Thursday, July 19, 2007

TIP: WiFi with chillispot and linux

Well, blogging back, here's a short and brief hot chillispot tips for smooth ChilliSpot installation.

As we all know, ChilliSpot is an open source captive portal or wireless LAN access point controller. It is used for authenticating users of a wireless LAN (WiFi). It supports web based login page which is today's standard for public hotspots. Authentication, authorization and accounting (AAA) is handled by our favorite radius server. It also supports two different access methods for a Wireless LAN HotSpot namely Universal Access Method (UAM) as well as Wireless Protected Access (WPA).

ChilliSpot man now says:
Chilli has three major interfaces:
A downlink interface for accepting connections from clients, a radius interface for authenticating clients and an uplink network interface for forwarding traffic to other networks.
Authentication of clients is performed by an external radius server. For UAM the CHAP-Challenge and CHAP-Password as specified by RFC 2865 is used. For WPA the radius EAP-Message attribute as defined in RFC 2869 is used. The message attributes described in RFC 2548 are used for transferring encryption keys from the radius server to chilli. Furthermore the radius interface supports accounting.

The downlink interface accepts DHCP and ARP requests from clients. The client can be in two states: Unauthenticated and authenticated.

In unauthenticated state web requests from the client are redirected to an authentication web server.

In a typical application unauthenticated clients will be forwarded to a web server and prompted for username and password. The web server forwards the user credentials to chilli by means of redirecting the web browser to chilli. A received authentication request is forwarded to a radius server. If authentication is successful the state of the client is changed to authenticated. This authentication method is known as Universal Access Method (UAM).

As an alternative to UAM the access points can be configured to authenticate the clients by using Wireless Protected Access (WPA). In this case authentication credentials are forwarded from the access point to chilli by using the radius protocol. The received radius request is proxied by chilli and forwarded to the radius server.

The uplink interface is implemented by using the TUN/TAP driver. When chilli is started a tun interface is established, and optionally an external configuration script is called.

Read ChilliSpot installation basics here first.

Check out the latest version from this download page. Now, do

Download the latest rpm binary here or install directly via:

# rpm -ivh

# updatedb &


The old safe way, make a backup copy of chilli.conf file.
# locate chilli.conf
# cp /etc/chilli.conf /etc/chilli.conf.bak

Fire up your favorite browser. And google for "chillispot hotspotlogin.php" keyword.

We are trying to fetch a higher version of hotspotlogin.php or hotspot.php file. Why? I like PHP better than CGI works. :) If you get a version of 0.97 and above, that would be great.

One reason is that this hotspot.php file from google'd page, would actually replace chilli's own CGI login page called hotspotlogin.cgi .

# locate hotspotlogin.cgi

Now, let us assume you already have hotspot.php. We need to copy this file into your root apache directory or whatever suits you as long as the location would be referenced inside /etc/chilli.conf. That basically means, your apache should be up and running as well.

Now, copy the downloaded hotspot.php to your apache root directory like

# cp hotspot.php /var/www/html/

Start your apache
# service httpd start

Note, you can add more IP address restrictions here using apache conf.d files.

Avoid the attitude of hitting copy then paste. Make sure you replace the ones that suits your values. Worry not, you have a backup copy of it, remember? Now, open up your editor and modify /etc/chilli.conf for the below changes.

pidfile /var/run/
dynip your-radius-server-IP-address-local-NETWORK/subnet
net your-radius-server-IP-address-local-NETWORK/subnet
dns1 your-primary-dns-IP-address
dns2 your-secondary-dns-IP-address
radiusserver1 your-radius-server-IP-address-live
radiusauthport 1812
radiusacctport 1813
radiussecret your-wifi-secret
radiusnasip your-radius-server-IP-address-local
uamsecret your-uam-secret
uamlisten your-radius-server-IP-address-local
uamport 3990

# service chilli start

11 TIPS:

ChilliSpot-powered linux box acting as wifi access point gateway (controller) has been successful with noted conditions below:

1. having a redhat-based distro with kernel versions 2.6.x and above
2. with 2 NICs (Gigabit Ethernet preferably) for optimum performance with
one live IP and unassigned eth1
3. an active firewall with MASQ or preferably NAT
4. for server-based WiFi database and code generation/administration - working Apache/MySQL/PHP + FreeRadius is adviseable
5. gateway of WiFi APs = linux tun0 IP address
6. eth1 should not have any IP address
7. existing caching DNS and Squid proxy for added performance.
8. very nice if you can do PHP coding to create your own customized WiFi admin and mgmt page
9. and lastly, you are trying to avoid an erratic and sad experience the way *some and cheap WiFi box handles AAA, NAT, cloaking, code generation/mgmt (atleast for my case) and not to mention a clogged bottlenecked ethernet ports for a typical large volume of WiFi audience.
10. The last wifi box next to your linux box are cross-cabled.

If it doesn't work out right, read chilli.conf, read FAQs , join the forums and try again.

Make it colorful with your MRTG graph usage, NTOP, bandwidth

See my wifi admin and mgmt page:



Sign up for PayPal and start accepting credit card payments instantly.
ILoveTux - howtos and news | About | Contact | TOS | Policy