Results 1 to 5 of 5

Thread: HOW TO : Wifi Access Point with hostap + hostapd + freeradius + mysql backend Part 1

  1. #1
    Join Date
    Mar 2006
    Beans
    8
    Distro
    Dapper Drake Testing/

    HOW TO : Wifi Access Point with hostap + hostapd + freeradius + mysql backend Part 1

    Part 1


    This howto will allow you to setup a software access point on a Prism based card with hostap on your ubuntu but thats not all, this AP will support 128bit WEP rekeying every N seconds which makes it virtually imposible to crack, username/password authentication over a TLS/SSL tunnel using IEEE 802.1X from a radius server using a mysql database to store username/password information since using MSCHAP to authenticate requires that passwords are provided clear-text but they are transmited encrypted over the air. This way you can use web based radius administration to manage your accounts and have accounting at the same time. This setup supports both linux and windows clients. I believe that this is the best solution when you have to do with Prism based card that dont support WPA and I also believe that its the only way to run an access point. If someone feels diffently on this please post it here so I can shutdown my AP.

    I will divide this how in to parts 1 for setting up the access point and one to setup the clients


    Please note that this howto requires a certain amount of linux mysql and other administrative knowledge so I will not go in depth on a few steps

    Ok lets start.

    Lets setup our mysql server first

    Code:
    sudo apt-get install mysql-server mysql-server mysql-client
    mysqladmin -u root password
    <Enter your administrative password>
    I will describe the whole database here since its required to use accounting. This sql setup will allow you to use the dialupadmin web interface that is provided in the freeradius tarball.

    Code:
    -- MySQL dump 10.9
    --
    -- Host: localhost    Database: radius
    -- ------------------------------------------------------
    -- Server version	4.1.15-Debian_1ubuntu5-log
    
    /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
    /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
    /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
    /*!40101 SET NAMES utf8 */;
    /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
    /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
    /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
    /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
    
    --
    -- Table structure for table `badusers`
    --
    
    DROP TABLE IF EXISTS `badusers`;
    CREATE TABLE `badusers` (
      `id` int(10) NOT NULL auto_increment,
      `UserName` varchar(30) default NULL,
      `Date` datetime NOT NULL default '0000-00-00 00:00:00',
      `Reason` varchar(200) default NULL,
      `Admin` varchar(30) default '-',
      PRIMARY KEY  (`id`),
      KEY `UserName` (`UserName`),
      KEY `Date` (`Date`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `badusers`
    --
    
    
    /*!40000 ALTER TABLE `badusers` DISABLE KEYS */;
    LOCK TABLES `badusers` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `badusers` ENABLE KEYS */;
    
    --
    -- Table structure for table `mtotacct`
    --
    
    DROP TABLE IF EXISTS `mtotacct`;
    CREATE TABLE `mtotacct` (
      `MTotAcctId` bigint(21) NOT NULL auto_increment,
      `UserName` varchar(64) NOT NULL default '',
      `AcctDate` date NOT NULL default '0000-00-00',
      `ConnNum` bigint(12) default NULL,
      `ConnTotDuration` bigint(12) default NULL,
      `ConnMaxDuration` bigint(12) default NULL,
      `ConnMinDuration` bigint(12) default NULL,
      `InputOctets` bigint(12) default NULL,
      `OutputOctets` bigint(12) default NULL,
      `NASIPAddress` varchar(15) default NULL,
      PRIMARY KEY  (`MTotAcctId`),
      KEY `UserName` (`UserName`),
      KEY `AcctDate` (`AcctDate`),
      KEY `UserOnDate` (`UserName`,`AcctDate`),
      KEY `NASIPAddress` (`NASIPAddress`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `mtotacct`
    --
    
    
    /*!40000 ALTER TABLE `mtotacct` DISABLE KEYS */;
    LOCK TABLES `mtotacct` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `mtotacct` ENABLE KEYS */;
    
    --
    -- Table structure for table `nas`
    --
    
    DROP TABLE IF EXISTS `nas`;
    CREATE TABLE `nas` (
      `id` int(10) NOT NULL auto_increment,
      `nasname` varchar(128) NOT NULL default '',
      `shortname` varchar(32) default NULL,
      `type` varchar(30) default 'other',
      `ports` int(5) default NULL,
      `secret` varchar(60) NOT NULL default 'secret',
      `community` varchar(50) default NULL,
      `description` varchar(200) default 'RADIUS Client',
      PRIMARY KEY  (`id`),
      KEY `nasname` (`nasname`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `nas`
    --
    
    
    /*!40000 ALTER TABLE `nas` DISABLE KEYS */;
    LOCK TABLES `nas` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `nas` ENABLE KEYS */;
    
    --
    -- Table structure for table `radacct`
    --
    
    DROP TABLE IF EXISTS `radacct`;
    CREATE TABLE `radacct` (
      `RadAcctId` bigint(21) NOT NULL auto_increment,
      `AcctSessionId` varchar(32) NOT NULL default '',
      `AcctUniqueId` varchar(32) NOT NULL default '',
      `UserName` varchar(64) NOT NULL default '',
      `Realm` varchar(64) default '',
      `NASIPAddress` varchar(15) NOT NULL default '',
      `NASPortId` int(12) default NULL,
      `NASPortType` varchar(32) default NULL,
      `AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
      `AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
      `AcctSessionTime` int(12) default NULL,
      `AcctAuthentic` varchar(32) default NULL,
      `ConnectInfo_start` varchar(32) default NULL,
      `ConnectInfo_stop` varchar(32) default NULL,
      `AcctInputOctets` bigint(12) default NULL,
      `AcctOutputOctets` bigint(12) default NULL,
      `CalledStationId` varchar(50) NOT NULL default '',
      `CallingStationId` varchar(50) NOT NULL default '',
      `AcctTerminateCause` varchar(32) NOT NULL default '',
      `ServiceType` varchar(32) default NULL,
      `FramedProtocol` varchar(32) default NULL,
      `FramedIPAddress` varchar(15) NOT NULL default '',
      `AcctStartDelay` int(12) default NULL,
      `AcctStopDelay` int(12) default NULL,
      PRIMARY KEY  (`RadAcctId`),
      KEY `UserName` (`UserName`),
      KEY `FramedIPAddress` (`FramedIPAddress`),
      KEY `AcctSessionId` (`AcctSessionId`),
      KEY `AcctUniqueId` (`AcctUniqueId`),
      KEY `AcctStartTime` (`AcctStartTime`),
      KEY `AcctStopTime` (`AcctStopTime`),
      KEY `NASIPAddress` (`NASIPAddress`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `radacct`
    --
    
    
    /*!40000 ALTER TABLE `radacct` DISABLE KEYS */;
    LOCK TABLES `radacct` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `radacct` ENABLE KEYS */;
    
    --
    -- Table structure for table `radcheck`
    --
    
    DROP TABLE IF EXISTS `radcheck`;
    CREATE TABLE `radcheck` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `UserName` varchar(64) NOT NULL default '',
      `Attribute` varchar(32) NOT NULL default '',
      `op` char(2) NOT NULL default '==',
      `Value` varchar(253) NOT NULL default '',
      PRIMARY KEY  (`id`),
      KEY `UserName` (`UserName`(32))
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `radcheck`
    --
    
    
    /*!40000 ALTER TABLE `radcheck` DISABLE KEYS */;
    LOCK TABLES `radcheck` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `radcheck` ENABLE KEYS */;
    
    --
    -- Table structure for table `radgroupcheck`
    --
    
    DROP TABLE IF EXISTS `radgroupcheck`;
    CREATE TABLE `radgroupcheck` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `GroupName` varchar(64) NOT NULL default '',
      `Attribute` varchar(32) NOT NULL default '',
      `op` char(2) NOT NULL default '==',
      `Value` varchar(253) NOT NULL default '',
      PRIMARY KEY  (`id`),
      KEY `GroupName` (`GroupName`(32))
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `radgroupcheck`
    --
    
    
    /*!40000 ALTER TABLE `radgroupcheck` DISABLE KEYS */;
    LOCK TABLES `radgroupcheck` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `radgroupcheck` ENABLE KEYS */;
    
    --
    -- Table structure for table `radgroupreply`
    --
    
    DROP TABLE IF EXISTS `radgroupreply`;
    CREATE TABLE `radgroupreply` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `GroupName` varchar(64) NOT NULL default '',
      `Attribute` varchar(32) NOT NULL default '',
      `op` char(2) NOT NULL default '=',
      `Value` varchar(253) NOT NULL default '',
      `prio` int(10) unsigned NOT NULL default '0',
      PRIMARY KEY  (`id`),
      KEY `GroupName` (`GroupName`(32))
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `radgroupreply`
    --
    
    
    /*!40000 ALTER TABLE `radgroupreply` DISABLE KEYS */;
    LOCK TABLES `radgroupreply` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `radgroupreply` ENABLE KEYS */;
    
    --
    -- Table structure for table `radpostauth`
    --
    
    DROP TABLE IF EXISTS `radpostauth`;
    CREATE TABLE `radpostauth` (
      `id` int(11) NOT NULL auto_increment,
      `user` varchar(64) NOT NULL default '',
      `pass` varchar(64) NOT NULL default '',
      `reply` varchar(32) NOT NULL default '',
      `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
      PRIMARY KEY  (`id`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `radpostauth`
    --
    
    
    /*!40000 ALTER TABLE `radpostauth` DISABLE KEYS */;
    LOCK TABLES `radpostauth` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `radpostauth` ENABLE KEYS */;
    
    --
    -- Table structure for table `radreply`
    --
    
    DROP TABLE IF EXISTS `radreply`;
    CREATE TABLE `radreply` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `UserName` varchar(64) NOT NULL default '',
      `Attribute` varchar(32) NOT NULL default '',
      `op` char(2) NOT NULL default '=',
      `Value` varchar(253) NOT NULL default '',
      PRIMARY KEY  (`id`),
      KEY `UserName` (`UserName`(32))
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `radreply`
    --
    
    
    /*!40000 ALTER TABLE `radreply` DISABLE KEYS */;
    LOCK TABLES `radreply` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `radreply` ENABLE KEYS */;
    
    --
    -- Table structure for table `totacct`
    --
    
    DROP TABLE IF EXISTS `totacct`;
    CREATE TABLE `totacct` (
      `TotAcctId` bigint(21) NOT NULL auto_increment,
      `UserName` varchar(64) NOT NULL default '',
      `AcctDate` date NOT NULL default '0000-00-00',
      `ConnNum` bigint(12) default NULL,
      `ConnTotDuration` bigint(12) default NULL,
      `ConnMaxDuration` bigint(12) default NULL,
      `ConnMinDuration` bigint(12) default NULL,
      `InputOctets` bigint(12) default NULL,
      `OutputOctets` bigint(12) default NULL,
      `NASIPAddress` varchar(15) default NULL,
      PRIMARY KEY  (`TotAcctId`),
      KEY `UserName` (`UserName`),
      KEY `AcctDate` (`AcctDate`),
      KEY `UserOnDate` (`UserName`,`AcctDate`),
      KEY `NASIPAddress` (`NASIPAddress`),
      KEY `NASIPAddressOnDate` (`AcctDate`,`NASIPAddress`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `totacct`
    --
    
    
    /*!40000 ALTER TABLE `totacct` DISABLE KEYS */;
    LOCK TABLES `totacct` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `totacct` ENABLE KEYS */;
    
    --
    -- Table structure for table `usergroup`
    --
    
    DROP TABLE IF EXISTS `usergroup`;
    CREATE TABLE `usergroup` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `UserName` varchar(64) NOT NULL default '',
      `GroupName` varchar(64) NOT NULL default '',
      PRIMARY KEY  (`id`),
      KEY `UserName` (`UserName`(32))
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `usergroup`
    --
    
    
    /*!40000 ALTER TABLE `usergroup` DISABLE KEYS */;
    LOCK TABLES `usergroup` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `usergroup` ENABLE KEYS */;
    
    --
    -- Table structure for table `userinfo`
    --
    
    DROP TABLE IF EXISTS `userinfo`;
    CREATE TABLE `userinfo` (
      `id` int(10) NOT NULL auto_increment,
      `UserName` varchar(30) default NULL,
      `Name` varchar(200) default NULL,
      `Mail` varchar(200) default NULL,
      `Department` varchar(200) default NULL,
      `WorkPhone` varchar(200) default NULL,
      `HomePhone` varchar(200) default NULL,
      `Mobile` varchar(200) default NULL,
      PRIMARY KEY  (`id`),
      KEY `UserName` (`UserName`),
      KEY `Departmet` (`Department`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    
    --
    -- Dumping data for table `userinfo`
    --
    
    
    /*!40000 ALTER TABLE `userinfo` DISABLE KEYS */;
    LOCK TABLES `userinfo` WRITE;
    UNLOCK TABLES;
    /*!40000 ALTER TABLE `userinfo` ENABLE KEYS */;
    
    /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
    /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
    /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
    /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
    /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
    /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
    /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

    Lets insert a username and password in the database

    Code:
    INSERT INTO `radcheck` VALUES (1,'phoboulinos','User-Password','==','supersecret');
    Lets create a user group to state that it will use EAP authentication

    Code:
    INSERT INTO `radgroupcheck` VALUES (1,'WifiAP-EAP','Auth-Type','==','EAP');
    Insert user "phoboulinos" in that group

    Code:
    INSERT INTO `usergroup` VALUES (6,'phoboulinos','WifiAP-EAP');
    Insert user information (Looks good in the radius log and web interface)

    Code:
    INSERT INTO `userinfo` VALUES (1,'phoboulinos','Stratos Goudelis','phobos@artica.gr','','-','-','-');
    Ok, now that our mysql database is setup we must compile freeradius from source (sorry guys), apperantly, the breezy deb does not have a TLS EAP module required in this setup.

    Get it here ftp://ftp.freeradius.org/pub/radius/...s-1.1.0.tar.gz
    There is a good howto on compiling freeradius and using it with mysql here : http://www.frontios.com/freeradius.html but not everything stated there is what we are trying to do here so some things may not work. Although the configuration about how to make freeradius use mysql is correct and just that.

    I will not go through the process of compiling freeradius (it been a while since I did it and I dont want to mess up my setup), I will tell though that you must compile it with all availiable options especially anything that has to to with TLS PEAP EAP SSL SQL MSCHAP

    We will configure freeradius later in this howto.

    Next we must setup hostap + hostapd

    If you have a Prism-based card ubuntu should already have inserted the module hostap and hostap_pci (if it a PCI). If you have a PCMCIA card or anything else with a Prism chip you must setup it up, I will not go in to that. Fortunatly the Ubuntu team has everyting compiled for hostap related functions and they did a very good job to.

    When you have made sure that the hostap modules are correclty inserted you should ... well look what I have done with my setup:

    File : /etc/network/interface
    Code:
    auto br0
    iface br0 inet static
           address 10.10.10.100
           netmask 255.255.255.128
           gateway 10.10.10.100 
           bridge_ports wlan0 eth0
           up \
           /sbin/iwconfig wlan0 essid MY_SSID && \
           /sbin/iwconfig wlan0 channel 8 && \
           /sbin/iwconfig wlan0 mode Master
    For the sake of privacy I used fake ips here but I normally use real ips and bridge my ethernet card with my wlan card so that the clients that use the access point will be able to use real ips to. I also use iwconfig to set my access point name, MY_SSID in this case, set the channel to 8 (use kismet to see which chanell is rarely used in your area) and set the card in Master mode.

    Please note that until hostapd launches the access point will be unecrypted and it should transmit every packet the bridge captures.

    Lets setup hostapd authenticator

    Code:
    sudo apt-get install hostapd hostap-utils

    Here is my /etc/hostapd/hostapd.conf

    Code:
    # Lose the comment after its line
    
    ssid=MY_SSID
    interface=wlan0 # The interface name of the card
    driver=hostap   # The card driver
    macaddr_acl=0
    accept_mac_file=/etc/hostapd.accept
    deny_mac_file=/etc/hostapd.deny
    ieee8021x=1    # Use 802.1X authentication
    wep_key_len_broadcast=13
    wep_key_len_unicast=13
    wep_rekey_period=300   # WEP rekeying interval
    own_ip_addr=10.10.10.100  # The interface IP
    nas_identifier=some_name
    auth_server_addr=127.0.0.1 # Where is the radius server
    auth_server_port=1812      # The port the radius server runs on
    auth_server_shared_secret=supersecretradiuskey  # This is used to authenticate the hostapd to the radius server so none can use your raduis server
    acct_server_addr=127.0.0.1 # Where is the radius server
    acct_server_port=1813      # Where the accounting port is (I think)
    acct_server_shared_secret=supersecretradiuskey # Same as above
    Here comes the hard part, configuring freeradius

    Go there the freeradius confs are, the default dir /usr/local/etc/raddb
    Leave everything as it is except what I say here, I will try to remember everything

    You must edit the following files and not replace them I will only show what I have edited.
    Also you might need to keep the original files because the comment they have are very informative.

    File : clients.conf

    Code:
    client 127.0.0.1 {
            secret          = supersecretradiuskey
            shortname       = some_name
    }
    This will accept connections only from localhost, (we dont want to show up in nmap now do we ? )


    File : eap.conf

    Code:
            eap {
                    default_eap_type = peap
                    timer_expire     = 60
                    ignore_unknown_eap_types = no
                    cisco_accounting_username_bug = no
                    md5 {
                    }
                    leap {
                    }
                    gtc {
                            auth_type = PAP
                    }
                    tls {
                            private_key_password = whatever
                            private_key_file = ${raddbdir}/certs/cert-srv.pem
                            certificate_file = ${raddbdir}/certs/cert-srv.pem
                            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                            dh_file = ${raddbdir}/certs/dh
                            random_file = /dev/urandom
                    }
                    peap {
                            default_eap_type = mschapv2
                    }
                    mschapv2 {
                    }
            }
    File : radiusd.conf
    NOTE: What follows is NOT the whole file, you must edit it and make the respective sections of it look like this
    Code:
    modules {
    	pap {
    		encryption_scheme = crypt
    	}
    	chap {
    		authtype = CHAP
    	}
    	pam {
    		pam_auth = radiusd
    	}
    	unix {
    		cache = no
    		cache_reload = 600
    		radwtmp = ${logdir}/radwtmp
    	}
    $INCLUDE ${confdir}/eap.conf
    	mschap {
    		authtype = MS-CHAP
    		
    		use_mppe = yes
    		require_encryption = yes
    		require_strong = yes
    	}
    	ldap {
    		server = "ldap.your.domain"
    		basedn = "o=My Org,c=UA"
    		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    		start_tls = no
    		access_attr = "dialupAccess"
    		dictionary_mapping = ${raddbdir}/ldap.attrmap
    		ldap_connections_number = 5
    		timeout = 4
    		timelimit = 3
    		net_timeout = 1
    	}
    	realm IPASS {
    		format = prefix
    		delimiter = "/"
    		ignore_default = no
    		ignore_null = no
    	}
    	realm suffix {
    		format = suffix
    		delimiter = "@"
    		ignore_default = no
    		ignore_null = no
    	}
    	realm realmpercent {
    		format = suffix
    		delimiter = "%"
    		ignore_default = no
    		ignore_null = no
    	}
    	realm ntdomain {
    		format = prefix
    		delimiter = "\\"
    		ignore_default = no
    		ignore_null = no
    	}	
    	checkval {
    		item-name = Calling-Station-Id
    		check-name = Calling-Station-Id
    		data-type = string
    	}
    	
    	preprocess {
    		huntgroups = ${confdir}/huntgroups
    		hints = ${confdir}/hints
    		with_ascend_hack = no
    		ascend_channels_per_line = 23
    		with_ntdomain_hack = no
    		with_specialix_jetstream_hack = no
    		with_cisco_vsa_hack = no
    	}
    	files {
    		usersfile = ${confdir}/users
    		acctusersfile = ${confdir}/acct_users
    		preproxy_usersfile = ${confdir}/preproxy_users
    		compat = no
    	}
    	detail {
    		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
    		detailperm = 0600
    	}
    	acct_unique {
    		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    	}
    	$INCLUDE  ${confdir}/sql.conf
    	
    	radutmp {
    		filename = ${logdir}/radutmp
    		username = %{User-Name}
    		case_sensitive = yes
    		check_with_nas = yes		
    		perm = 0600
    		callerid = "yes"
    	}
    	radutmp sradutmp {
    		filename = ${logdir}/sradutmp
    		perm = 0644
    		callerid = "no"
    	}
    	attr_filter {
    		attrsfile = ${confdir}/attrs
    	}
    	counter daily {
    		filename = ${raddbdir}/db.daily
    		key = User-Name
    		count-attribute = Acct-Session-Time
    		reset = daily
    		counter-name = Daily-Session-Time
    		check-name = Max-Daily-Session
    		allowed-servicetype = Framed-User
    		cache-size = 5000
    	}
    	sqlcounter dailycounter {
    		counter-name = Daily-Session-Time
    		check-name = Max-Daily-Session
    		sqlmod-inst = sql
    		key = User-Name
    		reset = daily
    		query = "SELECT SUM(AcctSessionTime - \
                     GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                     FROM radacct WHERE UserName='%{%k}' AND \
                     UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    	}
    	sqlcounter monthlycounter {
    		counter-name = Monthly-Session-Time
    		check-name = Max-Monthly-Session
    		sqlmod-inst = sql
    		key = User-Name
    		reset = monthly
    		query = "SELECT SUM(AcctSessionTime - \
                     GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                     FROM radacct WHERE UserName='%{%k}' AND \
                     UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    	}
    	always fail {
    		rcode = fail
    	}
    	always reject {
    		rcode = reject
    	}
    	always ok {
    		rcode = ok
    		simulcount = 0
    		mpp = no
    	}
    	expr {
    	}
    	digest {
    	}
    	exec {
    		wait = yes
    		input_pairs = request
    	}
    	exec echo {
    		wait = yes
    		program = "/bin/echo %{User-Name}"
    		input_pairs = request
    		output_pairs = reply
    	}
    	ippool main_pool {
    		range-start = 192.168.1.1
    		range-stop = 192.168.3.254
    		netmask = 255.255.255.0
    		cache-size = 800
    		session-db = ${raddbdir}/db.ippool
    		ip-index = ${raddbdir}/db.ipindex
    		override = no
    		maximum-timeout = 0
    	}
    }
    instantiate {
    	exec
    	expr
    }
    authorize {
    	preprocess
    	
    	chap
    	mschap
    	suffix
    	eap
    	files
    	sql
    }
    authenticate {
    	Auth-Type PAP {
    		pap
    	}
    	Auth-Type CHAP {
    		chap
    	}
    	Auth-Type MS-CHAP {
    		mschap
    	}
    	unix
    	eap
    }
    preacct {
    	preprocess
    	acct_unique
    	suffix
    	files
    }
    accounting {
    	detail
    	unix
    	radutmp
    	sql
    }
    session {
    	radutmp
    }
    post-auth {
    	sql
    }
    pre-proxy {
    }
    post-proxy {
    	eap
    }
    File : sql.conf
    NOTE: You can safely move the original file somewhere else for backup and make it look like this, just change the mysql username password

    Code:
    sql {
    	driver = "rlm_sql_mysql"
    	server = "localhost"
    	login = "root"
    	password = "<MYSQL Administrative password here>"
    	radius_db = "radius"
    	acct_table1 = "radacct"
    	acct_table2 = "radacct"
    	postauth_table = "radpostauth"
    	authcheck_table = "radcheck"
    	authreply_table = "radreply"
    	groupcheck_table = "radgroupcheck"
    	groupreply_table = "radgroupreply"
    	usergroup_table = "usergroup"
    	nas_table = "nas"
    	deletestalesessions = yes
    	sqltrace = no
    	sqltracefile = ${logdir}/sqltrace.sql
    	num_sql_socks = 5
    	connect_failure_retry_delay = 60
    	sql_user_name = "%{User-Name}"
    	authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
              FROM ${authcheck_table} \
              WHERE Username = '%{SQL-User-Name}' \
              ORDER BY id"
    	authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
              FROM ${authreply_table} \
              WHERE Username = '%{SQL-User-Name}' \
              ORDER BY id"
    	authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op  FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
    	authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op  FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
    	accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
    	accounting_update_query = "UPDATE ${acct_table1} \
              SET FramedIPAddress = '%{Framed-IP-Address}', \
              AcctSessionTime = '%{Acct-Session-Time}', \
              AcctInputOctets = '%{Acct-Input-Octets}', \
              AcctOutputOctets = '%{Acct-Output-Octets}' \
              WHERE AcctSessionId = '%{Acct-Session-Id}' \
              AND UserName = '%{SQL-User-Name}' \
              AND NASIPAddress= '%{NAS-IP-Address}'"
    	accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
    	accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
    	accounting_start_query_alt  = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    	accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    	accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
    	simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
    	group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
    	postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
    	readclients = yes
    }

    I think this is everything, now here are some tips running everything

    I suggest you run the radius server in verbose mode to report everything, very good for debugging purposes, something you may need to do.

    Code:
    # radiusd -X
    Same thing applies when running hostapd, you may need to see the messages hostapd prints to test everything

    Code:
    # hostapd /etc/hostapd/hostapd.conf
    Note: Run everything in this order:

    1. Ubuntu loads hostap modules for the card
    Note: Until hostapd starts the access point does not have encryption you should know that
    2. MySQL starts
    3. Radius server starts
    3. hostapd starts


    The dialupadmin web interface uses the sql database I described here BUT it does not support many of the thing we are doing here, I use a modified version (modified by me) I will post it here if neccesary but I thing that someone should make a new one.

    This is the end of Part 1
    Last edited by phoboulinos; April 2nd, 2006 at 04:51 AM.

  2. #2
    Join Date
    Sep 2005
    Beans
    56

    Re: HOW TO : Wifi Access Point with hostap + hostapd + freeradius + mysql backend Part 1

    And part two?

  3. #3
    Join Date
    Jul 2007
    Beans
    11

    Re: HOW TO : Wifi Access Point with hostap + hostapd + freeradius + mysql backend Par

    not a bad post, but is there a part 2?

  4. #4
    Join Date
    May 2008
    Beans
    137

    Re: HOW TO : Wifi Access Point with hostap + hostapd + freeradius + mysql backend Par

    Quote Originally Posted by sangamc View Post
    not a bad post, but is there a part 2?
    Yes there is:

    http://ubuntuforums.org/showthread.php?t=151782

  5. #5
    Join Date
    Aug 2011
    Beans
    1

    Re: HOW TO : Wifi Access Point with hostap + hostapd + freeradius + mysql backend Par

    Hi,

    I found this very nice howto, thanks for that !
    I've one question about the clear-text password in the database, there is no solution to encrypt the password with md5 or sha1 with EAP-TTLS ?

    Thanks for your help.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •