Difference between revisions of "WiFi: HotSpot - CoovaChilli Instalasi Radius Server"

From OnnoWiki
* http://www.untruth.org/~josh/security/radius/radius-auth.html - RADIUS Authentication Analysis
==Interesting Links==
* [[WiFi: HotSpot - CoovaChilli Pendahuluan]]
* [[WiFi: HotSpot - CoovaChilli Kebutuhan Hardware dan Software]]
* [[WiFi: HotSpot - CoovaChilli Instalasi Radius Server]]
* [[WiFi: HotSpot - Instalasi CoovaChilli]]
* [[WiFi: HotSpot - CoovaChilli Instalasi Firewall]]
* [[WiFi: HotSpot - CoovaChilli Instalasi Apache dan SSL]]
* [[WiFi: HotSpot - CoovaChilli Fitur dan Keterangan Tambahan]]
* [[WiFi: HotSpot]]

Revision as of 09:45, 7 April 2010

Install Radius server and Database

sudo apt-get install freeradius freeradius-mysql

Create database to store usernames and passwords

mysql -u root -p
Enter password:mysqladminsecret
mysql> CREATE DATABASE radius;
mysql> quit

Populate the database with the tables supplied by the makers of freeradius

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius
Enter password:mysqladminsecret

Note: for freeradius 2

mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

Create the database user that FreeRadius will log in as and give it access to the radius database

mysql -u root -p
Enter password:mysqladminsecret
mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';
mysql> FLUSH PRIVILEGES;
mysql> quit

Tell freeradius where to find the database

nano -w /etc/freeradius/sql.conf

server = "localhost"
login = "radius"
password = "mysqlsecret"

Set FreeRadius server client password

nano -w /etc/freeradius/clients.conf

client {

   secret = radiussecret


Testing default file setup

The default FreeRadius setup authorizes usernames and passwords from a "file" found in /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from "file" to "sql" (mysql).

Add a username and password to our user "file". Edit the "John Doe" entry.

nano -w /etc/freeradius/users


"John Doe" Auth-Type := Local, User-Password == "hello"

              Reply-Message = "Hello, %u"

At this point you need to reboot your Ubuntu box


Check FreeRadius config files.

sudo /etc/init.d/freeradius stop
sudo freeradius -XXX

If all goes well the last line should display

Mon Jun 29 15:24:34 2009 : Debug: Ready to process requests.

Ctrl+C to exit.

Start FreeRadius again

sudo /etc/init.d/freeradius start

Test password authorization to "file"

sudo radtest "John Doe" hello 0 radiussecret

If all goes well you should get a reply

Sending Access-Request of id 136 to port 1812

       User-Name = "John Doe"
       User-Password = "hello"
       NAS-IP-Address =
       NAS-Port = 0

rad_recv: Access-Accept packet from host, id=136, length=37

       Reply-Message = "Hello, John Doe"

Change authorization to sql

If the above tests worked we can now change authorization from "file" to "sql".

nano -w /etc/freeradius/radiusd.conf

Change the authorize section so that files is commented out and sql is enabled:

  #  files
     sql

Note for freeradius2: make this change in /etc/freeradius/sites-available/default instead.

nano -w /etc/freeradius/sites-available/default

Note: You can only use one authorisation method at a time, not both. Therefore the "files" section needs to be commented out, otherwise FreeRadius will still try to authorize with the /etc/freeradius/users "file" instead of "sql".

SQL Logging

If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql

nano -w /etc/freeradius/sql.conf

sql {

       driver = "rlm_sql_mysql"
       server = "localhost"
       login = "radius"
       password = "mysqlsecret"
       radius_db = "radius"
       # Set to 'yes' to read radius clients from the database ('nas' table)
       readclients = yes ###change manually


nano -w /etc/freeradius/radiusd.conf

Note for freeradius2: the $INCLUDE line goes in /etc/freeradius/radiusd.conf; the sections that follow it are in /etc/freeradius/sites-available/default.

nano -w /etc/freeradius/sites-available/default

       $INCLUDE ${confdir}/sql.conf

authorize {

}
authenticate {

       Auth-Type PAP {
       Auth-Type CHAP {

}
accounting {

       sql ###change manually

}
session {

       sql ###change manually

}


Add users

echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius
Enter password:mysqlsecret

CoovaChilli uses the username 'chillispot' with the password 'chillispot' for logging into the radius by default. Add this user to the radcheck table too.

It is defined in the default config file /etc/chilli/config

HS_ADMUSR=chillispot
HS_ADMPWD=chillispot

echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('chillispot', 'Password', 'chillispot');" | mysql -u radius -p radius
Enter password:mysqlsecret

Restart Radius

sudo /etc/init.d/freeradius restart

Test link

sudo radtest mysqltest testsecret 0 radiussecret
sudo radtest chillispot chillispot 0 radiussecret

If all goes well you should receive an Access-Accept response like this:

Sending Access-Request of id 180 to port 1812

       User-Name = "mysqltest"
       User-Password = "testsecret"
       NAS-IP-Address =
       NAS-Port = 0

rad_recv: Access-Accept packet from host, id=180, length=20
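
The placeholder values used in the steps above (radiussecret, mysqlsecret and CoovaChilli's default chillispot/chillispot) are easy to leave in place once the tests pass. The following shell function is an added example, not part of the original page: it flags config assignments that still carry those values. The sample files, the "client localhost" name and the replacement SQL password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. SAMPLE_VALUES holds the placeholder
# credentials this tutorial uses; add any others you copied from it.
SAMPLE_VALUES='radiussecret mysqlsecret chillispot'

# count_sample_secrets FILE...
# Writes "file:line:text" to stderr for every non-comment assignment whose value
# is one of SAMPLE_VALUES, and prints the number of findings on stdout.
count_sample_secrets() {
    total=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        for v in $SAMPLE_VALUES; do
            # key = value, key = "value" or KEY=value; lines starting with '#' cannot match
            pat="^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*\"?$v\"?[[:space:]]*(#.*)?\$"
            # /dev/null as a second file makes grep print the file name
            hits=$(grep -nE "$pat" "$f" /dev/null) || continue
            printf '%s\n' "$hits" >&2
            total=$((total + $(printf '%s\n' "$hits" | wc -l)))
        done
    done
    echo "$total"
}

# Constructed sample files, laid out like the ones edited above
# ("client localhost" and the replaced SQL password are made up for the demo).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/clients.conf" <<'EOF'
client localhost {
    secret = radiussecret
}
EOF
cat > "$demo_dir/sql.conf" <<'EOF'
sql {
    login = "radius"
    # password = "mysqlsecret"
    password = "constructed-replacement-value"
}
EOF
cat > "$demo_dir/chilli-config" <<'EOF'
HS_ADMUSR=chillispot
HS_ADMPWD=chillispot
EOF
echo "findings: $(count_sample_secrets "$demo_dir"/*)"
```

On a real box, point it at /etc/freeradius/clients.conf, /etc/freeradius/sql.conf and /etc/chilli/config. The chillispot row in radcheck lives in the database and has to be checked there.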


Interesting Links