bayu Artanto

@ bayu.blitar.ORG

Simple Captive Portal

What is a captive portal? See here:

and basically it comes down to this:

A captive portal is an authentication technique for protecting data that passes from the internal network to the external network. The captive portal is really a router or gateway machine that blocks traffic, allowing none through, until the user has first registered with the system. Captive portals are usually used on wireless infrastructure such as hotspot areas, but nothing prevents them from being applied to wired networks as well.

OK, straight to it: we will build a simple captive portal using:

MySQL? Later. First we want to build the captive portal as simply as possible. Onward...

Install Mandriva 2009.1; you can refer to http://howtoforge.net/the-perfect-desktop-mandriva-one-2009.1-with-gnome , the rest is up to you :).

After installing Mandriva Linux, don't forget to install the web server:

urpmi apache

Once all of that is fine, we move on to installing the core of the captive portal itself: coova-chilli and FreeRADIUS. Oh, and before continuing with this process, don't forget to also connect Mandriva Linux to the nearest repository. An overview can be seen here: http://blitar.linux.or.id/2008/12/17/mandriva-2009-add-repo/.

Install Coova ChilliSpot

urpmi chillispot

or

urpmi coova

Once it is installed, start it right away:

/etc/init.d/chilli start

or

service chilli start

With the command above, besides starting the captive portal service, we also automatically generate the configuration for the captive portal. This generated default configuration is placed in:

/etc/chilli/

[server@smpn1ksb ~]$ ls -l /etc/chilli
total 40
-rw-r--r-- 1 root root 5776 2009-06-22 11:58 defaults
-rwxr-xr-x 1 root root  385 2008-12-17 06:33 down.sh*
-rwxr-xr-x 1 root root 8045 2008-12-17 06:33 functions*
-rw-r--r-- 1 root root    0 2009-06-23 06:00 hs.conf
-rw-r--r-- 1 root root    0 2009-06-23 06:00 local.conf
-rw-r--r-- 1 root root  851 2009-06-23 03:42 main.conf
-rwxr-xr-x 1 root root  319 2009-06-23 05:42 route.sh*
-rwxr-xr-x 1 root root 1596 2009-06-23 05:36 up.sh*
drwxr-xr-x 2 root root 4096 2009-06-21 09:32 www/
-rwxr-xr-x 1 root root  670 2008-12-17 06:33 wwwsh*
[server@smpn1ksb ~]$

Do not fiddle with the /etc/chilli.conf file; leave it at the default for now. With the configuration as it stands above, this captive portal can already be used.

Network diagram:

Internet <> Modem <> Captive Portal <> LAN

Although the captive portal can already be used and can serve requests from the LAN, it still has weaknesses. The weaknesses are:

  • It connects directly to the RADIUS server at coova.org
  • It cannot be used directly for internet access; you first have to register with coova.org

To overcome these weaknesses, we will set up our own RADIUS server using FreeRADIUS.

Install FreeRADIUS.

urpmi freeradius

The initial FreeRADIUS configuration is in /etc/raddb

[server@smpn1ksb ~]$ ls -l /etc/raddb/
total 196
-rw-r----- 1 root radius   671 2009-03-17 10:51 acct_users
-rw-r----- 1 root root    4174 2009-03-17 10:51 attrs
-rw-r----- 1 root root     458 2009-03-17 10:51 attrs.access_reject
-rw-r----- 1 root root     437 2009-03-17 10:51 attrs.accounting_response
-rw-r----- 1 root root    2022 2009-03-17 10:51 attrs.pre-proxy
drwxr-x--- 2 root root    4096 2009-06-22 04:28 certs/
-rw-r----- 1 root radius  6548 2009-06-22 11:34 clients.conf
-rw-r----- 1 root root     877 2009-03-17 10:51 dictionary
-rw-r----- 1 root root   14731 2009-03-17 10:51 eap.conf
-rwxr-xr-x 1 root root    4609 2009-03-17 10:51 example.pl*
-rw-r----- 1 root root   12597 2009-03-17 10:51 experimental.conf
-rw-r----- 1 root root    2352 2009-03-17 10:51 hints
-rw-r----- 1 root root    1604 2009-03-17 10:51 huntgroups
drwxr-x--- 2 root root    4096 2009-06-22 04:27 modules/
-rw-r----- 1 root root    1154 2009-03-17 10:51 policy.conf
-rw-r----- 1 root root    4873 2009-03-17 10:51 policy.txt
-rw-r----- 1 root radius   984 2009-03-17 10:51 preproxy_users
-rw-r----- 1 root root   24732 2009-03-17 10:51 proxy.conf
-rw-r----- 1 root root   26417 2009-06-22 04:45 radiusd.conf
drwxr-x--- 2 root root    4096 2009-06-22 09:28 sites-available/
drwxr-x--- 2 root root    4096 2009-06-22 04:27 sites-enabled/
drwxr-xr-x 3 root root    4096 2009-06-22 04:28 sql/
-rw-r----- 1 root root    3046 2009-06-22 04:29 sql.conf
-rw-r----- 1 root root    2178 2009-03-17 10:51 sqlippool.conf
-rw-r----- 1 root root    3450 2009-03-17 10:51 templates.conf
-rw-r----- 1 root radius  6557 2009-06-22 09:29 users
[server@smpn1ksb ~]$

Edit the file /etc/raddb/clients.conf. Then find the secret line and change it as below:

secret        = radiussecret

Edit the file /etc/raddb/users. Then add the following line at the very bottom:

bayu Cleartext-Password := "bayu"

Then test the RADIUS server by running the command below:

[root@smpn1ksb server]# radiusd -X
FreeRADIUS Version 2.1.5, for host i586-mandriva-linux-gnu, built on Mar 17 2009 at 10:50:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
—cutted—
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

There, it works; nothing in our settings is wrong. Stop it by pressing Ctrl + C.
After that, start the RADIUS server service with the command below:

[root@smpn1ksb server]# service radiusd start
Starting freeradius [ OK ]
[root@smpn1ksb server]#

Test the RADIUS server:

[root@smpn1ksb server]# radtest bayu bayu 127.0.0.1 1812 radiussecret
Sending Access-Request of id 76 to 127.0.0.1 port 1812
User-Name = "bayu"
User-Password = "bayu"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=76, length=20
[root@smpn1ksb server]#

Done, FreeRADIUS as our RADIUS server is OK. If you don't believe it, try testing once more with this:

[root@smpn1ksb raddb]# radtest bayu keren 127.0.0.1 1812 radiussecret
Sending Access-Request of id 247 to 127.0.0.1 port 1812
User-Name = "bayu"
User-Password = "keren"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=247, length=20
[root@smpn1ksb raddb]#

Access Reject !!!
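An added illustration (not part of the original post) of what the shared secret does inside the two radtest exchanges above: per RFC 2865 the NAS hides the PAP User-Password with MD5 keyed by the secret and a Request Authenticator, and the server's reply carries an authenticator computed over that same secret, so a secret that differs between clients.conf and HS_RADSECRET yields a garbled password and an Access-Reject rather than a clear error. The 16-byte Request Authenticator below is a constructed constant; a real NAS uses random bytes.

```python
import hashlib

SECRET = b"radiussecret"   # value from this post; change it in production
PASSWORD = b"bayu"         # the test user's password from /etc/raddb/users
REQUEST_AUTH = bytes(range(16))   # constructed; real NAS sends 16 random bytes


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as the NAS (chilli/radtest) does in Access-Request.
    The password is zero-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), the first block being keyed
    by the Request Authenticator (RFC 2865, section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse step performed by the RADIUS server. With a wrong secret the
    result is garbage, which then fails the users-file check as Access-Reject."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")   # passwords contain no NUL, so padding strips safely


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    (RFC 2865, section 3); the NAS recomputes it to confirm the Access-Accept
    came from a server that holds the shared secret."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, SECRET, REQUEST_AUTH)
    print("User-Password on the wire :", hidden.hex())
    print("server, matching secret   :", reveal_user_password(hidden, SECRET, REQUEST_AUTH))
    print("server, mismatched secret :", reveal_user_password(hidden, b"typo", REQUEST_AUTH))
    # Access-Accept (code 2), id 76, no attributes: length 20, as in the radtest output above
    print("Response Authenticator    :", response_authenticator(2, 76, b"", REQUEST_AUTH, SECRET).hex())
```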

OK, next we combine Coova Chilli with FreeRADIUS.
Edit the file /etc/chilli/defaults directly; its contents will look like this (adjust to your own situation):

# -*- /bin/sh -*-
#
# Coova-Chilli Default Configurations.
# To customize, copy this file to /etc/chilli/config
# and edit to your liking. This is included in shell scripts
# that configure chilli and related programs before file 'config'.

###
# Local Network Configurations
#

# HS_WANIF=eth0 # WAN Interface toward the Internet
HS_LANIF=eth1 # Subscriber Interface for client devices
HS_NETWORK=10.10.10.0 # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=10.10.10.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990 # HotSpot Port (on subscriber network)

# HS_DYNIP=
# HS_DYNIP_MASK=255.255.255.0
# HS_STATIP=
# HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=
HS_DNS1=127.0.0.1
# for this DNS I use dnsmasq
#HS_DNS2=

###
# HotSpot settings for simple Captive Portal
#
HS_NASID=nas01
HS_UAMSECRET=uamsecret
# the same value has to be set in hotspotlogin.cgi
HS_RADIUS=127.0.0.1
#HS_RADIUS2=rad01.coova.org   (original value)
HS_RADIUS2=127.0.0.1
#HS_RADSECRET=coova-anonymous   (original value)
HS_RADSECRET=radiussecret
# already changed to the secret set in clients.conf earlier
#HS_UAMALLOW=coova.org   (original value)
HS_UAMALLOW=www.blitar.org
# the example above is a site that can be reached directly without authentication

# Put entire domains in the walled-garden with DNS inspection
# HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

# Optional initial redirect and RADIUS settings
# HS_SSID=<ssid> # To send to the captive portal
# HS_NASMAC=<mac address> # To explicitly set Called-Station-Id
# HS_NASIP=<ip address> # To explicitly set NAS-IP-Address

# The server to be used in combination with HS_UAMFORMAT to
# create the final chilli 'uamserver' url configuration.
#HS_UAMSERVER=coova.org   (original value)
HS_UAMSERVER=10.10.10.1
# the web server that serves the authentication page

# Use HS_UAMFORMAT to define the actual captive portal url.
# Shell variable replacement takes place when evaluated, so here
# HS_UAMSERVER is escaped and later replaced by the pre-defined
# HS_UAMSERVER to form the actual "--uamserver" option in chilli.
#HS_UAMFORMAT=https://\$HS_UAMSERVER/p/uam/chilli   (original value)
HS_UAMFORMAT=https://\$HS_UAMSERVER/cgi-bin/hotspotlogin.cgi

# Same principle goes for HS_UAMHOMEPAGE.
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

# This option will be configured to be the WISPr LoginURL as well
# as provide "uamService" to the ChilliController. The UAM Service is
# described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
#
#HS_UAMSERVICE=https://coova.org/app/uam/auth   (original value)
HS_UAMSERVICE=https://10.1.0.1/cgi-bin/hotspotlogin.cgi

###
# Features not activated per-default (default to off)
—cutted—

The Coova Chilli defaults configuration is done. Now install the hotspotlogin.cgi file into /var/www/cgi-bin

[root@smpn1ksb raddb]# cp /usr/share/doc/coova-chilli/hotspotlogin.cgi /var/www/cgi-bin/hotspotlogin.cgi

Then

chmod a+x /var/www/cgi-bin/hotspotlogin.cgi

Then edit that file at the following lines and adjust them:

# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
#$uamsecret = "ht2eb8ej6s4et3rg1ulp";   (original value)
$uamsecret = "uamsecret";
# matches HS_UAMSECRET in /etc/chilli/defaults

and

# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.
#$userpassword=1;
$userpassword=1;

Finished...
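An added check, not part of the original post: the files edited above must agree on their secrets (HS_RADSECRET with the secret in clients.conf, HS_UAMSECRET with $uamsecret in hotspotlogin.cgi), and none of them should still carry the values printed in this post or shipped in the defaults, since anyone who has read either can reuse them. The file contents below are constructed samples in the formats of those three files; on a real server, read the actual files instead.

```python
import re

# Constructed samples in the format of the three files this post edits.
CHILLI_DEFAULTS = "HS_RADSECRET=radiussecret\nHS_UAMSECRET=uamsecret\nHS_UAMSERVER=10.10.10.1\n"
CLIENTS_CONF = "client localhost {\n\tipaddr = 127.0.0.1\n\tsecret        = radiussecret\n}\n"
HOTSPOTLOGIN_CGI = '#$uamsecret = "ht2eb8ej6s4et3rg1ulp";\n$uamsecret = "uamsecret";\n$userpassword=1;\n'

# Secrets that appear in this post or in the shipped defaults.
KNOWN_VALUES = {"radiussecret", "uamsecret", "coova-anonymous", "ht2eb8ej6s4et3rg1ulp"}


def shell_var(text, name):
    """Value of NAME=value in a chilli defaults/config file; '#' lines are skipped."""
    m = re.search(r"^\s*%s=([^\s#]+)" % re.escape(name), text, re.M)
    return m.group(1).strip("\"'") if m else None


def radius_secrets(text):
    """Every 'secret = ...' value in clients.conf (one per client block)."""
    return [s.strip("\"'") for s in re.findall(r"^\s*secret\s*=\s*(\S+)", text, re.M)]


def cgi_uamsecret(text):
    """The active (uncommented) $uamsecret assignment in hotspotlogin.cgi."""
    m = re.search(r'^\s*\$uamsecret\s*=\s*"([^"]*)"\s*;', text, re.M)
    return m.group(1) if m else None


def check_secrets(defaults, clients, cgi):
    """Return a list of findings; an empty list means the files agree and look sane."""
    findings = []
    radsecret = shell_var(defaults, "HS_RADSECRET")
    uamsecret = shell_var(defaults, "HS_UAMSECRET")
    if radsecret not in radius_secrets(clients):
        findings.append("HS_RADSECRET does not match any secret in clients.conf")
    if uamsecret != cgi_uamsecret(cgi):
        findings.append("HS_UAMSECRET differs from $uamsecret in hotspotlogin.cgi")
    for name, value in (("HS_RADSECRET", radsecret), ("HS_UAMSECRET", uamsecret)):
        if value is None or value in KNOWN_VALUES or len(value) < 16:
            findings.append("%s is missing, a published example value, or shorter than 16 chars" % name)
    return findings


if __name__ == "__main__":
    for finding in check_secrets(CHILLI_DEFAULTS, CLIENTS_CONF, HOTSPOTLOGIN_CGI) or ["OK"]:
        print(finding)
```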

Then start the web server

[root@smpn1ksb raddb]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@smpn1ksb raddb]#

Then, importantly, edit the file /etc/chilli/up.sh and add the following line (the call to /etc/chilli/route.sh at the end of the function):

—cutted—
[ "$HS_LOCAL_DNS" = "on" ] && \
ipt -I PREROUTING -t nat -i $IF -p udp --dport 53 -j DNAT --to-destination $ADDR
/etc/chilli/route.sh
}

Create the file route.sh

vim /etc/chilli/route.sh

Its contents:

# flush the filter, nat and mangle tables
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
# masquerade traffic leaving through the WAN interface (eth0)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# allow forwarding from the subscriber interface (eth1)
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
# enable IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Save it and make it executable

chmod a+x /etc/chilli/route.sh

Done again :D

Check that everything runs normally:

[root@smpn1ksb raddb]# service chilli restart
Shutting down chilli: [ OK ]
Starting chilli: [ OK ]
[root@smpn1ksb raddb]# service radiusd restart
Stopping freeradius [ OK ]
Starting freeradius [ OK ]
[root@smpn1ksb raddb]# service httpd restart
Shutting down httpd: [ OK ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@smpn1ksb raddb]#

Give it a try :D



