How to create wifi Hotspot system using Chillispot, Freeradius 2 and Fedora 12

Transcription

1 How to create wifi Hotspot system using Chillispot, Freeradius 2 and Fedora 12 Introduction The goal of this tutorial is to teach you on creating your own ChilliSpot hotspot system to control access to your wireless networks. We will configure the hotspot system to force all users to login (via a captive portal web-page) and enter their username and password before they can use the internet services. What is a hotspot? A hotspot is a wifi access point that is made for public access to the internet. It has a captive portal which authenticates the hotspot users and grant access to the internet if the hotspot access policy condition are met. What is ChilliSpot ChilliSpot is an open source captive portal or wireless LAN access point controller. It is used for authenticating users of a wireless LAN. It supports web based login which is today's standard for public HotSpots. Authentication, authorization and accounting (AAA) is handled by your favorite radius server. What is Radius? Radius is the industry standard for Authentication, Authorization and Accounting most forms of Internet access devices. It is used by virtually all Internet service providers for dial-up modem pools, ADSL, Cable Modem, and for Wireless LAN. The basic Radius protocol is specified in RFC Scope This tutorial will show how to deploy all this software on a single machine. However, you could deploy your ChilliSpot hotspot system separately from your system running LAMMP and Freeradius but it will require special customization and its beyond the scope of this tutorial. Requirements This tutorial assumes that you have a x86 PC with 2 networks card and running Fedora 12. Software Requirements The following software is required for this installation: ChilliSpot Freeraddius 2x LAMPP (Linux/Apache/MySQL/PHP/Perl) Fedora 12 Page 1 of 10

2 Apache 2x MySQL 2x PHP 5x Perl 5x Note: This tutorial might also work in Centos 5.5. Preparing your system Before we proceed to the installation, its very important to know how the ChilliSpot works. A little background about ChilliSpot As of mid 2007, ChilliSpot appears to be dead. The developer Jens Jacobsen had vanished, and the chillispot.org domain lapsed, but chillispot.info is a copy (with ads inserted) of the original site. You can download the rpm version of ChilliSpot directly from this website. How does ChilliSpot Works? ChilliSpot runs a program called 'chilli' which takes control of the internal interface (eth1) using a vtun kernel module to bring up a virtual interface (tun0). In fact the vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that ChilliSpot can function without any non-standard kernel modules. ChilliSpot then sets up a DHCP server (this can be disabled from the ChilliSpot conf file) on the tun0 interface. A client connecting to this interface has all packets rejected until it is authorized though the ChilliSpot login page (acting as a supplicant for authentication). When a non-authenticated client tries to connect to a web-page (on port 80 or 443) the request is intercepted by chilli and redirected to a perl-script called 'hotspotlogin.cgi' (served by Apache over https). The "hotspotlogin.cgi" serves a page to the end-user with a username and password field. These authentication data are then forwarded to the Free Radius server, which matches them with information in it's backend (using either PAP or CHAP). The backend in this case is MySQL, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably). A user is then either rejected or authenticated by Free Radius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user. Source: [1] Network Configuration As per the requirements of ChilliSpot, the machine we are using should have 2 network interface (we will use eth0 and eth1 in our example). eth0 is connected to the internet (WAN) eth1 is the internal interface through which the clients machine will connect to the internet (LAN). We can connect a switch to eth1. To this switch we can attach a number of other machines or wireless Access Points. Disable SE Linux Page 2 of 10

3 SE Linux is enabled by default on Fedora systems, first thing we need to do is to disable it to avoid problems. Edit the file /etc/sysconfig/selinux vi /etc/sysconfig/selinux and change the directive from enforcing to disabled. This file controls the state of SELinux on the system. SELINUX= can take one of these three values: enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - No SELinux policy is loaded. SELINUX=disabled SELINUXTYPE= can take one of these two values: targeted - Targeted processes are protected, mls - Multi Level Security protection. SELINUXTYPE=targeted and reboot your system. Configure your network card Open up your terminal and type the command below to configure your WAN interface: vi /etc/sysconfig/network-scripts/ifcfg-eth0 Put the IP ADDRESS/SUBNET MASK and GATEWAY provided by your ISP. DEVICE=eth0 IPADDR= NETMASK= GATEWAY= ONBOOT=yes Configure your LAN interface by typing this command: vi /etc/sysconfig/network-scripts/ifcfg-eth1 Disable DHCP and don't configure any IP Address on it. Your LAN configuration should look exactly like this: DEVICE=eth1 ONBOOT=yes Please note that you need to configure your LAN IP Address in the ChilliSpot main configuration file and we will do it later. Enable IP Forwarding You should also need to enable IP packet forwarding by editing the /etc/sysctl.conf file. vi /etc/sysctl.conf and uncomment the below line: Page 3 of 10

4 net.ipv4.ip_forward = 1 We will configure the firewall later after we finish install and configure everything. Lets proceed to the installation of the required software. Installing Web Server and MySQL Database Server This command will install Apache, MySQL, PHP, Perl and other dependencies. yum -y install httpd httpd-devel mod_perl mod_ssl php php-devel php-cli php-mbstring php-gd php-mcrypt php-mysql php-pdo php-suhosin phpmyadmin Test if PHP is working fine, create a file called phpinfo.php and put it in your /var/www/html. The file shout contain this php code: &lt?php phpinfo();?&gt Open up your web browser and type this url You should see something like this: [2] Generate Self Signed SSL Certificate The ChilliSpot login page hotspotlogin.cgi requires https. Go to /etc/pki directory and generate a private key using openssl command as shown below: openssl genrsa -des3 -out server.key 1024 This command will prompt you for a pass-phrase, you can type any password you want. Page 4 of 10

5 Generating RSA private key, 1024 bit long modulus e is (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: Remove pass-phrase from the key, this will prevent the web server from asking pass-phrase each time you reboot the server. openssl rsa -in server.key -out server.pem Using the key we generated, we will then create a certificate signing request (CSR) file. openssl req -new -key server.key -out server.csr During the generation of CSR, you will be prompted for several pieces of information as shown below. Enter pass phrase for server.key:your pass-phrase here You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [XX]:PH State or Province Name (full name) []:Kalibo Locality Name (eg, city) [Default City]:Kalibo Organization Name (eg, company) [Default Company Ltd]:Private Hotspot Ltd. Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Generate a self-signed ceftificate by typing this command: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Enter your pass-phrase and you're done Signature ok subject=/c=ph/st=kalibo/l=kalibo/o=private Hotspot Ltd. Getting Private key Enter pass phrase for server.key: Lets intall the certificate, edit the file vi /etc/httpd/conf.d/ssl.conf and put your newly created certificate. Page 5 of 10

6 Server Certificate: Point SSLCertificateFile at a PEM encoded certificate. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A new certificate can be generated using the genkey(1) command. SSLCertificateFile /etc/pki/server.crt Server Private Key: If the key is not combined with the certificate, use this directive to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile /etc/pki/server.pem Then start the web server and make sure it will automatically starts at boot. service httpd restart chkconfig httpd on Configuring MySQL database Start the MySQL server service mysqld start Configure password for MySQL root user mysql -u root set password for root@localhost = PASSWORD ('your_password'); And allow it to run during boot. chkconfig mysqld on Installing and Configuring Radius Server Installing Freeradius Server Download the latest version of freeradius 2x from fedora repository using the command below. yum -y install freeradius freeradius-mysql freeradius-utils Enable MySQL support for Freeradius Enable sql and sql counter module in the Freeradius main configuration file. vi /etc/raddab/radiusd.conf Please see the changes highlighted in bold Include another file that has the SQL-related configuration. This is another file only because it tends to be big. $INCLUDE sql.conf This module is an SQL enabled version of the counter module. Rather than maintaining seperate (GDBM) databases of accounting info for each counter, this module uses the data stored in the raddacct table by the sql modules. This Page 6 of 10

7 module NEVER does any database INSERTs or UPDATEs. It is totally dependent on the SQL module to process Accounting packets. $INCLUDE sql/mysql/counter.conf Edit /etc/raddab/sql.conf and enter your MySQL username and password login = "root" password = "your_password" Edit the file /etc/raddab/sites-enabled/default and enable sql module by uncommenting the line below in the authorize, accounting and post-auth section of this file. authorize section: authorize {...some entries here... sql accounting section: accounting {...some entries here... sql session section: session {...some entries here... sql post-auth section: post-auth {...some entries here... sql Enable sql counter module by placing the below lines inside the authorize section. authorize {...some entries here... monthlycounter dailycounter noresetcounter Importing Freeradius MySQL database schema Login to MySQL and create freeradius database mysql -u root -p create database radius; Import Freeradius schema cd /etc/raddb/sql/mysql Page 7 of 10

8 mysql -u root -p radius < schema.sql Add a NAS client { secret = your_radius_secret shortname = nas1 Installing and Configuring ChilliSpot Downloading and Installing ChilliSpot Download and install ChilliSpot from the ChilliSpot website. To download, type this command from your terminal: wget [3] and intall using rpm command. rpm -Uvh chillispot i386.rpm Configuring ChilliSpot Chillispot configuration resides in a single file, which is /etc/chilli.conf. Lets edit the file "/etc/chilli.conf" and find these lines that says: TAG: net IP network address of external packet data network Used to allocate dynamic IP addresses and set up routing. Normally you do not need to uncomment this tag. net /24 Uncomment the line that begins with net and specify the ip address that ChilliSpot will give to tun0. net /24 You need to specify the IP address of the DNS server, which will be told to clients as well. The local machine's one will be fine if the machine operates a DNS service, otherwise enter another one such as your provider's dns server. TAG: dns1 Primary DNS server. Will be suggested to the client. If omitted the system default will be used. Normally you do not need to uncomment this tag. dns TAG: dns2 Secondary DNS server. Will be suggested to the client. If omitted the system default will be used. Normally you do not need to uncomment this tag. Page 8 of 10

9 dns Scroll down a little bit and look for the radius section. You need to specify two radius servers even if you only have one. Of course, you can enter the same server in both lines. TAG: radiusserver1 IP address of radius server 1 For most installations you need to modify this tag. radiusserver TAG: radiusserver2 IP address of radius server 2 If you have only one radius server you should set radiusserver2 to the same value as radiusserver1. For most installations you need to modify this tag. radiusserver Specify your radius authentication and accounting ports. TAG: radiusauthport Radius authentication port The UDP port number to use for radius authentication requests. The same port number is used for both radiusserver1 and radiusserver2. Normally you do not need to uncomment this tag. radiusauthport 1812 TAG: radiusacctport Radius accounting port The UDP port number to use for radius accounting requests. The same port number is used for both radiusserver1 and radiusserver2. Normally you do not need to uncomment this tag. radiusacctport 1813 Enter your radius secret. TAG: radiussecret Radius shared secret for both servers For all installations you should modify this tag. radiussecret wifitesting The interface to be specified in this section is the LAN interface. This will be your clients gateway. DHCP Parameters TAG: dhcpif Ethernet interface to listen to. This is the network interface which is connected to the access points. In a typical configuration this tag should be set to eth1. dhcpif eth1 Universal access method (UAM) parameters TAG: uamserver URL of web server handling authentication. uamserver Page 9 of 10

10 TAG: uamhomepage URL of welcome homepage. Unauthenticated users will be redirected to this URL. If not specified users will be redirected to the uamserver instead. Normally you do not need to uncomment this tag. uamhomepage TAG: uamsecret Shared between chilli and authentication web server uamsecret your_radius_secret TAG: uamlisten IP address to listen to for authentication requests Do not uncomment this tag unless you are an experienced user! uamlisten TAG: uamport TCP port to listen to for authentication requests Do not uncomment this tag unless you are an experienced user! uamport 3990 TAG: uamallowed Comma separated list of domain names, IP addresses or network segments the client can access without first authenticating. It is possible to specify this tag multiple times. Normally you do not need to uncomment this tag. uamallowed TAG: uamanydns If this flag is given unauthenticated users are allowed to use any DNS server. Normally you do not need to uncomment this tag. uamanydns cp /usr/share/doc/chillispot-1.1.0/hotspotlogin.cgi /var/www/cgi-bin/ vi /etc/raddb/dictionary $INCLUDE /usr/share/doc/chillispot-1.1.0/dictionary.chillispot yum -y install bind bind-chroot squid net-snmp net-snmp-devel net-snmp-utils php-snmp cacti Source URL: Links: [1] [2] [3] Page 10 of 10 Powered by TCPDF (