...
Code Block |
---|
.... wifi1:wifi ipv4 dynamic_shared |
In /etc/shorewall/shorewall.conf set:
Code Block |
---|
SAVE_IPSETS=Yes |
...
In /etc/shorewall/rules (replace the IP addresses with the actual IP addresses of the wifi routers):
Code Block |
---|
ACCEPT:INFO(uid) wifi:192.168.9.2,192.168.9.3,192.168.9.4 $FW udp 1812 |
FreeRADIUS
Code Block |
---|
apt-get install freeradius |
Modify /etc/freeradius/3.0/mods-available/eap and comment out the following:
Code Block |
---|
....
# md5 {
# }
....
# leap {
# }
....
# gtc {
# # The default challenge, which many clients
# # ignore..
# #challenge = "Password: "
#
# # The plain-text response which comes back
# # is put into a User-Password attribute,
# # and passed to another module for
# # authentication. This allows the EAP-GTC
# # response to be checked against plain-text,
# # or crypt'd passwords.
# #
# # If you say "Local" instead of "PAP", then
# # the module will look for a User-Password
# # configured for the request, and do the
# # authentication itself.
# #
# auth_type = PAP
# }
....
# tls {
# # Point to the common TLS configuration
# tls = tls-common
#
# #
# # As part of checking a client certificate, the EAP-TLS
# # sets some attributes such as TLS-Client-Cert-CN. This
# # virtual server has access to these attributes, and can
# # be used to accept or reject the request.
# #
# # virtual_server = check-eap-tls
# }
.... |
...
Modify /etc/freeradius/3.0/clients.conf: comment out the 'client localhost' and 'client localhost_ipv6' sections and add blocks like these at the end, one for each wifi router (replace with the actual IP addresses of the wifi routers):
Code Block |
---|
client wifi-ap1 {
    ipaddr = 192.168.9.2
    secret = password # Replace with an actual password
}
client wifi-ap2 {
    ipaddr = 192.168.9.3
    secret = password # Replace with an actual password
}
client wifi-ap3 {
    ipaddr = 192.168.9.4
    secret = password # Replace with an actual password
} |
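A check that can be run over clients.conf after this step, as an added example (not part of the original page and not FreeRADIUS code): it flags localhost clients that are still active, secrets left at a placeholder or default, and two clients sharing one ipaddr. The sample file, the 16-character minimum and the function names are assumptions; it expects flat client blocks whose secrets contain no '#'.

```python
import re

# Constructed sample in the layout used on this page; all values are illustrative.
SAMPLE = """\
#client localhost {
#    ipaddr = 127.0.0.1
#}
client wifi-ap1 {
    ipaddr = 192.168.9.2
    secret = password   # placeholder never replaced
}
client wifi-ap2 {
    ipaddr = 192.168.9.3
    secret = Zk4v-constructed-Example-9qLw
}
client wifi-ap3 {
    ipaddr = 192.168.9.2
    secret = Hm7t-constructed-Example-2xRd
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
KV_RE = re.compile(r"^\s*(ipaddr|secret)\s*=\s*(.+?)\s*$", re.M)
WEAK = {"password", "testing123", "secret", "changeme"}  # testing123 is the shipped default

def parse_clients(text):
    """Return {name: {"ipaddr": ..., "secret": ...}} for uncommented client blocks."""
    active = re.sub(r"#.*", "", text)  # commented-out blocks disappear here
    return {name: {k: v.strip('"') for k, v in KV_RE.findall(body)}
            for name, body in CLIENT_RE.findall(active)}

def audit(text, min_len=16):
    """Return a list of (client, problem) tuples; min_len is an assumed policy value."""
    findings, seen = [], {}
    for name, cfg in parse_clients(text).items():
        ip, secret = cfg.get("ipaddr"), cfg.get("secret", "")
        if name.startswith("localhost"):
            findings.append((name, "default localhost client still active"))
        if secret.lower() in WEAK:
            findings.append((name, "placeholder or default secret"))
        elif len(secret) < min_len:
            findings.append((name, "secret shorter than %d characters" % min_len))
        if ip and ip in seen:
            findings.append((name, "ipaddr %s duplicates %s" % (ip, seen[ip])))
        elif ip:
            seen[ip] = name
    return findings

if __name__ == "__main__":
    for client, problem in audit(SAMPLE):
        print("%s: %s" % (client, problem))
```

To audit the live file, pass its contents instead of SAMPLE, for example `audit(open("/etc/freeradius/3.0/clients.conf").read())`.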
...
Code Block |
---|
apt-get install mysql-server freeradius-mysql
mysql -uroot
CREATE DATABASE radius;
exit
mysql -uroot radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql |
...
Code Block |
---|
apt-get install libpam-script sshpass
mkdir /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
cd /usr/share/libpam-script/pam-script.d/pam_to_mysql_update
# Install the pam_to_mysql_update.sh script from the shwl_add_shwl_del_sl_pmu archive in here
ln -s pam_to_mysql_update.sh pam_script_auth
ln -s pam_to_mysql_update.sh pam_script_passwd
mysql -uroot
GRANT ALL on radius.radcheck TO 'freerad'@'localhost';
exit
pam-auth-update
# And, uncheck the box for "Support for authentication by external scripts" |
Add the following line at the end of /etc/pam.d/common-auth:
...