Academic Session
: 2012/2013
I hereby declare that I have read this report and in my opinion, this thesis is sufficient in terms of scope and quality for the award of the degree of Bachelor of Engineering (Electrical - Telecommunication).
A thesis submitted in partial fulfillment of the requirements for the award of the degree of Bachelor of Engineering (Electrical - Telecommunication)
JUNE 2013
ACKNOWLEDGEMENT
First of all, Alhamdulillah, praise to the mighty Allah for the guidance, strength and passion given to me for my final year project. Peace and blessings upon Prophet Muhammad S.A.W., who has brought the light to all mankind.
This research project would not have been possible without the support of many people. First of all, I wish to express my gratitude to my supervisor, En. Alias Mohd, who was abundantly helpful and offered invaluable assistance, support and guidance.
Special thanks to the IT lab technicians En. Abdul Rahman Sattar bin Salleh and Puan Sri Mahrani binti Abdul Azes for assisting me by providing the facilities I needed. They also gave me advice on the basics of setting up the Apache server and other information needed.
Besides that, special thanks also to my senior En. Hamdan bin Sayuti for the great help in developing the server and solving errors. Last but not least, I would like to express my sincere appreciation to my beloved parents and friends for their understanding during the time taken to accomplish the given project, and at the same time for supporting me in everything I do in my life. Thus, they have given me courage and strength to perform well in everything.
LIST OF ABBREVIATIONS
AAA - Authentication, Authorization and Accounting
PAP - Password Authentication Protocol
AP - Access Point
RS - Radius Server
RADIUS - Remote Authentication Dial-In User Service
LDAP - Lightweight Directory Access Protocol
TCP - Transmission Control Protocol
PC - Personal Computer
WLAN - Wireless Local Area Network
NAS - Network Access Server
CHAPTER 1
INTRODUCTION
1.1 Introduction
As technology leads the world, people can access the network easily as long as there is a WiFi connection where they are. Therefore, it is convenient for users to communicate on social networks wherever they are. Even while eating and chatting in KFC, Burger King, Dunkin' Donuts or other places, users can access the internet by asking the staff for the password. The same goes for universities and workplaces: users need to enter a username and password in order to access the internet. They are given their own username and password by the administrator of the university or workplace. Only a person who has an authentic username and password is allowed to access the internet.
1.2 Problem Statement
Currently, when a user wants to access the internet in FKE, they are asked to enter the password, so those who do not know the password fail to get access. Therefore, this project is implemented to manage access to the wireless network in FKE. In this project, a FreeRADIUS server checks the user's credentials and allows only users who have a profile in the database to access the FKE WiFi. FreeRADIUS is totally free of charge since it is open source, friendly and very cost effective.
1.3 Objectives of Project
1.4 Scope of Project
The scope of the project is to manage access to the wireless network in FKE. The project focuses on managing user access to the FKE WiFi network. Only the students and staff in FKE who have correct user credentials are allowed to access the network.
1.5 Work Contribution
Handle the authentication of the user before they access the FKE WiFi network.
1.6 Work Schedule
In this project, the work schedule was designed to keep the project well organised, following the Final Year Project plan of the Faculty of Electrical Engineering.
Based on Table 1.1, in the second week of semester 1 there was an FYP briefing by Dr. Asrul Izam, the coordinator of the Final Year Project. It was followed by an FYP research methodology briefing by Assoc. Prof. Dr. Muhammad Ramlee bin Kamarudin. In the following week, there were suggestions and a briefing by the supervisor regarding the project. The preparation for FYP1 took three weeks after the project briefing by the supervisor and focused on the literature review, the background of the project and the expected results of the project. For the FYP1 presentation, five panel members evaluated the planning of the project. At the end of semester 1, the project report was submitted.
Table 1.2 shows the work schedule for FYP2. At the beginning of semester 2, the literature review continued in order to gather more information regarding the project. In the following weeks, the work continued with programming in Ubuntu. During the programming sessions some errors occurred, so week 4 focused on troubleshooting and system enhancement. The presentation of the project was held in week 15; therefore, the two weeks before it were spent preparing for the presentation. The thesis draft was submitted after the presentation.
1.7 Organization of Thesis
The thesis is divided into five chapters. Chapter 1 gives the background of the FreeRADIUS server; the problem statement, objectives, scope of study and work schedule are also explained in this chapter. Chapter 2 reviews the project's main topic, the FreeRADIUS server, and gives relevant information for developing it. Chapter 3 briefly explains the methodology by which this project was completed, while Chapter 4 presents the results of the system development; the troubleshooting done during the process is also discussed in that chapter. Lastly, the conclusion and recommendations for future work are described in Chapter 5.
CHAPTER 2
LITERATURE REVIEW
2.1 Introduction
This chapter provides the essential background theory and literature review on FreeRADIUS, Authentication, Authorization and Accounting (AAA) services, the ChilliSpot captive portal and some related information about DD-WRT.
In the modern world, a WiFi network can be accessed from a mobile phone, laptop, personal computer (PC) or iPad wherever there is coverage. In reality, access to the WiFi network should be managed properly in order to have a secure network and a manageable authentication system. The authentication system should check user credentials (login and password) in order to limit and grant access to the WiFi network to eligible users only.
A RADIUS server is not a database and does not contain one; RADIUS is a protocol that defines how user credentials are communicated and checked. Only users with correct credentials are allowed to access the network, after being authenticated by the FreeRADIUS server.
2.2 Benefits of FreeRADIUS
The most important feature of FreeRADIUS, which makes it a leading server, is that it is open source. This means the FreeRADIUS server is totally free of charge, so it is very economical and cost effective for a developer to implement. Meanwhile, as FreeRADIUS is open source, it can be adapted, changed, expanded and fixed by the developer.
2.4 Operation of FreeRADIUS
2.5 User Storage
User storage is the place where user details such as username and password are kept, to be provided to the FreeRADIUS server to validate the user during the authentication process. MySQL and LDAP are examples of user storage. On the WWW, popular web environments such as Yahoo and Google allow users to use their user storage through web services.
2.5.1 LDAP
In LDAP user storage, directories are designed for fast reading. Directory entries can be illustrated like a relational database: each entry has fields consisting of attribute-value pairs, and each entry must have at least one object class associated with it. An entry can have various types, and types can be added to or deleted from an entry at any time.
Each directory entry is updated separately. Hence, existing data may temporarily be out of sync. Since each entry must be updated separately, an update that involves multiple directory entries can leave the directory in a temporarily inconsistent state, as there are no transactions.
Basically, directories are queried far more often than they are updated, so LDAP directories are optimized for querying. LDAP runs over TCP/IP and is implemented using the client-server model.
2.7 DD-WRT
With developing technology, people are prompted to keep up to date with the latest information by connecting to the internet over wireless rather than over a LAN. Wireless can be implemented anywhere, and routers are the crucial devices that make it happen. Hence, to make the router more capable and gain a proper advantage, DD-WRT boosts the router's range, adds features and much more.
CHAPTER 3
METHODOLOGY
3.1 Introduction
This section describes the process of developing the FreeRADIUS server for the FKE WiFi network. Figure 3.1 shows the process involved in developing the FreeRADIUS server. The process starts with the installation of FreeRADIUS on a web-enabled Ubuntu server. Next, both the FreeRADIUS server and the Access Point are configured and linked to each other. At the end of the process, the FreeRADIUS server checks user credentials for authentication, authorization and accounting when users want to access the WiFi network.
Figure 3.1 (flowchart): Start; Configuration of FreeRADIUS server; Link AP to RS; User Credentials; End.
3.2 Installation of FreeRADIUS
Based on Figure 3.1, first and foremost Ubuntu was installed on a personal computer (PC), and the FreeRADIUS server was then installed on Ubuntu. Using the pre-built FreeRADIUS package brings advantages to the server: resolving dependencies is taken care of automatically. This includes taking care of future security updates, keeping track of all optional packages that were required to be installed with our packages, and ensuring that the correct version of each dependency package is installed.
For every process done in Ubuntu, the user must be root. Each time before changing to the root user, the root user's password is asked for; only the correct password changes the user into the root user. The bash command is as follows.
sudo su
In order to develop the FreeRADIUS server, the most important thing is to install the FreeRADIUS package. FreeRADIUS was chosen as it has rich features and is easy to implement. The following bash command was typed.
The FreeRADIUS package is saved in the file system under the etc directory. Therefore, the configuration files of the FreeRADIUS package can be found in /etc/freeradius/(configuration file).
Table 3.2 below lists the packages provided by FreeRADIUS, each with its own description, since it is a feature-rich piece of software.
Table 3.2: FreeRADIUS packages (Package Name / Short Description)
freeradius
freeradius-dbg
libfreeradius2
freeradius-ldap
freeradius-common
freeradius-iodbc
freeradius-krb5
freeradius-utils
freeradius-postgresql
freeradius-mysql
freeradius-dialupadmin
freeradius-dev
3.3 Installation of Apache and PHP
The Apache web server is widely used on various operating systems such as Linux, NetWare, Unix, Solaris and many more. In other words, Apache, also known as Apache HTTP Server, provides website services by an established standard for online distribution. The Apache web server is well maintained and often updated with new useful features and operations, up to the latest quality and protection requirements in HTTP delivery.
To build an Apache web server, the most important thing is to install Apache with the following bash command:
#
To ensure that Apache is installed correctly, it should be tested by typing the web address http://localhost/ in the web browser.
After successfully installing Apache, Figure 3.3a shows the "It works" page. Then, PHP was installed with the following bash command.
PHP needs to work with Apache. To ensure this, the following bash command was typed.
To ensure that PHP works well, the web address http://localhost/testphp.php was typed in the web browser to test it. Figure 3.3b shows the successful installation and configuration of PHP.
PHP can be used on all major operating systems, including Linux. Most web servers nowadays support PHP. This includes Apache, IIS, and any web server that can utilize the FastCGI PHP binary, such as lighttpd and nginx. PHP works either as a module or as a CGI processor, so with PHP the developer has the freedom to choose an operating system and a web server.
3.4 Configuration of FreeRADIUS Server
Once FreeRADIUS was installed correctly by the above process, all FreeRADIUS configuration files were tested. This is very important, as FreeRADIUS should work properly, so FreeRADIUS was run in debugging mode. Before that, the running FreeRADIUS service must be stopped. The following bash command was typed.
freeradius -X
To edit the radiusd.conf configuration file, the following command was typed at the terminal prompt.
Then, some changes were made to part of the radiusd.conf configuration file as follows, while the other lines remain the same.
The "log" section of radiusd.conf is where the primary logging configuration for the FreeRADIUS server is located. If this configuration parameter is set, then log messages for a request go to this file: there is one log file per request, once the server has accepted the request as being from a valid client. Messages that are not associated with a request still go to radius.log. Therefore, in this configuration file, stripped_names was set to yes. Likewise, auth, log_auth_badpass and log_auth_goodpass were also set to yes to make the login process work well, while the other comments remain the same.
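With auth, log_auth_badpass and log_auth_goodpass all set to yes, radius.log records every login result, and the badpass/goodpass options also write the submitted password into the bracketed [user/password] field. As an added example (not part of the thesis or of FreeRADIUS), the Python below parses constructed lines in that radius.log style to count failed logins per client and user, and redacts the password field before such a log is shared.

```python
"""Summarise and redact FreeRADIUS-style 'Auth:' lines from radius.log."""
import re
from collections import Counter

# Constructed sample lines in the style FreeRADIUS 2.x writes to radius.log when
# auth = yes and the goodpass/badpass options are on ([user/password] in brackets).
SAMPLE_LOG = """\
Wed Jun  5 10:12:01 2013 : Auth: Login OK: [Jannah/Jannah] (from client localhost port 0)
Wed Jun  5 10:12:40 2013 : Auth: Login incorrect: [Jannah/jannah] (from client localhost port 0)
Wed Jun  5 10:12:55 2013 : Auth: Login incorrect: [Jannah/Janna] (from client localhost port 0)
Wed Jun  5 10:13:02 2013 : Auth: Login incorrect: [admin/admin] (from client localhost port 0)
Wed Jun  5 10:13:09 2013 : Auth: Login incorrect: [admin/password] (from client localhost port 0)
Wed Jun  5 10:13:15 2013 : Auth: Login incorrect: [admin/123456] (from client localhost port 0)
Wed Jun  5 10:14:00 2013 : Info: Ready to process requests.
"""

# Tolerates an optional reason such as "(rlm_pap: ...)" between the result and the colon.
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect).*?: "
    r"\[(?P<user>[^/\]]*)(?:/(?P<password>[^\]]*))?\] \(from client (?P<client>\S+)"
)


def parse_auth_lines(text):
    """Return one dict per Auth line: ts, user, password (or None), client, ok."""
    events = []
    for line in text.splitlines():
        match = AUTH_LINE.match(line)
        if match:
            event = match.groupdict()
            event["ok"] = event.pop("result") == "OK"
            events.append(event)
    return events


def failed_logins(events):
    """Count 'Login incorrect' events per (client, user) pair."""
    return Counter((e["client"], e["user"]) for e in events if not e["ok"])


def users_over_threshold(events, limit=3):
    """Usernames that failed at least `limit` times from a single client."""
    return sorted(user for (_client, user), n in failed_logins(events).items() if n >= limit)


def redact_passwords(text):
    """Replace the /password part of [user/password] so the log can be shared safely."""
    return re.sub(r"(\[[^/\]]*)/[^\]]*\]", r"\1/<redacted>]", text)


if __name__ == "__main__":
    found = parse_auth_lines(SAMPLE_LOG)
    print(failed_logins(found))
    print("repeated failures:", users_over_threshold(found))
    print(redact_passwords(SAMPLE_LOG))
```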
In this configuration file there are packet types to listen for, and the only allowed values include auth and acct packets, which listen for authentication and accounting respectively. Therefore, the first port that needs to be listened on is the authentication port, marked as port 1812; the authorization process also refers to port 1812.
Next, the server listens on port 1813, which belongs to the accounting process. The ipaddr setting of * means that any IP address, whether the global 192.168.1.1 or localhost 127.0.0.1, is accepted as long as no specific IP address is stated. The interface setting was set to eth0; this is not strictly necessary for sites with many IP addresses on one interface, but with it the server listens on all addresses of eth0.
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other
}
The clients.conf file is used to define clients to the FreeRADIUS server. When a user/client wants to access the internet, the process request is sent to the FreeRADIUS server using the 127.0.0.1 IP address. Meanwhile, testing123 is the password, or shared secret, used by FreeRADIUS.
The nastype (network access service type) tells checkrad.pl which specific NAS method to use to query the NAS for simultaneous use. The permitted NAS types provided by FreeRADIUS are cisco, computone, livingston, max40xx, multitech, netserver, pathras, patton, portslave, tc and usrhiper. In this project the nastype was set to other, which means the NAS type is not one of the specific permitted types but suits all other types.
For this project, Jannah was defined as a test user. Therefore, the following lines were added at the top of the users file; the second and third lines are indented by a single tab character.
The content of the users file is used for both authorization and authentication purposes. Jannah was defined as a user. When she wants to access the internet, she sends an Access-Request packet from the 192.168.1.65 IP address. Then, the FreeRADIUS server takes action to either accept or reject the request, and responds to the request with the reply message "Hello, Jannah". Once the steps above were done, the basic FreeRADIUS setup was complete. Next, the authentication process involves supplying a username and password.
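The Access-Request / Access-Accept exchange described above, as an added example that is not part of the thesis or of FreeRADIUS itself: a minimal RFC 2865 PAP client and server in Python, using the testing123 secret from the clients.conf entry and a constructed users entry for Jannah (the Reply-Message "Hello, Jannah" is also returned). The client-side verify_response check shows what the shared secret buys: a reply whose Response Authenticator was not computed with the secret, or whose code was altered in transit, is rejected, which is why a secret like testing123 should be replaced by a long random one outside the lab.

```python
"""RADIUS PAP exchange (RFC 2865): NAS builds Access-Request, server answers Accept/Reject."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

SHARED_SECRET = b"testing123"        # secret from the clients.conf entry in the text
USERS = {"Jannah": "Jannah"}         # constructed stand-in for the users file entry


def _pap_blocks(data, secret, authenticator, encrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, key))
        out += result
        prev = result if encrypt else chunk   # chaining always uses the hidden block
    return out


def encode_pap_password(password, secret, authenticator):
    raw = password.encode()
    raw += b"\x00" * (-len(raw) % 16)        # pad to a multiple of 16 bytes
    return _pap_blocks(raw, secret, authenticator, encrypt=True)


def decode_pap_password(hidden, secret, authenticator):
    return _pap_blocks(hidden, secret, authenticator, encrypt=False).rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(blob):
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        kind, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[kind] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, user, password, nas_ip, secret=SHARED_SECRET):
    """What the NAS (ChilliSpot on DD-WRT) sends to UDP port 1812."""
    authenticator = os.urandom(16)           # Request Authenticator: random per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, encode_pap_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def handle_access_request(packet, secret=SHARED_SECRET, users=USERS):
    """Server side: PAP check against the users table, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    given = decode_pap_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(user)
    if expected is not None and hmac.compare_digest(given, expected.encode()):
        code, reply = ACCESS_ACCEPT, _attr(REPLY_MESSAGE, ("Hello, " + user).encode())
    else:
        code, reply = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + reply + secret).digest()
    return header + resp_auth + reply


def verify_response(response, request, secret=SHARED_SECRET):
    """NAS side: trust a reply only if its authenticator proves knowledge of the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```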
The output in debugging mode shows that FreeRADIUS is ready to process requests, since it already listens on the authentication, authorization and accounting addresses and ports.
3.5 Linking the Access Point to the RADIUS Server
Basically, to build this system, not all routers can be used, since not all firmware supports every router. Therefore, the router needs to be transformed to DD-WRT by installing the correct firmware on the router itself. With DD-WRT in the system, the developer can use the ChilliSpot captive portal to authenticate the user. The user needs to enter a username and password in the ChilliSpot captive portal before accessing the internet.
The default LAN IP address of this router is 192.168.1.1. This IP address was entered to log in to the router. System Tools was selected and then Firmware Upgrade was clicked. The factory-to-ddwrt.bin file was chosen and the Upgrade button was clicked. The router restarts automatically once the upgrade session is completed.
Administration was clicked in the DD-WRT menu and Firmware Upgrade was selected, as shown in Figure 3.5b. The tl-wr740nv4-webflash.bin file was chosen and the Upgrade button was clicked. Now the router upgrades to DD-WRT.
Once the firmware was upgraded, the router had been transformed to DD-WRT. Then, some changes needed to be made in DD-WRT. First and foremost, the wireless router needs to have internet access. The internet browser was opened to the default IP address of the router, which is http://192.168.1.1. The router's username and password were changed when Administration mode was clicked. The configuration continues by making changes in Setup mode under the Basic Setup option.
In this mode, some settings need to be changed under the DHCP settings, as shown in Figure 3.5c. First, the DHCP Server was enabled. The start IP address was set to 192.168.1.100, the same as the default for the router. The maximum number of DHCP users was set to 50, as 50 is the standard number for a home router. The time limit for each user's/client's connection is 1440 minutes, the same as 24 hours. Last but not least, DHCP-Authoritative was deselected and the Apply Settings button at the bottom was clicked.
The next setup for DD-WRT involves the basic setup mode under the Wireless option. The Wireless Network Name (SSID) was set to hotspot. A hotspot is a site that provides internet access via a wireless local area network (WLAN) through a router connected to an internet service provider; in other words, a hotspot uses WiFi technology.
Since this project uses the ChilliSpot captive portal, the Hotspot menu under the Services option needs to be configured, as shown in Figure 3.5d. First, the ChilliSpot menu needs to be enabled. In this project the network connection used is WiFi, so the "separate WiFi from the LAN bridge" option needs to be enabled.
Both the Primary and Backup Radius Server IP/DNS were set to 192.168.1.2. This means that if the server breaks down, the backup entry refers to the same primary Radius server; since it has the same IP, there is effectively no backup server when the server breaks down. Remote network is technology that allows logging into a system; therefore, the default IP address of the router, 192.168.1.1, was set as the remote network.
When users want to access the network, they enter an address in the web browser, and the browser is redirected to another URL. In this project, https://192.168.1.2/cgi-bin/hotspotlogin.cgi/ is the Redirect URL that was set in the router. The Redirect URL lets the user log in to the router and server before accessing the network. Since the project was developed over a wireless network, the DHCP interface menu was set to Wireless Local Area Network (WLAN). Last but not least, ID-Hotspot was set as the Radius NAS ID, as the router acts as the hotspot device. The router reboots after the settings are applied.
After finishing the configuration process, the full user login process was tested. Users need to enter their username and password on the login page. By entering the username and password, an Access-Request packet is sent to the FreeRADIUS server. If the user enters the correct user credentials, FreeRADIUS responds with an Access-Accept packet; otherwise, FreeRADIUS responds with an Access-Reject packet. In this way the FreeRADIUS server authenticates users before they can access the network.
3.6 Summary
CHAPTER 4
4.1 Introduction
4.1.1 FreeRADIUS is Ready to Process Requests
First, the server listens on the authentication address and port 1812 to identify the user. The server also listens on port 1813 for the accounting process. Finally, the response "Ready to process request" shows that the FreeRADIUS server is ready to accept user requests for access to the network.
4.1.2 Login Page
Figure 4.1a shows the pop-up login page when a user wants to access the WiFi in FKE. Logging in, also known as signing in, is the process by which an individual gains access to a computer system, controlled by user credentials, through identifying and accounting for users. In this project, the test user was defined as Jannah, with Jannah as both the username and password in the users file.
4.1.3
When a user logs in at the FKE WiFi Network Access Login Page by entering a username and password, they actually send an Access-Request packet to the FreeRADIUS server. The request packet is authenticated on port 1812, as it is sent to the 127.0.0.1 IP address of FreeRADIUS. FreeRADIUS responds with Access-Accept or Access-Reject based on the credentials entered by the user. The Access-Accept packet shown above indicates that FreeRADIUS has accepted the user's request, since the user entered the correct user credentials.
4.1.4
Next, the user needs to be authenticated before accessing the WiFi network. The "[pap] User authenticated successfully" message shows that the user has been authenticated successfully by the FreeRADIUS server by checking the user credentials. Therefore, the user can access the network.
4.1.5
Figure 4.1b shows the overall process of the project in a simple FKE WiFi network. When a user wants to access the FKE WiFi network, the login page pops up and the user is asked to enter their credentials (username and password). The FreeRADIUS server supervises user access to the FKE WiFi network by checking user credentials for authentication, authorization and accounting.
4.2 Discussion
In developing the FreeRADIUS server, many errors occurred. During the development process, some files needed to be configured, and after every configuration change the FreeRADIUS server had to be tested to catch any error. To make sure the entire configuration works well, FreeRADIUS was tested by typing freeradius -X. If the configuration works, it shows "Ready to process request" on the last line. But when there are problems, the response appears as follows.
Then, to overcome the error, the existing FreeRADIUS process is stopped using the startup script as follows.
#> /etc/init.d/radiusd stop
#> killall radiusd
Once FreeRADIUS is ready, the next process is easy to carry out. Meanwhile, if other errors occur, forums and discussions on the internet were consulted in order to find the correct solutions.
On the other hand, setting up the AP had some problems, because not all APs are compatible with the system. The configuration of the AP also had some errors, since the firmware installed did not support the AP itself, so the firmware needed to be installed again. Once the correct firmware was installed, some configuration needed to be done on the AP. Then the AP was reset again; a problem occurred when the AP could not be reset and restarted, because the firmware could not support the configuration change that had been made.
4.3 Summary
have been briefly explained and discussed in this chapter.
CHAPTER 5
5.1 Introduction
In this chapter, the conclusion about the FreeRADIUS server is discussed and future work is recommended in order to achieve the objectives of the project.
5.2 Conclusion
5.3 Recommendation
LDAP Data Interchange Format (LDIF) is a standard format used to add or modify a directory's data. The directory contents are delivered by LDIF as a set of records, one record for each object or entry. Figure 5.3 shows the tree structure of using LDIF.
Figure 5.3 (LDIF tree): My Domain Inc; under it Radius; under Radius the units Users, Profiles and Admins.
Based on the tree structure above, the organization called My Domain Inc is the root of the tree. It belongs to the dcObject and organization object classes. Radius is one of the organizational units, and it consists of three sub-organizational units called users, profiles and admins. In other words, an organizational unit can be illustrated as a folder, and it belongs to the organizationalUnit object class.
Users under the radius organizational unit belong to the person and radiusProfile object classes, and there can be more than one user. Meanwhile, the profiles organizational unit contains two user templates, for example students and teachers, which have different profiles and belong to the person and radiusProfile object classes; but the users themselves need to be under the users organizational unit and act as a group. Last but not least, the admins organizational unit holds the user that FreeRADIUS uses to bind to the LDAP directory. The rights of this user can be fine-tuned for maximum security, and this user does not need to belong to the radiusProfile object class.