Ray: Experimental


Synology DS207+ modding series 34 – FreeRadius Accounting for OpenVPN with MySQL and daloRadius

Prerequisite

  1. Modding series 7 – Setup OpenVPN Server
  2. Modding series 21 – Install FreeRadius Server
  3. Modding series 22 – Install FreeRadius plugin for OpenVPN

I’m using daloRadius as the accounting and reporting tool here. Its management functions are not used, except for the NAS client part.

Install daloRadius

Download daloRadius 0.9.9 package

# cd /volume1/web
# wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar xvzf daloradius-0.9-9.tar.gz
# rm daloradius-0.9-9.tar.gz
# chown -R nobody:nobody /volume1/web/daloradius-0.9-9
# chmod 644 /volume1/web/daloradius-0.9-9/library/daloradius.conf.php

Edit /volume1/web/daloradius-0.9-9/library/daloradius.conf.php, update the values as below


$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
$configValues['CONFIG_FILE_RADIUS_PROXY'] = '/opt/etc/raddb/proxy.conf';
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/opt/var/daloradius';
$configValues['CONFIG_LOG_FILE'] = '/opt/var/log/daloradius.log';

Create the data directory and log file referenced in the config


# mkdir /opt/var/daloradius
# chown nobody:nobody /opt/var/daloradius
# touch /opt/var/log/daloradius.log
# chown nobody:nobody /opt/var/log/daloradius.log

Create and import the database


# /usr/syno/mysql/bin/mysql -u root -p

> CREATE DATABASE radiusdb;
> GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpass";
> GRANT ALL ON radiusdb.* TO radius@127.0.0.1 IDENTIFIED BY "radpass";
> exit;

# cd /volume1/web/daloradius-0.9-9/contrib/db
# /usr/syno/mysql/bin/mysql -u radius -p radiusdb < fr2-mysql-daloradius-and-freeradius.sql
# password: radpass

Install PHP extension

Install php-pear and php-pear-db

# ipkg install php-pear
# pear config-set php_bin /usr/bin/php
# cd /opt/share/pear
# wget http://download.pear.php.net/package/DB-1.7.14.tgz
# mv DB-1.7.14.tgz DB.tgz
# tar xvzf DB.tgz
# chown -R nobody:nobody /opt/share/pear

Edit php configuration

# vi /usr/syno/etc/php.ini

include_path = .:/php/includes:/opt/share/pear:/opt/share/pear/DB

# vi /usr/syno/etc/php/user-setting.ini

append /opt/share/pear:/opt/share/pear/DB to open_basedir

Install php-gd

# ipkg install php-gd
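As an added example (not from the original post), these are the kind of accounting queries the daloRadius reports run against the radacct table that fr2-mysql-daloradius-and-freeradius.sql creates in radiusdb once the OpenVPN plugin sends accounting records. The CREATE TABLE is a constructed subset of that schema and the rows are constructed sample data so the queries run stand-alone; on the real database skip the CREATE/INSERT and run the SELECTs as the radius user.

```sql
-- Constructed subset of the radacct table defined in
-- fr2-mysql-daloradius-and-freeradius.sql (only the columns the queries use).
CREATE TABLE radacct (
  radacctid          BIGINT AUTO_INCREMENT PRIMARY KEY,
  acctsessionid      VARCHAR(64) NOT NULL,
  username           VARCHAR(64) NOT NULL,
  nasipaddress       VARCHAR(15) NOT NULL,
  framedipaddress    VARCHAR(15),
  acctstarttime      DATETIME,
  acctstoptime       DATETIME,
  acctsessiontime    INT UNSIGNED,
  acctinputoctets    BIGINT,
  acctoutputoctets   BIGINT,
  acctterminatecause VARCHAR(32)
);

-- Constructed sample data: three OpenVPN sessions from a NAS on the same box,
-- one still open, and two that overlap for the same user.
INSERT INTO radacct (acctsessionid, username, nasipaddress, framedipaddress,
  acctstarttime, acctstoptime, acctsessiontime, acctinputoctets, acctoutputoctets,
  acctterminatecause) VALUES
('a1', 'alice', '127.0.0.1', '10.8.0.6',  '2011-08-20 08:00:00', '2011-08-20 09:30:00', 5400, 12000000, 85000000, 'User-Request'),
('b1', 'bob',   '127.0.0.1', '10.8.0.10', '2011-08-20 10:00:00', '2011-08-20 12:00:00', 7200, 4000000, 9000000, 'User-Request'),
('b2', 'bob',   '127.0.0.1', '10.8.0.14', '2011-08-20 11:15:00', NULL, NULL, 0, 0, NULL);

-- 1. Per-user summary of completed sessions (what the daloRadius reports tabulate).
SELECT username,
       COUNT(*)                                           AS sessions,
       SUM(acctsessiontime)                               AS seconds_online,
       SUM(acctinputoctets + acctoutputoctets) / 1048576  AS mib_transferred
FROM   radacct
WHERE  acctstoptime IS NOT NULL
GROUP  BY username;

-- 2. Sessions with no Accounting-Stop yet. Rows that stay here long after the
--    client disconnected mean stop records are not reaching the server.
SELECT username, framedipaddress, acctstarttime
FROM   radacct
WHERE  acctstoptime IS NULL;

-- 3. Overlapping sessions for one username: the same VPN credential in use from
--    two addresses at once, worth alerting on when one login per user is expected.
SELECT a.username, a.acctsessionid, a.framedipaddress, b.acctsessionid, b.framedipaddress
FROM   radacct a
JOIN   radacct b ON b.username = a.username AND b.radacctid > a.radacctid
WHERE  b.acctstarttime < COALESCE(a.acctstoptime, NOW())
  AND  a.acctstarttime < COALESCE(b.acctstoptime, NOW());
```

With the sample rows, query 1 returns one completed session each for alice and bob, query 2 returns bob's open session b2, and query 3 flags b1/b2 as concurrent use of bob's credential.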

Synology DS207+ modding series 33 – Install MOTP and integrate with FreeRadius

MOTP stands for Mobile One Time Password, which provides one-time password services.

Download and install otp server

Login to DS as root

# mkdir -p /opt/usr/local/bin
# cd /opt/usr/local/bin

Download otp server script

# wget http://motp.sourceforge.net/bash/otpverify.sh

Install necessary libraries

# ipkg install findutils
# ipkg install md5deep
# ipkg install bash

Edit otpverify.sh

# vi [...]

Synology modding series 32 – Setup Wifi WPA2 Enterprise with Freeradius+Openldap/Client Certificate

Prerequisite

  1. Modding series 9 – Setup an OpenLDAP Server
  2. Modding series 21 – Install FreeRadius Server and integrate with OpenLDAP Server

Setup FreeRadius to support EAP-PEAP-TLS

  1. SSH to DS as root
  2. Edit /opt/etc/raddb/radiusd.conf and add the following line so that the sites-enabled directory is included.

    # vi /opt/etc/raddb/radiusd.conf

    # add sites-enabled to the config
    $INCLUDE ${confdir}/sites-enabled/

  3. Edit /opt/etc/raddb/radiusd.conf again, look for the authenticate section and add mschap within it.
    
    # vi /opt/etc/raddb/radiusd.conf
    
    authenticate {
     .
     .
     .
      # add mschap
      mschap
    }
    

    Then look for the modules section and add the three lines below within it.

    
    # vi /opt/etc/raddb/radiusd.conf
    
    modules {
     # add expiration, logintime and attr_filter modules
     $INCLUDE ${confdir}/modules/expiration
     $INCLUDE ${confdir}/modules/logintime
     $INCLUDE ${confdir}/modules/attr_filter
    
    }
    
  4. Edit /opt/etc/raddb/eap.conf, change default_eap_type to peap.
    
    # vi /opt/etc/raddb/eap.conf
    
    .
    .
    default_eap_type = peap
    .
    .
    
  5. Edit /opt/etc/raddb/sites-enabled/default, look for the authorize section and un-comment the ldap line.
    
    # vi /opt/etc/raddb/sites-enabled/default
    
    authorize {
    .
    .
    # un-comment the ldap 
     ldap
    .
    .
    }
    

    Then look for the authenticate section and un-comment Auth-Type LDAP as well.

    
    # vi /opt/etc/raddb/sites-enabled/default
    
    authenticate {
    .
    .
    # un-comment the ldap 
     Auth-Type LDAP{
         ldap
     }
    .
    .
    }
    
  6. Edit /opt/etc/raddb/sites-enabled/inner-tunnel, look for the authorize section and un-comment the ldap line.
    
    # vi /opt/etc/raddb/sites-enabled/inner-tunnel
    
    authorize {
    .
    .
    # un-comment the ldap 
     ldap
    .
    .
    }
    

    Then look for the authenticate section and un-comment Auth-Type LDAP as well.

    
    # vi /opt/etc/raddb/sites-enabled/inner-tunnel
    
    authenticate {
    .
    .
    # un-comment the ldap 
     Auth-Type LDAP{
         ldap
     }
    .
    .
    }
    
  7. Edit /opt/etc/raddb/clients.conf and add the Wi-Fi access point to the config file.


    # vi /opt/etc/raddb/clients.conf

    # add access point details here, 192.168.0.1 is the ip of the access point

    client 192.168.0.1 {
         secret = [shared secret password of radius server]
         shortname = [SSID of the access point]
         nastype = other
    }
    

  8. If you have the firewall enabled on your DiskStation, make sure to add a firewall rule that allows the Wi-Fi access point to reach UDP ports 1812, 1813 and 1814.

At this point the RADIUS server is already able to perform authentication for WPA/WPA2 Enterprise!

Generate client certificate

If you do not plan to use client certificates, you can skip this part.

  1. SSH to DS as root
  2. Edit /opt/etc/raddb/certs/client.cnf; refer to modding series 21 for details about this client certificate config file.

    ** IMPORTANT: the Country Name, State and Organization Name MUST match the values in the CA.

  3. Before generating the client certificate, we MUST back up the original certificates first.


    # cd /opt/etc/raddb
    # cp -r certs certs.b4genclient

  4. Generate a client certificate


    # cd /opt/etc/raddb/certs
    # make client.pem

  5. If you want to generate another client certificate for another Wi-Fi client, edit client.cnf and run make client.pem again. If make fails and says it couldn’t load a certificate, copy server.crt from the backup directory and try again.


    # cp /opt/etc/raddb/certs.b4genclient/server.crt /opt/etc/raddb/certs
    # make client.pem

Synology modding series 31 – Capturing Tomato Router Logs using syslog-ng

Since the NAS runs 24×7, it is the best device to capture my Tomato router logs.

Install and Setup Syslog-ng

Log in to the NAS as root using ssh/telnet and install syslog-ng

# ipkg install syslog-ng

The glib and eventlog packages should be installed by ipkg as well.

Back up the syslog-ng configuration

# cd /opt/etc/syslog-ng
# mv syslog-ng.conf syslog-ng.conf.bak

Create configuration [...]

Synology modding series 30 – Integrate Squid with Freeradius

In a previous article I set up Squid using a passwd file to hold the Squid passwords. Now that I have FreeRADIUS running, I want to integrate Squid with FreeRADIUS so that I don’t need to maintain the passwd file.

Luckily, the Squid compiled by Optware already includes the basic-auth-helper option at compile time; what we need [...]

Synology usage series 0 – Installing DiskStation and Bootstrapping

This article records all my steps to install the DiskStation with a new hard disk and the procedure for bootstrapping the box.

Installing Disk Station

My hard disk is WD2003FYYS-02W0B. Firmware: DSM 3.1-1613 (claimed to be the last firmware available for the 207 model).

Download Synology Assistant and the latest firmware 3.1-1613 from synology.com. Install Synology Assistant on [...]

Synology modding series 29 – Restricting WordPress accessible by home dynamic ip only

Update Aug 22 2011

The solution is redesigned so that the htaccess file is pushed from the NAS to the web hosting account. This greatly simplifies the overall process and resolves the deadlock situation.

I have a few private WordPress blogs hosted at a web hosting provider and want to protect my private blogs to be [...]

Synology usage series 28 – Mirroring wordpress from webhost to synology box – the automatic way

My previous backup strategy was simple: log in to cPanel, generate a full backup, then FTP it to the Syno box and keep it there monthly. The disadvantages are that

- a lot of local storage is wasted storing a number of full backups
- performing these tasks manually and FTPing large backup archives periodically is time consuming
- since I only back up monthly, data is subject to loss if something funny happens to my webhost account (disk crash, hacker, whatever)

Why not just mirror the live site to the Apache on the Syno box? The benefits:

- all backup tasks are automated, with no manual procedures
- backups can run as often as every 10 minutes or even less
- only changes are backed up, not a full backup every time
- incremental backup means saving tons of local storage
- the backup content can be verified with any browser because the backup site is actually running on the NAS!

Since there is no synchronization plugin available for WordPress, I’m doing this with a few scripts I wrote myself.

Understanding the sequence

  1. First, we set up a virtual domain on our NAS in order to host the mirror site.
  2. We set up a scheduled job to back up the WordPress database daily.
  3. After the database is backed up, a cron job downloads the DB backup as well as the web files to our NAS.
  4. After the download, another cron job extracts the backup file and imports the data into the local MySQL database.
  5. Finally, we patch the local data so that WordPress runs on the mirror site.

The requirement

This article relies on a lot of techniques covered in previous articles; make sure you are familiar with the setup below, otherwise refer to those articles.

  • Setup ssh public key authentication (usage series 5)
  • Setup DNS and DDNS (usage series 20)
  • Data patching
  • Setup wordpress (usage series 16)
  • Setup cronjob

Synology usage series 27 – Automatic Proxy Configuration for browser within network

I really had enough of maintaining the proxy settings for all the browsers installed on my home network’s PCs!! I never knew this could be done automatically, until recently I had time to do some searching about it, and wow, it is just perfect and simple to use the DiskStation for this task!! Now all I need is to [...]

Synology usage series 26 – Install MailStation

Tested Firmware: 3.1
Tested DS: DS207+

It is quite simple to have the DiskStation provide email accounts for your users. I don’t use the DiskStation to send email; I use Gmail SMTP instead. It is not a good idea to use the SMTP provided by the DiskStation at home because we cannot set up a reverse DNS record [...]