freeRADIUS WEB-UI on openwrt

I was searching around for a WebUI for freeRADIUS and i came accross this link:
It's a thesis by some guy. If you look at page 66, he mentions of a WebUI for managing freeRADIUS. And in requirements on page 78, he got it all running on a single openWRT device with less than 64MB RAM.
But i couldn't find any code it implement it myself. I would have to learn to build webui and do it myself it seems.
I have 2 openwrt devices, a TP Link Archer A7v5 and Mi Wifi Mini (both with 128MB RAM).
Does anyone know of a similar project where they have implemented a freeRADIUS webui running ON the openwrt device itself?

Also, off-topic, but i am looking into some info regarding how is bandwidth limit implemented on openwrt via RADIUS.
There is a "WISPr-Bandwidth-Max-Down" attribute in radius, but how does openwrt apply those values? There is no per-user bandwith limit implementation in openwrt right now. We would need some kind of package on the openwrt router device to read those radius attribute and apply bandwidth limits via maybe nftqos package or somehting.
Does anyone know of a similar implementation?

1 Like

In answer to your off topic comments:

The opennds package provides this.
Although support for radius would require development using the opennds fas api (I am aware of one or two implementations.)....

The question I pose though is "Why does anyone use radius these days?".

Sure, some large corporates have used radius for over 30 years but for new development, what does it give that can't be done easier in a variety of much less complicated ways?

such as? i'm curious how would you do "access control" regardless of physical connection, i.e. how to ensure userA should be in groupA with unique entitlements either connecting via cable or wifi, and userB in a different group?

openNDS does access control by user credentials, so yes, regardless of physical connection.
down/up quotas can be configured per user, per network or globally on an intranet.

Download rate, upload rate, download volume, upload volume, over-quota fair usage restriction, connection duration are all supported, both per user and/or per network.

Most commonly, user accounts are "self generated" as part of an autonomous system, but groups can easily be supported, simply by adding a "group" field to a predefined user database.

thanks for your reply but am afraid openNDS is captive portal:, is not it. so it looks cannot solve the following problem: users can connect to network via

  • a switch port (wired connection), any switch port; or
  • wifi

and still be part of assigned network which has its own address range, dns settings, routing etc. a solution which forces user to a vlan basically regardless physical connection (without the need to assign dedicated switch ports for example). RADIUS looks a more fitting solution imho.

Indeed it is.

Yes. That is what openNDS does by default.

Radius can't do that.
Radius (Remote Authentication Dial-In User Service) provides Authentication, Authorisation and Accounting.
It is normally a remote service and holds a database of predefined "user" credentials and can return data associated with a validated "user".
It has no control over local traffic. That must be done by either something on the network that all traffic passes through, or done by some application installed on the "user" device.

The question I posed earlier was "Why does anyone use radius these days?".

OpenNDS can talk to a Radius server for credential validation. But why bother? A simple custom database can do the job much more efficiently. A central openNDS FAS server with its own database is fast, efficient and simple to set up by any web designer with basic database programming knowledge.

If you are an ISP with 30 years investment in Radius, then fine, stick with it.

well, Dynamic VLAN Assignment allows the RADIUS server to dynamically assign a VLAN to a supplicant using Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-Id fields, so i think it can. there is a natural commonality in functionality (authenticate+authorization) but i am still not convinced a captive portal can do the same as a radius server.
would be happy to be proved wrong: if you can share an openNDS configuration which configures userA and userB differently (different network, different domain, different dns), thus userA and userB are isolated.

Dynamic vlan assignment does not allow a RADIUS server to do anything.
It is the other way round. A RADIUS server can supply information to a supplicant, just as any system could, from the selected contents of a database.

No one said a captive portal can do the same as a radius server.

A radius server is just a front end to a database (albeit with a very complex api).
Any captive portal can in principle use any database for client/user AAA, including a radius server.

What you are describing is different again to the OPs original "off topic" question.

I would be interested to see how a user device can connect and be identified without supplying credentials eg username and password. Mac address could be used I guess, but with mac randomisation more or less becoming universal......

But then, the OPs question is answered so no need to continue with this discussion, at least in this thread.

Everyone started shouting, trying to have the last word, and the whole meeting just descended into chaos.

perhaps this thread will give you an idea

1 Like

IMO, I kinda agree. I didn't had any knowledge of RADIUS before last year or so. And in the past year i have setup freeRADIUS in my local home network for wifi auth and even setup it's Dynamic Vlan (1 SSID, multiple password pointing to multiple vlan's) and i thought, Why is this soo complicated for something that is essentially doing something very simple (just passing values in response to a request). I get it that it was built quite some time ago, and i think it needs a more modern and simple implementation. But i guess, if it ain't broke then don't fix it.

I looked into openNDS a bit more, and it seems to provide per-user bandwidth/quota control.
Is there any way i can use openNDS just to control bandwidth limits without using it's captive portal/splash page part of it?
Also, i tried coovachilli quite long ago, and due to way it worked, any kind of software/hardware offloading didn't worked with coovachilli. Is it the same case with openNDS? I am just using Software Flow offloading on my Archer A7v5 (it doesn't support hardware flow offloading in openwrt).

You could, but then how do you differentiate between users? All you have is the mac address and that is most likely randomised these days.
It is a little different if you restrict connections to wireless only as the wpa_psk_file option could be used in some way, as @fekry11 mentioned.

I do not know the answer to that. openNDS uses only nftables, so does offloading bypass the nft ruleset?
I have not looked into it at all....

A quick test and a look at the nft ruleset with flow offloading enabled indicates that openNDS works with it as the openNDS forward chain has a higher priority than the fw4 flowtable.
ie openNDS gets in first. This indicates room for enhancement if openNDS added its own flowtable.

1 Like