iut:projtut:captive:server

Introduction

The captive portal could be run on the router itself. Unfortunately, in our case it cannot, so it runs on the server instead.

We are using Chillispot with FreeRADIUS and MySQL.

Installation

Requirements

- A PC with 2 network cards
Here, eth0 will be 'the internet', eth1 will be the LAN on which chillispot is active

- VirtualBox if you don't plan on using a real machine

- Debian 6.0

- A WiFi access-point

How-to

Installing Debian

Machine name : ProjetChilli

Domain : (none)

Root password : projet

New user : Chilli Projet

User ID : chilli

User password : “ ” (space)

Use one disk containing all partitions

Don't check any other CDs

Use ftp.fr.debian.org as network mirror

Don't use popularity contest

Select : Graphical environment (optional) and the Web, DNS and SSH servers (the SQL server proposed is PostgreSQL; we are going to use MySQL, so don't select that option)

Unselect : Standard system utilities

Get a coffee or take a nap while waiting for the system to fetch all the programs, updates and such

Setting the system defaults

First of all, you may want to install startup-manager if you have multiple systems on one PC

Secondly, change the options to remove the screensaver and to automatically log in as user Chilli (this saves time & annoyance when restarting often)

Also, it may be helpful to put user Chilli in the sudoers file:

su root
visudo

add line :

chilli ALL=(ALL) NOPASSWD: ALL

Pin these programs to status bar : Epiphany, Terminal, Synaptic; as you will often use them

Add useful pages to bookmarks bar in Epiphany

Change terminal colors to White on Black for comfort

In Synaptic, change the repositories to include contrib and non-free, and remove cdrom

Getting & Installing the basic components

Note: most steps are given as command lines, although you could do them graphically; this keeps the instructions the same if you chose not to install the graphical environment

Before anything, check your system is up to date:

sudo apt-get update
sudo apt-get upgrade

Authentication

It is best to install these two components at about the same time: FreeRADIUS has to be installed first, since it provides the tables you will insert into MySQL :

FreeRADIUS

apt-get install freeradius freeradius-mysql

Testing setup:

Set a different password (shared secret) for localhost:

nano -w /etc/freeradius/clients.conf

client localhost {
             ipaddr = 127.0.0.1
             secret = radiussecret
}

nano -w /etc/freeradius/users

Uncomment the following lines:

"John Doe"     Auth-Type := Local, User-Password == "hello"
                     Reply-Message = "Hello, %u"

Stop FreeRADIUS:

/etc/init.d/freeradius stop

Check radius configuration files:

freeradius -XXX

If all is OK, it should display the following:

Debug: Ready to process requests

Exit with Ctrl+C, then start FreeRADIUS again:

/etc/init.d/freeradius start

Try connecting with user John Doe:

radtest "John Doe" hello 127.0.0.1 0 radiussecret

If the file authorization is right, you should receive:

Sending Access-Request of id 136 to 127.0.0.1 port 1812
        User-Name = "John Doe"
        User-Password = "hello"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37
        Reply-Message = "Hello, John Doe"
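
How the radtest exchange above is protected on the wire, as an added example that is not part of the original page: the User-Password hiding and the Response Authenticator defined in RFC 2865, shown for both client and server. It uses the radiussecret value from this page; the request authenticator is a constructed value.

```python
import hashlib
import hmac
import struct

SECRET = b"radiussecret"        # shared secret set in clients.conf on this page
REQUEST_AUTH = bytes(range(16))  # constructed; a real client uses 16 random bytes

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def access_accept(ident, request_auth, secret, message):
    """Build a code-2 reply carrying one Reply-Message (type 18) attribute."""
    attrs = bytes([18, len(message) + 2]) + message
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_is_authentic(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator over the received reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    hidden = hide_password(b"hello", SECRET, REQUEST_AUTH)
    print("User-Password on the wire:", hidden.hex())
    reply = access_accept(136, REQUEST_AUTH, SECRET, b"Hello, John Doe")
    print("Access-Accept length:", len(reply))
    print("authentic:", reply_is_authentic(reply, REQUEST_AUTH, SECRET))
```

Both protections rest only on MD5 and the shared secret, so the secret in clients.conf should be long and random on anything other than a test machine.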

MySQL

apt-get install mysql-server

When prompted for a password, enter mysqladminsecret

For this next part, you may want to use a graphical client such as PHPMyAdmin, MySQLNavigator/MySQLAdministrator or anything similar

Now, on to creating the RADIUS tables:

mysql -u root -p
mysql> CREATE DATABASE radius;
mysql> quit

mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

mysql -u root -p
mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'mysqlsecret';
mysql> FLUSH PRIVILEGES;
mysql> quit

Combining both

Now that FreeRADIUS works on its own, and our MySQL tables are done, we have to combine the two

First, tell FreeRADIUS where to find MySQL:

nano -w /etc/freeradius/sql.conf
database = "mysql"
login = "radius"
password = "mysqlsecret"

Change FreeRADIUS Authorization from file to sql :

nano -w /etc/freeradius/sites-available/default

In authorize{, comment out files and uncomment sql (change "files" and "#sql" to "#files" and "sql")

Because we are later going to use an admin interface, we also have to enable SQL logging : uncomment sql in accounting{ and session{

nano -w /etc/freeradius/sql.conf

Uncomment readclients = yes

Uncomment $INCLUDE sql.conf in /etc/freeradius/radiusd.conf

Add users to MySQL

When prompted for password, use mysqlsecret and NOT mysqladminsecret

echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('mysqltest', 'Password', 'testsecret');" | mysql -u radius -p radius
echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('chillispot', 'Password', 'chillispot');" | mysql -u radius -p radius

Restart FreeRADIUS:

/etc/init.d/freeradius restart

Test link

radtest mysqltest testsecret 127.0.0.1 0 radiussecret
radtest chillispot chillispot 127.0.0.1 0 radiussecret

If everything works, you should, as before, receive an Access-Accept from FreeRADIUS. If not, running freeradius -XXX should tell you where the problems are.
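
A check for the three edits to sites-available/default described in this section, as an added example that is not part of the original page. The sample text is a constructed excerpt, with the session section deliberately left unedited so the check reports a finding; on the server you would pass it the contents of the real file.

```python
# Constructed excerpt of /etc/freeradius/sites-available/default (session left unedited).
SAMPLE = """\
authorize {
    preprocess
#   files
    sql
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
accounting {
    detail
    sql
}
session {
    radutmp
#   sql
}
"""

def active_modules(text):
    """Return {section: [uncommented module names]} for top-level sections."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            if depth == 0:                       # only top-level blocks are sections
                current = (line[:-1].split() or [""])[0]
                sections[current] = []
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and depth == 1:                # ignore nested blocks such as Auth-Type
            sections[current].append(line)
    return sections

def audit(text):
    """List the steps of this page that the given site file does not satisfy."""
    mods = active_modules(text)
    findings = []
    if "files" in mods.get("authorize", []):
        findings.append("authorize: files is still enabled")
    for section in ("authorize", "accounting", "session"):
        if "sql" not in mods.get(section, []):
            findings.append(section + ": sql is not enabled")
    return findings
```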

Chillispot

Get the .deb package from Chillispot and install it with

sudo dpkg -i chillispot.deb

Chillispot only has one configuration file : /etc/chilli.conf

cp /usr/share/doc/chillispot/hotspotlogin.cgi.gz /usr/lib/cgi-bin
gunzip /usr/lib/cgi-bin/hotspotlogin.cgi.gz
chmod 755 /usr/lib/cgi-bin/hotspotlogin.cgi
nano -w /usr/lib/cgi-bin/hotspotlogin.cgi

$uamsecret = "uamsecret";
$userpassword=1;

Apache

SSL

apt-get install ssl-cert
mkdir /etc/apache2/ssl
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
a2enmod ssl
/etc/init.d/apache2 restart
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
nano -w /etc/apache2/sites-available/ssl

See Files for what this file should look like

a2ensite ssl

IPtables

Although the base is done, for the system to work correctly we have to do 2 things

echo 1 > /proc/sys/net/ipv4/ip_forward
nano -w /etc/sysctl.conf
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

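These enable IP forwarding so that packets can go from one network to the other (the /etc/sysctl.conf edit makes the setting persist across reboots), and activate NAT on eth0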

Admin interface

Scripts

Check out the scripts I used

References

Support

iut/projtut/captive/server.txt · Last modified: 2013/12/25 16:47 (external edit)