24 March, 2010

Debian Wi-Fi hotspot using CoovaChilli, FreeRadius, MySQL and daloRADIUS

I decided to create a hotspot on my server so that others can connect to the Internet for free. I used a "captive portal" solution based on CoovaChilli, FreeRadius, MySQL and daloRADIUS.
When somebody wants to connect to the Internet using my Wi-Fi, the first page he sees is the register/login page (whatever page he wants to visit).
After registration/login he is able to connect to the Internet.

So let's see how I did it.

Let's have one server with two network interfaces: the first (eth0) goes to the Internet, the second (eth1) is the Wi-Fi for "unknown" clients.


Install basic software:

aptitude install mysql-server phpmyadmin freeradius freeradius-utils freeradius-mysql apache2 php-pear php-db
a2enmod ssl
a2ensite default-ssl
service apache2 restart
cd /tmp && wget 'http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz'
tar xvzf daloradius-0.9-8.tar.gz
mv /tmp/daloradius-0.9-8 /var/www/daloradius
chown -R www-data:www-data /var/www/daloradius
cp -r /var/www/daloradius/contrib/chilli/portal2/* /var/www/
rm /var/www/index.html

Because my machine is 64-bit, I need to build the CoovaChilli package myself:
aptitude --assume-yes install dpkg-dev debhelper libssl-dev
cd /tmp
wget -c http://ap.coova.org/chilli/coova-chilli-1.2.2.tar.gz
tar xzf coova-chilli*.tar.gz
cd coova-chilli*
dpkg-buildpackage -rfakeroot

Install CoovaChilli:
cd ..
dpkg -i coova-chilli_*_amd64.deb

Configure FreeRadius


Change /etc/freeradius/clients.conf:
client 127.0.0.1 {
 secret     = mysecret
}

Change /etc/freeradius/sql.conf:
        server = "localhost"
        login = "root"
        password = "xxxx"

Uncomment in /etc/freeradius/sites-available/default:
authorize {
          sql
}

accounting {
         sql
}

Uncomment in /etc/freeradius/radiusd.conf:
       $INCLUDE sql.conf

Configure MySQL database for FreeRadius

mysql -u root --password=xxxx
mysql> CREATE DATABASE radius;
mysql> exit

mysql -u root --password=xxxx radius < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

daloRADIUS configuration


Modify this file /var/www/daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = 'mysecret';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

You also need to modify the following configuration files to set up the sign in web pages, /var/www/signup-*/library/daloradius.conf.php:
$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_SIGNUP_SUCCESS_MSG_LOGIN_LINK'] = "Click <b>here</b>".
                                        " to return to the Login page and start your surfing";

Change the lines in /var/www/signup*/index.php to (changed 'User-Password' -> 'Cleartext-Password' and '==' -> ':='):
  $sql = "INSERT INTO ".$configValues['CONFIG_DB_TBL_RADCHECK']." (id, Username, Attribute, op, Value) ".
                                        " VALUES (0, '$username', 'Cleartext-Password', ':=', '$password')";

Another file that needs to be modified to communicate with CoovaChilli is /var/www/hotspotlogin/hotspotlogin.php:
$uamsecret = "uamsecret";

Now you should be able to reach the daloRADIUS installation at http://127.0.0.1/daloradius/
username: administrator
password: radius

Routing


We should not forget to enable packet forwarding and set up NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
sed --in-place=.old 's/^#\(net.ipv4.ip_forward=1\)/\1/' /etc/sysctl.conf
sysctl -p

CoovaChilli configuration


Let's start with /etc/chilli/defaults:
HS_NETWORK=192.168.10.0
HS_UAMLISTEN=192.168.10.1

HS_RADSECRET=mysecret
HS_UAMSECRET=uamsecret
HS_UAMFORMAT=https://\$HS_UAMLISTEN/hotspotlogin/hotspotlogin.php
HS_UAMHOMEPAGE=https://\$HS_UAMLISTEN

Then don't forget to enable CoovaChilli to start in /etc/default/chilli:
START_CHILLI=1

You may need to run chilli and the RADIUS server with debug options to see "errors" during client connection:
chilli --fg --debug
freeradius -X
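
The steps above put the same RADIUS shared secret into clients.conf, daloradius.conf.php and /etc/chilli/defaults, and the same UAM secret into hotspotlogin.php and /etc/chilli/defaults. The script below is an added example, not part of the original how-to: it checks that those copies agree and flags the placeholder values printed on this page. The function names, the root-directory argument and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check that the shared secrets
# from this how-to agree across every file that has to carry them.

# Print the first uncommented value assigned to key $2 in file $1, without
# quotes, ';' or trailing comment. Taking the first match is an assumption:
# a real clients.conf can hold several client blocks.
get_value() {
    sed -n -e '\|^[[:space:]]*[#/]|d' \
        -e "s/^[[:space:]]*[^[:space:]=]*$2[^=]*=[[:space:]]*//p" "$1" 2>/dev/null |
        head -n 1 | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"';"
}

# compare NAME VALUE1 FILE1 VALUE2 FILE2: report by file name only, so the
# secrets themselves never reach the terminal or a log.
compare() {
    if [ -z "$2" ] || [ -z "$4" ]; then
        echo "MISSING $1: $3 or $5"; return 1
    elif [ "$2" != "$4" ]; then
        echo "MISMATCH $1: $3 vs $5"; return 1
    fi
}

# $1 = directory that holds etc/ and var/ ("/" on the live server).
check_hotspot_secrets() {
    root=${1%/}; rc=0
    rad_chilli=$(get_value "$root/etc/chilli/defaults" HS_RADSECRET)
    uam_chilli=$(get_value "$root/etc/chilli/defaults" HS_UAMSECRET)
    rad_fr=$(get_value "$root/etc/freeradius/clients.conf" secret)
    rad_dalo=$(get_value "$root/var/www/daloradius/library/daloradius.conf.php" \
        CONFIG_MAINT_TEST_USER_RADIUSSECRET)
    uam_php=$(get_value "$root/var/www/hotspotlogin/hotspotlogin.php" uamsecret)

    compare radsecret "$rad_chilli" chilli/defaults "$rad_fr" clients.conf || rc=1
    compare radsecret "$rad_chilli" chilli/defaults "$rad_dalo" daloradius.conf.php || rc=1
    compare uamsecret "$uam_chilli" chilli/defaults "$uam_php" hotspotlogin.php || rc=1
    # The literal values printed in the how-to are public; flag them.
    for v in "$rad_chilli" "$rad_fr" "$rad_dalo" "$uam_chilli" "$uam_php"; do
        case $v in
            mysecret|uamsecret) echo "PLACEHOLDER secret still in use"; rc=1; break ;;
        esac
    done
    return $rc
}

# Constructed sample tree: the how-to's values, except that hotspotlogin.php
# carries a different UAM secret than /etc/chilli/defaults.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/freeradius" "$d/etc/chilli" \
        "$d/var/www/daloradius/library" "$d/var/www/hotspotlogin"
    printf 'client 127.0.0.1 {\n secret     = mysecret\n}\n' > "$d/etc/freeradius/clients.conf"
    printf 'HS_RADSECRET=mysecret\nHS_UAMSECRET=uamsecret\n' > "$d/etc/chilli/defaults"
    printf "\$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = 'mysecret';\n" \
        > "$d/var/www/daloradius/library/daloradius.conf.php"
    printf '$uamsecret = "changed-on-one-side";\n' > "$d/var/www/hotspotlogin/hotspotlogin.php"
    echo "$d"
}

sample=$(make_sample_tree)
check_hotspot_secrets "$sample" || echo "fix the findings above before going live"
rm -rf "$sample"
```

On the server itself, call `check_hotspot_secrets /` as root; it prints nothing and returns 0 only when all copies agree and none is a placeholder.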

A few links we created:
  • http://192.168.10.1/signup-free/ - sign up page (if you don't have username/password)
  • http://192.168.10.1:3990/prelogin - use for login to your portal
  • http://192.168.10.1/daloradius/ - daloradius admin page
  • http://192.168.10.1/phpmyadmin/ - phpmyadmin page (useful for sql database)

This how-to describes a simple configuration of CoovaChilli, so there are many things left to configure. I didn't mention anything about security, so it's up to you to tweak it yourself.

You can find additional info on this web page:

https://help.ubuntu.com/community/WifiDocs/CoovaChilli

Enjoy... ;-)


40 comments :

  1. jonathan 5/4/10 05:36

    hi,

    I get the error

    redir.c: 1121: 98 (Address already in use) IP: 192.168.10.1 Port: 3990 - Waiting for retry.
    in chilli and
    Failed binding to socket: Address already in use
    /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
    in radius

    please help

    Thank you very much for your time.

  2. It looks like some process is using port 3990 and 1812.
    Try netstat (netstat -onatpe) to see what is the process pid and kill it.
    Then it should be fine...

  3. Me too... the same message.

    redir.c: 1121: 98 (Address already in use) IP: 192.168.10.1 Port: 3990 – Waiting for retry.

    The process its ok...
    what happens?

  4. Same error here too:
    redir.c: 1121: 98 (Address already in use) IP: 10.0.7.1 Port: 3990 - Waiting for retry.

  5. Dear all..
    I installed and configured using your steps properly. Lastly I try to open the web browser using http://127.0.0.1/daloradius/ but I do not get any pages and username & password, it is just going to this page http://127.0.0.1/daloradius/login.php but it's a blank page. Please guide me, anyone. I don't know where I made a mistake.

  6. John Everett 8/6/10 19:13

    Thanks much for your documentation! Coova-Chilli has so little documentation. This is a great help.

    I notice that you have your wireless described as 'eth1'? Is your "eth1" an ethernet adapter (with an external wireless bridge connected) or is it an actual wireless adapter in your Debian box? I can't tell if your diagram is showing the Hotspot_Server's eth1 *as* a wireless device, or *connected to* a wireless device.

    In my Debian box, the wireless adapter shows up as ath0 and it needs to be configured to work in AP mode (wlanconfig ath0 create wlandev wifi0 wlanmode ap; iwconfig ath0 essid MYNETWORK) before Coova-chilli can even start to see clients. What sort of interfaces and interface setup does your server have? If eth1 is indeed a wireless card, did you have to do anything to set it up (e.g. iwconfig wlan0 essid MYNETWORK; iwconfig wlan0 mode ap)?

    Also, your diagram shows the WiFi_Client as having address (eth0)192.168.10.1, which is the same address as the Hotspot_Server (eth1)192.168.10.1. Should the client have perhaps 192.168.10.2?

    Thanks again.

  7. Hi.

    In the examples above I used VirtualBox with emulated network cards. I used it because it doesn't matter whether you use a wifi card or a network card connected to a switch with computers.
    In the real (wifi) situation I'm using wlan0 and the program hostapd on my server. Hostapd is creating an AP with WPA2 from my wireless card. You can also use iwconfig to set up AP mode - it usually depends on the wireless card you are using - but you can't set up WPA with it.
    Thank you for letting me know about the picture - there's a mistake there - I'll fix it asap :-)

    See you

    PetrR

  8. Hello,

    I recently followed your tutorial and I am running into an odd issue. When I try to fire up chilli with the debug command, I get this output constantly:

    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[21354]: options.c: 174: could not generate configuration (/tmp/chilli-21354/config.bin), sleeping one second


    Any idea what I might have missed that can be causing this?

  9. @Jim P


    Nevermind! :) starting chilli via the init.d directory seemed to have resolved that issue.

  10. John Everett 18/6/10 19:44

    I had a similar problem. In order to get the debug/foreground options (--fg --debug) I had to add them to the start block of the chilli script in init.d.

    It came in handy too because when I switched from the instructions here (for eth0) to my wireless (ath0), the default MTU was too large for Coova Chilli and the debug output showed the problem for me to fix (with ifconfig ath0 mtu xxxx).

  11. Same problem here, can anyone help with what mistake I made? Also notice "http://192.168.10.1:3990/prelogin - use for login to your portal": the following links are not working, I don't know where I made a mistake.


    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[14423]: options.c: 174: could not generate configuration (/tmp/chilli-14423/config.bin), sleeping one second


    Please guide me anyone for this issue

  12. For users having the "could not generate config" error: create the full path of folders for your script. E.g. if the error is could not generate /tmp/chilli-14423/config.bin, create the folders needed with mkdir -p /tmp/chilli-14423 and restart your service. This is necessary when your chilli tries to create configs in some folder that does not exist.

    After some errors I made it work well.

    Sorry for the poor English.

  13. dear ...

    please guide me ...

    This link is not working, other links are working fine:
    http://192.168.10.1:3990/prelogin - use for login to your portal

    For what reason I don't know, anyone help me

  14. hi..

    i type the following command as root user i get the message : please tell how to solve this:

    radiusd: #### Opening IP addresses and Ports ####
    listen {
    type = "auth"
    ipaddr = *
    port = 0
    Failed binding to authentication address * port 1812: Address already in use
    /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

  15. Yogesh Patil 17/8/10 22:40

    hi,
    i have followed all the steps you have given, i got success running everything locally on the Linux-PC and it is also leasing IP to client, but i am not able to access any link i.e. prelogin, daloradius etc.., also not able to ping to the server (i.e. Chillispot PC)

    i have already seen that you told that there is need to tweak security settings, please give settings for the allowing access from client PC


    Thanks

  16. You mentioned you created a few links. Where did you create the links? I assume they were on the Wireless Router and not the server??

  17. hello ...

    Any one help me .same problem here

    joseph
    August 5th, 2010 at 12:13
    Reply | Quote | #13
    dear …

    please guide me …

    Not working this link: other links are working fine
    http://192.168.10.1:3990/prelogin – use for login to your portal

    what reason i don know any one help me

  18. @joseph
    Same problem here help me any one

  19. Any one tell me ? what is this my problem?

    chilli status

    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second
    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second
    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second
    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second

  20. Hello guys.

    I'm glad this "how-to" brings so much interest to CoovaChilli. Unfortunately I'm no longer using it and I'm not able to help you. As I wrote before - this is not a step-by-step how-to for beginners. It's just a few notes I wrote when I configured/used it.

    Good luck...

    PetrR

  21. This tutorial is fine..
    but I can't understand why you use both (chilli & dalo) at a time..?
    I think one is sufficient.

    http://ciitix.ciit.net.pk/index.php/ciitix-wifi-documentation

    Regards:
    .
    Kashif Aziz Awan

  22. Hello.

    As far as I know daloRADIUS is just webgui, where you can see your users, their accesses, date/times. CoovaChilli is Captive Portal solution. These two are separate projects and can be used standalone. They are doing different jobs too...

  23. @Admin
    Have you used "sudo"

  24. yes i am in super user(root)@aku82

  25. Hello guy!
    (sorry for the English, I'm French)
    I have followed your howto step by step, but I have this message:
    "Enginx hotspot Login Failed"
    no pop-up, however the login/pwd is in the daloradius database
    can you help me ?
    thx a lot
    it's for my internship (?)

  26. Can someone please help me understand how i can do this on Centos 5? I need to create a server with freeradius that also has the login page for wifi users to get authenticated (like a paid hotspot)

  27. Mohammad Dashti 14/1/11 23:34

    Hi,

    First (answer to Flo), I should mention that in "CoovaChilli configuration" part,

    instead of

    HS_UAMHOMEPAGE=https://$HS_UAMLISTEN

    should be

    HS_UAMHOMEPAGE=http://$HS_UAMLISTEN:$HS_UAMPORT/prelogin

    ----
    but after performing all above operations, there is only one point left! When I enter my username/password in hotspotlogin page (from client machine), I see below result in freeradius debug output (from server machine):

    [sql] expand: %{User-Name} -> dashti
    [sql] sql_set_user escaped user --> 'dashti'
    ...
    [pap] login attempt with password "�?c�??B_?�I?�?Z�"
    [pap] Using CRYPT encryption.
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> dashti

    I also rechecked all secret words in mentioned configuration files.

    Any solution?

  28. For anyone having trouble with this. I started a project awhile ago that creates deb packages (debian/ubuntu) that do all the hard work for you. It also includes a GUI for managing users. It still uses Coova Chilli, FreeRadius, MySQL, but does the hard work of integrating them for you.
    See http://sourceforge.net/projects/grase/ for details. There is a single deb to download that installs the repository, then you pull in the components you need and it sets it up accordingly. Please contact me if you are using it so I can keep you updated.

    Tim

  29. @Mohammad Dashti
    You might want to check the sql.conf where the user name and password for the database are. Make sure it matches the user name of the database you created. Example user:root password:yourdatabasepassword

  30. @Tim
    does the captive portal look the same or you made any change ?

  31. @Flo
    you need to do this before it works
    sudo apt-get update
    then apt-get install upgrade
    take a walk, come back in like half an hour, then reboot and check it out

  32. @edwin
    sorry apt-get upgrade

  33. I have a client that is interested in setting up hotspots in 150 locations.
    It will be free access and the only thing that have found is the monthly payment services.

    I would like to set up my own system, Do you have the know how to do this and would you be available to work on this, if so please contact me.

  34. Alvin Arnardu 10/11/11 16:18

    Guys, I just installed free rad using some of the above instructions; this is what I get. I am also not sure how the 192.168.10.1/.. pages are supposed to come up, I mean do they just pop up or do I have to connect the AP.. I'm a newbie, please explain:


    address: localhost! [Success]
    coova-chilli[18841]: options.c: 181: could not generate configuration (/usr/local/var/run/chilli.18841.cfg.bin), sleeping one second
    main-opt.c: 523: 0 (Debug) DHCP Listen: 10.1.0.1
    main-opt.c: 524: 0 (Debug) UAM Listen: 10.1.0.1
    garden.c: 143: 0 (Debug) Uamallowed www.coova.org
    garden.c: 124: 0 (Debug) Uamallowed IP address #0:128: proto=0 host=174.129.195.118 port=0
    garden.c: 143: 0 (Debug) Uamallowed 10.1.0.1
    garden.c: 124: 0 (Debug) Uamallowed IP address #1:128: proto=0 host=10.1.0.1 port=0
    garden.c: 143: 0 (Debug) Uamallowed
    garden.c: 207: 0 (Debug) Invalid uamallowed domain or address: !
    garden.c: 143: 0 (Debug) Uamallowed www.coova.org
    garden.c: 96: 0 (Debug) Uamallowed already exists #0:128: proto=0 host=174.129.195.118 port=0

  35. hey sure I do, email me at edwinosantos@gmail.com, hope it's not too late @Joah Santos


  36. Joah Santos :I have a client that is interested in setting up hotspots in 150 locations.
    It will be free access and the only thing that have found is the monthly payment services.
    I would like to set up my own system, Do you have the know how to do this and would you be available to work on this, if so please contact me.

    edwinosantos@gmail.com

  37. Install "haserl" for coovachilli

  38. Hi, I've gone through this walkthrough and I'm unable to authenticate clients and what not through the system. Getting the server to pass traffic from one interface to the other was challenging, but I've finally gotten data to be able to pass through the box and to the internet. Any help would be much appreciated. I know this appears to be a dead thread, but here is my email in case anyone wants to try and help me out.

    kyle_hoehn@hotmail.com

  39. Hi, this is my first foray into a hotspot/radius though I'm "reasonable" with linux (been a unix/linux admin for longer than I care to remember 8-).

    Having a problem with the radius server... daloradius is telling me that radius is disabled and the radius log file is showing: -

    Sun Feb 26 19:49:16 2012 : Info: Loaded virtual server inner-tunnel
    Sun Feb 26 19:49:16 2012 : Info: Loaded virtual server
    Sun Feb 26 19:49:16 2012 : Info: Ready to process requests.
    Sun Feb 26 19:49:17 2012 : Info: Received HUP signal.
    Sun Feb 26 19:49:17 2012 : Info: HUP - Re-reading configuration files
    Sun Feb 26 19:49:17 2012 : Info: HUP - loading modules
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "files"
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "suffix"
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "detail"
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "pap"
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "radutmp"
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "attr_filter.access_reject"
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module "attr_filter.accounting_response"
    Sun Feb 26 19:49:17 2012 : Info: Loaded virtual server inner-tunnel
    Sun Feb 26 19:49:17 2012 : Info: Loaded virtual server
    Sun Feb 26 21:03:26 2012 : Info: Exiting normally.
    Sun Feb 26 21:04:50 2012 : Error: Failed to add duplicate client 127.0.0.1
    Sun Feb 26 21:04:50 2012 : Error: /etc/freeradius/clients.conf[235]: Failed to add client 127.0.0.1

    I can't for the life of me spot what's causing the errors - any ideas?

    Thanks!

    Andy B.

  40. hello!

    Can we set up some MACs so that they will not have to log in and, as soon as they connect, will have immediate access?
