Hotspot Topology - My version
I am trying to set up this topology. So far I have been able to configure the laptop, the AP and also FreeRADIUS: a user can access the network after typing a username and password and being authenticated by FreeRADIUS.
My configuration :
1. Freebsd 8.0
2. Freeradius 2.1.10_2
3. Apache 1.3.42
4. Mysql5-Server
5. Php5
6. Php5-mysql
7. Php5-gd
8. Pear-db
9. Daloradius 0.9.9
step by step :
1. Install Freebsd + Apache + Mysql5-Server+Php5+Php5-mysql
2. Install Php5-gd
#cd /usr/ports/graphics/php5-gd
#make install clean
3. Install Pear-db
#cd /usr/ports/databases/pear-DB
#make install clean
4. Install Freeradius
#cd /usr/ports/net/freeradius2
#make install clean
5. This installation creates the directory /usr/local/etc/raddb; all FreeRADIUS config files can be found there.
- #cd /usr/local/etc/raddb
- vi radiusd.conf
- prefix = /usr/local
- exec_prefix = ${prefix}
- sysconfdir = ${prefix}/etc
- localstatedir = /var
- sbindir = ${exec_prefix}/sbin
- logdir = /var/log
- raddbdir = ${sysconfdir}/raddb
- radacctdir = ${logdir}/radacct
- name = radiusd
- confdir = ${raddbdir}
- run_dir = ${localstatedir}/run/${name}
- db_dir = ${raddbdir}
- libdir = /usr/local/lib/freeradius-2.1.10
- pidfile = ${run_dir}/${name}.pid
- user = freeradius
- group = freeradius
- max_request_time = 30
- cleanup_delay = 5
- max_requests = 1024
- listen {
- type = auth
- ipaddr = *
- port = 0
- }
- listen {
- ipaddr = *
- port = 0
- type = acct
- }
- hostname_lookups = no
- allow_core_dumps = no
- regular_expressions = yes
- extended_expressions = yes
- log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = no
- auth_badpass = yes
- auth_goodpass = no
- }
- checkrad = ${sbindir}/checkrad
- security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
- }
- proxy_requests = yes
- $INCLUDE proxy.conf
- $INCLUDE clients.conf
- thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
- }
- modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- }
- instantiate {
- exec
- expr
- expiration
- logintime
- }
- $INCLUDE policy.conf
- $INCLUDE sites-enabled/
- vi sites-enabled/default
--------------------------------------------------------------------------------------------------
- authorize {
- preprocess
- chap
- mschap
- digest
- suffix
- # ntdomain
- eap {
- ok = return
- }
- files
- sql
- expiration
- logintime
- pap
- }
- authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- digest
- pam
- unix
- eap
- }
- preacct {
- preprocess
- acct_unique
- suffix
- files
- }
- accounting {
- detail
- sql
- sql_log
- exec
- attr_filter.accounting_response
- }
- session {
- radutmp
- sql
- }
- post-auth {
- sql
- sql_log
- exec
- wimax
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
- }
- pre-proxy {
- }
- post-proxy {
- eap
- }
- Vi /usr/local/etc/raddb/eap.conf
- eap {
- default_eap_type = ttls
- timer_expire = 60
- ignore_unknown_eap_types = no
- cisco_accounting_username_bug = no
- max_sessions = 4096
- md5 {
- }
- leap {
- }
- gtc {
- auth_type = PAP
- }
- tls {
- certdir = ${confdir}/certs
- cadir = ${confdir}/certs
- private_key_password = 1234567890
- private_key_file = ${certdir}/server.pem
- certificate_file = ${certdir}/server.pem
- CA_file = ${cadir}/ca.pem
- dh_file = ${certdir}/dh
- random_file = ${certdir}/random
- CA_path = ${cadir}
- cipher_list = "DEFAULT"
- cache {
- enable = no
- lifetime = 24 # hours
- max_entries = 255
- }
- verify {
- }
- }
- ttls {
- default_eap_type = mschapv2
- copy_request_to_tunnel = no
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- }
- peap {
- default_eap_type = mschapv2
- copy_request_to_tunnel = no
- use_tunneled_reply = no
- virtual_server = "inner-tunnel"
- }
- mschapv2 {
- }
- }
- vi /usr/local/etc/raddb/sql.conf
- sql {
- database = "mysql"
- driver = "rlm_sql_${database}"
- server = "localhost"
- login = "radadmin"
- password = "123qweasdzxc"
- radius_db = "radius"
- acct_table1 = "radacct"
- acct_table2 = "radacct"
- postauth_table = "radpostauth"
- authcheck_table = "radcheck"
- authreply_table = "radreply"
- groupcheck_table = "radgroupcheck"
- groupreply_table = "radgroupreply"
- usergroup_table = "radusergroup"
- deletestalesessions = yes
- sqltrace = yes
- sqltracefile = ${logdir}/sqltrace.sql
- num_sql_socks = 5
- connect_failure_retry_delay = 60
- lifetime = 0
- max_queries = 0
- readclients = yes
- nas_table = "nas"
- $INCLUDE sql/${database}/dialup.conf
- }
------------------------------------------------------------------------------------------------
Part 2 - Part 3
- vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
- server inner-tunnel {
- listen {
- ipaddr = 127.0.0.1
- port = 18120
- type = auth
- }
- authorize {
- chap
- mschap
- suffix
- update control {
- Proxy-To-Realm := LOCAL
- }
- eap {
- ok = return
- }
- files
- sql
- expiration
- logintime
- pap
- }
- authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- unix
- eap
- }
- session {
- sql
- }
- post-auth {
- reply_log
- sql
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
- }
- pre-proxy {
- }
- post-proxy {
- eap
- }
- }
- Note: On FreeBSD, my daloradius was unable to read the dictionary stored in /usr/local/etc/raddb. After googling around I found the solution: change the permission mode on /usr/local/etc/raddb.
- chmod 755 /usr/local/etc/raddb, which results as follows:
- chown root:freeradius /usr/local/etc/raddb/dictionary
- chmod 644 /usr/local/etc/raddb/dictionary
- Only the dictionary is made world-readable here; keep sql.conf and eap.conf non-world-readable, since they hold the SQL password and the private key password shown above.
- Log in to your MySQL server and create the radius database (the user and password granted below must match login and password in sql.conf)
- #mysql -u root -p
- mysql > create database radius;
- mysql > grant all on radius.* to radadmin@localhost identified by "123qweasdzxc";
- mysql > flush privileges;
- mysql > quit
- Test your FreeRADIUS with the following command
- # radiusd -X
- If your configuration is OK, you will get the following status:
- If you do not see the above status, recheck your configuration