No reference to the ‘American Pie’ movie. Seriously people, get your minds out of the gutter – this is a Tech blog!
A couple of posts back (like 7 or 8 months ago actually) I said I’d let you guys know what I was going to do with my Raspberry Pi which I got for Christmas last year. Lots of ideas were available – turning it into a media server was the foremost suggestion by most folks, but given that I already had my DLNA NAS perfectly setup, that was never an option. Eventually, I decided to use it as a Radius authenticator. And why did I decide that? Well basically because of people streaming in and out of my place and most wanting to use the wifi (a blazing fast fibre connection tends to attract requests like that from my guests). Having gotten tired of keying in the authentication protocols for them, I figured a good use of the Pi would be to have some sort of hotspot authentication going on together with a older Linksys WRT54GL wireless router I had lying around which had been installed with OpenWRT (you can use Tomato or DD-WRT as well with Chillispot or CoovaChilli). I had set this up previously on a Slackware and Ubuntu box so it wasn’t really rocket science but I’ll detail what I did anyway for those looking to do similar.
Now I didn’t want a common name and password that everyone could share around – thats poor security any way you look at it and while I’m not a professional IT security specialist by trade, I still dabble a lot in security (and circumventing it) unofficially (don’t ask, the less you know the less liable you’ll be – call it ‘plausible deniability’ if you want), so it would be embarrassingly idiotic of me to have a common userid/password system in place on anything. While in NTU for work and visits, I noted their SMS system in allowing outsiders to temporarily gain access to their wireless systems and thought it was a good idea. In our little island, every local mobile number must be registered to a real person (as compared to email address which you can create at will), giving me record of exactly who used my system (and essentially someone to blame if there was any abuse). Since I couldn’t find a reliable and viable internet SMS gateway that I could control via CLI, I decided on an email system:
- the potential user would hook onto my open wireless system
- the open system would allow them to log in (if they have a userid and password) or go to a sign up page where they would need to supply a valid email (as their userid) and a choice password.
- the sign up page would then email me the request and I would click a link embedded in the email to approve/disapprove the sign up
- after a predefined time period the userid would be removed from the radius server
If you’ve ever administered a mailing list, you’ll see how similar it is to managing users on the list with the exception that the above system has no way to inform the user if their sign up was approved or not (which is why I let them choose their own password). I could send them an email, but there is no guarantee that they have a 3G/LTE connection to receive the email. If I had an internet SMS gateway, I could program things so that the system just takes in the user’s mobile number and on approval for a temporary sign up, will SMS a randomly generated password back to the user’s mobile. Actually I could just build an SMS gateway with the Pi, but I make do with what I have.
Now this is going to be a looooooonnnnnnggggg instructional, as such I’m breaking it up into several posts, so one has to try to keep focused (especially with the long winded way I rant on and on about even the simplest of things).
So here we go – lets get the Pi set up as a Radius server and authenticator. You’re of course going to need the Pi already set up with its base – Raspbian or some server version for the Pi. I suggest the latter since the desktop just slows the whole thing down and you don’t need the desktop at all – you can disable the desktop but theres still a lot of un-needed stuff on Raspbian, so the stripped down server version is the best bet. Make sure your Pi has a fixed IP address and note it down using ifconfig:
root@rpi:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr c1:02:ca:bd:79:b1
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6398 errors:0 dropped:0 overruns:0 frame:0
TX packets:1894 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1162288 (1.1 MiB) TX bytes:328810 (321.1 KiB)
You can then configure your router to reserve the same IP address for the Pi’s MAC (HWaddr above) – see your router’s manual for more info. If you want to set the static IP from the Pi itself, make sure you know the netmask, gateway and broadcast of your network. Fire up your favorite editor (I use nano) and edit /etc/network/interfaces and change iface eth0 inet dhcp to:
iface eth0 inet static address 192.168.1.20 netmask 255.255.255.0 gateway 192.168.1.1 network 192.168.1.0 broadcast 192.168.1.255
Those are the network values for my network, so substitute your own. Seriously its a lot easier for the less network inclined to just use the router to reserve a specific IP for the Pi via its MAC address.
The essentials
What are you going to need? Basically a webserver (Apache2), a database server (MySQL), a scripting language to process requests (perl or php – I used perl) and of course the Free Radius authentication server (and its hooks to MySQL)
sudo apt-get install mysql-client mysql-server sudo apt-get install freeradius freeradius-utils freeradius-mysql sudo apt-get install apache2 openssl perl
Do note, that apt-get may ask for passwords and stuff while setting up MySQL, so take note of the passwords you supply it with as you’ll need them later.
Configuring the various servers
Apache
Configure the Apache webserver by editing the /etc/apache2/sites-available/default. You can actually safely leave this as what it came as or just add in your proper email address if you want.
Next we need to setup the SSL certs. Reason for this is because the radius auth should happen over an encrypted session. The hotspotlogin script you’ll be using later will check for an encrypted session and if it doesn’t find one, this (yes, thats my home wireless logo which I designed – don’t go copying it!) is what you’ll get:
You could make do without an encrypted session and edit the hotspotlogin script to bypass the check, but when you’re dealing with passwords, don’t be an idiot about things, even if its just a home system you’re setting up.
Now when you install openssl, ssl-cert will be installed as well and this gives you a set of self signed certs already (ssl-cert-snakeoil.pem and ssl-cert-snakeoil.key). You can use this if you want or generate your own keys. I’ll go through generating your own just in case:
root@rpi:~# apache2-ssl-certificate creating selfsigned certificate replace it with one signed by a certification authority (CA) enter your ServerName at the Common Name prompt If you want your certificate to expire after x days call this programm with -days x Generating a 1024 bit RSA private key ............++++++ ..........................++++++ writing new private key to '/etc/apache2/ssl/apache.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [SG]: State or Province Name (full name) [Some-State]:Sinagpore Locality Name (eg, city) []:Singapore Organization Name (eg, company; recommended) []:MDS Organizational Unit Name (eg, section) []: server name (eg. ssl.domain.tld; required!!!) []:rpi Email Address []: someuser@some.email.address
Then configure the Apache SSL configuration. Most of it will already be in the default-ssl file in /etc/apache2/sites-available and its safe to use whats there, just replace the ssl-cert-snakeoil.pem with the full path of the apache.pem file generated in the step above (if you generate your own cert). Comment out the ssl-cert-snakeoil.key:
SSLCertificateFile /etc/apache2/ssl/apache.pem
Go to /etc/apache2/sites-enabled and soft link the default-ssl files from /etc/apache2/sites-available to /etc/apache2/sites-enabled with a prefix number (tells the system what order to start up the websites in)
root@rpi:~# cd /etc/apache2/sites-enabled root@rpi:/etc/apache2/sites-enabled# ln -s ../sites-available/default-ssl 001-default-ssl
Restart apache and you should be able to use any browser to go to https://<your-ip-address> as shown.
MySQL Database Server
There isn’t much to do for MySQL. The passwords should have been setup during the apt-get installation already so no worries about that. The initial databases would also have been installed then. Don’t worry about the tables for the users as yet, the schema for that gets set up later with Free Radius.
You will however, need to create an empty database for Free Radius in MySQL called (unsurprisingly), radius:
root@rpi:~# mysql -u root -p -h localhost
You will be prompted for your MySQL root password (which you would have set during the MySQL installation) and after correctly entering it you will be at the mysql prompt where you can then create your database:
mysql> create database radius; Query OK, 1 row affected (0.00 sec)
Lets now set a user and password to access the radius database – as a matter of security, you don’t want to have the MySQL superadmin root user do this. Create the user and set its permissions – firstly to allow it to connect from localhost with a password and secondly giving it full permissions over the tables in the radius database:
mysql> grant usage on *.* to radius@localhost identified by ‘myr4d1u5p455’; Query OK, 0 rows affected (0.00 sec) mysql> grant all privileges on radius.* to radius@localhost; Query OK, 0 rows affected (0.00 sec) mysql> exit;
You may now log in to MySQL as user radius from localhost with the password ‘myr4d1u5p455’.
Setting up the Free Radius server is pretty long, so I’m pushing that to a post all by itself.
UPDATE:
Got a 3G USB dongle and setup an SMS gate way on the Pi itself for a much better temporary user sign up system.
Comments (0)