
FREERADIUS SERVER

1. Install dependencies yang dibutuhkan untuk support SSL (pake libssl-dev, libmysqlclient-dev
atau libmysqlclient16-dev, libtool)
root@user:<dir># apt-get install libssl-dev
root@user:<dir># apt-get install libmysqlclient-dev
root@user:<dir># apt-get install libmysqlclient16-dev
root@user:<dir># apt-get install libtool

2. Ekstrak file freeradius-server-2.2.0.tar.bz2 dengan cara


root@user:<dir># tar -jxvf freeradius-server-2.2.0.tar.bz2

3. Buat folder baru di usr


root@user:<dir># mkdir /usr/local/radius

4. Masuk ke folder hasil ekstrak freeradius dan install


root@user:<dir># ./configure --prefix=/usr/local/radius --with-openssl --with-rlm-sql-mysql
root@user:<dir># make && make install

5. Konfigurasi file freeradius (radius.conf, sql.conf, clients.conf)


root@user:<dir># cd /usr/local/radius/etc/raddb
root@user:<dir># nano radius.conf
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT SUM(AcctSessionTime) FROM radacct where UserName='%{%k}'"
}
# $INCLUDE sql/mysql/counter.conf
# $INCLUDE sqlippool.conf
}
instantiate {
exec
expr
noresetcounter
# daily
expiration
logintime
}

root@user:<dir># nano sql.conf


database = "mysql"
driver = "rlm_sql_${database}"
# Connection info:
server = "localhost"
#port = 3306
login = "hotspot"
password = "hotspot"
radius_db = "hotspot"
root@user:<dir># nano clients.conf
client localhost {
ipaddr = 127.0.0.1
# ipv6addr = :: # any. ::1 == localhost
# netmask = 32
secret = radiussecret
require_message_authenticator = no
shortname = localhost
nastype = other
# login = !root
# password = someadminpas
# virtual_server = home1
# coa_server = coa
}

root@user:<dir># nano /usr/local/radius/etc/raddb/sites-available/default


authorize {
# filter_username
preprocess
# auth_log
chap
mschap
# digest
# wimax
# IPASS
suffix
# ntdomain
eap {
ok = return
}
# unix
files
sql
noresetcounter
# etc_smbpasswd
# ldap
# daily
# checkval
expiration
logintime
pap
}
accounting {
detail
# daily
unix
radutmp
# sradutmp
# main_pool
sql
# if (noop) {
# ok
# }
# sql_log
# pgsql-voip
exec
attr_filter.accounting_response
}
session {
radutmp
sql
}
post-auth {
# main_pool
# reply_log
sql
# sql_log
# ldap
exec
# wimax
# update reply {
# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"
# Reply-Message += "%{TLS-Cert-Subject}"
# Reply-Message += "%{TLS-Cert-Issuer}"
# Reply-Message += "%{TLS-Cert-Common-Name}"
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
# Reply-Message += "%{TLS-Client-Cert-Serial}"
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
# Reply-Message += "%{TLS-Client-Cert-Subject}"
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
sql
attr_filter.access_reject
}
}
6. Buat database baru
root@user:<dir># mysql -u root -p
mysql> CREATE DATABASE hotspot;
mysql> GRANT ALL PRIVILEGES ON hotspot.* TO 'hotspot'@'localhost' IDENTIFIED BY 'hotspot'; (db, user, pass)
mysql> FLUSH PRIVILEGES;
mysql> quit;
7. Import schema.sql dan nas.sql untuk database yang telah dibuat (Skip jika memakai

Phpmyprepaid)
root@user:<dir># mysql -u radius -p radius < /usr/local/radius/etc/raddb/sql/mysql/schema.sql
root@user:<dir># mysql -u radius -p radius < /usr/local/radius/etc/raddb/sql/mysql/nas.sql
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES
('test','User-Password','test');
8. Aktifkan service radius dan cek koneksi
Terminal 1
root@user:<dir># /usr/local/radius/sbin/radiusd -X
Terminal 2
root@user:<dir># /usr/local/radius/bin/radtest test test localhost 0
radiussecret

CHILLISPOT
1. Install chillispot_1.0-10_i386.deb
root@user:<dir># dpkg -i --force-architecture chillispot_1.0-10_i386.deb

2. konfigurasi chilli.conf
root@user:<dir># nano /etc/chilli.conf
#fg
#debug
#interval 3600
#pidfile /var/run/chilli.pid
#statedir ./
net 192.168.182.0/24
#dynip 192.168.182.0/24
#statip 192.168.182.0/24
dns1 208.67.222.222
dns2 208.67.220.220
#domain key.chillispot.org
#ipup /etc/chilli.ipup
#ipdown /etc/chilli.ipdown
#radiuslisten 127.0.0.1
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
#radiusauthport 1812
#radiusacctport 1813
radiussecret radiussecret
#radiusnasid nas01
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
#proxylisten 127.0.0.1
#proxyport 3128
#proxyclient 192.168.182.0/24
#proxysecret radiussecret
dhcpif wlan0
#dhcpmac 00:00:5E:00:02:00
#lease 600
uamserver https://192.168.182.1/login/login.php #sesuai path & file
uamhomepage http://192.168.182.1:3990/prelogin
uamsecret uamsecret
#uamlisten 192.168.182.1
#uamport 3990
uamallowed 192.168.137.2
#uamanydns
#macauth
#macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9
#macpasswd password
#macsuffix suffix

APACHE SSL
root@user:<dir># mkdir /etc/apache2/ssl
root@user:<dir># make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
root@user:<dir># nano /etc/apache2/sites-available/ssl
NameVirtualHost *:443
<virtualhost *:443>
ServerAdmin webmaster@localhost
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
DocumentRoot /var/www/
<directory />
Options FollowSymLinks
AllowOverride None
</directory>
<directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</directory>
</virtualhost>
root@user:<dir># a2enmod ssl
root@user:<dir># a2ensite ssl

PHPMYPREPAID
1. Install phpmyprepaid sesuai file config radius
2. Alter database
ALTER TABLE `usergroup` ADD `priority` INT( 11 ) NOT NULL DEFAULT 1
AFTER `location_id`;

3. Edit sql.conf
usergroup_table = "usergroup"

4. Edit /usr/local/radius/etc/raddb/dictionary
ATTRIBUTE Max-All-Session 3000 integer

SQUID PROXY
acl kejar src 192.168.182.0/24
acl block dstdomain -i "/etc/squid/block.txt"
acl dhuhur time SMTWHA 11:30-12:00
acl jumat time F 11:30-12:30
acl ashar time SMTWHFA 15:00-15:30
acl maghrib time SMTWHFA 17:00-18:00
acl download url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .tar .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .msi .mp4

http_access deny block
http_access deny dhuhur
http_access deny jumat
http_access deny ashar
http_access deny maghrib
http_access allow kejar

delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_class 2 2
delay_parameters 2 -1/2048000 10000/2049000
delay_access 2 allow download
delay_access 2 deny all
delay_access 1 deny download
delay_access 1 allow all

reply_body_max_size 50000000 allow download

NAT FIREWALL
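#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (wlan0) as the internal interface (access points).
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on the external interface.
# * Nothing is allowed in on the internal interface.
# * Forwarding is allowed to and from the external interface, but
#   disallowed to and from the internal interface.
# * NAT is enabled on the external interface.
# * Port-80 traffic arriving from the ChilliSpot tunnel (tun0) is
#   redirected to a local transparent Squid on port 3128.
#
# Every rule is appended (-A) to the default chains, so the script is meant
# to run once per boot (e.g. from rc.local); running it repeatedly on a live
# system duplicates the rules.  Must run as root.

set -u

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="wlan0"

# Default policies: unsolicited input is dropped; forwarding and output are
# open, with forwarding narrowed per interface further down.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

# Allow related and established on all interfaces (input).
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ssh on $EXTIF (related/established is already accepted above).
# Reject everything else, so none of the later INPUT rules apply to $EXTIF.
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp -m tcp --dport 22 --syn -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -j REJECT

# Only related/established from $INTIF (accepted above). Drop everything else.
"$IPTABLES" -A INPUT -i "$INTIF" -j DROP

# Allow http and https on the remaining interfaces (input), i.e. the chilli
# tunnel and loopback. This is only needed if the authentication (UAM)
# server is on the same host as chilli.
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Allow the ChilliSpot UAM port (3990) on the remaining interfaces (input).
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

# Allow everything on the loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward).
# This means that access points can only be managed from ChilliSpot.
"$IPTABLES" -A FORWARD -i "$INTIF" -j DROP
"$IPTABLES" -A FORWARD -o "$INTIF" -j DROP

# Enable NAT on the output device.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

## FOR SQUID ##
# Allow transparent proxy (wiboon 1/2): accept new connections to Squid.
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT
# Allow transparent proxy (wiboon 2/2): hotspot clients must not talk to
# port 3128 directly; they reach Squid only via the port-80 REDIRECT below
# (the mangle PREROUTING drop runs before the nat REDIRECT is applied).
"$IPTABLES" -t mangle -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
# Port-80 traffic to the hotspot subnet itself (the UAM login page) is left
# alone; everything else on port 80 from the tunnel is redirected to Squid.
"$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.182.0/24 --dport 80 -j RETURN
"$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128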

Simpan dengan nama s40chilli.iptables, dan aktifkan setiap kali restart


root@user:<dir># nano /etc/rc.local
sh path/s40chilli.iptables

NB: the `sh path/s40chilli.iptables` line is what activates the firewall script at every boot (replace `path` with the directory where the script was saved).
