  1. #1 Akangage (Administrator, Jakarta, Indonesia)

    MikroTik WPA2 AES EAP-PEAP

    Hi All,

    It's been a really long time since I wrote anything on FMI because I've been busy with work hehehe. Now I want to share some knowledge... it might be useful for those who don't know this yet, and those who already do can add to it so it becomes complete.
    This topic actually came up because one of our office's customers uses this fairly decent security for Mobile Terminals, i.e. AutoID devices. The ones they brought happened to be of 2 types, 1 WindowsCE and 1 Windows Embedded Handheld; unfortunately, when we tried, only the WindowsCE one could connect to the wireless while the WEH could not. After a whole day of browsing here and there and asking the elders at spectrumindo, it finally connected successfully.

    Forgot to mention, big thanks to Herry Darmawan for the info hehehe
    Let's get straight to it, you can try this out in practice.

    What you need
    Information

    MikroTik RB with a wireless card --> I used an RB411.
    Linux OS --> I used Ubuntu Server 12.04 x64.
    Radius Server ---> I used FreeRADIUS.
    Don't forget the Ethernet cable.

    (Sample Only)
    Wireless Network
    IP Address : 192.168.22.1/29
    IP Pool : 192.168.22.2 - 192.168.22.5

    Radius Network
    FreeRADIUS IP Address : 192.168.8.1/24
    MikroTik IP Address : 192.168.8.195/24


    Here are the steps
    NOTE

    Open the MikroTik in Winbox, open a terminal and enter the security information
    >_
    /interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=passthrough group-ciphers=tkip,aes-ccm \
    group-key-update=5m interim-update=0s management-protection=allowed \
    management-protection-key="" mode=dynamic-keys name=high-sec radius-eap-accounting=yes \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX-XX-XX-XX-XX-XX radius-mac-mode=as-username-and-password static-algo-0=\
    none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1=\
    "" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=Admin123 tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""


    For the wireless interface
    >_
    /interface wireless add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=no \
    hide-ssid=no l2mtu=2290 mac-address=02:0E:8E:26:01:D5 master-interface=wlan1 \
    max-station-count=2007 mtu=1500 multicast-helper=default name=wlan3 proprietary-extensions=post-2.9.25 \
    security-profile=high-sec ssid=Enterprise update-stats-interval=disabled \
    wds-cost-range=0 wds-default-bridge=none wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled \
    wmm-support=disabled

    Since I didn't want any disruption, the wireless uses a VWLAN (virtual WLAN) because this is only for testing, and the wireless interface gets its IP directly, so no bridging, because again it's just testing. The IP address is up to you.
    >_
    /ip dhcp-server add address-pool=Enter authoritative=after-2sec-delay bootp-support=static disabled=no interface=wlan3 lease-time=8h name=Enter
    /ip dhcp-server config
    set store-leases-disk=5m
    /ip dhcp-server network
    add address=192.168.22.0/29 comment="Enterprise EAP" dhcp-option="" dns-server=192.168.22.1 gateway=192.168.22.1 ntp-server="" \
    wins-server=""

    Once the above is done, we go to the MikroTik RADIUS settings first
    >_
    /radius add accounting-backup=no accounting-port=1813 address=192.168.8.177 authentication-port=1812 called-id="" disabled=no domain="" \
    realm="" secret=Admin123 service=hotspot,wireless timeout=3s
    /radius incoming
    set accept=yes port=3799



    Next step, we head to FreeRADIUS, so get your Ubuntu ready. I won't walk you through how to install Ubuntu hehehehe

    NOTE
    >_
    sudo apt-get install mysql-client mysql-server freeradius freeradius-utils freeradius-mysql php5-common php5-gd php-pear php-db libapache2-mod-php5 php5-mysql php5-mcrypt apache2 phpmyadmin


    What I did was use a simple password, user : root password : admin123
    If during installation you're offered a user and password, anything goes; it's just that because this is testing I used those.

    Once everything is installed, log in to MySQL
    >_
    mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 51
    Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu)

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> create database radius;
    Query OK, 0 rows affected (0.00 sec)

    After the database is created successfully, it's time to import FreeRADIUS's SQL schema
    >_
    mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql

    Then import FreeRADIUS's NAS SQL
    >_
    mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

    Everything done and running smoothly with no problems, now it's time to try accessing with a user and password
    >_
    nano /etc/freeradius/users

    Add it at the very bottom, that's the most comfortable, there's plenty of empty space there
    >_
    root Cleartext-password := "admin123"

    To exit and save, "ctrl+x", after that we restart the freeradius service
    >_
    root@out-standing:/home/akangage# /etc/init.d/freeradius restart
    * Stopping FreeRADIUS daemon freeradius [ OK ]
    * Starting FreeRADIUS daemon freeradius [ OK ]

    Let's try entering the user and password we just created
    >_
    radtest root admin123 localhost 1812 testing123

    If it succeeds, Access-Accept information will appear
    >_
    Sending Access-Request of id 233 to 127.0.0.1 port 1812 User-Name = "root"
    User-Password = "admin123"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=233, length=20

    Successfully created FreeRADIUS access, now it's time to go from RADIUS to MySQL
    >_
    mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 72
    Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu)

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> use radius;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('akangage', 'Password', 'tes123');
    Query OK, 1 row affected (0.04 sec)

    mysql> exit
    Bye

    Now we edit FreeRADIUS's credentials for SQL
    >_
    /etc/freeradius/sql.conf

    database=mysql
    login=root
    password=admin123

    And also uncomment "readclient = yes"

    Let's try again to see whether we can log in
    >_
    Sending Access-Request of id 233 to 127.0.0.1 port 1812 User-Name = "akangage"
    User-Password = "tes123"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=233, length=20

    OK, it connects, so everything is smooth sailing so far

    Now we edit so that SQL works with FreeRADIUS
    >_
    nano /etc/freeradius/sites-enabled/default

    Uncomment sql; before:
    >_
    # See "Authorization Queries" in sql.conf
    # sql

    # See "Accounting queries" in sql.conf
    # sql

    # See "Simultaneous Use Checking Queries" in sql.conf
    # sql

    # See "Authentication Logging Queries" in sql.conf
    # sql

    Becomes:
    >_
    # See "Authorization Queries" in sql.conf
    sql

    # See "Accounting queries" in sql.conf
    sql

    # See "Simultaneous Use Checking Queries" in sql.conf
    sql

    # See "Authentication Logging Queries" in sql.conf
    sql

    Next we edit
    >_
    nano /etc/freeradius/radiusd.conf

    Change this, previously (if present)
    >_
    # $INCLUDE sql.conf

    To
    >_
    $INCLUDE sql.conf


    So that data can be stored via MySQL, we first edit this one
    >_
    nano /etc/freeradius/sites-enabled/inner-tunnel

    Uncomment sql; before:
    >_
    # See "Authorization Queries" in sql.conf
    # sql

    # See "Authentication Logging Queries" in sql.conf
    # sql

    Becomes:
    >_
    # See "Authorization Queries" in sql.conf
    sql

    # See "Authentication Logging Queries" in sql.conf
    sql


    Time to enter the MikroTik information, finally....
    >_
    nano /etc/freeradius/clients.conf

    Put this information at the very bottom, it's a bit roomier there
    >_
    client 192.168.8.195 {
    secret=Admin123
    shortname=routeros
    nastype=mikrotik
    }


    To make it easier, so there's no fiddling with settings on the client, e.g. a smartphone
    >_
    nano /etc/freeradius/modules/mschap


    Uncomment these and enable them all
    >_
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes


    Refresh the libraries
    >_
    ldconfig


    Let's add the MikroTik dictionary library to FreeRADIUS
    >_
    nano /etc/freeradius/dictionary

    Add this at the very bottom again
    >_
    $INCLUDE /usr/share/freeradius/dictionary.mikrotik

    After saving, let's restart
    >_
    root@out-standing:/home/akangage# /etc/init.d/freeradius restart
    * Stopping FreeRADIUS daemon freeradius [ OK ]
    * Starting FreeRADIUS daemon freeradius [ OK ]



    Now let's help ourselves with a GUI for FreeRADIUS using daloradius, pretty handy, no more opening text files
    NOTE
    First let's download daloradius, boss
    >_
    wget -O daloradius-0.9-9.tar.gz "http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdaloradius%2F&ts=1361864084&use_mirror=nchc"

    Let's extract the tar.gz
    >_
    tar xvfz daloradius-0.9-9.tar.gz

    Then we rename it to something human-readable
    >_
    mv daloradius-0.9-9 daloradius

    Then we move it to www so it can be accessed via a web browser
    >_
    mv daloradius /var/www

    Don't forget to chown it if some things get in the way.

    Now we update the FreeRADIUS database with daloradius; go to the folder where the daloradius DB is stored
    >_
    cd /var/www/daloradius/contrib/db

    Then we import it
    >_
    mysql -u root -p radius < mysql-daloradius.sql

    Don't forget to change the DB password in daloradius first so it can connect to FreeRADIUS
    >_
    nano /var/www/daloradius/library/daloradius.conf.php

    Change the DB password to:
    >_
    $configValues['CONFIG_DB_PASS'] = 'admin123';


    Ahaaa...... daloradius shows up by entering address/daloradius in the browser

    By default
    User : administrator
    Pass : radius

    Now let's test whether EAP-PEAP runs on the Windows CE Mobile Terminal. We install it first; here I'm using the WinCE edition, because there's a WinMobile one too.
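    Added example, not code from the original post: the RADIUS exchange that both radtest and the MikroTik perform against FreeRADIUS, showing what the shared secret in clients.conf and /radius add actually protects. It hides User-Password, signs the Access-Request with a Message-Authenticator (the radtest output above shows that attribute zeroed, which is the placeholder the HMAC is computed over), and lets the NAS verify the Access-Accept's Response Authenticator, so a reply from a server that does not know the secret is rejected. The secret, user and fixed Request Authenticator are constructed values; a real NAS picks the Request Authenticator at random.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def password_cipher(data, secret, request_auth, decrypt=False):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeded by the Request Authenticator. XOR is its own inverse, so one loop hides (NAS) and reveals (server)."""
    if not decrypt:
        data = data.ljust(-(-len(data) // 16) * 16, b"\0")  # pad to a 16-byte multiple
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = data[i:i + 16] if decrypt else block  # always chain on the ciphertext block
    return out.rstrip(b"\0") if decrypt else out

def build_access_request(identifier, username, password, secret, request_auth):
    """Access-Request whose Message-Authenticator (attr 80, RFC 2869) is
    HMAC-MD5 over the whole packet with that attribute zeroed, keyed with the secret."""
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, password_cipher(password, secret, request_auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)  # zeroed placeholder, kept last
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(identifier, request_auth, secret, attrs=b""):
    """Server reply; with no attributes its length is 20, as in the radtest output above."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_auth, secret) + attrs

def verify_response(packet, request_auth, secret):
    """NAS-side check: a reply forged without the secret or altered in transit fails here."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

    The same check is why the secret on the MikroTik (/radius add secret=...) and the one in the clients.conf stanza for 192.168.8.195 must match exactly: with different secrets every reply fails verification and the client sees a timeout rather than an Access-Reject.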

  2. #2 ferrycupu (Member Super Senior, Jakarta)
    Reading through and trying to understand it, bro
    Just lurking, if I may

  3. #3 muaredi (Newbie)
    I don't get it, aaargh

  4. #4 Akangage (Administrator)
    Originally Posted by muaredi
    I don't get it, aaargh
    That's why, let's learn

  5. #5 Akangage (Administrator)
    There's an update to make it easier to detect on mobile clients in general.
    Last edited by Akangage; 04-04-2014 at 10:27.
