WiFi: HotSpot - CoovaChilli Instalasi Radius Server

From OnnoWiki
Revision as of 06:38, 2 March 2010 by Onnowpurbo (talk | contribs) (New page: Install Radius server and Database sudo apt-get install freeradius freeradius-mysql Create database to store usernames and passwords mysql -u root -p Enter password:mysqladminsecret mys...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Install Radius server and Database

sudo apt-get install freeradius freeradius-mysql

Create database to store usernames and passwords

mysql -u root -p Enter password:mysqladminsecret mysql> CREATE DATABASE radius; mysql> quit

Propergate database with tables created by the maker's of freeradius

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius Enter password:mysqladminsecret

Note: for freeradius 2 mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

mysql -u root -p Enter password:mysqladminsecret mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret'; mysql> FLUSH PRIVILEGES; mysql> quit

Tell freeradius where to find the database

nano -w /etc/freeradius/sql.conf

server = "localhost" login = "radius" password = "mysqlsecret"

Set FreeRadius server client password

nano -w /etc/freeradius/clients.conf

client 127.0.0.1 {

   secret = radiussecret

}

Testing default file setup

The default FreeRadius setup authorize's usernames and passwords from a "file" found in /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from "file" to "sql" (mysql).

Add username an password to our user "file". edit "John Doe"

nano -w /etc/freeradius/users

uncomment

"John Doe" Auth-Type := Local, User-Password == "hello"

              Reply-Message = "Hello, %u"

At this point you need to reboot your ubuntu box

reboot

Check FreeRadius config files.

sudo /etc/init.d/freeradius stop sudo freeradius -XXX

If all goes well the last line should display

Mon Jun 29 15:24:34 2009 : Debug: Ready to process requests.

Ctrl+C to exit.

Start FreeRadius again

sudo /etc/init.d/freeradius start

Test password authorization to "file"

sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret

If all goes well you should get a reply

Sending Access-Request of id 136 to 127.0.0.1 port 1812

       User-Name = "John Doe"
       User-Password = "hello"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 0

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37

       Reply-Message = "Hello, John Doe"

change authorization to sql

If the above tests worked we can now change authorization from "file" to "sql" nano -w /etc/freeradius/radiusd.conf Change:

files


to


  1. files
  1. sql


to


sql

note for freeradius2: nano -w /etc/freeradius/sites-available/default

Note: You can only use one authorisation method at a time, not both. Therefore "files" section needs to be commented out otherwise free radius will still try to authorize with /etc/freeradius/users "file" instead of "sql" SQL Logging

If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql

nano -w /etc/freeradius/sql.conf

sql {

       driver = "rlm_sql_mysql"
       server = "localhost"
       login = "radius"
       password = "mysqlsecret"
       radius_db = "radius"
       [...]
       # Set to 'yes' to read radius clients from the database ('nas' table)
       readclient = yes ###change manually

}

nano -w /etc/freeradius/radiusd.conf

note for freeradius2: for the line $INCLUDE... -> /etc/freeradius/radiusd.conf nano -w /etc/freeradius/sites-available/default

       $INCLUDE ${confdir}/sql.conf

authorize {

       preprocess
       chap
       suffix
       eap
       #files
       sql

} authenticate {

       Auth-Type PAP {
         pap
       }
       Auth-Type CHAP {
         chap
       }
       eap

} accounting {

       detail
       radutmp
       sql ###change manually

} session {

       sql ###change manually

}

Add users

echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius Enter password:mysqlsecret

coovachilli uses the username 'chillispot' with the password 'chillispot' for logging into the radius by default. Add this user in the table radcheck too.

its defined in the default config file /etc/chilli/config

HS_ADMUSR=chillispot HS_ADMPWD=chillispot

echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('chillispot', 'Password', 'chillispot');" | mysql -u radius -p radius Enter password:mysqlsecret

Restart Radius

sudo /etc/init.d/freeradius restart

Test link

sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret sudo radtest chillispot chillispot 127.0.0.1 0 radiussecret

If all goes well you should receive an Access-Accept response like this:

Sending Access-Request of id 180 to 127.0.0.1 port 1812

       User-Name = "mysqltest"
       User-Password = "testsecret"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 0

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20