Note: This howto has been tested and works for Ubuntu 8.04 Hardy Heron server editions for other vesions of ubuntu see WifiDocs/ChillispotHotspot

Chillispot is software which provides authentication and restricted network access to clients. Its primary use is in wireless (WiFi) networks.

For instance, suppose you are managing a wireless network in a hotel: the access points are connected via the wired LAN to a server which works as a gateway, firewall, DNS server, etc. Now you want the same server (either because it’s desirable or because it’s required by your nation’s law) to require authentication from all clients, possibly without messing around with the configuration of the access points. And maybe you even want users to be able to browse some sites (i.e. an internal web server or the hotel web site) without the need to authenticate themselves. Chillispot lets you manage all of this, and some more.

Please take a look at the Chillispot.info web site to see how the software works. In a few words, hillispot creates a virtual private network (192.168.182.0/24, but you can change this default setting) which it uses to dialogate with the clients and to decide who and how to let to see the outside network. Chillispot manages the allocation of dynamic IP addresses to clients, so you don’t need other DHCP tools.

Requirements

The following software is required for this installation:

• Chillispot
• FreeRadius
• Apache
• MySQL

Apache 1.x and MySql 4.0.x or even 3.23.x would probably do, but the above specified versions are the latest stable ones available so you’re encouraged to stick to them.

This tutorial will show how to run all this software on a single machine. However, you could install Apache and MySQL on a separate one, or even have 4 different machines: you’ll just need to adjust the configuration parameters of each piece of software.

Also, you’ll need your kernel configured for generic tunneling support. A 2.6.x kernel version is recommended.

Caveats

This HOWTO presumes you have an x86 machine. This is not going to work on AMD64, because both Chillispot and FreeRadius have bugs which prevent them to work as they should. I don’t know the status of these softwares on other platforms.

The proccess

Chillispot takes control of the internal interface (eth1) using a vtun kernel module to bring up a virtual interface (tun0). In fact thr vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that chillispot can function without any non-standard kernel modules. Chillispot then sets up a DHCP server (this can be disabled from the chillispot conf file) on the tun0 interface.

A client connecting to this interface has all packets rejected until it is authorized though the chillispot login page (acting as a supplicant for authentication). When a non-authenticated client tries to connect to a web-page (on port 80 or 443) the request is intercepted by chilli and redirected to a perl-script called hotspotlogin.cgi (served by apache over https).

hotspotlogin.cgi serves a page to the end-user with a username and password field. These authentication data are then forwarded to the freeradius server, which matches them with information in it’s backend (using either PAP or CHAP). The backend in this case is mysql, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably).

A user is then either rejected or authenticated by freeradius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.

Hardware Requirements

Any PC with 2 network interfaces should work.

Software Installation

For this howto we start with an installation of Ubuntu Linux. We’ve used the Ubuntu 7.10 Gutsy Gibbon server edition.

The base installation is beyond the scope of this document, but the Ubuntu Website has plenty of documentation on installing ubuntu from scratch.

Towards of the ubuntu server edition install it asks you if you require extra packages. Enable the following

* LAMP * SSH server

Note:When asked for a mysql password and you want to use the default password for this howto use:

mysqladminsecret

If you are using a different version or forget in install extra packages you can install them at a latter date by using the command

tasksel

Root

To make the installation easier create a root user. Many files can only be changed with root user.

Login user, then enter command

#sudo passwd root Enter new UNIX password: Retype new UNIX password: #su root Password:

SSH

So we can cut and paste commands to make life easier

Install putty on you windows machine

Assuming that your ubuntu box is connected to your ADSL router/DHCP server you will need to find your IP address of your ubuntu box so you can connect with putty

ifconfig

Type in your ip address and connect

Repository

Use default repository or better

Update Ubuntu

sudo apt-get update

sudo apt-get upgrade

Network setup

Setup up your network hardware/software

Interfaces

nano -w /etc/network/interfaces

auto lo iface lo inet loopback  auto eth0 iface eth0 inet dhcp  auto eth1

To enable packet forwarding you should add the following line

nano -w /etc/sysctl.conf

net/ipv4/ip_forward=1

Enable and check ip forward without a reboot

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Restart network

sudo /etc/init.d/networking restart

EnableTUN/TAP device driver support

nano -w /etc/modules

tun

To enable without reboot

sudo modprobe tun

Install chillispot

sudo apt-get install chillispot

Fill in the details

IP address of radius server 1:

127.0.0.1

Radius shared secret:

radiussecret

In a typical configuration this should be set to ‘eth1′. <ok>

Ethernet interface for DHCP to listen:

eth1

URL of UAM server:

https://192.168.2.1/cgi-bin/hotspotlogin.cgi

URL of UAM homepage:

https://192.168.2.1/welcome.html

Shared password between chillispot and webserver:

uamsecret

Enable Chillispot captive portal:

nano -w /etc/default/chillispot

ENABLED=1

Chillispot

chillispot config file

nano -w /etc/chilli.conf

net 192.168.2.0/24 ###change manually #dns1 192.168.2.1  #dns2 192.168.2.1  domain domain.org ###change manually radiusserver1 127.0.0.1  radiusserver2 127.0.0.1  radiussecret radiussecret  dhcpif eth1 uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi #uamhomepage https://192.168.2.1/welcome.html ###change manually uamsecret uamsecret uamlisten 192.168.2.1 ####change manually uamallowed www.google.it,192.168.2.0/24 ###change manually

• Note: uamhomepage has been commented out because its optional

To check conf files for errors run command

sudo /etc/init.d/chillispot start

If an error occurs it will display the line number that has caused the error. Count down the line numbers in the chilli.conf file to find the problem.

If you get a message that Coova Capture Portal is disabled and to see /etc/default/chillispot

nano -w /etc/default/chillispot

ENABLED=1

Let’s discuss the chilli.conf file in detail.

Radius section

radiusserver1 127.0.0.1 radiusserver2 127.0.0.1 radiussecret theradiussecret

You need to specify two radius servers even if you only have one. Of course, you can enter the same server in both lines. In this case it’s localhost, as FreeRadius is on the same machine of Chillispot.

radiussecret theradiussecret

The radiussecret directive contains a (secret) word which must match the one contained in the FreeRadius configuration file. This secret ensures we are allowed to make queries to the radius server. We’ll se the radius configuration part later on.

Networking section

dns1 192.168.2.1

You need to specify the IP address of the DNS server, which will be told to clients as well. The local machine’s one will be fine if the machine operates a DNS service, otherwise enter another one such as you provider’s.

dhcpif eth1

The interface to be specified is the one where the access points reside, which should be already configured with the working access points. Be sure to disable any DHCP server bound to that interface, as Chillispot doesn’t want one.

UAM section

uamallowed 192.168.2.0/24.1,192.168.182.0/24,www.google.it

The above line states which hosts the clients are allowed to connect without requring authentication. You must enter the IP address of the gateway (both the VPN address and the LAN address – This is very important! In fact, you must list at least these two addresses here, otherwise the chillispot will not work!), the IP address of the DNS server (if it’s on another machine) and any other hosts you want.

uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi

This is the (secure) URL of the script which displays the login interface and manages the login. We’ll discuss this further in the Apache configuration section.

uamhomepage https://192.168.2.1/welcome.html

Optional

This is the page where all clients will be redirected when they try to surf a web site which is not in the uamallowed list. This is quite handy, as you don’t need to provide login URLs to your users: their browser gets automatically redirected here. The contents of this file are very customizable (you can provide a full featured web page with information and the login link), and also this will be discussed later on while talking of Apache configuration.

uamsecret theuamsecret

This is the shared secret between chillispot and hostspotlogin.cgi, which ensures that the CGI script is allowed to talk to Chillispot. It’s different than the radius secret, but you can also set them all alike (not recommended, of course).

Install Firewall

The creator of chillispot has created firewall rules. We just need to enable them.

sudo cp /usr/share/doc/chillispot/firewall.iptables /etc/init.d/chilli.iptables sudo chmod a+x /etc/init.d/chilli.iptables sudo ln -s ../init.d/chilli.iptables /etc/rcS.d/S41chilli.iptables

The default firewall is set for eth0 = internet, eth1 = LAN,If you want to change this setup edit the following file

nano -w /etc/init.d/chilli.iptables

EXTIF=eth0 INTIF=eth1

Enable firewall script

sudo /etc/init.d/chilli.iptables

As said else where, do not enable a DHCP server on our ubnutu box. chillispot has its own DHCP server.

Install Radius server and Database

sudo apt-get install freeradius freeradius-mysql freeradius-dialupadmin

Create database to store usernames and passwords

mysql -u root -p Enter password:mysqladminsecret mysql> CREATE DATABASE radius; mysql> quit

Propergate database with tables created by the maker’s of freeradius

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius Enter password:mysqladminsecret mysql -u root -p Enter password:mysqladminsecret mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret'; mysql> FLUSH PRIVILEGES; mysql> quit

Tell freeradius where to find of database

nano -w /etc/freeradius/sql.conf

server = "localhost" login  = "radius" password = "mysqlsecret"

Set FreeRadius server client password

nano -w /etc/freeradius/clients.conf

client 127.0.0.1 {     secret = radiussecret }

Testing default file setup

The default FreeRadius setup authorize’s usernames and passwords from a “file” found in /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from “file” to “sql” (mysql).

Add username an password to our user “file”. edit “John Doe”

nano -w /etc/freeradius/users

uncomment

"John Doe"     Auth-Type := Local, User-Password == "hello"                Reply-Message = "Hello, %u"

At this point you need to reboot your ubuntu box

reboot

Check FreeRadius config files.

sudo /etc/init.d/freeradius stop sudo freeradius -XXX -A

If all goes well the last line should display

Mon Mar 24 11:32:35 2008 : Info: Ready to process requests.

Ctrl+C to exit.

Start FreeRadius again

sudo /etc/init.d/freeradius start

Test password authorization to “file”

sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret

If all goes well you should get a reply

Sending Access-Request of id 136 to 127.0.0.1 port 1812         User-Name = "John Doe"         User-Password = "hello"         NAS-IP-Address = 255.255.255.255         NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37         Reply-Message = "Hello, John Doe"

change authorization to sql

If the above tests worked we can now change authorization from “file” to “sql”

Change:

nano -w /etc/freeradius/radiusd.conf

authorize {         preprocess #       auth_log #       attr_filter         chap         mschap #       digest #       IPASS         suffix #       ntdomain         eap         files #       sql #       etc_smbpasswd #       ldap #       daily #       checkval }

to

authorize {         preprocess #       auth_log #       attr_filter         chap         mschap #       digest #       IPASS         suffix #       ntdomain         eap #       files         sql #       etc_smbpasswd #       ldap #       daily #       checkval }

Note: You can only use one authorisation method at a time, not both. Therefore “files” section needs to be commented out otherwise free radius will still try to authorize with /etc/freeradius/users “file” instead of “sql”

SQL Logging

If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql

nano -w /etc/freeradius/sql.conf

sql {         driver = "rlm_sql_mysql"         server = "localhost"         login = "radius"         password = "mysqlsecret"         radius_db = "radius"         [...]         # Set to 'yes' to read radius clients from the database ('nas' table)         readclient = yes ###change manually }

nano -w /etc/freeradius/radiusd.conf

        $INCLUDE ${confdir}/sql.conf authorize {         preprocess         chap         suffix         eap         #files         sql } authenticate {         Auth-Type PAP {           pap         }         Auth-Type CHAP {           chap         }         eap } accounting {         detail         radutmp         sql ###change manually } session {         sql ###change manually }

Add users

Note: The first command is one line which ends with the word radius, It has wraped around.

echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius Enter password:mysqlsecret

Restart Radius

sudo /etc/init.d/freeradius restart

Test link

sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret

If all goes well you should receive

Sending Access-Request of id 180 to 127.0.0.1 port 1812         User-Name = "mysqltest"         User-Password = "testsecret"         NAS-IP-Address = 255.255.255.255         NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20

Apache Server

Create login page

sudo mkdir -p /var/www/hotspot/cgi-bin zcat -c /usr/share/doc/chillispot/hotspotlogin.cgi.gz | sudo tee /var/www/hotspot/cgi-bin/hotspotlogin.cgi sudo chmod a+x /var/www/hotspot/cgi-bin/hotspotlogin.cgi

edit login script

nano -w /var/www/hotspot/cgi-bin/hotspotlogin.cgi

Uncomment and change password

$uamsecret = "uamsecret"; $userpassword=1;

SSL

Apache Modules

To install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:

sudo apt-get install libapache2-mod-auth-mysql

Once you install the module, the module will be available in the /etc/apache2/mods-available directory. You can use the a2enmod command to enable a module. You can use the a2dismod command to disable a module. Once you enable the module, the module will be available in the the /etc/apache2/mods-enabled directory.

Setup up Apache and SSL

Make sure LAMP server is installed, if not use the following command:

tasksel

Create a Certificate

sudo apt-get install ssl-cert

sudo mkdir /etc/apache2/ssl

We need to find our host name for our cert

hostname -f

Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

(Answer questions)

• Note: The “Host Name” must be fill out correctly The host name of the server the certificate is for. This must be filled in. (commonName)

Host Name as per hostname -f

host.name #change to your host name

Install Module

The mod_ssl module adds an important feature to the Apache2 server – the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

sudo a2enmod ssl

/etc/init.d/apache2 force-reload

Create virtualhost

Create a virtualhost file so it looks something like this:

sudo nano -w /etc/apache2/sites-available/hotspot

NameVirtualHost 192.168.2.1:443 <VirtualHost 192.168.2.1:443>         ServerAdmin
 webmaster@domain.orgQuesto indirizzo e-mail è protetto dallo spam bot. Abilita Javascript per vederlo.
          DocumentRoot "/var/www/hotspot"         ServerName "192.168.2.1"         <Directory "/var/www/hotspot/">                 Options Indexes FollowSymLinks MultiViews                 AllowOverride None                 Order allow,deny                 allow from all         </Directory>           Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"          <Directory "/usr/share/freeradius-dialupadmin/htdocs/">                  Options Indexes FollowSymLinks MultiViews                 AllowOverride None                 Order allow,deny                 allow from all         </Directory>          ScriptAlias /cgi-bin/ /var/www/hotspot/cgi-bin/         <Directory "/var/www/hotspot/cgi-bin/">                 AllowOverride None                 Options ExecCGI -MultiViews +SymLinksIfOwnerMatch                 Order allow,deny                 Allow from all         </Directory>          ErrorLog /var/log/apache2/hotspot-error.log          LogLevel warn          CustomLog /var/log/apache2/hotspot-access.log combined          ServerSignature On          SSLEngine on          SSLCertificateFile /etc/apache2/ssl/apache.pem </VirtualHost>

Enable SSL virtualhost

sudo a2ensite hotspot

/etc/init.d/apache2 reload

Listen Ports

HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:

nano -w /etc/apache2/ports.conf

Listen 192.168.2.1:80 Listen 192.168.2.1:443 #<IfModule mod_ssl.c> #    Listen 443 #</IfModule>

don’t forget to modify

sudo nano -w /etc/apache2/sites-available/default

NameVirtualHost *:80 <virtualhost *:80>

Server Root

nano -w /etc/apache2/apache2.conf

add

ServerName 192.168.2.1

Edit host file

nano -w /etc/hosts

192.168.2.1    host.name host #change to your host name

Restart Apache server

sudo /etc/init.d/apache2 restart

your web broswer should be able to link to pages

https://192.168.2.1/cgi-bin/hotspotlogin.cgi

and

http://192.168.2.1:3990/

Finish

Reboot your computer and everything should work

reboot

source here