Install ChilliSpot on CentOS 5 - IT VIET

Technology Hardware & Solution Provider

Tuesday, September 9, 2014

Install ChilliSpot on CentOS 5

Checking users to login (via a captive portal web-page).


eth0 = Wan
eth1 = Internal Interface / LAN (Clients, PC, Access Points)

Chillispot takes control of (eth1) using a vtun kernel module to bring up a virtual interface (tun0). The vtun kernel module is used to move IP packets from the kernel to user mode

Chillispot sets up a DHCP server (can be disabled from the chillispot conf file) on the tun0 interface.

A client connecting to internal interface has all packets rejected until it is authorized though the chillispot login page (acting as a supplicant for authentication). When a non-authenticated client
tries to connect to a web-page (on port 80 or 443) the request is intercepted by chilli and redirected to a perl-script called hotspotlogin.cgi (served by apache over https).
 hotspotlogin.cgi serves a page to the end-user with a username and password field. These authentication data are then forwarded to the freeradius server, which matches them with information in it’s backend (using either PAP or CHAP). The backend in this case is mysql, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably).

A user is then either rejected or authenticated by freeradius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.

-------You need to install the following packages:
* mysql-server
* apache2
* freeradius
* freeradius-mysql

-------You need to enable packet forwarding:
Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1

-------Install chillispot from

1) Copy hotspotlogin.cgi from source to /var/www/cgi-bin directory
2) Copy chillispot-pf.conf from source to /etc/pf.conf
3) Edit /etc/pf.conf and update int & ext_if macros
4) Copy chilli.conf & chilli.ipup from source to /etc
5) Tell Chilli about the location of the authentication server
(which in this scenario is on the same machine as chillispot).
This is done by uncommenting and editing the following line in

uamserver is the default IP address that chillispot gives
the tun0 interface.

6) For added password security, we need to add a shared secret
between the hotspotlogin.cgi and chilli. Find the line in
“/etc/chilli.conf” that reads

#uamsecret ht2eb8ej6s4et3rg1ulp

Uncomment this line (remove the #) and CHANGE the secret to
what ever you desire. The secret needs to be the same with the
hotspotlogin.cgi script.

Continue editing /etc/chilli.conf and update the dns, dhcpif
& other parameters.

Edit the hotspotlogin.cgi in your cgi-bin directory & update
the uamsecret so that its the same as the entry in your
/etc/chilli.conf. Also uncomment the line that reads:

7) chmod 755 /var/www/cgi-bin/hotspotlogin.cgi
8) Copy chilli.init from source to /etc/rc.d/init.d/chilli
Edit /etc/rc.d/init.d/chilli and Define the correct path
for the chilli binary

-------You need to configure the network interfaces.
1) Set eth0 for internet connection.
2) Set eth1 with address
or issue command: ifconfig eth1 up
3) Check that both interfaces are physically connected
to the appropriate network equipment

-------Configuring Apache2 for SSL
1) yum install mod_ssl
2) mkdir /etc/httpd/ssl
3) openssl req -new -x509 -days 365 -nodes -out \
/etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key

4) Edit http.conf and enable ssl

NameVirtualHost *:443

SSLEngine On
SSLCertificateFile /etc/httpd/ssl/httpd.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

#DocumentRoot /srv/www/
#ErrorLog /srv/www/
#CustomLog /srv/www/ combined

-------Configure radius
1) Edit “/etc/raddb/clients.conf”.
Find the section that contains the line
client {

make sure it is uncommented, and then, in the section between the
{ and the following }, change the following lines:

secret = testing123

change testing123 to match the radiussecret you chose for

2) Edit “/etc/raddb/users”
Uncomment the following line in the file
#steve Auth-Type := Local, User-Password == “testing”
This will be the test user and password we will use to make sure
everything works.

-------Copy firewall.iptables from source to /etc/rc.d/init.d/chilli.iptables

-------Start the firewall
sh /etc/rc.d/init.d/chilli.iptables

-------Restart services
/etc/rc.d/init.d/httpd restart
/etc/rc.d/init.d/radiusd restart

/etc/rc.d/init.d/chilli restart

No comments:

Post a Comment