Howto build a Wifi Hotspot using Chillispot and Debian Etch
This is a step-by-step tutorial on how to build a Wifi hotspot using Chillispot and Debian GNU/Linux.
Configure your NIC
You need at least two network interface cards for Chillispot to work. Install Debian GNU/Linux and configure the IP addresses of your network cards.
Your network card configuration should look like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
eth0 (WAN) IP Address assigned by your ISP
eth1 (LAN) no need to assign IP Address.
We don't need to configure eth1, since Chillispot handles IP address assignment using its own DHCP.
Edit your /etc/resolv.conf file and add the ip address of your DNS server.
Your resolv.conf file should look like this:
nameserver 10.0.0.1
nameserver 10.0.0.2
Installing Chillispot
To install chillispot on your Debian machine, type this command:
This will install Apache, MySQL, Chillispot and FreeRadius. After the installation an ncurses-based configuration menu will appear.
Enter the IP address of your RADIUS server. In this case we use 127.0.0.1, since the RADIUS server is also installed on this machine.
Enter your radius shared secret.
Basically you have to select which interface is connected to your LAN or access points. In this scenario it is set to eth1.
Enter the URL of your UAM (Universal Access Method) server. You need to tell Chillispot the location of the authentication server, which in this case is on the same machine. 192.168.182.1 is the default IP address that Chillispot gives the tun0 interface.
Enter the URL of your UAM homepage. This is the page where all clients will be redirected when they try to surf a web site which is not in the uamallowed list.
Then you must assign a UAM secret for your Chillispot server. This is the shared secret between Chillispot and hotspotlogin.cgi, which ensures that the CGI script is allowed to talk to Chillispot. It is different from the RADIUS secret.
Edit your /usr/lib/cgi-bin/hotspotlogin.cgi
Uncomment the line #$uamsecret = "ht2eb8ej6s4et3rg1ulp";
and replace "ht2eb8ej6s4et3rg1ulp" with the UAM secret that you entered during the Chillispot installation.
$uamsecret = "secret";
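How the UAM secret ties the login page to Chillispot, as an added Python sketch that is not part of the original tutorial or of the Chillispot code. It assumes the MD5 challenge scheme used by the stock hotspotlogin.cgi; the function names, the challenge value and the secrets are constructed for illustration.

```python
import hashlib
from typing import Optional, Tuple


def keyed_challenge(challenge_hex: str, uam_secret: Optional[str]) -> bytes:
    """Mix the UAM secret into the 16-byte challenge handed out by chilli."""
    challenge = bytes.fromhex(challenge_hex)
    if uam_secret is None:  # $uamsecret left commented out: challenge used as-is
        return challenge
    return hashlib.md5(challenge + uam_secret.encode()).digest()


def cgi_encode(challenge_hex: str, password: str,
               uam_secret: Optional[str]) -> Tuple[str, str]:
    """Login-page side: return (chap_response, pap_password) as hex strings."""
    key = keyed_challenge(challenge_hex, uam_secret)
    pw = password.encode()
    chap = hashlib.md5(b"\0" + pw + key).hexdigest()
    padded = pw.ljust(16, b"\0")[:16]  # XOR works on one 16-byte block
    pap = bytes(p ^ k for p, k in zip(padded, key)).hex()
    return chap, pap


def chilli_decode(challenge_hex: str, pap_hex: str,
                  uam_secret: Optional[str]) -> bytes:
    """Chillispot side: undo the XOR using its own copy of the UAM secret."""
    key = keyed_challenge(challenge_hex, uam_secret)
    raw = bytes(c ^ k for c, k in zip(bytes.fromhex(pap_hex), key))
    return raw.rstrip(b"\0")


CHALLENGE = "00112233445566778899aabbccddeeff"  # constructed sample challenge

if __name__ == "__main__":
    _, pap = cgi_encode(CHALLENGE, "testing", "example-uam-secret")
    # Same secret on both sides: chilli recovers the password for RADIUS.
    print(chilli_decode(CHALLENGE, pap, "example-uam-secret"))
    # Secret in hotspotlogin.cgi differs from chilli.conf: login cannot succeed.
    print(chilli_decode(CHALLENGE, pap, "different-secret"))
```

If the value in hotspotlogin.cgi and the one entered during installation differ, every login fails in exactly this way, so check that first when the portal rejects known-good credentials.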
Enabling Chillispot
Chillispot is not enabled by default. After you install Chillispot you need to enable it by editing the /etc/default/chillispot file
and replacing the line ENABLED=0 with ENABLED=1
# /etc/default/chillispot
#
# Enable on system start?
# Change to 1 if you want it to be enabled.
# Please make sure you have configured chillispot first.
ENABLED=1
#
# chillispot default configuration
CHILLICFG=/etc/chilli.conf
#
# daemon arguments
DAEMON_ARGS="--conf $CHILLICFG"
Configuring Apache for Chillispot
Generate a self-signed SSL certificate:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Enable mod_ssl
a2enmod ssl
/etc/init.d/apache2 restart
Create a secure host, just copy your default virtual host configuration and specify a different name. I used the name "secure" here.
Edit the file
and change these two lines:
- NameVirtualHost *
- <VirtualHost *>
to
- NameVirtualHost *:443
- <VirtualHost *:443>
- SSLEngine on
- SSLCertificateFile /etc/apache2/ssl/apache.pem
Enable the secure host and restart apache
/etc/init.d/apache2 restart
FreeRadius Configuration
Login to your MySQL database server and create a radius database.
CREATE DATABASE radius;
GRANT ALL ON radius.* TO admin@localhost IDENTIFIED BY 'password';
Import the SQL schema
Edit /etc/freeradius/radiusd.conf file
and uncomment the word sql in authorize section
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap
#
# Read the 'users' file
files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
}
and in accounting section.
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
In both sections, the change is the uncommented sql line.
Edit your /etc/freeradius/sql.conf file
and add your radius database information so that freeradius can connect to your MySQL database.
# Connect info
server = "localhost"
login = "admin"
password = "password"
# Database table configuration
radius_db = "radius"
Edit /etc/freeradius/clients.conf file
and add your radius shared secret.
client 127.0.0.1 {
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 31 characters in length.
#
secret = secret
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
}
Edit /etc/freeradius/users
and uncomment the line:
steve Auth-Type := Local, User-Password == "testing"
This will enable you to login using the username steve and password testing.
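The steps above leave the UAM secret, the RADIUS shared secret and the MySQL password at the tutorial's placeholder values and enable the steve test account. This added example (not part of the original tutorial) checks the four files for those leftovers; the function name, the 16-character minimum and the sample file contents are assumptions constructed for illustration.

```python
import re

# Placeholder values printed in this tutorial; none should survive into production.
PLACEHOLDERS = {"secret", "password", "testing", "ht2eb8ej6s4et3rg1ulp"}
MIN_LEN = 16  # assumed minimum length, not a value from the page

CHECKS = [  # (file, regex capturing the configured value, label)
    ("/usr/lib/cgi-bin/hotspotlogin.cgi",
     r'^\s*\$uamsecret\s*=\s*"([^"]*)"', "UAM secret"),
    ("/etc/freeradius/clients.conf",
     r'^\s*secret\s*=\s*(\S+)', "RADIUS shared secret"),
    ("/etc/freeradius/sql.conf",
     r'^\s*password\s*=\s*"([^"]*)"', "MySQL password"),
]


def audit(files):
    """files maps path -> file text; returns a list of finding strings."""
    findings = []
    for path, pattern, label in CHECKS:
        values = re.findall(pattern, files.get(path, ""), flags=re.M)
        if not values:  # commented out or missing entirely
            findings.append(f"{path}: {label} is not set")
        for value in values:
            if value in PLACEHOLDERS or len(value) < MIN_LEN:
                findings.append(f"{path}: {label} is a tutorial placeholder or too short")
    # The sample user is only for the first login test; comment it out afterwards.
    users = files.get("/etc/freeradius/users", "")
    if re.search(r'^steve\s+Auth-Type', users, flags=re.M):
        findings.append("/etc/freeradius/users: test account 'steve' is still enabled")
    return findings


# Constructed sample: the values exactly as the tutorial leaves them.
AS_IN_TUTORIAL = {
    "/usr/lib/cgi-bin/hotspotlogin.cgi": '$uamsecret = "secret";\n',
    "/etc/freeradius/clients.conf":
        "client 127.0.0.1 {\n  # The secret can be any string\n  secret = secret\n}\n",
    "/etc/freeradius/sql.conf": 'login = "admin"\npassword = "password"\n',
    "/etc/freeradius/users": 'steve Auth-Type := Local, User-Password == "testing"\n',
}

if __name__ == "__main__":
    for line in audit(AS_IN_TUTORIAL):
        print(line)
```

To run it against a live system, build the dictionary by reading the four paths as root instead of using the constructed sample.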
Setup a NAT
The last thing you have to do is configure your server as a router or gateway. Edit the file /etc/sysctl.conf
and enable packet forwarding by uncommenting these lines:
# Uncomment the next line to enable Spoof protection (reverse-path filter)
net.ipv4.conf.default.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.conf.default.forwarding=1
Set up NAT using this command.
Then restart chillispot and freeradius.
/etc/init.d/freeradius restart
Finally, it's time to check whether your Chillispot installation is working. Connect a PC to your hotspot server, open your internet browser, and use the username steve and password testing to log in to your hotspot portal.
Cheers!



Comments
28 May 2008
7 hours 54 min
Hi, this tutorial is intended for Debian Etch systems and it supports Freeradius 1x. This would work on Ubuntu systems also, however, you have to install Freeradius 1x from source.
With regard to the problem you asked about in your previous comment, did you generate the SSL certificate? If not, please refer to this URL.
http://www.cahilig.net/2008/08/27/create-self-signed-ssl-certifcate-usin...
What version of freeradius are you using?
Dear ,
i try to configure but not working please tell me which version of linux u used? i am ubuntu server 9.04 but not working. please guide me any other document for hotspot
Dear,,,
Please anyone help me its not working in my system its is installed ubuntu 9.04 server
first error:
1) bash: /etc/apache2/ssl/apache.pem: No such file or directory
second error:
Enter password: gzip: /usr/share/doc/freeradius/examples/mysql.sql.gz: No such file or directory
please guide me or any-other document with working please send me to chinnappan@ymail.com
This process is for Debian.
It would be better if you publish configuration files ...so that people installing on other OS would be benefited.
I am trying to install it on CENTOS.
-Ashok
28 May 2008
7 hours 54 min
Thanks.
Hi
eth1 (LAN) no need to assign IP Address. When chilli is started, it will create tun interface and it will automatically distribute the ip address to your clients using dhcp.
Just assign a static ip address from within this range: 192.168.182.2 to 192.168.182.254.
What would be the ip address of eth1 and the wireless access point?
Thanks.
what would be the setting for the wrt54g LAN and WAN?
28 May 2008
7 hours 54 min
when comment it again, freeradius restart normally :(
Please check your freeradius logs
successful import database..
thx richard.. have u ever try with FreeRadius version 2.x before?
there is some different with ver 1 I think..
OMG.. i can't restart freeradius since I uncomment the sql comment in authorize&accounting section..
when comment it again, freeradius restart normally :(
28 May 2008
7 hours 54 min
use this command:
mysql -u root -p radius < schema.sql
finally... i found it!!! hahahah... thx richard..
now the last step... trying to login from client..
hope it works very good:)
maybe useful for other persons.
My FreeRadius version : 2.1.7
and accounting or authorize is located at
/etc/freeradius/sites-available/default
ohh.. almost forgot brother richard,
still have problem for import database because schema.sql is not zip file, so can't use zcat command..
another command for import schema.sql to my radius database maybe?
thx a lot for ur great help:)
28 May 2008
7 hours 54 min
If you are using Debian, the freeradius configuration directory should be "/etc/freeradius".
helpppppp....
richard thanks for your guides:)
but i still have problem finding raddb... no raddb directory after /etc:(
I use Debian 5..
28 May 2008
7 hours 54 min
I guess you have freeradius2x in your system. This tutorial is for freeradius1x and have been tested on Debian 4.0 installation.
---> i can't found mysql.sql.gz file
it said
"gzip: /usr/share/doc/freeradius/examples/mysql.sql.gz: No such file or directory"
If you have freeradius2x, the location of that file is "/etc/raddb/sql/mysql/schema.sql".
but I'm not found the authorize and accounting section..
when I check until bottom page
there is a little info :
"
All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# the file:
#
# raddb/sites-available/default
"
Just edit the file "/etc/raddb/sites-available/default"
28 May 2008
7 hours 54 min
Just install a network card that is supported by Linux. I will recommend any of these network cards: 3com, dlink, via and intel.
i don't know if this guide is too old or whatever..
finally i found this useful guide..
hello richard, thx for sharing and nice to meet you..
i've got a little problem here.
1. at this step
Import the SQL schema
"zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius"
---> i can't found mysql.sql.gz file
it said
"gzip: /usr/share/doc/freeradius/examples/mysql.sql.gz: No such file or directory"
2. Edit /etc/freeradius/radiusd.conf file
and uncomment the word sql in authorize section
and accounting too right?
but I'm not found the authorize and accounting section..
when I check until bottom page
there is a little info :
"
All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# the file:
#
# raddb/sites-available/default
"
can u help me for this problems?
thx a lot for ur great help:)
Hello, i was wondering what kind of pci-cards does support setting up a hotspot. can you help me with that?
28 May 2008
7 hours 54 min
The users' usage and other statistics are stored in the "freeradius database", in the table "radacct".
Try to use this "sql query"
or you can create php script to display your users usage.
Hi there, I was wondering - how and who does the monitoring of a users usage, and where does it get stored and how can it be read?
28 May 2008
7 hours 54 min
There's no need to change the ip, you can even remove the ip address from that interface since all the clients will get the ip address from tun0. If you wish to change the ip address just edit the file /etc/chilli.conf.
do i need to change the ip on eth1 ?
eth1 Link encap:Ethernet HWaddr 00:08:a1:b4:90:ac
inet addr:169.254.148.161 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::208:a1ff:feb4:90ac/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:2846 (2.7 KiB)
Interrupt:20 Base address:0xd000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:54 errors:0 dropped:0 overruns:0 frame:0
TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4516 (4.4 KiB) TX bytes:4516 (4.4 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.182.1 P-t-P:192.168.182.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
appreciate if you can help, cheers
Hello
Great Howto! But i found a little Error:
zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius
must be:
zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -D radius
-p is for Password and -D selects the Database which we want here.
Best Regards
Thanks you ! answer me.
I was design 2 range ip:
range ip I setup full access. I call A group
range ip is limit access, this range call B group
I create 2 user : "it" and "user"
All clients was obtain ip on Lan card. Now i want when "it" login any laptop, "it" can full access. I try to make "it" profile by freeradius :
it Cleartext-Password := "123456"
Fall-Through = Yes,
Service-Type == Framed-User,
Framed-IP-Address = 192.168.182.16,
Framed-IP-Netmask = 255.255.255.240
But,when i login it, i always obtain ip : 192.168.182.2.
Can you show me, i was wrong with step
28 May 2008
7 hours 54 min
To allocate static ip for a particular user, just give your user a static ip address from within this range 192.168.182.2 to 192.168.182.254.
I was install follow you and i was success.Can you teach me what next step I configure static ip for user name,when user login will has ip available, and another user still use dhcp of chilispot
thanks