Django-freeradius
Fiorella De Luca - 22 April 2018
@fiorella_deluca
OpenWisp
OpenWISP is a set of software modules that can be used to deploy and manage wireless networks (public Wi-Fi, backbone, mesh networks).
Topics covered
● What is Freeradius?
● Installing django-freeradius
● Installing freeradius
● Models and RESTful API
● Using django-freeradius
What is Freeradius?
● AAA protocol
○ Authentication
○ Authorization
○ Accounting
● The most widely used open source RADIUS server
AAA protocol Radius Freeradius
Radius (Remote Access Dial In User Service)
Nas (Radius Client)
Internet Radius Server
Shared Secret
Authentication & Authorization
RADIUS Client
RADIUS: Access-Request
RADIUS: Access-Accept OR
RADIUS: Access-Reject
RADIUS Server
Accounting
RADIUS Client
RADIUS Server
RADIUS: Accounting-Request
RADIUS: Accounting-Response
Accounting-Request acct_status_type: Start, Interim-Update, Stop
[acct_status_type=start]
Django-freeradius
● Web interface, based on Django, for managing the Freeradius databases.
● RESTful API for handling Freeradius authorization, post-authentication and accounting.
● It is a reusable and extensible app.
Let’s start!
Django-freeradius - Installation
Stable version from PyPI:
● # create virtualenv
  mkvirtualenv radius
● pip install django-freeradius
Development version:
● # create virtualenv
  mkvirtualenv radius
● pip install https://github.com/openwisp/django-freeradius/tarball/master
Integration into an existing Django app
Add django_freeradius to INSTALLED_APPS:
INSTALLED_APPS = [
    # other apps
    'django_freeradius',
]
Add the URL in urls.py:
from django.conf.urls import include, url

urlpatterns = [
    # ... other urls in your project ...
    # django-freeradius urls
    # keep the namespace argument unchanged
    url(r'^', include('django_freeradius.urls', namespace='freeradius')),
]
Django-freeradius - Installation
Installation for development:
● git clone git://github.com/<your_username>/django-freeradius
○ cd django-freeradius/
○ python setup.py develop
● pip install -r requirements-test.txt
● cd tests/
○ ./manage.py migrate
○ ./manage.py createsuperuser
● ./manage.py runserver
○ (http://127.0.0.1:8000/admin/)
● ./runtests.py
Create a PostgreSQL database:
● sudo apt-get install postgresql
● sudo -i -u postgres
● createuser -S nomeuser -P
● createdb nomedb -O nomeuser
PostgreSQL database
Django-freeradius
# django-freeradius/tests/local_settings.py
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': '<db_name>',
        'USER': '<db_user>',
        'PASSWORD': '<db_password>',
        'HOST': '127.0.0.1',
        'PORT': '5432'
    },
}
Freeradius - Installation
● sudo apt-add-repository ppa:freeradius/stable-3.0
● sudo apt-get update
● sudo apt-get install freeradius freeradius-postgresql freeradius-rest
Ubuntu 16.04
Freeradius - Configuration
Example configuration using the PostgreSQL database
# /etc/freeradius/3.0/mods-available/sql
driver = "rlm_sql_postgresql"
dialect = "postgresql"

# Connection info:
server = "localhost"
port = 5432
login = "<user>"
password = "<password>"
radius_db = "radius"
Freeradius
Freeradius - REST module configuration
# /etc/freeradius/3.0/mods-enabled/rest
connect_uri = "<url>"
authorize {
    uri = "${..connect_uri}/api/authorize/"
    method = 'post'
    body = 'json'
    data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'
    tls = ${..tls}
}
Freeradius - REST module configuration
# /etc/freeradius/3.0/mods-enabled/rest
# this section can be left empty
authenticate {}
post-auth {
    uri = "${..connect_uri}/api/postauth/"
    method = 'post'
    body = 'json'
    data = '{"username": "%{User-Name}", "password": "%{User-Password}", "reply":"%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'
    tls = ${..tls}
}
Freeradius - REST module configuration
# /etc/freeradius/3.0/mods-enabled/rest
accounting {
    uri = "${..connect_uri}/api/accounting/"
    method = 'post'
    body = 'json'
    data = '{"status_type": "%{Acct-Status-Type}", "session_id": "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", "session_time": "%{Acct-Session-Time}", "authentication": "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", "output_octets": "%{Acct-Output-Octets}", "called_station_id": "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", "terminate_cause": "%{Acct-Terminate-Cause}", "service_type": "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", "framed_ip_address": "%{Framed-IP-Address}"}'
    tls = ${..tls}
}
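Added example (not part of the original slides and not django-freeradius code): a minimal in-memory handler for the JSON body posted by the accounting section above, showing how the Start, Interim-Update and Stop status types map onto one session record keyed by unique_id, with input validation and tolerance for retransmitted packets. The names handle_accounting and sample, the in-memory store and the sample values are constructed for illustration; it assumes an attribute absent from the packet arrives as an empty string.

```python
import json

REQUIRED = ("status_type", "session_id", "unique_id", "username")
COUNTERS = ("session_time", "input_octets", "output_octets")
STATUS_TYPES = ("Start", "Interim-Update", "Stop")


def handle_accounting(store, raw_body):
    """Hypothetical helper, not django-freeradius code; returns 201/200/400."""
    try:
        data = json.loads(raw_body)
    except ValueError:
        return 400
    if not isinstance(data, dict) or not all(
            isinstance(data.get(k), str) and data[k] for k in REQUIRED):
        return 400
    try:
        # Assumption: an attribute missing from the packet arrives as "".
        counters = {k: int(data.get(k) or 0) for k in COUNTERS}
    except (TypeError, ValueError):
        return 400
    if data["status_type"] not in STATUS_TYPES or min(counters.values()) < 0:
        return 400
    session = store.get(data["unique_id"])
    code = 200
    if session is None:
        # Start, or a later packet whose Start was lost: open the record.
        session = store[data["unique_id"]] = {
            "username": data["username"], "open": True,
            "terminate_cause": None, **dict.fromkeys(COUNTERS, 0)}
        code = 201
    elif session["username"] != data["username"]:
        return 400  # a session id never changes owner
    elif not session["open"]:
        return 200  # late or duplicate packet after Stop: acknowledge only
    # Counters only grow, so a retransmitted older packet cannot lower them.
    for k in COUNTERS:
        session[k] = max(session[k], counters[k])
    if data["status_type"] == "Stop":
        session["open"] = False
        session["terminate_cause"] = data.get("terminate_cause") or None
    return code


def sample(status, **extra):
    """Constructed body shaped like the data template (not captured traffic)."""
    body = {"status_type": status, "session_id": "35000006",
            "unique_id": "75058e50", "username": "bob", "session_time": ""}
    return json.dumps({**body, **extra})
```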
Enabling the configured modules
● ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/sql
● ln -s /etc/freeradius/3.0/mods-available/rest /etc/freeradius/3.0/mods-enabled/rest
Restart freeradius to load the new configuration:
service freeradius restart
# first we must stop the main freeradius process
service freeradius stop
# launch freeradius in debug mode
freeradius -X
Django-freeradius - Models
● RadiusGroup
● RadiusGroupUsers
● RadiusReply
● RadiusCheck
● RadiusAccounting
● Nas
● RadiusUserGroup
● RadiusGroupReply
● RadiusGroupCheck
● RadiusPostAuth
Abstract models
# django_freeradius/base/models.py
from django.db import models
from django.utils.translation import gettext_lazy as _
from model_utils.fields import AutoCreatedField, AutoLastModifiedField


class TimeStampedEditableModel(models.Model):
    """
    An abstract base class model that provides self-updating
    ``created`` and ``modified`` fields.
    """
    created = AutoCreatedField(_('created'), editable=True)
    modified = AutoLastModifiedField(_('modified'), editable=True)

    class Meta:
        abstract = True


# django_freeradius/base/models.py
class AbstractRadiusGroup(TimeStampedEditableModel):
    id = models.UUIDField(primary_key=True, db_column='id')
    group_name = models.CharField(verbose_name=_('groupname'),
                                  max_length=255, unique=True,
                                  db_column='groupname',
                                  db_index=True)
    priority = models.IntegerField(verbose_name=_('priority'), default=1)
    creation_date = models.DateField(verbose_name=_('creation date'),
                                     null=True, db_column='created_at')
    modification_date = models.DateField(verbose_name=_('modification date'),
                                         null=True,
                                         db_column='updated_at')
    notes = models.CharField(verbose_name=_('notes'), max_length=64,
                             blank=True, null=True)

    class Meta:
        db_table = 'radiusgroup'
        verbose_name = _('radiusgroup')
        verbose_name_plural = _('radiusgroups')
        abstract = True

    def __str__(self):
        return self.group_name
Abstract models
# django_freeradius/base/admin.py
from django.contrib.admin import ModelAdmin


class TimeStampedEditableAdmin(ModelAdmin):
    """
    ModelAdmin for TimeStampedEditableModel
    """
    def get_readonly_fields(self, request, obj=None):
        readonly_fields = super(TimeStampedEditableAdmin, self).get_readonly_fields(request, obj)
        return readonly_fields + ('created', 'modified')


class AbstractRadiusGroupAdmin(TimeStampedEditableAdmin):
    pass
How to create a reusable app
Install swapper
pip install swapper
# django_freeradius/models.py
import swapper

from .base.models import AbstractRadiusGroup


class RadiusGroup(AbstractRadiusGroup):
    class Meta(AbstractRadiusGroup.Meta):
        abstract = False
        swappable = swapper.swappable_setting('django_freeradius',
                                              'RadiusGroup')
Migrations
We use Swapper in the migration scripts:
● Dependency ordering
● Foreign key references
Example (sample_radius)
Updating settings.py
RESTful API (Authorization, PostAuth, Accounting)
● Start the runserver of my application:
○ cd django-freeradius
○ workon radius
○ cd tests/
○ ./manage.py runserver
● Start freeradius in debug mode:
○ freeradius -X
Django-freeradius - Authorization
Access-Accept
Access-Reject
Django-freeradius - PostAuth
Django-freeradius - Accounting
● Create a file at /tmp/accounting.txt
● Save the file
● Open the command prompt
● radclient -f /tmp/accounting.txt -x 127.0.0.1 acct testing123
Using Django-freeradius
Users will be able to use Django-freeradius to:
● self-register
● manage their own account
● view statistics
Operations performed through the interface act on the tables of a relational DBMS, created and maintained by the Django framework. These relations are also made available to a RADIUS server through appropriate views. The RADIUS server, interacting with a Network Access Server (NAS) such as a captive portal, will implement authentication, authorization and accounting (AAA) for the WiFi service.
Useful resources
Organization Github Page: https://github.com/openwisp
Organization Website: http://openwisp.org/
Project Repository: https://github.com/openwisp/django-freeradius
Documentation: http://django-freeradius.readthedocs.io/en/latest/
Thank you!