This will explain how to install YFi and FreeRADIUS on CentOS 6. You will notice that it's much the same as the previous tutorial as not much has changed, but there are a few minor kinks. In my example I have installed everything on a 64bit machine. I don't think there is much difference in setup on a 32bit machine.
I always start off by checking my system is up to date, so let's do that first:
yum update
yum groupinstall 'Web Server'
yum groupinstall 'MySQL Database server'
yum groupinstall 'Development Tools'
These services need to be activated as start-up services. We will use chkconfig to activate them.
chkconfig httpd on
chkconfig mysqld on
service httpd start
service mysqld start
You also should add a password to MySQL's root user.
mysqladmin -u root password "great_secret"
yum install ImageMagick php-mysql
YFi Hotspot Manager makes use of json functions available in version 5.2x of PHP.
yum install php-devel php-pear php-common
Just a side note. The previous CentOS how-to refers to installing json with "pecl install json"; I noticed this did not work on CentOS 6. I've done three CentOS 6 (2x 64bit and 1x 32bit) installs and on the one doing the above was sufficient. If that doesn't work for you, do:
yum install json.so
Make sure json.so will load:
cat /etc/php.d/json.ini
If it's empty, do the following, else skip it:
echo "extension=json.so" >> /etc/php.d/json.ini
and then restart Apache:
service httpd restart
As of this writing, YFi only supports CakePHP version 1.2.X, so don't go and install the latest version just yet ;)
Get CakePHP. Copy and extract it inside the directory that Apache is serving its content from (/var/www/html by default on CentOS):
cp cake_1.2.5.tar.gz /var/www/html
cd /var/www/html
tar -xzvf cake_1.2.5.tar.gz
ln -s ./cake_1.2.5 ./c2
Ensure the following modules are enabled in Apache (the /etc/httpd/conf/httpd.conf file)
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
You can do a quick check by doing:
egrep "mod_rewrite|mod_deflate|mod_headers" /etc/httpd/conf/httpd.conf
If one or all of them are missing (highly doubtful about it), then add them in /etc/httpd/conf/httpd.conf.
Ensure the following is specified in /etc/php.ini
allow_call_time_pass_reference = On
output_buffering = 4096
short_open_tag = On
date.timezone = Africa/Johannesburg ;; Change this to your timezone
Change Apache's configuration file to include the following at the end of the file: (/etc/httpd/conf/httpd.conf)
## -- YFi begin
<Directory /var/www/html/c2>
    AllowOverride All
</Directory>

#-------COMPRESS CONTENT-----------
# place filter 'DEFLATE' on all outgoing content
SetOutputFilter DEFLATE
# exclude uncompressible content via file type
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|jpg|png|pdf|zip|bz2|sit|rar)$ no-gzip
#dont-vary
# Keep a log of compression ratio on each request
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
CustomLog /var/log/httpd/deflate.log deflate
# Properly handle old browsers that do not support compression
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
#----------------------------------

#------ADD EXPIRY DATE-------------
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
    Header set Expires "Thu, 15 Apr 2012 20:00:00 GMT"
</FilesMatch>
#----------------------------------

#--------Remove ETags --------------------
FileETag none
#-----------------------------------------
## -- YFi end
Restart Apache
service httpd restart
Download the latest version of the YFi Cake application.
If you want to try the latest development source, follow these instructions: SVN Quick Help
mv yfi_cake/ /var/www/html/c2/
mv yfi/ /var/www/html/
chown -R apache. /var/www/html/c2/yfi_cake/tmp
chown -R apache. /var/www/html/c2/yfi_cake/webroot/img/graphics
NOTE! Somewhere along the line I noticed in my Apache error log that YFi wants /var/www/c2 to exist, even with all the ubuntu-to-centos scripts applied. I haven't spent time figuring out what it is, so I just did the following to keep it happy:
ln -s /var/www/html/c2 /var/www/c2
You need to create a database called 'yfi' and allow access to it for a username / password combination.
It is good practice to change the default username / password combination.
This can be changed inside the '/var/www/html/c2/yfi_cake/config/database.php' file.
These sample commands assume the defaults.
mysql -u root -p
create database yfi;
GRANT ALL PRIVILEGES ON yfi.* to 'yfi'@'127.0.0.1' IDENTIFIED BY 'yfi';
GRANT ALL PRIVILEGES ON yfi.* to 'yfi'@'localhost' IDENTIFIED BY 'yfi';
exit;
Dump the sample database in the newly created yfi database.
mysql -u root -p yfi < /var/www/html/c2/yfi_cake/setup/db/yfi.sql
Verify that everything works as intended by doing the following test.
Go to the following URL and be sure that a login page is displayed.
http://127.0.0.1/c2/yfi_cake/users/
Some settings may need further tweaking especially if you deviated from the standard.
They are all in one configuration file called (/var/www/html/c2/yfi_cake/config/yfi.php)
You also need to specify the SMTP server's detail.
This can be used to notify users about their usage via e-mail. YFi Hotspot Manager also features a message sending facility to inform permanent users about something.
YFi Hotspot Manager consists of two components: A CakePHP application and a Viewer.
The following will help you to install the Viewer.
Ensure you already have a working CakePHP setup. Instructions on how to complete it are on this page: Configure CakePHP
We already moved the yfi folder to the proper place in one of our previous steps, so let's test it...
Go to the following URL http://127.0.0.1/yfi (you may need to replace 127.0.0.1 with the IP address of the server you installed the YFi Hotspot Manager on)
You should get a splash page which, depending on the speed of your network connection, will change into a login page.
Log in either as the administrator or as an Access Provider or as a permanent user.
The following table displays the default username and password for each.
Role             Username     Password
Administrator    root         admin
Access Provider  ap           ap
Permanent User   dvdwalt@ri   dvdwalt@ri
Should you have difficulty with the Viewer component please use Mozilla Firefox and the Firebug plug-in to make easy troubleshooting possible.
FreeRADIUS is the world's most popular RADIUS server. It features various back-ends. Some include LDAP and SQL.
FreeRADIUS is in version 2.x as of this writing.
YFi Hotspot Manager is a front-end to the MySQL database used by FreeRADIUS.
FreeRADIUS has a feature to use custom modules. We use a custom Perl module specifically written for the YFi Hotspot Manager.
FreeRADIUS supplies Authentication, Authorization and Accounting services. The Perl module does the Authentication and Authorization.
The Accounting is done by the SQL module.
You can install freeradius2 with proper components with yum
yum install freeradius2*
If for some reason you don't want to use the yum package, proceed with compilation.
First we get some prerequisites:
yum install libtool-ltdl-devel mysql-devel perl-XML-Simple perl-XML-LibXML perl-suidperl perl-libxml-perl
yum install gdbm-devel pam-devel net-snmp-devel net-snmp-utils readline-devel libpcap-devel openldap-devel python-devel postgresql-devel unixODBC-devel perl-ExtUtils-Embed
Get the latest version of FreeRADIUS from http://freeradius.org/download.html
In my example it is version 2.1.12
Unpack the file and:
cd freeradius-server-2.1.12/
./configure | tee config_out.txt
make
make install
ldconfig
useradd -r radiusd
chown -R radiusd. /usr/local/etc/raddb/
ln -s /usr/local/etc/raddb /etc/raddb
You can test to see if FreeRADIUS works by issuing the following command:
radiusd -X
This will start FreeRADIUS in debug mode (to stop it, press Ctrl+C).
The following commands will set-up FreeRADIUS to work together with YFi Hotspot Manager.
cd /usr/local/etc/
mv raddb/ raddb.orig
cp /var/www/html/c2/yfi_cake/setup/radius/raddb.tar.gz .
tar -xzvf raddb.tar.gz
chown -R radiusd. raddb
chown radiusd.apache raddb/proxy.conf
chmod 664 raddb/proxy.conf
chmod 644 raddb/dictionary
ldconfig
Because the original YFi Hotspot Manager was designed on Ubuntu, we also need to make the following changes:
Use the paths specified in raddb.orig/radiusd.conf
cp raddb.orig/radiusd.conf raddb/
Edit the 'new' (original) raddb/radiusd.conf file by un-commenting the following line:
$INCLUDE sql.conf
Create a bash script ('/root/yfi_ubuntu_to_centos.sh') with the following content:
#!/bin/bash
#-------------------------------------------
#---- Script to change Ubuntu specifics ----
#---- to CentOS specifics ------------------
#-------------------------------------------

# Each function rewrites one path prefix in the file given as $1.
function usr_local_etc_to_etc(){
    echo "Change /usr/local/etc to /etc for" "$1"
    sed 's|/usr/local/etc|/etc|g' "$1" > "$1.tmp"; mv "$1.tmp" "$1"
}

function usr_local_share_to_usr_share(){
    echo "Change /usr/local/share to /usr/share for" "$1"
    sed 's|/usr/local/share|/usr/share|g' "$1" > "$1.tmp"; mv "$1.tmp" "$1"
}

function var_www_c2_to_var_www_html_c2(){
    echo "Change /var/www/c2 to /var/www/html/c2 for" "$1"
    sed 's|/var/www/c2|/var/www/html/c2|g' "$1" > "$1.tmp"; mv "$1.tmp" "$1"
}

function radclient_fix(){
    echo "Change /usr/local/bin/radclient to /usr/bin/radclient for" "$1"
    sed 's|/usr/local/bin/radclient|/usr/bin/radclient|g' "$1" > "$1.tmp"; mv "$1.tmp" "$1"
}

# Files that still carry the Ubuntu paths
file_list[0]="/var/www/html/c2/yfi_cake/config/yfi.php"
file_list[1]="/etc/raddb/rlm_perl_modules/conf/settings.conf"
file_list[2]="/etc/raddb/rlm_perl_modules/Attributes.pm"
file_list[3]="/etc/raddb/rlm_perl_modules/rlm_perl.pm"
file_list[4]="/etc/raddb/rlm_perl_modules/sqlcounter.conf"
file_list[5]="/etc/raddb/rlm_perl_modules/SQLCounter.pm"
file_list[6]="/etc/raddb/rlm_perl_modules/Telkom.pm"
file_list[7]="/etc/raddb/rlm_perl_modules/User.pm"
file_list[8]="/etc/raddb/rlm_perl_modules/Voucher.pm"
file_list[9]="/etc/raddb/rlm_perl_modules/Devices.pm"
file_list[10]="/etc/raddb/rlm_perl_modules/Nas.pm"
file_list[11]="/etc/raddb/dictionary"
file_list[12]="/var/www/html/c2/yfi_cake/webroot/files/radscenario.pl"

for i in "${file_list[@]}"
do
    usr_local_etc_to_etc "$i"
    usr_local_share_to_usr_share "$i"
    var_www_c2_to_var_www_html_c2 "$i"
    radclient_fix "$i"
done
Run the above script to fix all the paths in various files for CentOS. (You can run it multiple times without harm)
chmod +x /root/yfi_ubuntu_to_centos.sh
/root/yfi_ubuntu_to_centos.sh
FreeRADIUS includes various dictionaries from different vendors.
These dictionaries define attributes for the vendor's NAS devices.
Dictionaries can be included or excluded by editing the /usr/local/share/freeradius/dictionary file.
The latest version of FreeRADIUS already includes the chillispot dictionary by default.
YFi Hotspot Manager defines special Voucher attributes. To enable these, add the following to the /usr/local/share/freeradius/dictionary.chillispot file. (YFi Specific Attributes and YFi Various Counters)
ATTRIBUTE ChilliSpot-Version 8 string
ATTRIBUTE ChilliSpot-OriginalURL 9 string

#YFi Specific Attributes
ATTRIBUTE Yfi-Voucher 40 string
ATTRIBUTE Yfi-MAC-Reset 41 string
ATTRIBUTE Yfi-Data 42 string
ATTRIBUTE Yfi-Time 43 string

#YFi Various Counters
ATTRIBUTE Max-Daily-Session 50 integer
ATTRIBUTE Max-Monthly-Session 51 integer
ATTRIBUTE Max-Weekly-Session 52 integer
ATTRIBUTE Max-All-Session 53 integer
ATTRIBUTE ChilliSpot-Max-Daily-Octets 60 integer
ATTRIBUTE ChilliSpot-Max-Monthly-Octets 61 integer
ATTRIBUTE ChilliSpot-Max-Weekly-Octets 62 integer
ATTRIBUTE ChilliSpot-Max-All-Octets 63 integer

# Configuration management parameters (ChilliSpot Only)
ATTRIBUTE ChilliSpot-UAM-Allowed 100 string
If you deviated from the standard, the following files may need changes
/etc/raddb/sql.conf - This defines the database connection detail.
/etc/raddb/rlm_perl_modules/conf/settings.conf - This defines the database settings and counters used by the FreeRADIUS YFi Hotspot Manager Perl module.
Edit /etc/raddb/dictionary and replace
$INCLUDE /usr/share/freeradius/dictionary
with
$INCLUDE /usr/local/share/freeradius/dictionary
Edit /usr/local/etc/raddb/proxy.conf:
Look for:
home_server virtual.example.com {
    virtual_server = virtual.example.com
}
and hash that out completely.
As a final test issue the following command and ensure no errors are present.
radiusd -X
If there are no errors, we can make FreeRADIUS start at system startup:
echo "/usr/local/sbin/radiusd" >> /etc/rc.local
and we can start it now by typing:
radiusd
Two important lines to change in /var/www/html/c2/yfi_cake/config/yfi.php. Change this from:
$config['freeradius']['path_to_dictionary_files'] = '/usr/share/freeradius/';
$config['freeradius']['radclient'] = '/usr/bin/radclient';
to
$config['freeradius']['path_to_dictionary_files'] = '/usr/local/share/freeradius/';
$config['freeradius']['radclient'] = '/usr/local/bin/radclient';
WARNING: DO NOT SKIP THIS STEP - EVEN IF YOU DO NOT INTEND TO USE pptp!!!!
Typical usage of YFi Hotspot Manager includes NAS devices behind NAT firewalls that try to connect to the FreeRADIUS server running on the server where YFi Hotspot Manager is installed.
These NAT firewalls usually incorporate DHCP. With a changing IP, the solution we use is to connect the NAS device via a pptp tunnel to the FreeRADIUS server.
You can read up more about the technology here: VPN Discussion
Install the pptpd server. For this we go to the publisher of the pptpd program poptop, but first we need to install ppp:
yum install ppp
You can install directly from the publisher's site by issuing the following command:
For 32bit:
rpm -ivh http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.i686.rpm
For 64bit:
rpm -ivh http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.x86_64.rpm
Edit the pptpd config file ( vi /etc/pptpd.conf) and add right at the end:
localip 10.20.30.1
This will cause the server to create a virtual interface with IP 10.20.30.1.
Point-to-point virtual connections can be set up from the NAS devices, using this IP when you specify the RADIUS server's IP.
Make the file where the clients of the pptpd program are defined writable by the user running Apache.
chown root.apache /etc/ppp/chap-secrets
chmod 664 /etc/ppp/chap-secrets
Restart the pptpd program to apply the changes
chkconfig pptpd on
service pptpd restart
This is done automatically in the background when you add a new VPN connected NAS.
To get the detail which you have to supply to the pptpd client program on the NAS device, simply edit the NAS device.
It will be specified under the 'Optional Info' tab.
The pptp client detail is fetched from the /etc/ppp/chap-secrets file.
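The steps so far leave passwords in several files (chap-secrets, sql.conf, settings.conf, database.php), and mode 664 keeps the read bit set for every local user. The following check is an added example, not part of YFi; the function names are hypothetical and the file list is taken from the paths named on this page.

```shell
#!/bin/bash
# Added example, not part of the YFi distribution: flag secret-bearing files
# from this guide that any local account can read or write.

# Paths as used in this guide; override SECRET_FILES if you deviated from them.
SECRET_FILES=${SECRET_FILES:-"/etc/ppp/chap-secrets
/etc/raddb/sql.conf
/etc/raddb/rlm_perl_modules/conf/settings.conf
/var/www/html/c2/yfi_cake/config/database.php"}

# Print the access that "other" users have to one file:
# "ok", "world-readable", "world-writable", both, or "missing".
other_access() {
    local perms
    [ -e "$1" ] || { echo "missing"; return 1; }
    perms=$(ls -ld "$1" | cut -c8-10)   # the three "other" permission characters
    case $perms in
        rw?) echo "world-readable,world-writable" ;;
        r??) echo "world-readable" ;;
        ?w?) echo "world-writable" ;;
        *)   echo "ok" ;;
    esac
}

# Report every file in SECRET_FILES; return 1 if any of them is not "ok".
audit_secrets() {
    local f state rc=0
    for f in $SECRET_FILES; do          # paths contain no spaces
        state=$(other_access "$f") || true
        printf '%-50s %s\n' "$f" "$state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Run the audit only when asked to: sh audit.sh --run
[ "${1:-}" != "--run" ] || audit_secrets
```

A file reported as world-readable can be tightened with chmod o-r, which leaves the root.apache group access this guide relies on untouched.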
YFi Hotspot Manager requires a few scripts to run periodically in order to maintain a healthy and working system.
Most of the scripts are CakePHP shell scripts.
This makes it easy to interact with the MySQL database used by FreeRADIUS.
To enable/activate the CRON script, just copy the script from the "yfi_cake" directory
cp /var/www/html/c2/yfi_cake/setup/cron/yfi /etc/cron.d/
We will also have to modify the CRON script by replacing the apache user and path to suit RHEL/CentOS:
cd /etc/cron.d
sed 's|www-data|apache|g' yfi > yfi.tmp;mv yfi.tmp yfi;
sed 's|/var/www/c2|/var/www/html/c2|g' yfi > yfi.tmp;mv yfi.tmp yfi;
For those of you new to sed, the "sed" lines above do the following:
It searches for "www-data" and replaces it with the "apache" string.
It then takes the output of the operation and writes it to a file "yfi.tmp".
And finally, it renames the file "yfi.tmp" with the corrected string (apache) to "yfi".
The same goes for the second line: it replaces "/var/www/c2" with "/var/www/html/c2", outputs the file to "yfi.tmp" and lastly renames the file "yfi.tmp" to "yfi".
NOTE: As mentioned above, you must follow these steps in order to avoid problems later on with cron.
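The "sed ... > file.tmp; mv file.tmp file" pattern, used here and in yfi_ubuntu_to_centos.sh, replaces each file with a new one created by root under the current umask, so the original owner and mode are not carried over. The helper below is an added example, not YFi code; rewrite_in_place is a hypothetical name. It applies the same substitutions while keeping owner and mode, and reports whether anything changed.

```shell
#!/bin/bash
# Added example, not part of the YFi distribution.
# rewrite_in_place FILE SED_SCRIPT   (hypothetical helper name)
# Applies SED_SCRIPT to FILE while keeping the file's inode, owner and mode.
# Prints "changed", "unchanged" or "missing".
rewrite_in_place() {
    local file tmp
    file=$1
    [ -f "$file" ] || { echo "missing"; return 1; }
    tmp=$(mktemp) || return 1      # private temp file, outside the target directory
    if ! sed "$2" "$file" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if cmp -s "$file" "$tmp"; then
        echo "unchanged"           # already converted, so re-running is harmless
    else
        cat "$tmp" > "$file"       # truncate and refill: no new file, same owner/mode
        echo "changed"
    fi
    rm -f "$tmp"
}

# The four substitutions made by yfi_ubuntu_to_centos.sh, as one sed script
UBUNTU_TO_CENTOS='s|/usr/local/etc|/etc|g
s|/usr/local/share|/usr/share|g
s|/var/www/c2|/var/www/html/c2|g
s|/usr/local/bin/radclient|/usr/bin/radclient|g'

# The two substitutions made on /etc/cron.d/yfi
CRON_FIX='s|www-data|apache|g
s|/var/www/c2|/var/www/html/c2|g'

# Usage, as root:
#   rewrite_in_place /etc/cron.d/yfi "$CRON_FIX"
#   rewrite_in_place /etc/raddb/rlm_perl_modules/conf/settings.conf "$UBUNTU_TO_CENTOS"
```

The overwrite is not atomic, so run it while radiusd and cron are not reading the files.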
NOTE FOR BETA 5!: Don't forget to apply the 2 fixes mentioned here: http://sourceforge.net/apps/trac/hotcakes/wiki/Bugs
Things won't view properly if you don't fix it, but if you grabbed your copy from SVN and not the tarball, then you should be ok.
Give your server one last restart just to make sure things start up properly.
Congratulations! Your YFi Hotspot Manager setup is complete.