Setup freeradius agar bisa otentifikasi dengan LDAP

Setup freeradius agar bisa otentifikasi dengan LDAP

Sebagai tahap integrasi antara radius dan LDAP yang mendukung One Account Policy, maka langkah ini merupakan langkah yang paling vital.

Artikel tentang LDAP bisa dibaca di

Fitur yang diinginkan dari otentifikasi LDAP ini yaitu :

  1. LDAP berada di server lain
  2. Semua akun menggunakan Nomor Induk Mahasiswa/Pegawai untuk akses (yaitu uid)
  3. Semua akun otomatis bisa akses ke hotspot melalui otentifikasi radius
  4. Pengaturan response atau output radius bukan dari LDAP tetapi dari script lain yang disesuaikan dengan manajemen voucher

1. Sesuaikan radius.conf

# vi /etc/radius.conf

Cari bagian seperti point a,b dan c dibawah ini dan disesuaikan
a. Seting ldap server

ldap {
server = “″
identity = “cn=manager,dc=uii,dc=ac,dc=id”
password = password
basedn = “dc=uii,dc=ac,dc=id”

#filter = “(uid=%{Stripped-User-Name:-%{User-Name}})”
filter = “(uid=%u)”
# base_filter = “(objectclass=radiusprofile)”

# set this to ‘yes’ to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = “demand”

# default_profile = “cn=radprofile,ou=dialup,o=My Org,c=UA”
# profile_attribute = “radiusProfileDn”
access_attr = “uid”

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

timeout = 4
timelimit = 3
net_timeout = 1


b. authorize dengan ldap

# The ldap module will set Auth-Type to LDAP if it has not
# already been set

c. authenticate dengan ldap

# Uncomment it if you want to use ldap for authentication
# Note that this means “check plain-text password against
# the ldap database”, which means that EAP won’t work,
# as it does not supply a plain-text password.
Auth-Type LDAP {

2. Sesuaikan users

# vi /etc/raddb/users

Ubah Auth-Type dari system ke LDAP

# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#DEFAULT Auth-Type = System
# Fall-Through = 1

Fall-Through = 1

3. Uji coba


# radtest 999999 pwd 1812 radiusuii
Sending Access-Request of id 43 to port 1812
User-Name = “999999″
User-Password = “pwd”
NAS-IP-Address =
NAS-Port = 1812
rad_recv: Access-Accept packet from host, id=43, length=20

b. MySQL

# radtest prayitna prayitna 1812 radiusuii
Sending Access-Request of id 47 to port 1812
User-Name = “prayitna”
User-Password = “password1″
NAS-IP-Address =
NAS-Port = 1812
rad_recv: Access-Accept packet from host, id=47, length=44
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1500

c. file

# radtest user1 password1 1812 radiusuii
Sending Access-Request of id 52 to port 1812
User-Name = “user1″
User-Password = “password1″
NAS-IP-Address =
NAS-Port = 1812
rad_recv: Access-Accept packet from host, id=52, length=20


Memainkan file musik di terminal

Memainkan file musik di terminal

Di Linux kita tidak hanya bisa memutar file musik kesayangan anda menggunakan aplikasi berbasis GUI tapi kita juga bisa memakai terminal . Terasa seperti programmer handal atau pun para hacker. Pertama – tama kita harus menginstall terlebih dahulu aplikasi bernama sox untuk memainkan file seperti ogg, wav dll dan untuk file mp3 kita bisa menggunakan mpg123 atau ffmpeg.
Untuk menginstall mpg123 ketikkan perintah berikut di terminal anda. Catatan anda harus mempunyai koneksi internet atau mempunyai DVD repo yang sudah siap digunakan jika anda tidak punya keduannya bisa cari di repo kambing dengan browsing di warnet dan download file mpg123.

najat@najat-desktop:~$ sudo su
[sudo] password for najat:
root@najat-desktop:/home/najat# sudo apt-get install mpg123

jika sudah terinstall maka anda bisa menggunakannya dengan mengetikkan

root@najat-desktop:/home/najat/Music# mpg123 *mp3

Catatan anda terlebih dahulu membuka dir musik anda atau folder yang berisi file musik
dan mpg123 hanya mendukung file mp3 jadi untuk file lainnya anda bisa menggunakn sox

cara installnya sama anda tinggal mengetikkan

sudo apt-get install sox

untuk memainkan file musik anda tinggal ketikkan

play .ogg atau anda juga bisa menggunakan play *.ogg

sebaiknya membaca manualnya terlebih dahulu untuk mengetahui fitur lainnya yang ada seperti untuk memindahka lagu anda bisa menekan Ctrl -C dan untuk berhenti tekan Ctrl-C dua kali ata melakukan control lainnya untuk di mpg123 kita bisa mengetikkan perintah
mpg123 -C -z *mp3
yang artinya untuk memainkan file secara acak(random) dan memiliki akses kontrol untuk membesarkan/mengecilkan volume suara dengan menekan +/-, f untuk forward dan lain sebagainya .
Untuk membaca manualnya ketikkan saja
man mpg123 untuk melihat manual dari mpg123 atau man sox untuk melihat manual sox.

Langka Nih Materi Yang jarang dipakai:


Ni Command Lengkapnya :


mpg123 - play audio MPEG 1.0/2.0 file (layers 1, 2 and 3)


mpg123 [ -tscCvqy01m24 ] [ -b size ] [ -k num ] [ -n num ] [ -f factor ] [ -r rate ] [ -g gain ] [ -a dev ] [ -o s | -o h | -o l ] [ -d n ] [ -h n ] [ -p proxy ] [ -u u ] [ -@ file ] file ... | URL ... |



mpg123 reads one or more files (or standard input if ``- is specified) or URLs and plays them on the audio device (default) or outputs them to stdout. file/URL is assumed to be an MPEG-1/2 audio

bit stream.


mpg123 options may be either the traditional POSIX one letter options, or the GNU style long options. POSIX style options start with a single ``-, while GNU long

options start with ``--.

-t, --test

Test mode. The audio stream is decoded, but no output


-s, --stdout

The decoded audio samples are written to standard output, instead of playing them through the audio device. This option must be used if your audio hardware is not supported by mpg123. The output format is raw (headerless) linear PCM audio data, 16 bit, stereo, host byte


-c, --check

Check for filter range violations, and report them for each

frame if any occur.

-C, --control

Enable control keys. By default use 's' to stop, 'p' to pause, 'f' to jump forward to the next song, 'b' to jump back to the beginning of the song, ',' to rewind, '.' to

fast forward, and 'q' to quit.

-v, --verbose

Increase the verbosity level. For example, displays the

frame numbers during decoding.

-q, --quiet

Quiet. Suppress diagnostic messages.

-y, --resync

Try to resync and continue decoding if an error occurs in the input file. Also try to recover from certain broken headers. Useful if you have a broken MPEG file, on which mpg123 normally gives up saying `Illegal header'. Be careful: Broken locations in MPEG files might cause sharp, loud pops or clicks, which might damage your speakers if

played too loud.

-0, --single0; -1,


Decode only channel 0 (left) or channel 1 (right), respectively. These options are available for stereo MPEG

streams only.

-m, --singlemix

Mix both channels. This option is available for stereo MPEG layer-3 streams only. It takes less CPU time than full

stereo decoding.

-2, --2to1; -4,


Performs a downsampling of ratio 2:1 (22 kHz) or 4:1 (11 kHz) on the output stream, respectively. Saves some CPU cycles, but at least the 4:1 ratio sounds ugly. Please note, that does not change speed of the song. Ie the --2to1 option is the same like forcing the sampling output rate to -r

22050 on a 44.1 kHz song.

-b size, --buffer


Use an audio output buffer of size Kbytes. This is useful to bypass short periods of heavy system activity, which would normally cause the audio output to be interrupted. You should specify a buffer size of at least 1024 (i.e. 1 Mb, which equals about 6 seconds of audio data) or more; less than about 300 does not make much sense. The

default is 0, which turns buffering off.

-k num, --skip num

Skip first num frames. By default the decoding starts

at the first frame.

-n num, --frames


Decode only num frames. By default the complete

stream is decoded.

-f factor, --scale


Change scale factor (default: 32768).

-r rate, --rate


Set sample rate (default: automatic). You may want to change this if you need a constant output rate independed of the mpeg stream rate. mpg123 automagically converts the rate (down/up sampling) . You should then combine this with

--stereo or --mono.

-g gain, --gain


Set audio hardware output gain (default: don't


-a dev, --audiodevice


Specify the audio device to use. The default is system-dependent (usually /dev/audio or /dev/dsp). Use this option if you have multiple audio devices and the default is

not what you want.

-o s, --speaker

Direct audio output to the speaker.

-o h, --headphones

Direct audio output to the headphone connector.

-o l, --lineout

Direct audio output to the line-out connector.

-d n, --doublespeed


Only play every n'th frame. This will cause the MPEG stream to be played n times faster, which can be used for special effects. Can also be combined with the --halfspeed option to play 3 out of 4 frames etc. Don't expect great sound quality when using this


-h n, --halfspeed n

Play each frame n times. This will cause the MPEG stream to be played at 1/n'th speed (n times slower), which can be used for special effects. Can also be combined with the --doublespeed option to double every third frame or things like that. Don't expect great

sound quality when using this option.

-p URL | none, --proxy

URL | none

The specified proxy will be used for HTTP requests. It should be specified as full URL (``http://host.domain:port/), but the ``http:// prefix, the port number and the trailing slash are optional (the default port is 80). Specifying none means not to use any proxy, and to retrieve files directly from the respective servers. See also the ``HTTP SUPPORT


-u auth, --auth


HTTP authentication to use when recieving files via HTTP.

The format used is user:password.

-@ file, --list


Read filenames and/or URLs of MPEG audio streams from the specified file in addition to the ones specified on the command line (if any). Note that file can be either an ordinary file, a dash ``- to indicate that a list of filenames/URLs is to be read from the standard input, or an URL pointing to a an appropriate list file. Note: only one -@ option can be used (if more than one is specified, only the last one will be


-z, --shuffle

Shuffle play. Randomly shuffles the files specified on the

command line and in the list file.


Force stereo output


Forces reopen of the audiodevice after ever



Forces 8bit output

-w, --wav file

Write the song using the WAV format to the specified file Instead of a real filename you can use a dash ``- to indicate that the data is to be written to standard


-Z, --random

Full random play

Debian Wi-Fi hotspot using CoovaChilli, FreeRadius, MySQL and daloRADIUS

Debian Wi-Fi hotspot using CoovaChilli, FreeRadius, MySQL and daloRADIUS

I decide to create hotspot from my server to allow other connect to Internet for free. I used “Captive portal” solution based on these applications:

When somebody wants to connect to Internet using my wifi, the first page he can see is the register/login page (whatever page he wants to visit).
After registration/login he is able to connect to Internet.

So let’s see how I did it.

Let’s have one server with two network interfaces – first (eth0) goes to Internet, the second one (eth1) is the wifi for “unknown” clients.

Install basic software:

aptitude install mysql-server phpmyadmin freeradius freeradius-utils freeradius-mysql apache2 php-pear php-db a2enmod ssl a2ensite default-ssl service apache2 restart cd /tmp && wget '' tar xvzf daloradius-0.9-8.tar.gz mv /tmp/daloradius-0.9-8 /var/www/daloradius chown -R www-data:www-data /var/www/daloradius cp -r /var/www/daloradius/contrib/chilli/portal2/* /var/www/ rm /var/www/index.html

Because my machine is 64 bit I need to build CoovaChilli package myself:

aptitude --assume-yes install dpkg-dev debhelper libssl-dev cd /tmp wget -c tar xzf coova-chilli*.tar.gz cd coova-chilli* dpkg-buildpackage -rfakeroot

Install CoovaChilli:

cd .. dpkg -i coova-chilli_*_amd64.deb

Configure FreeRadius

Change /etc/freeradius/clients.conf:

client {  secret     = mysecret }

Change /etc/freeradius/sql.conf:

        server = "localhost"         login = "root"         password = "xxxx"

Uncomment in /etc/freeradius/sites-available/default:

authorize {           sql }   accounting {          sql }

Uncomment in /etc/freeradius/radiusd.conf:

       $INCLUDE sql.conf

Configure MySQL database for FreeRadius

mysql -u root --password=xxxx mysql> CREATE DATABASE radius; mysql> exit   mysql -u root --password=xxxx radius < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

daloRADIUS configuration

Modify this file /var/www/daloradius/library/daloradius.conf.php

$configValues['CONFIG_DB_PASS'] = 'xxxx'; $configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = 'mysecret'; $configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

You also need to modify following configuration files to setup sign in web pages /var/www/signup-*/library/daloradius.conf.php:

$configValues['CONFIG_DB_PASS'] = 'xxxx'; $configValues['CONFIG_DB_NAME'] = 'radius'; $configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup'; $configValues['CONFIG_SIGNUP_SUCCESS_MSG_LOGIN_LINK'] = "
Click here"
. " to return to the Login page and start your surfing


Chnage lines in /var/www/signup*/index.php to (changed 'User-Password' -> 'Cleartext-Password' and '==' -> ':='):

  $sql = "INSERT INTO ".$configValues['CONFIG_DB_TBL_RADCHECK']." (id, Username, Attribute, op, Value) ".                                         " VALUES (0, '$username', 'Cleartext-Password', ':=', '$password')";

Another file need to be modified to communicate with CoovaChilli is/var/www/hotspotlogin/hotspotlogin.php

$uamsecret = "uamsecret";

Now you should be able to reach daloRADIUS installation on

username: administrator password: radius


We should not forget to enable packet forwarding and setup NAT:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward sed --in-place=.old 's/^#\(net.ipv4.ip_forward=1\)/\1/' /etc/sysctl.conf sysctl -p

CoovaChilli configuration

Let's start with /etc/chilli/defaults:

HS_NETWORK= HS_UAMLISTEN=   HS_RADSECRET=mysecret HS_UAMSECRET=uamsecret HS_UAMFORMAT=https://\$HS_UAMLISTEN/hotspotlogin/hotspotlogin.php HS_UAMHOMEPAGE=https://\$HS_UAMLISTEN

Then don't forget to enable CoovaChilli to start in /etc/default/chilli


Maybe you need to execute chilli and radius server with some debug options to see "errors" during client connection:

chilli --fg --debug freeradius -X

Few links we created:

  • - sign up page (if you don't have username/password)
  • - use for login to your portal
  • - daloradius admin page
  • - phpmyadmin page (useful for sql database)

This how-to describe simple configuration of CoovaChilli so there are many things to configure. I didn't mentioned anything about security - so it's up to you to tweak it yourself.

You can find additional info on this web page:

Engoy... ;-)