Authenticating users before they get network access (via a captive portal web page).
Config
eth0 = Wan
eth1 = Internal Interface / LAN (Clients, PC, Access Points)
Chillispot takes control of the internal interface (eth1) and uses the tun (TUN/TAP) kernel module to bring up a virtual interface (tun0). The tun module moves IP packets between the kernel and the chilli process in user space; that is what lets chilli drop or redirect every packet from a client that has not logged in yet.
Chillispot also runs its own DHCP server for clients on the LAN interface (the dhcpif setting in the chillispot conf file; leave dhcpif unset to disable it) and hands out addresses from the tun0 network.
A client connecting to the internal interface has all of its packets rejected until it is authorized through the chillispot login page (which acts as the supplicant side of the authentication). When a non-authenticated client tries to open a web page (on port 80 or 443) the request is intercepted by chilli and redirected to a Perl script called hotspotlogin.cgi (served by apache over HTTPS).
The script hands the credentials back to chilli, which checks them against freeradius. The user is then either rejected or authenticated, and hotspotlogin.cgi presents either a rejection message or a page with a success message and a logout link to the user.
-------You need to install the following packages (Debian-style names; on the yum-based system used for the apache steps below they are mysql-server, httpd, freeradius and freeradius-mysql):
* mysql-server
* apache2
* freeradius
* freeradius-mysql
-------You need to enable packet forwarding:
Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1, then apply it with sysctl -p (otherwise it only takes effect after a reboot). Without forwarding, authenticated clients get an address but never reach the WAN.
-------Install chillispot from
http://chillispot.org/download.html
1) Copy hotspotlogin.cgi from source to the /var/www/cgi-bin directory
2) Copy chillispot-pf.conf from source to /etc/pf.conf
3) Edit /etc/pf.conf and update the int_if & ext_if macros
(pf is the BSD packet filter; on a Linux host steps 2 and 3 are not needed, the iptables script copied at the end of this page does the same job)
4) Copy chilli.conf & chilli.ipup from source to /etc
5) Tell chilli where the authentication server is (which in this scenario is on the same machine as chillispot). This is done by uncommenting and editing the following line in /etc/chilli.conf:
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
192.168.182.1 is the default IP address that chillispot gives the tun0 interface.
6) For added password security, we need to add a shared secret between hotspotlogin.cgi and chilli. It is mixed into the challenge that chilli hands out, so someone sniffing the LAN cannot run a dictionary attack against a captured login response. Find the line in /etc/chilli.conf that reads
#uamsecret ht2eb8ej6s4et3rg1ulp
Uncomment this line (remove the #) and CHANGE the secret to whatever you desire; the value shipped in the example file is public, so never keep it. The secret needs to be the same in the hotspotlogin.cgi script.
Continue editing /etc/chilli.conf and update the dns, dhcpif & other parameters.
Edit the hotspotlogin.cgi in your cgi-bin directory & update the uamsecret so that it is the same as the entry in your /etc/chilli.conf. Also uncomment the line that reads:
#$userpassword=1;
With this set, the script sends the password as a User-Password attribute (protected with the uamsecret) instead of a CHAP challenge/response.
7) chmod 755 /var/www/cgi-bin/hotspotlogin.cgi
8) Copy chilli.init from source to /etc/rc.d/init.d/chilli
Edit /etc/rc.d/init.d/chilli and define the correct path for the chilli binary
-------You need to configure the network interfaces.
1) Set eth0 for internet connection.
2) Set eth1 with address 0.0.0.0 255.255.255.0
or issue command: ifconfig eth1 0.0.0.0 up
3) Check that both interfaces are physically connected to the appropriate network equipment
-------Configuring Apache2 for SSL
1) yum install mod_ssl
2) mkdir /etc/httpd/ssl
3) openssl req -new -x509 -days 365 -nodes -out \
/etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key
4) Edit httpd.conf and enable SSL for the virtual host that serves hotspotlogin.cgi (mod_ssl also installs a default :443 virtual host in /etc/httpd/conf.d/ssl.conf; configure the certificate in one place, not both):
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/httpd.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
#ServerAdmin info@mydomain.com
#ServerName www.mydomain.com
#DocumentRoot /srv/www/mydomain.com/public_html/
#ErrorLog /srv/www/mydomain.com/logs/error.log
#CustomLog /srv/www/mydomain.com/logs/access.log combined
</VirtualHost>
The certificate from step 3 is self-signed, so clients will see a browser warning before the login page appears. When openssl asks for the Common Name, give the address used in uamserver (192.168.182.1) so that the name at least matches the URL chilli redirects to.
-------Configure radius
1) Edit /etc/raddb/clients.conf.
Find the section that contains the line
client 127.0.0.1 {
make sure it is uncommented, and then, in the section between the { and the following }, change the following line:
secret = testing123
Change testing123 to match the radiussecret you chose in /etc/chilli.conf. chilli and radiusd only accept each other's packets if both hold the same secret, and a mismatch shows up as every login being rejected.
2) Edit /etc/raddb/users
Uncomment the following line in the file
#steve Auth-Type := Local, User-Password == "testing"
This will be the test user and password we will use to make sure everything works. Remove it again once real users are being authenticated from MySQL.
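With chilli.conf, hotspotlogin.cgi and clients.conf all edited, the values that have to agree are spread over four files, and a typo in any of them shows up only as a silent login failure. The following POSIX shell script is an added example (it is not ChilliSpot code and not part of the original page) that pulls the relevant values out of each file and reports mismatches and shipped defaults left in place. It parses the file layouts quoted above (the "option value" lines of chilli.conf, the "$name = ...;" Perl assignments in hotspotlogin.cgi, the "client 127.0.0.1 { secret = ... }" block in clients.conf and the sysctl.conf key). The sample files it generates when run without arguments are constructed for the demonstration and the secrets in them are made up.

```shell
#!/bin/sh
# Added example, not part of ChilliSpot or of the steps above: cross-check the
# settings that must agree across /etc/chilli.conf, hotspotlogin.cgi,
# /etc/raddb/clients.conf and /etc/sysctl.conf before the services are started.
# Usage: sh check_chilli.sh chilli.conf hotspotlogin.cgi clients.conf sysctl.conf
# Without arguments it runs against constructed sample files (see below).

# Value of an uncommented "option value" line in chilli.conf (last one wins;
# "#uamsecret ..." has "#uamsecret" as its first word and is skipped).
chilli_opt() {   # $1=chilli.conf  $2=option name
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Value assigned to a Perl scalar in hotspotlogin.cgi, e.g. $uamsecret = "x";
# A commented-out assignment such as #$userpassword=1; is deliberately ignored.
cgi_var() {      # $1=hotspotlogin.cgi  $2=variable name without the leading $
    awk -v k="$2" -v sq="'" '
        $0 ~ ("^[ \t]*[$]" k "[ \t]*=") {
            sub("^[ \t]*[$]" k "[ \t]*=", "")   # drop  $name =
            sub("#.*$", "")                     # drop a trailing comment
            gsub("[\"" sq "; \t]", "")          # drop quotes, ; and blanks
            v = $0
        }
        END { print v }' "$1"
}

# "secret = ..." inside the "client <addr> { ... }" block of clients.conf.
radius_client_secret() {   # $1=clients.conf  $2=client address
    awk -v c="$2" '
        $1 == "client" && $2 == c { inblk = 1; next }
        inblk && $1 == "}"        { exit }
        inblk && $1 ~ /^secret/   { sub(/^[ \t]*secret[ \t]*=[ \t]*/, ""); print $1; exit }' "$1"
}

# Configured value of net.ipv4.ip_forward in sysctl.conf (empty if absent).
sysctl_forward() {   # $1=sysctl.conf
    awk -F= '$1 ~ /^[ \t]*net\.ipv4\.ip_forward[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print v }' "$1"
}

# Returns 0 when everything agrees, 1 otherwise, printing one line per finding.
check_setup() {   # $1=chilli.conf $2=hotspotlogin.cgi $3=clients.conf $4=sysctl.conf
    rc=0
    c_uam=$(chilli_opt "$1" uamsecret);     p_uam=$(cgi_var "$2" uamsecret)
    c_rad=$(chilli_opt "$1" radiussecret);  r_sec=$(radius_client_secret "$3" 127.0.0.1)
    userpw=$(cgi_var "$2" userpassword);    fwd=$(sysctl_forward "$4")
    if [ -z "$c_uam" ]; then echo "FAIL: uamsecret is not set (still commented out?) in $1"; rc=1; fi
    if [ "$c_uam" = ht2eb8ej6s4et3rg1ulp ]; then echo "FAIL: uamsecret is the public example value from chilli.conf"; rc=1; fi
    if [ "$c_uam" != "$p_uam" ]; then echo "FAIL: uamsecret differs between $1 and $2"; rc=1; fi
    if [ -z "$c_rad" ] || [ "$c_rad" = testing123 ]; then echo "FAIL: radiussecret unset or left at testing123 in $1"; rc=1; fi
    if [ "$c_rad" != "$r_sec" ]; then echo "FAIL: radiussecret in $1 does not match the secret for client 127.0.0.1 in $3"; rc=1; fi
    if [ "$userpw" != 1 ]; then echo "FAIL: \$userpassword=1 is still commented out in $2"; rc=1; fi
    if [ "$fwd" != 1 ]; then echo "FAIL: net.ipv4.ip_forward is not 1 in $4 (clients will not be routed)"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK: secrets and forwarding settings are consistent"; fi
    return $rc
}

# Constructed sample files (not real deployment files). "good" has changed,
# matching secrets; "bad" leaves the shipped examples and comments in place.
make_sample_configs() {   # $1=good|bad ; prints the directory it created
    d=$(mktemp -d)
    if [ "$1" = good ]; then
        cline="uamsecret k7Pq2mX9vL4tR8sW"; pval=k7Pq2mX9vL4tR8sW
        rsec=c3bT6nY1zQ5hJ9dF; pw='$userpassword=1;'; fwd=1
    else
        cline="#uamsecret ht2eb8ej6s4et3rg1ulp"; pval=ht2eb8ej6s4et3rg1ulp
        rsec=testing123; pw='#$userpassword=1;'; fwd=0
    fi
    cat >"$d/chilli.conf" <<EOF
net 192.168.182.0/24
dns1 192.168.182.1
dhcpif eth1
radiusserver1 127.0.0.1
radiussecret c3bT6nY1zQ5hJ9dF
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
$cline
EOF
    cat >"$d/hotspotlogin.cgi" <<EOF
#!/usr/bin/perl
\$uamsecret = "$pval";
$pw
EOF
    cat >"$d/clients.conf" <<EOF
client 127.0.0.1 {
    secret    = $rsec
    shortname = localhost
}
EOF
    printf 'net.ipv4.ip_forward = %s\n' "$fwd" >"$d/sysctl.conf"
    echo "$d"
}

if [ "$#" -eq 4 ]; then
    check_setup "$@"
else
    dir=$(make_sample_configs good)
    check_setup "$dir/chilli.conf" "$dir/hotspotlogin.cgi" "$dir/clients.conf" "$dir/sysctl.conf"
    rm -rf "$dir"
fi
```

Run it with the four real paths after finishing the edits and before the restarts in the last section; the exit status is non-zero on any finding, so it can sit in front of the chilli init script. It reads the files as root only because chilli.conf and clients.conf are normally not world-readable; it never modifies them.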
-------Copy firewall.iptables from source to /etc/rc.d/init.d/chilli.iptables
Check that the interface names at the top of the script match eth0 (WAN) and eth1 (LAN) before running it; the script is what allows forwarding and NAT for the tun0 network and blocks everything else on the LAN side.
-------Start the firewall
sh /etc/rc.d/init.d/chilli.iptables
-------Restart services
/etc/rc.d/init.d/httpd restart
/etc/rc.d/init.d/radiusd restart
/etc/rc.d/init.d/chilli restart