How to install and use
Currently it is not possible to run this service from inside this repository alone.
We instead recommend using the acceptance-tests repo to set up a development environment for making changes to FreeRADIUS or the healthcheck service.
Makefile targets are:
make test- Currently a no-op. Tests are located in the acceptance-tests repo
make lint- Runs linting on the healtcheck service, provided by
How it pieces together
This project has 2 main components; the RADIUS server, and the healthcheck service.
This RADIUS server is restarted daily by a separate app, the Safe Restarter.
The healthcheck service acts as an adapter to a monitoring service (Route53 Healthchecks).
When hit with a HTTP call, it will send a request to the radius server to ensure it can still
To accomplish this,
eapol_test is used to simulate authentication using
All code is located under the
FreeRadius is an implementation of the RADIUS protocol.
Our servers implement:
- EAP-TLS (client certificate authentication)
- PEAP-MSCHAPv2 (Protected EAP with username + password)
There are currently 5 files fetched when the service is initialised.
- clients.conf Allows access points to communicate with the radius servers. This is generated by the GovWifi Admin service.
- ca.pem, server.pem, server.key, comodo.pem Used to set up TLS tunnels, and authenticate clients using EAP-TLS
They are currently stored in an encrypted S3 bucket, and only the RADIUS servers are authorised to access files within the bucket.
Files are fetched once a night when the servers are restarted for updates.
High Level Process
When someone attempts to use GovWifi:
- The username and password is sent to the radius server
- Radius recieves, and sends a request to the authentication backend to fetch the known password
- The user password is checked against the known password
- the login attempt is logged in the logging backend
- either the user is accepted, or rejected depending on whether their password accepted.
How to contribute
- Fork the project
- Create a feature or fix branch
- Run the linter:
- Run the acceptance tests
- Raise a pull request