As a sysadmin, I’m all too familiar with major projects which require large pots of money, months to plan and get everyone moaning about how the new system runs slower than the old one. They tend to drag on as everyone and their mother wants to have input on how they think things should work, the project spec is normally re-written, tweaked and amended multiple times as users think of other things they want, and generally I am sick of the sight of the project by the time it concludes.
It makes for a welcome change when a fun little project pops its head up. Normally, these projects do nothing more than solve a niggly problem that most people may not have even noticed. They may only take a couple of days, and generally don’t cost the company any thing more than my time. This weeks pet project involved Linux with PHP, MySQL, Freeradius and some Ntop for good measure.
The basic problem was how to improve the administration of the companies wireless access points. We currently have a handful of access points (AP’s) which use Mac Authentication and WPA2 encryption, with each AP maintaining its own local list of Mac addresses (yes, I know Mac authentication is far from perfect, but it’s another layer in the defence against “The Bad Guys”). This means that whenever a new Mac address must be entered, it needs to be done on each of the AP’s. This requires each AP to be rebooted, which interrupts service for existing wireless users. In addition, the AP has no option to assign a description to each Mac address, nor does it allow for expiry of Mac addresses (which, when you often have temporary visitors using your wireless for short periods, is a nice thing to have). Unfortunately, the wireless network is not a priority for us, so we can’t purchase expensive management software, nor can we purchase “better” AP’s.
We already have an existing Linux system providing services on the wireless, so this week, I installed Freeradius and configured all of the AP’s to look to this for Mac authentication. This is great, because it means that any new Mac address only has to be entered in one location for it to be seen by all AP’s, and the AP’s don’t need a reboot each time.
Unfortunately, I am the only person in our department who is really comfortable with the Linux command line, and since Freeradius doesn’t really have a decent, simple GUI front end, I decided to write my own PHP front end to the radius system. I also did a spot of Ntop manipulation to provide administrators with the date that any given Mac address was last seen on the network to make it easier to purge old addresses. The benefits of this system include:
- Single web based front-end for all AP’s
- Allows for easy identification of Mac addresses
- Allows for automatic expiry of Mac addresses
- Allows administrators to see at a glance when a Mac address was last seen on the network.
The system uses Apache’s security mechanisms to prevent unauthorized users from accessing the web pages. As you can see from the screen shot below (click for a larger pic), the result is relatively simple, but should make our jobs much easier when managing wireless users. Note: the screen shot is from the development copy so I don’t accidentally disclose user names etc, hence the lack of valid information. Trust me, it does work in production!
I realise that I am barely scratching the surface of what Freeradius is capable of, but I feel this is a good starting point to both learn the product and to make some of our other system admins aware of the potential of open source software. And now I’m off to get a strong coffee and sit down to write a proposal for upgrading our Exchange site.