Ubuntu Server + Freeradius 2.0.x + coovachilli + Daloradius

so first thing first i needs :
- Ubuntu 10.04 (Lucid Lynx)
- Lamp Server
- DNS Server
- OpenSSH Server
- Radisu Management web based (daloradius)

1. setting up the server machine

Ubuntu 10.04
I'm using ubuntu 10.04 and installed it on my vmware to test it.
first thing first i need to install debian-archive-keyring so my package i want to install can be authenticated easily, command : sudo apt-get install debian-archive-keyring
and then invoke apt-get update
after that i enable internet forwarding so that another computer can send and receive packet from internet through my ubuntu. command : nano /etc/sysctl.conf and find line with net.ipv4.ip_forward=1 then remove the #.

Lamp Server
To install lamp server using command : sudo apt-get install lamp-server^
when the download is finished, there is another gui asking about password for mysql.
then when the server is running there is another problem, although i can say that not a much problem, there will be notification like this : "apache2: Could not reliably determine the server's fully qualified domain name, using for ServerName"
nano /etc/apache2/apache2.conf and add this line in the bottom : ServerName save, and then restart the apache /etc/init.d/apache2 restart

DNS Server
im using bind9 package for the dns server :
sudo apt-get install bind9
and then configure the forwarders :
nano /etc/bind/named.conf.options
then uncomment and fill the ip address with one you use

forwarders {;
then restart service /etc/init.d/bind9 restart

openSSH server
to install openssh server package :
sudo apt-get install openssh-server
print server
samba file server

2. setting up freeradius

install using :
sudo apt-get install freeradius freeradius-mysql
then choose yes, and continue downloading and installing
then stop the radius
/etc/init.d/freeradius stop
then run in debugging mode
freeradius -X
and if there are no errors detected (Ready to process requests.) then ctrl+c to stop and continue the next step

the next step is create radius database into mysql and create user named radius:
mysql -u root -p (then insert your password)
then type the following :
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpassword'; (where you can change radpassword into anything you like for the user radius in mysql)

then insert the radius database into mysql :
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
insert your password for user root
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
insert your password for user root
the next step is configure radius to connect to mysql :
nano /etc/freeradius/sql.conf
look for this line then change it accordingly :
server = "localhost" login = "radius" password = "radiussecret"
and then on the same file configuration change
# readclient = yes
readclient = yes
nano /etc/freeradius/clients.conf
look for
secret = testing123 change it into secret = radpassword and then at the bottom line add this line
client { //ip of server secret=radpassword }
next, i set up freeradius to use mysql for its database (backup it first)

cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/config nano /etc/freeradius/sites-available/default
in authorize section, looks for
files add # so that it become like this
# files

looks for another line below
# sql, remove # so it become like this

looks for another sql word on accounting section and session, if there is a (#) remove it
save dan exit
then make a user for testing the freeradius mysql -u root -p
then type your root password
mysql > use radius; mysql > INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('guest', 'password', 'guest') mysql > select * from radcheck where UserName='guest'; mysql > exit
next step is to activate sql module nano /etc/freeradius/radiusd.conf
remove comment from$INCLUDE sql.conf
add # pad file in /etc/hosts
#::1 localhost ip6-localhost ip6-loopback

3. Instalasi coova chili

download the package : wget http://coova-chilli.s3.amazonaws.com/coova-chilli_1.0.13-1_i386.deb
and then install it dpkg -i coova-chilli_1.0.13-1_i386.deb
copy default chilli configuration (for backup purpose) cp /etc/chilli/default /etc/chilli/config then create folder for hotspot web mkdir /var/www/hotspot cd /var/www/hotspot cp /etc/chilli/www/* /var/www/hotspot mkdir /var/www/hotspot/images cp /var/www/hotspot/coova.jpg /var/www/hotspot/images/ and also make folder for uam mkdir /var/www/hotspot/uam cd /var/www/hotspot/uam wget http://ap.coova.org/uam/ wget http://ap.coova.org/js/chilli.js change the configuration to use my ip address sed -i 's/ap.coova.org\/js\/chilli.js/\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html edit chilli library to match my ip address sed -i 's/' /etc/chilli/www/ChilliLibrary.js sed -i 's/' /var/www/hotspot/ChilliLibrary.js configure chilli to start on boot nano /etc/default/chilli START_CHILLI=1 CONFFILE="/etc/chilli.conf" edit chilli configuration file nano /etc/chilli/default change accordingly HS_LANIF=eth0 # Subscriber Interface for client devices HS_NETWORK= # HotSpot Network (must include HS_UAMLISTEN) HS_NETMASK= # HotSpot Network Netmask HS_UAMLISTEN= # HotSpot IP Address (on subscriber network) HS_UAMPORT=3990 # HotSpot Port (on subscriber network) HS_NASID=nas01 HS_UAMSECRET=uamsecret HS_RADIUS= HS_RADIUS2= HS_RADSECRET=radpassword HS_UAMALLOW=www.google.com, HS_UAMSERVER= HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/index.php HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html HS_UAMSERVICE= configure chilli firewall nano /etc/chilli/up.sh add this code at the bottom line # may not have been populated the first time; run again [ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null # force-add the final rule necessary to fix routing tables iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE thats the end of setting up coovachilli

4. SSL configuration

install ssl sudo apt-get install libapache2-mod-auth-mysql make ssl folder mkdir /etc/apache2/ssl install certificate apt-get install ssl-cert view your hostname to make the certification hostname -f and then generate the certificate by using those hostname make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem editing your hostname nano /etc/hosts localhost ## your hostname enable ssl module a2enmod ssl reload/restart your apache /etc/init.d/apache2 force-reload create Virtual host for hotspot nano /etc/apache2/sites-available/hotspot then fill with this code (thx to zjapske for the code http://pastebin.com/HmqXvwfr)
NameVirtualHost <VirtualHost>     ServerAdmin webmaster@domain.org     DocumentRoot "/var/www/hotspot"     ServerName ""     <Directory "/var/www/hotspot/">         Options Indexes FollowSymLinks MultiViews         AllowOverride None         Order allow,deny         allow from all     </Directory>
    Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"     <Directory "/usr/share/freeradius-dialupadmin/htdocs/">         Options Indexes FollowSymLinks MultiViews         AllowOverride None         Order allow,deny         allow from all     </Directory>     <Directory "/var/www/hotspot/cgi-bin/">         AllowOverride None         Options ExecCGI -MultiViews +SymLinksIfOwnerMatch         Order allow,deny         Allow from all     </Directory>     ErrorLog /var/log/apache2/hotspot-error.log     LogLevel warn     CustomLog /var/log/apache2/hotspot-access.log combined     ServerSignature On     SSLEngine on     SSLCertificateFile /etc/apache2/ssl/apache.pem </VirtualHost>

then enable virtual host a2ensite hotspot edit listening port nano /etc/apache2/ports.conf Listen *:443 Listen *:80 # # Listen 443 # edit site default nano /etc/apache2/sites-available/default NameVirtualHost *:80 create login page for the hotspot mkdir -p /var/www/hotspot/ cd /var/www/hotspot/ wget http://www.truesoft.co.th/wifi/uam.tgz tar -xzvf uam.tgz reboot the server end of ssl configuration

5. Instal DaloRadius (radius management interface)

For Daloradius i use daloradius-0.9-8, for version 9-9 i haven't try to use it yet, but i'll update it later
after download it go to the folder where daloradius located, then

tar -xzvf daloradius-0.9-8.tar.gz copy the directory into www cp daloradius-0.9-8 /var/www/ -R changing owner dan permission chown www-data:www-data /var/www/daloradius-0.9-8 -R chmod 644 /var/www/daloradius-0.9-8/library/daloradius.conf.php
then install daloradius database into mysql mysql -u root -p radius < /var/www/daloradius-0.9-8/contrib/db/mysql-daloradius.sql
change database configuration accordingly nano /var/www/daloradius-0.9-8/library/daloradius.conf.php 'FREERADIUS_VERSION' = '2'; 'CONFIG_DB_ENGINE' = 'mysql'; 'CONFIG_DB_HOST' = '' 'CONFIG_DB_USER' = 'radius' 'CONFIG_DB_PASS' = 'radpassword' 'CONFIG_DB_NAME' = 'radius' if something occured like : mysql connection error when you try to login just create another user 'radius' with same password, but instead of @'localhost' use @'%' mysql -u root -p GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'%' IDENTIFIED BY 'radpassword'; FLUSH PRIVILEGES;
after that make sure that these following package is installed sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5
then login to
login using username : administrator | password : radius
thats all thx, any question just add your comment bellow

source : http://opensource.telkomspeedy.com/forum/viewtopic.php?id=10812


configuration in ports.conf:
Listen *:443
Listen *:80
# Listen 443

can you tell me how should i put that configuration in ports.conf?thx..

This comment has been removed by the author.

For the Virtual host for hotspot


it means you just add
Listen *:443
and change Listen :80 to
Listen *:80

and then add # for any Listen 443 below those line

Thx Man i appreciate it, tq for the code, i edit my blog later...

Please can you procedure of testing a client after completing above process ..

I tried with below command but I got an error. Please can you give full procedure of testing a client.

radtest guest guest 0 radpassword

Here is the result after commiting this command on my machine:
#radtest guest guest 0 radpassword
Sending Access-Request of id 102 to port 1812
User-Name = "guest"
User-Password = "guest"
NAS-IP-Address =
NAS-Port = 0
rad_recv: Access-Accept packet from host port 1812, id=102, length=20

if you receive Access-Accept then your freeradius is already using sql for its user table
if you receive Access-Reject try run your freeradius using "freeradius -X" for debugging purpose

Dear Ryan,

I tried in debug mode and also get reject packet.
I completed till 2. setting up freeradius and tried.

# sudo freeradius -X

out after sending request from client..

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host port 46022, id=212, length=57
User-Name = "guest"
User-Password = "guest"
NAS-IP-Address =
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> guest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 212 to port 46022
Waking up in 4.9 seconds.
Cleaning up request 0 ID 212 with timestamp +10
Ready to process requests.

client output...

sudo radtest guest guest 0 radpassword
[sudo] password for sam:
Sending Access-Request of id 212 to port 1812
User-Name = "guest"
User-Password = "guest"
NAS-IP-Address =
NAS-Port = 0
rad_recv: Access-Reject packet from host port 1812, id=212, length=20

Please help me I am not understand what is the problem. I followed all the step correctly....

try editing and change accordingly file config in /etc/freeradius/sites-available/default instead of /etc/freeradius/sites-available/config

Thank you very much for the help.....

I did change in /etc/freeradius/sites-available/default and after I run the freeradius in Debug mode I got an error as below

ype, secret FROM nas
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Failed to load clients from SQL.
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
/etc/freeradius/sql.conf[22]: Instantiation failed for module "sql"
/etc/freeradius/sites-enabled/default[159]: Failed to find module "sql".
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.

If I do changes in etc/freeradius/sites-available/config the freeradius in debug mode running correctly....

try to look again at /etc/freeradius/sql.conf at line 22 below,
server = "localhost"
login = "radius"
password = "radiussecret"

*and remove # from read client
readclient = yes

if those doesn't help try change the login using "root"

have you uncomment $include sql.conf
in /etc/freeradius/radiusd.conf ??

if it still doesn't work try uploading your sql.conf, radiusd.conf, clients.conf

Thank you very much for the help Ryan .... :)

The above problem I solved ...

I changed secret password in /etc/freeradius/sql.conf to radpassword ... :)

Sending Access-Request of id 13 to port 1812
User-Name = "guest"
User-Password = "guest"
NAS-IP-Address =
NAS-Port = 0
rad_recv: Access-Accept packet from host port 1812, id=13, length=2

I am newbie to freeradius this tutorial help me a lot....
Thanks once again to ryan ...

Works great!

tested on ubuntu 12.04 and 10.04 doloradius 9.8 and 9.9


Thanks For This Post Rayan, it is very usefull for me. may be you can able to help about ip addresses? bcz in this post you used 2 ip address pls spesifiy witch is eth0 and eth1 and how to give this. and i am noy understand.

edit site default
nano /etc/apache2/sites-available/default

NameVirtualHost *:80

please I have eth0(dhcp) and eth0 and I would like to use an AP for my captive portal.
can you edit to me how could i configured it?

please help

i have this error in my browser...

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

@hotspot-error.log file it says

[Fri Aug 17 11:26:25 2012] [warn] RSA server certificate CommonName (CN) `myservername' does NOT match server name!?

here's my /etc/hosts file localhost
xxx.xxx.xxx.xxx myservername

# The following lines are desirable for IPv6 capable hosts
#::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

and my /etc/hostname file also matches my server name

I had freeradius working and decided to follow your steps to install daloradius. I got the startup page but i can no longer proceed from there with "DB Error: extension not found". What i am worried about is that i can no longer access phpmyadmin using localhost/phpmyadmin. Any workaround?

This comment has been removed by the author.

Hi There,

Thanks for the this guide.

I any still confused on the IP addressing of this setup

Could you explain what IP goes where bases on this config.
E.G. what IP does eth0 and eth1
If you could post the output for 'ifconfig' that will be a big help.

A separate interface is also created tun0 by coovachilli. Where can I change the IP for this?


no clue about tun0 settings?and what about 2 diferent IP classes I understand that is for WAN but what about

hi Ryan,
this is a very helpful and very great guide for a newbie like me..
i have manage to follow your guide so far so good..just the problem is my client didnt land on the landing page instead it land on uam page...i have no idea about that...can you give me clue what or where to edit it?
T.I.A Ryan

Hi Ryan, i have an issue when testing coovachilli. When trying to connect a new PC thru Wifi connection it shows the Coova Redirecting page and after that it redirects to www.coova.org immediately, it doesnt show the login page. How can i solve that issue? Can you help me please?

This comment has been removed by the author.

Help me !!!!!!!!!
Mon Nov 24 15:38:32 2014 : Debug: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
Mon Nov 24 15:38:32 2014 : Debug: }
Mon Nov 24 15:38:32 2014 : Error: "rlm_sql mysql" is NOT an SQL driver!
Mon Nov 24 15:38:32 2014 : Error: /etc/freeradius/sql.conf[22]: Instantiation failed for module "sql"
Mon Nov 24 15:38:32 2014 : Error: /etc/freeradius/sites-enabled/default[159]: Failed to load module "sql".
Mon Nov 24 15:38:32 2014 : Error: /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.

Problème d'affichage de la page de daloradius "Erreur de connexion SSL"

Salut, tu as toujours besoin d'aide ?

Hi Ron,

Im having the similar issue. Did u solve it? If yes, plz share how it was resolved.

salut, j'ai vraiment besoin d'aide Antoine, s'il vous plait si vous pouvez me donnez votre adresse mail pour vous contacter. j'ai des dans l’intégration de openldap avec freeradius et daloradius.

http://ap.coova.org/uam is nto available .What to do?

http://ap.coova.org site is down from where i can download http://ap.coova.org/uam/ files :-(

hello all,

same problem for me.
did you find a solution ?