Professional Documents
Culture Documents
04 Introduction
Note: This howto has been tested and works for Ubuntu 8.04 Hardy Heron server editions for other vesions of ubuntu see WifiDocs/ChillispotHotspot Chillispot is software which provides authentication and restricted network access to clients. Its primary use is in wireless (WiFi) networks. For instance, suppose you are managing a wireless network in a hotel: the access points are connected via the wired LAN to a server which works as a gateway, firewall, DNS server, etc. Now you want the same server (either because it's desirable or because it's required by your nation's law) to require authentication from all clients, possibly without messing around with the configuration of the access points. And maybe you even want users to be able to browse some sites (i.e. an internal web server or the hotel web site) without the need to authenticate themselves. Chillispot lets you manage all of this, and some more. Please take a look at the Chillispot.info web site to see how the software works. In a few words, hillispot creates a virtual private network (192.168.182.0/24, but you can change this default setting) which it uses to dialogate with the clients and to decide who and how to let to see the outside network. Chillispot manages the allocation of dynamic IP addresses to clients, so you don't need other DHCP tools. As of mid 2007, ChilliSpot appears to be dead. The developer Jens Jacobsen had vanished, and the chillispot.org domain lapsed, but chillispot.info is a copy (with ads inserted) of the original site. CoovaChilli has forked from ChilliSpot 1.0 and its development also continues with an active user-base.
Requirements
The following software is required for this installation:
Apache 1.x and MySql 4.0.x or even 3.23.x would probably do, but the above specified versions are the latest stable ones available so you're encouraged to stick to them. This tutorial will show how to run all this software on a single machine. However, you could install Apache and MySQL on a separate one, or even have 4 different machines: you'll just need to adjust the configuration parameters of each piece of software.
Also, you'll need your kernel configured for generic tunneling support. A 2.6.x kernel version is recommended.
Caveats
This HOWTO presumes you have an x86 machine. This is not going to work on AMD64, because both Chillispot and FreeRadius have bugs which prevent them to work as they should. I don't know the status of these softwares on other platforms.
The proccess
Chillispot takes control of the internal interface (eth1) using a vtun kernel module to bring up a virtual interface (tun0). In fact thr vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that chillispot can function without any non-standard kernel modules. Chillispot then sets up a DHCP server (this can be disabled from the chillispot conf file) on the tun0 interface. A client connecting to this interface has all packets rejected until it is authorized though the chillispot login page (acting as a supplicant for authentication). When a non-authenticated client tries to connect to a web-page (on port 80 or 443) the request is intercepted by chilli and redirected to a perl-script called hotspotlogin.cgi (served by apache over https). hotspotlogin.cgi serves a page to the end-user with a username and password field. These authentication data are then forwarded to the freeradius server, which matches them with information in its backend (using either PAP or CHAP). The backend in this case is mysql, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably). A user is then either rejected or authenticated by freeradius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.
Hardware Requirements
Any PC with 2 network interfaces should work.
Software Installation
For this howto we start with an installation of Ubuntu Linux. Weve used the Ubuntu 7.10 Gutsy Gibbon server edition. The base installation is beyond the scope of this document, but the Ubuntu Website has plenty of documentation on installing ubuntu from scratch. Towards of the ubuntu server edition install it asks you if you require extra packages. Enable the following
Note:When asked for a mysql password and you want to use the default password for this howto use:
mysqladminsecret
Of course for a live chillispot access point you will need to change all password to your own If you are using a different version or forget in install extra packages you can install them at a latter date by using the command
tasksel
Root
To make the installation easier create a root user. Many files can only be changed with root user. Login user, then enter command
#sudo passwd root Enter new UNIX password: Retype new UNIX password: #su root Password:
SSH
So we can cut and paste commands to make life easier Install putty on you windows machine Assuming that your ubuntu box is connected to your ADSL router/DHCP server you will need to find your IP address of your ubuntu box so you can connect with putty
ip addr
Repository
Use default repository or better
Update Ubuntu
sudo apt-get update sudo apt-get upgrade
Network setup
Interfaces
nano -w /etc/network/interfaces auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp auto eth1
Restart network
sudo /etc/init.d/networking restart
Install chillispot
sudo apt-get install chillispot
Chillispot
chillispot config file
nano -w /etc/chilli.conf net 192.168.2.0/24 ###change manually #dns1 192.168.2.1 #dns2 192.168.2.1 domain domain.org ###change manually radiusserver1 127.0.0.1 radiusserver2 127.0.0.1 radiussecret radiussecret dhcpif eth1 uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi #uamhomepage https://192.168.2.1/welcome.html ###change manually uamsecret uamsecret uamlisten 192.168.2.1 ####change manually uamallowed www.google.it,192.168.2.0/24 ###change manually
If an error occurs it will display the line number that has caused the error. Count down the line numbers in the chilli.conf file to find the problem. If you get a message that Coova Capture Portal is disabled and to see /etc/default/chillispot
Radius section
radiusserver1 127.0.0.1 radiusserver2 127.0.0.1 radiussecret theradiussecret
You need to specify two radius servers even if you only have one. Of course, you can enter the same server in both lines. In this case it's localhost, as FreeRadius is on the same machine of Chillispot.
radiussecret theradiussecret
The radiussecret directive contains a (secret) word which must match the one contained in the FreeRadius configuration file. This secret ensures we are allowed to make queries to the radius server. We'll se the radius configuration part later on.
Networking section
dns1 192.168.2.1
You need to specify the IP address of the DNS server, which will be told to clients as well. The local machine's one will be fine if the machine operates a DNS service, otherwise enter another one such as you provider's.
dhcpif eth1
The interface to be specified is the one where the access points reside, which should be already configured with the working access points. Be sure to disable any DHCP server bound to that interface, as Chillispot doesn't want one.
UAM section
uamallowed 192.168.2.0/24.1,192.168.182.0/24,www.google.it
The above line states which hosts the clients are allowed to connect without requring authentication. You must enter the IP address of the gateway (both the VPN address and the LAN address - This is very important! In fact, you must list at least these two addresses here, otherwise the chillispot will not work!), the IP address of the DNS server (if it's on another machine) and any other hosts you want.
uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi
This is the (secure) URL of the script which displays the login interface and manages the login. We'll discuss this further in the Apache configuration section.
uamhomepage https://192.168.2.1/welcome.html
Optional This is the page where all clients will be redirected when they try to surf a web site which is not in the uamallowed list. This is quite handy, as you don't need to provide login URLs to your users: their browser gets automatically redirected here. The contents of this file are very customizable (you can provide a full featured web page with information and the login link), and also this will be discussed later on while talking of Apache configuration.
uamsecret theuamsecret
This is the shared secret between chillispot and hostspotlogin.cgi, which ensures that the CGI script is allowed to talk to Chillispot. It's different than the radius secret, but you can also set them all alike (not recommended, of course).
Install Firewall
The creator of chillispot has created firewall rules. We just need to enable them.
sudo cp /usr/share/doc/chillispot/firewall.iptables /etc/init.d/chilli.iptables sudo chmod a+x /etc/init.d/chilli.iptables sudo ln -s ../init.d/chilli.iptables /etc/rcS.d/S41chilli.iptables
The default firewall is set for eth0 = internet, eth1 = LAN,If you want to change this setup edit the following file
nano -w /etc/init.d/chilli.iptables EXTIF=eth0 INTIF=eth1
As said else where, do not enable a DHCP server on our ubnutu box. chillispot has its own DHCP server.
mysql> quit
uncomment
"John Doe" Auth-Type := Local, User-Password == "hello" Reply-Message = "Hello, %u"
If all goes well the last line should display Mon Mar 24 11:32:35 2008 : Info: Ready to process requests. Ctrl+C to exit. Start FreeRadius again
sudo /etc/init.d/freeradius start
to
authorize { preprocess # auth_log # attr_filter chap mschap # digest # IPASS suffix # ntdomain eap # files sql # etc_smbpasswd # ldap # daily # checkval }
Note: You can only use one authorisation method at a time, not both. Therefore "files" section needs to be commented out otherwise free radius will still try to authorize with /etc/freeradius/users "file" instead of "sql"
SQL Logging
If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql
nano -w /etc/freeradius/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" login = "radius" password = "mysqlsecret" radius_db = "radius" [...] # Set to 'yes' to read radius clients from the database ('nas' table) readclient = yes ###change manually } nano -w /etc/freeradius/radiusd.conf $INCLUDE ${confdir}/sql.conf authorize { preprocess chap suffix eap #files sql } authenticate { Auth-Type PAP {
pap } Auth-Type CHAP { chap } eap } accounting { detail radutmp sql ###change manually } session { sql ###change manually }
Add users
Note: The first command is one line which ends with the word radius, It has wraped around.
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius Enter password:mysqlsecret
Restart Radius
sudo /etc/init.d/freeradius restart
Test link
sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret
Apache Server
Create login page
sudo mkdir -p /var/www/hotspot/cgi-bin zcat -c /usr/share/doc/chillispot/hotspotlogin.cgi.gz | sudo tee /var/www/hotspot/cgi-bin/hotspotlogin.cgi sudo chmod a+x /var/www/hotspot/cgi-bin/hotspotlogin.cgi
SSL
Apache Modules
To install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:
sudo apt-get install libapache2-mod-auth-mysql
Once you install the module, the module will be available in the /etc/apache2/modsavailable directory. You can use the a2enmod command to enable a module. You can use the a2dismod command to disable a module. Once you enable the module, the module will be available in the the /etc/apache2/mods-enabled directory.
Create a Certificate
sudo apt-get install ssl-cert sudo mkdir /etc/apache2/ssl
(Answer questions)
Note: The "Host Name" must be fill out correctly The host name of the server the certificate is for. This must be filled in. (commonName)
Install Module The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.
sudo a2enmod ssl /etc/init.d/apache2 force-reload
Listen Ports
HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:
nano -w /etc/apache2/ports.conf Listen 192.168.2.1:80 Listen 192.168.2.1:443 #<IfModule mod_ssl.c> # Listen 443 #</IfModule>
Server Root
nano -w /etc/apache2/apache2.conf
add
ServerName 192.168.2.1
your web broswer should be able to link to pages https://192.168.2.1/cgi-bin/hotspotlogin.cgi and http://192.168.2.1:3990/
Finish
Reboot your computer and everything should work
reboot
Optional Features
change INTIF
INTIF="br0"
Firewall
You may need to modify firewall settings In this example i want to control chillispot with SSH (port 22) through eth1. By default port 22 is blocked on eth1.
nano -w /etc/init.d/chilli.iptables
find #Allow releated, established and ssh on $EXTIF. Reject everything else. Then add a new line just below the existing port 22 rule
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
reset firewall
sudo /etc/init.d/chilli.iptables
Done
Dial Up admin
Note: Dial Up Admin is untested and uncommented continue at your own risk The following is untested a cut and paste of what I assume is dial up adminstartion of you login in server. I would be nice if someone could add some comments.
sed "/auto_increment/ s/DEFAULT '0'//" /usr/share/freeradiusdialupadmin/sql/badusers.sql | mysql -u radius -p radius mysql -u radius -p radius < /usr/share/freeradiusdialupadmin/sql/mtotacct.sql mysql -u radius -p radius < /usr/share/freeradiusdialupadmin/sql/totacct.sql sed "/auto_increment/ s/DEFAULT '0'//" /usr/share/freeradiusdialupadmin/sql/userinfo.sql | mysql -u radius -p radius nano -w /etc/freeradius-dialupadmin/admin.conf general_domain: dominio.org general_radius_server_secret: radiussecret general_encryption_method: clear sql_username: radius sql_password: mysqlsecret #sql_debug: true
nano -w /etc/apache2/sites-available/hotspot <Directory "/usr/share/freeradius-dialupadmin/htdocs"> ... AuthName "Restricted Area" AuthType Basic AuthUserFile /etc/apache2/.htpasswd require valid-user </Directory> sudo htpasswd -bcm /etc/apache2/.htpasswd admin adminsecret sudo /etc/init.d/apache2 restart nano -w /etc/freeradius-dialupadmin/naslist.conf
Online users
nas1_name: nas1.%{general_domain} nas1_type: other nas1_model: ChilliSpot nas1_ip: 0.0.0.0 nas1_finger: database
User Statistics
nano -w sudo chmod a+x /usr/share/freeradius-dialupadmin/bin/tot_stats nano -w /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats SBAGLIATO: $sql_password = ($sql_pasword == '') ? '' : "-p$sql_password"; CORRETTO: $sql_password = ($sql_pasword eq '') ? '' : "-p$sql_password"; sudo cp /usr/share/doc/freeradius-dialupadmin/examples/freeradiusdialupadmin.cron /etc/cron.d/freeradius-dialupadmin
Failed Logins
nano -w /etc/freeradius/radiusd.conf log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes
restart radius
sudo /etc/init.d/freeradius restart nano -w /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log & sudo chmod a+x /etc/init.d/freeradius.badlogins sudo ln -s ../init.d/freeradius.badlogins /etc/rc2.d/S99freeradius.badlogins $ sudo /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log /etc/freeradius-dialupadmin/admin.conf once $ sudo /etc/init.d/freeradius.badlogins
Transparent Proxy
Note: Transparent Proxy is untested and uncommented continue at your own risk Squid http://www.squid-cache.org/
sudo apt-get install squid sarg nano -w /etc/squid/squid.conf http_port 192.168.2.1:3128 httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on nano -w /etc/init.d/chilli.iptables sudo iptables -t nat -A PREROUTING -i tun0 -p tcp -s 192.168.2.0/24 --dport 80 -j REDIRECT --to 3128
http://192.168.2.1:3128/
sudo iptables -I FORWARD 1 -i tun0 -o eth0 -s 192.168.2.0/24 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT: nano -w /etc/log/syslog
DansGuardian
Script Backup
Note: Script Backup is untested and uncommented continue at your own risk /var/log/squid/access.log /var/log/syslog /etc/logrotate.d/squid
cp /var/log/squid/access.log /data/access.log-`date +%Y%m%d`
/data /etc/cron.daily/sysklogd
grep "HOTSPOT:" /var/log/syslog > /data/httpd_syslog.log-`date +%Y%m%d`