
FREERADIUS SERVER

1. Install dependencies yang dibutuhkan untuk support SSL (pake libssl-dev, libmysqlclient-dev
atau libmysqlclient16-dev, libtool)
root@user:<dir># apt-get install libssl-dev
root@user:<dir># apt-get install libmysqlclient-dev
root@user:<dir># apt-get install libmysqlclient16-dev
root@user:<dir># apt-get install libtool

2. Ekstrak file freeradius-server-2.2.0.tar.bz2 dengan cara


root@user:<dir># tar -jxvf freeradius-server-2.2.0.tar.bz2

3. Buat folder baru di usr


root@user:<dir># mkdir /usr/local/radius

4. Masuk ke folder hasil ekstrak freeradius dan install


root@user:<dir># ./configure --prefix=/usr/local/radius --with-openssl --with-rlm-sql-mysql
root@user:<dir># make && make install

5. Konfigurasi file freeradius (radiusd.conf, sql.conf, clients.conf). Ganti contoh secret/password di bawah (hotspot, radiussecret, someadminpas) dengan nilai Anda sendiri; untuk klien selain localhost sebaiknya require_message_authenticator diset yes agar setiap Access-Request diverifikasi.


root@user:<dir># cd /usr/local/radius/etc/raddb
root@user:<dir># nano radiusd.conf
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}
# $INCLUDE sql/mysql/counter.conf
# $INCLUDE sqlippool.conf
}
instantiate {
exec
expr
noresetcounter
# daily
expiration
logintime
}

root@user:<dir># nano sql.conf


database = "mysql"
driver = "rlm_sql_${database}"
# Connection info:
server = "localhost"
#port = 3306
login = "hotspot"
password = "hotspot"
radius_db = "hotspot"
root@user:<dir># nano clients.conf
client localhost {
ipaddr = 127.0.0.1
# ipv6addr = ::   # any. ::1 == localhost
# netmask = 32
#
#
#
#
secret = radiussecret
require_message_authenticator = no
shortname = localhost
nastype = other
login = !root
password = someadminpas
virtual_server = home1
coa_server = coa
}

root@user:<dir># nano /usr/local/radius/etc/raddb/sites-available/default


authorize {
# filter_username
preprocess
# auth_log
chap
mschap
# digest
# wimax
# IPASS
suffix
# ntdomain
eap {
ok = return
}
# unix
files
sql
noresetcounter

#
#
#
#

etc_smbpasswd
ldap
daily
checkval
expiration
logintime
pap

}
accounting {
detail
# daily
unix
radutmp
# sradutmp
# main_pool
sql
# if (noop) {
# ok
# }
# sql_log
# pgsql-voip
exec
attr_filter.accounting_response
}
session {
radutmp
sql
}
post-auth {
# main_pool
# reply_log
sql
# sql_log
# ldap
exec
# wimax
# update reply {
#
Reply-Message += "%{TLS-Cert-Serial}"
#
Reply-Message += "%{TLS-Cert-Expiration}"
#
Reply-Message += "%{TLS-Cert-Subject}"
#
Reply-Message += "%{TLS-Cert-Issuer}"
#
Reply-Message += "%{TLS-Cert-Common-Name}"
#
Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#
Reply-Message += "%{TLS-Client-Cert-Serial}"
#
Reply-Message += "%{TLS-Client-Cert-Expiration}"
#
Reply-Message += "%{TLS-Client-Cert-Subject}"
#
Reply-Message += "%{TLS-Client-Cert-Issuer}"
#
Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#
Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"

# }
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
sql
attr_filter.access_reject
}
}
6. Buat database baru
root@user:<dir># mysql -u root -p
mysql> CREATE DATABASE hotspot;
mysql> GRANT ALL PRIVILEGES ON hotspot.* TO 'hotspot'@'localhost'
IDENTIFIED BY 'hotspot'; (db, user, pass)
mysql> FLUSH PRIVILEGES;
mysql> quit;
7. Import schema.sql dan nas.sql ke database yang telah dibuat (lewati jika memakai
Phpmyprepaid). Nama database, user, dan password yang dipakai di sini harus sama dengan
yang dibuat di langkah 6 dan yang diisi di sql.conf (contoh di bawah memakai "radius").
root@user:<dir># mysql -u radius -p radius < /usr/local/radius/etc/raddb/sql/mysql/schema.sql
root@user:<dir># mysql -u radius -p radius < /usr/local/radius/etc/raddb/sql/mysql/nas.sql
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('test','User-Password','test');
8. Aktifkan service radius dan cek koneksi
Terminal 1
root@user:<dir># /usr/local/radius/sbin/radiusd -X
Terminal 2
root@user:<dir># /usr/local/radius/bin/radtest test test localhost 0 radiussecret

CHILLISPOT
1. Install chillispot_1.0-10_i386.deb
root@user:<dir># dpkg -i --force-architecture chillispot_1.0-10_i386.deb

2. konfigurasi chilli.conf
root@user:<dir># nano /etc/chilli.conf
#fg
#debug
#interval 3600
#pidfile /var/run/chilli.pid
#statedir ./
net 192.168.182.0/24
#dynip 192.168.182.0/24
#statip 192.168.182.0/24
dns1 208.67.222.222
dns2 208.67.220.220
#domain key.chillispot.org
#ipup /etc/chilli.ipup
#ipdown /etc/chilli.ipdown
#radiuslisten 127.0.0.1
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
#radiusauthport 1812
#radiusacctport 1813
radiussecret radiussecret
#radiusnasid nas01
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
#proxylisten 127.0.0.1
#proxyport 3128
#proxyclient 192.168.182.0/24
#proxysecret radiussecret
dhcpif wlan0
#dhcpmac 00:00:5E:00:02:00
#lease 600
uamserver https://192.168.182.1/login/login.php #sesuai path & file
uamhomepage http://192.168.182.1:3990/prelogin
uamsecret uamsecret
#uamlisten 192.168.182.1
#uamport 3990
uamallowed 192.168.137.2
#uamanydns
#macauth
#macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9
#macpasswd password
#macsuffix suffix

APACHE SSL
root@user:<dir># mkdir /etc/apache2/ssl
root@user:<dir># make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
root@user:<dir># nano /etc/apache2/sites-available/ssl
NameVirtualHost *:443
<virtualhost *:443>
ServerAdmin webmaster@localhost
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
DocumentRoot /var/www/
<directory />
Options FollowSymLinks
AllowOverride None
</directory>
<directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</directory>
</virtualhost>
root@user:<dir># a2enmod ssl
root@user:<dir># a2ensite ssl

PHPMYPREPAID
1. Install phpmyprepaid sesuai file config radius
2. Alter database
ALTER TABLE `usergroup` ADD `priority` INT( 11 ) NOT NULL DEFAULT 1 AFTER `location_id`;

3. Edit sql.conf
usergroup_table = "usergroup"

4. Edit /usr/local/radius/etc/raddb/dictionary
ATTRIBUTE Max-All-Session 3000 integer

SQUID PROXY
acl kejar src 192.168.182.0/24
acl block dstdomain -i "/etc/squid/block.txt"
acl dhuhur time SMTWHA 11:30-12:00
acl jumat time F 11:30-12:30
acl ashar time SMTWHFA 15:00-15:30
acl maghrib time SMTWHFA 17:00-18:00
acl download url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .tar .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .msi .mp4

http_access deny block
http_access deny dhuhur
http_access deny jumat
http_access deny ashar
http_access deny maghrib
http_access allow kejar

delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_class 2 2
delay_parameters 2 -1/2048000 10000/2049000
delay_access 2 allow download
delay_access 2 deny all
delay_access 1 deny download
delay_access 1 allow all

reply_body_max_size 50000000 allow download

NAT FIREWALL
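#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (wlan0) as the internal interface (access points).
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but
#   disallowed to and from the internal interface.
# * NAT is enabled on the external interface.
#
# Every rule below is appended (-A) and nothing is flushed first, so running
# the script twice duplicates every rule; run it once per boot (rc.local).
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="wlan0"

# Default policies: drop unsolicited input, allow forwarding and output.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

# Allow related and established on all interfaces (input).
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ssh on $EXTIF (related/established is already accepted above).
# Reject everything else arriving on $EXTIF.
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp -m tcp --dport 22 --syn -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -j REJECT

# Drop everything else arriving on $INTIF (related/established is already accepted).
"$IPTABLES" -A INPUT -i "$INTIF" -j DROP

# Allow http and https on other interfaces (input).
# This is only needed if the authentication server is on the same host as chilli.
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Allow 3990 (the chilli UAM port) on other interfaces (input).
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

# Allow everything on loopback interface.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward).
# This means that access points can only be managed from ChilliSpot.
"$IPTABLES" -A FORWARD -i "$INTIF" -j DROP
"$IPTABLES" -A FORWARD -o "$INTIF" -j DROP

# Enable NAT on output device.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

## FOR SQUID ##
## Allow transparent proxy (wiboon 1/2)
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT
## Allow transparent proxy (wiboon 2/2)
# Hotspot clients on the chilli tunnel must not open connections to the
# proxy port directly (note: it is '--syn', two dashes; '-syn' is not a flag).
"$IPTABLES" -t mangle -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
# Web traffic to the hotspot subnet itself is not redirected.
"$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.182.0/24 --dport 80 -j RETURN
# All other web traffic from the tunnel is redirected to squid.
"$IPTABLES" -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128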

Simpan dengan nama s40chilli.iptables, dan aktifkan setiap kali restart


root@user:<dir># nano /etc/rc.local
sh path/s40chilli.iptables

NB: baris `sh path/s40chilli.iptables` di /etc/rc.local inilah yang mengaktifkan firewall setiap kali boot; ganti `path` dengan lokasi file yang sebenarnya.
