RADIUSdesk



APdesk - A Practical Example

  • You have been tasked to supply the various locations of the Bean There coffee shops with:
    • A Hotspot service for the clients.
    • Secure WiFi connection for the staff.
  • They have 30 locations spread across the major cities of the country.
  • You got the last batch of TP-Link WR841 (version 9) routers from a shop at a very low price and flashed them all with the MESHdesk firmware.

Some info about our server

  • We assume the following information:

Item | Detail
Server IP Address | 198.27.111.78
Server FQDN | rd01.wificity.asia
RADIUS Shared Secret | testing123
SSID for Guests | BeanThere
SSID for Staff | BeanThere Staff
WPA2 Passphrase for staff | stayoutbuddy

With this information at hand we can now set up Bean There using APdesk.


Steps involved

  • We will take the following steps to accomplish our goal:
    1. Create an Access Point Profile.
    2. Edit the new Access Point Profile.
    3. Flash, set and point devices to our server.
    4. Attach devices to the Access Point Profile.
    5. Manage the attached devices.

Create an Access Point Profile

  • Log into RADIUSdesk. Select APdesk from the menu to open the APdesk applet.
  • Click on the Add button and specify the Access Point Profile name.

  • Select the newly created Access Point Profile and click on the Edit button to set up the profile.
  • This will open a new tab where you can define the characteristics of the profile.

Edit Access Point Profile

When we open an Access Point Profile for editing, there are several sub-tabs where we define how the profile will behave.

  • SSIDs: The various SSIDs that the Access Points associated with this profile will broadcast.
    • The maximum is 8 per radio. Thus on dual radio Access Points we can potentially broadcast up to 16 SSIDs!
  • Exit Points: Here we specify how the SSIDs will be connected to the rest of the network. Options include:
    • LAN Bridge
    • Tagged LAN bridge
    • NAT with DHCP
    • Captive Portal
  • Common Settings: Things like time and country and how often reports from Access Points should be submitted.
  • Devices: Lists the devices associated with this profile.

Add the SSIDs

With this overview behind us we can start with our requirements. We will add the two SSIDs.

  • We choose both the 2.4 GHz and 5 GHz frequency bands for each of the SSIDs even though we only have single radio hardware. In future we might want to use dual radio hardware, and then everything is already in place.
  • For the guest / visitors (open) SSID we enable Client isolation to prevent machine to machine communication.
  • On the (secured) SSID for the staff we do not enable Client isolation in case we need machine to machine communication.
  • You will notice that both have Connected to Exit marked in red as No. This is because we have not yet defined any exit points. This will be done next.

Add the Exit points

  • There is only one Ethernet bridge available. Once it is selected and used up it will not be listed as an option any more.
  • The Captive Portal type Exit Point has some values pre-populated that are specific to your server.
  • This is set in a configuration file and needs to reflect your installation for maximum efficiency. (On Nginx based installs it sits under /usr/share/nginx/html/cake2/rd_cake/Config/ApProfiles.php)
  • We assume that you have already created a Realm called Bean There as well as a Dynamic Login Page called Bean There.
  • These will be used here.
  • We choose to Auto-Add Dynamic RADIUS Client and Auto-Add Login Page. This is recommended since it reduces the administration when adding devices.
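
A pre-deployment check of the choices made in the SSID and Exit Point steps above, added here as an example; it is not RADIUSdesk code. The profile dictionary and its key names are a hypothetical schema, one radio per band is assumed, and the staff SSID is assumed to use the Ethernet bridge.

```python
MAX_SSIDS_PER_RADIO = 8           # limit stated on this page
SAMPLE_SECRETS = {"testing123"}   # FreeRADIUS' stock sample secret, also used on this page

def lint_profile(p):
    """Return findings for an AP profile dict (hypothetical schema, not RADIUSdesk's)."""
    out = []
    for band in ("2.4", "5"):      # assumption: one radio per band
        n = sum(band in s["bands"] for s in p["ssids"])
        if n > MAX_SSIDS_PER_RADIO:
            out.append(f"{band} GHz: {n} SSIDs exceeds {MAX_SSIDS_PER_RADIO} per radio")
    bridges = [e for e in p["exits"] if e["type"] == "lan_bridge"]
    if len(bridges) > 1:           # the page: only one Ethernet bridge is available
        out.append("more than one Ethernet (LAN) bridge exit point")
    for s in p["ssids"]:
        name = s["name"]
        exits = [e for e in p["exits"] if name in e["ssids"]]
        if not exits:              # shown in the GUI as a red "No"
            out.append(f"{name}: Connected to Exit = No")
        if s["encryption"] == "none":
            if not s["isolate"]:
                out.append(f"{name}: open SSID without client isolation")
            if any(e["type"] != "captive_portal" for e in exits):
                out.append(f"{name}: open SSID reaches the network without a captive portal")
        elif s["encryption"] == "wpa2_psk" and not 8 <= len(s["key"]) <= 63:
            out.append(f"{name}: WPA2 passphrase must be 8-63 characters")
    if p["radius_secret"] in SAMPLE_SECRETS:
        out.append("RADIUS shared secret is a published sample value")
    return out

# Constructed sample: the Bean There profile as this page builds it.
# Assumption: the staff SSID is attached to the Ethernet bridge.
BEAN_THERE = {
    "radius_secret": "testing123",
    "ssids": [
        {"name": "BeanThere", "bands": ["2.4", "5"], "encryption": "none", "isolate": True},
        {"name": "BeanThere Staff", "bands": ["2.4", "5"], "encryption": "wpa2_psk",
         "key": "stayoutbuddy", "isolate": False},
    ],
    "exits": [
        {"type": "captive_portal", "ssids": ["BeanThere"]},
        {"type": "lan_bridge", "ssids": ["BeanThere Staff"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_profile(BEAN_THERE):
        print("FINDING:", finding)
```

Run against the values on this page, the only finding is the shared secret, which should be replaced with a long random value before the 30 sites go live.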

What If I don't select Auto-Add?

  • If you choose not to select the Auto-add function, you will have to add a Dynamic RADIUS client for each captive portal running on a device when you associate a device with an Access Point Profile.
  • You will also have to link each captive portal running on a device with a Dynamic Login Page.

The Nas-Id (a unique identifier per Captive Portal exit point) is generated using the following convention. <AP Profile Name with underscores>