AAA (Authentication, Authorization, Accounting), in hotspot

Here, I would like to share a bit about the workflow or operation of an authentication system, commonly referred to as AAA (Authentication, Authorization, Accounting), in hotspot login.

The authentication system in question involves the integration of two different applications/services: FreeRADIUS and OpenLDAP.

I utilize FreeRADIUS to handle login requests from network devices. Meanwhile, I use OpenLDAP as the storage for user data, passwords, and groups.

One of the most common implementations by combining these two applications/services is the hotspot authentication system. In this system, users will log in to the hotspot page, and then the gateway will check the username-password with the radius and so forth.

One unique and somewhat tricky feature for me is when the radius server needs to check if the username belongs to a group allowed to log in to the hotspot or not.

In reality, the capabilities of FreeRADIUS go beyond that. Another example that can be implemented is filtering users based on MAC addresses, grouping IP addresses that users will receive (for example, users in group A get IP 192.168.0.X, while group B gets 192.168.1.X), and so on. Yes, it does require a bit of effort for implementation, but it can still be done.