADIUS Appliance Specifications
Operating System    Linux (Centos or Ubuntu)
Memory              512 MB
Hard Disk           20 GB
Network Cards       1 NIC

PFSense Specifications
Operating System    PFSense
Memory              512 MB
Hard Disk           15 GB
Network Cards       2 NIC

Linksys AP Specifications
Operating System    DD-WRT

Windows Client Specifications
Operating System    Windows 7
Memory              4 GB
Hard Disk           60 GB
Network Cards       1 NIC


Implementation

Implementation (for the purpose of this project) was completed in VMware Workstation 11. Depending on the network, the time that implementation will take may vary.

Installation of DaloRADIUS

Install DaloRADIUS onto a Linux machine. During the original testing of this project, installation of DaloRADIUS was confirmed for both Centos 5.11 and Ubuntu Server 15.10. While it is possible to install DaloRADIUS and all the other services needed to set the server up, it is also possible to download a .OVA file from http://www.daloradius.com. This .OVA file included a configured DaloRADIUS appliance that was ready to go. The only thing needed was setting the right IP Address. For the purpose of this project, the .OVA file was used.

Figure 2 Set the IP Address of DaloRADIUS

Login to DaloRADIUS

To log in to DaloRADIUS, go to the web address listed in the RADIUS appliance. The address should look like http://10.16.15.2. Here, there are a few different options. Click on DaloRADIUS Platform. Log in with Username: admin Password: admin. There will be another login prompt for the administrator. The default administrator account is Username: Administrator Password: radius.


Figure 3 DaloRADIUS login

Create a Billing Plan

Create a Billing Plan by clicking on Billing >> Plan >> New Plan. This will specify how a user is going to pay (before or after they use the hotspot). This will also determine how much money they will pay and how often they will be charged.

Figure 4 Create Billing Plan


PayPal Implementation (User Creation)

PayPal can be implemented into the system. For the purposes of this implementation, a PayPal account was not added. (It is necessary to have a business account for everything to be paid to. This was difficult to do in a test environment.) In the console of DaloRADIUS, edit the signup-paypal/index.php file to add the business account and the website hosting the signup success, cancel, and thank you pages. If users are allowed to create their own account, they would get directed to the signup page directly after connecting. From there, their user account would be created, they would choose a plan, and they would link their PayPal to their account. Again, for the purpose of this implementation, a PayPal account was not added, so instead a general user was created from the administrator.

Figure 5 PayPal User Self-Create

Create a User

DaloRADIUS is able to let users create their own profile and link up to PayPal. For the purposes of this project, the Administrator will create the user profile. Create a new user by going to Management >> New User.


Figure 6 Create User

Add Billing Plan to New User

As stated previously, users will be able to add a billing plan to their account when they sign up for an account. The administrator is also able to do this in the event that a user chose the wrong plan. Edit the user's account. On the account info tab, choose a plan. Note that once the plan gets applied, plan information, subscription analysis, and session info will start to populate with information.

Figure 7 Add Plan to User Account


NAS Listing in DaloRADIUS

Create a NAS listing that points to the IP address of the PFSense machine (RADIUS client). (This will be created in the next step.) Make sure to set a secret key.

Figure 8 NAS Listing in DaloRADIUS

Installation of PFSense

Install PFSense on a machine. In this project, a PFSense live CD was used. Use default settings for PFSense’s installation. Once done, configure the interfaces Le0 for WAN and Le1 for LAN. WAN, for the purpose of this project, obtained an IP Address through DHCP, though a statically set IP Address should probably be set outside of a test environment. LAN has to be statically set. The IP Address that gets set for the LAN will be the address used to manage PFSense on the web.


Figure 9 Initial PFSense LAN Configuration

Login to PFSense Web Portal

Open a web browser and go to the IP Address of the LAN. This will bring up the PFSense Web Portal. Make sure the correct IP Addresses are set on both interfaces.

Figure 10 PFSense Set WAN IP

Enable Captive Portal

In the Services tab, click on Captive Portal. On the Captive Portal tab, click Enable Captive Portal. Make sure the interface is set to LAN. In this project, Idle Timeout and Hard Timeout were set to one minute for testing purposes. Set these to the appropriate time a customer should be logged into the hotspot network.


Figure 11 PFSense Captive Portal On LAN

Set Radius Authentication

Set the Primary Radius Authentication to the IP address of the DaloRADIUS appliance (RADIUS Server). Keep the port default, and set the shared secret that was previously set in the NAS listing.

Figure 12 Set Radius Authentication
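The following is an added example, not part of the original paper or of the DaloRADIUS or PFSense code. It shows what the shared secret from the NAS listing and the Radius Authentication step does on the wire, following the User-Password hiding of RFC 2865 section 5.2, and assumes the Captive Portal sends the password as a PAP User-Password attribute. All function names, the secret, the credentials and the NAS address are constructed for illustration.

```python
import hashlib
import os
import struct

def _keystream_blocks(data, secret, authenticator, encrypting):
    """RFC 2865 5.2: each block is XORed with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        mixed = bytes(b ^ k for b, k in zip(block, key))
        prev = mixed if encrypting else block  # always chain on the ciphertext
        out += mixed
    return out

def hide_password(password, secret, authenticator):
    """NAS side (PFSense here): pad to a 16-byte multiple, then hide."""
    size = max(16, -(-len(password) // 16) * 16)
    return _keystream_blocks(password.ljust(size, b"\x00"), secret, authenticator, True)

def recover_password(hidden, secret, authenticator):
    """Server side (FreeRADIUS behind DaloRADIUS): undo the hiding."""
    return _keystream_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Code 1 packet with User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user)
             + attr(2, hide_password(password, secret, authenticator))
             + attr(4, nas_ip))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def password_seen_by_server(packet, server_secret):
    """Walk the attributes and decode User-Password with the server's secret."""
    authenticator, pos = packet[4:20], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        if attr_type == 2:
            return recover_password(packet[pos + 2:pos + length], server_secret, authenticator)
        pos += length
    raise ValueError("no User-Password attribute")

# Constructed lab values, not taken from the paper.
SECRET = b"lab-shared-secret"
PACKET = build_access_request(b"testuser", b"hotspot-pass", SECRET, bytes([10, 16, 15, 1]))
```

If the secret entered in PFSense differs from the one in the DaloRADIUS NAS listing, `password_seen_by_server` returns bytes unrelated to what the user typed, so the login is rejected even with correct credentials.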

Set Accounting

Check "send RADIUS accounting packets" and select interim update. Also set the Radius NAS IP to the LAN.


Figure 13 Set Accounting

Set DD-WRT IP Address

Go to the IP address of the wireless access point. Set the gateway and DNS to point to the newly created PFSense machine. For lab testing purposes, DHCP was turned off so that clients would have to be statically set. In a real-world case, set DHCP.

Figure 14 DD-WRT Setting Up IP Address

SSID

Set the SSID of the wireless access point. (For other security purposes, set an administrative password on the AP so nobody can mess with the configurations.) Also set the wireless to WPA2 encryption.


Figure 15 DD-WRT SSID


Testing DaloRADIUS Authentication and Monitoring

Installation of PFSense

In a production environment, the AP would normally hand out DHCP for all clients that connect to the hotspot. For the purposes of this project, this was not possible in the test environment. As a result, set the IP Address to something within the LAN subnet, set the default gateway and primary DNS to the PFSense IP address, and set the alternate DNS to Google’s DNS.

Figure 16 Set the IP of Workstation

Go to a Website

Try connecting wirelessly to the hotspot and open the browser. Go to any website. The PFSense Captive Portal will appear, asking for the proper login. Since the administrator created the users, the user will not be directed to the user account setup page. After clicking continue, the user will be able to browse the internet.

Figure 17 Go to Website


Usage Statistics

On DaloRADIUS, go to Management >> List Users >> [User] >> Edit Account. Under here, there will be usage information for said account. Billing history should show up daily, weekly, or monthly. Based on what plan was made, this will differ. At the end of the preset period, each user's billing statement will be generated.

Figure 18 Usage Statistics


Conclusion

To conclude, wireless hotspot networks that are easy to set up and connect to are drastically important for companies to have implemented. The process, at this point, is streamlined and nearly ready to go with minor configuration edits.

Some of the major issues that were seen in this project include installation of DaloRADIUS on Centos and Ubuntu Server. There are guides online for these two platforms, but they are ultimately outdated. After working for two days on getting the platform set up, I found the .OVA file of the pre-configured appliance from DaloRADIUS.

Another issue faced was how user creation was done. Some businesses will want default guest accounts, while others will want users to create their own account. This, coupled with the fact that implementing a live PayPal account into the system is very difficult (since you need a business PayPal account) made the rate tracking very difficult and ultimately unusable in this project environment.

There was an issue getting the Captive Portal available on DaloRADIUS to work, so implementing PFSense was necessary.

Due to this being a test environment, DHCP on the AP caused a Spanning Tree Loop. Since this happened only because this project was implemented in a Herzing University test environment, cutting DHCP was also necessary. Instead, the workstation that connects to the hotspot did so with a static IP Address.



Appendix

Figure 19 Rates

Figure 20 User Self-Created


Figure 21 PayPal Payment


Figure 22 PayPal Configuration

Figure 23 Invoice for User
