I'm trying to set up freeradius authorization for my captive portal. I use openwrt-22.03 + coova-chilli as the Wi-Fi router, and freeradius 3 + postgresql.
```
radius=# \dt
List of relations
Schema | Name | Type | Owner
--------+---------------+-------+----------
public | macs | table | postgres
public | nas | table | postgres
public | nasreload | table | postgres
public | radacct | table | postgres
public | radcheck | table | postgres
public | radgroupcheck | table | postgres
public | radgroupreply | table | postgres
public | radpostauth | table | postgres
public | radreply | table | postgres
public | radusergroup | table | postgres
(10 rows)
radius=# select * from radcheck;
id | username | attribute | op | value
-----+-------------------------+--------------------+----+-----------
326 | admin | Cleartext-Password | := | admin
327 | magicbook | Cleartext-Password | := | 33467784
radius=# select * from radusergroup;
id | username | groupname | priority
----+-----------+-----------+----------
8 | admin | admin | 0
9 | magicbook | user | 0
(2 rows)
radius=# select * from radgroupreply;
id | groupname | attribute | op | value
----+-----------+--------------+----+---------------------
1 | user | Service-Type | := | Framed-User
2 | admin | Service-Type | := | Administrative-User
radius=# select * from macs;
id | username | callingstationid
----+-----------+-------------------
25 | admin | 8C-7A-3D-90-07-08
27 | magicbook | 7C-C2-C6-1F-49-EE
(2 rows)
```
I created the captive portal myself in JavaScript - https://github.com/Pavewleln/captive_portal. The website is built with HTML/CSS/JS, and I also have my own server on Node.js + Express.js, which processes everything that comes from the site and sends it to freeradius and vice versa.
Don’t ask why these technologies, I didn’t choose them, it’s necessary.
I seem to have the simplest authorization configured, just by username + password. I also have additional authorization configured by MAC address, but it is currently disabled. I set it up using this source - https://gist.github.com/nasirhafeez/6669b24aab0bda545f60f9da5ed14f25#user-mac-binding
I want to configure authorization for a regular user and an admin user. As I understand it, you need to use groups, or simply add another attribute to radcheck that can be used to check. But when I put something in radusergroup, the username that the group is associated with can no longer log in.
```
RADIUS request: {
[1] code: 'Access-Request',
[1] secret: 'testing123',
[1] attributes: [
[1] [ 'User-Name', 'magicbook' ],
[1] [ 'User-Password', '33467784' ],
[1] [ 'Calling-Station-Id', '8C-7A-3D-90-07-08' ]
[1] ]
[1] }
[1] RADIUS response: {
[1] code: 'Access-Reject',
[1] identifier: 137,
[1] length: 36,
[1] authenticator: <Buffer d2 5d 8c e9 a5 39 77 f8 a2 1b b1 10 2d 2b 56 8d>,
[1] attributes: { 'Reply-Message': 'Wrong Password' },
[1] raw_attributes: [ [ 18, <Buffer 57 72 6f 6e 67 20 50 61 73 73 77 6f 72 64> ] ]
[1] }
```
This is an example of what I receive from the site, and what freeradius responds to me. (The code can be viewed here https://github.com/Pavewleln/captive_portal (server/controllers/user.controller.ts)).
I understand that most likely I’m not setting up groups correctly in freeradius, but I don’t understand how to set them up then. How can I implement an admin and a regular user?
How can I fix this and properly configure authorization, including admin and user authorization? If there are other customization options, then I'm willing to give up this one. I would be incredibly grateful if someone could post an example of a similar captive portal, also based on nodejs.