Traffic Analysis


Internet Quota Management

If you are interested in how I manage internet quota, please leave a comment. When I have time, I can slowly write a post to explain it.

Dynamic Clients with FreeRADIUS Using MAC-Address

This blog will show how to set up dynamic clients that do not have a static IP address.

Details are coming soon!

802.1X/EAP User Authentication

This blog will show how to configure FreeRADIUS to authenticate wireless users via 802.1X/EAP. MySQL will be used as the user store.
The wireless AP will be a MikroTik (MT) router. The RADIUS server will be FreeRADIUS 2.2.5 running on Linux Mint Debian. This tutorial only gives instructions for setting up an 802.1X/EAP wireless network. It will not explain how an 802.1X/EAP wireless network works.

RADIUS Terminology:
Clients: A client refers to a NAS, like an access point (AP). In this tutorial, it is the MT router.
NAS: Network access server.

Change Ownership:
The default FreeRADIUS configuration files are in /etc/freeradius. To make working in this folder easier, change the folder ownership.
$ sudo chown -R jake:freerad /etc/freeradius
Configure NAS:
For clients to work properly, the NAS needs a static IP address. To enable dynamic clients with no static IP address, please see this post. This tutorial assumes all the clients have a static IP address. Client configuration can be stored in a file or in MySQL. The steps below show how to configure the client file.
$ cd /etc/freeradius
Open the client file with an editor.
$ sudo vi clients.conf
This file is well documented. Read through it for your own understanding. Add a new client by copying and pasting the following to the end of clients.conf. The client's IP address is the address that the RADIUS server has to communicate with. If the RADIUS server is within the same local network, the client's IP address is its local IP address. If the RADIUS server has to reach the client via the internet, the client's IP address is its public IP address.
client 127.313.28.15 {
 secret    = radius
 shortname = client_home
 nas_type  = mikrotik
 limit {
  max_connections = 0
  lifetime = 0
  idle_timeout = 30
 }
}
MySQL Configuration:
Set up the MySQL database. Username: radius. Password: radpass.
$ mysql -u root -p
mysql> CREATE DATABASE radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
mysql> exit
Create the tables.
$ sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
$ sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
Add the radius database connection information to sql.conf.
$ vi sql.conf
    driver = "rlm_sql_mysql"
    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radpass"
    read_groups = yes    
    read_clients = yes
Uncomment every sql line in sites-enabled/default and sites-enabled/inner-tunnel.
$ sudo sed -i 's/^#[[:space:]]*sql$/sql/' sites-enabled/default
$ sudo sed -i 's/^#[[:space:]]*sql$/sql/' /etc/freeradius/sites-enabled/inner-tunnel
Add $INCLUDE sql.conf below $INCLUDE sites-enabled/ in radiusd.conf.
Link sql.conf into modules.
$ cd /etc/freeradius/modules
$ ln -s ../sql.conf sql
Disable Proxy:
$ sudo vi /etc/freeradius/radiusd.conf
Set the following:
proxy_requests  = no
Configure EAP:
$ cd /etc/freeradius
$ sed -i 's/use_tunneled_reply = no/use_tunneled_reply = yes/' eap.conf
Disable PAP:
$ sed -i 's/^\([[:space:]]*\)pap$/\1#pap/' sites-enabled/default
Run it:
$ sudo radiusd -X
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address port 18120 as server inner-tunnel
Ready to process requests.
Set Up Test Environment:
Add the RADIUS client to the MT router:
Set up the MT router to authenticate the wireless network via EAP.
Add a test username and password to MySQL. Try it.
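
As an added example (not part of the original post), the script below audits a FreeRADIUS configuration directory for the kind of values this walkthrough uses: a short dictionary-word shared secret in clients.conf, the radpass database password in sql.conf, and configuration files readable by other users. The function names, the weak-value list, the 16-character minimum and the sample address are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak secrets and
# world-readable files in a FreeRADIUS configuration directory.

# Print the value of every "key = value" line ($1 = key, $2 = file), with
# trailing comments, trailing blanks and surrounding double quotes removed.
conf_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Weak = a well-known default or dictionary word, or shorter than 16 characters.
# Both the word list and the 16-character floor are assumptions of this example.
is_weak() {
    case "$1" in
        radius|radpass|testing123|secret|password) return 0 ;;
    esac
    [ "${#1}" -lt 16 ]
}

# Print one finding per line for the configuration directory given as $1.
audit_freeradius() {
    conf_values secret "$1/clients.conf" | while IFS= read -r v; do
        if is_weak "$v"; then echo "clients.conf: weak shared secret"; fi
    done
    conf_values password "$1/sql.conf" | while IFS= read -r v; do
        if is_weak "$v"; then echo "sql.conf: weak database password"; fi
    done
    # Files that hold secrets should not be readable by "other".
    find "$1" -type f -perm -004 | sed 's/$/: world-readable/'
}

# Constructed sample that reuses the secret and password from the walkthrough.
# 192.0.2.10 is a documentation address chosen for this example.
make_sample() {
    printf 'client 192.0.2.10 {\n secret    = radius\n shortname = client_home\n}\n' \
        > "$1/clients.conf"
    printf 'login = "radius"\npassword = "radpass"\n' > "$1/sql.conf"
    chmod 644 "$1/clients.conf"
    chmod 640 "$1/sql.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_freeradius "$demo_dir"
rm -rf "$demo_dir"
```

To check a live server, call audit_freeradius /etc/freeradius as a user that can read the directory; an empty result means none of the three checks fired.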

FreeRADIUS build and install (Debian packages with rlm_raw patch)

This post will show how to build and install Debian packages for FreeRADIUS 2.2.5 with the rlm_raw patch.

Machine: Linux Mint Debian Edition (LMDE) 64 bit

Download the source code:
Download the FreeRADIUS source file.
Extract the source code.
tar jxf freeradius-server-2.2.5.tar.bz2

Patch the code with rlm_raw:
This patch enables dynamic clients identified by MAC address rather than by static IP address.
Download the rlm_raw patch.
wget -O rlm_raw_patch
Apply the rlm_raw patch.
cd freeradius-server-2.2.5
patch -p1 < rlm_raw_patch
If all goes according to plan, the following output should show on your screen:
$ patch -p1 < rlm_raw_patch 
patching file src/modules/rlm_raw/
patching file src/modules/rlm_raw/configure
patching file src/modules/rlm_raw/
patching file src/modules/rlm_raw/
patching file src/modules/rlm_raw/rlm_raw.c
patching file src/modules/stable
Hunk #1 FAILED at 39.
1 out of 1 hunk FAILED -- saving rejects to file src/modules/stable.rej
This simply means the last part of the patch was not applied. You can fix it manually by adding rlm_raw to the bottom of the src/modules/stable file.
echo rlm_raw >> src/modules/stable

Install dependencies. This might take a while.
sudo apt-get install debhelper quilt autotools-dev libtool libltdl3-dev libssl-dev libpam0g-dev libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev libperl-dev libpcap-dev python-dev libsnmp-dev libpq-dev
Build the FreeRADIUS packages from the source. Be patient; this will take some time too.
sudo fakeroot dpkg-buildpackage -b -uc
A successful build will show the following files:
ls ../*.deb

Install the newly built FreeRADIUS packages in the following sequence.
cd ..
sudo dpkg -i libfreeradius2_2.2.5+git_amd64.deb freeradius-common_2.2.5+git_all.deb
sudo dpkg -i freeradius_2.2.5+git_amd64.deb freeradius-krb5_2.2.5+git_amd64.deb freeradius-ldap_2.2.5+git_amd64.deb freeradius-dbg_2.2.5+git_amd64.deb freeradius-iodbc_2.2.5+git_amd64.deb 
sudo dpkg -i freeradius-mysql_2.2.5+git_amd64.deb freeradius-utils_2.2.5+git_amd64.deb 
A successful install should show the following:
$ sudo /etc/init.d/freeradius restart
[ ok ] Checking FreeRADIUS daemon configuration...done (Configuration appears to be OK.).
[ ok ] Stopping FreeRADIUS daemon: freeradius.
[ ok ] Starting FreeRADIUS daemon: freeradius.



Router Model: Asus WL-500G Premium V2
Firmware Version: DD-WRT v24-sp2 (05/20/09) std-nokaid-usb - build 12171M NEWD Eko
~ # mkdir /mnt/opt
~ # mount -o bind /mnt/opt /opt

lamsao: the above links seem to be dead.  I found this link and it works.[dead links deleted]

wget -O - | tr -d '\r' > /tmp/
sh /tmp/

Search Path
Adding /opt/bin to the search PATH saves us from typing /opt/bin in front of every command that lives there. To run applications from the /opt tree, expand the search path with
~ # export PATH=/opt/bin:/opt/sbin:$PATH

Installing Samba 2
/opt/bin/ipkg-opt update 
/opt/bin/ipkg-opt remove samba
/opt/bin/ipkg-opt install samba2
/opt/bin/ipkg-opt install xinetd

Startup script for external hard disk

/opt/bin/ipkg-opt install e2fsprogs