Django-freeradius - pycon.it · OpenWisp Openwisp è un insieme di moduli software che possono...

Django-freeradius

Fiorella De Luca - 22 Aprile 2018

@fiorella_deluca

OpenWisp

Openwisp è un insieme di moduli software che possono essere utilizzati per distribuire e gestire reti wireless. (wifi pubblico, backbone, mesh networks)

Argomenti trattati

● Che cos’è Freeradius?

● Installazione django-freeradius

● Installazione di freeradius

● Modelli e RESTful API

● Uso di django-freeradius

Che cos’è Freeradius?

● Protocollo AAA ○ Autenticazione○ Autorizzazione○ Accounting

● Server Radius open source più diffuso

Protocollo AAA Radius Freeradius

Radius (Remote Access Dial In User Service)

Nas (Radius Client)

Internet Radius Server

Shared Secret

Autenticazione & Autorizzazione

RADIUS Client

RADIUS: Access-Request

RADIUS: Access-AcceptOR

RADIUS: Access-Reject

RADIUS Server

Accounting

RADIUS Client

RADIUS Server

RADIUS: Accounting-Request

RADIUS: Accounting-Response

Start Accounting- Request acct_status_type Interim-Update Stop

[acct_status_type=start]

Django-freeradius

● Interfaccia web per gestire i database Freeradius basata su Django.

● RESTful API per gestire l’autorizzazione, la post autenticazione e

l’accounting di freeradius.

● È un’ app riutilizzabile ed estensibile.

Let’s start!

Django-freeradius - Installazione

Versione stabile da pypi:

● #create virtualenv mkvirtualenv radius

● pip install django-freeradius Versione di sviluppo:

● #create virtualenv mkvirtualenv radius

● pip install https://github.com/openwisp/django-freeradius/tarball/master

Aggiungo django_freeradius a INSTALLED_APPS:

● INSTALLED_APPS = [ # other apps 'django_freeradius',]

Aggiungo l’url in urls.py:

urlpatterns = [ # ... other urls in your project ... # django-freeradius urls # keep the namespace argument unchanged url(r'^', include('django_freeradius.urls', namespace='freeradius')),]

Integrazione in un’app django già esistente

Django-freeradius - Installazione

Installazione per lo sviluppo:

● git clone git://github.com/<your_username>/django-freeradius○ cd django-freeradius/

○ python setup.py develop

● pip install -r requirements-test.txt

● cd tests/○ ./manage.py migrate

○ ./manage.py createsuperuser

● ./manage.py runserver

○ (http://127.0.0.1:8000/admin/)

● ./runtests.py

Creare un database PostgreSQL:

● sudo apt-get install postgresql

● sudo -i -u postgres

● createuser -S nomeuser -P

● createdb nomedb -O nomeuser

http://127.0.0.1:8000/admin/

Database PostgreSQL

Django-freeradius

#django-freeradius/tests/local_settings.py DATABASES = {

'default': {

'ENGINE':

'django.db.backends.postgresql_psycopg2',

'NAME': '<db_name>',

'USER': '<db_user>',

'PASSWORD': '<db_password>',

'HOST': '127.0.0.1',

'PORT': '5432'

},

}

Freeradius - Installazione

● sudo apt-add-repository ppa:freeradius/stable-3.0

● sudo apt-get update

● sudo apt-get install freeradius freeradius-postgresql freeradius-rest

ubuntu 16.04

Freeradius - Configurazione

Esempio di configurazione usando il database PostgreSQL

#/etc/freeradius/3.0/mods-available/sqldriver = "rlm_sql_postgresql"dialect = "postgresql"

# Connection info:server = "localhost"port = 5432login = "<user>"password = "<password>"radius_db = "radius"

Freeradius

Freeradius - Configurazione moduli REST

# /etc/freeradius/3.0/mods-enabled/rest

connect_uri = "<url>"

authorize { uri = "${..connect_uri}/api/authorize/" method = 'post' body = 'json' data = '{"username": "%{User-Name}", "password": "%{User-Password}"}' tls = ${..tls}}


# /etc/freeradius/3.0/mods-enabled/rest# this section can be left emptyauthenticate {}

post-auth {

uri = "${..connect_uri}/api/postauth/"

method = 'post'

body = 'json'

data = '{"username": "%{User-Name}", "password": "%{User-Password}",

"reply":"%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}",

"calling_station_id": "%{Calling-Station-ID}"}'

tls = ${..tls}

}


# /etc/freeradius/3.0/mods-enabled/restaccounting {

uri = "${..connect_uri}/api/accounting/"

method = 'post'

body = 'json'

data = '{"status_type": "%{Acct-Status-Type}", "session_id": "%{Acct-Session-Id}", "unique_id":

"%{Acct-Unique-Session-Id}", "username": "%{User-Name}", "realm": "%{Realm}", "nas_ip_address":

"%{NAS-IP-Address}", "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}",

"session_time": "%{Acct-Session-Time}", "authentication": "%{Acct-Authentic}", "input_octets":

"%{Acct-Input-Octets}", "output_octets": "%{Acct-Output-Octets}", "called_station_id":

"%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", "terminate_cause":

"%{Acct-Terminate-Cause}", "service_type": "%{Service-Type}", "framed_protocol":

"%{Framed-Protocol}", "framed_ip_address": "%{Framed-IP-Address}"}'

tls = ${..tls}

}

Abilitazione dei moduli configurati

● ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/sql

● ln -s /etc/freeradius/3.0/mods-available/rest/etc/freeradius/3.0/mods-enabled/rest

Restart freeradius to load the new configuration: service freeradius restart

# dobbiamo prima fermare il processo principale di freeradius

service freeradius stop

#lanciamo freeradius in modalità debug freeradius -X

Django-freeradius - Modelli

● RadiusGroup

● RadiusGroupUsers

● RadiusReply

● RadiusCheck

● RadiusAccounting

● Nas

● RadiusUserGroup

● RadiusGroupReply

● RadiusGroupCheck

● RadiusPostAuth

Modelli Astratti

#django_freeradius/base/models.pyfrom model_utils.fields import AutoCreatedField, AutoLastModifiedField

class TimeStampedEditableModel(models.Model): """ An abstract base class model that provides self-updating ``created`` and ``modified`` fields. """ created = AutoCreatedField(_('created'), editable=True) modified = AutoLastModifiedField(_('modified'), editable=True) class Meta: abstract = True

#django_freeradius/base/models.pyclass AbstractRadiusGroup(TimeStampedEditableModel):

id = models.UUIDField(primary_key=True, db_column='id')

group_name = models.CharField( verbose_name=_('groupname'),

max_length=255, unique=True,

db_column='groupname',

db_index=True)

priority = models.IntegerField(verbose_name=_('priority'), default=1)

creation_date = models.DateField(verbose_name=_('creation date'),

null=True, db_column='created_at')

modification_date = models.DateField(verbose_name=_('modification

date'),null=True,

db_column='updated_at')

notes = models.CharField(verbose_name=_('notes'), max_length=64,

blank=True, null=True)

class Meta:

db_table = 'radiusgroup'

verbose_name = _('radiusgroup')

verbose_name_plural = _('radiusgroups')

abstract = True

def __str__(self):

return self.group_name

Modelli Astratti

#django_freeradius/base/admin.py

from django.contrib.admin import ModelAdmin

class TimeStampedEditableAdmin(ModelAdmin): """ ModelAdmin for TimeStampedEditableModel """

def get_readonly_fields(self, request, obj=None): readonly_fields = super(TimeStampedEditableAdmin, self).get_readonly_fields(request, obj) return readonly_fields + ('created', 'modified')

class AbstractRadiusGroupAdmin(TimeStampedEditableAdmin): pass

Come creare un’app riutilizzabile

Installiamo swapper

pip install swapper

#django_freeradius/models.pyimport swapper

class RadiusGroup(AbstractRadiusGroup):

class Meta(AbstractRadiusGroup.Meta):

abstract = False

swappable = swapper.swappable_setting('django_freeradius',

'RadiusGroup')

Migrazioni

Utilizziamo Swapper negli script di migrazione:

● L’ordinamento delle dipendenze

● I riferimenti alle chiavi esterne

Esempio(sample_radius)

Aggiornamento di settings.py

RESTful API ( Autorizzazione, PostAuth, Accounting)

● Attivo il runserver della mia applicazione:○ cd django-freeradius

○ workon radius

○ cd tests/

○ ./manage.py runserver

● Attivo freeradius in modalità debug:○ freeradius -X

Django-freeradius - Autorizzazione



Access-Accept


Access-Reject

Django-freeradius - PostAuth





Django-freeradius - Accounting



● Creiamo un file in /tmp/accounting.txt

● Salviamo il file

● Apriamo il prompt dei comandi

● radclient -f /tmp/accounting.txt -x

127.0.0.1 acct testing123




Utilizzo di Django-freeradius

Django-freeradius potrà essere utilizzato dagli utenti per:

● auto-registrarsi● gestire il proprio account● consultare le statistiche

Le operazoni effettuate sull’interfaccia agiscono sulle tabelle di un DBMS relazionale, create e mantenute dal framework Django. Tali relazioni sono rese disponibili anche a un server RADIUS mediante opportune viste. Quest’ultimo servizio, interagendo con un Network Access Server (NAS) quale captive portal, implementerà l’autenticazione, l’autorizzazione e l’accounting (AAA) per il servizio WiFi.

,

Risorse utili

Organization Github Page: https://github.com/openwisp

Organization Website: http://openwisp.org/

Project Repository: https://github.com/openwisp/django-freeradius

Documentation: http://django-freeradius.readthedocs.io/en/latest/

https://github.com/openwisp

http://openwisp.org/

https://github.com/openwisp/django-freeradius

http://django-freeradius.readthedocs.io/en/latest/

Grazie!

Date post:	16-Aug-2019
Category:	Documents
Upload:	vothuy
View:	215 times
Download:	0 times

Django-freeradius - pycon.it · OpenWisp Openwisp è un insieme di moduli software che possono...

Documents