Saturday, 1 October 2011

Ubuntu Server + Freeradius 2.0.x + coovachilli + Daloradius


so first things first, here is what i need :
- Ubuntu 10.04 (Lucid Lynx)
- Lamp Server
- DNS Server
- OpenSSH Server
- Radius Management web based (daloradius)

1. setting up the server machine

Ubuntu 10.04
I'm using ubuntu 10.04 and installed it on my vmware to test it.
first things first, i need to install debian-archive-keyring so the packages i want to install can be authenticated easily, command :
sudo apt-get install debian-archive-keyring
and then invoke apt-get update
after that i enable ip forwarding so that other computers can send and receive packets from the internet through my ubuntu. command :
nano /etc/sysctl.conf
find the line with net.ipv4.ip_forward=1 and remove the #.

Lamp Server
To install the lamp server use the command :
sudo apt-get install lamp-server^
when the download is finished, there is a dialog asking for the mysql password.
then when the server is running there is another problem, although not much of a problem; there will be a notification like this : "apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName"
nano /etc/apache2/apache2.conf
add this line at the bottom :
ServerName 127.0.0.1
save, and then restart apache :
/etc/init.d/apache2 restart

DNS Server
i'm using the bind9 package for the dns server :
sudo apt-get install bind9
and then configure the forwarders :
nano /etc/bind/named.conf.options
then uncomment the forwarders block and fill in the ip address with the one you use

forwarders {
8.8.8.8;
};
then restart the service :
/etc/init.d/bind9 restart

openSSH server
to install openssh server package :
sudo apt-get install openssh-server
print server
samba file server
webmin

2. setting up freeradius

install using :
sudo apt-get install freeradius freeradius-mysql
then choose yes, and continue downloading and installing
then stop the radius service :
/etc/init.d/freeradius stop
then run it in debugging mode :
freeradius -X
and if no errors are detected (it prints "Ready to process requests.") then press ctrl+c to stop it and continue with the next step

the next step is to create the radius database in mysql and create a user named radius :
mysql -u root -p (then enter your password)
then type the following :
CREATE DATABASE radius;
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpassword';
(where you can change radpassword into anything you like for the user radius in mysql)
FLUSH PRIVILEGES;
quit


then import the radius schema into mysql :
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
enter your password for user root
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
enter your password for user root
the next step is to configure radius to connect to mysql :
nano /etc/freeradius/sql.conf
look for these lines and change them accordingly :
server = "localhost"
login = "radius"
password = "radiussecret"
and then in the same configuration file change
# readclient = yes
into
readclient = yes
nano /etc/freeradius/clients.conf
look for
secret = testing123
change it into
secret = radpassword
and then at the bottom add this block :
client 192.168.1.0/24 {   # network of the server
    secret = radpassword
}
next, i set up freeradius to use mysql for its database (back it up first)

cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/config
nano /etc/freeradius/sites-available/default
in the authorize section, look for
files
and add # so that it becomes like this
# files

look for another line below
# sql
and remove the # so it becomes like this
sql

look for another sql word in the accounting and session sections; if there is a (#) remove it
save and exit
then make a user for testing the freeradius :
mysql -u root -p
then type your root password
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('guest', 'password', 'guest');
mysql> select * from radcheck where UserName='guest';
mysql> exit
the next step is to activate the sql module :
nano /etc/freeradius/radiusd.conf
remove the comment from
$INCLUDE sql.conf
add # at the start of this line in /etc/hosts :
#::1 localhost ip6-localhost ip6-loopback
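As an added example (not code from the post or from FreeRADIUS), here is what a radtest Access-Request for the guest user looks like on the wire and how the clients.conf secret is used on both sides: the User-Password attribute is hidden with an MD5 keystream derived from the secret, the server recovers it with its own copy of the secret to compare against the radcheck row, and the Response Authenticator lets the client verify the reply. All values are constructed (fixed Request Authenticator, secret radpassword, NAS 192.168.0.1); nothing is sent on the network.

```python
import hashlib
import struct

SECRET = b"radpassword"          # the clients.conf / HS_RADSECRET value from the post
REQUEST_AUTH = bytes(range(16))  # constructed; a real client draws 16 random bytes

def _xor16(block, key):
    return bytes(a ^ b for a, b in zip(block, key))

def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_user_password(hidden, secret, authenticator):
    """Server side: rebuild the same keystream from its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor16(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, nas_ip,
                         secret=SECRET, authenticator=REQUEST_AUTH):
    """Access-Request (code 1) carrying the four attributes radtest sends."""
    hidden = hide_user_password(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(username)]) + username               # User-Name
             + bytes([2, 2 + len(hidden)]) + hidden                 # User-Password
             + bytes([4, 6]) + bytes(map(int, nas_ip.split(".")))  # NAS-IP-Address
             + bytes([5, 6]) + struct.pack(">I", 0))                # NAS-Port = 0
    return struct.pack(">BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    length = struct.unpack(">H", packet[2:4])[0]
    pos, attrs = 20, {}
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

def pap_check(packet, stored_password, secret=SECRET):
    """What the server does with the radcheck row: recover the password using
    the secret configured for that NAS and compare it with the stored value."""
    attrs = parse_attributes(packet)
    return reveal_user_password(attrs[2], secret, packet[4:20]) == stored_password

def response_authenticator(code, ident, attrs, request_auth, secret=SECRET):
    """Reply integrity: MD5(Code|ID|Length|RequestAuth|Attributes|Secret).
    radtest recomputes this before it trusts an Access-Accept."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```

The request for guest/guest comes out at 57 bytes, the same length radtest reports in the comments below; with a secret that differs from the one in clients.conf (for example the default testing123) the server recovers a garbled password and rejects the login. The MD5 hiding only obscures the password against casual capture, so the RADIUS exchange still belongs on the loopback or another trusted path, as in the post.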

3. Installing coova chilli

download the package :
wget http://coova-chilli.s3.amazonaws.com/coova-chilli_1.0.13-1_i386.deb
and then install it :
dpkg -i coova-chilli_1.0.13-1_i386.deb
copy the default chilli configuration (for backup purposes) :
cp /etc/chilli/default /etc/chilli/config
then create a folder for the hotspot web pages :
mkdir /var/www/hotspot
cd /var/www/hotspot
cp /etc/chilli/www/* /var/www/hotspot
mkdir /var/www/hotspot/images
cp /var/www/hotspot/coova.jpg /var/www/hotspot/images/
and also make a folder for uam :
mkdir /var/www/hotspot/uam
cd /var/www/hotspot/uam
wget http://ap.coova.org/uam/
wget http://ap.coova.org/js/chilli.js
change the configuration to use my ip address :
sed -i 's/ap.coova.org\/js\/chilli.js/192.168.0.1\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html
edit the chilli library to match my ip address :
sed -i 's/192.168.182.1/192.168.0.1/g' /etc/chilli/www/ChilliLibrary.js
sed -i 's/192.168.182.1/192.168.0.1/g' /var/www/hotspot/ChilliLibrary.js
configure chilli to start on boot :
nano /etc/default/chilli
START_CHILLI=1
CONFFILE="/etc/chilli.conf"
edit the chilli configuration file :
nano /etc/chilli/default
change accordingly :
HS_LANIF=eth0 # Subscriber Interface for client devices
HS_NETWORK=192.168.1.0 # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=192.168.1.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990 # HotSpot Port (on subscriber network)
HS_NASID=nas01
HS_UAMSECRET=uamsecret
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
HS_RADSECRET=radpassword
HS_UAMALLOW=www.google.com,192.168.1.0/24
HS_UAMSERVER=192.168.1.1
HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/index.php
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
HS_UAMSERVICE=https://192.168.1.1/cgi-bin/hotspotlogin.cgi
configure the chilli firewall :
nano /etc/chilli/up.sh
add this code at the bottom :
# may not have been populated the first time; run again
[ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null
# force-add the final rule necessary to fix routing tables
iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
that's the end of setting up coovachilli

4. SSL configuration

install ssl :
sudo apt-get install libapache2-mod-auth-mysql
make the ssl folder :
mkdir /etc/apache2/ssl
install ssl-cert :
apt-get install ssl-cert
view your hostname to make the certificate :
hostname -f
and then generate the certificate using that hostname :
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
edit your hosts file :
nano /etc/hosts
127.0.0.1 localhost
192.168.0.1 ## your hostname
enable the ssl module :
a2enmod ssl
reload/restart apache :
/etc/init.d/apache2 force-reload
create a virtual host for the hotspot :
nano /etc/apache2/sites-available/hotspot
then fill it with this code (thx to zjapske for the code http://pastebin.com/HmqXvwfr) :

NameVirtualHost 192.168.0.1:443
<VirtualHost 192.168.0.1:443>
    ServerAdmin webmaster@domain.org
    DocumentRoot "/var/www/hotspot"
    ServerName "192.168.0.1"
    <Directory "/var/www/hotspot/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
    <Directory "/usr/share/freeradius-dialupadmin/htdocs/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    <Directory "/var/www/hotspot/cgi-bin/">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hotspot-error.log
    LogLevel warn
    CustomLog /var/log/apache2/hotspot-access.log combined
    ServerSignature On
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

then enable the virtual host :
a2ensite hotspot
edit the listening ports :
nano /etc/apache2/ports.conf
Listen *:443
Listen *:80
#
# Listen 443
#
edit the default site :
nano /etc/apache2/sites-available/default
NameVirtualHost *:80
create the login page for the hotspot :
mkdir -p /var/www/hotspot/
cd /var/www/hotspot/
wget http://www.truesoft.co.th/wifi/uam.tgz
tar -xzvf uam.tgz
reboot the server
end of ssl configuration

5. Install DaloRadius (radius management interface)

For Daloradius i use daloradius-0.9-8; i haven't tried version 0.9-9 yet, but i'll update this later
after downloading it, go to the folder where daloradius is located, then

tar -xzvf daloradius-0.9-8.tar.gz
copy the directory into www :
cp daloradius-0.9-8 /var/www/ -R
change the owner and permissions :
chown www-data:www-data /var/www/daloradius-0.9-8 -R
chmod 644 /var/www/daloradius-0.9-8/library/daloradius.conf.php
then install the daloradius database into mysql :
mysql -u root -p radius < /var/www/daloradius-0.9-8/contrib/db/mysql-daloradius.sql
change the database configuration accordingly :
nano /var/www/daloradius-0.9-8/library/daloradius.conf.php
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = '127.0.0.1';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
if something like "mysql connection error" occurs when you try to login, just create another user 'radius' with the same password, but with @'%' instead of @'localhost' :
mysql -u root -p
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'%' IDENTIFIED BY 'radpassword';
FLUSH PRIVILEGES;
after that make sure the following packages are installed :
sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5
then login to http://192.168.1.1/daloradius-0.9-8/login.php
login using username : administrator | password : radius
that's all, thx, any questions just add your comment below

source : http://opensource.telkomspeedy.com/forum/viewtopic.php?id=10812
http://manajung.blogspot.com/2010/01/daloradius-on-ubunto-910.html

24 comments:

  1. configuration in ports.conf:
    Listen *:443
    Listen *:80
    #
    # Listen 443
    #

    can you tell me how i should put that configuration in ports.conf? thx..

    1. it means you just add
      Listen *:443
      and change Listen :80 to
      Listen *:80

      and then add # for any Listen 443 below those line

  2. This comment has been removed by the author.

  3. For the Virtual host for hotspot

    http://pastebin.com/HmqXvwfr

    1. Thx Man i appreciate it, tq for the code, i edit my blog later...

  4. Please can you give the procedure for testing a client after completing the above process ..

    I tried the command below but I got an error. Please can you give the full procedure for testing a client.

    radtest guest guest 127.0.0.1 0 radpassword

    1. Here is the result after running this command on my machine:
      #radtest guest guest 127.0.0.1 0 radpassword
      Sending Access-Request of id 102 to 127.0.0.1 port 1812
      User-Name = "guest"
      User-Password = "guest"
      NAS-IP-Address = 192.168.0.1
      NAS-Port = 0
      rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=102, length=20

      if you receive Access-Accept then your freeradius is already using sql for its user table
      if you receive Access-Reject try run your freeradius using "freeradius -X" for debugging purpose

    2. Dear Ryan,

      I tried in debug mode and also get reject packet.
      I completed till 2. setting up freeradius and tried.

      # sudo freeradius -X

      out after sending request from client..

      Listening on authentication address * port 1812
      Listening on accounting address * port 1813
      Listening on proxy address * port 1814
      Ready to process requests.
      rad_recv: Access-Request packet from host 127.0.0.1 port 46022, id=212, length=57
      User-Name = "guest"
      User-Password = "guest"
      NAS-IP-Address = 192.168.0.1
      NAS-Port = 0
      +- entering group authorize {...}
      ++[preprocess] returns ok
      ++[chap] returns noop
      ++[mschap] returns noop
      [suffix] No '@' in User-Name = "guest", looking up realm NULL
      [suffix] No such realm "NULL"
      ++[suffix] returns noop
      [eap] No EAP-Message, not doing EAP
      ++[eap] returns noop
      ++[unix] returns notfound
      ++[files] returns noop
      ++[expiration] returns noop
      ++[logintime] returns noop
      [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
      ++[pap] returns noop
      No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
      Failed to authenticate the user.
      Using Post-Auth-Type Reject
      +- entering group REJECT {...}
      [attr_filter.access_reject] expand: %{User-Name} -> guest
      attr_filter: Matched entry DEFAULT at line 11
      ++[attr_filter.access_reject] returns updated
      Delaying reject of request 0 for 1 seconds
      Going to the next request
      Waking up in 0.9 seconds.
      Sending delayed reject for request 0
      Sending Access-Reject of id 212 to 127.0.0.1 port 46022
      Waking up in 4.9 seconds.
      Cleaning up request 0 ID 212 with timestamp +10
      Ready to process requests.

      client output...

      sudo radtest guest guest 127.0.0.1 0 radpassword
      [sudo] password for sam:
      Sending Access-Request of id 212 to 127.0.0.1 port 1812
      User-Name = "guest"
      User-Password = "guest"
      NAS-IP-Address = 192.168.0.1
      NAS-Port = 0
      rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=212, length=20

      Please help me, I do not understand what the problem is. I followed all the steps correctly....

    3. try editing and changing accordingly the config file in /etc/freeradius/sites-available/default instead of /etc/freeradius/sites-available/config

    4. Thank you very much for the help.....

      I did change in /etc/freeradius/sites-available/default and after I run the freeradius in Debug mode I got an error as below

      ype, secret FROM nas
      rlm_sql (sql): Ignoring unconnected handle 4..
      rlm_sql (sql): Ignoring unconnected handle 3..
      rlm_sql (sql): Ignoring unconnected handle 2..
      rlm_sql (sql): Ignoring unconnected handle 1..
      rlm_sql (sql): Ignoring unconnected handle 0..
      rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
      Failed to load clients from SQL.
      rlm_sql (sql): Closing sqlsocket 4
      rlm_sql (sql): Closing sqlsocket 3
      rlm_sql (sql): Closing sqlsocket 2
      rlm_sql (sql): Closing sqlsocket 1
      rlm_sql (sql): Closing sqlsocket 0
      /etc/freeradius/sql.conf[22]: Instantiation failed for module "sql"
      /etc/freeradius/sites-enabled/default[159]: Failed to find module "sql".
      /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.


      If I do the changes in /etc/freeradius/sites-available/config the freeradius in debug mode runs correctly....

    5. try to look again at /etc/freeradius/sql.conf at line 22 below,
      server = "localhost"
      login = "radius"
      password = "radiussecret"

      *and remove the # from read client
      readclient = yes

      if those don't help try changing the login to "root"

      have you uncommented $include sql.conf
      in /etc/freeradius/radiusd.conf ??

      if it still doesn't work try uploading your sql.conf, radiusd.conf, clients.conf

    6. Thank you very much for the help Ryan .... :)

      The above problem I solved ...

      I changed secret password in /etc/freeradius/sql.conf to radpassword ... :)

      Sending Access-Request of id 13 to 127.0.0.1 port 1812
      User-Name = "guest"
      User-Password = "guest"
      NAS-IP-Address = 192.168.0.1
      NAS-Port = 0
      rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=2

      I am a newbie to freeradius, this tutorial helped me a lot....
      Thanks once again to Ryan ...

  5. Works great!

    tested on ubuntu 12.04 and 10.04, daloradius 9.8 and 9.9

    thanks

  6. Thanks for this post Ryan, it is very useful for me. maybe you can help me with the ip addresses? because in this post you used 2 ip addresses, please specify which is eth0 and eth1 and how to assign these. and i do not understand this part.

    edit site default
    nano /etc/apache2/sites-available/default

    NameVirtualHost *:80

  7. please I have eth0(dhcp) and eth0 and I would like to use an AP for my captive portal.
    can you tell me how i could configure it?

  8. please help

    i have this error in my browser...

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)



    @hotspot-error.log file it says

    [Fri Aug 17 11:26:25 2012] [warn] RSA server certificate CommonName (CN) `myservername' does NOT match server name!?

    here's my /etc/hosts file

    127.0.0.1 localhost
    xxx.xxx.xxx.xxx myservername

    # The following lines are desirable for IPv6 capable hosts
    #::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    and my /etc/hostname file also matches my server name

  9. I had freeradius working and decided to follow your steps to install daloradius. I got the startup page but i can no longer proceed from there with "DB Error: extension not found". What i am worried about is that i can no longer access phpmyadmin using localhost/phpmyadmin. Any workaround?

  10. This comment has been removed by the author.

  11. Hi There,

    Thanks for this guide.

    I am still confused on the IP addressing of this setup.

    Could you explain what IP goes where based on this config.
    E.G. which IP goes on eth0 and eth1
    If you could post the output for 'ifconfig' that will be a big help.

    A separate interface is also created tun0 by coovachilli. Where can I change the IP for this?


    Thanks

  12. no clue about tun0 settings? and what about 2 different IP classes 192.168.182.1/192.168.0.1/ I understand that 192.168.0.1 is for WAN but what about 192.168.182.1?

  13. hi Ryan,
    this is a very helpful and very great guide for a newbie like me..
    i have managed to follow your guide so far so good.. just the problem is my client didn't land on the landing page, instead it landed on the uam page... i have no idea about that... can you give me a clue what or where to edit it?
    T.I.A Ryan

  14. Hi Ryan, i have an issue when testing coovachilli. When trying to connect a new PC through a Wifi connection it shows the Coova Redirecting page and after that it redirects to www.coova.org immediately, it doesn't show the login page. How can i solve that issue? Can you help me please?

  15. This comment has been removed by the author.

  16. Help me !!!!!!!!!
    Mon Nov 24 15:38:32 2014 : Debug: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    Mon Nov 24 15:38:32 2014 : Debug: }
    Mon Nov 24 15:38:32 2014 : Error: "rlm_sql mysql" is NOT an SQL driver!
    Mon Nov 24 15:38:32 2014 : Error: /etc/freeradius/sql.conf[22]: Instantiation failed for module "sql"
    Mon Nov 24 15:38:32 2014 : Error: /etc/freeradius/sites-enabled/default[159]: Failed to load module "sql".
    Mon Nov 24 15:38:32 2014 : Error: /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
