Sunday, October 9, 2011

Freebsd + Freeradius (TTLS) + Daloradius + Access Point = Hotspot (Part3)

Windows 7 (Client) Configuration


  • Because I am using Windows 7, I will show my Windows 7 configuration.
  • Open Network and Sharing Center, then click on Manage Wireless Networks.
  • Create the wireless profile. The example below is based on my network environment; adjust it to match yours.
  • After you click on Add, choose Manually create a network profile.
  • You will reach the window shown below.
  • Click Next.
  • Click on Change connection settings.
  • Click the Security tab and then click on Settings.
  • Uncheck Validate server certificate. Since we use TTLS as our authentication method, certificates should not and will not be used.
  • Click OK.
  • You should now be able to connect to your hotspot/Wi-Fi access point with Freeradius as the authentication server.




Friday, October 7, 2011

Freebsd + Freeradius (TTLS) + Daloradius + Access Point = Hotspot (Part2)

Let's continue the configuration.

Now for the daloradius installation:

  • #cd /home/username/ (just to make sure you are in your home directory)
  • #wget http://sourceforge.net/projects/daloradius/files/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz/download
  • The result is a file named download. Rename it to daloradius.tar.gz with the command
  • #mv download daloradius.tar.gz
  • Extract the package: #tar -zxvf daloradius.tar.gz
  • Move the daloradius folder to /usr/local/www: #mv daloradius0.9-9 /usr/local/www/
  • #chown -R www:www /usr/local/www/daloradius0.9-9
  • #cd /usr/local/www/daloradius0.9-9/contrib/db
  • Insert the SQL schema: #mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql
  • The above command applies only to Freeradius version 2.
  • #cd /usr/local/www/daloradius0.9-9/library
  • Edit daloradius.conf.php and change the following lines
  • #vi daloradius.conf.php
      ------------------------------------------------------------------------------------------------------
      $configValues['FREERADIUS_VERSION'] = '2';
      $configValues['CONFIG_DB_ENGINE'] = 'mysql';
      $configValues['CONFIG_DB_HOST'] = 'localhost';
      $configValues['CONFIG_DB_PORT'] = '3306';
      $configValues['CONFIG_DB_USER'] = 'radadmin';
      $configValues['CONFIG_DB_PASS'] = '123qweasdzxc';
      $configValues['CONFIG_DB_NAME'] = 'radius';
      ------------------------------------------------------------------------------------------------------

  • Configure Apache so it can serve daloradius to the browser
  • #vi /usr/local/etc/apache/httpd.conf
  • Add the following lines
      ------------------------------------------------------------------------------------------------------
      Alias /daloradius "/usr/local/www/daloradius0.9-9/"
      <Directory "/usr/local/www/daloradius0.9-9">
              Options Indexes FollowSymlinks MultiViews
              AllowOverride None
              Order allow,deny
              Allow from all
      </Directory>
      -------------------------------------------------------------------------------------------------------
  • #apachectl restart
  • Open your browser and point it to http://your.server.ip/daloradius
  • Enter username: administrator and password: radius (the default setting)
  • After you log in to the daloradius web interface, create a user for testing with the following criteria

  • Click Apply.
  • Note: I chose User-Password as the password type, because this type of password is accepted by RADIUS when I enter the username and password in the Authentication pop-up window later on.
  • Choose the Edit User menu; we want to test the user account against the RADIUS database.
  • Enter the username to test, then click on the Test Connectivity button. The result is as follows

  • You should see Access-Accept if all configuration works properly.
  • Next, we configure the NAS in /usr/local/etc/raddb/clients.conf or in daloradius under the Management menu -- NAS.
  • vi /usr/local/etc/raddb/clients.conf
      -----------------------------------------------------------------------------------------------------
      client 192.168.0.0/16 {
              secret          = testing123
              shortname       = hotspot
              nastype         = other
      }
      -----------------------------------------------------------------------------------------------------

  • The above network netmask assumes you have many access points that will talk to Freeradius for authentication. For further clients.conf configuration, see the freeradius website.
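As an added check (this script is not part of the blog post and not FreeRADIUS code), the audit below parses a clients.conf in FreeRADIUS 2 syntax and flags the two weak points of the block above: the shared secret testing123, which is the example value shipped in FreeRADIUS's default clients.conf and so the first value anyone will try, and the /16 prefix, which lets every host in 192.168.0.0/16 send requests under that secret. The sample configuration, the secret-length and prefix-width thresholds, and the hardened per-AP entry are constructed for this example.

```python
"""Audit a FreeRADIUS 2.x clients.conf for weak NAS definitions.

Added example; not code from the blog post or from the FreeRADIUS project.
It reads the two address forms FreeRADIUS 2 accepts: a prefix in the block
name ("client 192.168.0.0/16 {") or ipaddr/netmask inside the block.
The thresholds below are this audit's own policy choices (assumptions).
"""
import ipaddress
import re

# Shared secret shipped as the example value in FreeRADIUS's default clients.conf.
# A NAS still using it can be impersonated by anyone who has read that file.
KNOWN_EXAMPLE_SECRETS = {"testing123"}
MIN_SECRET_LEN = 16      # assumption: shorter secrets are cheap to guess offline
MAX_PREFIX_HOSTS = 256   # assumption: anything wider than a /24 is flagged

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)   # values with spaces are not handled


def strip_comments(text):
    """Drop '#' comments so commented-out entries are not audited."""
    return re.sub(r"#.*", "", text)


def parse_clients(text):
    """Return one dict per client block: name, network (or None) and secret."""
    clients = []
    for name, body in BLOCK_RE.findall(strip_comments(text)):
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        net = None
        try:
            if "/" in name or name[0].isdigit():
                net = ipaddress.ip_network(name, strict=False)
            elif "ipaddr" in kv:
                cidr = kv["ipaddr"]
                if "/" not in cidr and "netmask" in kv:
                    cidr = f"{cidr}/{kv['netmask']}"
                net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            net = None          # hostname or malformed address: width cannot be judged
        clients.append({"name": name, "network": net, "secret": kv.get("secret")})
    return clients


def audit(text):
    """Map each client name to a list of findings (empty list = nothing flagged)."""
    report = {}
    for c in parse_clients(text):
        findings = []
        secret = c["secret"]
        if secret is None:
            findings.append("no secret set")
        else:
            if secret in KNOWN_EXAMPLE_SECRETS:
                findings.append("uses the FreeRADIUS example secret")
            if len(secret) < MIN_SECRET_LEN:
                findings.append(f"secret shorter than {MIN_SECRET_LEN} characters")
        net = c["network"]
        if net is not None and net.num_addresses > MAX_PREFIX_HOSTS:
            findings.append(f"prefix covers {net.num_addresses} addresses; "
                            "any host in it can send requests with this secret")
        report[c["name"]] = findings
    return report


# Constructed sample: the post's block plus a localhost entry and one hardened per-AP entry.
SAMPLE_CLIENTS_CONF = """\
# constructed sample, modelled on the blog post's clients.conf
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other
}

client 192.168.0.0/16 {
        secret          = testing123
        shortname       = hotspot
        nastype         = other
}

client hotspot-ap1 {
        ipaddr   = 192.168.100.10
        netmask  = 32
        secret   = "kq7Vb2xP9sLw4nRt8mZc3yFh6jDa0eGu"   # constructed 32-char secret
        shortname = ap1
        nastype  = other
}
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLIENTS_CONF).items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```

Run it against a real file with `audit(open("/usr/local/etc/raddb/clients.conf").read())`; the fix for a flagged entry is one client block per access point with its own long random secret, which is also what FreeRADIUS's `readclients = yes` in sql.conf lets daloradius manage from the NAS table.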

Configure the Wifi AP
  • Log on to your access point's web GUI
  • Change the wireless security setting to
    • WPA Enterprise
    • Radius Server IP: 192.168.100.2
    • Radius Authentication Port: 1812

Wednesday, October 5, 2011

Freebsd + Freeradius (TTLS) + Daloradius + Access Point = Hotspot (Part1)

Hotspot Topology - My version

I am trying to set up this topology. So far I am able to configure the laptop, the AP and also Freeradius. Users can access the network after typing a username and password and being authenticated by Freeradius.

My configuration:
1. Freebsd 8.0
2. Freeradius 2.1.10_2
3. Apache 1.3.42
4. Mysql5-Server
5. Php5
6. Php5-mysql
7. Php5-gd
8. Pear-db
9. Daloradius 0.9.9

Step by step:
1. Install Freebsd + Apache + Mysql5-Server + Php5 + Php5-mysql
2. Install Php5-gd
    #cd /usr/ports/graphics/php5-gd
    #make install clean
3. Install Pear-db
    #cd /usr/ports/databases/pear-DB
    #make install clean
4. Install Freeradius
    #cd /usr/ports/net/freeradius2
    #make install clean
5. This installation creates the directory /usr/local/etc/raddb. All freeradius config files can be found there.
  • #cd /usr/local/etc/raddb
  • vi radiusd.conf
      ------------------------------------------------------------------------------------------------------
      prefix = /usr/local
      exec_prefix = ${prefix}
      sysconfdir = ${prefix}/etc
      localstatedir = /var
      sbindir = ${exec_prefix}/sbin
      logdir = /var/log
      raddbdir = ${sysconfdir}/raddb
      radacctdir = ${logdir}/radacct

      name = radiusd

      confdir = ${raddbdir}
      run_dir = ${localstatedir}/run/${name}

      db_dir = ${raddbdir}

      libdir = /usr/local/lib/freeradius-2.1.10

      pidfile = ${run_dir}/${name}.pid

      user = freeradius
      group = freeradius

      max_request_time = 30

      cleanup_delay = 5

      max_requests = 1024

      listen {
              type = auth
              ipaddr = *
              port = 0
      }

      listen {
              ipaddr = *
              port = 0
              type = acct
      }

      hostname_lookups = no

      allow_core_dumps = no

      regular_expressions = yes
      extended_expressions = yes

      log {
              destination = files
              file = ${logdir}/radius.log
              syslog_facility = daemon
              stripped_names = no
              auth = no
              auth_badpass = yes
              auth_goodpass = no
      }

      checkrad = ${sbindir}/checkrad

      security {
              max_attributes = 200
              reject_delay = 1
              status_server = yes
      }

      proxy_requests  = yes
      $INCLUDE proxy.conf

      $INCLUDE clients.conf

      thread pool {
              start_servers = 5
              max_servers = 32
              min_spare_servers = 3
              max_spare_servers = 10
              max_requests_per_server = 0
      }

      modules {
              $INCLUDE ${confdir}/modules/
              $INCLUDE eap.conf
              $INCLUDE sql.conf
      }

      instantiate {
              exec
              expr
              expiration
              logintime
      }

      $INCLUDE policy.conf
      $INCLUDE sites-enabled/
      -------------------------------------------------------------------------------------------------

  • vi sites-enabled/default
      --------------------------------------------------------------------------------------------------
      authorize {
              preprocess
              chap
              mschap
              digest
              suffix
              # ntdomain
              eap {
                      ok = return
              }
              files
              sql
              expiration
              logintime
              pap
      }

      authenticate {
              Auth-Type PAP {
                      pap
              }
              Auth-Type CHAP {
                      chap
              }
              Auth-Type MS-CHAP {
                      mschap
              }
              digest
              pam
              unix
              eap
      }

      preacct {
              preprocess
              acct_unique
              suffix
              files
      }

      accounting {
              detail
              sql
              sql_log
              exec
              attr_filter.accounting_response
      }

      session {
              radutmp
              sql
      }

      post-auth {
              sql
              sql_log
              exec
              wimax

              Post-Auth-Type REJECT {
                      attr_filter.access_reject
              }
      }

      pre-proxy {
      }

      post-proxy {
              eap
      }
      -----------------------------------------------------------------------------------------------------

  • vi /usr/local/etc/raddb/eap.conf
      ------------------------------------------------------------------------------------------------------
      eap {
              default_eap_type = ttls
              timer_expire     = 60
              ignore_unknown_eap_types = no
              cisco_accounting_username_bug = no
              max_sessions = 4096
              md5 {
              }
              leap {
              }
              gtc {
                      auth_type = PAP
              }

              tls {
                      certdir = ${confdir}/certs
                      cadir = ${confdir}/certs
                      private_key_password = 1234567890
                      private_key_file = ${certdir}/server.pem
                      certificate_file = ${certdir}/server.pem
                      CA_file = ${cadir}/ca.pem
                      dh_file = ${certdir}/dh
                      random_file = ${certdir}/random
                      CA_path = ${cadir}
                      cipher_list = "DEFAULT"

                      cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                      }

                      verify {
                      }
              }

              ttls {
                      default_eap_type = mschapv2
                      copy_request_to_tunnel = no
                      use_tunneled_reply = yes
                      virtual_server = "inner-tunnel"
              }

              peap {
                      default_eap_type = mschapv2
                      copy_request_to_tunnel = no
                      use_tunneled_reply = no
                      virtual_server = "inner-tunnel"
              }

              mschapv2 {
              }
      }
      --------------------------------------------------------------------------------------------------

  • vi /usr/local/etc/raddb/sql.conf
      ---------------------------------------------------------------------------------------------------
      sql {
              database = "mysql"
              driver = "rlm_sql_${database}"
              server = "localhost"
              login = "radadmin"
              password = "123qweasdzxc"
              radius_db = "radius"
              acct_table1 = "radacct"
              acct_table2 = "radacct"
              postauth_table = "radpostauth"
              authcheck_table = "radcheck"
              authreply_table = "radreply"
              groupcheck_table = "radgroupcheck"
              groupreply_table = "radgroupreply"
              usergroup_table = "radusergroup"
              deletestalesessions = yes
              sqltrace = yes
              sqltracefile = ${logdir}/sqltrace.sql
              num_sql_socks = 5
              connect_failure_retry_delay = 60
              lifetime = 0
              max_queries = 0
              readclients = yes
              nas_table = "nas"
              $INCLUDE sql/${database}/dialup.conf
      }
      ------------------------------------------------------------------------------------------------

  • vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
      ---------------------------------------------------------------------------------------------------
      server inner-tunnel {
              listen {
                      ipaddr = 127.0.0.1
                      port = 18120
                      type = auth
              }

              authorize {
                      chap
                      mschap
                      suffix
                      update control {
                              Proxy-To-Realm := LOCAL
                      }

                      eap {
                              ok = return
                      }

                      files

                      sql

                      expiration
                      logintime

                      pap
              }

              authenticate {
                      Auth-Type PAP {
                              pap
                      }

                      Auth-Type CHAP {
                              chap
                      }

                      Auth-Type MS-CHAP {
                              mschap
                      }

                      unix
                      eap
              }

              session {
                      sql
              }

              post-auth {
                      reply_log
                      sql

                      Post-Auth-Type REJECT {
                              attr_filter.access_reject
                      }
              }

              pre-proxy {
              }

              post-proxy {
                      eap
              }
      }
      -------------------------------------------------------------------------------------------------

  • Note: On my FreeBSD system, daloradius was unable to read the dictionary stored in /usr/local/etc/raddb. After googling around I found the solution: change the permission mode on /usr/local/etc/raddb.
  • chmod 755 /usr/local/etc/raddb, which results as follows

  • chown root:freeradius /usr/local/etc/raddb/dictionary
  • chmod 644 /usr/local/etc/raddb/dictionary


  • Log in to your MySQL server and create the radius database
  • #mysql -u root -p
  • mysql> create database radius;
  • mysql> grant all on radius.* to radadmin@localhost identified by "123qweasdzxc";
  • mysql> flush privileges;
  • mysql> quit
  • Test your Freeradius with the following command
  • # radiusd -X
  • If your configuration is OK, you will get

  • If you are not seeing the above status, recheck your configuration
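To make the test step concrete, here is an added example (not the blog post's own code, not FreeRADIUS and not radtest) of the PAP Access-Request/Access-Accept exchange between a NAS and a RADIUS server as specified in RFC 2865, with both sides in one Python process so it runs offline. It shows what radiusd -X is receiving on port 1812: the User-Password hidden with MD5 keyed by the shared secret and a random Request Authenticator, and the Response Authenticator that lets the NAS refuse a reply that was not produced by the holder of the secret. The user table, the AP address and the passwords are constructed; the secret testing123 is reused from the clients.conf in Part 2. EAP-TTLS as configured in eap.conf carries the exchange inside EAP-Message attributes and a TLS tunnel, which this example does not model.

```python
"""RADIUS PAP exchange per RFC 2865, NAS and server side in one process.

Added example: not the blog post's code, not FreeRADIUS and not radtest.
The user table, AP address and passwords are constructed; the shared
secret "testing123" is the one from the post's clients.conf.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs; length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs back into a list of (type, value_bytes)."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped (a password may not end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_access_request(secret, username, password, ident, authenticator=None):
    """NAS side. Returns (packet, request_authenticator); the authenticator must be fresh and random."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, bytes([192, 168, 100, 1])),   # constructed address of the AP
        (NAS_PORT, struct.pack("!I", 0)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def server_handle(packet, secret, users):
    """Server side: recover the password with its own copy of the secret, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Denied")])
    auth = response_authenticator(code, ident, reply_attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply_attrs)) + auth + reply_attrs

def verify_response(response, request_auth, secret):
    """NAS side: trust a reply only if its authenticator was computed with the secret and our request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])

def exchange(nas_secret, server_secret, username, password, users, ident=1):
    """One round trip; returns (reply code, authenticator verified by the NAS?)."""
    request, request_auth = build_access_request(nas_secret, username, password, ident)
    response = server_handle(request, server_secret, users)
    return response[0], verify_response(response, request_auth, nas_secret)

if __name__ == "__main__":
    users = {"bob": "hello"}                 # constructed; stands in for the radcheck table
    secret = b"testing123"
    print("good password  ", exchange(secret, secret, "bob", "hello", users))          # (2, True)
    print("wrong password ", exchange(secret, secret, "bob", "nope", users))           # (3, True)
    print("secret mismatch", exchange(secret, b"0th3rs3cr3t", "bob", "hello", users))  # (3, False)
```

The third case is what a mis-typed shared secret looks like from the server: the password decrypts to garbage, radiusd -X logs a reject for the user, and the NAS cannot verify the reply either. Because the only thing protecting the password on the wire is MD5 keyed with the secret, the secret length and the client prefix in clients.conf are what limit who can read or forge these packets.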


    Part 2 - Part 3