WiFi: HotSpot - CoovaChilli Installing the RADIUS Server
Install the RADIUS server and database
sudo apt-get install freeradius freeradius-mysql
Create the database that will store usernames and passwords
mysql -u root -p
Enter password: mysqladminsecret
mysql> CREATE DATABASE radius;
mysql> quit
Populate the database with the tables provided by the makers of FreeRADIUS
zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius
Enter password: mysqladminsecret
Note: for FreeRADIUS 2 load the schema shipped with the package instead:
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
Grant the radius user access to the database:
mysql -u root -p
Enter password: mysqladminsecret
mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';
mysql> FLUSH PRIVILEGES;
mysql> quit
Tell FreeRADIUS where to find the database
nano -w /etc/freeradius/sql.conf
server = "localhost"
login = "radius"
password = "mysqlsecret"
Set the FreeRADIUS client secret (the shared secret that radtest uses below)
nano -w /etc/freeradius/clients.conf
client 127.0.0.1 {
secret = radiussecret
}
Testing the default file setup
The default FreeRADIUS setup authorizes usernames and passwords from a "file" found in /etc/freeradius/users. We should test the default setup before we change the authorization backend from "file" to "sql" (MySQL).
Add a username and password to our user "file" by editing the "John Doe" example.
nano -w /etc/freeradius/users
Uncomment:
"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"
At this point you need to reboot your Ubuntu box
reboot
Check the FreeRADIUS config files.
sudo /etc/init.d/freeradius stop
sudo freeradius -XXX
If all goes well the last line should display:
Mon Jun 29 15:24:34 2009 : Debug: Ready to process requests.
Ctrl+C to exit.
Start FreeRADIUS again
sudo /etc/init.d/freeradius start
Test password authorization against the "file"
sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret
If all goes well you should get a reply:
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "John Doe"
User-Password = "hello"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37
Reply-Message = "Hello, John Doe"
Change authorization to SQL
If the above tests worked we can now change authorization from "file" to "sql".
nano -w /etc/freeradius/radiusd.conf
In the authorize section, change:
files
to:
sql
(that is, comment out "files" and add "sql" in its place)
Note for FreeRADIUS 2: the authorize section lives in the site file instead:
nano -w /etc/freeradius/sites-available/default
Note: You can only use one authorization method at a time, not both. Therefore the "files" entry needs to be commented out, otherwise FreeRADIUS will still try to authorize against the /etc/freeradius/users "file" instead of "sql".
SQL Logging
If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to SQL.
nano -w /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "mysqlsecret"
radius_db = "radius"
[...]
# Set to 'yes' to read radius clients from the database ('nas' table)
readclient = yes ###change manually
}
nano -w /etc/freeradius/radiusd.conf
Note for FreeRADIUS 2: the $INCLUDE line goes into /etc/freeradius/radiusd.conf, while the authorize, authenticate, accounting and session sections below are edited in the site file:
nano -w /etc/freeradius/sites-available/default
$INCLUDE ${confdir}/sql.conf
authorize {
preprocess
chap
suffix
eap
#files
sql
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
eap
}
accounting {
detail
radutmp
sql ###change manually
}
session {
sql ###change manually
}
Add users
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius
Enter password: mysqlsecret
CoovaChilli uses the username 'chillispot' with the password 'chillispot' to log into the RADIUS server by default. Add this user to the radcheck table too.
It is defined in the default config file /etc/chilli/config:
HS_ADMUSR=chillispot
HS_ADMPWD=chillispot
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('chillispot', 'Password', 'chillispot');" | mysql -u radius -p radius
Enter password: mysqlsecret
Restart RADIUS
sudo /etc/init.d/freeradius restart
Test the link
sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret
sudo radtest chillispot chillispot 127.0.0.1 0 radiussecret
If all goes well you should receive an Access-Accept response like this:
Sending Access-Request of id 180 to 127.0.0.1 port 1812
User-Name = "mysqltest"
User-Password = "testsecret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20
References
- http://www.untruth.org/~josh/security/radius/radius-auth.html - An Analysis of the RADIUS Authentication Protocol