Setting up FreeRADIUS to authenticate against LDAP

This is the most critical step in integrating RADIUS with LDAP to support the One Account Policy.

An article on LDAP is available at http://kusprayitna.staff.uii.ac.id/category/application/ldap-application/

The features required of this LDAP authentication are:

  1. The LDAP server is on another host
  2. All accounts use the student/staff ID number (the uid) for access
  3. All accounts can automatically access the hotspot through RADIUS authentication
  4. The RADIUS response/output is controlled not by LDAP but by a separate script tied to voucher management

1. Adjust radius.conf

# vi /etc/radius.conf

Find the sections shown in points a, b and c below and adjust them.
a. LDAP server settings

ldap {
    server = "192.168.0.4"
    identity = "cn=manager,dc=uii,dc=ac,dc=id"
    password = password
    basedn = "dc=uii,dc=ac,dc=id"

    #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    filter = "(uid=%u)"
    # base_filter = "(objectclass=radiusprofile)"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no

    # tls_cacertfile = /path/to/cacert.pem
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile = /path/to/radius.crt
    # tls_keyfile = /path/to/radius.key
    # tls_randfile = /path/to/rnd
    # tls_require_cert = "demand"

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "uid"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5

    timeout = 4
    timelimit = 3
    net_timeout = 1

}

b. authorize with ldap

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap

c. authenticate with ldap

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
    ldap
}
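The ldap block in step 1a is where this setup's security-relevant choices sit: start_tls = no, a manager DN with a placeholder bind password, and access_attr = uid (which is what makes feature 3, every account gets hotspot access, happen). As an added example that is not part of the original article, the following Python script extracts an ldap { } block from radiusd.conf text and reports on exactly those settings. The two embedded configurations are constructed: one mirrors the block above, the other is a hardened variant with made-up hostnames and credentials. The finding list encodes my reading of the rlm_ldap options (server, start_tls, tls_require_cert, identity/password, access_attr), not anything the article states.

```python
"""Lint an rlm_ldap block from radiusd.conf for transport and access-control weaknesses.
Added example, not from the article or the FreeRADIUS project."""
import re

# Constructed replica of the article's ldap { } block.
WEAK_CONFIG = '''
ldap {
    server = "192.168.0.4"
    identity = "cn=manager,dc=uii,dc=ac,dc=id"
    password = password
    basedn = "dc=uii,dc=ac,dc=id"
    filter = "(uid=%u)"
    # set this to 'yes' to use TLS encrypted connections
    start_tls = no
    # tls_require_cert = "demand"
    access_attr = "uid"
    ldap_connections_number = 5
}
'''

# Constructed hardened variant: TLS on with the server certificate verified, a dedicated
# read-only bind account with a non-placeholder password (the value is made up), and a
# purpose-built access attribute instead of uid.
HARDENED_CONFIG = '''
ldap {
    server = "ldap.example.test"
    identity = "cn=radius-bind,ou=services,dc=example,dc=test"
    password = "Zq9!vL2#pR8wT"
    basedn = "dc=example,dc=test"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = yes
    tls_cacertfile = /etc/raddb/certs/ca.pem
    tls_require_cert = "demand"
    access_attr = "radiusAccess"
}
'''

PLACEHOLDER_PASSWORDS = {"", "password", "secret", "xxxx", "changeme", "radius"}


def extract_block(text, name):
    """Return the text between the braces of `name { ... }`, honouring nested braces
    (the %{...} xlat braces inside a filter value are balanced, so they net to zero)."""
    start = re.search(r'^\s*' + re.escape(name) + r'\s*\{', text, re.M)
    if not start:
        raise ValueError("no %s { } block found" % name)
    depth = 0
    for pos in range(start.end() - 1, len(text)):
        if text[pos] == '{':
            depth += 1
        elif text[pos] == '}':
            depth -= 1
            if depth == 0:
                return text[start.end():pos]
    raise ValueError("unterminated %s block" % name)


def parse_settings(block):
    """key = value pairs; comment lines are skipped and straight or curly quotes stripped."""
    settings = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep:
            settings[key.strip()] = value.strip().strip('"\'\u201c\u201d\u2018\u2019\u2033')
    return settings


def audit_ldap_config(text):
    """Return a list of (finding-id, explanation) for the ldap block found in `text`."""
    s = parse_settings(extract_block(text, "ldap"))
    findings = []
    server = s.get("server", "").lower()
    tls_on = s.get("start_tls", "no").lower() == "yes" or server.startswith("ldaps://")
    if not tls_on:
        findings.append(("cleartext-ldap", "start_tls = no and server is not ldaps://: the manager bind "
                         "and every user password that rlm_ldap checks cross the network in the clear"))
    elif s.get("tls_require_cert", "").lower() != "demand":
        findings.append(("no-cert-verify", "TLS is on but tls_require_cert is not \"demand\", "
                         "so the LDAP server's certificate is not verified"))
    if s.get("password", "").lower() in PLACEHOLDER_PASSWORDS:
        findings.append(("placeholder-bind-password", "the bind password is empty or a placeholder value"))
    if s.get("identity", "").lower().startswith("cn=manager"):
        findings.append(("manager-bind", "radiusd binds as the directory manager; a read-only service "
                         "account limited to the user subtree is enough for lookups"))
    if s.get("access_attr", "").lower() == "uid":
        findings.append(("access-attr-uid", "access_attr = uid admits every entry that has a uid, so "
                         "disabled or departed accounts are not excluded by this setting"))
    return findings


if __name__ == "__main__":
    for fid, why in audit_ldap_config(WEAK_CONFIG):
        print("%-26s %s" % (fid, why))
    print("hardened block:", audit_ldap_config(HARDENED_CONFIG))
```

Run it against a real radiusd.conf by reading the file into `audit_ldap_config`; the access_attr finding is informational, since on this page the all-accounts behaviour is deliberate, but it is the setting to revisit if disabled accounts must lose hotspot access.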

2. Adjust users

# vi /etc/raddb/users

Change Auth-Type from System to LDAP

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT Auth-Type = System
# Fall-Through = 1

DEFAULT Auth-Type := LDAP
Fall-Through = 1

3. Testing

a. LDAP

# radtest 999999 pwd 127.0.0.1 1812 radiusuii
Sending Access-Request of id 43 to 127.0.0.1 port 1812
User-Name = "999999"
User-Password = "pwd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=43, length=20

b. MySQL

# radtest prayitna prayitna 127.0.0.1 1812 radiusuii
Sending Access-Request of id 47 to 127.0.0.1 port 1812
User-Name = "prayitna"
User-Password = "password1"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=44
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1500

c. file

# radtest user1 password1 127.0.0.1 1812 radiusuii
Sending Access-Request of id 52 to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "password1"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=52, length=20

Success
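The three radtest runs above exercise PAP over RADIUS with the shared secret radiusuii, and what that secret actually does is easy to miss from the output. Here is an added Python example, not from the article, that builds the same Access-Request radtest sends, hides the password as RFC 2865 prescribes, answers it from an in-memory table standing in for the LDAP directory, and checks the Response Authenticator on the way back. The user 999999/pwd and the NAS values come from the test run; the DIRECTORY table and the in-process server are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865 PAP), both peers modelled
in-process. Added example, not code from the article or from FreeRADIUS."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

# Constructed credential store standing in for the LDAP directory (uid 999999 / pwd as in the test run).
DIRECTORY = {"999999": b"pwd"}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode a TLV attribute list into {type: value}; truncated entries are rejected."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * ((-len(plain)) % 16 or (16 if not plain else 0))
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def recover_password(hidden, secret, request_auth):
    """Server side of hide_password; the chain value is the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    """The packet radtest sends: NAS-IP-Address 255.255.255.255 and NAS-Port 1812 as in the output above."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton("255.255.255.255"))
             + _attr(NAS_PORT, struct.pack("!I", 1812)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def radius_server(packet, secret):
    """Model the FreeRADIUS side: unhide the PAP password, compare with DIRECTORY, answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = recover_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    stored = DIRECTORY.get(user)
    ok = stored is not None and hmac.compare_digest(stored, given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, b"", secret)


def verify_response(packet, request_auth, secret):
    """Client-side check that the reply came from a peer holding the shared secret."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def run_exchange(username, password, client_secret, server_secret=None):
    """Return (reply code, authenticator verified) for one request/reply round trip."""
    server_secret = client_secret if server_secret is None else server_secret
    request_auth = os.urandom(16)
    request = build_access_request(43, username, password, client_secret, request_auth)
    reply = radius_server(request, server_secret)
    return reply[0], verify_response(reply, request_auth, client_secret)


if __name__ == "__main__":
    print(run_exchange("999999", "pwd", b"radiusuii"))            # (2, True): Access-Accept
    print(run_exchange("999999", "wrong", b"radiusuii"))          # (3, True): Access-Reject
    print(run_exchange("999999", "pwd", b"radiusuii", b"other"))  # (3, False): secret mismatch
```

The third call is the case worth remembering: when the NAS and the server disagree on the secret, the server unhides garbage and rejects, and the reply's authenticator does not verify on the client, which is how a wrong `clients.conf` entry shows up in practice. Because the whole scheme rests on MD5 of the secret, the secret's length and unpredictability are the only thing separating an authorised NAS from anyone else on the path.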

Playing music files in the terminal

On Linux you can play your favourite music files not only with GUI applications but also from the terminal, which makes you feel like a skilled programmer or a hacker. First install the application called sox to play files such as ogg, wav and so on; for mp3 files you can use mpg123 or ffmpeg.
To install mpg123, type the following command in your terminal. Note that you need an internet connection or a ready-to-use DVD repository; if you have neither, look in the Kambing repo from an internet cafe and download the mpg123 file.

najat@najat-desktop:~$ sudo su
[sudo] password for najat:
root@najat-desktop:/home/najat# sudo apt-get install mpg123

Once it is installed you can use it by typing

root@najat-desktop:/home/najat/Music# mpg123 *mp3

Note: first change into your music directory or the folder containing the music files.
mpg123 only supports mp3 files, so for other formats you can use sox.

Installation is the same; just type

sudo apt-get install sox

To play a music file just type

play .ogg, or you can also use play *.ogg

It is best to read the manual first to learn the other features, such as: to skip to the next song press Ctrl-C, and to stop press Ctrl-C twice. For other controls in mpg123 you can type the command
mpg123 -C -z *mp3
which plays the files in random order and gives you control keys to raise/lower the volume with +/-, f for forward, and so on.
To read the manual just type
man mpg123 to see the mpg123 manual, or man sox to see the sox manual.


Rarely used material:

Link

http://cipanaslinuxer.wordpress.com/2009/11/05/memainkan-file-musik-di-terminal/


Here is the full command reference:


NAME
    mpg123 - play audio MPEG 1.0/2.0 file (layers 1, 2 and 3)

SYNOPSIS
    mpg123 [ -tscCvqy01m24 ] [ -b size ] [ -k num ] [ -n num ] [ -f factor ] [ -r rate ] [ -g gain ] [ -a dev ] [ -o s | -o h | -o l ] [ -d n ] [ -h n ] [ -p proxy ] [ -u u ] [ -@ file ] file ... | URL ... | -

DESCRIPTION
    mpg123 reads one or more files (or standard input if ``-'' is specified) or URLs and plays them on the audio device (default) or outputs them to stdout. file/URL is assumed to be an MPEG-1/2 audio bit stream.

OPTIONS
    mpg123 options may be either the traditional POSIX one letter options, or the GNU style long options. POSIX style options start with a single ``-'', while GNU long options start with ``--''.

    -t, --test
        Test mode. The audio stream is decoded, but no output occurs.

    -s, --stdout
        The decoded audio samples are written to standard output, instead of playing them through the audio device. This option must be used if your audio hardware is not supported by mpg123. The output format is raw (headerless) linear PCM audio data, 16 bit, stereo, host byte order.

    -c, --check
        Check for filter range violations, and report them for each frame if any occur.

    -C, --control
        Enable control keys. By default use 's' to stop, 'p' to pause, 'f' to jump forward to the next song, 'b' to jump back to the beginning of the song, ',' to rewind, '.' to fast forward, and 'q' to quit.

    -v, --verbose
        Increase the verbosity level. For example, displays the frame numbers during decoding.

    -q, --quiet
        Quiet. Suppress diagnostic messages.

    -y, --resync
        Try to resync and continue decoding if an error occurs in the input file. Also try to recover from certain broken headers. Useful if you have a broken MPEG file, on which mpg123 normally gives up saying `Illegal header'. Be careful: Broken locations in MPEG files might cause sharp, loud pops or clicks, which might damage your speakers if played too loud.

    -0, --single0; -1, --single1
        Decode only channel 0 (left) or channel 1 (right), respectively. These options are available for stereo MPEG streams only.

    -m, --singlemix
        Mix both channels. This option is available for stereo MPEG layer-3 streams only. It takes less CPU time than full stereo decoding.

    -2, --2to1; -4, --4to1
        Performs a downsampling of ratio 2:1 (22 kHz) or 4:1 (11 kHz) on the output stream, respectively. Saves some CPU cycles, but at least the 4:1 ratio sounds ugly. Please note that this does not change the speed of the song; i.e. the --2to1 option is the same as forcing the output sampling rate to -r 22050 on a 44.1 kHz song.

    -b size, --buffer size
        Use an audio output buffer of size Kbytes. This is useful to bypass short periods of heavy system activity, which would normally cause the audio output to be interrupted. You should specify a buffer size of at least 1024 (i.e. 1 Mb, which equals about 6 seconds of audio data) or more; less than about 300 does not make much sense. The default is 0, which turns buffering off.

    -k num, --skip num
        Skip first num frames. By default the decoding starts at the first frame.

    -n num, --frames num
        Decode only num frames. By default the complete stream is decoded.

    -f factor, --scale factor
        Change scale factor (default: 32768).

    -r rate, --rate rate
        Set sample rate (default: automatic). You may want to change this if you need a constant output rate independent of the MPEG stream rate. mpg123 automagically converts the rate (down/up sampling). You should then combine this with --stereo or --mono.

    -g gain, --gain gain
        Set audio hardware output gain (default: don't change).

    -a dev, --audiodevice dev
        Specify the audio device to use. The default is system-dependent (usually /dev/audio or /dev/dsp). Use this option if you have multiple audio devices and the default is not what you want.

    -o s, --speaker
        Direct audio output to the speaker.

    -o h, --headphones
        Direct audio output to the headphone connector.

    -o l, --lineout
        Direct audio output to the line-out connector.

    -d n, --doublespeed n
        Only play every n'th frame. This will cause the MPEG stream to be played n times faster, which can be used for special effects. Can also be combined with the --halfspeed option to play 3 out of 4 frames etc. Don't expect great sound quality when using this option.

    -h n, --halfspeed n
        Play each frame n times. This will cause the MPEG stream to be played at 1/n'th speed (n times slower), which can be used for special effects. Can also be combined with the --doublespeed option to double every third frame or things like that. Don't expect great sound quality when using this option.

    -p URL | none, --proxy URL | none
        The specified proxy will be used for HTTP requests. It should be specified as a full URL (``http://host.domain:port/''), but the ``http://'' prefix, the port number and the trailing slash are optional (the default port is 80). Specifying none means not to use any proxy, and to retrieve files directly from the respective servers. See also the ``HTTP SUPPORT'' section.

    -u auth, --auth auth
        HTTP authentication to use when receiving files via HTTP. The format used is user:password.

    -@ file, --list file
        Read filenames and/or URLs of MPEG audio streams from the specified file in addition to the ones specified on the command line (if any). Note that file can be either an ordinary file, a dash ``-'' to indicate that a list of filenames/URLs is to be read from the standard input, or an URL pointing to an appropriate list file. Note: only one -@ option can be used (if more than one is specified, only the last one will be recognized).

    -z, --shuffle
        Shuffle play. Randomly shuffles the files specified on the command line and in the list file.

    --stereo
        Force stereo output

    --reopen
        Forces reopen of the audio device after every song

    --8bit
        Forces 8bit output

    -w, --wav file
        Write the song using the WAV format to the specified file. Instead of a real filename you can use a dash ``-'' to indicate that the data is to be written to standard out.

    -Z, --random
        Full random play

Debian Wi-Fi hotspot using CoovaChilli, FreeRadius, MySQL and daloRADIUS



I decided to create a hotspot on my server to let others connect to the Internet for free. I used a "captive portal" solution based on these applications:

When somebody wants to connect to the Internet using my Wi-Fi, the first page they see is the register/login page (whatever page they try to visit).
After registration/login they are able to connect to the Internet.

So let's see how I did it.

Let's assume one server with two network interfaces: the first (eth0) goes to the Internet, the second (eth1) serves the Wi-Fi for "unknown" clients.


Install basic software:

aptitude install mysql-server phpmyadmin freeradius freeradius-utils freeradius-mysql apache2 php-pear php-db
a2enmod ssl
a2ensite default-ssl
service apache2 restart
cd /tmp && wget 'http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz'
tar xvzf daloradius-0.9-8.tar.gz
mv /tmp/daloradius-0.9-8 /var/www/daloradius
chown -R www-data:www-data /var/www/daloradius
cp -r /var/www/daloradius/contrib/chilli/portal2/* /var/www/
rm /var/www/index.html

Because my machine is 64-bit I need to build the CoovaChilli package myself:

aptitude --assume-yes install dpkg-dev debhelper libssl-dev
cd /tmp
wget -c http://ap.coova.org/chilli/coova-chilli-1.2.2.tar.gz
tar xzf coova-chilli*.tar.gz
cd coova-chilli*
dpkg-buildpackage -rfakeroot

Install CoovaChilli:

cd ..
dpkg -i coova-chilli_*_amd64.deb

Configure FreeRadius

Change /etc/freeradius/clients.conf:

client 127.0.0.1 {
    secret = mysecret
}

Change /etc/freeradius/sql.conf:

server = "localhost"
login = "root"
password = "xxxx"

Uncomment in /etc/freeradius/sites-available/default:

authorize {
    sql
}

accounting {
    sql
}

Uncomment in /etc/freeradius/radiusd.conf:

       $INCLUDE sql.conf

Configure MySQL database for FreeRadius

mysql -u root --password=xxxx
mysql> CREATE DATABASE radius;
mysql> exit

mysql -u root --password=xxxx radius < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

daloRADIUS configuration

Modify this file /var/www/daloradius/library/daloradius.conf.php

$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = 'mysecret';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

You also need to modify the following configuration files to set up the sign-up web pages, /var/www/signup-*/library/daloradius.conf.php:

$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_SIGNUP_SUCCESS_MSG_LOGIN_LINK'] = "Click here" . " to return to the Login page and start your surfing";

Change the lines in /var/www/signup*/index.php to the following (changed 'User-Password' -> 'Cleartext-Password' and '==' -> ':='):

$sql = "INSERT INTO ".$configValues['CONFIG_DB_TBL_RADCHECK']." (id, Username, Attribute, op, Value) ".
       " VALUES (0, '$username', 'Cleartext-Password', ':=', '$password')";

Another file that needs to be modified so the portal can talk to CoovaChilli is /var/www/hotspotlogin/hotspotlogin.php:

$uamsecret = "uamsecret";

Now you should be able to reach the daloRADIUS installation at http://127.0.0.1/daloradius/

username: administrator
password: radius

Routing

Don't forget to enable packet forwarding and set up NAT:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
sed --in-place=.old 's/^#\(net.ipv4.ip_forward=1\)/\1/' /etc/sysctl.conf
sysctl -p

CoovaChilli configuration

Let's start with /etc/chilli/defaults:

HS_NETWORK=192.168.10.0
HS_UAMLISTEN=192.168.10.1

HS_RADSECRET=mysecret
HS_UAMSECRET=uamsecret
HS_UAMFORMAT=https://\$HS_UAMLISTEN/hotspotlogin/hotspotlogin.php
HS_UAMHOMEPAGE=https://\$HS_UAMLISTEN

Then don't forget to enable CoovaChilli to start, in /etc/default/chilli:

START_CHILLI=1

You may need to run chilli and the RADIUS server with debug options to see the errors that occur while a client connects:

chilli --fg --debug
freeradius -X
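Two values in this section have to agree: $uamsecret in hotspotlogin.php and HS_UAMSECRET in /etc/chilli/defaults. They matter because the portal does not hand the password to chilli; it sends a CHAP response derived from chilli's challenge and the uamsecret, and chilli forwards CHAP-Challenge/CHAP-Password to FreeRADIUS, which is also why the radcheck row has to carry Cleartext-Password (a CHAP response cannot be verified from a hashed password). The following Python model is an added example, not CoovaChilli or daloRADIUS code; the MD5 constructions follow the ChilliSpot login-CGI scheme as I understand it, which is an assumption, and all secrets and challenges in it are constructed.

```python
"""Model of the CoovaChilli UAM login path: portal -> chilli -> FreeRADIUS.
Added example; the hashing scheme is my reading of the ChilliSpot login CGI (assumption)."""
import hashlib
import hmac
import os


def portal_chap_response(challenge_hex, password, uamsecret):
    """What hotspotlogin.php computes from the challenge chilli placed in the redirect URL."""
    chal = bytes.fromhex(challenge_hex)
    if uamsecret:  # re-key the challenge so a portal that lacks the secret cannot produce a valid answer
        chal = hashlib.md5(chal + uamsecret.encode()).digest()
    return hashlib.md5(b"\x00" + password.encode() + chal).hexdigest()


def chilli_chap_challenge(challenge_hex, uamsecret):
    """The CHAP-Challenge chilli sends to RADIUS for the same attempt, keyed with HS_UAMSECRET."""
    chal = bytes.fromhex(challenge_hex)
    return hashlib.md5(chal + uamsecret.encode()).digest() if uamsecret else chal


def radius_verify_chap(chap_challenge, chap_ident, response_hex, cleartext_password):
    """FreeRADIUS side: recompute MD5(ident || password || challenge) from the Cleartext-Password check item."""
    if cleartext_password is None:  # only a hashed password stored: CHAP cannot be checked at all
        return False
    expected = hashlib.md5(bytes([chap_ident]) + cleartext_password.encode() + chap_challenge).hexdigest()
    return hmac.compare_digest(expected, response_hex)


def uam_login(password, stored_cleartext, portal_uamsecret, chilli_uamsecret, challenge_hex=None):
    """Whole path for one login; portal_uamsecret is $uamsecret, chilli_uamsecret is HS_UAMSECRET.
    challenge_hex is the 32-hex-digit challenge chilli generates (random here when not supplied)."""
    challenge_hex = challenge_hex or os.urandom(16).hex()
    response = portal_chap_response(challenge_hex, password, portal_uamsecret)
    chap_challenge = chilli_chap_challenge(challenge_hex, chilli_uamsecret)
    return radius_verify_chap(chap_challenge, 0, response, stored_cleartext)


if __name__ == "__main__":
    print(uam_login("s3cret", "s3cret", "uamsecret", "uamsecret"))   # True: secrets agree
    print(uam_login("s3cret", "s3cret", "uamsecret", "different"))   # False: $uamsecret != HS_UAMSECRET
    print(uam_login("s3cret", None, "uamsecret", "uamsecret"))       # False: no Cleartext-Password row
```

The second and third calls are the two misconfigurations this how-to is most likely to produce: a uamsecret that differs between hotspotlogin.php and /etc/chilli/defaults, and a radcheck row written with an attribute FreeRADIUS cannot use for CHAP. Both fail in the same way from the user's point of view (login rejected), and `freeradius -X` is where the difference becomes visible.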

A few links we created:

  • http://192.168.10.1/signup-free/ - sign up page (if you don't have username/password)
  • http://192.168.10.1:3990/prelogin - use for login to your portal
  • http://192.168.10.1/daloradius/ - daloradius admin page
  • http://192.168.10.1/phpmyadmin/ - phpmyadmin page (useful for sql database)

This how-to describes a simple configuration of CoovaChilli, so there are many more things to configure. I didn't mention anything about security, so it's up to you to tweak it yourself.

You can find additional info on this web page:

https://help.ubuntu.com/community/WifiDocs/CoovaChilli

http://linux.xvx.cz/2010/03/debian-wi-fi-hotspot-using-coovachilli-freeradius-mysql-and-daloradius/

Enjoy... ;-)