
daloRADIUS

Captive Portal Setup

2009 by Liran Tal liran@enginx.com

daloRADIUS Hands-on Guides

Captive Portal Setup


The captive portal provides a Unified Access Method (UAM) that gives users access to the service via their web browser, where they can log in, register for a new account, view a service's terms of usage, and more. The essence of captive portal functionality is to (always) redirect any web traffic a user requests to the service's web pages, which provide access to the service (via Login or Signup pages). Some examples of captive portal software are Wifidog, NoCatAuth, Chillispot, and perhaps the most common and popular of all, CoovaChilli. CoovaChilli is the successor of the Chillispot project, which suffered from abandoned development; therefore Coova's maintainer, David Bird, assumed the role of continuing its development under the new name CoovaChilli.

daloRADIUS ships with captive portal pages for CoovaChilli (and Chillispot) and supports only those. Moreover, it provides a PHP version of the captive portal pages, suitable for deployment on a LAMP-based install, and introduces a templating system that makes it extremely easy and convenient for businesses to modify the portal pages and customize them to their needs.

Project References:

1. Wifidog: http://dev.wifidog.org
2. NoCatAuth: http://nocat.net
3. Chillispot: http://chillispot.info
4. CoovaChilli: http://coova.org/CoovaChilli

Deploying the Captive Portal


As stated above in the brief introduction, daloRADIUS ships with Captive Portal pages, ready to be used. More than that, it ships with 3 different versions of the captive portal pages:

1. A stripped-down version of the pages (very basic HTML)
2. A themed version of the captive portal pages (option 1)
3. A themed version of the captive portal pages (option 2)

We will focus on deploying the captive portal pages with the 2nd version, which is available in the daloRADIUS package: contrib/chilli/portal2.

Outlined below are the steps to take for an Ubuntu or a Debian-based Linux distribution. (While the document refers to CoovaChilli, most if not all configuration examples are relevant to Chillispot as well, so CoovaChilli and Chillispot are interchangeable in the scope of this document.)

1. Get the latest release of daloRADIUS ( >= 0.9-8 ) and unpack the tar.gz package to a local directory.

    # cd /tmp
    # wget -O daloradius-0.9-8.tar.gz "http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.98/daloradius-0.9-8.tar.gz?use_mirror=garr"
    # tar zxvf daloradius-0.9-8.tar.gz

2. Copy the hotspotlogin directory from contrib/chilli/portal2 (found in the top-level directory of the daloRADIUS package) to the website-accessible directory of your choice. For the example throughout this document we will use /var/www/dalohosting/hotspotlogin/

    # mkdir -p /var/www/dalohosting
    # cp -arp /tmp/daloradius-0.9-8/contrib/chilli/portal2/hotspotlogin/ /var/www/dalohosting/

3. Adjust file permissions for the web server user and group.

    # chown www-data:www-data /var/www/dalohosting/hotspotlogin/* -R
    # chown www-data:www-data /var/www/dalohosting/hotspotlogin

4. CoovaChilli (and Chillispot) communicates with the (remote) portal pages over SSL, and the directives required in CoovaChilli's configuration are:

    uamlisten 192.168.182.1
    uamport 3990
    uamserver https://www.example.com/hotspotlogin/hotspotlogin.php
    uamsecret mysecretuampassword

Information regarding these parameters and others is available through CoovaChilli's homepage, forums, mailing list and documentation. In the given example, the hotspotlogin directory is accessible from that example domain. Make sure that a good shared secret is used for the uamsecret directive, and that the same value is set in both the hotspotlogin files and the CoovaChilli configuration files.

5. To configure the hotspotlogin directory, we need to specify the uamsecret that was set previously in the CoovaChilli configuration. Use the editor of your choice to edit the file /var/www/dalohosting/hotspotlogin/hotspotlogin.php and set the uamsecret variable at the beginning of the file accordingly:

    # Shared secret used to encrypt challenge with. Prevents dictionary attacks.
    # You should change this to your own shared secret.
    $uamsecret = "mysecretuampassword";

6. The hotspotlogin directory must be served by the web server at the exact location set in CoovaChilli's uamserver definition. To achieve this we define a VirtualHost entry (it is beyond the scope of this document to cover every other possible way; consult Apache's references). Enabling SSL support in Apache:

    # apt-get install ssl-cert
    # mkdir /etc/apache2/ssl
    # /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
    # a2enmod ssl && /etc/init.d/apache2 restart

While this isn't an Apache guide, the steps above should be sufficient for an already installed apache2 server to add SSL support. Next, add a VirtualHost file entry (assuming a NameVirtualHost entry for this domain already exists):

    <VirtualHost 1.1.1.1:443>
        ServerName www.example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/dalohosting/
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

Save the above file as /etc/apache2/sites-enabled/hotspotlogin-ssl, replacing the VirtualHost IP address of 1.1.1.1 with the correct settings, as well as other configuration options in the file. Then enable this site entry and restart/reload Apache:

    # a2ensite hotspotlogin-ssl
    # /etc/init.d/apache2 restart

It might be a good idea to make sure the web server is configured to listen for SSL on the correct IP address as stated above. Take a look at /etc/apache2/ports.conf
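The following check is an added example, not part of daloRADIUS or CoovaChilli: it verifies that the uamsecret from step 4 matches the one set in step 5, that it is not the guide's sample value, and that uamserver uses https. It assumes the "key value" directive form and the $uamsecret assignment shown above; the function names, the sample files and the 16-character floor are this example's own.

```sh
#!/bin/sh
# Added example, not part of daloRADIUS or CoovaChilli.
# Assumes the "key value" directive form shown in step 4 and the
# $uamsecret = "..."; assignment shown in step 5.

# Print the value of an active (uncommented) directive in the chilli config.
chilli_get() {  # $1 = config file, $2 = directive name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print the string assigned to $uamsecret in hotspotlogin.php.
php_uamsecret() {  # $1 = path to hotspotlogin.php
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print one line per finding; the exit status is the number of findings.
audit_uam() {  # $1 = chilli config, $2 = hotspotlogin.php
    conf_secret=$(chilli_get "$1" uamsecret)
    php_secret=$(php_uamsecret "$2")
    server=$(chilli_get "$1" uamserver)
    findings=0
    if [ -z "$conf_secret" ] || [ "$conf_secret" != "$php_secret" ]; then
        echo "MISMATCH: uamsecret is unset or differs between the two files"
        findings=$((findings + 1))
    fi
    # The 16-character floor is this example's own threshold, not a CoovaChilli rule.
    if [ "$conf_secret" = "mysecretuampassword" ] || [ "${#conf_secret}" -lt 16 ]; then
        echo "WEAK: uamsecret is the guide's sample value or under 16 characters"
        findings=$((findings + 1))
    fi
    case $server in
        https://*) ;;
        *) echo "PLAINTEXT: uamserver is not an https:// URL"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample files that reuse the guide's example values.
tmp=$(mktemp -d)
printf '%s\n' 'uamlisten 192.168.182.1' 'uamport 3990' \
    'uamserver https://www.example.com/hotspotlogin/hotspotlogin.php' \
    'uamsecret mysecretuampassword' > "$tmp/chilli.conf"
printf '%s\n' '<?php' '$uamsecret = "mysecretuampassword";' > "$tmp/hotspotlogin.php"
audit_uam "$tmp/chilli.conf" "$tmp/hotspotlogin.php" || echo "findings: $?"
```

On a real install, pass the path of your CoovaChilli configuration file and /var/www/dalohosting/hotspotlogin/hotspotlogin.php to audit_uam.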

Successful Login
Finally, once the captive portal pages have been installed and configured correctly on the remote web server, and CoovaChilli is running with the correct parameters on a NAS or a sandbox Linux system, a user who connects to the wireless network (wireless in most cases, at least) is allocated an IP address by the DHCP server run by CoovaChilli. At this point the user will open the browser and attempt to surf the Internet. Since CoovaChilli is configured to run as captive portal software, it intercepts the user's port 80 (web traffic) request and displays the configured captive portal page, as shown in the screenshot:

Feedback
We hope you enjoyed this tutorial and made the best of it. For comments and general feedback please contact us via email at team@enginx.com
