WifiDocs ChillispotHotspot 8.

04 Introduction
Note: This howto has been tested and works for Ubuntu 8.04 Hardy Heron server editions for other vesions of ubuntu see WifiDocs/ChillispotHotspot Chillispot is software which provides authentication and restricted network access to clients. Its primary use is in wireless (WiFi) networks. For instance, suppose you are managing a wireless network in a hotel: the access points are connected via the wired LAN to a server which works as a gateway, firewall, DNS server, etc. Now you want the same server (either because it's desirable or because it's required by your nation's law) to require authentication from all clients, possibly without messing around with the configuration of the access points. And maybe you even want users to be able to browse some sites (i.e. an internal web server or the hotel web site) without the need to authenticate themselves. Chillispot lets you manage all of this, and some more. Please take a look at the Chillispot.info web site to see how the software works. In a few words, hillispot creates a virtual private network (192.168.182.0/24, but you can change this default setting) which it uses to dialogate with the clients and to decide who and how to let to see the outside network. Chillispot manages the allocation of dynamic IP addresses to clients, so you don't need other DHCP tools. As of mid 2007, ChilliSpot appears to be dead. The developer Jens Jacobsen had vanished, and the chillispot.org domain lapsed, but chillispot.info is a copy (with ads inserted) of the original site. CoovaChilli has forked from ChilliSpot 1.0 and its development also continues with an active user-base.

Requirements
The following software is required for this installation:

Chillispot FreeRadius Apache MySQL

Apache 1.x and MySql 4.0.x or even 3.23.x would probably do, but the above specified versions are the latest stable ones available so you're encouraged to stick to them. This tutorial will show how to run all this software on a single machine. However, you could install Apache and MySQL on a separate one, or even have 4 different machines: you'll just need to adjust the configuration parameters of each piece of software.

Also, you'll need your kernel configured for generic tunneling support. A 2.6.x kernel version is recommended.

Caveats
This HOWTO presumes you have an x86 machine. This is not going to work on AMD64, because both Chillispot and FreeRadius have bugs which prevent them to work as they should. I don't know the status of these softwares on other platforms.

The proccess
Chillispot takes control of the internal interface (eth1) using a vtun kernel module to bring up a virtual interface (tun0). In fact thr vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that chillispot can function without any non-standard kernel modules. Chillispot then sets up a DHCP server (this can be disabled from the chillispot conf file) on the tun0 interface. A client connecting to this interface has all packets rejected until it is authorized though the chillispot login page (acting as a supplicant for authentication). When a non-authenticated client tries to connect to a web-page (on port 80 or 443) the request is intercepted by chilli and redirected to a perl-script called hotspotlogin.cgi (served by apache over https). hotspotlogin.cgi serves a page to the end-user with a username and password field. These authentication data are then forwarded to the freeradius server, which matches them with information in its backend (using either PAP or CHAP). The backend in this case is mysql, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably). A user is then either rejected or authenticated by freeradius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.

Hardware Requirements
Any PC with 2 network interfaces should work.

Software Installation
For this howto we start with an installation of Ubuntu Linux. Weve used the Ubuntu 7.10 Gutsy Gibbon server edition. The base installation is beyond the scope of this document, but the Ubuntu Website has plenty of documentation on installing ubuntu from scratch. Towards of the ubuntu server edition install it asks you if you require extra packages. Enable the following

* LAMP * SSH server

Note:When asked for a mysql password and you want to use the default password for this howto use:
mysqladminsecret

Of course for a live chillispot access point you will need to change all password to your own If you are using a different version or forget in install extra packages you can install them at a latter date by using the command
tasksel

Root
To make the installation easier create a root user. Many files can only be changed with root user. Login user, then enter command
#sudo passwd root Enter new UNIX password: Retype new UNIX password: #su root Password:

SSH
So we can cut and paste commands to make life easier Install putty on you windows machine Assuming that your ubuntu box is connected to your ADSL router/DHCP server you will need to find your IP address of your ubuntu box so you can connect with putty
ip addr

Type in your ip address and connect

Repository
Use default repository or better

Update Ubuntu
sudo apt-get update sudo apt-get upgrade

Network setup

Setup up your network hardware/software

Interfaces
nano -w /etc/network/interfaces auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp auto eth1

To enable packet forwarding you should add the following line

nano -w /etc/sysctl.conf net/ipv4/ip_forward=1

Enable and check ip forward without a reboot

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Restart network
sudo /etc/init.d/networking restart

EnableTUN/TAP device driver support

nano -w /etc/modules tun

To enable without reboot

sudo modprobe tun

Install chillispot
sudo apt-get install chillispot

Fill in the details IP address of radius server 1:

127.0.0.1

Radius shared secret:

radiussecret

In a typical configuration this should be set to 'eth1'. <ok>

Ethernet interface for DHCP to listen:

eth1

URL of UAM server:

https://192.168.2.1/cgi-bin/hotspotlogin.cgi

URL of UAM homepage:

https://192.168.2.1/welcome.html

Shared password between chillispot and webserver:

uamsecret

Enable Chillispot captive portal:

nano -w /etc/default/chillispot ENABLED=1

Chillispot
chillispot config file
nano -w /etc/chilli.conf net 192.168.2.0/24 ###change manually #dns1 192.168.2.1 #dns2 192.168.2.1 domain domain.org ###change manually radiusserver1 127.0.0.1 radiusserver2 127.0.0.1 radiussecret radiussecret dhcpif eth1 uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi #uamhomepage https://192.168.2.1/welcome.html ###change manually uamsecret uamsecret uamlisten 192.168.2.1 ####change manually uamallowed www.google.it,192.168.2.0/24 ###change manually

Note: uamhomepage has been commented out because its optional

To check conf files for errors run command

sudo /etc/init.d/chillispot start

If an error occurs it will display the line number that has caused the error. Count down the line numbers in the chilli.conf file to find the problem. If you get a message that Coova Capture Portal is disabled and to see /etc/default/chillispot

nano -w /etc/default/chillispot ENABLED=1

Let's discuss the chilli.conf file in detail.

Radius section
radiusserver1 127.0.0.1 radiusserver2 127.0.0.1 radiussecret theradiussecret

You need to specify two radius servers even if you only have one. Of course, you can enter the same server in both lines. In this case it's localhost, as FreeRadius is on the same machine of Chillispot.
radiussecret theradiussecret

The radiussecret directive contains a (secret) word which must match the one contained in the FreeRadius configuration file. This secret ensures we are allowed to make queries to the radius server. We'll se the radius configuration part later on.

Networking section
dns1 192.168.2.1

You need to specify the IP address of the DNS server, which will be told to clients as well. The local machine's one will be fine if the machine operates a DNS service, otherwise enter another one such as you provider's.
dhcpif eth1

The interface to be specified is the one where the access points reside, which should be already configured with the working access points. Be sure to disable any DHCP server bound to that interface, as Chillispot doesn't want one.

UAM section
uamallowed 192.168.2.0/24.1,192.168.182.0/24,www.google.it

The above line states which hosts the clients are allowed to connect without requring authentication. You must enter the IP address of the gateway (both the VPN address and the LAN address - This is very important! In fact, you must list at least these two addresses here, otherwise the chillispot will not work!), the IP address of the DNS server (if it's on another machine) and any other hosts you want.
uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi

This is the (secure) URL of the script which displays the login interface and manages the login. We'll discuss this further in the Apache configuration section.

uamhomepage https://192.168.2.1/welcome.html

Optional This is the page where all clients will be redirected when they try to surf a web site which is not in the uamallowed list. This is quite handy, as you don't need to provide login URLs to your users: their browser gets automatically redirected here. The contents of this file are very customizable (you can provide a full featured web page with information and the login link), and also this will be discussed later on while talking of Apache configuration.
uamsecret theuamsecret

This is the shared secret between chillispot and hostspotlogin.cgi, which ensures that the CGI script is allowed to talk to Chillispot. It's different than the radius secret, but you can also set them all alike (not recommended, of course).

Install Firewall
The creator of chillispot has created firewall rules. We just need to enable them.
sudo cp /usr/share/doc/chillispot/firewall.iptables /etc/init.d/chilli.iptables sudo chmod a+x /etc/init.d/chilli.iptables sudo ln -s ../init.d/chilli.iptables /etc/rcS.d/S41chilli.iptables

The default firewall is set for eth0 = internet, eth1 = LAN,If you want to change this setup edit the following file
nano -w /etc/init.d/chilli.iptables EXTIF=eth0 INTIF=eth1

Enable firewall script

sudo /etc/init.d/chilli.iptables

As said else where, do not enable a DHCP server on our ubnutu box. chillispot has its own DHCP server.

Install Radius server and Database

sudo apt-get install freeradius freeradius-mysql freeradius-dialupadmin

Create database to store usernames and passwords

mysql -u root -p Enter password:mysqladminsecret mysql> CREATE DATABASE radius;

mysql> quit

Propergate database with tables created by the maker's of freeradius

zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius Enter password:mysqladminsecret mysql -u root -p Enter password:mysqladminsecret mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret'; mysql> FLUSH PRIVILEGES; mysql> quit

Tell freeradius where to find of database

nano -w /etc/freeradius/sql.conf server = "localhost" login = "radius" password = "mysqlsecret"

Set FreeRadius server client password

nano -w /etc/freeradius/clients.conf client 127.0.0.1 { secret = radiussecret }

Testing default file setup

The default FreeRadius setup authorize's usernames and passwords from a "file" found in /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from "file" to "sql" (mysql). Add username an password to our user "file". edit "John Doe"
nano -w /etc/freeradius/users

uncomment
"John Doe" Auth-Type := Local, User-Password == "hello" Reply-Message = "Hello, %u"

At this point you need to reboot your ubuntu box

reboot

Check FreeRadius config files.

sudo /etc/init.d/freeradius stop

sudo freeradius -XXX -A

If all goes well the last line should display Mon Mar 24 11:32:35 2008 : Info: Ready to process requests. Ctrl+C to exit. Start FreeRadius again
sudo /etc/init.d/freeradius start

Test password authorization to "file"

sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret

If all goes well you should get a reply

Sending Access-Request of id 136 to 127.0.0.1 port 1812 User-Name = "John Doe" User-Password = "hello" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37 Reply-Message = "Hello, John Doe"

change authorization to sql

If the above tests worked we can now change authorization from "file" to "sql" Change: files to # files # sql to sql
nano -w /etc/freeradius/radiusd.conf authorize { preprocess # auth_log # attr_filter chap mschap # digest # IPASS suffix # ntdomain eap files # sql # etc_smbpasswd # ldap # daily # checkval

to
authorize { preprocess # auth_log # attr_filter chap mschap # digest # IPASS suffix # ntdomain eap # files sql # etc_smbpasswd # ldap # daily # checkval }

Note: You can only use one authorisation method at a time, not both. Therefore "files" section needs to be commented out otherwise free radius will still try to authorize with /etc/freeradius/users "file" instead of "sql"

SQL Logging
If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql
nano -w /etc/freeradius/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" login = "radius" password = "mysqlsecret" radius_db = "radius" [...] # Set to 'yes' to read radius clients from the database ('nas' table) readclient = yes ###change manually } nano -w /etc/freeradius/radiusd.conf $INCLUDE ${confdir}/sql.conf authorize { preprocess chap suffix eap #files sql } authenticate { Auth-Type PAP {

pap } Auth-Type CHAP { chap } eap } accounting { detail radutmp sql ###change manually } session { sql ###change manually }

Add users
Note: The first command is one line which ends with the word radius, It has wraped around.
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius Enter password:mysqlsecret

Restart Radius
sudo /etc/init.d/freeradius restart

Test link
sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret

If all goes well you should receive

Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "mysqltest" User-Password = "testsecret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20

Apache Server
Create login page
sudo mkdir -p /var/www/hotspot/cgi-bin zcat -c /usr/share/doc/chillispot/hotspotlogin.cgi.gz | sudo tee /var/www/hotspot/cgi-bin/hotspotlogin.cgi sudo chmod a+x /var/www/hotspot/cgi-bin/hotspotlogin.cgi

edit login script

nano -w /var/www/hotspot/cgi-bin/hotspotlogin.cgi

Uncomment and change password

$uamsecret = "uamsecret"; $userpassword=1;

SSL
Apache Modules
To install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:
sudo apt-get install libapache2-mod-auth-mysql

Once you install the module, the module will be available in the /etc/apache2/modsavailable directory. You can use the a2enmod command to enable a module. You can use the a2dismod command to disable a module. Once you enable the module, the module will be available in the the /etc/apache2/mods-enabled directory.

Setup up Apache and SSL

Make sure LAMP server is installed, if not use the following command:
tasksel

Create a Certificate
sudo apt-get install ssl-cert sudo mkdir /etc/apache2/ssl

We need to find our host name for our cert

hostname -f

Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgibin/bugreport.cgi?bug=293821#22

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

(Answer questions)

Note: The "Host Name" must be fill out correctly The host name of the server the certificate is for. This must be filled in. (commonName)

Host Name as per hostname -f

host.name #change to your host name

Install Module The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the

https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.
sudo a2enmod ssl /etc/init.d/apache2 force-reload

Create virtualhost Create a virtualhost file so it looks something like this:

sudo nano -w /etc/apache2/sites-available/hotspot NameVirtualHost 192.168.2.1:443 <VirtualHost 192.168.2.1:443> ServerAdmin webmaster@domain.org DocumentRoot "/var/www/hotspot" ServerName "192.168.2.1" <Directory "/var/www/hotspot/"> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/" <Directory "/usr/share/freeradius-dialupadmin/htdocs/"> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /var/www/hotspot/cgi-bin/ <Directory "/var/www/hotspot/cgi-bin/"> AllowOverride None Options ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/hotspot-error.log LogLevel warn CustomLog /var/log/apache2/hotspot-access.log combined ServerSignature On SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.pem </VirtualHost>

Enable SSL virtualhost

sudo a2ensite hotspot /etc/init.d/apache2 reload

Listen Ports

HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:
nano -w /etc/apache2/ports.conf Listen 192.168.2.1:80 Listen 192.168.2.1:443 #<IfModule mod_ssl.c> # Listen 443 #</IfModule>

don't forget to modify

sudo nano -w /etc/apache2/sites-available/default NameVirtualHost *:80 <virtualhost *:80>

Server Root
nano -w /etc/apache2/apache2.conf

add
ServerName 192.168.2.1

Edit host file

nano -w /etc/hosts 192.168.2.1 host.name host #change to your host name

Restart Apache server

sudo /etc/init.d/apache2 restart

your web broswer should be able to link to pages https://192.168.2.1/cgi-bin/hotspotlogin.cgi and http://192.168.2.1:3990/

Finish
Reboot your computer and everything should work
reboot

Optional Features

Install Wifi Adaptor

If you want to install a wifi adaptor to your chilli hotspot follow these instructions The wifi adaptor/card must support master mode. Install card and drivers if required see WifiDocs/MasterMode We need to modify interfaces
sudo nano -w /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp # Secondary network interface auto eth1 # Wireless Setup auto ath0 iface ath0 inet manual wireless-mode master wireless-essid pivotpoint # Bridge interface auto br0 iface br0 inet manual bridge-ports eth1 ath0

Modify firewall/iptables interface

nano -w /etc/init.d/chilli.iptables

change INTIF
INTIF="br0"

Finally change chillispot interface

nano -w /etc/chilli.conf dhcpif br0

reboot and that it.

Firewall
You may need to modify firewall settings In this example i want to control chillispot with SSH (port 22) through eth1. By default port 22 is blocked on eth1.
nano -w /etc/init.d/chilli.iptables

find #Allow releated, established and ssh on $EXTIF. Reject everything else. Then add a new line just below the existing port 22 rule
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT

reset firewall
sudo /etc/init.d/chilli.iptables

Done

Dial Up admin
Note: Dial Up Admin is untested and uncommented continue at your own risk The following is untested a cut and paste of what I assume is dial up adminstartion of you login in server. I would be nice if someone could add some comments.
sed "/auto_increment/ s/DEFAULT '0'//" /usr/share/freeradiusdialupadmin/sql/badusers.sql | mysql -u radius -p radius mysql -u radius -p radius < /usr/share/freeradiusdialupadmin/sql/mtotacct.sql mysql -u radius -p radius < /usr/share/freeradiusdialupadmin/sql/totacct.sql sed "/auto_increment/ s/DEFAULT '0'//" /usr/share/freeradiusdialupadmin/sql/userinfo.sql | mysql -u radius -p radius nano -w /etc/freeradius-dialupadmin/admin.conf general_domain: dominio.org general_radius_server_secret: radiussecret general_encryption_method: clear sql_username: radius sql_password: mysqlsecret #sql_debug: true

Dial-up Admin https://192.168.2.1/dialupadmin/index.html

nano -w /etc/apache2/sites-available/hotspot <Directory "/usr/share/freeradius-dialupadmin/htdocs"> ... AuthName "Restricted Area" AuthType Basic AuthUserFile /etc/apache2/.htpasswd require valid-user </Directory> sudo htpasswd -bcm /etc/apache2/.htpasswd admin adminsecret sudo /etc/init.d/apache2 restart nano -w /etc/freeradius-dialupadmin/naslist.conf

Online users
nas1_name: nas1.%{general_domain} nas1_type: other nas1_model: ChilliSpot nas1_ip: 0.0.0.0 nas1_finger: database

User Statistics
nano -w sudo chmod a+x /usr/share/freeradius-dialupadmin/bin/tot_stats nano -w /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats SBAGLIATO: $sql_password = ($sql_pasword == '') ? '' : "-p$sql_password"; CORRETTO: $sql_password = ($sql_pasword eq '') ? '' : "-p$sql_password"; sudo cp /usr/share/doc/freeradius-dialupadmin/examples/freeradiusdialupadmin.cron /etc/cron.d/freeradius-dialupadmin

Failed Logins
nano -w /etc/freeradius/radiusd.conf log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes

restart radius
sudo /etc/init.d/freeradius restart nano -w /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log & sudo chmod a+x /etc/init.d/freeradius.badlogins sudo ln -s ../init.d/freeradius.badlogins /etc/rc2.d/S99freeradius.badlogins $ sudo /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log /etc/freeradius-dialupadmin/admin.conf once $ sudo /etc/init.d/freeradius.badlogins

Transparent Proxy
Note: Transparent Proxy is untested and uncommented continue at your own risk Squid http://www.squid-cache.org/

sudo apt-get install squid sarg nano -w /etc/squid/squid.conf http_port 192.168.2.1:3128 httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on nano -w /etc/init.d/chilli.iptables sudo iptables -t nat -A PREROUTING -i tun0 -p tcp -s 192.168.2.0/24 --dport 80 -j REDIRECT --to 3128

http://192.168.2.1:3128/
sudo iptables -I FORWARD 1 -i tun0 -o eth0 -s 192.168.2.0/24 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT: nano -w /etc/log/syslog

DansGuardian

Script Backup
Note: Script Backup is untested and uncommented continue at your own risk /var/log/squid/access.log /var/log/syslog /etc/logrotate.d/squid
cp /var/log/squid/access.log /data/access.log-`date +%Y%m%d`

/data /etc/cron.daily/sysklogd
grep "HOTSPOT:" /var/log/syslog > /data/httpd_syslog.log-`date +%Y%m%d`