
UNIVERSITI TEKNOLOGI MALAYSIA


DECLARATION OF THESIS / UNDERGRADUATE PROJECT PAPER AND COPYRIGHT

Author's full name : NURUL JANNAH BINTI RAMLY
Date of birth      : 31 October 1989
Title              : DEVELOPMENT OF FreeRADIUS SERVER FOR FACULTY OF ELECTRICAL ENGINEERING WiFi NETWORK
Academic Session   : 2012/2013

I declare that this thesis is classified as:

  CONFIDENTIAL   (Contains confidential information under the Official Secrets Act 1972)*
  RESTRICTED     (Contains restricted information as specified by the organization where research was done)*
  OPEN ACCESS    I agree that my thesis is to be published as online open access (full text)

I acknowledge that Universiti Teknologi Malaysia reserves the right as follows:

1. The thesis is the property of Universiti Teknologi Malaysia.
2. The Library of Universiti Teknologi Malaysia has the right to make copies for the purpose of research only.
3. The Library has the right to make copies of the thesis for academic exchange.

Certified by:

SIGNATURE                          SIGNATURE OF SUPERVISOR
891106-10-5399                     EN. ALIAS BIN MOHD
(NEW IC NO. / PASSPORT NO.)        NAME OF SUPERVISOR
Date: JUNE 2013                    Date: JUNE 2013

NOTE: * If the thesis is CONFIDENTIAL or RESTRICTED, please attach the letter from the organization stating the period and reasons for confidentiality or restriction.

I hereby declare that I have read this report and in my opinion this thesis is sufficient in terms of scope and quality for the award of the degree of Bachelor of Engineering (Electrical - Telecommunication).

Signature          : ..
Name of Supervisor : En. Alias bin Mohd
Date               :

DEVELOPMENT OF FreeRADIUS SERVER FOR FACULTY OF ELECTRICAL ENGINEERING WiFi NETWORK

NURUL JANNAH BINTI RAMLY

A thesis submitted in partial fulfillment of the requirements for the award of the
degree of Bachelor of Engineering (Electrical - Telecommunication)

Faculty of Electrical Engineering


Universiti Teknologi Malaysia

JUNE 2013


I declare that this thesis entitled "Development of FreeRADIUS Server for Faculty of Electrical Engineering WiFi Network" is the result of my own research except as cited in the references.

Signature

: ....

Name

: Nurul Jannah binti Ramly

Date

: 24th June 2013


Dedicated with deepest love to my beloved parents Hj. Ramly and Hjh. Mariah and my siblings, and not forgetting my dear friends for being there whenever I needed them.


ACKNOWLEDGEMENT

First of all, Alhamdulillah, praise be to the mighty Allah for the guidance, strength and passion given to me for my final year project. Peace and blessings be upon Prophet Muhammad S.A.W., who brought light to all mankind.

This research project would not have been possible without the support of many people. First of all, I wish to express my gratitude to my supervisor, En. Alias Mohd, who helped abundantly and offered invaluable assistance, support and guidance.

Special thanks to the lab IT technicians En. Abdul Rahman Sattar bin Salleh and Puan Sri Mahrani binti Abdul Azes for assisting me with the facilities I needed. They also advised me on the basics of setting up the Apache server and on other information I needed.

Besides that, special thanks also to my senior En. Hamdan bin Sayuti for his great help in developing the server and solving errors. Last but not least, I would like to express my sincere appreciation to my beloved parents and friends for their understanding during the time taken to accomplish this project, and for supporting me in everything I do in my life. They have given me the courage and strength to perform well in everything.

ABSTRACT

Remote Authentication Dial In User Service (RADIUS) is a distributed client/server system that secures networks against unauthorized access by providing authentication, authorization and accounting (AAA) services. Among RADIUS servers, FreeRADIUS is one of the most popular open source implementations and runs on Linux, so it can replace the commercial product currently used at Universiti Teknologi Malaysia. When a wireless user attempts to log in to an access point whose access is controlled by a FreeRADIUS server, the access point forwards the user's credentials to the FreeRADIUS server, which checks them against its user store and accepts or rejects the login.


ABSTRAK (Malay abstract, translated)

Remote Authentication Dial In User Service (RADIUS) is a distributed client/server system that secures a network against unauthorized access. It also provides authentication, authorization and accounting (AAA). Among RADIUS servers, FreeRADIUS is one of the popular open source programs implemented on Linux. Hence, open source FreeRADIUS can be used as a replacement for the commercial product currently in use at Universiti Teknologi Malaysia. When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a FreeRADIUS server, the user is authenticated by the FreeRADIUS server through communication with the user's credentials.


TABLE OF CONTENTS

CHAPTER   TITLE                                                   PAGE

          DECLARATION                                             ii
          DEDICATION                                              iii
          ACKNOWLEDGEMENT                                         iv
          ABSTRACT
          ABSTRAK                                                 vi
          TABLE OF CONTENTS                                       vii
          LIST OF TABLES                                          xi
          LIST OF FIGURES                                         xii
          LIST OF ABBREVIATIONS                                   xiii

1         INTRODUCTION
          1.1 Introduction
          1.2 Problem Statement
          1.3 Objective of Project
          1.4 Scope of Project
          1.5 Work Contribution
          1.6 Work Schedule                                       5-6
          1.7 Organization of Thesis

2         LITERATURE REVIEW
          2.1 Introduction                                        8-9
          2.2 Benefits of FreeRADIUS                              10
          2.3 Authentication, Authorization, Accounting           10-11
          2.4 Operation of FreeRADIUS                             11
          2.5 User Storage                                        12
              2.5.1 LDAP as User Storage                          12-13
              2.5.2 MySQL as User Storage                         14
          2.6 ChilliSpot Captive Portal                           14-15
          2.7 DD-WRT                                              16

3         METHODOLOGY
          3.1 Introduction                                        17-18
          3.2 Installation of FreeRADIUS                          18-20
          3.3 Setting Up Ubuntu as Apache Web Server              21-23
          3.4 Configuration of FreeRADIUS Server                  24-29
          3.5 Configuration of Access Point                       30-34
          3.6 Summary                                             35

4         RESULT AND DISCUSSION
          4.1 Introduction                                        36
              4.1.1 FreeRADIUS is Ready to Process Requests       36-37
              4.1.2 Login Page                                    37
              4.1.3 FreeRADIUS Receives the Process Request       38
              4.1.4 FreeRADIUS Authenticates the User             39
              4.1.5 Overall Process of the Project                40
          4.2 Discussion                                          41-42
          4.3 Summary                                             42

5         CONCLUSION AND RECOMMENDATION
          5.1 Introduction                                        43
          5.2 Conclusion                                          43-44
          5.3 Recommendation                                      44-45

          BIBLIOGRAPHY                                            46

LIST OF TABLES

TABLE NO.   TITLE                                   PAGE
Table 1.1   Work schedule for FYP1
Table 1.2   Work schedule for FYP2
Table 3.2   Packages available for FreeRADIUS       18

LIST OF FIGURES

FIGURE NO.    TITLE                                                   PAGE
Figure 3.1    Basic Principle of Developing FreeRADIUS Server         18
Figure 3.3a   Successful Installation of Apache                       21
Figure 3.3b   Successful Installation and Configuration of PHP        23
Figure 3.4    FreeRADIUS in Debugging Mode                            29
Figure 3.5a   TP-Link TL-WR740N Router                                30
Figure 3.5b   Screenshot for Firmware Upgrading                       31
Figure 3.5c   Screenshot for Basic Setup in Setup Mode                32
Figure 3.5d   Screenshot for Service Setting in Hotspot Mode          33
Figure 4.1a   Popup Login Page                                        37
Figure 4.1b   The Overall Process of the Project                      40
Figure 5.3    The Tree Structure by Using LDIF                        45

LIST OF ABBREVIATIONS

AAA      Authentication, Authorization, Accounting
PAP      Password Authentication Protocol
AP       Access Point
RS       RADIUS Server
RADIUS   Remote Authentication Dial In User Service
LDAP     Lightweight Directory Access Protocol
TCP      Transmission Control Protocol
PC       Personal Computer
WLAN     Wireless Local Area Network
NAS      Network Access Server

CHAPTER 1

INTRODUCTION

1.1 Introduction

Wireless networking is now in very wide use. A WLAN (Wireless Local Area Network) serves the same purpose as a wired LAN, connecting a group of computers, but without expensive cabling, so it is generally easier, faster and cheaper to set up. A wireless network carries traffic over radio waves to provide network and internet connectivity. Its basic device is the Access Point (AP), which broadcasts a wireless signal that computers detect and join.

As technology leads the world, people can get onto the network easily wherever there is WiFi coverage, which makes it convenient to use social networks from anywhere. Even while eating and chatting in KFC, Burger King, Dunkin' Donuts or elsewhere, users can get internet access by asking a member of staff for the password. In universities and workplaces, users likewise enter a username and password to reach the internet: each user is issued their own username and password by the administrator, and only a person holding valid credentials is allowed onto the network.

For a network administrator, an external RADIUS server on Linux can authenticate users against an LDAP server: the user information is stored centrally in LDAP and verified by the RADIUS server. Combining the two makes the access process better protected than a single shared password. The best-known open source implementation of RADIUS is FreeRADIUS.

1.2 Problem Statement

In an internet-connected world, information is a click away. For Faculty of Electrical Engineering (FKE) students and staff it is important to keep up with current issues from a mobile phone, personal computer (PC) or iPad, and because they look up information frequently they need fast and easy access to the WiFi network.

Currently, a user who wants internet access in FKE is asked for a password, so anyone who does not know it cannot connect; access depends on a shared password rather than on who the user is. This project therefore implements a managed way of controlling access to the FKE wireless network: a FreeRADIUS server checks each user's credentials, so that only users who have a profile in its database can join WiFi FKE. FreeRADIUS is open source and therefore free of charge, easy to work with and very cost effective.

1.3 Objectives of Project

The main objective of this project is to develop a FreeRADIUS authentication system for user access to the FKE WiFi network and to control wireless access through the Access Point in that network.

1.4 Scope of Project

The scope of the project is managing access to the wireless network in FKE. The project focuses on controlling user access to the FKE WiFi network: only FKE students and staff who present correct user credentials are allowed onto the network.

1.5 Work Contribution

Without proper planning of what has to be done as the project progresses, the development of the FreeRADIUS server would not meet its deadline. The contributions of this project are:

- development of a FreeRADIUS server;
- control of user access to the FKE WiFi network;
- authentication of each user before they are admitted to the FKE WiFi network.

1.6 Work Schedule

The work schedule for this project was designed to keep the project well organised and to follow the Final Year Project plan of the Faculty of Electrical Engineering.

Table 1.1: Work schedule for FYP 1

As Table 1.1 shows, in the second week of semester 1 there was an FYP briefing by Dr. Asrul Izam, the coordinator of the Final Year Project, followed by an FYP research methodology briefing by Assoc. Prof. Dr. Muhammad Ramlee bin Kamarudin. The following week the supervisor gave suggestions and a briefing on the project. Preparation for FYP1 took three weeks after the supervisor's briefing and concentrated on the literature review, the background of the project and its expected results. At the FYP1 presentation a panel of five evaluated the project plan, and at the end of semester 1 the project report was submitted.

Table 1.2: Work schedule for FYP 2

Table 1.2 shows the work schedule for FYP2. At the beginning of semester 2 the literature review continued in order to gather more information on the project. In the following weeks the work moved on to configuration and programming on Ubuntu. Errors occurred during this work, so week 4 concentrated on troubleshooting and system enhancement. The project presentation was held in week 15, and the two weeks before it were spent preparing the presentation. The thesis draft was submitted after the presentation.

1.7 Organization of Thesis

The thesis is divided into five chapters. Chapter 1 gives the background of the FreeRADIUS server and sets out the problem statement, objectives, scope of study and work schedule. Chapter 2 reviews the main topic of the project, the FreeRADIUS server, together with the related information needed to develop it. Chapter 3 describes the methodology by which the project was completed, while Chapter 4 presents the results of the system development and discusses the troubleshooting carried out along the way. Lastly, Chapter 5 gives the conclusion and recommendations for future work.

CHAPTER 2

LITERATURE REVIEW

2.1 Introduction

This chapter provides the essential background theory and literature review on FreeRADIUS, on Authentication, Authorization and Accounting (AAA) services, on the ChilliSpot captive portal and on DD-WRT.

Technology is now a priority in many fields, and networking is no exception. Most technology developers have rightly been nervous about the security of wireless networks in the past, and even today wireless networking suffers from the perception that it is never quite secure.

In the modern world a WiFi network can be reached from a mobile phone, laptop, personal computer (PC) or iPad wherever there is coverage. Access to a WiFi network should therefore be managed properly so that the network is secure and its authentication system manageable. The authentication system must check user credentials (a login name and a password) so that it grants access to the WiFi network only to eligible users and denies it to everyone else.

Hence, authentication of network access needs to be implemented: users must be authenticated before they obtain access to the various services and functions. A Remote Authentication Dial In User Service (RADIUS) server is software implementing a protocol that provides authentication, authorization and accounting (AAA) for computers requesting network services. RADIUS is a distributed client/server system that secures networks against unauthorized access.

AAA services organize and control access to the network so that it becomes more secure. FreeRADIUS is the world's most popular RADIUS server and is the basis of several commercial offerings. A FreeRADIUS-based authentication service is also cost-effective, since FreeRADIUS is open source, fast, feature-rich and straightforward to deploy.

A RADIUS server is not itself a database: RADIUS is a protocol that defines how a network access device and the server exchange user credentials and the resulting decision. The credentials live in a back end that the server consults, such as a flat users file, LDAP or SQL, and only a user whose credentials the FreeRADIUS server verifies is allowed onto the network.

2.2 Benefits of FreeRADIUS

FreeRADIUS is the world's most widely deployed RADIUS server. It is a high-performance, highly configurable and feature-rich server that is also used commercially. It supports the building blocks of wireless authentication, including EAP methods, and can keep user accounts in back ends such as MySQL and LDAP, among many others; as a result it serves millions of users.

The most important feature that makes FreeRADIUS the server of choice is that it is open source. This means it is free of charge, which makes it very economical and cost effective for a developer to deploy, and, because the source is open, it can be adapted, changed, extended and fixed by developers.

2.3 Authentication, Authorization and Accounting

Authentication is the process of establishing the identity of a user. It is an exchange between the client computer and the server about a digital identity. In a network the named party is authenticated first: to approve a user's identity, the system assesses the claimed identity and checks that the evidence presented corresponds to it. Usernames, passwords, the client's MAC address and similar data may be used as that evidence.

Authorization is the granting of particular privileges on the basis of the authenticated identity. It determines which group the user belongs to, and the corresponding privileges are then granted. Authorization can include constraints on time of day, on physical location and on the number of simultaneous logins by the same user.


Accounting is the tracking of the network resources a user consumes, for capacity planning, trend analysis, cost allocation and billing. The accounting process also records the authentication and authorization failures that occur when users access the network, and so provides an audit function: the correctness of what was executed can be verified from the accounting data.

2.4 Operation of FreeRADIUS

FreeRADIUS is an open source, feature-rich implementation of the RADIUS protocol. It manages user access to the network by checking the credentials presented to it. The operation of FreeRADIUS is as follows.

1. The user connects to the Network Access Server (NAS), in this project the access point. The NAS sends an Access-Request packet containing the username and password to the FreeRADIUS server (UDP port 1812). The password is not sent in the clear: it is hidden by XORing it with the MD5 hash of the shared secret and the packet's 16-byte Request Authenticator, so only a server holding the same shared secret can recover it.
2. The FreeRADIUS server checks the validity of the username and password against its user store.
3. If authentication succeeds, the RADIUS server returns an Access-Accept packet to the NAS, which then allows the user onto the network. Otherwise the RADIUS server returns an Access-Reject and the NAS refuses the user access. Each reply carries a Response Authenticator, an MD5 hash over the reply, the Request Authenticator and the shared secret, which lets the NAS verify that the reply came from its own server.
4. The date and time of the successful login are recorded: the NAS reports session start and stop to the accounting port (UDP 1813) in Accounting-Request packets, which the server acknowledges with an Accounting-Response.
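The four steps above, worked through in code. This is an added example written for this edition, not code from the thesis or from FreeRADIUS: it simulates both the NAS and the RADIUS server in one Python process, using the RFC 2865 packet format, the PAP User-Password hiding scheme and the Response Authenticator. The user table is constructed to match the test user Jannah that Chapter 3 defines in the users file, the shared secret testing123 is the clients.conf default that Chapter 3 uses, and function names such as nas_access_request and server_handle are this example's own.

```python
"""RFC 2865 Access-Request / Access-Accept / Access-Reject exchange with PAP.
Added example for this edition, not thesis or FreeRADIUS code: the NAS and the
server are both simulated in-process, nothing touches the network."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18

# Constructed user table shaped like the thesis' users-file entry (an assumption of
# this example): the Cleartext-Password check item plus the reply items for Access-Accept.
USERS = {"Jannah": {"Cleartext-Password": "Jannah",
                    "reply": {FRAMED_IP_ADDRESS: "192.168.1.65",
                              REPLY_MESSAGE: "Hello, %{User-Name}"}}}

def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = RA."""
    p = password.encode() or b"\x00"
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(p), 16):
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; with the wrong secret this yields garbage, not the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def parse_packet(raw):
    """Return (code, id, authenticator, {type: value}); refuse malformed lengths."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = raw[pos], raw[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = raw[pos + 2:pos + l]
        pos += l
    return code, ident, raw[4:20], attrs

def nas_access_request(username, password, secret, ident=1):
    """Step 1: the NAS sends an Access-Request carrying the hidden User-Password."""
    ra = os.urandom(16)  # fresh Request Authenticator per request
    body = avp(USER_NAME, username.encode()) + avp(USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def server_handle(raw, secret):
    """Steps 2 and 3: check the credentials and answer with Access-Accept or Access-Reject."""
    code, ident, ra, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    entry = USERS.get(user)
    if entry and hmac.compare_digest(password, entry["Cleartext-Password"].encode()):
        code_out, reply = ACCESS_ACCEPT, b""
        for t, v in entry["reply"].items():
            v = v.replace("%{User-Name}", user)  # Reply-Message expansion
            reply += avp(t, bytes(int(o) for o in v.split(".")) if t == FRAMED_IP_ADDRESS else v.encode())
    else:
        code_out, reply = ACCESS_REJECT, avp(REPLY_MESSAGE, b"Access denied")
    header = struct.pack("!BBH", code_out, ident, 20 + len(reply))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + reply + secret).digest() + reply

def nas_check_response(request, response, secret):
    """The NAS trusts the answer only if its ID matches the outstanding request and the
    Response Authenticator proves the sender knows the shared secret."""
    _, req_id, ra, _ = parse_packet(request)
    code, ident, resp_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + ra + response[20:] + secret).digest()
    if ident != req_id or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    framed = attrs.get(FRAMED_IP_ADDRESS)
    return code, attrs.get(REPLY_MESSAGE, b"").decode(), ".".join(map(str, framed)) if framed else None

def exchange(username, password, nas_secret, server_secret=b"testing123"):
    """One NAS <-> server round trip: returns (code, Reply-Message, Framed-IP-Address)."""
    request = nas_access_request(username, password, nas_secret)
    return nas_check_response(request, server_handle(request, server_secret), nas_secret)

if __name__ == "__main__":
    print(exchange("Jannah", "Jannah", b"testing123"))  # (2, 'Hello, Jannah', '192.168.1.65')
    print(exchange("Jannah", "wrong", b"testing123"))   # (3, 'Access denied', None)
```

A correct password yields an Access-Accept carrying Reply-Message "Hello, Jannah" and Framed-IP-Address 192.168.1.65, a wrong one an Access-Reject, and a NAS whose secret differs from the server's gets a ValueError, because the Response Authenticator no longer verifies (the server, for its part, unhides garbage and rejects). Everything in the exchange rests on MD5 keyed with the shared secret, which is why the secret must be long, random and unique per client.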


2.5 User Storage

A user store is the place where user details such as the username and password are kept, so that the FreeRADIUS server can validate the user during authentication. MySQL and LDAP are examples of user stores. Large web services such as Yahoo and Google likewise keep their users' accounts in a central store that their web applications consult.

2.5.1 LDAP as User Storage

The Lightweight Directory Access Protocol (LDAP) is an open industry standard and is widely used as the protocol for online directory information. It queries and modifies directory entries over TCP/IP and thereby determines which information is made available to a user.

The simplest use of LDAP is to store the usernames and passwords of users, so that when a user logs in the submitted username and password are checked against the directory to verify the user's identity. LDAP has gained wide recognition as the directory access method of the internet and has thus become strategic within corporate intranets. The data stored in LDAP directories can be shared by many applications.


In an LDAP user store the directory is designed for fast reading. A directory entry is a set of attribute-value pairs, somewhat like a record in a relational database. Each entry must have at least one object class associated with it; an entry can have several object classes, and object classes can be added to or removed from an entry at any time.

Each directory entry is updated separately, so related data may temporarily be out of step: because there are no transactions, an update that spans several entries can leave the directory temporarily inconsistent.

Directories are queried far more often than they are updated, so LDAP directories are optimized for querying. LDAP runs over TCP/IP and is implemented using the client-server model.


2.5.2 MySQL as User Storage

MySQL is an open source relational database, and FreeRADIUS can connect to an SQL database to retrieve a user's details. The FreeRADIUS SQL modules work in pairs: a generic SQL module (rlm_sql) uses a database-specific driver module (rlm_sql_mysql for MySQL) to talk to the database, which makes it easy to support different databases. The generic module issues the queries; the driver module carries them out against the particular database.

Since MySQL is a popular open source database, it is easy to configure and most people are familiar with it. FreeRADIUS deployments using MySQL outnumber those using any other database.

2.6 ChilliSpot Captive Portal

ChilliSpot is an open source captive portal, that is, a wireless or Local Area Network (LAN) access point controller. It is popular for public hotspots because it supports web-based login, which is also essential for authenticating users.

The authentication, authorization and accounting (AAA) behind the portal are provided by a RADIUS server.


A ChilliSpot captive portal can be run on a single router to cover a small area, or extended with external services to cover a large one. With ChilliSpot in the system, a wireless or LAN-connected computer is presented with a login page in its browser: every web request is redirected to that page until the user logs in. ChilliSpot can also limit bandwidth usage and the number of hotspot sessions within a given period.

ChilliSpot cannot work alone; it needs two additional services. One is a RADIUS server, which provides the authentication and accounting services; for more advanced services the RADIUS server and the web server are tightly integrated. The other is a ChilliSpot Service Provider (CSP), which supplies the additional services needed for ChilliSpot to work well.

Some prerequisites must be met to build a ChilliSpot captive portal. First, a DD-WRT compatible device must be flashed with a DD-WRT build that contains the ChilliSpot service; installing the right firmware turns an ordinary router into a DD-WRT device. Second, an Ethernet cable is needed between the LAN port of the laptop and a LAN port on the DD-WRT device.


2.7 DD-WRT

DD-WRT is open source alternative firmware for routers. Ordinary routers from D-Link, Linksys, TP-Link and others are tied to the vendor's own software: the features each provides are well arranged, but the user is bound by the vendor's limitations. Once a router's warranty has expired there is an incentive to push it further and shed those limitations, and DD-WRT makes that possible.

As technology develops, people are prompted to keep up with the latest information over a wireless connection rather than a wired LAN. Wireless can be deployed anywhere, and routers are the crucial devices that make it happen. DD-WRT gives a router real advantages, extending its range, adding features and more.

The features provided by DD-WRT include access restrictions, bandwidth monitoring, a hotspot system, HTTP redirection and a security log, all of which help in building a better system.

CHAPTER 3

METHODOLOGY

3.1 Introduction

This chapter describes how the FreeRADIUS server for the FKE WiFi network was developed. Figure 3.1 shows the process involved. It starts with the installation of FreeRADIUS on an Ubuntu server that also runs a web server. Next, the FreeRADIUS server and the access point were configured and linked to each other. At the end of the process the FreeRADIUS server checks user credentials for authentication, authorization and accounting whenever a user wants to access the WiFi network.


Figure 3.1 (flowchart): Start -> Install FreeRADIUS in Ubuntu -> Set Ubuntu as Apache web server -> Configuration of access point -> Configuration of FreeRADIUS server -> Link AP to RS -> User credentials -> End

Figure 3.1: Basic Principle of Developing FreeRADIUS Server

3.2 Installation of FreeRADIUS

Following Figure 3.1, Ubuntu was first installed on a personal computer (PC), and the FreeRADIUS server was then installed on Ubuntu. Using the distribution's pre-built FreeRADIUS package brings several advantages.


The advantages of installing FreeRADIUS from the distribution package are as follows:

- Dependencies are resolved automatically. This includes future security updates, keeping track of the optional packages that had to be installed alongside ours, and ensuring that the correct version of each dependency is installed.
- The Linux distributor's QA testing ensures properly working software.
- Updates are taken care of by the Linux distributor.
- Distribution-specific tweaks are already implemented.

Every step in this chapter is carried out as root. Each time a shell is switched to the root user, sudo asks for the current user's password (on Ubuntu the root account itself has no password), and only the correct password opens a root shell. The bash command is:

sudo su

Alternatively, each command can be prefixed with sudo, as the commands below are, which avoids leaving a root shell open.

To develop the FreeRADIUS server, the most important step is to install the FreeRADIUS package. FreeRADIUS was chosen for its rich features and ease of deployment. The following bash command was typed:

sudo apt-get install freeradius


The FreeRADIUS package installs its configuration under the /etc directory; the configuration files can therefore be found as /etc/freeradius/(configuration file).

Table 3.2 below lists the packages that FreeRADIUS provides, with a short description of each, since it is a feature-rich piece of software.

Package name             Short description
freeradius               FreeRADIUS server package
freeradius-dbg           Contains detached debugging symbols for FreeRADIUS packages
libfreeradius2           FreeRADIUS shared library
freeradius-ldap          LDAP module for FreeRADIUS server
freeradius-common        FreeRADIUS common files, includes dictionaries and man pages
freeradius-iodbc         iODBC module for FreeRADIUS server
freeradius-krb5          Kerberos module for FreeRADIUS server
freeradius-utils         FreeRADIUS client utilities, including programs like radclient, radtest, smbencrypt, radsniff and radzap
freeradius-postgresql    PostgreSQL module for FreeRADIUS server
freeradius-mysql         MySQL module for FreeRADIUS server
freeradius-dialupadmin   Web management add-on
freeradius-dev           FreeRADIUS shared library development files

Table 3.2: Packages available for FreeRADIUS


3.3 Setting up Ubuntu as Apache Web Server

The Apache web server runs on many operating systems, such as Linux, NetWare, Unix and Solaris. Also known as the Apache HTTP Server, it serves websites according to the established standards of online distribution. Apache is well maintained and frequently updated with useful new features and operations that meet current quality and security requirements for HTTP delivery.

To build an Apache web server, the essential step is to install Apache with the following bash command:

sudo apt-get install apache2

To check that Apache installed correctly, open the address http://localhost/ in a web browser.

Figure 3.3a: Successful Installation of Apache


After a successful installation, Apache's default page shows "It works!" (Figure 3.3a). PHP was then installed with the following bash command:

sudo apt-get install php5 libapache2-mod-php5

PHP needs to work with Apache; to make Apache load the PHP module, it was restarted with the following bash command:

sudo /etc/init.d/apache2 restart

To test PHP, a file testphp.php was created in Apache's document root with the following content:

<?php phpinfo(); ?>

To confirm that PHP works, the address http://localhost/testphp.php was opened in the web browser. Figure 3.3b shows the successful installation and configuration of PHP. Because phpinfo() reveals the server's PHP configuration, paths and environment to anyone who can reach the page, this test file should be deleted once the check is done.


Figure 3.3b: Successful Installation and Configuration of PHP

PHP can be used on all major operating systems, including Linux, and is supported by most web servers, including Apache, IIS and any web server that can use the FastCGI PHP binary, such as lighttpd and nginx. PHP works either as a server module or as a CGI processor, so a developer is free to choose the operating system and the web server.


3.4 Configuration of FreeRADIUS Server

Once FreeRADIUS had been installed by the steps above, its configuration files were tested. This matters because FreeRADIUS must work properly, so it was run in debugging mode, which prints every configuration item it reads and every request it handles to the terminal. The running service must be stopped first, because the debug instance needs the same ports. The following bash commands were typed:

sudo /etc/init.d/freeradius stop

sudo freeradius -X

To edit the radiusd.conf configuration file, the following command was typed at the terminal prompt:

sudo gedit /etc/freeradius/radiusd.conf


Some changes were then made to the following part of radiusd.conf, with all other lines left unchanged:

# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
stripped_names = yes

# Log authentication requests to the log file.
#
# allowed values: {no, yes}
auth = yes

# Log passwords with the authentication requests.
# auth_badpass  - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
log_auth_badpass = yes
log_auth_goodpass = yes

The log section of radiusd.conf holds the primary logging configuration of the FreeRADIUS server. Messages tied to a request are logged once the server has accepted the request as coming from a valid client; messages not associated with a request still go to radius.log. In FreeRADIUS 2 these options live inside the log { } section as stripped_names, auth, auth_badpass and auth_goodpass; the log_ prefixed names above are the FreeRADIUS 1 spellings of the same settings. Here stripped_names was set to yes so that the full User-Name is logged, auth was set to yes so that every authentication request is logged, and auth_badpass and auth_goodpass were set to yes so that the submitted password is logged with each rejected and accepted request, which makes it easy to see why a login failed while the server is being tested. These settings do not change whether a login succeeds; they only change what is written to the log. Logging correct passwords writes every user's cleartext password into radius.log, so auth_goodpass (and normally auth_badpass as well) must be set back to no before the server handles real users.
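What those options put into radius.log, and why it matters, as an added example for this edition (not thesis or FreeRADIUS code). The Python below parses Auth lines in the format FreeRADIUS 2 writes them, redacts the password that auth_badpass and auth_goodpass expose, and counts rejected logins per user as a simple brute-force signal. The log lines are constructed for the example in the shape of FreeRADIUS 2.x output; they are not output from the thesis' server, and the function names are this example's own.

```python
"""Parse FreeRADIUS 2.x Auth log lines, redact logged passwords, count failures.
Added example for this edition, not thesis or FreeRADIUS code."""
import re
from collections import Counter

#  Constructed sample in the shape of FreeRADIUS 2.x radius.log lines (with
#  auth = yes and auth_badpass/auth_goodpass = yes, the password follows the '/').
SAMPLE_LOG = """\
Tue Jun 18 10:02:11 2013 : Auth: Login OK: [Jannah/Jannah] (from client localhost port 0)
Tue Jun 18 10:05:40 2013 : Auth: Login incorrect: [Jannah/jannah1] (from client localhost port 0)
Tue Jun 18 10:05:52 2013 : Auth: Login incorrect: [Jannah/jannah2] (from client localhost port 0)
Tue Jun 18 10:06:03 2013 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [Jannah/jannah3] (from client localhost port 0)
Tue Jun 18 10:07:15 2013 : Auth: Login incorrect: [guest] (from client localhost port 0)
Tue Jun 18 10:09:30 2013 : Info: Ready to process requests.
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^/\]]*)(?:/(?P<password>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return a dict for an Auth line, or None for any other log line."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["password_logged"] = d["password"] is not None  # only when auth_*pass = yes
    return d


def redact_line(line):
    """Mask the password half of [user/password] before the line leaves the box."""
    return re.sub(r"\[([^/\]]*)/[^\]]*\]", r"[\1/***]", line)


def failed_logins_per_user(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_auth_line(line)
        if d and d["result"] == "incorrect":
            counts[d["user"]] += 1
    return counts


def suspicious_users(log_text, threshold=3):
    """Users with at least `threshold` rejected logins: a crude brute-force signal."""
    return sorted(u for u, n in failed_logins_per_user(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
    print(suspicious_users(SAMPLE_LOG))  # ['Jannah']
```

The first sample line shows the cost of auth_goodpass = yes: the correct password sits in the log next to the username, so anyone who can read radius.log (or the syslog it is shipped to) has the credential. The rejected-login count is what the log is actually useful for; three wrong guesses against one account in a minute is the kind of pattern worth alerting on.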


Still in radiusd.conf, look next for the listen sections. The authentication port is where a user's identity is verified and additional information is attached to the user's login session; the accounting port receives the session statistics used for billing, system diagnosis and usage planning, which are recorded in log files.

# Port on which to listen.
# Allowed values are:
#   integer port number (1812)
#   0 means use /etc/services for the proper port
port = 1812

# This second listen section is for listening on the accounting
# port, too.
#
listen {
	ipaddr = *
#	ipv6addr = ::
	port = 1813
	type = acct
#	interface = eth0
#	clients = per_socket_clients
}

Each listen section names the kind of packet to listen for; the values used here are auth and acct, for authentication and accounting respectively. The first listen section (type = auth) therefore listens on port 1812, the authentication port. Authorization is handled on the same port, because the authorization decision travels back to the NAS inside the Access-Accept reply.


Next, the second listen section binds port 1813, which belongs to the accounting process. Setting ipaddr to * means that the server accepts requests on any of its IP addresses, whether a LAN address such as 192.168.1.1 or the localhost address 127.0.0.1, because no specific address is stated. The interface setting was left commented out as eth0 because it is not strictly necessary: one interface can carry many IP addresses, and the server will listen on all addresses of eth0 in any case.

The installation of FreeRADIUS contains a default client called localhost. Confirm that the following entry exists in the clients.conf file.

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nastype = other
}

The clients.conf file is used to define the clients that are allowed to talk to the FreeRADIUS server. When the user/client wants to access the internet, the request is sent to the FreeRADIUS server using the IP address 127.0.0.1. Meanwhile, testing123 is the password, or shared secret, used by FreeRADIUS and this client. The setting require_message_authenticator = no means that the server needs only the username and password to authenticate; nothing else is taken into consideration.


The nastype (network access server type) tells checkrad.pl which specific method to use when querying the NAS for simultaneous-use checking. The NAS types provided by FreeRADIUS are cisco, computone, livingston, max40xx, multitech, netserver, pathras, patton, portslave, tc and usrhiper. In this project the nastype was set to other, meaning a NAS type not among those listed; this value suits all other kinds of NAS.

For this project, Jannah was defined as a test user, and the following lines were added at the top of the users file. The second and third lines are indented by a single tab character.

Jannah	Cleartext-Password := "Jannah"
	Framed-IP-Address = 192.168.1.65,
	Reply-Message = "Hello, %{User-Name}"

The contents of the users file are used for both authorization and authentication. Jannah was defined as a user. When she wants to access the internet, she sends an Access-Request packet, and her session is associated with the IP address 192.168.1.65 given by Framed-IP-Address. The FreeRADIUS server then either accepts or rejects the request, and on acceptance it responds with the reply message Hello, Jannah, because %{User-Name} is expanded to the user name. Once the steps above were done, the basic FreeRADIUS setup was complete. Next, the authentication process involves the supply of a username and password.
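The exchange just described, worked through as an added example that is not part of the thesis: the NAS hides the PAP User-Password with the shared secret from clients.conf (RFC 2865, section 5.2), the server reveals it and checks it against the Cleartext-Password entry for Jannah, and the Access-Accept carries Framed-IP-Address and the expanded Reply-Message, sealed with a Response Authenticator the NAS verifies. The secret testing123 and the user entry are taken from the configuration above; all function names are this example's own.

```python
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18

# Values taken from the thesis configuration (clients.conf and the users file).
SHARED_SECRET = b"testing123"
USERS = {
    "Jannah": {
        "Cleartext-Password": "Jannah",
        "Framed-IP-Address": "192.168.1.65",
        "Reply-Message": "Hello, %{User-Name}",
    }
}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, secret, ident=94, authenticator=None):
    """NAS side: Access-Request carrying the PAP-hidden User-Password."""
    ra = authenticator or os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def handle_access_request(packet, secret, users=USERS):
    """Server side: check against Cleartext-Password, reply Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    hidden = attrs.get(USER_PASSWORD)
    entry = users.get(username)
    if entry and hidden and reveal_password(hidden, secret, ra) == entry["Cleartext-Password"].encode():
        code, reply = ACCESS_ACCEPT, [
            (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(entry["Framed-IP-Address"]).packed),
            (REPLY_MESSAGE, entry["Reply-Message"].replace("%{User-Name}", username).encode()),
        ]
    else:
        code, reply = ACCESS_REJECT, []
    body = encode_attrs(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def verify_reply(reply, secret, request_authenticator):
    """NAS side: accept the reply only if its Response Authenticator checks out."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        raise ValueError("bad Response Authenticator; reply discarded")
    return reply[0], dict(decode_attrs(reply[20:]))


def login(username, password, nas_secret=SHARED_SECRET):
    """One full exchange; returns the reply code and attributes as seen by the NAS."""
    request, ra = build_access_request(username, password, nas_secret)
    reply = handle_access_request(request, SHARED_SECRET)
    return verify_reply(reply, nas_secret, ra)


if __name__ == "__main__":
    code, attrs = login("Jannah", "Jannah")
    print("Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject",
          attrs.get(REPLY_MESSAGE, b"").decode())
```

A client configured with a different secret never gets in: the server reveals the wrong bytes and answers Access-Reject, and the client in turn cannot verify the Response Authenticator, which is why the secret in clients.conf must match the one on the NAS and why the default testing123 should be replaced before the server faces a real network.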


If all configuration files of FreeRADIUS are working properly, the output in debugging mode is as shown in Figure 3.4.

Figure 3.4: FreeRADIUS in Debugging Mode

The output in debugging mode shows that FreeRADIUS is ready to process requests, since it is already listening on the authentication, authorization and accounting addresses and ports.


3.5 Configuration of Access Point

In this project, the access point used is a TP-Link TL-WR740N router. It is a combined wired/wireless network device that integrates an internet-sharing router with a 4-port switch. Figure 3.5a below shows the TP-Link TL-WR740N router.

Figure 3.5a: TP-Link TL-WR740N Router

Not every router can be used to build this system, since the firmware does not support every router model. The router therefore has to be converted to DD-WRT by installing the correct firmware on it. With DD-WRT in place, the developer can use the ChilliSpot captive portal to authenticate users: a user must enter a username and password in the ChilliSpot captive portal before getting access to the internet.


Hence, the TP-Link TL-WR740N router had to be configured to convert it to DD-WRT. First, the correct firmware was downloaded; downloading the wrong firmware would brick the router. For this router, both the factory-to-ddwrt.bin and tl-wr740nv4-webflash.bin files were downloaded. The factory-to-ddwrt.bin image was flashed first, followed by tl-wr740nv4-webflash.bin.

The default LAN IP address of this router is 192.168.1.1, and this address was entered in the browser to log in to the router. System Tools was selected, then Firmware Upgrade was clicked. The factory-to-ddwrt.bin file was chosen and the Upgrade button was clicked. The router restarts automatically once the upgrade completes.

Administration was clicked in the DD-WRT menu and Firmware Upgrade was selected, as shown in Figure 3.5b. The tl-wr740nv4-webflash.bin file was chosen and the Upgrade button was clicked. The router was then upgraded to the full DD-WRT firmware.

Figure 3.5b: Screenshot for Firmware Upgrading


Once the firmware was upgraded, the router had been converted to DD-WRT, and some changes then had to be made in DD-WRT. First and foremost, the wireless router needs internet access. The web browser was opened to the default IP address of the router, http://192.168.1.1. The router's username and password were changed under the Administration tab. The configuration continued with changes under the Basic Setup option of the Setup tab.

Figure 3.5c: Screenshot for Basic Setup in Setup Mode

In this mode, some settings need to be changed under the DHCP settings, as shown in Figure 3.5c. First, the DHCP server was enabled. The start IP address was set to 192.168.1.100, in the same subnet as the default IP address of the router. The maximum number of DHCP users was set to 50, a standard number for a home router. The client lease time was set to 1440 minutes, which is the same as 24 hours. Last but not least, DHCP-Authoritative was deselected and the Apply Settings button at the bottom was clicked.


The next DD-WRT setup involves the basic settings under the Wireless tab. The Wireless Network Name (SSID) was set to hotspot. A hotspot is a site that provides internet access over a wireless local area network (WLAN) through a router connected to an internet service provider; in other words, a hotspot uses WiFi technology.

Since this project uses the ChilliSpot captive portal, the Hotspot menu under the Services tab has to be configured, as shown in Figure 3.5d. First, ChilliSpot was enabled. Because the network connection in this project is WiFi, the option to separate WiFi from the LAN bridge was also enabled.

Figure 3.5d: Screenshot for Service setting in Hotspot mode


Both the primary and backup RADIUS server IP/DNS were set to 192.168.1.2. The intention is that if the server breaks down, the backup server entry is used; since both entries have the same IP address, however, there is effectively no backup server when the server breaks down. The Remote Network field identifies the network from which users log in to the system; therefore, the default IP address of the router, 192.168.1.1, was entered as the remote network.

When users want to access the network, they enter an address in the web browser, and the browser is redirected to the login URL. In this project, https://192.168.1.2/cgi-bin/hotspotlogin.cgi/ is the Redirect URL set in the router; it lets the user log in to the router and the server before accessing the network. Since the project was developed over a wireless network, the DHCP Interface was set to Wireless Local Area Network (WLAN). Last but not least, ID-Hotspot was set as the RADIUS NAS ID, since the router acts as the hotspot device. The router reboots after the settings are applied.

After the configuration was finished, the full user login process was tested. Users enter their username and password on the login page; this sends an Access-Request packet to the FreeRADIUS server. If the credentials are correct, FreeRADIUS responds with an Access-Accept packet; otherwise it responds with an Access-Reject packet. Only after this authentication by the FreeRADIUS server can users access the network.


3.6 Summary

In conclusion, the FreeRADIUS server was developed successfully in four steps, which are described in Section 3.2 to Section 3.5. FreeRADIUS was installed on a web-based Ubuntu server to build the server itself. Ubuntu was set up as an Apache web server to serve the web pages requested by users, who typically request and view web pages with browsers such as Firefox, Opera or Mozilla. Then, both the FreeRADIUS server and the access point were configured to provide the local authentication service. At the end of the process, the FreeRADIUS server checks user credentials for authentication, authorization and accounting whenever users wish to access the WiFi network.

CHAPTER 4

RESULT AND DISCUSSION

4.1 Introduction

This chapter describes the results of the development of the FreeRADIUS server. The results cover the request processing of the FreeRADIUS server; besides that, the login page, the Access-Accept process and user authentication are also discussed in this chapter.

4.1.1 FreeRADIUS is Ready to Process Requests

In this project, the FreeRADIUS server was developed successfully. Once FreeRADIUS starts correctly, "Ready to process requests" appears as the last line on the screen.

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.


First, the server listens on the authentication address and port 1812, where users are identified. The server also listens on port 1813 for the accounting process. Finally, the response "Ready to process requests" shows that the FreeRADIUS server is ready to accept user requests for access to the network.

4.1.2 Login Page

Figure 4.1a below shows the pop-up login page presented when a user wants to access the WiFi in FKE. Logging in, also known as signing in, is the process by which an individual gains access to a computer system controlled by user credentials, identifying and accounting for the user. In this project, the test user was defined in the users file with Jannah as both username and password.

Figure 4.1a: Popup Login Page


4.1.3 FreeRADIUS Receives the Process Request

The following output shows the exchange with the FreeRADIUS server.

Sending Access-Request of id 94 to 127.0.0.1 port 1812
    User-Name = Jannah
    User-Password = Jannah
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 100
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=94, length=40
    Framed-IP-Address = 172.16.3.33
    Reply-Message = Hello, Jannah

When the user logs in on the FKE WiFi Network Access Login Page by entering a username and password, an Access-Request packet is actually sent to the FreeRADIUS server. The request is authenticated on port 1812, as it was sent to the FreeRADIUS address 127.0.0.1. FreeRADIUS responds with Access-Accept or Access-Reject based on the credentials entered by the user. The Access-Accept packet in the output above shows that FreeRADIUS accepted the user's request because the correct credentials were entered.


4.1.4 FreeRADIUS Authenticates the User

Next, the user has to be authenticated before accessing the WiFi network.

# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {}
[pap] login attempt with password Jannah
[pap] Using clear text password Jannah
[pap] User authenticated successfully
++[pap] returns ok

The line "[pap] User authenticated successfully" shows that the user was authenticated by the FreeRADIUS server after it checked the supplied credentials; therefore the user can access the network.


4.1.5 Overall Process of the Project

Figure 4.1b: The Overall Process of The Project

Figure 4.1b shows the overall process of the project in a simple FKE WiFi network. When a user wants to access the FKE WiFi network, the login page pops up and the user is asked to enter credentials (username and password). The FreeRADIUS server then supervises the user's access to the FKE WiFi network by checking these credentials for authentication, authorization and accounting.


4.2 Discussion

Many errors occurred while developing the FreeRADIUS server. During development, several files had to be configured, and after every configuration change the FreeRADIUS server had to be tested to catch any error. To make sure the entire configuration worked, FreeRADIUS was tested by running freeradius -X. If the configuration is correct, "Ready to process requests" is shown as the last line; when there is a problem, a response such as the following appears instead.

Failed binding to authentication address * port 1812: Address already in use.

To overcome this error, the FreeRADIUS instance that was already running was stopped using the startup script, as follows.

#> /etc/init.d/radiusd stop
#> killall radiusd

Once FreeRADIUS is ready, the next steps can be carried out easily. When other errors occurred, forums and discussions on the internet were consulted to find the correct solutions.
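The "Address already in use" error above comes from the bind() call FreeRADIUS makes on UDP ports 1812 and 1813 at start-up, which fails with EADDRINUSE when another radiusd already holds them. As an added example that is not part of the thesis, the Python below repeats that same bind attempt so the conflict can be spotted before the server is started; the helper names are this example's own and it only probes, it does not stop anything.

```python
import errno
import socket

# Ports FreeRADIUS binds at start-up in the configuration above (auth and acct).
RADIUS_PORTS = {"auth": 1812, "acct": 1813}


def port_in_use(port, host="0.0.0.0"):
    """Return True when a UDP socket cannot bind host:port because it is taken.

    Any failure other than EADDRINUSE (for example a permission problem) is
    re-raised so that it is not mistaken for a running server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def check_radius_ports(ports=RADIUS_PORTS, host="0.0.0.0"):
    """Map each listener name to whether its port is already occupied."""
    return {name: port_in_use(port, host) for name, port in ports.items()}


def hold_port(host="127.0.0.1"):
    """Bind an ephemeral UDP port and return (socket, port); stands in for a
    running radiusd when demonstrating the conflict."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((host, 0))
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    for name, busy in check_radius_ports().items():
        print(f"{name}: {'Address already in use' if busy else 'free'}")
```

If a port reports busy but no radiusd is running, some other service owns it and the listen section of radiusd.conf, rather than the startup script, is where to look.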


On the other hand, setting up the AP caused some problems because not all APs are compatible with the system. Configuring the AP also produced errors when the installed firmware did not support the AP, so the firmware had to be installed again. Once the correct firmware was installed, some configuration had to be done on the AP. The AP was then reset again; a problem occurred when the AP could not be reset and restarted because the firmware could not support the configuration change that had been made.

4.3 Summary

In conclusion, the development of FreeRADIUS for the FKE WiFi network was completed by the above method. After every configuration file is edited, the FreeRADIUS server should be tested to see whether it is ready to process requests. If it is, the next step can proceed; otherwise the file has to be configured again because of the error, and the server tested once more. The cause of that error and the way to overcome it have been briefly explained and discussed in this chapter.

CHAPTER 5

CONCLUSION AND RECOMMENDATION

5.1 Introduction

This chapter presents the conclusion on the FreeRADIUS server and recommends future work to further achieve the objectives of the project.

5.2 Conclusion

FreeRADIUS is used commercially as a product that provides authentication, authorization and accounting (AAA) services by requesting the username and password of users. In this project it was implemented with user credentials in order to verify the identity of users.


In conclusion, the FreeRADIUS system was successfully completed on the network of the Faculty of Electrical Engineering to manage user access to the FKE WiFi network. Access through the APs can be managed with individual user accounts, without the need to configure a login and password on each and every AP in the FKE WiFi network.

5.3 Recommendation

Several recommendations can be made to improve the development of FreeRADIUS for the FKE WiFi network. First and foremost, the user database should be moved to an LDAP directory to speed up the retrieval process.

LDAP is an open industry standard. LDAP directories are limited but specialized databases, designed for storing relatively simple information such as white pages for organizations and enterprises. Compared to relational databases, LDAP directories are flexible, easier to scale, and simpler and cheaper to maintain. Last but not least, they also support distributed data management.

LDAP Data Interchange Format (LDIF) is a standard format used to add or modify the directory's data. Directory contents are delivered by LDIF as a set of records, one record for each object or entry. Figure 5.3 shows the tree structure expressed in LDIF.


Figure 5.3: Tree Structure by using LDIF (My Domain Inc at the root, with a Radius unit containing the Users, Profiles and Admins units)

In the tree structure above, the organization called My Domain Inc is the root of the tree; it belongs to the dcObject and organization object classes. Radius is an organizational unit consisting of three sub-organizational units called users, profiles and admins. In other words, an organizational unit can be pictured as a folder, and it belongs to the organizationalUnit object class.

Users under the radius organizational unit belong to the person and radiusProfile object classes, and there can be more than one user. The profiles organizational unit contains two user templates, for example students and teachers, which have different profiles and also belong to the person and radiusProfile object classes; the users themselves stay under the users organizational unit and act as a group. Last but not least, FreeRADIUS uses a dedicated user under the admins organizational unit to bind to the LDAP directory. The rights of this user can be fine-tuned for maximum security, and this user does not need to belong to the radiusProfile object class.
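The tree of Figure 5.3 written out as LDIF, as an added example that is not part of the thesis. The suffix dc=mydomain,dc=com, the bind account name freeradius, the uidObject auxiliary class (which permits the uid attribute the FreeRADIUS LDAP module searches on) and the sn values are assumptions; radiusFramedIPAddress and radiusReplyMessage are the attribute names of the radiusProfile class in the FreeRADIUS OpenLDAP schema, carrying the same values the flat users file gives Jannah. The password hashes are placeholders to be generated with slappasswd.

```ldif
# Root of the tree: the organization (dcObject + organization classes).
# Suffix dc=mydomain,dc=com is assumed for "My Domain Inc".
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
dc: mydomain
o: My Domain Inc

# The Radius organizational unit and its three sub-units.
dn: ou=radius,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: radius

dn: ou=users,ou=radius,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=profiles,ou=radius,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: profiles

dn: ou=admins,ou=radius,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: admins

# The test user from the thesis: person + radiusProfile as the text says,
# plus uidObject (assumed) so that uid=%{User-Name} lookups work.
# userPassword holds a hash, not the cleartext value of the flat users file.
dn: uid=Jannah,ou=users,ou=radius,dc=mydomain,dc=com
objectClass: person
objectClass: uidObject
objectClass: radiusProfile
cn: Jannah
sn: Jannah
uid: Jannah
userPassword: {SSHA}PLACEHOLDER-generate-with-slappasswd
radiusFramedIPAddress: 192.168.1.65
radiusReplyMessage: Hello, %{User-Name}

# Bind account used by FreeRADIUS to search the directory (name assumed).
# It needs read rights on ou=users only and is not a radiusProfile.
dn: cn=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com
objectClass: person
cn: freeradius
sn: service account
userPassword: {SSHA}PLACEHOLDER-generate-with-slappasswd
```

Loading this file with ldapadd creates the entries in order, parents first, which is why the organization and organizational units precede the user and bind account records.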

