



WifiDocsCoovaChilli
Note: This howto is under construction; help is appreciated. This howto has a problem getting the login web page talking to FreeRADIUS.

Introduction
CoovaChilli is an open-source software access controller, based on the popular (but now defunct) ChilliSpot project, and is actively maintained by an original ChilliSpot contributor. CoovaChilli is a feature rich software access controller that provides a captive portal / walled-garden environment and uses RADIUS for access provisioning and accounting. CoovaChilli is an integral part of the CoovaAP OpenWRT-based firmware which is specialized for hotspots. For more information on how Coova's Chilli differs from the standard ChilliSpot, see the ChangeLog.


Requirements
This tutorial shows how to run all of this software on a single machine. You could, however, install Apache, MySQL and FreeRADIUS on a separate machine, or even use four different machines; you just need to adjust the configuration parameters of each piece of software. The more typical way to run CoovaChilli, though, is on the router itself, using firmware such as OpenWrt (or CoovaAP), vendor SDKs (such as Ubiquiti's), or pre-installed on hardware like that used by FON and open-mesh.com. NOTE: as tested for this howto, neither CoovaChilli nor ChilliSpot worked on a 64-bit OS; RADIUS authentication is broken in those setups. Use a 32-bit (i386) installation.




Caveats
This HOWTO presumes you have an x86 machine with at least two physical network interfaces. Usually this is an Ethernet WAN interface and a "subscriber" LAN interface that CoovaChilli will control; the latter can be either an Ethernet or a WiFi interface. In our case we assume two Ethernet interfaces, eth0 for the WAN and eth1 for the LAN.

Contents
 1. Introduction
 2. Requirements
 3. Caveats
 4. The process
 5. Hardware Requirements
 6. Software Versions
 7. Software Installation
    1. Root
    2. SSH
    3. Repository
    4. Update Ubuntu
    5. Network setup
 8. Install Radius server and Database
    1. Testing default file setup
    2. Change authorization to sql
    3. SQL Logging
    4. Add users
 9. Install CoovaChilli
    1. CoovaChilli Package Installation
    2. CoovaChilli Source Installation
    3. Basic Configuration
10. Install Firewall
    1. IPtables
11. Apache Server
    1. Create login page
12. SSL
    1. Apache Modules
    2. Setup up Apache and SSL
13. Finish
14. Additional Info
15. Optional Features
16. Post Install Trouble Shooting
    1. Packet Forwarding
    2. Enable TUN/TAP device driver support
    3. Firewall / Port Forward
17. Authors
18. Support
19. Comments / log
    1. Thanks

The process
CoovaChilli takes control of the internal interface (eth1) using a raw promiscuous socket. It then uses the kernel's tun module (the TUN/TAP driver) to bring up a virtual interface (either a tun or a tap) through which packets are passed to and from the WAN. The TUN/TAP driver moves IP packets between the kernel and user space, which is what lets CoovaChilli work without any non-standard kernel modules.

CoovaChilli then provides DHCP, ARP and HTTP hijacking on the "dhcpif" interface, in our case eth1 (HS_LANIF in the configuration below). A client connecting to this interface is confined to a "walled garden" until it is authorized: it can resolve DNS names and reach only the web sites explicitly added to the walled garden.

Authentication (and authorization) in CoovaChilli typically happens in one of two ways: MAC-based authentication (the macauth option in chilli.conf), or the more typical "Universal Access Method" (UAM), which uses a captive portal to initiate authentication. When an unauthenticated client requests a web page (on port 80), CoovaChilli intercepts the request and redirects the browser to the captive portal. In our case the portal is a Perl script, hotspotlogin.cgi, served by Apache over HTTPS. hotspotlogin.cgi presents a page with username and password fields. The script hands the credentials (combined with the challenge chilli put in the redirect URL and the shared UAM secret) back to chilli on its port 3990, and chilli forwards them to the FreeRADIUS server (as PAP, CHAP or MSCHAPv2), which matches them against its back-end. The FreeRADIUS back-end here is MySQL, but it could be any number of services such as LDAP, Kerberos, Unix passwd files or even Active Directory. FreeRADIUS then accepts or rejects the user, and hotspotlogin.cgi shows either a rejection message or a success page with a logout link.

Hardware Requirements
Any PC with 2 network interfaces.
Generated by www.PDFonFly.com at 1/19/2012 12:40:44 AM URL: https://help.ubuntu.com/community/WifiDocs/CoovaChilli

Software Versions
This howto has been tested with:

  * Ubuntu 9.04 i386 server
  * coova-chilli-1.0.13

Software Installation
For this howto we start with an installation of Ubuntu Linux. The base installation is beyond the scope of this document, but the Ubuntu website has plenty of documentation on installing Ubuntu from scratch. Towards the end of the Ubuntu server edition install it asks whether you require extra packages. Enable the following:

  * LAMP server
  * SSH server
  * DNS server

Note: when asked for a MySQL password, use mysqladminsecret if you want to follow the default passwords of this howto. For a live access point you will of course need to change every password used here to one of your own.

If you are using a different version or forgot to install the extra packages, you can install them later with:

  tasksel

Root
To make the installation easier, give the root user a password; many files can only be changed as root. Log in as your user, then:

  sudo passwd root
  Enter new UNIX password:
  Retype new UNIX password:
  su root
  Password:

Setting a root password makes direct root logins possible. Make sure PermitRootLogin in /etc/ssh/sshd_config does not allow password logins for root, or skip this step and use sudo -i for a root shell instead.

SSH
So that we can cut and paste commands, install PuTTY on your Windows machine. Assuming your Ubuntu box is connected to your ADSL router/DHCP server, find the IP address of the Ubuntu box so you can connect with PuTTY:

  ip addr

Type in the IP address and connect.

Repository
Use the default repositories (or a closer mirror if you have one).

Update Ubuntu
  sudo apt-get update
  sudo apt-get upgrade

Network setup
Setup up your network hardware/software

Interfaces
  nano -w /etc/network/interfaces

  auto lo
  iface lo inet loopback

  auto eth0
  iface eth0 inet dhcp

  auto eth1

eth1 gets no address of its own: chilli takes it over with a raw socket and puts the hotspot address on the tun interface it creates. (If your Ubuntu version insists on a stanza for eth1, "iface eth1 inet manual" brings the interface up without configuring an address on it.)

Install Radius server and Database


Install FreeRADIUS with its MySQL module:

  sudo apt-get install freeradius freeradius-mysql

Create the database that will store usernames and passwords:

  mysql -u root -p
  Enter password: mysqladminsecret
  mysql> CREATE DATABASE radius;
  mysql> quit

Populate the database with the tables shipped by the FreeRADIUS maintainers. Use the variant that matches your FreeRADIUS version.

FreeRADIUS 1:

  zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius
  Enter password: mysqladminsecret

FreeRADIUS 2:

  mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
  mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

Create the database user that FreeRADIUS will connect as:

  mysql -u root -p
  Enter password: mysqladminsecret
  mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';
  mysql> FLUSH PRIVILEGES;
  mysql> quit

(ALL PRIVILEGES is more than the server needs; SELECT, INSERT and UPDATE on radius.* cover authentication and accounting.)

Tell FreeRADIUS where to find the database:

  nano -w /etc/freeradius/sql.conf

  server = "localhost"
  login = "radius"
  password = "mysqlsecret"

Set the shared secret that RADIUS clients must present. Here the only client is chilli on the same host, and the secret has to match HS_RADSECRET in /etc/chilli/config later on:

  nano -w /etc/freeradius/clients.conf

  client 127.0.0.1 {
      secret = radiussecret
  }

Note: for FreeRADIUS 2 the syntax is:

  client localhost {
      ipaddr = 127.0.0.1
      secret = radiussecret
  }

Testing default file setup


The default FreeRADIUS setup authorizes usernames and passwords from the "files" module, which reads /etc/freeradius/users. Test this default setup before switching authorization from "files" to "sql" (MySQL). Add a username and password to the users file by uncommenting the "John Doe" entry:

  nano -w /etc/freeradius/users

  "John Doe"      Auth-Type := Local, User-Password == "hello"
                  Reply-Message = "Hello, %u"

(On FreeRADIUS 2 the shipped entry uses the newer syntax, "John Doe" Cleartext-Password := "hello" with Reply-Message = "Hello, %{User-Name}". Uncomment that form instead.)

A reboot is not required at this point; restarting FreeRADIUS is enough. First check the configuration files by running the server in debug mode in the foreground:

  sudo /etc/init.d/freeradius stop
  sudo freeradius -XXX

If all goes well the last line displays

  Mon Jun 29 15:24:34 2009 : Debug: Ready to process requests.

Press Ctrl+C to exit, then start FreeRADIUS again:

  sudo /etc/init.d/freeradius start

Test password authorization against the users file:

  sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret

If all goes well you should get a reply like

  Sending Access-Request of id 136 to 127.0.0.1 port 1812
          User-Name = "John Doe"
          User-Password = "hello"
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 0
  rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37
          Reply-Message = "Hello, John Doe"

change authorization to sql


If the above tests worked we can now change authorization from "files" to "sql". On FreeRADIUS 1 the authorize section is in radiusd.conf; on FreeRADIUS 2 it is in sites-available/default:

  nano -w /etc/freeradius/radiusd.conf              (FreeRADIUS 1)
  nano -w /etc/freeradius/sites-available/default   (FreeRADIUS 2)

In the authorize section change

  files
  # sql

to

  # files
  sql

Note: this howto comments out "files" so that only the database is consulted. FreeRADIUS runs every module listed in authorize, in order, so if "files" is left in, the entries in /etc/freeradius/users are still applied before "sql" is asked; the author found that authorization against the database only worked with "files" commented out.

SQL Logging
If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to SQL.

  nano -w /etc/freeradius/sql.conf

  sql {
      driver = "rlm_sql_mysql"
      server = "localhost"
      login = "radius"
      password = "mysqlsecret"
      radius_db = "radius"
      [...]
      # Set to 'yes' to read radius clients from the database ('nas' table)
      readclients = yes        ### change manually
  }

(The option is spelled readclients in FreeRADIUS 2; clients are read from the nas table only when the server starts. The localhost client from clients.conf keeps working alongside it.)

Then edit the server configuration. On FreeRADIUS 1 everything below is in radiusd.conf. On FreeRADIUS 2 uncomment the $INCLUDE sql.conf line that is already in radiusd.conf, and edit the sections in sites-available/default:

  nano -w /etc/freeradius/radiusd.conf              (FreeRADIUS 1)
  nano -w /etc/freeradius/sites-available/default   (FreeRADIUS 2)

  $INCLUDE ${confdir}/sql.conf

  authorize {
      preprocess
      chap
      suffix
      eap
      #files
      sql
  }
  authenticate {
      Auth-Type PAP {
          pap
      }
      Auth-Type CHAP {
          chap
      }
      eap
  }
  accounting {
      detail
      radutmp
      sql        ### change manually
  }
  session {
      sql        ### change manually
  }

Only the lines marked "change manually" (and the files/sql swap) need to change; keep the rest of each section as shipped. In particular, on FreeRADIUS 2 leave the pap (and mschap) entries at the end of authorize: they set Auth-Type PAP/MSCHAP for chilli's requests once sql has supplied the Cleartext-Password, and without them the request is rejected for lack of an Auth-Type.

Add users
Add a test user to the radcheck table:

  echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius
  Enter password: mysqlsecret

CoovaChilli itself logs in to RADIUS with the username 'chillispot' and password 'chillispot' by default. These are defined (commented out) in the default config file /etc/chilli/config:

  HS_ADMUSR=chillispot
  HS_ADMPWD=chillispot

Add this user to the radcheck table too:

  echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('chillispot', 'Password', 'chillispot');" | mysql -u radius -p radius
  Enter password: mysqlsecret

Note: 'Password' with the default op '==' is the FreeRADIUS 1 form of the check item. FreeRADIUS 2 expects the known-good password as Cleartext-Password := ..., for example INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('mysqltest', 'Cleartext-Password', ':=', 'testsecret'); the old form is still handled, with warnings in the debug output.

Both users above carry well-known default credentials; change them (keeping HS_ADMPWD in sync with the database row) before the hotspot goes live.

Restart FreeRADIUS:

  sudo /etc/init.d/freeradius restart

Test link


  sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret
  sudo radtest chillispot chillispot 127.0.0.1 0 radiussecret

If all goes well you should receive an Access-Accept response like this:

  Sending Access-Request of id 180 to 127.0.0.1 port 1812
          User-Name = "mysqltest"
          User-Password = "testsecret"
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 0
  rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20
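The radtest exchange above can be reproduced without radtest, which also shows what the shared secret actually protects. The following Python script is an added example (it is not part of this page, of FreeRADIUS or of CoovaChilli): it builds the same PAP Access-Request that radtest sends, hides the password the way RFC 2865 prescribes, and checks the Response Authenticator of the reply, so that an Access-Accept not signed with radiussecret is refused. Host, port, secret and user names are the howto's values; the NAS-IP-Address of 127.0.0.1 and the fixed request authenticator used for offline checks are constructed for the example.

```python
import hashlib
import os
import socket
import struct

# Values matching the howto's clients.conf entry and radtest invocation.
# Everything here is constructed for the example; nothing is captured from a live server.
SECRET = b"radiussecret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), cN = pN XOR MD5(secret + c(N-1)).
    Only a holder of the shared secret can undo this; it is obfuscation, not
    authenticated encryption, which is why RADIUS should not cross untrusted networks."""
    if not password:
        raise ValueError("empty password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the server does with the User-Password attribute it receives."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes):
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """The packet radtest sends for: radtest <user> <pass> 127.0.0.1 0 <secret>."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))
             + attr(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """How the server signs a reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check of the Response Authenticator. A forged Access-Accept
    from someone who does not hold radiussecret fails here."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    if reply[1] != request[1]:  # identifier must match our request
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def radius_pap_test(username, password, host="127.0.0.1", port=1812, secret=SECRET, timeout=3.0):
    """Send one Access-Request and return (code, attributes) after verifying the reply."""
    request = build_access_request(os.urandom(1)[0], username, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if not reply_is_authentic(reply, request, secret):
        raise ValueError("reply failed the Response Authenticator check (wrong secret or spoofed reply)")
    return reply[0], parse_attrs(reply[20:])


if __name__ == "__main__":
    code, attrs = radius_pap_test("mysqltest", "testsecret")
    print("Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject", attrs)
```

Run it on the hotspot box after the restart above; for mysqltest/testsecret it prints Access-Accept. The check in reply_is_authentic is the one radtest performs silently, and it is the only thing that stops a host able to reach UDP port 1812 from answering chilli's requests with a forged Access-Accept, which is why the only client defined in clients.conf is 127.0.0.1.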

Install CoovaChilli
There are two methods of installing CoovaChilli on Ubuntu:

  * Package
  * Source

Both methods are listed below

CoovaChilli Package Installation


Download the package (or the latest version available from http://www.coova.org/CoovaChilli):

  wget http://ap.coova.org/chilli/coova-chilli_1.0.13-1_i386.deb

Then install it:

  sudo dpkg -i coova-chilli_1.0.13-1_i386.deb

Copy the default configuration file and set up the portal content for Apache:

  cp /etc/chilli/defaults /etc/chilli/config
  mkdir /var/www/hotspot
  cd /var/www/hotspot
  cp /etc/chilli/www/* /var/www/hotspot
  mkdir /var/www/hotspot/images
  cp /var/www/hotspot/coova.jpg /var/www/hotspot/images/
  mkdir /var/www/hotspot/uam
  cd /var/www/hotspot/uam
  wget http://ap.coova.org/uam/
  wget http://ap.coova.org/js/chilli.js

(The first wget saves the portal page as index.html.) The package and the portal files are fetched over plain HTTP with no signature check; compare what you downloaded against the project site before installing it.

Change Host Address


Edit index.html to load chilli.js locally (this example uses 10.1.0.1 as the hotspot address):

  sed -i 's/ap.coova.org\/js\/chilli.js/10.1.0.1\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html

Edit ChilliLibrary.js to use the correct hotspot address (again 10.1.0.1 in this example):

  sed -i 's/192.168.182.1/10.1.0.1/g' /etc/chilli/www/ChilliLibrary.js
  sed -i 's/192.168.182.1/10.1.0.1/g' /var/www/hotspot/ChilliLibrary.js

To enable CoovaChilli at boot, set START_CHILLI to 1:

  nano -w /etc/default/chilli

  START_CHILLI=1
  CONFFILE="/etc/chilli.conf"

To start it now without a reboot:

sudo /etc/init.d/chilli start

CoovaChilli Source Installation


Install the build dependencies, then fetch, build and install the release:

  sudo apt-get install build-essential linux-headers-server
  wget http://ap.coova.org/chilli/coova-chilli-1.0.13.tar.gz
  tar -xzf coova-chilli-1.0.13.tar.gz && cd coova-chilli-1.0.13
  ./configure
  make
  sudo make install

Copy the default configuration file and set up the portal content for Apache:

  cp /etc/chilli/defaults /etc/chilli/config
  mkdir /var/www/hotspot
  cd /var/www/hotspot
  cp /etc/chilli/www/* /var/www/hotspot
  mkdir /var/www/hotspot/uam
  cd /var/www/hotspot/uam
  wget http://ap.coova.org/uam/
  wget http://ap.coova.org/js/chilli.js

Edit index.html to load chilli.js locally (192.168.2.1 is the hotspot address used in this example):

  sed -i 's/ap.coova.org\/js\/chilli.js/192.168.2.1\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html

The startup script:

  cd /etc/init.d/
  wget http://dev.coova.org/svn/coova-chilli/debian/coova-chilli.chilli.init
  mv chilli chilli.bak && mv coova-chilli.chilli.init chilli && chmod 755 chilli
  sed '21,30s/.*/# &/' chilli > chilli.tmp && mv chilli.tmp chilli && chmod 755 chilli

The last command comments out lines 21 to 30 of the script. Check the startup file for the paths of your installation (make install puts the binaries under /usr/local), then start chilli with:

  sudo /etc/init.d/chilli start

To enable the chilli startup script at boot:

  update-rc.d chilli defaults

The script must also be executable (the chmod 755 above already took care of this):

  chmod +x /etc/init.d/chilli

Basic Configuration
See the /etc/chilli/defaults file for details on the possible settings. Copy it to a new file called "config" in the same directory and edit the settings there. To load the settings and start chilli, run "/etc/init.d/chilli start"; this generates main.conf, local.conf and hs.conf in /etc/chilli/ for you. To apply changes to the settings later, run chilli start (or restart) again.

NOTE: main.conf is only regenerated from the config file when the service is (re)started through /etc/init.d/chilli. If you start chilli in debug mode with "chilli --debug --fg", it reads the existing main.conf; editing the config file and restarting in debug mode therefore changes nothing. Either edit main.conf directly while working in debug mode, or edit the config file and restart the service.

By default it is assumed that eth0 is your connection to the Internet and eth1 is the interface your clients (subscribers) are on. If this is not the case, set HS_WANIF to your Internet-connected device and HS_LANIF to your WiFi device, for example. With the right devices configured, restart chilli and you are on your way.

  nano /etc/chilli/config

Edit the top of the file, down to and including the HS_UAMSERVICE line, so that it reads as follows:

  # -*- /bin/sh -*-
  #
  # Coova-Chilli Default Configurations.
  # To customize, copy this file to /etc/chilli/config
  # and edit to your liking. This is included in shell scripts
  # that configure chilli and related programs before file 'config'.
  #
  HS_WANIF=eth0            # WAN Interface toward the Internet
  HS_LANIF=eth1            # Subscriber Interface for client devices
  HS_NETWORK=10.1.0.0      # HotSpot Network (must include HS_UAMLISTEN)
  HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
  HS_UAMLISTEN=10.1.0.1    # HotSpot IP Address (on subscriber network)
  HS_UAMPORT=3990          # HotSpot Port (on subscriber network)

  # Allow some additional local ports (used in the up.sh script when
  # setting the firewall for the created tun/tap)
  HS_TCP_PORTS="80 443"

  # HS_DYNIP=
  # HS_DYNIP_MASK=255.255.255.0
  # HS_STATIP=
  # HS_STATIP_MASK=255.255.255.0
  # HS_DNS_DOMAIN=

  # DNS servers handed out to clients. These are the author's example
  # addresses: in that network eth0 is 192.168.5.2 and the Internet router
  # is 192.168.5.1; if clients are allowed to reach the router (see
  # HS_UAMALLOW below) it can act as their resolver and you need not
  # define further DNS servers here. Replace with your own addresses.
  HS_DNS1=192.168.2.1
  HS_DNS2=62.72.64.237

  ###
  #   HotSpot settings for simple Captive Portal
  #
  HS_NASID=nas01
  HS_UAMSECRET=uamsecret
  HS_RADIUS=127.0.0.1
  HS_RADIUS2=127.0.0.1
  HS_RADSECRET=radiussecret

  # Walled garden: the hotspot network itself plus the address of your
  # router (comma separated; 192.168.0.1 is the author's example router)
  HS_UAMALLOW=10.1.0.0/24,192.168.0.1

  # Put entire domains in the walled-garden with DNS inspection
  # HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

  # Optional initial redirect and RADIUS settings
  # HS_SSID=<ssid>              # To send to the captive portal
  # HS_NASMAC=<mac address>     # To explicitly set Called-Station-Id
  # HS_NASIP=<ip address>       # To explicitly set NAS-IP-Address

  # The server to be used in combination with HS_UAMFORMAT to
  # create the final chilli 'uamserver' url configuration.
  HS_UAMSERVER=10.1.0.1

  # Use HS_UAMFORMAT to define the actual captive portal url.
  # Shell variable replacement takes place when evaluated, so here
  # HS_UAMSERVER is escaped and later replaced by the pre-defined
  # HS_UAMSERVER to form the actual "--uamserver" option in chilli.
  HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/

  # Same principal goes for HS_UAMHOMEPAGE.
  HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

  # This option will be configured to be the WISPr LoginURL as well
  # as provide "uamService" to the ChilliController. The UAM Service is
  # described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
  # HS_UAMSERVICE=https://10.1.0.1/cgi-bin/hotspotlogin.cgi

Three things to check in this block:

  * HS_RADSECRET must be the secret from /etc/freeradius/clients.conf, and HS_UAMSECRET must be the $uamsecret set in hotspotlogin.cgi below. Both defaults are published values; use long random strings on a live hotspot. The UAM secret is what ties logins to your portal: without it, any client that sees the challenge in the redirect URL can craft its own /logon request and bypass whatever the portal page enforces.
  * HS_UAMFORMAT is the URL unauthenticated clients are redirected to. With the value above they land on the JavaScript portal in /var/www/hotspot/uam/. If you want them sent to hotspotlogin.cgi, as the rest of this howto assumes, set HS_UAMFORMAT=https://\$HS_UAMSERVER/cgi-bin/hotspotlogin.cgi instead.
  * Everything listed in HS_UAMALLOW is reachable before login; keep it to the portal host and whatever the portal itself needs.

Install Firewall
IPtables

The creators of CoovaChilli ship predefined iptables rules, but their script needs a little help before it works. CoovaChilli's iptables setup is done in /etc/chilli/up.sh, which runs after the tun interface is up so that the exact tun interface name is known. Fix up.sh by adding these lines at the very end of the file:

  # may not have been populated the first time; run again
  [ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null

  # force-add the final rule necessary to fix routing tables
  iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE

The MASQUERADE rule rewrites the source address of client traffic leaving the WAN interface to the box's own WAN address. Without it, packets leave with 10.1.0.x source addresses and the replies never come back, which is what "fix routing tables" refers to.

/etc/chilli/up.sh calls /etc/chilli/ipup.sh if it exists (by default it does not). If you need to run your own commands after the main iptables configuration is done, create /etc/chilli/ipup.sh, populate it however you like, and make it executable (chmod +x /etc/chilli/ipup.sh).

In the chilli config above, HS_DNS1 points clients at a local address; if, as the author does here, you point them at the hotspot box itself, your system must be running a DNS server. In Ubuntu that is just a matter of running

  tasksel

and selecting "DNS Server".

Apache Server
Create login page
We need a login page. Fortunately the CoovaChilli authors include hotspotlogin.cgi with the source code. To find the file:

  find / | grep 'hotspotlogin.cgi'

In our example it is found at /usr/share/doc/coova-chilli/hotspotlogin.cgi.gz. Create a cgi-bin directory under the Apache document root, copy hotspotlogin.cgi there and make it executable:

  sudo mkdir -p /var/www/hotspot/cgi-bin
  zcat -c /usr/share/doc/coova-chilli/hotspotlogin.cgi.gz | sudo tee /var/www/hotspot/cgi-bin/hotspotlogin.cgi
  sudo chmod a+x /var/www/hotspot/cgi-bin/hotspotlogin.cgi

Edit the login script:

  nano -w /var/www/hotspot/cgi-bin/hotspotlogin.cgi

Uncomment and change the UAM secret so that it matches HS_UAMSECRET in /etc/chilli/config, and enable password mode:

  $uamsecret = "uamsecret";
  $userpassword=1;

Use a long random value for $uamsecret, not the example one. With $userpassword=1 the CGI sends the password back to chilli XOR-obfuscated with a hash of the challenge and the secret, and chilli uses PAP towards RADIUS. Leave $userpassword unset and the CGI sends a CHAP response instead, which never carries the password itself; in both cases FreeRADIUS needs to know the cleartext password (the Cleartext-Password / Password check item in radcheck).

If you intend to edit the page later, don't write print "HTML code"; use a here-document instead:

  print <<ENDHTML;
  ....your HTML code here.....
  ENDHTML

This way you don't need to escape the double quotes.
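To see what $uamsecret and $userpassword change, here is the arithmetic hotspotlogin.cgi performs, reimplemented in Python as an added example (it is not code from this page or from CoovaChilli; the Perl in the CGI is the reference, and the truncation to 16 bytes in PAP mode is what that Perl does). chilli_recover_pap and radius_check_chap model the receiving side as described in the process section above. The challenge and the secret are constructed values for the example.

```python
import hashlib
import hmac
import os

# Constructed example values (not from the page). chilli puts a 16-byte random
# challenge (32 hex digits) in the redirect URL; the portal and chilli share HS_UAMSECRET.
UAMSECRET = "uamsecret"
CHALLENGE_HEX = "00112233445566778899aabbccddeeff"


def new_challenge() -> str:
    """What chilli generates per client before redirecting to the portal."""
    return os.urandom(16).hex()


def _newchal(challenge_hex: str, uamsecret) -> bytes:
    """hotspotlogin.cgi: $hexchal = pack "H32", $challenge;
    $newchal = md5($hexchal, $uamsecret) when $uamsecret is set, else $newchal = $hexchal."""
    hexchal = bytes.fromhex(challenge_hex)
    if len(hexchal) != 16:
        raise ValueError("challenge must be 16 bytes (32 hex digits)")
    if uamsecret is None:
        return hexchal
    return hashlib.md5(hexchal + uamsecret.encode()).digest()


def portal_credentials(challenge_hex: str, password: str, uamsecret=None):
    """What the CGI computes from the submitted form. Returns (response, pappassword):
    'response' goes out as ...&response=<hex> when $userpassword is unset (CHAP),
    'pappassword' as ...&password=<hex> when $userpassword=1 (PAP)."""
    newchal = _newchal(challenge_hex, uamsecret)
    pw = password.encode()
    # md5_hex("\0", $password, $newchal): a CHAP response with identifier 0
    response = hashlib.md5(b"\x00" + pw + newchal).hexdigest()
    # unpack "H32", ($password ^ $newchal): Perl's string XOR pads the shorter operand
    # with NUL bytes and "H32" keeps the first 16 bytes, so longer passwords are truncated
    padded = pw[:16].ljust(16, b"\x00")
    pappassword = bytes(a ^ b for a, b in zip(padded, newchal)).hex()
    return response, pappassword


def chilli_recover_pap(pappassword_hex: str, challenge_hex: str, uamsecret=None) -> str:
    """chilli's side of ...&password=<hex>: undo the XOR with its own newchal and send
    the result to RADIUS as a PAP User-Password. With the wrong uamsecret the result is
    garbage, which is all a host on the subscriber LAN that sniffed the challenge gets."""
    newchal = _newchal(challenge_hex, uamsecret)
    raw = bytes(a ^ b for a, b in zip(bytes.fromhex(pappassword_hex), newchal))
    return raw.rstrip(b"\x00").decode("utf-8", errors="replace")


def radius_check_chap(response_hex: str, challenge_hex: str, password: str, uamsecret=None) -> bool:
    """chilli's side of ...&response=<hex>: it forwards CHAP-Challenge (newchal) and the
    response to RADIUS, which must hold the cleartext password to recompute
    md5(0 || password || newchal). A hashed password in the database would not do."""
    newchal = _newchal(challenge_hex, uamsecret)
    expected = hashlib.md5(b"\x00" + password.encode() + newchal).hexdigest()
    return hmac.compare_digest(expected, response_hex)
```

Note what each mode exposes on the subscriber LAN: the challenge travels in the clear in the redirect URL, and the /logon request to port 3990 is plain HTTP, so the only secret in the PAP value is $uamsecret. In CHAP mode the password never leaves the CGI at all, but the RADIUS back-end still needs the cleartext password to verify the response.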

SSL
Apache Modules
The Apache2 module for MySQL authentication (libapache2-mod-auth-mysql) is not needed for the login flow in this howto: hotspotlogin.cgi talks to chilli, and only FreeRADIUS talks to MySQL. Install it only if you want Apache itself to authenticate users against the database for other pages (for example to protect the /dialupadmin/ alias used below):

  sudo apt-get install libapache2-mod-auth-mysql

Once installed, the module is available in /etc/apache2/mods-available. Enable it with a2enmod and disable it with a2dismod; enabled modules appear in /etc/apache2/mods-enabled.

Setup up Apache and SSL


Make sure the LAMP server is installed; if not, use tasksel.

Create a certificate:

  sudo apt-get install ssl-cert
  sudo mkdir /etc/apache2/ssl

We need our host name for the certificate:

  hostname -f

Hardcoding the certificate lifetime is based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22

  sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Answer the questions. Note: the "Host Name" (commonName) must be filled in correctly; it is the host name of the server the certificate is for, as printed by hostname -f:

  host.name        # change to your host name

Install the module. mod_ssl adds an important feature to the Apache2 server: the ability to encrypt communications. When your browser talks to the server over SSL, the URL in the navigation bar starts with https://.

  sudo a2enmod ssl
  /etc/init.d/apache2 force-reload

Create a virtual host file that looks something like this:

  sudo nano -w /etc/apache2/sites-available/hotspot

  NameVirtualHost 10.1.0.1:443
  <VirtualHost 10.1.0.1:443>
      ServerAdmin webmaster@domain.org
      DocumentRoot "/var/www/hotspot"
      ServerName "10.1.0.1"
      <Directory "/var/www/hotspot/">
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
      </Directory>
      Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
      <Directory "/usr/share/freeradius-dialupadmin/htdocs/">
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
      </Directory>
      # note: the URL path is /cgi-bin/, without "hotspot" in it
      ScriptAlias /cgi-bin/ /var/www/hotspot/cgi-bin/
      <Directory "/var/www/hotspot/cgi-bin/">
          AllowOverride None
          Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
          Order allow,deny
          Allow from all
      </Directory>
      ErrorLog /var/log/apache2/hotspot-error.log
      LogLevel warn
      CustomLog /var/log/apache2/hotspot-access.log combined
      ServerSignature On
      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache.pem
  </VirtualHost>

(Apache does not accept a comment at the end of a directive line, so the remark about the ScriptAlias path sits on its own line.) Two things to tighten before going live. This virtual host is bound to the subscriber-side address and that address is in the walled garden, so everything under it is reachable by clients before they log in; the /dialupadmin/ alias therefore exposes the FreeRADIUS admin interface to every hotspot client. Drop the alias unless you installed freeradius-dialupadmin, and if you keep it, restrict it (Allow from your admin address only, or HTTP authentication). Likewise, Indexes enables directory listings; remove it unless you want them.

Enable the SSL virtual host:

  sudo a2ensite hotspot
  /etc/init.d/apache2 reload

Listen ports: HTTPS should listen on port 443. Put the following in /etc/apache2/ports.conf:

  nano -w /etc/apache2/ports.conf

  Listen *:443
  Listen *:80
  #<IfModule mod_ssl.c>
  #    Listen 443
  #</IfModule>

Don't forget to modify the default site as well:

  sudo nano -w /etc/apache2/sites-available/default

  NameVirtualHost *:80
  <VirtualHost *:80>

Server root:

  nano -w /etc/apache2/apache2.conf

add

  ServerName 10.1.0.1

Edit the hosts file:

  nano -w /etc/hosts

  10.1.0.1   host.name host        # change to your host name

Restart the Apache server:

  sudo /etc/init.d/apache2 restart

A browser on a client attached to the subscriber network should now be able to reach

  https://10.1.0.1/cgi-bin/hotspotlogin.cgi
  http://10.1.0.1:3990/

Expect a certificate warning at the first URL: the certificate is self-signed and was issued for a host name, while the portal is addressed by IP.

Finish
A reboot is not strictly required; restarting chilli, freeradius and apache2 is enough. Rebooting does verify that everything comes up on its own, so if you want to be sure:

  reboot

Additional Info
COOVA-CHILLI FILES

  /etc/chilli.conf
      The main chilli configuration file.
  /etc/chilli/defaults
      Default configurations used by the chilli init.d and functions scripts.
  /etc/chilli/config
      Location-specific configurations used by the chilli init.d and functions scripts. Copy the defaults file mentioned above and edit.
  /etc/chilli/functions
      Helps configure chilli by loading the above configurations, sets some defaults, and provides functions for writing main.conf, hs.conf and local.conf based on local and possibly centralized configurations. See chilli.conf(5).
  /etc/init.d/chilli
      The init.d script for chilli, which by default uses the above configurations to build a set of configuration files in the /etc/chilli directory, taking local configurations and optionally centralized configurations from RADIUS or a URL. See chilli.conf(5).
  /var/run/chilli.sock
      UNIX socket used for communication with the daemon.
  /var/run/chilli.pid
      Process ID file.
  /etc/chilli/www/
      The typical location of content served by chilli's minimal built-in web server.

SIGNALS

Sending HUP to chilli causes the configuration file to be re-read and DNS lookups to be performed again. The following options are not affected by HUP and can only be changed by restarting the daemon: fg, conf, pidfile, statedir, net, dynip, statip, uamlisten, uamport, radiuslisten, coaport, coanoipcheck, proxylisten, proxyport, proxyclient, proxysecret, dhcpif, dhcpmac, lease, eapolenable.

Optional Features
Extra authentication parameters

You can add a column to the radcheck table, for example to record whether a user account is still valid:

  alter table radcheck add column `Valid` tinyint(1) default 0 not null;

Then, in /etc/freeradius/sql.conf (FreeRADIUS 2 keeps the queries in /etc/freeradius/sql/mysql/dialup.conf), change authorize_check_query by adding

  and Valid = 1

after

  where username = '%{SQL-User-Name}' \

Later you can make Valid serve other purposes, for example e-mail confirmation of new accounts.
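The effect of the Valid column is easiest to see on a small in-memory copy of radcheck. The Python below is an added example (not from this page or from FreeRADIUS): it uses sqlite3 with the radcheck columns of the FreeRADIUS 2 MySQL schema, a close paraphrase of the shipped authorize_check_query with the extra condition, and a simplified PAP decision standing in for the real pap module. The sample users are constructed.

```python
import hmac
import sqlite3

# radcheck as in the FreeRADIUS 2 MySQL schema (column names as shipped, types
# simplified for sqlite), plus the Valid column the text adds.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL DEFAULT '',
    attribute TEXT NOT NULL DEFAULT '',
    op        TEXT NOT NULL DEFAULT '==',
    value     TEXT NOT NULL DEFAULT ''
);
ALTER TABLE radcheck ADD COLUMN Valid INTEGER NOT NULL DEFAULT 0;
"""

# authorize_check_query with "AND Valid = 1" added. FreeRADIUS substitutes
# %{SQL-User-Name} (escaped) itself; the bound parameter plays that role here,
# which is also the safe way to do it anywhere you write such queries by hand.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = ? AND Valid = 1 ORDER BY id"
)


def open_radius_db():
    """Fresh in-memory database with the schema above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def add_user(db, username, password, valid=False):
    """The howto's INSERT in FreeRADIUS 2 form; new accounts start disabled (Valid = 0)."""
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value, Valid) VALUES (?, ?, ?, ?, ?)",
        (username, "Cleartext-Password", ":=", password, 1 if valid else 0),
    )
    db.commit()


def set_valid(db, username, valid):
    """Enable or disable an account without touching its password
    (for example after the user confirmed an e-mail address)."""
    db.execute("UPDATE radcheck SET Valid = ? WHERE username = ?", (1 if valid else 0, username))
    db.commit()


def check_items(db, username):
    """What rlm_sql hands to the rest of the authorize section: (attribute, op, value)
    tuples. With Valid in the WHERE clause a disabled account yields no rows at all,
    so no password is known for it and the request ends in a reject."""
    rows = db.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    return [(attribute, op, value) for _id, _user, attribute, value, op in rows]


def would_accept(db, username, password):
    """Simplified stand-in for the pap module: accept only when an enabled
    Cleartext-Password check item matches the submitted password."""
    for attribute, op, value in check_items(db, username):
        if attribute == "Cleartext-Password" and op == ":=":
            return hmac.compare_digest(value.encode(), password.encode())
    return False
```

Because the gate is in the query itself, no other part of the configuration needs to know about Valid; flipping the column with set_valid is enough to enable or disable an account, and the password row stays in place for when it is re-enabled.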

xml service for the freeradius database


This CGI bash script is experimental: it parses an XML file and inserts the parsed data into the MySQL database. It is used to add a new user to the radcheck table, or to modify an existing FreeRADIUS user, in combination with CoovaChilli.

Post Install Trouble Shooting


When CoovaChilli starts it automatically loads the required kernel modules and sets up network access. Use the following commands to check:

Packet Forwarding
Test the current setting of the kernel:

  cat /proc/sys/net/ipv4/ip_forward

Manual Install
Immediately allow forwarding of packets. This sets a flag in the running kernel only and is not preserved across reboots:

  echo 1 > /proc/sys/net/ipv4/ip_forward

To make it permanent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf.

EnableTUN/TAP device driver support


Test the current setting of the kernel:

  lsmod

Look for the module tun. The TUN/TAP driver is required for proper operation of the chilli server. Linux kernels later than 2.4.7 already include the driver; it can be loaded manually with modprobe tun, or automatically at boot by adding tun to the /etc/modules configuration file.

Manual Install

  sudo modprobe tun

Firewall / Port Forward


On start up CoovaChilli runs a firewall script that defines the rules. With the author's source-install network (hotspot address 192.168.2.1; expect 10.1.0.1 with the package configuration above), iptables-save shows the following:

  # Generated by iptables-save v1.3.8 on Sun Aug 10 14:59:34 2008
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [1:530]
  :OUTPUT ACCEPT [1:530]
  COMMIT
  # Completed on Sun Aug 10 14:59:34 2008
  # Generated by iptables-save v1.3.8 on Sun Aug 10 14:59:34 2008
  *mangle
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [1:530]
  :POSTROUTING ACCEPT [1:530]
  COMMIT
  # Completed on Sun Aug 10 14:59:34 2008
  # Generated by iptables-save v1.3.8 on Sun Aug 10 14:59:34 2008
  *filter
  :INPUT ACCEPT [181:23233]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [148:77128]
  -A INPUT -d 192.168.2.1 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
  -A INPUT -d 192.168.2.1 -i tun0 -p tcp -m tcp --dport 3991 -j ACCEPT
  -A INPUT -d 255.255.255.255 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
  -A INPUT -d 192.168.2.1 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
  -A INPUT -d 192.168.2.1 -i tun0 -j DROP
  -A INPUT -i tun0 -j DROP
  -A FORWARD -i tun0 -o ! eth0 -j DROP
  -A FORWARD -o tun0 -j ACCEPT
  -A FORWARD -i tun0 -j ACCEPT
  -A FORWARD -o eth1 -j DROP
  -A FORWARD -i eth1 -j DROP
  COMMIT
  # Completed on Sun Aug 10 14:59:34 2008

Note that the nat table contains no MASQUERADE rule; that is the rule the up.sh addition in the IPtables section supplies. The filter rules let clients on tun0 reach only DHCP, DNS and the chilli ports 3990/3991 on the hotspot address, and forward tun0 traffic only towards the WAN interface.

Authors
  * Nils/agathon


Support
  * coova wiki
  * coova forum
  * IRC: irc.freenode.net #coova

Comments / log
Thanks
All contributors.

hey fressco, you have to access the login page from a client in your network, not from the server machine. You don't have to enter the login page manually on the client machine; it points you there automatically. When you get a correct IP from the coovachilli virtual DHCP, like 10.1.0.2, then everything with the above config should work: coovachilli will point you to "https://10.1.0.1/cgi-bin/hotspotlogin.cgi". If you always get a "not found" error, then see uam_homepage or uam_server in the config ... What exactly is the problem, or how far could you get with your current system?

Hi Nils
I've just done a fresh Ubuntu 8.04 server install. I've followed the install instructions above. I've removed the hotspot directory (e.g. /var/www/hotspot/cgi-bin/ is now /var/www/cgi-bin/) in all places listed. I've connected a client machine to eth1, which receives the IP address 10.1.0.2 and default gateway 10.1.0.1. I load Firefox and I receive an error of "Address Not Found". I think there is something wrong with the Apache setup? On the client machine I manually enter the URL https://10.1.0.1/cgi-bin/hotspotlogin.cgi and I get the error "Network Timeout".

This is a cut and paste of my /etc/chilli/config file:

  # -*- /bin/sh -*-
  #
  # Coova-Chilli Default Configurations.
  # To customize, copy this file to /etc/chilli/config
  # and edit to your liking. This is included in shell scripts
  # that configure chilli and related programs before file 'config'.

  ###
  #   Local Network Configurations
  #
  HS_WANIF=eth0            # WAN Interface toward the Internet
  HS_LANIF=eth1            # Subscriber Interface for client devices
  HS_NETWORK=10.1.0.0      # HotSpot Network (must include HS_UAMLISTEN)
  HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
  HS_UAMLISTEN=10.1.0.1    # HotSpot IP Address (on subscriber network)
  HS_UAMPORT=3990          # HotSpot Port (on subscriber network)

  # HS_DYNIP=
  # HS_DYNIP_MASK=255.255.255.0
  # HS_STATIP=
  # HS_STATIP_MASK=255.255.255.0
  # HS_DNS_DOMAIN=
  # HS_DNS1=
  # HS_DNS2=

  ###
  #   HotSpot settings for simple Captive Portal
  #
  HS_NASID=nas01
  HS_UAMSECRET=uamsecret
  HS_RADIUS=127.0.0.1
  HS_RADIUS2=127.0.0.1
  HS_RADSECRET=radiussecret
  HS_UAMALLOW=10.1.0.0/24,192.168.0.1,www.google.co.nz

  # Put entire domains in the walled-garden with DNS inspection
  # HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

  # Optional initial redirect and RADIUS settings
  # HS_SSID=<ssid>              # To send to the captive portal
  # HS_NASMAC=<mac address>     # To explicitly set Called-Station-Id
  # HS_NASIP=<ip address>       # To explicitly set NAS-IP-Address

  # The server to be used in combination with HS_UAMFORMAT to
  # create the final chilli 'uamserver' url configuration.
  HS_UAMSERVER=10.1.0.1

  # Use HS_UAMFORMAT to define the actual captive portal url.
  # Shell variable replacement takes place when evaluated, so here
  # HS_UAMSERVER is escaped and later replaced by the pre-defined
  # HS_UAMSERVER to form the actual "--uamserver" option in chilli.
  HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/

  # Same principal goes for HS_UAMHOMEPAGE.
  HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

  # This option will be configured to be the WISPr LoginURL as well
  # as provide "uamService" to the ChilliController. The UAM Service is
  # described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
  # HS_UAMSERVICE=https://10.1.0.1/cgi-bin/hotspotlogin.cgi

  ###
  #   Features not activated per-default (default to off)
  #
  # HS_RADCONF=off           # Get some configurations from RADIUS or a URL ('on' and 'url' respectively)
  #
  # HS_ANYIP=on              # Allow any IP address on subscriber LAN
  #
  # HS_MACAUTH=on            # To turn on MAC Authentication
  #
  # HS_MACAUTHDENY=on        # Put client in 'drop' state on MAC Auth Access-Reject
  #
  # HS_MACAUTHMODE=local     # To allow MAC Authentication based on macallowed, not RADIUS
  #
  # HS_MACALLOWED="..."      # List of MAC addresses to authenticate (comma seperated)
  #
  # HS_USELOCALUSERS=on      # To use the /etc/chilli/localusers file
  #
  # HS_OPENIDAUTH=on         # To inform the RADIUS server to allow OpenID Auth
  #
  # HS_WPAGUESTS=on          # To inform the RADIUS server to allow WPA Guests
  #
  # HS_DNSPARANOIA=on        # To drop DNS packets containing something other
  #                          # than A, CNAME, SOA, or MX records
  #
  # HS_OPENIDAUTH=on         # To inform the RADIUS server to allow OpenID Auth
  #                          # Will also configure the embedded login forms for OpenID
  #
  # HS_USE_MAP=on            # Short hand for allowing the required google
  #                          # sites to use Google maps (adds many google sites!)
  #
  ###
  #   Other feature settings and their defaults
  #
  # HS_DEFSESSIONTIMEOUT=0   # Default session-timeout if not defined by RADIUS (0 for unlimited)
  #
  # HS_DEFIDLETIMEOUT=0      # Default idle-timeout if not defined by RADIUS (0 for unlimited)
  #
  # HS_DEFBANDWIDTHMAXDOWN=0 # Default WISPr-Bandwidth-Max-Down if not defined by RADIUS (0 for unlimited)
  #
  # HS_DEFBANDWIDTHMAXUP=0   # Default WISPr-Bandwidth-Max-Up if not defined by RADIUS (0 for unlimited)

  ###
  #   Centralized configuration options examples
  #
  # HS_RADCONF=url           # requires curl
  # HS_RADCONF_URL=https://coova.org/app/ap/config
  #
  # HS_RADCONF=on            # gather the ChilliSpot-Config attributes in
  #                          # Administrative-User login
  # HS_RADCONF_SERVER=rad01.coova.org    # RADIUS Server
  # HS_RADCONF_SECRET=coova-anonymous    # RADIUS Shared Secret
  # HS_RADCONF_AUTHPORT=1812             # Auth port
  # HS_RADCONF_USER=chillispot           # Username
  # HS_RADCONF_PWD=chillispot            # Password

  ###
  #   Standard configurations
  #
  HS_MODE=hotspot
  HS_TYPE=chillispot
  # HS_RADAUTH=1812
  # HS_RADACCT=1813
  # HS_ADMUSR=chillispot
  # HS_ADMPWD=chillispot

  ###
  #   Post-Auth proxy settings
  #
  # HS_POSTAUTH_PROXY=<host or ip>
  # HS_POSTAUTH_PROXYPORT=<port>

  # Directory specifying where internal web pages can be served
  # by chilli with url /www/<file name>. Only extentions like .html
  # .jpg, .gif, .png, .js are allowed. See below for using .chi as a
  # CGI extension.
  HS_WWWDIR=/etc/chilli/www

  # Using this option assumes 'haserl' is installed per-default
  # but, and CGI type program can ran from wwwsh to process requests
  # to chilli with url /www/filename.chi
  HS_WWWBIN=/etc/chilli/wwwsh

  # Some configurations used in certain user interfaces
  #
  HS_PROVIDER=Coova
  HS_PROVIDER_LINK=http://www.coova.org/

### # WISPr RADIUS Attribute support # HS_LOC_NAME="My HotSpot" # WISPr Location Name and used in portal # WISPr settings (to form a proper WISPr-Location-Id) # HS_LOC_NETWORK="My Network" # Network name # HS_LOC_AC=408 # Phone area code # HS_LOC_CC=1 # Phone country code # HS_LOC_ISOCC=US # ISO Country code
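The configuration above names a UAM server (HS_UAMSERVER, and optionally HS_UAMSERVICE pointing at a hotspotlogin.cgi) without showing what that page has to compute. The following is an added example, not code from this wiki page or from the CoovaChilli project: it reproduces the challenge/response arithmetic of the classic hotspotlogin.cgi login page in Python, so that anyone writing their own HS_UAMSERVICE can see how HS_UAMSECRET, the challenge chilli passes in the redirect, and the user's password combine into the `response=` (CHAP) or `password=` (PAP) parameter of the /logon URL. The challenge, username and password values are constructed test inputs; the handling of PAP passwords longer than 16 bytes (repeating the mask block by block) and the refusal to send a PAP password without a uamsecret are this example's own choices, not documented behaviour.

```python
"""Added example, not code from the Ubuntu wiki page or from the CoovaChilli
project: the challenge/response arithmetic a UAM login page (the server named
by HS_UAMSERVER / HS_UAMSERVICE) performs before sending the browser back to
chilli at HS_UAMLISTEN:HS_UAMPORT.  It follows the scheme of the classic
hotspotlogin.cgi: with HS_UAMSECRET set, the challenge chilli passed in the
redirect is first mixed with the secret, and the password is then either
CHAP-hashed ('response=') or XOR-masked ('password=', PAP) against that value.
Challenge, password and username values used below are constructed inputs."""
import hashlib
from typing import Optional
from urllib.parse import urlencode

UAM_SECRET = "uamsecret"   # HS_UAMSECRET in /etc/chilli/defaults (change it!)
UAM_LISTEN = "10.1.0.1"    # HS_UAMLISTEN
UAM_PORT = 3990            # HS_UAMPORT
BLOCK = 16                 # MD5 digest length; the XOR mask works in this unit


def derive_challenge(challenge_hex: str, uam_secret: Optional[str]) -> bytes:
    """Return the 16-byte value both sides use as the challenge.

    chilli sends its challenge as 32 hex characters in the redirect query
    string.  With a uamsecret the effective challenge is
    MD5(raw_challenge || uamsecret); without one the raw challenge is used.
    """
    raw = bytes.fromhex(challenge_hex)
    if len(raw) != BLOCK:
        raise ValueError("challenge must be 16 bytes (32 hex characters)")
    if uam_secret:
        return hashlib.md5(raw + uam_secret.encode()).digest()
    return raw


def chap_response(password: str, challenge: bytes) -> str:
    """'response=' parameter: hex(MD5(0x00 || password || challenge)).

    chilli forwards this to RADIUS as CHAP-Password/CHAP-Challenge, so the
    RADIUS backend needs the cleartext password on file to verify it.
    """
    return hashlib.md5(b"\x00" + password.encode() + challenge).hexdigest()


def pap_masked_password(password: str, challenge: bytes) -> str:
    """'password=' parameter: password zero-padded to a multiple of 16 bytes
    and XORed with the derived challenge, one 16-byte block at a time.

    For passwords of up to 16 bytes this is the classic script's output;
    repeating the mask over further blocks is this example's assumption for
    longer passwords.  The mask is only as good as the secrecy of
    HS_UAMSECRET and the freshness of the challenge, because the /logon
    request itself travels over plain HTTP on the subscriber LAN.
    """
    pw = password.encode()
    padded = pw + b"\x00" * (-len(pw) % BLOCK)
    masked = bytes(b ^ challenge[i % BLOCK] for i, b in enumerate(padded))
    return masked.hex()


def unmask_pap_password(masked_hex: str, challenge: bytes) -> str:
    """Inverse of pap_masked_password, i.e. what chilli does on receipt
    before putting the password into the RADIUS User-Password attribute."""
    masked = bytes.fromhex(masked_hex)
    plain = bytes(b ^ challenge[i % BLOCK] for i, b in enumerate(masked))
    return plain.rstrip(b"\x00").decode()


def logon_url(username: str, password: str, challenge_hex: str,
              use_pap: bool = False,
              uam_secret: Optional[str] = UAM_SECRET) -> str:
    """Build the redirect the portal issues after the user submits the form.

    PAP is what you need when the RADIUS backend stores hashed (crypt/MD5)
    passwords; this example refuses to send a PAP password without a
    uamsecret, since the XOR mask is the only thing hiding it on the wire.
    """
    chal = derive_challenge(challenge_hex, uam_secret)
    params = {"username": username}
    if use_pap:
        if not uam_secret:
            raise ValueError("PAP without HS_UAMSECRET would expose the password")
        params["password"] = pap_masked_password(password, chal)
    else:
        params["response"] = chap_response(password, chal)
    return "http://%s:%d/logon?%s" % (UAM_LISTEN, UAM_PORT, urlencode(params))


if __name__ == "__main__":
    # Constructed challenge, as chilli would pass it in ?challenge=...
    demo_challenge = "00112233445566778899aabbccddeeff"
    print(logon_url("bob", "hunter2", demo_challenge))
    print(logon_url("bob", "hunter2", demo_challenge, use_pap=True))
```

Whether to use `response=` or `password=` is decided by how FreeRADIUS stores the credentials: the CHAP form only verifies against a cleartext password in the users file or SQL table, while the PAP form lets FreeRADIUS check a hashed one. Either way the UAM secret in this script and HS_UAMSECRET in /etc/chilli/defaults must be identical, or every login fails with a RADIUS reject even though the RADIUS side is fine.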
If chilli logs the error "You need to install haserl to serve pages with this wwwsh script!", the wwwsh wrapper cannot find haserl. Download haserl from http://haserl.sourceforge.net/ and build it (make install writes to /usr/local and needs root):

sudo apt-get install gcc make
tar -xvf haserl-0.8.0.tar.gz
cd haserl-0.8.0/
./configure
make
sudo make install

Then edit /etc/chilli/wwwsh and replace the line

haserl=$(which haserl 2>/dev/null)

with

haserl=/usr/local/bin/haserl

The `which` lookup can fail even with haserl installed because wwwsh is run from chilli's environment, whose PATH need not include /usr/local/bin; the absolute path avoids that. Check with `ls -l /usr/local/bin/haserl` that the binary is really there before restarting chilli.

This is a cut and paste of my /etc/hosts file:

127.0.0.1   localhost
127.0.1.1   ubuntu.WAG325N ubuntu
10.1.0.1    ubuntu.WAG325N ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

This is a cut and paste of my /etc/apache2/ports.conf file:

Listen *:443
Listen *:80

#Listen 80
#
#<IfModule mod_ssl.c>
#    Listen 443
#</IfModule>

This is a cut and paste of my Apache virtual host for the hotspot (a site file, not ports.conf; NameVirtualHost and VirtualHost directives belong in a site file enabled with a2ensite):

NameVirtualHost 10.1.0.1:443
<VirtualHost 10.1.0.1:443>
    ServerAdmin webmaster@domain.org
    DocumentRoot "/var/www/hotspot"
    ServerName "10.1.0.1"

    <Directory "/var/www/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
    <Directory "/usr/share/freeradius-dialupadmin/htdocs/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory "/var/www/cgi-bin/">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/hotspot-error.log
    LogLevel warn
    CustomLog /var/log/apache2/hotspot-access.log combined
    ServerSignature On

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Three things in this virtual host are worth tightening before the hotspot serves real users. The /dialupadmin/ alias with "allow from all" makes the FreeRADIUS dialup_admin interface reachable by every unauthenticated client on the subscriber LAN at https://10.1.0.1/dialupadmin/, so either drop the alias or restrict it to administrator addresses and put authentication in front of it. "Options Indexes" turns on directory listings for /var/www and the dialupadmin tree; remove Indexes. "ServerSignature On" adds the Apache version to error pages; Off is the usual setting. Note also that the certificate in apache.pem has to be issued for 10.1.0.1 (the value of HS_UAMSERVER), since that is the name clients are redirected to; otherwise every client gets a certificate warning on the login page.

Hi All, The .cgi script is ancient and coova now makes use of a JSON interface which is quite complex. If you want to use your own server as an authentication source with PAP passwords you have to create your own HS_UAMSERVICE. You can check out how to do this by navigating to the following link: http://hotcakes.wiki.sourceforge.net Thanks for the initial documentation!

NEW! CoovaChilli Ver. 1.0.14 now supports VLAN. I've installed the new version on an Ubuntu 9.04 server from source. This version also has some more utilities (build configuration on the fly, a tool for monitoring). Unfortunately there are no more detailed instructions (probably it is too new). Great work!

WifiDocs/CoovaChilli (last edited 2011-08-08 12:29:29 by tomdavies04)


Generated by www.PDFonFly.com at 1/19/2012 12:40:44 AM URL: https://help.ubuntu.com/community/WifiDocs/CoovaChilli
