Embed Size (px)
Citation preview
WifiDocsChillispotHotspot8.04
Introduction
Note: This howto has been tested and works for Ubuntu 8.04 Hardy Heron server editions for other vesions of ubuntu see WifiDocs/ChillispotHotspot
Chillispot is software which provides authentication and restricted network access to clients. Its primary use is in wireless (WiFi) networks.
For instance, suppose you are managing a wireless network in a hotel: the access points are connected via the wired LAN to a server which works as a gateway, firewall, DNS server, etc. Now you want the same server (either because it's desirable or because it's required by your nation's law) to require authentication from all clients, possibly without messing around with the configuration of the access points. And maybe you even want users to be able to browse some sites (i.e. an internal web server or the hotel web site) without the need to authenticate themselves. Chillispot lets you manage all of this, and some more.
Please take a look at the Chillispot.info web site to see how the software works. In a few words, hillispot creates a virtual private network (192.168.182.0/24, but you can change this default setting) which it uses to dialogate with the clients and to decide who and how to let to see the outside network. Chillispot manages the allocation of dynamic IP addresses to clients, so you don't need other DHCP tools.
As of mid 2007, ChilliSpot appears to be dead. The developer Jens Jacobsen had vanished, and the chillispot.org domain lapsed, but chillispot.info is a copy (with ads inserted) of the original site. CoovaChilli has forked from ChilliSpot 1.0 and its development also continues with an active user-base.
Requirements
The following software is required for this installation:
Chillispot FreeRadius
Apache MySQL
Apache 1.x and MySql 4.0.x or even 3.23.x would probably do, but the above specified versions are the latest stable ones available so you're encouraged to stick to them.
This tutorial will show how to run all this software on a single machine. However, you could install Apache and MySQL on a separate one, or even have 4 different machines: you'll just need to adjust the configuration parameters of each piece of software.
Also, you'll need your kernel configured for generic tunneling support. A 2.6.x kernel version is recommended.
Caveats
This HOWTO presumes you have an x86 machine. This is not going to work on AMD64, because both Chillispot and FreeRadius have bugs which prevent them to work as they should. I don't know the status of these softwares on other platforms.
The proccess
Chillispot takes control of the internal interface (eth1) using a vtun kernel module to bring up a virtual interface (tun0). In fact thr vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that chillispot can function without any non-standard kernel modules. Chillispot then sets up a DHCP server (this can be disabled from the chillispot conf file) on the tun0 interface.
A client connecting to this interface has all packets rejected until it is authorized though the chillispot login page (acting as a supplicant for authentication). When a non-authenticated client tries to connect to a web-page (on port 80 or 443) the request is intercepted by chilli and redirected to a perl-script called hotspotlogin.cgi (served by apache over https).
hotspotlogin.cgi serves a page to the end-user with a username and password field. These authentication data are then forwarded to the freeradius server, which matches them with information in it’s backend (using either PAP or CHAP). The backend in this case is mysql, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably).
A user is then either rejected or authenticated by freeradius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.
Hardware Requirements
Any PC with 2 network interfaces should work.
Software Installation
For this howto we start with an installation of Ubuntu Linux. We’ve used the Ubuntu 7.10 Gutsy Gibbon server edition.
The base installation is beyond the scope of this document, but the Ubuntu Website has plenty of documentation on installing ubuntu from scratch.
Towards of the ubuntu server edition install it asks you if you require extra packages. Enable the following
* LAMP * SSH server
Note:When asked for a mysql password and you want to use the default password for this howto use:
mysqladminsecret
Of course for a live chillispot access point you will need to change all password to your own
If you are using a different version or forget in install extra packages you can install them at a latter date by using the command
tasksel
Root
To make the installation easier create a root user. Many files can only be changed with root user.
Login user, then enter command
#sudo passwd rootEnter new UNIX password:Retype new UNIX password:#su rootPassword:
SSH
So we can cut and paste commands to make life easier
Install putty on you windows machine
Assuming that your ubuntu box is connected to your ADSL router/DHCP server you will need to find your IP address of your ubuntu box so you can connect with putty
ip addr
Type in your ip address and connect
Repository
Use default repository or better
Update Ubuntusudo apt-get updatesudo apt-get upgrade
Network setup
Setup up your network hardware/software
Interfacesnano -w /etc/network/interfacesauto loiface lo inet loopback
auto eth0iface eth0 inet dhcp
auto eth1
To enable packet forwarding you should add the following line
nano -w /etc/sysctl.confnet/ipv4/ip_forward=1
Enable and check ip forward without a reboot
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Restart network
sudo /etc/init.d/networking restart
EnableTUN/TAP device driver supportnano -w /etc/modulestun
To enable without reboot
sudo modprobe tun
Install chillispotsudo apt-get install chillispot
Fill in the details
IP address of radius server 1:
127.0.0.1
Radius shared secret:
radiussecret
In a typical configuration this should be set to 'eth1'. <ok>
Ethernet interface for DHCP to listen:
eth1
URL of UAM server:
https://192.168.2.1/cgi-bin/hotspotlogin.cgi
URL of UAM homepage:
https://192.168.2.1/welcome.html
Shared password between chillispot and webserver:
uamsecret
Enable Chillispot captive portal:
nano -w /etc/default/chillispotENABLED=1
Chillispot
chillispot config file
nano -w /etc/chilli.confnet 192.168.2.0/24 ###change manually#dns1 192.168.2.1 #dns2 192.168.2.1 domain domain.org ###change manuallyradiusserver1 127.0.0.1 radiusserver2 127.0.0.1 radiussecret radiussecret dhcpif eth1uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi#uamhomepage https://192.168.2.1/welcome.html ###change manuallyuamsecret uamsecretuamlisten 192.168.2.1 ####change manuallyuamallowed www.google.it,192.168.2.0/24 ###change manually
Note: uamhomepage has been commented out because its optional
To check conf files for errors run command
sudo /etc/init.d/chillispot start
If an error occurs it will display the line number that has caused the error. Count down the line numbers in the chilli.conf file to find the problem.
If you get a message that Coova Capture Portal is disabled and to see /etc/default/chillispot
nano -w /etc/default/chillispotENABLED=1
Let's discuss the chilli.conf file in detail.
Radius sectionradiusserver1 127.0.0.1radiusserver2 127.0.0.1radiussecret theradiussecret
You need to specify two radius servers even if you only have one. Of course, you can enter the same server in both lines. In this case it's localhost, as FreeRadius is on the same machine of Chillispot.
radiussecret theradiussecret
The radiussecret directive contains a (secret) word which must match the one contained in the FreeRadius configuration file. This secret ensures we are allowed to make queries to the radius server. We'll se the radius configuration part later on.
Networking sectiondns1 192.168.2.1
You need to specify the IP address of the DNS server, which will be told to clients as well. The local machine's one will be fine if the machine operates a DNS service, otherwise enter another one such as you provider's.
dhcpif eth1
The interface to be specified is the one where the access points reside, which should be already configured with the working access points. Be sure to disable any DHCP server bound to that interface, as Chillispot doesn't want one.
UAM sectionuamallowed 192.168.2.0/24.1,192.168.182.0/24,www.google.it
The above line states which hosts the clients are allowed to connect without requring authentication. You must enter the IP address of the gateway (both the VPN address and the LAN address - This is very important! In fact, you must list at least these two addresses here, otherwise the chillispot will not work!), the IP address of the DNS server (if it's on another machine) and any other hosts you want.
uamserver https://192.168.2.1/cgi-bin/hotspotlogin.cgi
This is the (secure) URL of the script which displays the login interface and manages the login. We'll discuss this further in the Apache configuration section.
uamhomepage https://192.168.2.1/welcome.html
Optional
This is the page where all clients will be redirected when they try to surf a web site which is not in the uamallowed list. This is quite handy, as you don't need to provide login URLs to your users: their browser gets automatically redirected here. The contents of this file are very customizable (you can provide a full featured web page with information and the login link), and also this will be discussed later on while talking of Apache configuration.
uamsecret theuamsecret
This is the shared secret between chillispot and hostspotlogin.cgi, which ensures that the CGI script is allowed to talk to Chillispot. It's different than the radius secret, but you can also set them all alike (not recommended, of course).
Install Firewall
The creator of chillispot has created firewall rules. We just need to enable them.
sudo cp /usr/share/doc/chillispot/firewall.iptables /etc/init.d/chilli.iptablessudo chmod a+x /etc/init.d/chilli.iptablessudo ln -s ../init.d/chilli.iptables /etc/rcS.d/S41chilli.iptables
The default firewall is set for eth0 = internet, eth1 = LAN,If you want to change this setup edit the following file
nano -w /etc/init.d/chilli.iptablesEXTIF=eth0INTIF=eth1
Enable firewall script
sudo /etc/init.d/chilli.iptables
As said else where, do not enable a DHCP server on our ubnutu box. chillispot has its own DHCP server.
Install Radius server and Databasesudo apt-get install freeradius freeradius-mysql freeradius-dialupadmin
Create database to store usernames and passwords
mysql -u root -pEnter password:mysqladminsecretmysql> CREATE DATABASE radius;
mysql> quit
Propergate database with tables created by the maker's of freeradius
zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radiusEnter password:mysqladminsecretmysql -u root -pEnter password:mysqladminsecretmysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';mysql> FLUSH PRIVILEGES;mysql> quit
Tell freeradius where to find of database
nano -w /etc/freeradius/sql.confserver = "localhost"login = "radius"password = "mysqlsecret"
Set FreeRadius server client password
nano -w /etc/freeradius/clients.confclient 127.0.0.1 { secret = radiussecret}
Testing default file setup
The default FreeRadius setup authorize's usernames and passwords from a "file" found in /etc/freeradius/users. We should test the default FreeRadius setup before we change the authorization link from "file" to "sql" (mysql).
Add username an password to our user "file". edit "John Doe"
nano -w /etc/freeradius/users
uncomment
"John Doe" Auth-Type := Local, User-Password == "hello" Reply-Message = "Hello, %u"
At this point you need to reboot your ubuntu box
reboot
Check FreeRadius config files.
sudo /etc/init.d/freeradius stop
sudo freeradius -XXX -A
If all goes well the last line should display
Mon Mar 24 11:32:35 2008 : Info: Ready to process requests.
Ctrl+C to exit.
Start FreeRadius again
sudo /etc/init.d/freeradius start
Test password authorization to "file"
sudo radtest "John Doe" hello 127.0.0.1 0 radiussecret
If all goes well you should get a reply
Sending Access-Request of id 136 to 127.0.0.1 port 1812 User-Name = "John Doe" User-Password = "hello" NAS-IP-Address = 255.255.255.255 NAS-Port = 0rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37 Reply-Message = "Hello, John Doe"
change authorization to sql
If the above tests worked we can now change authorization from "file" to "sql"
Change:
files to # files
# sql to sql
nano -w /etc/freeradius/radiusd.confauthorize { preprocess# auth_log# attr_filter chap mschap# digest# IPASS suffix# ntdomain eap files# sql# etc_smbpasswd# ldap# daily
# checkval}
to
authorize { preprocess# auth_log# attr_filter chap mschap# digest# IPASS suffix# ntdomain eap# files sql# etc_smbpasswd# ldap# daily# checkval}
Note: You can only use one authorisation method at a time, not both. Therefore "files" section needs to be commented out otherwise free radius will still try to authorize with /etc/freeradius/users "file" instead of "sql"
SQL Logging
If you want to use software packages like ezRADIUS or Dialup Admin you need to enable logging to sql
nano -w /etc/freeradius/sql.confsql { driver = "rlm_sql_mysql" server = "localhost" login = "radius" password = "mysqlsecret" radius_db = "radius" [...] # Set to 'yes' to read radius clients from the database ('nas' table) readclient = yes ###change manually}nano -w /etc/freeradius/radiusd.conf $INCLUDE ${confdir}/sql.confauthorize { preprocess chap suffix eap #files sql}authenticate {
Auth-Type PAP { pap } Auth-Type CHAP { chap } eap}accounting { detail radutmp sql ###change manually}session { sql ###change manually}
Add users
Note: The first command is one line which ends with the word radius, It has wraped around.
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radiusEnter password:mysqlsecret
Restart Radius
sudo /etc/init.d/freeradius restart
Test linksudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret
If all goes well you should receive
Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "mysqltest" User-Password = "testsecret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=180, length=20
Apache ServerCreate login pagesudo mkdir -p /var/www/hotspot/cgi-binzcat -c /usr/share/doc/chillispot/hotspotlogin.cgi.gz | sudo tee /var/www/hotspot/cgi-bin/hotspotlogin.cgisudo chmod a+x /var/www/hotspot/cgi-bin/hotspotlogin.cgi
edit login script
nano -w /var/www/hotspot/cgi-bin/hotspotlogin.cgi
Uncomment and change password
$uamsecret = "uamsecret";$userpassword=1;
SSLApache Modules
To install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:
sudo apt-get install libapache2-mod-auth-mysql
Once you install the module, the module will be available in the /etc/apache2/mods-available directory. You can use the a2enmod command to enable a module. You can use the a2dismod command to disable a module. Once you enable the module, the module will be available in the the /etc/apache2/mods-enabled directory.
Setup up Apache and SSL
Make sure LAMP server is installed, if not use the following command:
tasksel
Create a Certificatesudo apt-get install ssl-certsudo mkdir /etc/apache2/ssl
We need to find our host name for our cert
hostname -f
Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
(Answer questions)
Note: The "Host Name" must be fill out correctly The host name of the server the certificate is for. This must be filled in. (commonName)
Host Name as per hostname -f
host.name #change to your host name
Install Module
The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.
sudo a2enmod ssl/etc/init.d/apache2 force-reload
Create virtualhost
Create a virtualhost file so it looks something like this:
sudo nano -w /etc/apache2/sites-available/hotspotNameVirtualHost 192.168.2.1:443<VirtualHost 192.168.2.1:443> ServerAdmin [email protected] DocumentRoot "/var/www/hotspot" ServerName "192.168.2.1" <Directory "/var/www/hotspot/"> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory>
Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/" <Directory "/usr/share/freeradius-dialupadmin/htdocs/"> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory>
ScriptAlias /cgi-bin/ /var/www/hotspot/cgi-bin/ <Directory "/var/www/hotspot/cgi-bin/"> AllowOverride None Options ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory>
ErrorLog /var/log/apache2/hotspot-error.log
LogLevel warn
CustomLog /var/log/apache2/hotspot-access.log combined
ServerSignature On SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.pem</VirtualHost>
Enable SSL virtualhost
sudo a2ensite hotspot/etc/init.d/apache2 reload
Listen Ports
HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:
nano -w /etc/apache2/ports.confListen 192.168.2.1:80Listen 192.168.2.1:443#<IfModule mod_ssl.c># Listen 443#</IfModule>
don't forget to modify
sudo nano -w /etc/apache2/sites-available/defaultNameVirtualHost *:80<virtualhost *:80>
Server Root
nano -w /etc/apache2/apache2.conf
add
ServerName 192.168.2.1
Edit host file
nano -w /etc/hosts192.168.2.1 host.name host #change to your host name
Restart Apache server
sudo /etc/init.d/apache2 restart
your web broswer should be able to link to pages
https://192.168.2.1/cgi-bin/hotspotlogin.cgi
and
http://192.168.2.1:3990/
Finish
Reboot your computer and everything should work
reboot
Optional Features
Install Wifi Adaptor
If you want to install a wifi adaptor to your chilli hotspot follow these instructions
The wifi adaptor/card must support master mode.
Install card and drivers if required
see WifiDocs/MasterMode
We need to modify interfaces
sudo nano -w /etc/network/interfaces# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).
# The loopback network interfaceauto loiface lo inet loopback
# The primary network interfaceauto eth0iface eth0 inet dhcp
# Secondary network interfaceauto eth1
# Wireless Setupauto ath0 iface ath0 inet manual wireless-mode master wireless-essid pivotpoint
# Bridge interfaceauto br0iface br0 inet manual bridge-ports eth1 ath0
Modify firewall/iptables interface
nano -w /etc/init.d/chilli.iptables
change INTIF
INTIF="br0"
Finally change chillispot interface
nano -w /etc/chilli.confdhcpif br0
reboot and that it.
Firewall
You may need to modify firewall settings
In this example i want to control chillispot with SSH (port 22) through eth1. By default port 22 is blocked on eth1.
nano -w /etc/init.d/chilli.iptables
find
#Allow releated, established and ssh on $EXTIF. Reject everything else.
Then add a new line just below the existing port 22 rule
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
reset firewall
sudo /etc/init.d/chilli.iptables
Done
Dial Up adminNote: Dial Up Admin is untested and uncommented continue at your own risk
The following is untested a cut and paste of what I assume is dial up adminstartion of you login in server. I would be nice if someone could add some comments.
sed "/auto_increment/ s/DEFAULT '0'//" /usr/share/freeradius-dialupadmin/sql/badusers.sql | mysql -u radius -p radiusmysql -u radius -p radius < /usr/share/freeradius-dialupadmin/sql/mtotacct.sqlmysql -u radius -p radius < /usr/share/freeradius-dialupadmin/sql/totacct.sqlsed "/auto_increment/ s/DEFAULT '0'//" /usr/share/freeradius-dialupadmin/sql/userinfo.sql | mysql -u radius -p radiusnano -w /etc/freeradius-dialupadmin/admin.confgeneral_domain: dominio.orggeneral_radius_server_secret: radiussecretgeneral_encryption_method: clearsql_username: radiussql_password: mysqlsecret#sql_debug: true
Dial-up Admin
https://192.168.2.1/dialupadmin/index.html
nano -w /etc/apache2/sites-available/hotspot<Directory "/usr/share/freeradius-dialupadmin/htdocs"> ... AuthName "Restricted Area" AuthType Basic AuthUserFile /etc/apache2/.htpasswd require valid-user</Directory>sudo htpasswd -bcm /etc/apache2/.htpasswd admin adminsecretsudo /etc/init.d/apache2 restartnano -w /etc/freeradius-dialupadmin/naslist.conf
Online users
nas1_name: nas1.%{general_domain}nas1_type: othernas1_model: ChilliSpotnas1_ip: 0.0.0.0nas1_finger: database
User Statistics
nano -w sudo chmod a+x /usr/share/freeradius-dialupadmin/bin/tot_statsnano -w /usr/share/freeradius-dialupadmin/bin/monthly_tot_statsSBAGLIATO: $sql_password = ($sql_pasword == '') ? '' : "-p$sql_password";CORRETTO: $sql_password = ($sql_pasword eq '') ? '' : "-p$sql_password";sudo cp /usr/share/doc/freeradius-dialupadmin/examples/freeradius-dialupadmin.cron /etc/cron.d/freeradius-dialupadmin
Failed Logins
nano -w /etc/freeradius/radiusd.conflog_auth = yes log_auth_badpass = yeslog_auth_goodpass = yes
restart radius
sudo /etc/init.d/freeradius restartnano -w /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log/usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log &sudo chmod a+x /etc/init.d/freeradius.badloginssudo ln -s ../init.d/freeradius.badlogins /etc/rc2.d/S99freeradius.badlogins$ sudo /usr/share/freeradius-dialupadmin/bin/log_badlogins /var/log/freeradius/radius.log /etc/freeradius-dialupadmin/admin.conf once$ sudo /etc/init.d/freeradius.badlogins
Transparent ProxyNote: Transparent Proxy is untested and uncommented continue at your own risk
Squid http://www.squid-cache.org/
sudo apt-get install squid sargnano -w /etc/squid/squid.confhttp_port 192.168.2.1:3128httpd_accel_host virtualhttpd_accel_port 80httpd_accel_with_proxy onhttpd_accel_uses_host_header onnano -w /etc/init.d/chilli.iptablessudo iptables -t nat -A PREROUTING -i tun0 -p tcp -s 192.168.2.0/24 --dport 80 -j REDIRECT --to 3128
http://192.168.2.1:3128/
sudo iptables -I FORWARD 1 -i tun0 -o eth0 -s 192.168.2.0/24 -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG --log-prefix HOTSPOT:nano -w /etc/log/syslog
DansGuardian
Script BackupNote: Script Backup is untested and uncommented continue at your own risk
/var/log/squid/access.log
/var/log/syslog
/etc/logrotate.d/squid
cp /var/log/squid/access.log /data/access.log-`date +%Y%m%d`
/data
/etc/cron.daily/sysklogd
grep "HOTSPOT:" /var/log/syslog > /data/httpd_syslog.log-`date +%Y%m%d`
