Using your own RADIUS server
Article Details

Last Updated: 19th of June, 2009

The open-mesh routers are shipped with the CoovaChilli software (http://coova.org/wiki/index.php/CoovaChilli). This software provides authentication and restricted network access to WiFi network clients.

For instance, suppose you are managing a wireless network in a hotel. The open-mesh nodes are connected either as gateways or repeaters around the hotel. Now you want to require authentication from all clients, and maybe even allow the clients to browse some sites (like internal web sites for the hotel or the hotel's public website) without the need to authenticate themselves. The CoovaChilli software installed on the open-mesh routers lets you manage all of this and more, with minimal additional effort.

Requirements

The following software is required for this installation:

  • CoovaChilli (Already installed on the Open-Mesh Routers)
  • FreeRadius
  • Apache
  • MySQL

This tutorial will show how to run all this software on a single machine. However, you could install Apache and MySQL on a separate one, or even have 4 different machines: you'll just need to adjust the configuration parameters of each piece of software.

Hardware Requirements

Any x86 PC will do


Open-Mesh Router Configuration (Via: DashBoard)

For this you must have access to the open-mesh dashboard. Visit http://dashboard.open-mesh.com to register or to login.

Log in to your Mesh Network.

Next go to "Edit Network".

Select "SSID #1".

Select "Manual RADIUS & Legacy options".

After everything is in place, click on “Update Network Settings”. Then wait at least 20 minutes until the Node Devices update their configuration.

This is the only configuration needed on the Open-Mesh devices. What follows is a how-to for the situation where you do not yet have a RADIUS server and a user database set up. There will be another manual on how to do this using the Boardtown Platypus Accounting Software for ISPs.

Software Installation (Ubuntu example)

This is an example of installing the software on an Ubuntu machine. The software can also be installed on any other distribution.

sudo apt-get install freeradius freeradius-mysql freeradius-dialupadmin

Create the database to store usernames and passwords:

mysql -u root -p

Enter password: mysqladminsecret

mysql> CREATE DATABASE radius;

mysql> quit 

Populate the database with the tables provided by the makers of FreeRadius:

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius

Enter password: mysqladminsecret

mysql -u root -p

Enter password: mysqladminsecret

mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';

mysql> FLUSH PRIVILEGES;

mysql> quit

Tell FreeRadius where to find the database:

nano -w /etc/freeradius/sql.conf

server = "localhost"

login  = "radius"

password = "mysqlsecret"

Set the FreeRadius client secret (the shared secret the NAS uses to talk to the server):

nano -w /etc/freeradius/clients.conf

client 127.0.0.1 {

    secret = radiussecret

}

Testing default file setup

The default FreeRadius setup authorizes usernames and passwords from a "file" found in /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from "file" to "sql" (mysql).

Add a username and password to our users "file" by editing the "John Doe" entry.

nano -w /etc/freeradius/users

Uncomment:

"John Doe"     Auth-Type := Local, User-Password == "hello"
               Reply-Message = "Hello, %u"

At this point you need to reboot your Ubuntu box:

reboot

Check FreeRadius config files:

sudo /etc/init.d/freeradius stop
sudo freeradius -XXX -A

If all goes well, the last line should display:

Mon Mar 24 11:32:35 2008 : Info: Ready to process requests.

Ctrl+C to exit.

Start FreeRadius again:

sudo /etc/init.d/freeradius start

Test password authorization to "file":

sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret

If all goes well you should get a reply:

Sending Access-Request of id 136 to 127.0.0.1 port 1812
        User-Name = "John Doe"
        User-Password = "hello"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37
        Reply-Message = "Hello, John Doe"

Change authorization to sql

If the above test worked, we can now change authorization from "file" to "sql".

Change:

nano -w /etc/freeradius/radiusd.conf
authorize {
        preprocess
#       auth_log
#       attr_filter
        chap
        mschap
#       digest
#       IPASS
        suffix
#       ntdomain
        eap
        files
#       sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}

to

authorize {
        preprocess
#       auth_log
#       attr_filter
        chap
        mschap
#       digest
#       IPASS
        suffix
#       ntdomain
        eap
#       files
        sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}  

Note: You can only use one authorization method at a time, not both. Therefore the "files" entry needs to be commented out; otherwise FreeRadius will still try to authorize against the /etc/freeradius/users "file" instead of "sql".

SQL Logging

If you want to use software packages like ezRADIUS or Dialup Admin, you need to enable logging to MySQL.

nano -w /etc/freeradius/sql.conf
sql {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "mysqlsecret"
        radius_db = "radius"
        [...]
        # Set to 'yes' to read radius clients from the database ('nas' table)
        readclient = yes ###change manually
}
nano -w /etc/freeradius/radiusd.conf
        $INCLUDE ${confdir}/sql.conf
authorize {
        preprocess
        chap
        suffix
        eap
        #files
        sql
}
authenticate {
        Auth-Type PAP {
          pap
        }
        Auth-Type CHAP {
          chap
        }
        eap
}
accounting {
        detail
        radutmp
        sql ###change manually
}
session {
        sql ###change manually
}

Add users

This is an example to add a user with all the necessary Radius Attributes. You can create a script that does this automatically for you.

1.) Log in to mysql (mysql -u <mysql_user> -p <db_name>)
2.) Enter password: mysqlsecret
3.) Once logged in:
4.) Execute the following in mysql:
        
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','Password','password');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','Service-Type','Framed-User');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','Framed-Protocol','PPP');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','Digital-Access','TRUE');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','Session-Timeout','86400');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','Idle-Limit','600');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','ChilliSpot-Bandwidth-Max-Up','512');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('jdoe','ChilliSpot-Bandwidth-Max-Down','1024');

Note that each INSERT statement is a single line. Also note that Session-Timeout is set to 24 hours, Idle-Limit is set to 10 minutes, and the bandwidth specified is 1,024 Kbit/s for download and 512 Kbit/s for upload. These settings can be changed to fit your needs, per user.
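The text above suggests scripting the user creation. The following is an added example, not open-mesh or FreeRADIUS code: it builds the same rows as the INSERT statements above for any username, but with bound parameters instead of hand-built SQL, and it goes one step beyond the tutorial by writing the per-session attributes to the radreply table of the same mysql.sql schema (the table FreeRADIUS reads when it builds the Access-Accept) while the password check item stays in radcheck. The sqlite3 stand-in tables are constructed here so the script runs offline; against MySQL you would pass a MySQLdb connection and placeholder="%s".

```python
"""Provision a CoovaChilli hotspot user in the FreeRADIUS SQL schema with
parameterized INSERTs; exercised against an in-memory sqlite3 stand-in."""
import sqlite3

# Per-session attributes and values from the tutorial: Session-Timeout 86400 s
# (24 h), Idle-Limit 600 s (10 min), bandwidth caps in kbit/s (512 up, 1024 down).
SESSION_ATTRS = [
    ("Service-Type", "Framed-User"),
    ("Framed-Protocol", "PPP"),
    ("Digital-Access", "TRUE"),
    ("Session-Timeout", "86400"),
    ("Idle-Limit", "600"),
    ("ChilliSpot-Bandwidth-Max-Up", "512"),
    ("ChilliSpot-Bandwidth-Max-Down", "1024"),
]

def user_rows(username, password, attrs=SESSION_ATTRS):
    """(table, (UserName, Attribute, Value)) tuples for one user: the password
    check item goes to radcheck as in the tutorial; the session attributes go
    to radreply, the table of the same mysql.sql schema that FreeRADIUS reads
    when it builds the Access-Accept."""
    rows = [("radcheck", (username, "Password", password))]
    return rows + [("radreply", (username, a, v)) for a, v in attrs]

def add_user(conn, username, password, placeholder="?"):
    """Insert the rows with bound parameters rather than string-built SQL, so a
    username or password containing a quote cannot alter the statement.
    placeholder is "?" for sqlite3 and "%s" for MySQLdb; table names come
    only from the constants above."""
    marks = ", ".join([placeholder] * 3)
    rows = user_rows(username, password)
    for table, params in rows:
        conn.execute("INSERT INTO " + table + " (UserName, Attribute, Value) "
                     "VALUES (" + marks + ")", params)
    conn.commit()
    return len(rows)

def reply_attrs(conn, username):
    """Read back a user's radreply rows as {Attribute: Value} for verification."""
    cur = conn.execute("SELECT Attribute, Value FROM radreply WHERE UserName = ?",
                       (username,))
    return dict(cur.fetchall())

def demo_db():
    """Constructed in-memory stand-in for radcheck/radreply (the columns the
    tutorial uses plus the schema's op column with its per-table default)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
                 "Attribute TEXT, op TEXT NOT NULL DEFAULT '==', Value TEXT)")
    conn.execute("CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT, "
                 "Attribute TEXT, op TEXT NOT NULL DEFAULT '=', Value TEXT)")
    return conn
```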

Add dictionary entries

In order for the ChilliSpot-Bandwidth-Max-Up and ChilliSpot-Bandwidth-Max-Down attributes to work you must add them to the FreeRadius dictionary file.

To do this:

Copy the following files to /usr/local/share/freeradius/
        1. http://www.open-mesh.com/radius/dictionary.chillispot
        2. http://www.open-mesh.com/radius/dictionary.wispr

Then modify /etc/raddb/dictionary.
Add the following lines:
        1. $INCLUDE dictionary.chillispot
        2. $INCLUDE dictionary.wispr

If the lines already exist, uncomment them.

Restart Radius

sudo /etc/init.d/freeradius restart

Test link

sudo radtest jdoe password 127.0.0.1 0 radiussecret

If all goes well, you should receive:

Sending Access-Request of id 180 to 127.0.0.1 port 1812
        User-Name = "jdoe"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        (. . .)
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20


Apache Server

Create login page directory:

sudo mkdir -p /var/www/hotspot/cgi-bin

Create login page file:

Download: http://www.open-mesh.com/radius/hotspotlogin.txt
Change it to a .cgi file.
Copy it to the /cgi-bin/ folder of the site to use.
Run chmod 755 to the file.
Verify permissions.

Change the UAMSecret to the one specified on the Open-Mesh Dashboard.

Look for the following line and change the secret to the one specified on dashboard.
$uamsecret = "CHANGETHISTOTHEUAMSECRETSPECIFIEDINDASHBOARD";


SSL

Apache Modules

To install the Apache2 module for MySQL authentication, run the following command from a terminal prompt:

sudo apt-get install libapache2-mod-auth-mysql

Once you install the module, it will be available in the /etc/apache2/mods-available directory. You can use the a2enmod command to enable a module and the a2dismod command to disable one. Once you enable the module, it will be available in the /etc/apache2/mods-enabled directory.


Set up Apache and SSL

Use the following command:

tasksel

Create a Certificate

sudo apt-get install ssl-cert
sudo mkdir /etc/apache2/ssl

We need to find the host name of the server to put in the certificate:

hostname -f

Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

(Answer the questions.)

  • Note: The "Host Name" (commonName) must be filled in correctly with the host name of the server the certificate is for.

Host Name as per hostname -f

host.name #change to your host name

Install Module

The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

sudo a2enmod ssl
/etc/init.d/apache2 force-reload


Create virtualhost

Create a virtualhost file so it looks something like this:

sudo nano -w /etc/apache2/sites-available/hotspot
NameVirtualHost 192.168.2.1:443
<VirtualHost 192.168.2.1:443>
        ServerAdmin webmaster@domain.org
        DocumentRoot "/var/www/hotspot"
        ServerName "192.168.2.1"
        <Directory "/var/www/hotspot/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
        <Directory "/usr/share/freeradius-dialupadmin/htdocs/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /var/www/hotspot/cgi-bin/
        <Directory "/var/www/hotspot/cgi-bin/">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/hotspot-error.log
        LogLevel warn
        CustomLog /var/log/apache2/hotspot-access.log combined

        ServerSignature On
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Enable SSL virtualhost

sudo a2ensite hotspot
/etc/init.d/apache2 reload

Listen Ports

HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:

nano -w /etc/apache2/ports.conf
Listen 192.168.2.1:80
Listen 192.168.2.1:443
#<IfModule mod_ssl.c>
#    Listen 443
#</IfModule>

Don’t forget to modify:

sudo nano -w /etc/apache2/sites-available/default
NameVirtualHost *:80
<virtualhost *:80>

Server Root

nano -w /etc/apache2/apache2.conf

Add

ServerName 192.168.2.1

Edit host file

nano -w /etc/hosts
192.168.2.1    host.name host #change to your host name

Restart Apache server

sudo /etc/init.d/apache2 restart

Your web browser should now be able to open the login page:

https://192.168.2.1/cgi-bin/hotspotlogin.cgi

Finish

Reboot your computer and everything should work:

reboot
