Simple Captive Portal
What is a captive portal? Check here:
In essence it comes down to this:
A captive portal is an authentication technique that guards traffic passing from an internal network to an external one. In practice the captive portal is a router or gateway that blocks all traffic until the user has first registered with (logged in to) the system. Captive portals are usually deployed on wireless infrastructure such as hotspot areas, but nothing prevents using them on a wired network.
OK, straight to it. We will build a simple captive portal using:
- Mandriva Linux 2009.1 (http://www.mandriva.com)
- Coova Chilli (http://www.coova.org)
- Freeradius (http://www.freeradius.org)
- 2 Ethernet cards, one towards the Internet (eth0 below), one towards the LAN (eth1)
MySQL? Later. First we want the simplest possible captive portal. On we go ...
Install Mandriva 2009.1; you can follow http://howtoforge.net/the-perfect-desktop-mandriva-one-2009.1-with-gnome , the rest is up to you :).
After installing Mandriva Linux, don't forget to install the web server:
urpmi apache
Once that is in place, we move on to the core of the captive portal itself: coova-chilli and FreeRADIUS. Oh, and before continuing, also make sure Mandriva Linux is pointed at the nearest package repository. An outline of that is here: http://blitar.linux.or.id/2008/12/17/mandriva-2009-add-repo/.
Install Coova Chilli (ChilliSpot)
urpmi chillispot
or
urpmi coova
Once that finishes, start it straight away:
/etc/init.d/chilli start
or
service chilli start
Besides starting the captive portal service, the command above also generates a default configuration for it. That generated configuration is placed in:
/etc/chilli/
[server@smpn1ksb ~]$ ls -l /etc/chilli
total 40
-rw-r--r-- 1 root root 5776 2009-06-22 11:58 defaults
-rwxr-xr-x 1 root root  385 2008-12-17 06:33 down.sh*
-rwxr-xr-x 1 root root 8045 2008-12-17 06:33 functions*
-rw-r--r-- 1 root root    0 2009-06-23 06:00 hs.conf
-rw-r--r-- 1 root root    0 2009-06-23 06:00 local.conf
-rw-r--r-- 1 root root  851 2009-06-23 03:42 main.conf
-rwxr-xr-x 1 root root  319 2009-06-23 05:42 route.sh*
-rwxr-xr-x 1 root root 1596 2009-06-23 05:36 up.sh*
drwxr-xr-x 2 root root 4096 2009-06-21 09:32 www/
-rwxr-xr-x 1 root root  670 2008-12-17 06:33 wwwsh*
[server@smpn1ksb ~]$
Leave /etc/chilli.conf untouched for now; keep it at the default. With the configuration generated above, the captive portal is already usable.
Network diagram:
Internet <> Modem <> Captive Portal <> LAN
Although the captive portal already works and serves requests from the LAN, it still has weaknesses:
- It connects straight to the RADIUS server at coova.org
- It cannot be used for Internet access right away; you first have to register with coova.org
To remove these weaknesses we will run our own RADIUS server with FreeRADIUS.
Install FreeRADIUS.
urpmi freeradius
FreeRADIUS's initial configuration lives in /etc/raddb
[server@smpn1ksb ~]$ ls -l /etc/raddb/
total 196
-rw-r----- 1 root radius   671 2009-03-17 10:51 acct_users
-rw-r----- 1 root root    4174 2009-03-17 10:51 attrs
-rw-r----- 1 root root     458 2009-03-17 10:51 attrs.access_reject
-rw-r----- 1 root root     437 2009-03-17 10:51 attrs.accounting_response
-rw-r----- 1 root root    2022 2009-03-17 10:51 attrs.pre-proxy
drwxr-x--- 2 root root    4096 2009-06-22 04:28 certs/
-rw-r----- 1 root radius  6548 2009-06-22 11:34 clients.conf
-rw-r----- 1 root root     877 2009-03-17 10:51 dictionary
-rw-r----- 1 root root   14731 2009-03-17 10:51 eap.conf
-rwxr-xr-x 1 root root    4609 2009-03-17 10:51 example.pl*
-rw-r----- 1 root root   12597 2009-03-17 10:51 experimental.conf
-rw-r----- 1 root root    2352 2009-03-17 10:51 hints
-rw-r----- 1 root root    1604 2009-03-17 10:51 huntgroups
drwxr-x--- 2 root root    4096 2009-06-22 04:27 modules/
-rw-r----- 1 root root    1154 2009-03-17 10:51 policy.conf
-rw-r----- 1 root root    4873 2009-03-17 10:51 policy.txt
-rw-r----- 1 root radius   984 2009-03-17 10:51 preproxy_users
-rw-r----- 1 root root   24732 2009-03-17 10:51 proxy.conf
-rw-r----- 1 root root   26417 2009-06-22 04:45 radiusd.conf
drwxr-x--- 2 root root    4096 2009-06-22 09:28 sites-available/
drwxr-x--- 2 root root    4096 2009-06-22 04:27 sites-enabled/
drwxr-xr-x 3 root root    4096 2009-06-22 04:28 sql/
-rw-r----- 1 root root    3046 2009-06-22 04:29 sql.conf
-rw-r----- 1 root root    2178 2009-03-17 10:51 sqlippool.conf
-rw-r----- 1 root root    3450 2009-03-17 10:51 templates.conf
-rw-r----- 1 root radius  6557 2009-06-22 09:29 users
[server@smpn1ksb ~]$
Edit /etc/raddb/clients.conf. Find the secret line in the client localhost block (chilli will talk to RADIUS at 127.0.0.1, so that is the block that matters) and change it to the line below:
secret = radiussecret
Note that radiussecret is only a placeholder for this walkthrough: the shared secret is all that authenticates the NAS to FreeRADIUS, so use a long random string on anything but a test box.
Edit /etc/raddb/users and append the following line at the very bottom:
bayu Cleartext-Password := "bayu"
Then test the RADIUS server by running the command below:
[root@smpn1ksb server]# radiusd -X
FreeRADIUS Version 2.1.5, for host i586-mandriva-linux-gnu, built on Mar 17 2009 at 10:50:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
(cut)
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
        listen {
                socket = "/var/run/radiusd/radiusd.sock"
        }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
There, it works; nothing in our settings is wrong. Stop it with Ctrl + C.
Only then start the RADIUS server service with the command below:
[root@smpn1ksb server]# service radiusd start
Starting freeradius [ OK ]
[root@smpn1ksb server]#
Test the RADIUS server:
[root@smpn1ksb server]# radtest bayu bayu 127.0.0.1 1812 radiussecret
Sending Access-Request of id 76 to 127.0.0.1 port 1812
User-Name = “bayu”
User-Password = “bayu”
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=76, length=20
[root@smpn1ksb server]#
Done, FreeRADIUS is working as the RADIUS server. If you don't believe it, try once more with this:
[root@smpn1ksb raddb]# radtest bayu keren 127.0.0.1 1812 radiussecret
Sending Access-Request of id 247 to 127.0.0.1 port 1812
User-Name = “bayu”
User-Password = “keren”
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=247, length=20
[root@smpn1ksb raddb]#
Access-Reject!!!
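What radtest actually puts on the wire, and why the shared secret matters, as an added example that is not part of the original post, of FreeRADIUS or of coova-chilli: the Python below builds the same PAP Access-Request (RFC 2865), answers it the way the Cleartext-Password entry in the users file above would, and checks the Response Authenticator on the NAS side. The secret and the user entry are the demo values from this page; the packet layout follows RFC 2865, the in-memory users dict stands in for /etc/raddb/users, and the function names are this example's own.

```python
"""PAP Access-Request / Access-Accept between a NAS (chilli, or radtest) and
FreeRADIUS, per RFC 2865.  Added example, not code from FreeRADIUS or
coova-chilli; the secret and the user entry are the demo values from this page
and the in-memory `users` dict stands in for /etc/raddb/users."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous block), the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same chain run backwards; a different secret gives garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """The packet behind `radtest bayu bayu 127.0.0.1 1812 radiussecret`."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
             + attr(NAS_PORT, struct.pack("!I", 1812)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLV attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal stand-in for FreeRADIUS with a Cleartext-Password `users` entry.
    The reply carries no attributes, so it is exactly 20 bytes, like the
    length=20 Access-Accept/Access-Reject in the radtest output above."""
    ident, request_auth = request[1], request[4:20]
    a = parse_attrs(request)
    supplied = decode_password(a[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(a[USER_NAME].decode()) == supplied else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: only a reply built with the same secret passes, so a spoofed
    Access-Accept from a host that does not know the secret is discarded."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected


if __name__ == "__main__":
    SECRET, USERS = b"radiussecret", {"bayu": b"bayu"}
    req = build_access_request(76, "bayu", "bayu", SECRET)
    resp = server_respond(req, SECRET, USERS)
    print("bayu/bayu   -> code", resp[0], "verified:", verify_response(req, resp, SECRET))
    req = build_access_request(247, "bayu", "keren", SECRET)
    print("bayu/keren  -> code", server_respond(req, SECRET, USERS)[0])
    # NAS configured with the wrong secret: the password garbles into a Reject,
    # and the reply does not verify either.
    req = build_access_request(1, "bayu", "bayu", b"testing123")
    resp = server_respond(req, SECRET, USERS)
    print("wrong secret -> code", resp[0], "verified:", verify_response(req, resp, b"testing123"))
```

The code makes the earlier warning about the secret concrete: the User-Password masking is MD5 keyed only by the shared secret, so anyone who captures one request can brute-force a short guessable value like radiussecret offline and then read every password and forge every Access-Accept. That is tolerable here only because chilli and radiusd share the loopback interface; the moment RADIUS moves to another host, use a long random secret.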
OK, next we tie Coova Chilli to FreeRADIUS.
Edit /etc/chilli/defaults directly; its contents will look like this (adjust to your situation):
# -*- /bin/sh -*-
#
# Coova-Chilli Default Configurations.
# To customize, copy this file to /etc/chilli/config
# and edit to your liking. This is included in shell scripts
# that configure chilli and related programs before file 'config'.

###
# Local Network Configurations
#
## HS_WANIF=eth0             # WAN Interface toward the Internet (left unset here; NAT is done by hand in route.sh)
HS_LANIF=eth1                # Subscriber Interface for client devices
HS_NETWORK=10.10.10.0        # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0     # HotSpot Network Netmask
HS_UAMLISTEN=10.10.10.1      # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990              # HotSpot Port (on subscriber network)

# HS_DYNIP=
# HS_DYNIP_MASK=255.255.255.0
# HS_STATIP=
# HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=

# I use dnsmasq on this gateway for DNS. chilli hands HS_DNS1 to clients via DHCP,
# so it must be the gateway's LAN address; 127.0.0.1 would point clients at themselves.
HS_DNS1=10.10.10.1
#HS_DNS2=

###
# HotSpot settings for simple Captive Portal
#
HS_NASID=nas01
HS_UAMSECRET=uamsecret       # must match $uamsecret in hotspotlogin.cgi (demo value; use a long random string)
HS_RADIUS=127.0.0.1
#HS_RADIUS2=rad01.coova.org  # original value
HS_RADIUS2=127.0.0.1
#HS_RADSECRET=coova-anonymous  # original value
HS_RADSECRET=radiussecret    # the secret we set in /etc/raddb/clients.conf earlier
#HS_UAMALLOW=coova.org       # original value
HS_UAMALLOW=www.blitar.org   # walled garden: this site can be reached without logging in

# Put entire domains in the walled-garden with DNS inspection
# HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

# Optional initial redirect and RADIUS settings
# HS_SSID=<ssid>             # To send to the captive portal
# HS_NASMAC=<mac address>    # To explicitly set Called-Station-Id
# HS_NASIP=<ip address>      # To explicitly set NAS-IP-Address

# The server to be used in combination with HS_UAMFORMAT to
# create the final chilli 'uamserver' url configuration.
#HS_UAMSERVER=coova.org      # original value
HS_UAMSERVER=10.10.10.1      # the web server that serves the login page

# Use HS_UAMFORMAT to define the actual captive portal url.
# Shell variable replacement takes place when evaluated, so here
# HS_UAMSERVER is escaped and later replaced by the pre-defined
# HS_UAMSERVER to form the actual "--uamserver" option in chilli.
#HS_UAMFORMAT=https://\$HS_UAMSERVER/p/uam/chilli   # original value
HS_UAMFORMAT=https://\$HS_UAMSERVER/cgi-bin/hotspotlogin.cgi

# The same principle goes for HS_UAMHOMEPAGE.
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

# This option will be configured to be the WISPr LoginURL as well
# as provide "uamService" to the ChilliController. The UAM Service is
# described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
#
#HS_UAMSERVICE=https://coova.org/app/uam/auth   # original value
HS_UAMSERVICE=https://10.10.10.1/cgi-bin/hotspotlogin.cgi   # same host as HS_UAMSERVER

###
# Features not activated per-default (default to off)
(cut)
That completes the Coova Chilli defaults. One thing to check before moving on: HS_UAMFORMAT and HS_UAMSERVICE point at https://10.10.10.1/..., but nothing so far has configured a certificate or mod_ssl for httpd, so either set up TLS for 10.10.10.1 or the login redirect will not load. Now copy hotspotlogin.cgi into /var/www/cgi-bin:
[root@smpn1ksb raddb]# cp /usr/share/doc/coova-chilli/hotspotlogin.cgi /var/www/cgi-bin/hotspotlogin.cgi
Then
chmod a+x /var/www/cgi-bin/hotspotlogin.cgi
Then edit that file at the following lines and adjust them:
# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
#$uamsecret = "ht2eb8ej6s4et3rg1ulp";   # original value
$uamsecret = "uamsecret";
# must match HS_UAMSECRET in /etc/chilli/defaults
and
# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.
#$userpassword=1;
$userpassword=1;
Done...
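To see what $uamsecret and $userpassword actually do, here is a Python port of the arithmetic hotspotlogin.cgi performs before it redirects the browser to http://HS_UAMLISTEN:HS_UAMPORT/logon. This is an added example, not code from coova-chilli or from the original post: the challenge bytes are constructed here, "uamsecret" is the demo value above, and the chilli-side and FreeRADIUS-side helpers are this example's own reconstruction of the counterpart computations.

```python
"""The challenge/response hotspotlogin.cgi computes before it sends the browser
to http://$HS_UAMLISTEN:$HS_UAMPORT/logon.  Added example: a Python port of the
CGI's Perl arithmetic plus this example's own reconstruction of what chilli and
FreeRADIUS do with the result; not code from coova-chilli.  The challenge bytes
are constructed here and "uamsecret" is the demo value from this page."""
import hashlib
import os


def xor_perl(a: bytes, b: bytes) -> bytes:
    """Perl's string ^ operator: the result is as long as the longer operand,
    with the shorter one padded with NUL bytes."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\x00"), b.ljust(n, b"\x00")))


def user_challenge(challenge_hex: str, uamsecret: bytes) -> bytes:
    """$newchal: the 16-byte challenge chilli put in the redirect URL, bound to
    $uamsecret (HS_UAMSECRET) so that only the CGI and chilli can derive it.
    An empty secret reproduces the CGI's behaviour when $uamsecret is undefined."""
    hexchal = bytes.fromhex(challenge_hex)               # pack "H32", $challenge
    return hashlib.md5(hexchal + uamsecret).digest() if uamsecret else hexchal


def chap_response(password: bytes, newchal: bytes) -> str:
    """$response = md5_hex("\\0", $password, $newchal): CHAP with identifier 0."""
    return hashlib.md5(b"\x00" + password + newchal).hexdigest()


def pap_password(password: bytes, newchal: bytes) -> str:
    """$pappassword = unpack "H32", ($password ^ $newchal), used when
    $userpassword=1.  unpack "H32" keeps 16 bytes, so longer passwords are cut."""
    return xor_perl(password, newchal)[:16].hex()


def chilli_recover_pap(pappassword_hex: str, challenge_hex: str, uamsecret: bytes) -> bytes:
    """chilli on /logon?username=..&password=..: undo the XOR with its own copy of
    HS_UAMSECRET.  A secret that differs from the CGI's yields garbage, not an error."""
    newchal = user_challenge(challenge_hex, uamsecret)
    return xor_perl(bytes.fromhex(pappassword_hex), newchal).rstrip(b"\x00")


def radius_chap_ok(response_hex: str, newchal: bytes, cleartext: bytes) -> bool:
    """FreeRADIUS with a Cleartext-Password entry can recompute the CHAP digest
    itself; this is the check the `users` line above makes possible."""
    return hashlib.md5(b"\x00" + cleartext + newchal).hexdigest() == response_hex


if __name__ == "__main__":
    challenge = os.urandom(16).hex()    # chilli appends ...&challenge=<hex> to the UAM URL
    secret = b"uamsecret"               # HS_UAMSECRET / $uamsecret from this page
    newchal = user_challenge(challenge, secret)
    print("CHAP mode verifies :", radius_chap_ok(chap_response(b"bayu", newchal), newchal, b"bayu"))
    print("PAP mode recovers  :", chilli_recover_pap(pap_password(b"bayu", newchal), challenge, secret))
    print("secret mismatch    :", chilli_recover_pap(pap_password(b"bayu", newchal), challenge, b"other"))
    print("17-byte password   :", chilli_recover_pap(pap_password(b"a" * 17, newchal), challenge, secret))
```

With $userpassword=1 chilli recovers the plaintext and forwards it as User-Password (PAP) to FreeRADIUS, which is why the CGI comment insists on $uamsecret: without it the XOR mask is the challenge itself, visible in the redirect URL to anyone on the LAN. Two practical consequences show up in the output: a mismatched HS_UAMSECRET/$uamsecret pair produces garbage rather than an error (logins simply fail), and PAP mode keeps only the first 16 bytes of a password.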
Then start the web server
[root@smpn1ksb raddb]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@smpn1ksb raddb]#
Next, and this matters: edit /etc/chilli/up.sh and add the call to route.sh as the last line of the function, so that it runs after chilli's own rules:
(cut)
    [ "$HS_LOCAL_DNS" = "on" ] && \
        ipt -I PREROUTING -t nat -i $IF -p udp --dport 53 -j DNAT --to-destination $ADDR
    /etc/chilli/route.sh
}
Create route.sh
vim /etc/chilli/route.sh
Contents (two caveats: because route.sh runs at the end of up.sh, its three flushes also throw away every rule up.sh inserted before the call, the DNS DNAT line shown above included; and the FORWARD rule only covers eth1, so if the FORWARD chain's default policy is DROP rather than ACCEPT, the traffic chilli hands to the kernel through its tun interface needs a rule of its own):
#!/bin/sh
# Called from the end of /etc/chilli/up.sh once chilli's interface is up.
# Flushing here discards the rules up.sh itself inserted just before the call.
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
# NAT client traffic out through the WAN interface (HS_WANIF is left unset in defaults)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow forwarding from the LAN interface
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Save it and make it executable
chmod a+x /etc/chilli/route.sh
Done again
Check that everything comes up normally:
[root@smpn1ksb raddb]# service chilli restart
Shutting down chilli: [ OK ]
Starting chilli: [ OK ]
[root@smpn1ksb raddb]# service radiusd restart
Stopping freeradius [ OK ]
Starting freeradius [ OK ]
[root@smpn1ksb raddb]# service httpd restart
Shutting down httpd: [ OK ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@smpn1ksb raddb]#
Now give it a try
Cool post, just subscribed.