Skip to content
This repository has been archived by the owner on Apr 4, 2018. It is now read-only.

alphagov/user.wifi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Documentation for user.wifi code

This repo is now deprecated: it has been superseded by govwifi.

This is the documentation for the user.wifi backend infrastructure. If you’ve found this from a search online for user.wifi, and would like to use the service [read this] () If you’d like to implement user.wifi at a site where you offer guest wifi [read this] (https://governmenttechnology.blog.gov.uk/2016/06/17/wi-fi-security-and-government-wide-roaming-solutions/).

Note there are multiple copies of this repo, the one under AlistairHCowan in github is the master at the time of writing.

Table of contents

Elevator pitch - user.wifi

A secure guest wi-fi service for UK government buildings.

Backend architecture

Overview

User.wifi :

  • Onboarding process
  • new guest wi-fi users can sign up by SMS, user.wifi creating and issuing a unique and unchanging user + password and storing these in a database
  • has a similar process for sponsored sign up by email
  • accepts RADIUS requests from users attempting to join the user.wifi SSID in government buildings, and checks against the database
  • additionally checks if the site has a 'snowflake' rule requiring additional log in requirements to be met, and notifys the user of these requirements by SMS
  • Sites wishing to roll out user.wifi need to connect their APs or AP controllers to user.wifi Q: how? IPSEC tunnel? is this always the case? what does it terminate on? what automation exists

To accomplish the above we have the following components:

  • A database to store details of sites, users and passwords
  • An API (RESTful) tier that talks to the database, making changes as required
  • A RADIUS tier that APs use to connect to that talks to the API tier

Database

There are two databases, one for dev, which supports the user.wifi.dev SSID, and one for prod, which supports user.wifi.

API tier

This is a cluster of docker containers running apache + php. The bulk of this repository is the php and other data that builds and runs these docker containers.

RADIUS tier

This is a cluster of docker containers running a copy of freeradius, with an experimental API backend extension compiled in. These apply some basic ACLs to incoming requests, then handle reformating them as API calls and handing the to the API tier. There is also a healthcheck HTTP service running, which checks the health of freeradius and it’s connection to the API, and will return an error code if a fault is detected -- this is required for healthchecking.

Connectivity tier

Sadly, because Cisco suck, we use fixed IP addresses for connectivity to the RADIUS tier. These are elastic IPs, which should NEVER be returned to the AWS pool as this would require the field-reconfiguration of every government site using user.wifi.

Management and Development tier

Q: where does the kiosk docker instance fit into this?

[AWS account] (https://344618620317.signin.aws.amazon.com/console)

SSH dev/test/management host

ssh admin@52.50.52.124

If your source IP isn’t in the Security Group, you’ll be denied.

Commiting, building and releasing

Debugging and logging

To-do (features)

Following would be nice

  • Logs to cloudwatch
  • Alerts from cloudwatch
  • hotspot map of users joining user.wifi

To-do (build and management)

Following items need doing

  • automate dev box backups
  • install Jenkins on dev box
  • make the dev box rebuildable with code on demand
  • sort out the multiple repos and move everything to one place
  • more documentation
  • docker configuration to be moved to version control, perhaps with more use of environment variables with secrets elsewhere?
  • port the whole thing to GCE
  • replace systemd with init and friends

Processes

To be documented:

  • Site onboarding
  • Site decommissioning
  • Site IP address change
  • User phone number change
  • User password reset

Further documentation

Links to documentation for departments and end users

Output of pentest

Available on request from Alistair Cowan [mailto:alistair.cowan@digital.cabinet-office.gov.uk]

Braindump

docker-wifi-backend, docker-radius-rest, docker-wifi-kiosk dev box actually runs dev prod runs under terraform , dev runs under dev box rds for dev seperate for prod config in containers, not to be made public enrolment.cfg, along with apache in /etc all messages in /messages it will retry sms providers as required radius west will self destruct nightly and rebuild it’s grabs a file from wifi-backend with wget ... destroy all in the event of a new site

About

No description, website, or topics provided.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages