
node-radius-server's Introduction

Easily extensible NodeJS RADIUS server

  • supports different authentication backends
    • LDAP (e.g. for Google LDAP Service, but also any other LDAP service)
    • HTTP
    • IMAP
    • SMTP
    • Predefined / Static username and password
  • supports WPA2 Enterprise
    • TTLS
    • PAP / GTC

Protect your WIFI access with a username and password by a credential provider you already use!

Authentication tested with Windows, Linux, Android and Apple devices.

Introduction

This app provides a RADIUS server that authenticates against an authentication service. To get this running you need:

  1. A running auth service (e.g. LDAP Service / Google Suite Enterprise / Cloud Identity Premium)
  2. Optional: Create your own SSL certificate (e.g. self-signed via npm run create-certificate)
  3. Check config.js and adapt it to your needs:

var config = {
	// ....
	authentication: 'GoogleLDAPAuth',
	authenticationOptions: {
		base: 'dc=hokify,dc=com'
	}
};

    • set radius secret
  4. Install and build the server: npm install && npm run build
  5. Start the server: npm run start

Quick start for using it with Google LDAP

  1. Install node js >= 13.10.1
    • the easiest way is to install a node js version from nodejs.org or run "npx n latest" to install the latest version.
  2. Check out the config options. For Google LDAP, download your certificates from http://admin.google.com/ -> Apps -> LDAP -> Client and name the files "ldap.gsuite.key" and "ldap.gsuite.crt" accordingly (ensure you have activated your newly created LDAP client in Google Admin).
  3. Switch to this directory and run "npx radius-server -s YourRadiusSecret"
  4. Log into your WLAN controller and configure its RADIUS server setting to point at your newly running RADIUS server
  5. On your clients, just connect to the WLAN. The clients should figure out the correct method on their own; if they don't, use: WPA2-Enterprise -> EAP-TTLS -> PAP / CHAP
  6. Log in with your Google credentials (email + password, ... e.g. [email protected])

Configuration

For authentication see Authentication Details. For general config options run with --help or see config.js in root.

Installation

npm install
npm run build

Usage

Ensure you have installed the latest node version (>= 13.10.1) and run:

npm run start

Use as module

npm install radius-server

This allows this module to be used in other node projects:

  import { RadiusServer } from 'radius-server';

  const radiusServer = new RadiusServer({
      logger: this.logger,
      secret: this.secret,
      port: this.port,
      address: this.hostname,
      tlsOptions: this.tlsOptions,
      authentication: this
  });
  await radiusServer.start();
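
The `authentication: this` option above implies that the calling object acts as the authentication backend. As an added example (not code from this project), here is one such backend that checks the password delivered through the TTLS/PAP tunnel against salted scrypt hashes instead of stored cleartext. The `authenticate(username, password)` method resolving to a boolean is an assumed interface; `HashedUserAuth`, `hashPassword`, `demo` and the sample users are hypothetical.

```javascript
// Added example: hypothetical custom backend, not part of radius-server.
const crypto = require('crypto');
const { promisify } = require('util');
const scrypt = promisify(crypto.scrypt);

const KEY_LEN = 32;

// Build a stored record: random per-user salt plus the scrypt-derived key.
async function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = await scrypt(password, salt, KEY_LEN);
  return { salt, key };
}

class HashedUserAuth {
  // users: Map<username, { salt: Buffer, key: Buffer }>, e.g. loaded from a database
  constructor(users) {
    this.users = users;
    // Dummy record so unknown usernames cost the same scrypt work as known ones.
    this.dummy = { salt: crypto.randomBytes(16), key: crypto.randomBytes(KEY_LEN) };
  }

  // Assumed backend interface: resolve true to accept, false to reject.
  async authenticate(username, password) {
    const known = this.users.has(username);
    const record = known ? this.users.get(username) : this.dummy;
    const candidate = await scrypt(String(password), record.salt, KEY_LEN);
    // Constant-time comparison; both buffers are KEY_LEN bytes long.
    const match = crypto.timingSafeEqual(candidate, record.key);
    return known && match;
  }
}

// Constructed sample data, for demonstration only.
async function demo() {
  const users = new Map([['alice@example.com', await hashPassword('correct horse')]]);
  const auth = new HashedUserAuth(users);
  return {
    good: await auth.authenticate('alice@example.com', 'correct horse'),
    wrongPassword: await auth.authenticate('alice@example.com', 'guess'),
    unknownUser: await auth.authenticate('mallory@example.com', 'correct horse'),
  };
}
```

Because the inner method is PAP, the backend receives the cleartext password and can verify it against any one-way hash; a CHAP-style inner method would not allow this.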

Known Issues / Disclaimer

Support for this has landed in node 13.10.1, therefore ensure you have installed at least this node version.

  • The inner tunnel does not act differently, even though the spec says that EAP messages are not allowed to be fragmented. This is not a problem right now, as the messages of the inner tunnel are small enough, but it could become a bug in the future. Ways to approach this: refactor so that the inner tunnel can set the max fragment size, or rebuild the EAP fragments in TTLS after the inner tunnel response.
  • VLAN support is not fully configurable right now

CONTRIBUTIONS WELCOME! If you are willing to help, just open a PR or contact me via bug system or [email protected].

Motivation

Why not Freeradius?

There are several reasons why I started implementing this radius server in node js. We are using freeradius right now, but have several issues which are hard to tackle because freeradius is complex software and supports many use cases. It is also written in C++ and uses threads behind the scenes. Therefore it's not easy to extend or modify it, or even to bring new features in. The idea of this project is to make a super simple node radius server, which is async by default. No complex thread handling, no other fancy things. The basic goal is to make WPA2 authentication easy again.

802.1x protocol in node

Another motivation is that it is very exciting to see how wireless protocols have evolved, and to see how an implementation like TTLS works.

Few alternatives (only non-free ones like Jumpcloud...)

Furthermore there are few alternatives out there, e.g. jumpcloud is non-free and I couldn't find many others.

Vision

As soon as I understood the TTLS PAP tunnel approach, I had this vision of making WLAN authentication easy for everyone. Why limit it to something "complex" like LDAP and co.? This library aims to make it easy for everyone to implement their own authentication mechanism (e.g. against a database), and also provides some mechanisms out of the box (e.g. imap, static, ldap, ...).

node-radius-server's People

Contributors

123flo321, akifrabbani, dependabot-preview[bot], dependabot[bot], glmdev, simllll


node-radius-server's Issues

Google LDAP - Multiple Base DN

Hi Guys,

Our Google Workspace instance has 10+ domains, which makes user search tricky, as it requires multiple Base DN entries to find the users. I couldn't find a way to add more than one Base DN so far. Any advice would be appreciated.

Thanks!

EAP-PEAP

Does this project have EAP-PEAP support?

Please declare license

Hi, I want to use this server implementation in production, but I need to make sure what license this project is released under.

Could you pick one and declare the license?

Thanks.

certificate routines:X509_check_private_key:key values mismatch

Hello

After running ./ssl/create.sh I have an error

`_tls_common.js:145
c.context.setKey(pem, val.passphrase || passphrase);
^

Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
at Object.createSecureContext (_tls_common.js:145:19)
at Object.<anonymous> (/home/ruslan/Документы/node-radius-server/dist/tls/crypt.js:19:29)
at Module._compile (internal/modules/cjs/loader.js:1063:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
at Module.load (internal/modules/cjs/loader.js:928:32)
at Function.Module._load (internal/modules/cjs/loader.js:769:14)
at Module.require (internal/modules/cjs/loader.js:952:19)
at require (internal/modules/cjs/helpers.js:88:18)
at Object.<anonymous> (/home/ruslan/Документы/node-radius-server/dist/radius/handler/eap/eapMethods/EAP-TTLS.js:9:17)
at Module._compile (internal/modules/cjs/loader.js:1063:30) {
library: 'x509 certificate routines',
function: 'X509_check_private_key',
reason: 'key values mismatch',
code: 'ERR_OSSL_X509_KEY_VALUES_MISMATCH'
}`

Signed SSL Certificate

Hi! I am trying to find a way to have a signed SSL certificate. It shows as not trusted on devices unless it is manually signed.
Is there a way to make my SSL certificate trusted?
Thanks!

Having trouble with Windows & Android

I am super excited to find this package as I am like a lost boy trying to read through the Free Radius docs.

I am trying to put together a POC using the StaticAuth which, if I can get it working, I will replace with our custom oAuth solution. However, I am hitting a wall on Windows & Android. iOS and OSX connected without issues. From what I gather, Android seems to want me to install the CA pem; however, even after that I can't get the credentials to validate. I don't have a Windows machine on me, but I am pretty sure it's a similar problem to the one my co-worker was having when we were testing.

I am hoping there is just something simple I am missing and if you have anything you can share to unblock me I will be really grateful!

Thanks for sharing this package regardless, it has helped me wrap my head around Radius servers very quickly.

SSL Wrong version number

Hi there,

First, thank you for your great work.

I tried out your lib in my auth-server project, but face a problem while using it on WPA2-enterprise.
The following error occurs: 140529911364936:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332
Note: this is when I build in docker, using the node:10-alpine image

When running locally on my mac I get the following error: 4520836544:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_srvr.c:643

I'm not really into SSL, so maybe you can clarify some things? (Debugging didn't help me, I got stuck at crypt.ts)

Can't open google key and certificate file

Hi Guys,

Configured according to the md files, but got these errors:

[app] Listener Port: 1812
[app] RADIUS Secret: CLEA$999
[app] Auth GoogleLDAPAuth
[app] cannot load auth mechanisms GoogleLDAPAuth
node:fs:585
handleErrorFromBinding(ctx);
^

Error: ENOENT: no such file or directory, open 'Google_2025_10_10_50052.key'
at Object.openSync (node:fs:585:3)
at Module.readFileSync (node:fs:453:35)
at new GoogleLDAPAuth (file:///Users/frankyan/Desktop/node-radius-server/dist/auth/GoogleLDAPAuth.js:10:21)
at file:///Users/frankyan/Desktop/node-radius-server/dist/app.js:50:16 {
errno: -2,
syscall: 'open',
code: 'ENOENT',
path: 'Google_2025_10_10_50052.key'

I put the files in ssl/cert.

Any hints?

Many thanks,

tls 1.3 support

Right now TLS 1.3 support is not working.
To work around any issues (especially Windows 11, update 22H2),
you can disable TLS 1.3 for now by setting this inside config.js:

certificate: {
	// ...other configs...
	secureProtocol: 'TLSv1_2_method'
}

For implementation details see https://datatracker.ietf.org/doc/rfc9190/, especially point 2.3. Key Hierarchy

invalid username, not found in DN

Hi, I have a problem with authenticating against the Google LDAP.

I have followed the steps in setting up a client for LDAP but I couldn't get myself authenticated with the app. I have tried every setting in my Google Admin Console but it still won't authenticate me.

My Google Admin Console LDAP setup like this

Verify user credentials
Selected organizational units, groups and excluded groups (For my specified OU)

Read user information
Selected organizational units, groups and excluded groups (For my specified OU)

System Attributes - Checked
Read group information - Checked

And the status are ON

I have uploaded and renamed the certificates and key in the root level directory of the config file.

I'm so sorry for being a complete noob, I am just not sure how I should move forward with this.
Any help is appreciated. Thanks!

Trouble connecting with WiFi

Hi,

I am trying out this radius-server, but every time I try to connect with my wifi connected to this radius I get this error:
[UDPServer] no confirmation of last message from 192.168.2.56:59335, re-sending response... (bytes: 162, try: 2/3).

With sudo tcpdump -eqntl -i wlp5s0 port 1812, I receive all the traffic.. Ingoing and outgoing.
