DaloRADIUS - Captive Portal Setup

daloRADIUS Captive Portal Setup
2009 by Liran Tal
liran@enginx.com

daloRADIUS Hands-on Guides: Captive Portal Setup

The captive portal provides a Universal Access Method (UAM) that lets users reach the service through their web browser, where they can log in, register for a new account, view the service's terms of usage, and more. The essence of the captive portal functionality is to (always) redirect any web traffic a user requests to the service's web pages which provide access to the service (via Login or Signup pages).

Some references to captive portal software are Wifidog, NoCatAuth, Chillispot, and maybe the most common and popular of all is CoovaChilli, which is the successor of the Chillispot project. Chillispot suffered from abandoned development, therefore Coova's maintainer, David Bird, has assumed the role of continuing its development under the new name CoovaChilli.

daloRADIUS ships with CoovaChilli (and Chillispot's) captive portal pages and supports only those. Moreover, it provides a PHP version of the captive portal pages which is suitable to deploy on a LAMP based install, while introducing a templating system for the captive portal pages which makes it extremely easy and convenient for businesses to modify the portal pages and customize them to their needs.

Project references:

1. Wifidog: http://dev.wifidog.org
2. NoCatAuth: http://nocat.net
3. Chillispot: http://chillispot.info
4. CoovaChilli: http://coova.org/CoovaChilli

Deploying the Captive Portal

As stated above in the brief introduction, daloRADIUS ships with Captive Portal pages, ready to be used. More than that, it ships with 3 different versions of the captive portal pages:

1. A stripped-down version of the pages (very basic HTML)
2. A themed version of the captive portal pages (option 1)
3. A themed version of the captive portal pages (option 2)

We will focus on deploying the captive portal pages with the 2nd version, which is available in the daloRADIUS package: contrib/chilli/portal2.

Outlined below are the steps to take for an Ubuntu or Debian-based Linux distribution. While the document refers to CoovaChilli, most if not all configuration examples are relevant to Chillispot as well, so CoovaChilli and Chillispot are interchangeable in the scope of the document.

1. Get the latest release of daloRADIUS (>= 0.9-8) and unpack the tar.gz package to a local directory. The -O option keeps wget from naming the file after the URL's query string, which would otherwise break the tar command that follows.

CODE
# cd /tmp
# wget -O daloradius-0.9-8.tar.gz http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz?use_mirror=garr
# tar zxvf daloradius-0.9-8.tar.gz

2. Copy the hotspotlogin directory from contrib/chilli/portal2 (found in the top-level directory of the daloRADIUS package) to the web-accessible directory of your choice. For the example throughout this document we will use /var/www/dalohosting/hotspotlogin/

CODE
# mkdir -p /var/www/dalohosting
# cp -arp /tmp/daloradius-0.9-8/contrib/chilli/portal2/hotspotlogin/ /var/www/dalohosting/

3. Adjust file permissions for the web server user and group:

CODE
# chown www-data:www-data /var/www/dalohosting/hotspotlogin/* -R
# chown www-data:www-data /var/www/dalohosting/hotspotlogin

4. CoovaChilli (and Chillispot) redirects unauthenticated users to the (remote) portal pages, which are served over SSL. The directives that are required in CoovaChilli's configuration (chilli.conf syntax) are:

CODE
uamlisten 192.168.182.1
uamport 3990
uamserver https://www.example.com/hotspotlogin/hotspotlogin.php
uamsecret mysecretuampassword

Information regarding these parameters and others is available through CoovaChilli's homepage, forums, mailing list and documentation.

In the given example, the hotspotlogin directory is accessible from that example domain. Make sure that a good shared secret (long and random, not the example value above) is used for the uamsecret directive; the same value must be set in both the hotspotlogin files and the CoovaChilli configuration, otherwise every login will fail.

5. To configure the hotspotlogin directory, we need to specify the uamsecret that was set previously in the CoovaChilli configuration. Use your preferred editor to edit the file /var/www/dalohosting/hotspotlogin/hotspotlogin.php and set the uamsecret variable at the beginning of the file accordingly:

CODE
# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
$uamsecret = "mysecretuampassword";

6. The hotspotlogin directory must be accessible to the web server at the exact location set in CoovaChilli's uamserver definition. To achieve this we define a VirtualHost entry (explaining every other possible way is beyond the scope of this document; use Apache's references).

Enabling SSL support in Apache:

CODE
# apt-get install ssl-cert
# mkdir /etc/apache2/ssl
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
# a2enmod ssl && /etc/init.d/apache2 restart

While this isn't an Apache guide, the steps above should be sufficient for an already installed apache2 server to add SSL support. Note that make-ssl-cert produces a self-signed certificate, so every user's browser will warn about the portal page; for a production hotspot use a certificate from a CA the users' browsers trust, otherwise users are trained to click through certificate warnings.

Next, add a VirtualHost file entry (assuming a NameVirtualHost entry for this domain already exists). The

CODE
<VirtualHost 1.1.1.1:443>
    ServerName www.example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/dalohosting/
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin/>
        AllowOverride None
        Options ExecCGI -MultiViews
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

(On Apache 2.4 the Order/Allow pair is replaced by "Require all granted".)

Save the above file as /etc/apache2/sites-available/hotspotlogin-ssl (a2ensite looks for it there and creates the sites-enabled link), replacing the VirtualHost IP address of 1.1.1.1 with the correct settings, as well as other configuration options in the file, then enable this site entry and restart/reload Apache:

CODE
# a2ensite hotspotlogin-ssl
# /etc/init.d/apache2 restart

Also make sure the web server is configured to listen for SSL on the IP address and port used in the VirtualHost above (a Listen 443 directive in /etc/apache2/ports.conf).
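Steps 4 and 5 put the same secret in two files, and step 4 requires the uamserver URL to be the HTTPS location Apache actually serves. The following script, added here as an example and not part of daloRADIUS or CoovaChilli, reads both files and reports the mismatches that most often break or weaken a new portal. It assumes chilli.conf-style "directive value" lines with "#" comments and a PHP assignment of the form $uamsecret = "..."; as quoted in step 5; the file contents, the secret and the 16-character minimum length are constructed for the example.

```python
"""Consistency check for the UAM secret and portal URL (added example).

Assumptions, not taken from the guide: chilli.conf uses 'directive value'
lines with '#' comments; hotspotlogin.php sets $uamsecret = "...";.
The two sample files below are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample of the relevant CoovaChilli/Chillispot directives.
SAMPLE_CHILLI_CONF = """\
# chilli.conf (constructed sample)
uamlisten 192.168.182.1
uamport 3990
uamserver https://www.example.com/hotspotlogin/hotspotlogin.php
uamsecret q7Vt9mLz2Xp4Rb8Ks1Ye
"""

# Constructed sample of the top of hotspotlogin.php.
SAMPLE_HOTSPOTLOGIN_PHP = """\
<?php
# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
$uamsecret = "q7Vt9mLz2Xp4Rb8Ks1Ye";
"""

MIN_SECRET_LEN = 16          # policy chosen for this example, not a CoovaChilli rule
GUIDE_EXAMPLE_SECRET = "mysecretuampassword"   # the value printed in the guide


def parse_chilli_conf(text: str) -> Dict[str, str]:
    """Return directive -> value for every uncommented 'name value' line."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


_PHP_SECRET = re.compile(r'^\s*\$uamsecret\s*=\s*"([^"]*)"\s*;', re.MULTILINE)


def parse_php_uamsecret(text: str) -> Optional[str]:
    """Extract the value assigned to $uamsecret, or None if no assignment exists."""
    match = _PHP_SECRET.search(text)
    return match.group(1) if match else None


def check_portal_config(chilli_text: str, php_text: str) -> List[str]:
    """Return findings; an empty list means the NAS and portal sides agree."""
    findings: List[str] = []
    conf = parse_chilli_conf(chilli_text)
    chilli_secret = conf.get("uamsecret")
    php_secret = parse_php_uamsecret(php_text)

    if not chilli_secret:
        findings.append("chilli.conf: uamsecret not set; the challenge is not mixed with a secret")
    if php_secret is None:
        findings.append("hotspotlogin.php: no $uamsecret assignment found")
    if chilli_secret and php_secret is not None and chilli_secret != php_secret:
        findings.append("uamsecret differs between chilli.conf and hotspotlogin.php; logins will fail")
    if chilli_secret and (len(chilli_secret) < MIN_SECRET_LEN or chilli_secret == GUIDE_EXAMPLE_SECRET):
        findings.append("uamsecret is short or is the guide's example value; use a long random secret")

    url = urlparse(conf.get("uamserver", ""))
    if url.scheme != "https":
        findings.append("uamserver is not https; the password would cross the hotspot LAN in clear")
    elif not url.path.endswith("hotspotlogin.php"):
        findings.append("uamserver does not point at hotspotlogin.php")
    return findings


if __name__ == "__main__":
    for finding in check_portal_config(SAMPLE_CHILLI_CONF, SAMPLE_HOTSPOTLOGIN_PHP) or ["OK: portal and NAS agree"]:
        print(finding)
```

To run it against a real deployment, replace the two SAMPLE_ strings with the contents of /etc/chilli.conf and /var/www/dalohosting/hotspotlogin/hotspotlogin.php (paths from the guide) and read them with open().read().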

Successful Login

Finally, when the captive portal pages have been installed and configured correctly on the remote web server, the CoovaChilli configuration has the correct parameters, and the software is running on a NAS or a sandbox Linux system, a user who connects to the (in most cases wireless) network is allocated an IP address by the DHCP server run by CoovaChilli.

At this point the user opens a browser and tries to surf the Internet. Since CoovaChilli is running as captive portal software, it intercepts the user's port 80 (web traffic) request and redirects the browser to the configured captive portal page, as shown in the screenshot:
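The login that follows the redirect is where the uamsecret from steps 4 and 5 earns its keep, and the comment in hotspotlogin.php ("Prevents dictionary attacks") is easier to appreciate with the arithmetic written out. The script below is an added example, not code from daloRADIUS or CoovaChilli. It assumes the ChilliSpot/CoovaChilli UAM scheme, which the guide does not spell out: the NAS redirects the browser with a 32-hex-digit challenge, the portal page derives chap_challenge = MD5(challenge || uamsecret) when a uamsecret is configured, computes response = MD5(0x00 || password || chap_challenge), and sends the browser to http://uamlisten:uamport/logon?username=...&response=... over plain HTTP. The usernames, passwords, wordlist and challenge are constructed.

```python
"""UAM challenge/response with and without a uamsecret (added example).

Assumed scheme (not stated in the guide): ChilliSpot-style UAM where
chap_challenge = MD5(challenge || uamsecret) if a secret is set, else the raw
challenge, and response = MD5(0x00 || password || chap_challenge).
All users, passwords and the wordlist below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode


def derive_chap_challenge(challenge_hex: str, uamsecret: Optional[str]) -> bytes:
    """Mix the NAS challenge with the shared secret (no-op when no secret is set)."""
    challenge = bytes.fromhex(challenge_hex)
    if len(challenge) != 16:
        raise ValueError("UAM challenge must be 16 bytes (32 hex digits)")
    if not uamsecret:
        return challenge
    return hashlib.md5(challenge + uamsecret.encode()).digest()


def chap_response(password: str, chap_challenge: bytes) -> str:
    """CHAP response with identifier 0, as the portal page computes it."""
    return hashlib.md5(b"\x00" + password.encode() + chap_challenge).hexdigest()


def build_logon_url(uamlisten: str, uamport: int, username: str, password: str,
                    challenge_hex: str, uamsecret: Optional[str]) -> str:
    """The plain-HTTP redirect the portal sends the browser to after the form post."""
    response = chap_response(password, derive_chap_challenge(challenge_hex, uamsecret))
    return f"http://{uamlisten}:{uamport}/logon?" + urlencode(
        {"username": username, "response": response})


def nas_verify(challenge_hex: str, uamsecret: Optional[str], username: str,
               response_hex: str, user_db: Dict[str, str]) -> bool:
    """What the NAS (through RADIUS CHAP) effectively checks: the response must
    equal the one computed from the stored cleartext password and the same
    secret-mixed challenge."""
    password = user_db.get(username)
    if password is None:
        return False
    expected = chap_response(password, derive_chap_challenge(challenge_hex, uamsecret))
    return hmac.compare_digest(expected, response_hex)


def offline_dictionary_attack(challenge_hex: str, response_hex: str,
                              wordlist: Iterable[str],
                              guessed_secret: Optional[str] = None) -> Optional[str]:
    """An eavesdropper on the hotspot LAN sees the challenge (in the NAS redirect)
    and the response (in the /logon request), both over plain HTTP. Without a
    uamsecret that pair is enough to test guesses offline; with one, the attacker
    must also know the secret."""
    chal = derive_chap_challenge(challenge_hex, guessed_secret)
    for candidate in wordlist:
        if chap_response(candidate, chal) == response_hex:
            return candidate
    return None


if __name__ == "__main__":
    users = {"alice": "hunter2"}                       # constructed user database
    wordlist = ["password", "letmein", "hunter2"]      # constructed attacker wordlist
    challenge = secrets.token_hex(16)                  # NAS-generated 16-byte challenge

    for secret in (None, "mysecretuampassword"):
        url = build_logon_url("192.168.182.1", 3990, "alice", "hunter2", challenge, secret)
        response = url.rsplit("response=", 1)[1]        # what the sniffer captures
        assert nas_verify(challenge, secret, "alice", response, users)
        recovered = offline_dictionary_attack(challenge, response, wordlist)
        print(f"uamsecret={secret!r}: login ok; eavesdropper recovers {recovered!r}")
```

Run as-is, the first iteration recovers 'hunter2' from the sniffed pair and the second recovers nothing. The uamsecret is still a static shared key: it must be long, random and unique per deployment, and it does nothing for the cleartext password the browser posts to hotspotlogin.php, which is why the guide serves the portal over SSL.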

Feedback

We hope you enjoyed this tutorial and made the best of it.

For comments and general feedback please contact us via email at team@enginx.com