This is the FreeRADIUS configuration for the GovWiFi project.
Currently it is not possible to run this service from inside this repository alone.
We instead recommend using the acceptance-tests repo to set up a development environment for making changes to FreeRADIUS or the healthcheck service.
Makefile targets are:
make test
- Currently a no-op. Tests are located in the acceptance-tests repo.
make lint
- Runs linting on the healthcheck service, provided by govuk-lint.
This project has 2 main components: the RADIUS server and the healthcheck service.
This RADIUS server is restarted daily by a separate app, the Safe Restarter.
The healthcheck service acts as an adapter to a monitoring service (Route53 Healthchecks).
When hit with an HTTP call, it will send a request to the RADIUS server to ensure it can still authorise users.
To accomplish this, eapol_test is used to simulate authentication using PEAP-MSCHAPv2.
All code is located under the healthcheck directory.
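The check described above, as an added Ruby example that is not code from this repository: it builds the eapol_test configuration for PEAP-MSCHAPv2, runs eapol_test without a shell, and interprets the result. The function names, the `healthcheck` SSID and the 5-second timeout are assumptions, and Ruby is assumed because the service is linted with govuk-lint.

```ruby
require "open3"
require "tempfile"

# Added example; every name here is hypothetical, not the GovWifi healthcheck's API.

# Quote a value for the eapol_test (wpa_supplicant-style) config file.
# Conservative assumption: reject double quotes and control characters outright,
# so a crafted identity or password cannot close the string and add config lines.
def conf_value(value)
  raise ArgumentError, "unsafe character in config value" if value.match?(/["\x00-\x1f]/)
  %("#{value}")
end

# Network block that makes eapol_test authenticate with PEAP-MSCHAPv2.
# ca_cert is set so the test also verifies the RADIUS server's certificate;
# without it the TLS tunnel is built to whoever answers.
def peap_mschapv2_conf(identity:, password:, ca_cert:)
  <<~CONF
    network={
      ssid="healthcheck"
      key_mgmt=WPA-EAP
      eap=PEAP
      identity=#{conf_value(identity)}
      password=#{conf_value(password)}
      phase2="auth=MSCHAPV2"
      ca_cert=#{conf_value(ca_cert)}
    }
  CONF
end

# eapol_test prints SUCCESS or FAILURE as its last line and exits 0 only on
# success. Require both, so truncated or empty output never counts as healthy.
def radius_healthy?(output, exit_ok)
  exit_ok && output.lines.last.to_s.strip == "SUCCESS"
end

# Run one check against a RADIUS server. Tempfile.create makes the file with
# mode 0600 and removes it afterwards, since it holds a password.
def check_radius(server:, secret:, **credentials)
  Tempfile.create("eapol_test") do |conf|
    conf.write(peap_mschapv2_conf(**credentials))
    conf.flush
    # argv form: no shell is involved, so values are never parsed as shell syntax.
    output, status = Open3.capture2e(
      "eapol_test", "-c", conf.path, "-a", server, "-s", secret, "-t", "5"
    )
    radius_healthy?(output, status.success?)
  end
end
```

The shared secret passed with `-s` is visible in the process list while eapol_test runs, so the check belongs on a host where only the healthcheck's own account can inspect processes.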
FreeRADIUS is an implementation of the RADIUS protocol.
Our servers implement:
- EAP-TLS (client certificate authentication)
- PEAP-MSCHAPv2 (Protected EAP with username + password)
There are currently 5 files fetched when the service is initialised.
- clients.conf: Allows access points to communicate with the RADIUS servers. This is generated by the GovWifi Admin service.
- ca.pem, server.pem, server.key, comodo.pem: Used to set up TLS tunnels, and authenticate clients using EAP-TLS.
They are currently stored in an encrypted S3 bucket, and only the RADIUS servers are authorised to access files within the bucket.
Files are fetched once a night when the servers are restarted for updates.
When someone attempts to use GovWifi:
- The username and password are sent to the RADIUS server
- RADIUS receives them and sends a request to the authentication backend to fetch the known password
- The user password is checked against the known password
- The login attempt is logged in the logging backend
- The user is either accepted or rejected, depending on whether their password was accepted
- Fork the project
- Create a feature or fix branch
- Run the linter:
make lint
- Run the acceptance tests
- Raise a pull request