RADIUS Authenticated SSID

TIP OpenWiFi 2.0

When authenticating clients with back office RADIUS systems, the configuration of OpenWiFi permits this on a per SSID basis.

Simple RADIUS

    "interfaces": [
        {
            "name": "WAN",
            "role": "upstream",
            "ethernet": [
                {
                    "select-ports": [
                        "WAN*"
                    ]
                }
            ],
            "ipv4": {
                "addressing": "dynamic"
            },
            "ssids": [
                {
                    "name": "OpenWifi",
                    "wifi-bands": [
                        "5G"
                    ],
                    "bss-mode": "ap",
                    "encryption": {
                        "proto": "wpa2",
                        "ieee80211w": "optional"
                    },
                    "radius": {
                        "authentication": {
                            "host": "192.168.178.192",
                            "port": 1812,
                            "secret": "secret"
                        },
                        "accounting": {
                            "host": "192.168.178.192",
                            "port": 1813,
                            "secret": "secret"
                        }
                    }
                }
            ]
        },

EAP-Local SSID

            "ssids": [
                {
                    "name": "OpenWifi",
                    "wifi-bands": [
                        "2G"
                    ],
                    "bss-mode": "ap",
                    "encryption": {
                        "proto": "wpa2",
                        "ieee80211w": "optional"
                    },
                    "certificates": {
                        "ca-certificate": "/etc/ucentral/cas.pem",
                        "certificate": "/etc/ucentral/cert.pem",
                        "private-key": "/etc/ucentral/key.pem"
                    },
                    "radius": {
                        "local": {
                            "server-identity": "OpenWiFi-Local-EAP",
                            "users": [
                                {
                                    "user-name": "open",
                                    "password": "wifi"
                                }
                            ]
                        }
                    }
                }
            ]
        },

Many parameters are possible with RADIUS authentications given the many methods in use worldwide. Many of the EAP methods have configuration options described below.

RADIUS Attribute	Description
nas-identifier	Unique NAS Id used with RADIUS server
chargeable-user-id	Chargeable User Entity per RFC4372
local	Local RADIUS within AP device server-identity users - Local EAP users based on username, PreShared Key and VLAN id
authentication	RADIUS server host IP address port ( example 1812) secret ( Shared secret with RADIUS server ) Additional methods within Access-Request request-attribute ( id of RADIUS server ) id ( numeric value of RADIUS server ) value Any sub-value defined as integer RADIUS attribute value
accounting	RADIUS server host IP address port ( example 1813) secret ( Shared secret with RADIUS server ) Additional methods within Access-Request sent in Accounting request-attribute ( id of RADIUS server ) id ( numeric value of RADIUS server ) value Any sub-value defined as integer RADIUS attribute value
accounting	interval ( Interim accounting interval defined in seconds )