WifiDocsCoovaChilli
Note: This howto is under construction, help appreciated.
This howto has a problem getting the login web page talking to freeradius.

Contents
1. Introduction
2. Requirements
3. Caveats
4. The process
5. Hardware Requirements
6. Software Versions
7. Software Installation
   1. Root
   2. SSH
   3. Repository
   4. Update Ubuntu
   5. Network setup
8. Install Radius server and Database
   1. Testing default file setup
   2. Change authorization to sql
   3. SQL Logging
   4. Add users
9. Install CoovaChilli
   1. CoovaChilli Package Installation
   2. CoovaChilli Source Installation
   3. Basic Configuration
10. Install Firewall
   1. IPtables
11. Apache Server
   1. Create login page
12. SSL
   1. Apache Modules
   2. Set up Apache and SSL
13. Finish
14. Additional Info
15. Optional Features
16. Post Install Troubleshooting
   1. Packet Forwarding
   2. Enable TUN/TAP device driver support
   3. Firewall / Port Forward
17. Authors
18. References
19. Support
20. Comments / log
   1. Thanks

Introduction
CoovaChilli is an open-source software access controller, based on the popular (but now defunct) ChilliSpot project, and is actively maintained by an original ChilliSpot contributor.
CoovaChilli is a feature-rich software access controller that provides a captive portal / walled-garden environment and uses RADIUS for access provisioning and accounting. CoovaChilli is an integral part of the CoovaAP OpenWRT-based firmware, which is specialized for hotspots. For more information on how Coova's Chilli differs from the standard ChilliSpot, see the ChangeLog.

Requirements
This tutorial will show how to run all this software on a single machine. However, you could install Apache, MySQL, and FreeRADIUS on a separate one, or even have 4 different machines: you'll just need to adjust the configuration parameters of each piece of software. Though, the more typical way to run CoovaChilli is on the router itself, using firmware such as OpenWrt (or CoovaAP), vendor SDKs (such as Ubiquiti), or pre-installed in hardware like that used by FON and open-mesh.com.
NOTE: both coovachilli and chillispot don't work with 64bit OS. RADIUS authentication is flawed in those setups.

Caveats
This HOWTO presumes you have an x86 machine with at least two physical network interfaces. Usually, this is an Ethernet WAN interface and a "subscriber" LAN interface that CoovaChilli will control; it can be either an Ethernet or a WiFi interface. In our case, we'll assume two Ethernet interfaces for the WAN (eth0) and LAN (eth1).
The process
CoovaChilli takes control of the internal interface (eth1) using a raw promiscuous socket. It then uses the vtun kernel module to bring up a virtual interface (either a tun or a tap) to pass and receive packets to and from the WAN. In fact the vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that CoovaChilli can function without any non-standard kernel modules. CoovaChilli then provides DHCP, ARP, and HTTP hijacking on the "dhcpif" interface, in our case that's eth0.
A client connecting to this interface is limited to a "walled garden" until authorized. The client is only able to resolve DNS and browse web sites specifically added to the walled garden. Authentication (and authorization) in CoovaChilli typically happens in one of two ways: either MAC-based authentication (using the macauth option in chilli.conf) or the more typical "Universal Access Method" (UAM). This method uses a captive portal that initiates authentication. When a non-authenticated client tries to connect to a web page (on port 80) the request is intercepted by CoovaChilli and redirected to the captive portal. In our case, we'll use a perl script called hotspotlogin.cgi (served by apache over https).
hotspotlogin.cgi serves a page to the end-user with a username and password field. These authentication data are then forwarded to the FreeRADIUS server, which matches them with information in its back-end (using either PAP, CHAP, or MSCHAPv2). The FreeRADIUS back-end in this case is mysql, but it could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably).
A user is then either rejected or authenticated by FreeRADIUS, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.
Hardware Requirements
Any PC with 2 network interfaces.
Generated by www.PDFonFly.com at 1/19/2012 12:40:44 AM
URL: https://help.ubuntu.com/community/WifiDocs/CoovaChilli
Software Versions
This howto has been tested with:
● Ubuntu 9.04 i386 server
● coova-chilli-1.0.13
Software Installation
For this howto we start with an installation of Ubuntu Linux.
The base installation is beyond the scope of this document, but the Ubuntu Website has plenty of documentation on installing
ubuntu from scratch.
Towards the end of the ubuntu server edition install it asks you if you require extra packages. Enable the following:
LAMP
SSH server
DNS Server
Note: When asked for a mysql password, and you want to use the default password for this howto, use:
mysqladminsecret
Of course, for a live chillispot access point you will need to change all passwords to your own.
If you are using a different version or forgot to install the extra packages, you can install them at a later date with the command:
tasksel
Root
To make the installation easier, set a password for the root user; many files can only be changed as root.
Log in as your normal user, then enter:
#sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
#su root
Password:
SSH
So we can cut and paste commands, to make life easier install putty on your windows machine.
Assuming that your ubuntu box is connected to your ADSL router/DHCP server, you will need to find the IP address of your ubuntu box so you can connect with putty:
ip addr
Type in your ip address and connect
Repository
Use the default repository, or a better one if you have it.
Update Ubuntu
sudo apt-get update
sudo apt-get upgrade
Network setup
Set up your network hardware/software.
Interfaces
nano -w /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
Install Radius server and Database
sudo apt-get install freeradius freeradius-mysql
Create a database to store usernames and passwords:
mysql -u root -p
Enter password:mysqladminsecret
mysql> CREATE DATABASE radius;
mysql> quit
Populate the database with the tables created by the makers of freeradius.
Select either
Freeradius 1
zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius
Enter password:mysqladminsecret
or
Freeradius 2
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
mysql -u root -p
Enter password:mysqladminsecret
mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';
mysql> FLUSH PRIVILEGES;
mysql> quit
Tell freeradius where to find the database
nano -w /etc/freeradius/sql.conf
server = "localhost"
login = "radius"
password = "mysqlsecret"
Set FreeRadius server client password
nano -w /etc/freeradius/clients.conf
client 127.0.0.1 {
secret = radiussecret
}
Note: for freeradius 2:
client localhost {
ipaddr = 127.0.0.1
secret = radiussecret
}
Testing default file setup
The default FreeRadius setup authorizes usernames and passwords from a "file" found at /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from "file" to "sql" (mysql).
Add a username and password to our users "file" by editing the "John Doe" entry:
nano -w /etc/freeradius/users
uncomment
"John Doe"
Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"
At this point you need to reboot your ubuntu box
reboot
Check FreeRadius config files.
sudo /etc/init.d/freeradius stop
sudo freeradius -XXX
If all goes well the last line should display
Mon Jun 29 15:24:34 2009 : Debug: Ready to process requests.
Ctrl+C to exit.
Start FreeRadius again
sudo /etc/init.d/freeradius start
Test password authorization to "file"
sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret
If all goes well you should get a reply
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "John Doe"
User-Password = "hello"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37
Reply-Message = "Hello, John Doe"
Change authorization to sql
If the above tests worked we can now change authorization from "file" to "sql":
nano -w /etc/freeradius/radiusd.conf
Change:
files
to
# files
# sql
to
sql
note for freeradius2:
nano -w /etc/freeradius/sites-available/default
Note: You can only use one authorisation method at a time, not both. Therefore "files" section needs to be commented out
otherwise free radius will still try to authorize with /etc/freeradius/users "file" instead of "sql"
SQL Logging
If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql
nano -w /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "mysqlsecret"
radius_db = "radius"
# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes ###change manually
}
nano -w /etc/freeradius/radiusd.conf
$INCLUDE ${confdir}/sql.conf
Note for freeradius 2: the $INCLUDE line above goes in /etc/freeradius/radiusd.conf, while the authorize, authenticate, accounting and session sections below are edited in the default site:
nano -w /etc/freeradius/sites-available/default
authorize {
preprocess
chap
suffix
eap
#files
sql
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
eap
}
accounting {
detail
radutmp
sql ###change manually
}
session {
sql ###change manually
}
Add users
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius
Enter password:mysqlsecret
coovachilli uses the username 'chillispot' with the password 'chillispot' for logging into the radius server by default. Add this user to the radcheck table too.
It is defined in the default config file /etc/chilli/config:
HS_ADMUSR=chillispot
HS_ADMPWD=chillispot
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('chillispot', 'Password', 'chillispot');" | mysql -u radius -p radius
Enter password:mysqlsecret
Restart Radius
sudo /etc/init.d/freeradius restart
Test link
sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret
sudo radtest chillispot chillispot 127.0.0.1 0 radiussecret
If all goes well you should receive an Access-Accept response like this:
Sending Access-Request of id 180 to 127.0.0.1 port 1812
User-Name = "mysqltest"
User-Password = "testsecret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20
Install CoovaChilli
There are two methods of installing coovachilli on ubuntu.
● Package
● Source
Both methods are listed below
CoovaChilli Package Installation
To install the CoovaChilli package, first download it (or the latest version available from http://www.coova.org/CoovaChilli):
sudo wget http://ap.coova.org/chilli/coova-chilli_1.0.13-1_i386.deb
Then install it:
sudo dpkg -i coova-chilli_1.0.13-1_i386.deb
Copy the default configuration files and Apache site configuration:
cp /etc/chilli/defaults /etc/chilli/config
mkdir /var/www/hotspot
cd /var/www/hotspot
cp /etc/chilli/www/* /var/www/hotspot
mkdir /var/www/hotspot/images
cp /var/www/hotspot/coova.jpg /var/www/hotspot/images/
mkdir /var/www/hotspot/uam
cd /var/www/hotspot/uam
wget http://ap.coova.org/uam/
wget http://ap.coova.org/js/chilli.js
Change Host Address
Edit index.html to load chilli.js locally (this example uses 10.1.0.1 as the host IP address):
sed -i 's/ap.coova.org\/js\/chilli.js/10.1.0.1\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html
Edit ChilliLibrary.js to use the correct host IP address (again, example uses 10.1.0.1):
sed -i 's/192.168.182.1/10.1.0.1/g' /etc/chilli/www/ChilliLibrary.js
sed -i 's/192.168.182.1/10.1.0.1/g' /var/www/hotspot/ChilliLibrary.js
To enable coovachilli change START_CHILLI to 1
nano -w /etc/default/chilli
To enable on reboot
START_CHILLI=1
CONFFILE="/etc/chilli.conf"
To enable without a reboot
sudo /etc/init.d/chilli start
CoovaChilli Source Installation
To build from source:
sudo apt-get install build-essential linux-headers-server
wget http://ap.coova.org/chilli/coova-chilli-1.0.13.tar.gz
tar -xzf coova-chilli-1.0.13.tar.gz && cd coova-chilli-1.0.13
./configure
make
sudo make install
Copy the default configuration files and Apache site configuration:
cp /etc/chilli/defaults /etc/chilli/config
mkdir /var/www/hotspot
cd /var/www/hotspot
cp /etc/chilli/www/* /var/www/hotspot
mkdir /var/www/hotspot/uam
cd /var/www/hotspot/uam
wget http://ap.coova.org/uam/
wget http://ap.coova.org/js/chilli.js
Edit index.html to load chilli.js locally (this example uses the default address 192.168.2.1):
sed -i 's/ap.coova.org\/js\/chilli.js/192.168.2.1\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html
The startup script:
cd /etc/init.d/
wget http://dev.coova.org/svn/coova-chilli/debian/coova-chilli.chilli.init
mv chilli chilli.bak && mv coova-chilli.chilli.init chilli && chmod 755 chilli
sed '21,30s/^/# /' chilli > chilli.tmp && mv chilli.tmp chilli && chmod 755 chilli
The last command comments out lines 21 to 30 of the downloaded init script.
Please check the startup file for your own paths, then start chilli with
sudo /etc/init.d/chilli start
To enable our chilli start up script at boot.
update-rc.d chilli defaults
We also need to make our chilli file executable by using the following command.
chmod +x /etc/init.d/chilli
Basic Configuration
See /etc/chilli/defaults file for details on possible configurations. Copy this to a new file called "config" (in the same directory) and
edit the settings. To load the settings and start chilli, run "/etc/init.d/chilli start". This will generate main.conf, local.conf, and
hs.conf files in /etc/chilli/ for you. In order to make changes to the settings at a later date, rerun chilli start.
NOTE: the chilli config file only regenerates main.conf when the service is started through /etc/init.d/chilli, which we are about to configure. When you start chilli in debug mode with "chilli --debug --fg", coovachilli starts with the existing main.conf, so if you change the config file and restart chilli in debug mode nothing changes. You can either edit main.conf directly and test in debug mode, or edit the config file and restart the service.
By default, it is assumed that Ethernet device eth0 is your connection to the Internet and eth1 is the interface you want to have clients (subscribers) on. If this is not the case, change HS_WANIF to your Internet-connected device and HS_LANIF to your WiFi device, for example. With the right devices configured, restart chilli and you are on your way.
nano /etc/chilli/config
Edit the first 63 lines of the file (up to where the HS_UAMSERVICE url is defined) so that they read as follows:
#   -*- /bin/sh -*-
#
#   Coova-Chilli Default Configurations.
#   To customize, copy this file to /etc/chilli/config
#   and edit to your liking. This is included in shell scripts
#   that configure chilli and related programs before file 'config'.
#
HS_WANIF=eth0            # WAN Interface toward the Internet
HS_LANIF=eth1            # Subscriber Interface for client devices
HS_NETWORK=10.1.0.0      # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=10.1.0.1    # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990          # HotSpot Port (on subscriber network)

# Allow some additional local ports (used in the up.sh script when
# setting the firewall for the created tun/tap)
HS_TCP_PORTS="80 443"

# HS_DYNIP=
# HS_DYNIP_MASK=255.255.255.0
# HS_STATIP=
# HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=

# if your interface eth0 for example has the ip 192.168.5.2
# and your router where your internet connection is established has the address
# 192.168.5.1 then you are allowed to access the router from your wlan network 192.168.2.0/24
# so you don't have to define the dns servers below
#
# HS_DNS2=62.72.64.237
# HS_DNS1=192.168.2.1

###
#   HotSpot settings for simple Captive Portal
#
HS_NASID=nas01
HS_UAMSECRET=uamsecret
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
HS_RADSECRET=radiussecret
# please provide here the address for your router too.
# From the example above it has the address 192.168.0.1 (comma separated)
HS_UAMALLOW=10.1.0.0/24,192.168.0.1

# Put entire domains in the walled-garden with DNS inspection
# HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

# Optional initial redirect and RADIUS settings
# HS_SSID=<ssid>            # To send to the captive portal
# HS_NASMAC=<mac address>   # To explicitly set Called-Station-Id
# HS_NASIP=<ip address>     # To explicitly set NAS-IP-Address

# The server to be used in combination with HS_UAMFORMAT to
# create the final chilli 'uamserver' url configuration.
HS_UAMSERVER=10.1.0.1

# Use HS_UAMFORMAT to define the actual captive portal url.
# Shell variable replacement takes place when evaluated, so here
# HS_UAMSERVER is escaped and later replaced by the pre-defined
# HS_UAMSERVER to form the actual "--uamserver" option in chilli.
HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/

# Same principle goes for HS_UAMHOMEPAGE.
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

# This option will be configured to be the WISPr LoginURL as well
# as provide "uamService" to the ChilliController. The UAM Service is
# described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
HS_UAMSERVICE=https://10.1.0.1/cgi-bin/hotspotlogin.cgi
Install Firewall
IPtables
The creators of CoovaChilli have predefined rules for iptables, but their script needs a little help before it works. CoovaChilli's iptables config is done in the /etc/chilli/up.sh script, which runs after the tun interface is up, so that the exact tun interface is known.
Fix up.sh by adding these lines at the very end of the file:
# may not have been populated the first time; run again
[ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null
# force-add the final rule necessary to fix routing tables
iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
/etc/chilli/up.sh calls /etc/chilli/ipup.sh, if it exists. By default, it does not. If you need to run your own commands after the main
iptables configuration is done, create /etc/chilli/ipup.sh and populate it however you like, being sure to make it executable (chmod
+x /etc/chilli/ipup.sh) when done.
In the chilli config above, we set the DNS server to that of the local interface. So, your system should be running a DNS server. In
ubuntu, it's just a matter of:
tasksel
Then select DNS Server and install
Apache Server
Create login page
We need to create a login page. Fortunately the creators of coovachilli have included hotspotlogin.cgi with the source code:
To find this file use this command:
find / | grep 'hotspotlogin.cgi'
In our example the file we require is found in:
/usr/share/doc/coova-chilli/hotspotlogin.cgi.gz
We need to create a directory in our apache web server, copy hotspotlogin.cgi and make it executable.
sudo mkdir -p /var/www/hotspot/cgi-bin
zcat -c /usr/share/doc/coova-chilli/hotspotlogin.cgi.gz | sudo tee /var/www/hotspot/cgi-bin/hotspotlogin.cgi
sudo chmod a+x /var/www/hotspot/cgi-bin/hotspotlogin.cgi
Edit the login script:
nano -w /var/www/hotspot/cgi-bin/hotspotlogin.cgi
Uncomment and change the password:
$uamsecret = "uamsecret";
$userpassword=1;
If you want to edit the page later, don't use print "HTML code"; use a here-document instead:
print <<ENDHTML;
your
HTML code here
ENDHTML
this way you don't need to escape the double quotes.
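The two settings just uncommented decide how hotspotlogin.cgi hands the password on, and the process section above describes the flow only in words. The following Python is an added example (not part of this howto, of CoovaChilli, or of hotspotlogin.cgi) that reproduces, to my reading of the ChilliSpot hotspotlogin.cgi script, what the portal computes before it submits the form back to chilli: the challenge chilli puts in the redirect URL is replaced by MD5(challenge || $uamsecret), then the password is either hashed into a CHAP response or, with $userpassword=1, XOR-masked with that 16-byte value (PAP). Treat the exact formulas as an assumption to check against your copy of the script; the challenge and password values are constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the howto): the 32-hex-digit challenge
# chilli would put in its redirect URL, and the uamsecret shared by chilli and
# the portal script ($uamsecret in hotspotlogin.cgi, HS_UAMSECRET in the config).
SAMPLE_CHALLENGE = "0123456789abcdef0123456789abcdef"
SAMPLE_UAMSECRET = "uamsecret"


def uam_challenge(challenge_hex, uamsecret=None):
    """Return the 16-byte challenge the portal actually uses.

    When a uamsecret is configured, the portal replaces chilli's challenge with
    MD5(challenge || uamsecret); chilli performs the same replacement, so only a
    portal that knows the shared secret can produce a response chilli accepts.
    Without a uamsecret the raw challenge is used as-is.
    """
    raw = bytes.fromhex(challenge_hex)
    if not uamsecret:
        return raw
    return hashlib.md5(raw + uamsecret.encode()).digest()


def chap_response(challenge_hex, password, uamsecret=None):
    """CHAP response as the portal sends it: MD5(0x00 || password || challenge), hex."""
    chal = uam_challenge(challenge_hex, uamsecret)
    return hashlib.md5(b"\x00" + password.encode() + chal).hexdigest()


def verify_chap(challenge_hex, response_hex, password, uamsecret=None):
    """The check RADIUS effectively performs against the stored cleartext password."""
    expected = chap_response(challenge_hex, password, uamsecret)
    return hmac.compare_digest(expected, response_hex)  # constant-time comparison


def pap_password(challenge_hex, password, uamsecret=None):
    """PAP mode ($userpassword=1): password XOR challenge, hex-encoded.

    The XOR covers one challenge length (16 bytes): the password is NUL-padded
    to that size and anything beyond 16 characters is simply not transmitted.
    """
    chal = uam_challenge(challenge_hex, uamsecret)
    padded = password.encode().ljust(len(chal), b"\x00")[: len(chal)]
    return bytes(p ^ c for p, c in zip(padded, chal)).hex()


def pap_decrypt(challenge_hex, pappassword_hex, uamsecret=None):
    """chilli's side of PAP mode: undo the XOR and strip the NUL padding."""
    chal = uam_challenge(challenge_hex, uamsecret)
    enc = bytes.fromhex(pappassword_hex)
    return bytes(e ^ c for e, c in zip(enc, chal)).rstrip(b"\x00").decode("utf-8", "replace")


if __name__ == "__main__":
    pw = "testsecret"
    resp = chap_response(SAMPLE_CHALLENGE, pw, SAMPLE_UAMSECRET)
    print("CHAP response:            ", resp)
    print("verifies, matching secret:", verify_chap(SAMPLE_CHALLENGE, resp, pw, SAMPLE_UAMSECRET))
    print("verifies, other secret:   ", verify_chap(SAMPLE_CHALLENGE, resp, pw, "other"))
    enc = pap_password(SAMPLE_CHALLENGE, pw, SAMPLE_UAMSECRET)
    print("PAP encoded:", enc, "->", pap_decrypt(SAMPLE_CHALLENGE, enc, SAMPLE_UAMSECRET))
```

Two practical consequences follow from the arithmetic. A mismatch between $uamsecret here and HS_UAMSECRET in /etc/chilli/config makes every login fail even though FreeRADIUS would accept the credentials, which is worth remembering when debugging the "login page not talking to freeradius" problem noted at the top of this page. And in PAP mode the password is only masked with an MD5-derived value, not encrypted, so the https:// in HS_UAMSERVICE is what protects it on the wire.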
SSL
Apache Modules
To install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:
sudo apt-get install libapache2-mod-auth-mysql
Once you install the module, it will be available in the /etc/apache2/mods-available directory. You can use the a2enmod command to enable a module and the a2dismod command to disable one. Once you enable the module, it will be available in the /etc/apache2/mods-enabled directory.
Set up Apache and SSL
Make sure the LAMP server is installed; if not, use the following command:
tasksel
Create a Certificate
sudo apt-get install ssl-cert
sudo mkdir /etc/apache2/ssl
We need to find our host name for our cert
hostname -f
Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
(Answer questions)
Note: the "Host Name" must be filled out correctly. It is the host name of the server the certificate is for (commonName) and must be filled in. Use the host name as given by hostname -f:
host.name #change to your host name
Install Module
The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your
browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator
(URL) in the browser navigation bar.
sudo a2enmod ssl
/etc/init.d/apache2 force-reload
Create virtualhost
Create a virtualhost file so it looks something like this:
sudo nano -w /etc/apache2/sites-available/hotspot
NameVirtualHost 10.1.0.1:443
<VirtualHost 10.1.0.1:443>
ServerAdmin webmaster@domain.org
DocumentRoot "/var/www/hotspot"
ServerName "10.1.0.1"
<Directory "/var/www/hotspot/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
<Directory "/usr/share/freeradius-dialupadmin/htdocs/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# this is an alias with no "hotspot" in the URL path (Apache does not allow a comment after a directive, so keep it on its own line)
ScriptAlias /cgi-bin/ /var/www/hotspot/cgi-bin/
<Directory "/var/www/hotspot/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/hotspot-error.log
LogLevel warn
CustomLog /var/log/apache2/hotspot-access.log combined
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
Enable SSL virtualhost
sudo a2ensite hotspot
/etc/init.d/apache2 reload
Listen Ports
HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:
nano -w /etc/apache2/ports.conf
Listen *:443
Listen *:80
#<IfModule mod_ssl.c>
# Listen 443
#</IfModule>
Don't forget to modify the default site as well:
sudo nano -w /etc/apache2/sites-available/default
NameVirtualHost *:80
<virtualhost *:80>
Server Root
nano -w /etc/apache2/apache2.conf
add
ServerName 10.1.0.1
Edit host file
nano -w /etc/hosts
10.1.0.1 host.name host #change to your host name
Restart Apache server
sudo /etc/init.d/apache2 restart
Your web browser should now be able to reach the pages
https://10.1.0.1/cgi-bin/hotspotlogin.cgi
and
http://10.1.0.1:3990/
Finish
Reboot your computer and everything should work. (Does that really need a reboot? Probably not, but let's restart anyway:)
reboot
Additional Info
COOVA-CHILLI FILES
/etc/chilli.conf
The main chilli configuration file.
/etc/chilli/defaults
Default configurations used by the chilli init.d and functions scripts.
/etc/chilli/config
Location specific configurations used by chilli init.d and functions scripts. Copy the defaults file mentioned above and edit.
/etc/chilli/functions
Helps configure chilli by loading the above configurations, sets some defaults, and provides functions for writing main.conf, hs.conf, and local.conf based on local and possibly centralized configurations. See chilli.conf(5)
/etc/init.d/chilli
The init.d file for chilli which defaults to using the above configurations to build a set of configurations files in the /etc/chilli
directory - taking local configurations and optionally centralized configurations from RADIUS or a URL. See chilli.conf(5)
/var/run/chilli.sock
UNIX socket used for daemon communication.
/var/run/chilli.pid
Process ID file.
/etc/chilli/www/
The typical location of local content served up by chilli using a minimal web server.
SIGNALS
Sending HUP to chilli will cause the configuration file to be reread and DNS lookups to be performed.
The configuration options are not affected by sending HUP: fg, conf, pidfile, statedir, net, dynip, statip, uamlisten, uamport,
radiuslisten, coaport, coanoipcheck, proxylisten, proxyport, proxyclient, proxysecret, dhcpif, dhcpmac, lease, or eapolenable
The above configuration options can only be changed by restarting the daemon.
Optional Features
extra authentication parameters
you can add a column to the radcheck table for example: is the user account still valid? with this command:
alter table radcheck add column `Valid` tinyint(1) default 0 not null;
Then in /etc/freeradius/sql.conf change the variable authorize_check_query by adding "and Valid = 1" after "where username = '%{SQL-User-Name}'".
Later you can use the Valid column for other purposes, for example email authorization.
xml service for the freeradius database
This cgi bash script is experimental: it analyses an xml file and inserts the parsed data into a mysql database. It is used for inserting a new user into the radcheck table or for modifying a freeradius user, in combination with coovachilli.
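The "Add users" section above inserts rows with an echo "INSERT ..." shell pipeline, and the Valid column just described changes what authorize_check_query returns. The following Python is an added example, not part of this howto or of FreeRADIUS, that models both on an in-memory SQLite stand-in for the MySQL radius database: a radcheck table shaped like FreeRADIUS's (plus the Valid column from the alter table above), parameterised inserts in place of the quoted shell string, the modified check query with %{SQL-User-Name} replaced by a bind parameter, and a simplified version of the password comparison FreeRADIUS makes with the rows it gets back. SQLite uses ? placeholders where MySQL uses %s, and all usernames and passwords are constructed.

```python
import sqlite3

# radcheck as FreeRADIUS's schema defines it (column names as used in the howto).
RADCHECK_DDL = """
CREATE TABLE radcheck (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  UserName  VARCHAR(64)  NOT NULL DEFAULT '',
  Attribute VARCHAR(32)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL DEFAULT ''
)"""

# The extra column from the "extra authentication parameters" section, as written there.
ADD_VALID_COLUMN = "ALTER TABLE radcheck ADD COLUMN `Valid` tinyint(1) DEFAULT 0 NOT NULL"

# authorize_check_query with the added condition; the ? stands in for %{SQL-User-Name}.
AUTHORIZE_CHECK_QUERY = """
SELECT id, UserName, Attribute, Value, op FROM radcheck
 WHERE UserName = ? AND Valid = 1
 ORDER BY id"""


def open_radius_db():
    """In-memory stand-in for the MySQL 'radius' database (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(RADCHECK_DDL)
    db.execute(ADD_VALID_COLUMN)
    return db


def add_user(db, username, password, valid=True):
    """Parameterised equivalent of the echo "INSERT INTO radcheck ..." pipeline above:
    a quote in the username or password cannot break out of the statement."""
    db.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value, Valid) VALUES (?, ?, '==', ?, ?)",
        (username, "Password", password, 1 if valid else 0),
    )
    db.commit()


def set_valid(db, username, valid):
    """Enable or disable an account without deleting it; returns the rows changed."""
    cur = db.execute("UPDATE radcheck SET Valid = ? WHERE UserName = ?",
                     (1 if valid else 0, username))
    db.commit()
    return cur.rowcount


def authorize_check(db, username):
    """Rows FreeRADIUS would receive for this user from the modified check query."""
    return db.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()


def would_authorize(db, username, password):
    """Simplified PAP decision: accept only if a Password check item exists and matches.
    (FreeRADIUS also honours the op column and other check attributes; ignored here.)"""
    return any(attr == "Password" and val == password
               for _, _, attr, val, _ in authorize_check(db, username))


if __name__ == "__main__":
    db = open_radius_db()
    add_user(db, "mysqltest", "testsecret")
    add_user(db, "chillispot", "chillispot")
    add_user(db, "expired", "oldpw", valid=False)
    for user, pw in [("mysqltest", "testsecret"), ("mysqltest", "wrong"), ("expired", "oldpw")]:
        print("%-10s %-10s -> %s" % (user, pw, "Access-Accept" if would_authorize(db, user, pw) else "Access-Reject"))
    set_valid(db, "expired", True)
    print("after re-enabling: expired ->", would_authorize(db, "expired", "oldpw"))
```

FreeRADIUS itself does not bind parameters; it substitutes %{SQL-User-Name} into the query text and relies on the safe-characters escaping in sql.conf, which is one more reason to keep the radius MySQL account limited to the radius database as the GRANT above does.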
Post Install Troubleshooting
When coovachilli is started it automatically installs required modules and network access. Use the following commands to check:
Packet Forwarding
Test the current setting of the kernel:
cat /proc/sys/net/ipv4/ip_forward
Manual Install
Immediately allow the forwarding of packets. The configuration is not preserved on reboot but sets a flag in the kernel itself.
echo 1 > /proc/sys/net/ipv4/ip_forward
Enable TUN/TAP device driver support
Test the current setting of the kernel:
lsmod
Look for the module tun
The TUN/TAP driver is required for proper operation of the chilli server. Linux kernels later than 2.4.7 already include the driver, but it may need to be loaded manually with modprobe tun, or automatically by adding tun to the /etc/modules configuration file.
Manual Install
sudo modprobe tun
Firewall / Port Forward
On start up coovachilli runs a firewall script defining rules. Rules are as follows:
# Generated by iptables-save v1.3.8 on Sun Aug 10 14:59:34 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:530]
:OUTPUT ACCEPT [1:530]
COMMIT
# Completed on Sun Aug 10 14:59:34 2008
# Generated by iptables-save v1.3.8 on Sun Aug 10 14:59:34 2008
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:530]
:POSTROUTING ACCEPT [1:530]
COMMIT
# Completed on Sun Aug 10 14:59:34 2008
# Generated by iptables-save v1.3.8 on Sun Aug 10 14:59:34 2008
*filter
:INPUT ACCEPT [181:23233]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [148:77128]
-A INPUT -d 192.168.2.1 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 192.168.2.1 -i tun0 -p tcp -m tcp --dport 3991 -j ACCEPT
-A INPUT -d 255.255.255.255 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.2.1 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 192.168.2.1 -i tun0 -j DROP
-A INPUT -i tun0 -j DROP
-A FORWARD -i tun0 -o ! eth0 -j DROP
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP
COMMIT
# Completed on Sun Aug 10 14:59:34 2008
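The filter rules above are what keeps an unauthenticated client on tun0 confined to chilli itself: only the UAM port (3990), the second chilli port (3991), DHCP and DNS on the gateway address are accepted, everything else from tun0 is dropped, and the FORWARD chain refuses to forward subscriber traffic anywhere but out through the WAN interface. The following Python is an added example, not part of this howto or of CoovaChilli, that parses those iptables-save lines and evaluates a few packets against them first-match-wins, so you can confirm what the walled garden permits before connecting a real client. It models only the match options this ruleset uses (-s, -d, -i, -o, -p, --dport); -m extensions and connection state are skipped, and the rule text is a constructed copy of the *filter table above. Note that chilli additionally decides in user space which client packets are placed on tun0 at all, which is why the FORWARD chain can accept tun0 traffic wholesale.

```python
import ipaddress

# Constructed copy of the *filter table rules from the iptables-save output above,
# embedded so the check runs without a running chilli.
FILTER_RULES = """\
-A INPUT -d 192.168.2.1 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 192.168.2.1 -i tun0 -p tcp -m tcp --dport 3991 -j ACCEPT
-A INPUT -d 255.255.255.255 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.2.1 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 192.168.2.1 -i tun0 -j DROP
-A INPUT -i tun0 -j DROP
-A FORWARD -i tun0 -o ! eth0 -j DROP
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP
"""

# The only match options this ruleset uses; anything else (e.g. "-m tcp") is skipped.
OPTS = {"-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if", "-p": "proto", "--dport": "dport"}


def parse_rules(text):
    """Turn iptables-save '-A' lines into dicts: chain, target and (negated, value) matches."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "target": None, "match": {}}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif tok in OPTS:
                negated, value = False, toks[i + 1]
                if value == "!":            # old-style negation as in "-o ! eth0"
                    negated, value = True, toks[i + 2]
                    i += 1
                rule["match"][OPTS[tok]] = (negated, value)
                i += 2
            else:                           # "-m tcp" and the like: option plus argument
                i += 2
        rules.append(rule)
    return rules


def _rule_matches(rule, pkt):
    """pkt is a dict with any of src, dst, in_if, out_if, proto, dport."""
    for key, (negated, value) in rule["match"].items():
        have = pkt.get(key)
        if have is None:
            hit = False
        elif key in ("src", "dst"):
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(value, strict=False)
        elif key == "dport":
            lo, _, hi = value.partition(":")    # single port or "67:68" range
            hit = int(lo) <= int(have) <= int(hi or lo)
        else:
            hit = have == value
        if hit == negated:  # a plain match that failed, or a negated match that succeeded
            return False
    return True


def verdict(rules, chain, pkt, policy="ACCEPT"):
    """First matching rule wins; the chain policy (ACCEPT in the dump above) applies otherwise."""
    for rule in rules:
        if rule["chain"] == chain and _rule_matches(rule, pkt):
            return rule["target"]
    return policy


if __name__ == "__main__":
    rules = parse_rules(FILTER_RULES)
    cases = [
        ("client -> gateway, chilli UAM port 3990", "INPUT", dict(dst="192.168.2.1", in_if="tun0", proto="tcp", dport=3990)),
        ("client -> gateway, ssh port 22", "INPUT", dict(dst="192.168.2.1", in_if="tun0", proto="tcp", dport=22)),
        ("client -> gateway, DNS", "INPUT", dict(dst="192.168.2.1", in_if="tun0", proto="udp", dport=53)),
        ("client -> WAN (forwarded)", "FORWARD", dict(in_if="tun0", out_if="eth0")),
        ("client -> raw subscriber interface", "FORWARD", dict(in_if="tun0", out_if="eth1")),
    ]
    for desc, chain, pkt in cases:
        print("%-40s %s" % (desc, verdict(rules, chain, pkt)))
```

To check a live box, feed it the real output with `parse_rules(subprocess.check_output(["iptables-save"]).decode())` and query the packets you care about; the INPUT chain's final "-i tun0 -j DROP" is the line to look for if a client can suddenly reach services on the gateway that it should not.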
Authors
● Nils/agathon
References
● CoovaChilli with VMWare
● Ubuntu Startup Script
● SED command
Support
● coova wiki
● coova forum
● IRC irc.freenode.net:#coova
Comments / log
Thanks
All contributors
hey fressco, you have to access the loginpage from a client in your network not from the server machine. you don't have to enter the loginpage manually on the client machine, it points you there automatically. when you get a right ip from the coovachilli virtual dhcp like 10.1.0.2 then everything with the above config should work. coovachilli will point you to "https://10.1.0.1/cgi-bin/hotspotlogin.cgi". if you always get a not found error then see the uam_homepage or uam_server in the config.
what exactly is the problem or how far could you go with your current system?
Hi Nils
I've just done a fresh Ubuntu 8.04 server install. I've followed the install instructions above. I've removed the hotspot directory e.g. /var/www/hotspot/cgi-bin/ to /var/www/cgi-bin/ in all places listed. I've connected a client machine to eth1 which receives the IP address of 10.1.0.2 and default gateway of 10.1.0.1. I load firefox and I receive an error of Address Not Found.
I think there is something wrong with the apache setup?
On the client machine I manually enter the url of https://10.1.0.1/cgi-bin/hotspotlogin.cgi and I get the error Network Timeout
This is a cut and paste of my /etc/chilli/config file
# -*- /bin/sh -*-
#
#   Coova-Chilli Default Configurations.
#   To customize, copy this file to /etc/chilli/config
#   and edit to your liking. This is included in shell scripts
#   that configure chilli and related programs before file 'config'.

###
#   Local Network Configurations
#
HS_WANIF=eth0            # WAN Interface toward the Internet
HS_LANIF=eth1            # Subscriber Interface for client devices
HS_NETWORK=10.1.0.0      # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=10.1.0.1    # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990          # HotSpot Port (on subscriber network)

# HS_DYNIP=
# HS_DYNIP_MASK=255.255.255.0

# HS_STATIP=
# HS_STATIP_MASK=255.255.255.0

# HS_DNS_DOMAIN=

# HS_DNS1=
# HS_DNS2=

###
#   HotSpot settings for simple Captive Portal
#
HS_NASID=nas01
HS_UAMSECRET=uamsecret
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
HS_RADSECRET=radiussecret
HS_UAMALLOW=10.1.0.0/24,192.168.0.1,www.google.co.nz

# Put entire domains in the walled-garden with DNS inspection
# HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

# Optional initial redirect and RADIUS settings
# HS_SSID=<ssid>          # To send to the captive portal
# HS_NASMAC=<mac address> # To explicitly set Called-Station-Id
# HS_NASIP=<ip address>   # To explicitly set NAS-IP-Address

# The server to be used in combination with HS_UAMFORMAT to
# create the final chilli 'uamserver' url configuration.
HS_UAMSERVER=10.1.0.1

# Use HS_UAMFORMAT to define the actual captive portal url.
# Shell variable replacement takes place when evaluated, so here
# HS_UAMSERVER is escaped and later replaced by the pre-defined
# HS_UAMSERVER to form the actual "--uamserver" option in chilli.
HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/

# Same principle goes for HS_UAMHOMEPAGE.
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

# This option will be configured to be the WISPr LoginURL as well
# as provide "uamService" to the ChilliController. The UAM Service is
# described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
#
HS_UAMSERVICE=https://10.1.0.1/cgi-bin/hotspotlogin.cgi

###
#   Features not activated per-default (default to off)
#
# HS_RADCONF=off          # Get some configurations from RADIUS or a URL ('on' and 'url' respectively)
#
# HS_ANYIP=on             # Allow any IP address on subscriber LAN
#
# HS_MACAUTH=on           # To turn on MAC Authentication
#
# HS_MACAUTHDENY=on       # Put client in 'drop' state on MAC Auth Access-Reject
#
# HS_MACAUTHMODE=local    # To allow MAC Authentication based on macallowed, not RADIUS
#
# HS_MACALLOWED=""        # List of MAC addresses to authenticate (comma separated)
#
# HS_USELOCALUSERS=on     # To use the /etc/chilli/localusers file
#
# HS_OPENIDAUTH=on        # To inform the RADIUS server to allow OpenID Auth
#
# HS_WPAGUESTS=on         # To inform the RADIUS server to allow WPA Guests
#
# HS_DNSPARANOIA=on       # To drop DNS packets containing something other
#                         # than A, CNAME, SOA, or MX records
#
# HS_OPENIDAUTH=on        # To inform the RADIUS server to allow OpenID Auth
#                         # Will also configure the embedded login forms for OpenID
#
# HS_USE_MAP=on           # Short hand for allowing the required google
#                         # sites to use Google maps (adds many google sites!)
#
###
#   Other feature settings and their defaults
#
# HS_DEFSESSIONTIMEOUT=0     # Default session-timeout if not defined by RADIUS (0 for unlimited)
#
# HS_DEFIDLETIMEOUT=0        # Default idle-timeout if not defined by RADIUS (0 for unlimited)
#
# HS_DEFBANDWIDTHMAXDOWN=0   # Default WISPr-Bandwidth-Max-Down if not defined by RADIUS (0 for unlimited)
#
# HS_DEFBANDWIDTHMAXUP=0     # Default WISPr-Bandwidth-Max-Up if not defined by RADIUS (0 for unlimited)

###
#   Centralized configuration options examples
#
# HS_RADCONF=url                       # requires curl
# HS_RADCONF_URL=https://coova.org/app/ap/config

# HS_RADCONF=on                        # gather the ChilliSpot-Config attributes in
#                                      # Administrative-User login
# HS_RADCONF_SERVER=rad01.coova.org    # RADIUS Server
# HS_RADCONF_SECRET=coova-anonymous    # RADIUS Shared Secret
# HS_RADCONF_AUTHPORT=1812             # Auth port
# HS_RADCONF_USER=chillispot           # Username
# HS_RADCONF_PWD=chillispot            # Password

###
#   Standard configurations
#
HS_MODE=hotspot
HS_TYPE=chillispot
# HS_RADAUTH=1812
# HS_RADACCT=1813
# HS_ADMUSR=chillispot
# HS_ADMPWD=chillispot

###
#   Post-Auth proxy settings
#
# HS_POSTAUTH_PROXY=<host or ip>
# HS_POSTAUTH_PROXYPORT=<port>

# Directory specifying where internal web pages can be served
# by chilli with url /www/<file name>. Only extensions like .html
# .jpg, .gif, .png, .js are allowed. See below for using .chi as a
# CGI extension.
HS_WWWDIR=/etc/chilli/www

# Using this option assumes 'haserl' is installed per-default,
# but any CGI type program can be run from wwwsh to process requests
# to chilli with url /www/filename.chi
HS_WWWBIN=/etc/chilli/wwwsh

# Some configurations used in certain user interfaces
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://www.coova.org/

###
#   WISPr RADIUS Attribute support
#
HS_LOC_NAME="My HotSpot"        # WISPr Location Name and used in portal

# WISPr settings (to form a proper WISPr-Location-Id)
# HS_LOC_NETWORK="My Network"   # Network name
# HS_LOC_AC=408                 # Phone area code
# HS_LOC_CC=1                   # Phone country code
# HS_LOC_ISOCC=US               # ISO Country code

If you get the error "You need to install haserl to serve pages with this wwwsh script!", wwwsh cannot find haserl. Download haserl from http://haserl.sourceforge.net/ and build it:
sudo apt-get install gcc
tar -xvf haserl-0.8.0.tar.gz
cd haserl-0.8.0/
./configure
make
sudo make install
Then edit the /etc/chilli/wwwsh file and replace the line
haserl=$(which haserl 2>/dev/null)
with
haserl=/usr/local/bin/haserl
This is a cut and paste of my /etc/hosts file
127.0.0.1       localhost
127.0.1.1       ubuntu.WAG325N ubuntu
10.1.0.1        ubuntu.WAG325N ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
This is a cut and paste of my /etc/apache2/ports.conf file
Listen *:443
Listen *:80
#Listen 80
#
#<IfModule mod_ssl.c>
# Listen 443
#</IfModule>
This is a cut and paste of my /etc/apache2/ports.conf file
NameVirtualHost 10.1.0.1:443
<VirtualHost 10.1.0.1:443>
ServerAdmin webmaster@domain.org
DocumentRoot "/var/www/hotspot"
ServerName "10.1.0.1"
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
<Directory "/usr/share/freeradius-dialupadmin/htdocs/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/hotspot-error.log
LogLevel warn
CustomLog /var/log/apache2/hotspot-access.log combined
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
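The /etc/chilli/config posted above keeps the placeholder shared secrets HS_UAMSECRET=uamsecret and HS_RADSECRET=radiussecret, puts 192.168.0.1 (an address outside the 10.1.0.0/24 hotspot subnet, typically the upstream router) into the walled garden, and relies on HS_UAMLISTEN sitting inside HS_NETWORK as the defaults file demands. The checker below is an added example, not part of CoovaChilli or of the original page: it reads such a file with sed (never sourcing it) and reports those conditions. The HS_* names are the ones in the posted file; the two constructed sample configs, the 16-character minimum for secrets and the placeholder list (uamsecret, radiussecret, change-me, testing123) are assumptions of the example.

```shell
#!/bin/sh
# check_chilli_config.sh: sanity and security checks for a CoovaChilli /etc/chilli/config
# (the HS_* file posted above). Added example, not part of CoovaChilli. Values are
# extracted with sed, never sourced, so the checker does not execute the file it inspects.

# hs_get FILE VAR: value of the last active VAR= line, minus quotes and trailing "# comment".
hs_get() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 \
        | sed 's/^["'\'']//; s/["'\'']*[[:space:]]*$//'
}
# ip2int A.B.C.D: dotted quad to an integer for mask arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# in_subnet IP NET MASK: true when IP lies inside NET/MASK.
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ] && return 0
    return 1
}
# is_rfc1918 IP: true for 10/8, 172.16/12 and 192.168/16.
is_rfc1918() {
    case "$1" in 10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;; esac
    return 1
}

# check_chilli_config FILE: print one line per finding; exit status 1 if there were any.
check_chilli_config() {
    f=$1; n=0; net=$(hs_get "$f" HS_NETWORK); mask=$(hs_get "$f" HS_NETMASK)
    listen=$(hs_get "$f" HS_UAMLISTEN)

    # 1. The defaults file says HS_NETWORK "must include HS_UAMLISTEN".
    if [ -n "$net" ] && [ -n "$mask" ] && [ -n "$listen" ] && ! in_subnet "$listen" "$net" "$mask"; then
        echo "FAIL HS_UAMLISTEN $listen is outside HS_NETWORK $net/$mask"; n=$((n + 1))
    fi
    # 2. Shared secrets: empty, a placeholder copied from examples or defaults, or short.
    for var in HS_UAMSECRET HS_RADSECRET; do
        v=$(hs_get "$f" "$var")
        case "$v" in
            ''|uamsecret|radiussecret|change-me|testing123)
                echo "FAIL $var is empty or a well-known placeholder ('$v')"; n=$((n + 1)) ;;
            *) if [ "${#v}" -lt 16 ]; then
                   echo "WARN $var is shorter than 16 characters"; n=$((n + 1))
               fi ;;
        esac
    done
    # 3. The portal URLs carry the user's credentials; require https.
    for var in HS_UAMFORMAT HS_UAMSERVICE; do
        v=$(hs_get "$f" "$var")
        case "$v" in
            ''|https://*) ;;
            *) echo "FAIL $var is not https: $v"; n=$((n + 1)) ;;
        esac
    done
    # 4. Private walled-garden addresses outside the hotspot subnet (e.g. an upstream
    #    router's admin interface) are reachable by clients that have not logged in.
    for entry in $(hs_get "$f" HS_UAMALLOW | tr ',' ' '); do
        host=${entry%%/*}
        case "$host" in *[!0-9.]*) continue ;; esac   # a DNS name, not an address
        if [ -n "$net" ] && [ -n "$mask" ] && is_rfc1918 "$host" \
                && ! in_subnet "$host" "$net" "$mask"; then
            echo "WARN HS_UAMALLOW exposes private address $entry before login"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ] && return 0
    return 1
}

# write_sample_config FILE weak|fixed: constructed samples modelled on the posted file.
write_sample_config() {
    if [ "$2" = weak ]; then cat > "$1" <<'EOF'
HS_NETWORK=10.1.0.0      # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.1.0.1
HS_UAMSECRET=uamsecret
HS_RADSECRET=radiussecret
HS_UAMALLOW=10.1.0.0/24,192.168.0.1,www.google.co.nz
HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/
EOF
    else cat > "$1" <<'EOF'
HS_NETWORK=10.1.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.1.0.1
HS_UAMSECRET=Qm7x2pLw9vRt4sNz8kYc   # constructed 20-character example
HS_RADSECRET=Hf3gJ8mZq1Wd6bXv0TpK
HS_UAMALLOW=10.1.0.0/24,www.google.co.nz
EOF
    fi
}

# Demo: the weak sample yields three findings, the corrected one none.
tmp=$(mktemp)
write_sample_config "$tmp" weak;  echo "== weak ==";  check_chilli_config "$tmp" || true
write_sample_config "$tmp" fixed; echo "== fixed =="; check_chilli_config "$tmp" && echo "no findings"
rm -f "$tmp"
```

Run it with sh check_chilli_config.sh to see the demo, or call check_chilli_config /etc/chilli/config against a live file. The checker cannot tell whether the URL in HS_UAMFORMAT is actually served by Apache: the posted file redirects clients to https://10.1.0.1/uam/, while the virtual host above maps /cgi-bin/ and /dialupadmin/ and serves everything else from /var/www/hotspot, so whether a uam/ directory exists there is worth verifying by hand alongside the uam_server/uam_homepage hint in the reply above.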
Hi All,
The .cgi script is ancient and Coova now makes use of a JSON interface, which is quite complex. If you want to use your own server
as an authentication source with PAP passwords, you have to create your own HS_UAMSERVICE.
You can check out how to do this by navigating to the following link: http://hotcakes.wiki.sourceforge.net
Thanks for the initial documentation!
NEW!
CoovaChilli Ver. 1.0.14 now supports VLAN. I've installed the new version on an Ubuntu 9.04 server from source. This version also has some more utilities (build configuration on the fly, a tool for monitoring). Unfortunately there are no more detailed instructions yet (probably it is too new). Great work!
CategoryWireless
WifiDocs/CoovaChilli (last edited 2011-08-08 12:29:29 by tomdavies04)
The material on this wiki is available under a free license, see Copyright / License for details