
Debian Wi-Fi hotspot using CoovaChilli, FreeRadius, MySQL and daloRADIUS

I decided to create a hotspot from my server to allow others to connect to the Internet for free. I used a "captive portal" solution based on these applications:
CoovaChilli
FreeRadius
MySQL
daloRADIUS
When somebody wants to connect to the Internet using my wifi, the first page he sees is the register/login page (whatever page he wants to visit).
After registration/login he is able to connect to the Internet.

So let's see how I did it.

Let's have one server with two network interfaces - first (eth0) goes to Internet, the second one (eth1) is the wifi for "unknown" clients.


Install basic software:
aptitude install mysql-server phpmyadmin freeradius freeradius-utils freeradius-mysql apache2 php-pear php-db
a2enmod ssl
a2ensite default-ssl
service apache2 restart
cd /tmp && wget 'http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz'
tar xvzf daloradius-0.9-8.tar.gz
mv /tmp/daloradius-0.9-8 /var/www/daloradius
chown -R www-data:www-data /var/www/daloradius
cp -r /var/www/daloradius/contrib/chilli/portal2/* /var/www/
rm /var/www/index.html

Because my machine is 64 bit I need to build CoovaChilli package myself:
aptitude --assume-yes install dpkg-dev debhelper libssl-dev
cd /tmp
wget -c http://ap.coova.org/chilli/coova-chilli-1.2.2.tar.gz
tar xzf coova-chilli*.tar.gz
cd coova-chilli*
dpkg-buildpackage -rfakeroot

Install CoovaChilli:
cd ..
dpkg -i coova-chilli_*_amd64.deb

Configure FreeRadius

Change /etc/freeradius/clients.conf:
client 127.0.0.1 {
secret = mysecret
}

Change /etc/freeradius/sql.conf:
server = "localhost"
login = "root"
password = "xxxx"

Uncomment in /etc/freeradius/sites-available/default:
authorize {
sql
}

accounting {
sql
}

Uncomment in /etc/freeradius/radiusd.conf:
$INCLUDE sql.conf

Configure MySQL database for FreeRadius
mysql -u root --password=xxxx
mysql> CREATE DATABASE radius;
mysql> exit

mysql -u root --password=xxxx radius < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

daloRADIUS configuration

Modify this file /var/www/daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = 'mysecret';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

You also need to modify the following configuration files to set up the sign-up web pages, /var/www/signup-*/library/daloradius.conf.php:
$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_SIGNUP_SUCCESS_MSG_LOGIN_LINK'] = "Click <b>here</b>".
" to return to the Login page and start your surfing";

Change the lines in /var/www/signup*/index.php to (changed 'User-Password' -> 'Cleartext-Password' and '==' -> ':='):
$sql = "INSERT INTO ".$configValues['CONFIG_DB_TBL_RADCHECK']." (id, Username, Attribute, op, Value) ".
" VALUES (0, '$username', 'Cleartext-Password', ':=', '$password')";

Another file that needs to be modified to communicate with CoovaChilli is /var/www/hotspotlogin/hotspotlogin.php:
$uamsecret = "uamsecret";

Now you should be able to reach daloRADIUS installation on http://127.0.0.1/daloradius/
username: administrator
password: radius

Routing

We should not forget to enable packet forwarding and setup NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
sed --in-place=.old 's/^#\(net.ipv4.ip_forward=1\)/\1/' /etc/sysctl.conf
sysctl -p

CoovaChilli configuration

Let's start with /etc/chilli/defaults:
HS_NETWORK=192.168.10.0
HS_UAMLISTEN=192.168.10.1

HS_RADSECRET=mysecret
HS_UAMSECRET=uamsecret
HS_UAMFORMAT=https://\$HS_UAMLISTEN/hotspotlogin/hotspotlogin.php
HS_UAMHOMEPAGE=https://\$HS_UAMLISTEN

Then don't forget to enable CoovaChilli to start in /etc/default/chilli
START_CHILLI=1

You may need to run chilli and the radius server with debug options to see "errors" during client connection:
chilli --fg --debug
freeradius -X
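
The same RADIUS secret and UAM secret are typed into three files above (/etc/chilli/defaults, /etc/freeradius/clients.conf and /var/www/hotspotlogin/hotspotlogin.php). The following script is an added example, not part of the original how-to: it checks that the copies agree and flags the placeholder values used in this text. It assumes unquoted KEY=value lines, and the function names and the root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the how-to): audit the shared secrets it configures.
# Assumes unquoted KEY=value lines in /etc/chilli/defaults, as shown on the page.

# Placeholder values used in the how-to that should not stay in a live setup.
WEAK_VALUES="mysecret uamsecret testing123 radpassword radiussecret xxxx"

# Print the value of KEY from a shell-style defaults file ($1=file, $2=key).
chilli_value() {
    sed -n "s/^$2=\([^ #]*\).*/\1/p" "$1" | tail -n 1
}

# Print every "secret = value" found in clients.conf ($1=file).
radius_client_secrets() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Print the string assigned to $uamsecret in hotspotlogin.php ($1=file).
portal_uamsecret() {
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tail -n 1
}

# Print one finding per line; $1 is a root prefix ("" audits the live system).
audit_hotspot_secrets() {
    root=$1
    defaults="$root/etc/chilli/defaults"
    clients="$root/etc/freeradius/clients.conf"
    portal="$root/var/www/hotspotlogin/hotspotlogin.php"
    radsecret=$(chilli_value "$defaults" HS_RADSECRET)
    uamsecret=$(chilli_value "$defaults" HS_UAMSECRET)

    # chilli is a RADIUS client: its secret must be one that FreeRADIUS accepts.
    radius_client_secrets "$clients" | grep -qxF -e "$radsecret" ||
        echo "MISMATCH HS_RADSECRET is not a secret in clients.conf"
    # chilli and the login page must share the same UAM secret.
    [ "$(portal_uamsecret "$portal")" = "$uamsecret" ] ||
        echo "MISMATCH HS_UAMSECRET differs from \$uamsecret in hotspotlogin.php"
    # Flag any value that is still one of the how-to's placeholders.
    for v in "$radsecret" "$uamsecret" $(radius_client_secrets "$clients"); do
        case " $WEAK_VALUES " in *" $v "*) echo "WEAK $v" ;; esac
    done | sort -u
}
```

Run audit_hotspot_secrets "" as root on the server; no output means the secrets agree and none of them is a placeholder from this text.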

A few links we created:
http://192.168.10.1/signup-free/ - sign up page (if you don't have username/password)
http://192.168.10.1:3990/prelogin - use for login to your portal
http://192.168.10.1/daloradius/ - daloradius admin page
http://192.168.10.1/phpmyadmin/ - phpmyadmin page (useful for sql database)

This how-to describes a simple configuration of CoovaChilli, so there are many more things to configure. I didn't mention anything about security, so it's up to you to tweak it yourself.

You can find additional info on this web page:

https://help.ubuntu.com/community/WifiDocs/CoovaChilli

Enjoy... ;-)






Ubuntu Server + Freeradius 2.0.x + coovachilli + Daloradius

so first things first, i need :
- Ubuntu 10.04 (Lucid Lynx)
- Lamp Server
- DNS Server
- OpenSSH Server
- Radius Management web based (daloradius)

1. setting up the server machine

Ubuntu 10.04
I'm using ubuntu 10.04 and installed it on my vmware to test it.
first i need to install debian-archive-keyring so the packages i want to install can be authenticated easily, command :
sudo apt-get install debian-archive-keyring
and then invoke
apt-get update
after that i enable internet forwarding so that another computer can send and receive packets from the internet through my ubuntu. command :
nano /etc/sysctl.conf
and find the line with net.ipv4.ip_forward=1 then remove the #.

Lamp Server
To install lamp server using command :
sudo apt-get install lamp-server^
when the download is finished, there is another gui asking about password for mysql.
then when the server is running there is another problem, although not much of a problem; there will be a notification like this : "apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName"
nano /etc/apache2/apache2.conf
and add this line at the bottom :
ServerName 127.0.0.1
save, and then restart apache
/etc/init.d/apache2 restart

DNS Server
i'm using bind9 package for the dns server :
sudo apt-get install bind9
and then configure the forwarders :
nano /etc/bind/named.conf.options
then uncomment and fill the ip address with one you use
forwarders {
8.8.8.8;
};
then restart service
/etc/init.d/bind9 restart

openSSH server
to install openssh server package :
sudo apt-get install openssh-server
print server
samba file server
webmin

2. setting up freeradius

install using :
sudo apt-get install freeradius freeradius-mysql
then choose yes, and continue downloading and installing
then stop the radius
/etc/init.d/freeradius stop
then run in debugging mode
freeradius -X
and if there are no errors detected (Ready to process requests.) then ctrl+c to stop and continue the next step

the next step is create radius database into mysql and create user named radius:
mysql -u root -p (then insert your password)
then type the following :
CREATE DATABASE radius;

GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpassword';
(where you can change radpassword into anything you like for the user radius in mysql)

FLUSH PRIVILEGES;

quit

then insert the radius database into mysql :
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
insert your password for user root
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
insert your password for user root
the next step is to configure radius to connect to mysql :
nano /etc/freeradius/sql.conf
look for these lines then change them accordingly :
server = "localhost"
login = "radius"
password = "radpassword"
(the password must be the one given to the user radius in the GRANT statement above)
and then in the same configuration file change
# readclients = yes
into
readclients = yes
nano /etc/freeradius/clients.conf
look for
secret = testing123
change it into
secret = radpassword
and then at the bottom add these lines
client 192.168.1.0/24 { # ip of server
secret=radpassword
}
next, i set up freeradius to use mysql for its database (back it up first)
cp /etc/freeradius/sites-available/default /etc/freeradius/sites-available/config
nano /etc/freeradius/sites-available/default
in the authorize section, look for
files
add # so that it becomes like this
# files

look for another line below
# sql
remove # so it becomes like this
sql

look for the other sql lines in the accounting and session sections; if there is a (#) remove it
save and exit
then make a user for testing the freeradius
mysql -u root -p
then type your root password
mysql > use radius;
mysql > INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('guest', 'password', 'guest');
mysql > select * from radcheck where UserName='guest';
mysql > exit
next step is to activate sql module
nano /etc/freeradius/radiusd.conf
remove comment from $INCLUDE sql.conf
add # to this line in /etc/hosts
#::1 localhost ip6-localhost ip6-loopback

3. Installing CoovaChilli

download the package :
wget http://coova-chilli.s3.amazonaws.com/coova-chilli_1.0.13-1_i386.deb
and then install it
dpkg -i coova-chilli_1.0.13-1_i386.deb
copy default chilli configuration (for backup purpose)
cp /etc/chilli/default /etc/chilli/config
then create folder for hotspot web
mkdir /var/www/hotspot
cd /var/www/hotspot
cp /etc/chilli/www/* /var/www/hotspot
mkdir /var/www/hotspot/images
cp /var/www/hotspot/coova.jpg /var/www/hotspot/images/
and also make folder for uam
mkdir /var/www/hotspot/uam
cd /var/www/hotspot/uam
wget http://ap.coova.org/uam/
wget http://ap.coova.org/js/chilli.js
change the configuration to use my ip address
sed -i 's/ap.coova.org\/js\/chilli.js/192.168.0.1\/uam\/chilli.js/g' /var/www/hotspot/uam/index.html
edit chilli library to match my ip address
sed -i 's/192.168.182.1/192.168.0.1/g' /etc/chilli/www/ChilliLibrary.js
sed -i 's/192.168.182.1/192.168.0.1/g' /var/www/hotspot/ChilliLibrary.js
configure chilli to start on boot
nano /etc/default/chilli
START_CHILLI=1
CONFFILE="/etc/chilli.conf"
edit chilli configuration file
nano /etc/chilli/default
change accordingly
HS_LANIF=eth0 # Subscriber Interface for client devices
HS_NETWORK=192.168.1.0 # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=192.168.1.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990 # HotSpot Port (on subscriber network)

HS_NASID=nas01
HS_UAMSECRET=uamsecret
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
HS_RADSECRET=radpassword
HS_UAMALLOW=www.google.com,192.168.1.0/24

HS_UAMSERVER=192.168.1.1
HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/index.php
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
HS_UAMSERVICE=https://192.168.1.1/cgi-bin/hotspotlogin.cgi
configure chilli firewall
nano /etc/chilli/up.sh
add this code at the bottom line
# may not have been populated the first time; run again
[ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null
# force-add the final rule necessary to fix routing tables
iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
that's the end of setting up coovachilli

4. SSL configuration

install ssl
sudo apt-get install libapache2-mod-auth-mysql
make ssl folder
mkdir /etc/apache2/ssl
install certificate
apt-get install ssl-cert
view your hostname to make the certificate
hostname -f
and then generate the certificate using that hostname
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
edit your hostname
nano /etc/hosts
127.0.0.1 localhost
192.168.0.1 ## your hostname
enable ssl module
a2enmod ssl
reload/restart your apache
/etc/init.d/apache2 force-reload
create Virtual host for hotspot
nano /etc/apache2/sites-available/hotspot
then fill with this code (thx to zjapske for the code http://pastebin.com/HmqXvwfr)

NameVirtualHost 192.168.0.1:443
<VirtualHost 192.168.0.1:443>
ServerAdmin webmaster@domain.org
DocumentRoot "/var/www/hotspot"
ServerName "192.168.0.1"
<Directory "/var/www/hotspot/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>


Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
<Directory "/usr/share/freeradius-dialupadmin/htdocs/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

<Directory "/var/www/hotspot/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/hotspot-error.log

LogLevel warn

CustomLog /var/log/apache2/hotspot-access.log combined

ServerSignature On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

then enable virtual host
a2ensite hotspot
edit listening port
nano /etc/apache2/ports.conf
Listen *:443
Listen *:80
#
# Listen 443
#
edit site default
nano /etc/apache2/sites-available/default
NameVirtualHost *:80

create login page for the hotspot
mkdir -p /var/www/hotspot/
cd /var/www/hotspot/
wget http://www.truesoft.co.th/wifi/uam.tgz
tar -xzvf uam.tgz
reboot the server
end of ssl configuration

5. Install daloRADIUS (radius management interface)

For daloRADIUS i use daloradius-0.9-8; i haven't tried version 9-9 yet, but i'll update this later
after downloading it, go to the folder where daloradius is located, then
tar -xzvf daloradius-0.9-8.tar.gz
copy the directory into www
cp daloradius-0.9-8 /var/www/ -R
change owner and permission
chown www-data:www-data /var/www/daloradius-0.9-8 -R
chmod 644 /var/www/daloradius-0.9-8/library/daloradius.conf.php
then install daloradius database into mysql
mysql -u root -p radius < /var/www/daloradius-0.9-8/contrib/db/mysql-daloradius.sql
change database configuration accordingly
nano /var/www/daloradius-0.9-8/library/daloradius.conf.php
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = '127.0.0.1';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
if something occurs like a mysql connection error when you try to login, just create another user 'radius' with the same password, but instead of @'localhost' use @'%'
mysql -u root -p
GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'%' IDENTIFIED BY 'radpassword';
FLUSH PRIVILEGES;

after that make sure that the following packages are installed
sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5
then login to http://192.168.1.1/daloradius-0.9-8/login.php
login using username : administrator | password : radius
that's all, thx; any questions, just add your comment below

source : http://opensource.telkomspeedy.com/forum/viewtopic.php?id=10812
http://manajung.blogspot.com/2010/01/daloradius-on-ubunto-910.html
