RADIUSdesk


APdesk - A Practical Example

  • You have been tasked to supply the various locations of the Bean There coffee shops with:
    • A Hotspot service for the clients.
    • Secure WiFi connection for the staff.
  • They have 30 locations spread across the major cities of the country.
  • You've got the last batch of the TP-Link WR841 (version 9) from a shop at a super cheap price and flashed them all with the MESHdesk firmware.

Some info about our server

  • We assume the following information:

Item | Detail
Server IP Address | 198.27.111.78
Server FQDN | rd01.wificity.asia
RADIUS Shared Secret | testing123
SSID for Guests | Bean There
SSID for Staff | Bean There Staff
WPA2 Passphrase for staff | stayoutbuddy

With this information handy we can now start setting up Bean There using APdesk.


Steps involved

We will take the following steps to accomplish our goal

  • Create an Access Point Profile.
  • Edit the new Access Point Profile.
  • Flash, set and point devices to our server.
  • Attach devices to the Access Point Profile.
  • Manage the attached devices.

Create an Access Point Profile

  • Log into RADIUSdesk. Select APdesk from the menu to open the APdesk applet.
  • Click on the Add button and specify the Access Point Profile name.

  • Select the newly created Access Point Profile and click on the Edit button to set up the profile.
  • This will open a new tab where you can define the characteristics of the profile.

Edit Access Point Profile

When we open an Access Point Profile for editing, there are several sub-tabs where we define how the profile will behave.

  • SSIDs: The various SSIDs that the Access Points attached to this profile will broadcast.
    • The maximum is 8 per radio. Thus on dual radio Access Points we can potentially broadcast up to 16 SSIDs!
  • Exit Points: Here we specify how the SSIDs will be connected to the rest of the network. Options include:
    • LAN Bridge
    • Tagged LAN bridge
    • NAT with DHCP
    • Captive Portal
  • Common Settings: Things like time and country, and how often reports from Access Points should be submitted.
  • Devices: Lists the devices associated with this profile.

Add the SSIDs

With this overview behind us we can start with our requirements. We will add the two SSIDs.

  • We choose both the 2.4 GHz and 5 GHz frequency bands for each of the SSIDs, though we only have single radio hardware. In future we might want to use dual radio hardware, and then everything is already in place.
  • For the guest / visitors (open) SSID we enable Client isolation to prevent machine to machine communication.
  • On the (secured) SSID for the staff we do not enable Client isolation in case we need machine to machine communication.
  • You will notice both have Connected to Exit marked in red as No. This is because we have not defined any exit points yet. This will be done next.

Add the Exit points

  • There is only one Ethernet bridge available. Once it is selected and used up it will not be listed as an option any more.
  • The Captive Portal type Exit Point has some values pre-populated specific to your server.
  • This is set in a configuration file and needs to reflect your installation for maximum efficiency. (On Nginx based installs it sits under /usr/share/nginx/html/cake2/rd_cake/Config/ApProfiles.php)
  • We assume that you created a Realm called Bean There as well as a Dynamic Login Page called Bean There initially.
  • These will be used here.
  • We choose to Auto-Add Dynamic RADIUS Client and Auto-Add Login Page. This is recommended since it reduces the administration when adding devices.

What If I don't select Auto-Add?

  • If you choose not to select the Auto-Add function, you will have to add a Dynamic RADIUS Client for each captive portal running on a device when you attach the device to an Access Point Profile.
  • You will also have to link each captive portal running on a device with a Dynamic Login Page.

The NAS-Id (a unique Identifier per Captive Portal exit point) is generated using the following convention.

  • Bean_There_ZA-Sandton-1_cp_27
    • The first bit is the Access Point Profile name underscored. (Bean_There)
    • The second bit is the Device name (ZA-Sandton-1)
    • The last bit is cp for Captive Portal.
    • Finally a number. This number is the Exit Point ID in the database.
    • Remember we can potentially run up to 16 Captive Portals on a single device! That's why we stick to numbers here.
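
The naming convention above, as an added example (not RADIUSdesk's own code): it builds a NAS-Id and splits one back into its parts so that values seen on the RADIUS side can be compared with the device inventory. The function names are hypothetical, and it assumes that "underscored" means spaces in the profile name become underscores, as in Bean_There.

```python
import re

_TAIL = re.compile(r"^(?P<head>.+)_cp_(?P<exit_id>\d+)$")

def build_nas_id(profile_name, device_name, exit_point_id):
    """Compose a NAS-Id: <profile underscored>_<device>_cp_<exit point id>."""
    # Assumption: "underscored" means spaces become underscores.
    return f"{profile_name.replace(' ', '_')}_{device_name}_cp_{exit_point_id}"

def parse_nas_id(nas_id, known_profiles):
    """Return (profile, device, exit_point_id), or None if it does not fit.

    Profile and device names may both contain underscores, so the profile
    is resolved against the profiles that exist; the longest prefix wins.
    """
    m = _TAIL.match(nas_id)
    if not m:
        return None
    head = m.group("head")
    for profile in sorted(known_profiles, key=len, reverse=True):
        prefix = profile.replace(" ", "_") + "_"
        if head.startswith(prefix) and len(head) > len(prefix):
            return profile, head[len(prefix):], int(m.group("exit_id"))
    return None

def unexpected_nas_ids(seen, known_profiles, known_devices):
    """List NAS-Ids whose profile or device is not in the inventory."""
    flagged = []
    for nas_id in seen:
        parsed = parse_nas_id(nas_id, known_profiles)
        if parsed is None or parsed[1] not in known_devices:
            flagged.append(nas_id)
    return flagged

# Constructed sample: the first value is the page's example, the rest are made up.
SAMPLE_SEEN = [
    "Bean_There_ZA-Sandton-1_cp_27",
    "Bean_There_ZA-Unknown-9_cp_31",
    "Bean_There_ZA-Sandton-1",
]

if __name__ == "__main__":
    print(unexpected_nas_ids(SAMPLE_SEEN, ["Bean There"], {"ZA-Sandton-1"}))
```
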

Common Settings and Devices

  • The items in the common settings tab should be easy to understand. The Timezone affects the system time on the device, so make sure it reflects the location where you are situated.
  • The Devices tab should be empty since we have not associated any devices with this profile.
  • Next we will set up one of our devices to be associated with this newly created Access Point Profile.

Flash, set and point devices to our server

  • We assume that you have:
    • A Windows machine running the MESHdesk Node Config Utility.
    • Set the Ethernet port to have IP Address 192.168.255.20.
    • Flashed a TP-Link WR841ND with the latest MESHdesk firmware.
    • See the following screenshot of the MESHdesk Node Config Utility.
    • Note that the mode is set to Access Point.

For the technically minded wanting to know how things work:

config settings 'settings'
	option lan_up_file '/tmp/lan_up'
	option lan_down_file '/tmp/lan_down'
	option wifi_up_file '/tmp/wifi_up'
	option wifi_down_file '/tmp/wifi_down'
	option wifi_timeout '100'
	option config_file '/etc/MESHdesk/configs/current.json'
	option previous_config_file '/etc/MESHdesk/configs/previous.json'
	option heartbeat_interval '60'
	option config_server '192.168.255.20'
	option config_port '3000'
	option shared_secret 'verysecure'
	option heartbeat_dead_after '300'
	option gw_use_previous '1'
	option gw_auto_reboot '1'
	option first_run '1'
	option hardware 'dragino'
	option gw_dhcp_timeout '120'
	option gw_auto_reboot_time '600'
	option mode 'mesh'
  • After we set our device to run in Access Point mode we can plug it into our network and see if it contacts our server.
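
A bench check for the settings section shown above, as an added example (not part of MESHdesk or its Node Config Utility): it parses the section and reports options that still point at the provisioning machine, carry a different mode than intended, or hold a secret that is printed in this tutorial. The function names are hypothetical, and the mode value 'ap' passed in the usage line is an assumed name for Access Point mode; the server address is the one from the table at the top of this page.

```python
import re

# Constructed sample: the settings section from this page, trimmed to the
# options that are checked.
SAMPLE_UCI = """\
config settings 'settings'
    option config_server '192.168.255.20'
    option config_port '3000'
    option shared_secret 'verysecure'
    option mode 'mesh'
"""

# Secrets that appear in this tutorial and are therefore public.
PUBLISHED_SECRETS = {"verysecure", "testing123", "stayoutbuddy"}

_OPTION = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")

def parse_settings(text):
    """Return the option/value pairs of the first 'config settings' section."""
    options, inside = {}, False
    for line in text.splitlines():
        if line.startswith("config "):
            if inside:
                break  # the next section starts here
            inside = line.split()[1] == "settings"
            continue
        m = _OPTION.match(line)
        if inside and m:
            options[m.group(1)] = m.group(2)
    return options

def audit(options, expected_server, expected_mode):
    """Return (option, reason) pairs for values that need review."""
    findings = []
    if options.get("config_server") != expected_server:
        findings.append(("config_server", "does not point at the production server"))
    if options.get("mode") != expected_mode:
        findings.append(("mode", "differs from the intended mode"))
    if options.get("shared_secret") in PUBLISHED_SECRETS:
        findings.append(("shared_secret", "value is printed in public documentation"))
    return findings

if __name__ == "__main__":
    # 'ap' is an assumed mode name, not taken from the page.
    for option, reason in audit(parse_settings(SAMPLE_UCI), "198.27.111.78", "ap"):
        print(f"{option}: {reason}")
```
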

Attach devices to the Access Point Profile

  • Our device started up fine and it reported to the server under Detached Devices

  • Select the device and attach it to our newly created Access Point Profile. Remember to give it a descriptive name.
  • You can also fine tune the radio or radios, based on the Hardware Model you select. You might want to make sure these devices are assigned non-overlapping channels where they are deployed close to each other.

  • This will move the device from the Detached Devices list to the Attached Devices list.
  • Wait approximately 5 minutes for the device to auto-reboot and fetch its settings.

View Attached Devices

  • APdesk offers various levels of viewing information on attached devices.
  • The first level gives a basic overview.

  • Should you wish to gain more insight simply select the device and click the View button to open a dedicated tab with more stats.
    • The Overview gives a detailed overview of the device including graphs of the clients connected and data used per SSID.

  • The SSID to Device tab gives more detail on the clients connected in terms of data usage and connectivity.