Arief Yudhawarman

Still learning how to blog

Setting up FreeRADIUS with Authentication against OpenLDAP


Topology

[Figure: RADIUS and OpenLDAP topology]


Servers and router:

  1. OpenLDAP
    • ether0: 192.168.1.2
  2. RADIUS server
    • ether0: 192.168.1.3
  3. Mikrotik
    • ether1: 192.168.1.1
    • ether2: 192.168.10.1


Configuring FreeRADIUS on CentOS Linux

The required package is freeradius. Install it with yum so that all dependent packages are installed along with it.


yum -y install freeradius


Then edit the freeradius configuration files in the /etc/raddb directory.

  1. Edit the default Auth-Type in the file /etc/raddb/users
    # DEFAULT	Auth-Type = System
    DEFAULT	Auth-Type := LDAP
    	Fall-Through = 1
    

  2. Edit the RADIUS client in the file /etc/raddb/clients.conf
    client 192.168.0.0/16 {
    	secret		= testing123
    	shortname	= private-network
    }
    

  3. Edit the file /etc/raddb/radiusd.conf

    Edit the ldap module.

    ldap {
        server = "192.168.1.2"
        password = password
        identity = "cn=config"
        basedn = "dc=domain,dc=org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    


    Edit the authorize{} section.

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        ldap
    }
    


    Edit the authenticate{} section.

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        pam
        unix
        Auth-Type LDAP {
            ldap
        }
        eap
    }
    


Setting up the Hotspot Captive Portal on Mikrotik

  • IP Pool
    [admin@Mikrotik] > /ip pool print 
     # NAME                 RANGES                         
     0 hs-pool-23           192.168.10.100-192.168.10.200
    

  • IP DHCP-Server
    [admin@Mikrotik] > /ip dhcp-server print 
    Flags: X - disabled, I - invalid 
     #   NAME      INTERFACE      RELAY      ADDRESS-POOL      LEASE-TIME ADD-ARP
     0   dhcp4     ether2                    hs-pool-23        1d        
     [admin@Mikrotik] > /ip dhcp-server network print 
     # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
     0 192.168.10.0/24    192.168.10.1    192.168.10.1
    

  • Radius
    [Figure: Setup Radius Server]

  • IP Hotspot
    [Figures: Setup Hotspot Server]


Creating a dedicated account for authentication to FreeRADIUS

If OpenLDAP already provides SSO (Single Sign-On), it is best to create dedicated accounts for guests who request internet access through the hotspot captive portal (regular accounts can still log in through the hotspot captive portal). These dedicated accounts have no email access, no domain login and no access to file sharing.

Example Directory Information Tree (DIT) of the organisation used in this case:

[Figure: example DIT]


In the example DIT above, we will create a dedicated account guest01 (uid=guest01,ou=people,dc=domain,dc=org). For this, only the objectClass posixAccount is needed, with the attributes loginShell, userPassword, gidNumber, homeDirectory, uid and uidNumber.

To add guest01, create a file guest01.ldif as follows:

dn: uid=guest01,ou=guests,dc=domain,dc=org
objectClass: organizationalPerson
objectClass: posixAccount
cn: Guest 01
sn: Guest 01
loginShell: /bin/false
userPassword: {SSHA}jKxt+BiJ1xQBKyHwL0oGZaSyygdif6E7
gidNumber: 12002
homeDirectory: /tmp
uid: guest01
uidNumber: 14001


The userPassword value is obtained by running the command:


slappasswd -s password


Add the user guest01 with the ldapadd command.


ldapadd -h `hostname` -x -w passldap -c -D "cn=config" -f guest01.ldif
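As an added example (not part of the original post), this shows what the {SSHA} userPassword value produced by slappasswd actually is, namely base64(SHA-1(password || salt) || salt), so a value can be parsed and checked against a password before the LDIF is loaded; the salt used in the test is a constructed value, and PAGE_HASH is copied verbatim from the LDIF above.

```python
import base64
import hashlib
import hmac

# The userPassword value pasted in the LDIF above (copied from the page, not recomputed here).
PAGE_HASH = "{SSHA}jKxt+BiJ1xQBKyHwL0oGZaSyygdif6E7"

def ssha_hash(password: bytes, salt: bytes) -> str:
    # What slappasswd -s does: "{SSHA}" + base64(SHA-1(password || salt) || salt)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def ssha_parts(stored: str) -> tuple:
    # Split a stored value into (digest, salt); the salt is whatever follows the 20-byte digest.
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]

def ssha_verify(password: bytes, stored: str) -> bool:
    # What slapd does on a simple bind: recompute with the stored salt and compare in constant time.
    try:
        digest, salt = ssha_parts(stored)
    except ValueError:  # wrong scheme prefix or malformed base64 (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

if __name__ == "__main__":
    print(ssha_verify(b"password", PAGE_HASH))  # reports whether "password" matches the page's hash
```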


Once the freeradius service is running, test authentication of user guest01 with the radtest command.

[root@server ~]# radtest guest01 password 192.168.1.3 18212 testing123
Sending Access-Request of id 20 to 192.168.1.3 port 1812
	User-Name = "guest01"
	User-Password = "password"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 18212
rad_recv: Access-Accept packet from host 192.168.1.3:1812, id=20, length=20
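The exchange above, reproduced as an added example that is not from the original post: it builds the same PAP Access-Request in pure Python (RFC 2865 User-Password hiding keyed by the clients.conf secret), and, as radtest itself does, accepts a reply only if its Response Authenticator verifies under that secret. The server address, port, secret and the guest01/password/18212 values are taken from the page; reveal_password is the server's side of the transform and shows that the shared secret is all that protects the password on the wire.

```python
import hashlib, os, socket, struct

# Constructed from the page's setup: FreeRADIUS host/port, the clients.conf secret, radtest values.
SERVER, PORT, SECRET = "192.168.1.3", 1812, b"testing123"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RADIUS attribute type codes

def pap_xform(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), chained from the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]  # the chain always feeds on the hidden blocks
        out += block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")  # NUL-pad to 16n
    return pap_xform(padded, secret, authenticator, hide=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return pap_xform(hidden, secret, authenticator, hide=False).rstrip(b"\x00")  # the server's side

def attribute(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # Type, Length (incl. header), Value

def build_access_request(ident: int, authenticator: bytes, user: str, password: str, nas_port: int) -> bytes:
    body = (attribute(USER_NAME, user.encode())
            + attribute(USER_PASSWORD, hide_password(password.encode(), SECRET, authenticator))
            + attribute(NAS_IP_ADDRESS, bytes([255, 255, 255, 255]))
            + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def response_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret);
    # a reply failing this was not made with our secret for our request and is dropped.
    return len(reply) >= 20 and hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest() == reply[4:20]

def radtest(user: str, password: str, nas_port: int = 18212, ident: int = 20) -> str:
    authenticator = os.urandom(16)  # fresh per request; it keys both the hiding and the reply check
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(build_access_request(ident, authenticator, user, password, nas_port), (SERVER, PORT))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != ident or not response_is_authentic(reply, authenticator, SECRET):
        return "unverified-reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], "other")

if __name__ == "__main__":
    print(radtest("guest01", "password"))
```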

Written by awarmanf

January 6, 2015 at 2:24 am
