Tag/tag.png

Content Cleanup Required
This article should be cleaned-up to follow the content standards in the Wiki Guide. More info...

Tag/tag.png

Page too long
This article is too long, and should be split into sub-articles. More info...

Introduction

Chillispot is software which provides authentication and restricted network access to clients. Its primary use is in wireless (WiFi) networks.

For instance, suppose you are managing a wireless network in a hotel: the access points are connected via the wired LAN to a server which works as a gateway, firewall, DNS server, etc. Now you want the same server (either because it's desirable or because it's required by your nation's law) to require authentication from all clients, possibly without messing around with the configuration of the access points. And maybe you even want users to be able to browse some sites (i.e. an internal web server of copper sinks site) without the need to authenticate themselves. Chillispot lets you manage all of this, and some more.

Please take a look at the Chillispot.info web site to see how the software works. In a few words, Chillispot creates a virtual private network (192.168.182.0/24, but you can change this default setting) which it uses to dialogate with the clients and to decide who and how to let to see the outside network. Chillispot manages the allocation of dynamic IP addresses to clients, so you don't need other DHCP tools.

As of mid 2007, ChilliSpot appears to be dead. The developer Jens Jacobsen had vanished, and the chillispot.org domain lapsed, but chillispot.info is a copy (with ads inserted) of the original site. CoovaChilli has forked from ChilliSpot 1.0 and its development also continues with an active user-base.

Notes

The ip address number 192.168.1.73, which you'll find in this document, refers to the PC where you run chillispot, then modify it with the ip address of YOUR local machine. Remember you have to DISABLE DHCP if enabled on your router.

Requirements

The following software is required for this installation:

  • Chillispot 1.0
  • FreeRadius 1.0.x-2.1.x

  • Apache 2.x
  • MySQL 4.1.x-5.1.x

Apache 1.x and MySql 4.0.x or even 3.23.x would probably do, but the above specified versions are the latest stable ones available so you're encouraged to stick to them.

This tutorial will show how to run all this software on a single machine. However, you could install Apache and MySQL on a separate one, or even have 4 different machines: you'll just need to adjust the configuration parameters of each piece of software.

Also, you'll need your kernel configured for generic tunneling support (and for NAT probably but that will not be covered here). A 2.6.x kernel version is recommended.

Kernel configuration

Chillispot create a VPN, that is to say an IP tunnel. Your kernel must support this: if you're using software such as OpenVPN chances are you're already fine. Anyhow, take a look at the following section in your kernel configuration (run the command 'modconf'): Linux Kernel Configuration: TUN/TAP support

# sudo apt-get install modconf

# sudo modconf

Kernel/drivers/net --->

  • tun [Universal TUN/TAP device driver support] --->

You can either compile the TUN/TAP support inside the kernel or (as is this example) build it as a module. The name of the module will be tun.

# sudo modprobe tun

To have the module automatically load on reboot you will need to add "tun" to the modules file

# sudo nano -w /etc/modules

add the line

..
tun
..

You'll probably also need to enable IP masquerading, NAT or what is necessary in order to let the VPN clients surf the outside network. If you're reading this HOWTO it's likely that you already know all of this; if not, look around for specific documentation.

Port Forwarding

nano -w /etc/sysctl.conf

net/ipv4/ip_forward=1

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

sudo /etc/init.d/networking restart

Installing the software

Apache and MySQL

I assume you already installed Apache and MySQL, or - if not - that you are able to do that. If this is not the case, there are plenty of tutorial out there on how to accomplish these tasks. One option is to use tasksel and select "LAMP server"

# sudo tasksel

The only important thing to do is to enable SSL features for apache. Apache configuration (See Apache SSL section below)

Chillispot

Download it from http://www.chillispot.info

# wget http://www.chillispot.info/download/chillispot_1.0_i386.deb
# sudo dpkg -i chillispot_1.0_i386.deb

Note: for amd64 architecture
# sudo apt-get install ia32-libs
# sudo dpkg -i --force-architecture chillispot_1.0_i386.deb
Note: for amd64 Ubuntu >= 10.04 download the file: chillispot_1.0-10_i386.deb

Download Link: chillispot_1.0-10_i386.deb or

# sudo apt-get install chillispot (only for x86!)

FreeRadius

You can install it from repos:

# sudo apt-get install freeradius
# sudo apt-get install freeradius-mysql

Chillispot configuration

Chillispot configuration resides in a single file, which is /etc/chilli.conf. For a single server configuration something in the shape of this will do:

# sudo nano -w /etc/chilli.conf

radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret theradiussecret
dns1 192.168.1.73
dhcpif eth0
uamallowed 192.168.182.1,192.168.1.73,www.google.it
uamserver https://192.168.1.73/cgi-bin/hotspotlogin.cgi
uamhomepage https://192.168.1.73/welcome.html
uamsecret theuamsecret

Let's discuss the file in detail.

Radius section

radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret theradiussecret

You need to specify two radius servers even if you only have one. Of course, you can enter the same server in both lines. In this case it's localhost, as FreeRadius is on the same machine of Chillispot.

radiussecret theradiussecret

The radiussecret directive contains a (secret) word which must match the one contained in the FreeRadius configuration file. This secret ensures we are allowed to make queries to the radius server. We'll se the radius configuration part later on.

Networking section

dns1 192.168.1.73

You need to specify the IP address of the DNS server, which will be told to clients as well. The local machine's one will be fine if the machine operates a DNS service, otherwise enter another one such as you provider's.

dhcpif eth0

The interface to be specified is the one where the access points reside, which should be already configured with the working access points. Be sure to disable any DHCP server bound to that interface, as Chillispot doesn't want one.

UAM section

uamallowed 192.168.182.1,192.168.1.73,www.google.it

The above line states which hosts the clients are allowed to connect without requring authentication. You must enter the IP address of the gateway (both the VPN address and the LAN address - This is very important! In fact, you must list at least these two addresses here, otherwise the chillispot will not work!), the IP address of the DNS server (if it's on another machine) and any other hosts you want.

uamserver https://192.168.1.73/cgi-bin/hotspotlogin.cgi

This is the (secure) URL of the script which displays the login interface and manages the login. We'll discuss this further in the Apache configuration section.

uamhomepage https://192.168.1.73/welcome.html

This is the page where all clients will be redirected when they try to surf a web site which is not in the uamallowed list. This is quite handy, as you don't need to provide login URLs to your users: their browser gets automatically redirected here. The contents of this file are very customizable (you can provide a full featured web page with information and the login link), and also this will be discussed later on while talking of Apache configuration.

uamsecret theuamsecret

This is the shared secret between chillispot and hostspotlogin.cgi, which ensures that the CGI script is allowed to talk to Chillispot. It's different than the radius secret, but you can also set them all alike (not recommended, of course).

Apache configuration

Apache (or any other webserver you like) handles the welcome page and the login requests, and therefore requires a bit of configuration.

As told before, SSL support is required by Chillispot (if you don't have it, the login manager will complain and not work). When dealing with usernames and password and encryped connection is a good idea to use SSL in any case. See section below.

At this point there are several options. What I did was to setup a virtual host bound to http://192.168.1.73/, which is also the content of uamhomepage variable in /etc/chilli.conf. As I wrote before, this page can contain anything you want the user to see before loggin in (information about your place, your network, the rules, ...), but in any case it should also feature a link to Chillispot server "prelogin" page . That is to say, in it's basic form the index.html file of your web site has to be:

<a href="http://192.168.182.1:3990/prelogin">Click here to login</a>

The Chillispot server bound to port 3990 will redirect the browser to whatever you specified in the uamserver line of /etc/chilli.conf. In this case it's:

https://192.168.1.73/cgi-bin/hotspotlogin.cgi

The hotspotlogin.cgi manages the actual login. The good thing is that you don't have to write it from scratch. Just type in:

# sudo cp /usr/share/doc/chillispot/hotspotlogin.cgi.gz /usr/lib/cgi-bin
# sudo gunzip /usr/lib/cgi-bin/hotspotlogin.cgi.gz
# sudo chmod 755 /usr/lib/cgi-bin/hotspotlogin.cgi

This presumes your Apache is configured to run cgi-scripts of course.

There's only one change needed for hotspotlogin.cgi: locate the $uamsecret assignement at the top of the file and set it to the value of uamsecret in /usr/lib/cgi-bin/hotspotlogin.cgi. In our example:

# sudo nano -w /usr/lib/cgi-bin/hotspotlogin.cgi

$uamsecret = "theuamsecret";
$userpassword=1;

You can then edit this file at your pleasure to customize the appearence of the login screen.

FreeRadius configuration

Authentication

FreeRadius is a complex piece of software but (luckily) the features needed for a basic or even common setup are a few, and therefore also the configuration is fairly straightforward.

The first file to look into is /etc/freeradius/clients.conf. You need to have something like this into it:

# nano -w /etc/freeradius/clients.conf

client 127.0.0.1 {
 secret     = theradiussecret

 shortname  = localhost

 nastype    = other
}

There should already be a client 127.0.0.1 section uncommented, so you may just need to edit that one. If you're not connecting from localhost you can vary the IP address accordingly, or even specify a class: the comments in the file explain everything.

The next file to edit is /etc/freeradius/sql.conf. It is already preconfigured for MySQL, but you can change it to work with Postgres, Oracle or MS-SQL. The other options are fairly intuitive, in the sense that you only have to specify the login data for the MySQL server and database. You can leave the remaining settings alone. In my example I have:

# nano -w /etc/freeradius/sql.conf

# Connect info
server = "localhost"
login = "freeradius"
password = "mysuperpassword"

# Database table configuration
radius_db = "radius"

Difficult, huh?

The last file which requires some modification is /etc/freeradius/radiusd.conf. Browse the file, look for the sql directive in the authorize section, and uncomment it: this is needed in order to have FreeRadius use the SQL module for authentication.

# nano -w /etc/freeradius/radiusd.conf

authorize {
        preprocess
#       auth_log
#       attr_filter
        chap
        mschap
#       digest
#       IPASS
        suffix
#       ntdomain
        eap
        files
        sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
        pap
}

Note: for freeradius2

1) uncomment the line #$INCLUDE sql.conf
2) "authorize" section is in:
# nano -w /etc/freeradius/sites-available/default

Be sure to restart FreeRadius after these changes

# sudo /etc/init.d/freeradius restart

Accounting

FreeRadius comes already preconfigured for accounting, and it stores that information in files under the /var/log/radius/radacct directory. However. you might want to configure it to use MySQL instead of files for accounting also. To accomplish this task look for the accounting section in /etc/freeradius/radiusd.conf. It should be configured like this:

# sudo nano -w /etc/freeradius/radiusd.conf

accounting {
    unix
    radutmp
    sql
}

(I stripped all the commented stuff out)

I only made two changes:

  • I added the sql option, which causes FreeRadius to store accounting information on the table radacct of the SQL database it uses.

  • I removed the detail option, so that it doesn't log that information on files anymore. You can leave this where it is if you want both logs.

MySQL configuration

FreeRadius requires a MySQL database with a predefinied structure where to look for user/password pairs and (if desired) store accounting information. Log into the MySQL client with root privildges and launch the following commands, or a variation of them which suits your needs:

# sudo mysql -u root -p

mysql> CREATE DATABASE radius;

mysql> GRANT ALL PRIVILEGES ON radius.* to 'freeradius'@'localhost' IDENTIFIED BY 'mysuperpassword';

mysql> FLUSH PRIVILEGES;

mysql> quit

Then import the SQL schema:

# sudo zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u freeradius -p mysuperpassword radius

Note: for freeradius 2
# mysql -u freeradius -p radius < /etc/freeradius/sql/mysql/schema.sql
# mysql -u freeradius -p radius < /etc/freeradius/sql/mysql/nas.sql

If this way doesn't work for you, just import the above file through phpmyadmin.

As you will see, this creates several tables. You probably just need to use one of those: radcheck. This table has the following structure:

  • Field

    Type

    Null

    Key

    Default

    Extra

    id

    int(11) unsigned

    PRI

    NULL

    auto_increment

    UserName

    varchar(64)

    MUL

    Attribute

    varchar(32)

    op

    varchar(2)

    ==

    Value

    varchar(253)

The id is auto-incremented and op defaults to the correct value, so you just need to enter the other fields in this fashion:

mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('aika', 'User-Password', 'myaikapassword');

That should be enough. You can then use whatever client or interface you want to populate the users database.

Firewall configuration (easy way)

  • install firestarter

#sudo apt-get install firestarter
  • run the wizard (the first time you run it, wizard should be automatic)
  • Select "enable internet connection sharing"
  • Set the device which is connected to internet (ethX)
  • Set 'tun0' as your local network connected device (tun0 device will be shown with chilli running correctly)
  • DO NOT enable DHCP (IMPORTANT)
  • Confirm the wizard or close preferences
  • Go to 'policy' tab
  • Add an 'inbound traffic policy' rule in the 'allow connections from host' pane where allowed ips are 192.168.182.2/24 (which is from 192.168.182.2 to 192.168.182.255)

you also might need this (I'm not sure)

# sudo apt-get install dnsmasq ipmasq
# sudo /etc/init.d/dnsmasq restart
# sudo dpkg-reconfigure ipmasq

[Reconfigure ipmasq to start after networking has been started]

Firewall configuration (difficult way) [to be skipped if you followed the easy way]

Note: Type all the following commands in a root terminal, DO NOT use sudo.

The services you're going to use require you to open a few ports on your firewall. This HOWTO assumes you have already protected your computer somehow, and therefore only lists the changes you need to do.

You basically need to do the following:

  • Open port 443/TCP at least to the 192.168.182.0/24 subnet: this is the Apache HTTPS port.
  • Open port 3990/TCP at least to the 192.168.182.0/24 subnet: this is the port of Chillispot web server.
  • Open port 1812/UDP to 127.0.0.1 (probably all ports are already open to localhost): this is the port FreeRadius listens to, and Chillispot connects to it using that.

  • Open port 67/UDP to the VPN (probably the tun0 interface): this is used by Chillispot DHCP server to get requests for IP address registration.

This can change very much depending on your configuration, but if you stick to this example that's it. You'll probably also want to configure NAT at this point.

In order to enable packet forwarding you should change the following line in /etc/network/options:

nano -w /etc/network/options

    ip_forward=yes

Then you have to restart networking:

    # /etc/init.d/networking restart 
  • . Start by configuring the network card that interfaces to the other computers on you network:

    # ip addr add 1.2.3.4/56 dev ethX

where ethX is the network card and 1.2.3.4/56 is your desired server IP address with prefix length (Usually 192.168.0.1/24 is used)

  • . Then configure the NAT as follows:

    # iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE

where ethX is the network card that the Internet is coming from

    # echo 1 > /proc/sys/net/ipv4/ip_forward
  • . Install dnsmasq and ipmasq using apt-get:

    # apt-get install dnsmasq ipmasq
  • . Restart dnsmasq:

    # /etc/init.d/dnsmasq restart
  • . Reconfigure ipmasq to start after networking has been started:

    # dpkg-reconfigure ipmasq
  • . Repeat steps 1 and 2.

Apache2 SSL

This guide will help you setup SSL with apache2.

Generate the certificate

If you are running a 7.04 distribution you may execute the folowing command.

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Enable the SSL module

sudo a2enmod ssl

Listen to port 443

sudo bash
echo "Listen 443" >> /etc/apache2/ports.conf

Create and enable the SSL site

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

sudo nano -w /etc/apache2/sites-available/ssl

Modify it so it looks something like this

NameVirtualHost *:443
<virtualhost *:443>
        ServerAdmin webmaster@localhost

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem

        DocumentRoot /var/www/
        <directory />
                Options FollowSymLinks
                AllowOverride None
        </directory>

        <directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                # Commented out for Ubuntu
                #RedirectMatch ^/$ /apache2-default/
        </directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </directory>

</virtualhost>

...and enable it

sudo a2ensite ssl

phpMyPrepaid and MySQL

Get phpMyPrepaid here: ftp://ftp.heanet.ie/mirrors/download.sourceforge.net/pub/sourceforge/p/ph/phpmyprepaid/phpMyPrepaid.0.1.3RC1.tar

(NOTE: There is a newer version available from http://www.chillispot.org/patch/ . Checkout the Chillispot forums for discussion -SW)

Some files need to be adjusted, but it's just a question of links. Read the INSTALL file.

  • Install freeradius 1.1.0. You'll need the package from http://apt-repo.ttec.com/binaries/ [this applies to breezy only. Dapper comes with correct freeradius version now] (NOTE: this is required because we need the sqlcounter module that is stable in the 1.1 release -SW)

You need to download freeradius_1.1.0~pre0~cvs20051129-0-JM-2_i386.deb and freeradius-mysql_1.1.0~pre0~cvs20051129-0-JM-2_i386.deb (NOTE: these have been superseded. See my notes below on how to backport these from Dapper yourself -SW)

  • add 'ATTRIBUTE Max-All-Session 3000 integer' without quotes to /etc/freeradius/dictionary

  • Modifications needed to /etc/freeradius/radiusd.conf [can only use root user, not sudo]

  • under the "$INCLUDE ${confdir}/sql.conf" add:

    sqlcounter noresetcounter {
                counter-name = Max-All-Session-Time
                check-name = Max-All-Session
                sqlmod-inst = sql
                key = User-Name
                reset = never
                query = "SELECT SUM(AcctSessionTime) FROM radacct where UserName='%{%k}'"
                }
  1. "instantiate" section must be as follow:

    instantiate {

        exec
        expr
        noresetcounter

        }
  1. "authorize" section must be as follow:

    authorize {
        preprocess
        chap
        mschap
        suffix
        sql
        noresetcounter
        }

Rough instructions for PHPMyPrepaid:

Extract the phpMyPrepaid file to a directory on your webserver eg /var/www/html/myprepaid

Edit the dbconnect.php file in the phpMyPrepaid directory and enter the username and password for your MySQL radius database.

IMPORTANT Save this file behind your web directory or your passwords will be easy to hack.

Edit config.inc.php and change the line that points to dbconnect to wherever you have saved dbconnect.php

In your web browser got to http://yoursite.com/whereveryouputphpmyprepaid/ and create some tickets. Check your database to see if the users have been setup in radcheck. Launch FreeRadius as root with this command radiusd -xxyx -l stdout. Pick a user and password from your database and try to login from a wireless client.

Tips

  • Launch Chillispot using 'chilli --debug --fg' to see what's happening while it works.
  • The same applies to Freeradius. Use 'freeradius -x'
  • mysql5 [provided in dapper] currently gives some problems if you try to use it through phpmyadmin. Just launch 'sudo chmod og=rx /var/run/mysqld' to solve them.
  • There are 2 useful options (expecially the first one) which need to be added in phpMyPrepaid:
  • Idle-Timeout: Time after which the user is disconnected if not browsing.[useful if the user forget to logout correctly]
  • Session-Timeout: Time after which the user is disconnected. However he can reconnect if has some time left.

    To add the first option you have to modify the phpMyPrepaid/CrCards/DBinsert.php file and add before "}" (consider that 60 corrisponds to 60 sec):

        $q3= "INSERT INTO radreply (UserName , Attribute, op, Value) VALUES('$id','Idle-Timeout',':=','60')";
        $insert3 = mysql_query($q3) or die(mysql_error());

Hotspotlogin.php

This file is an easier to be modified substitute for hotspotlogin.cgi. Change the uamsecret password, put it in /var/www and change chilli.conf as follow:

Replace

uamserver https://192.168.1.73/cgi-bin/hotspotlogin.cgi
  • with:

uamserver http://192.168.1.73/hotspotlogin.php

<?php
# File: hotspotlogin.php
# working with chillispot_0.97
# last change 2004-10-01
# this is forked from original chillispot.org's hotspotlogin.cgi by Kanne
# uamsecret enabled by Cedric
# logoff when closing logoff window added by Lorenzo Allori <lallori_A.T_medici.org>
# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.

$uamsecret = "theuamsecret";

# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.

$userpassword=1;

$loginpath = "/hotspotlogin.php";

# possible Cases:       
# attempt to login                          login=login
# 1: Login successful                       res=success
# 2: Login failed                           res=failed
# 3: Logged out                             res=logoff
# 4: Tried to login while already logged in res=already
# 5: Not logged in yet                      res=notyet
#11: Popup                                  res=popup1
#12: Popup                                  res=popup2
#13: Popup                                  res=popup3
# 0: It was not a form request              res=""
#Read query parameters which we care about
# $_GET['res'];
# $_GET['challenge'];
# $_GET['uamip'];
# $_GET['uamport'];
# $_GET['reply'];
# $_GET['userurl'];
# $_GET['timeleft'];
# $_GET['redirurl'];
#Read form parameters which we care about
# $_GET['username'];
# $_GET['password'];
# $_GET['chal'];
# $_GET['login'];
# $_GET['logout'];
# $_GET['prelogin'];
# $_GET['res'];
# $_GET['uamip'];
# $_GET['uamport'];
# $_GET['userurl'];
# $_GET['timeleft'];
# $_GET['redirurl'];

$titel = '';
$headline = '';
$bodytext = '';
$body_onload = '';
$footer_text = '<center>
                  <a href="#">[HELP]</a> 
                  <a href="#">[terms and conditions]</a>  
                </center>';
         
$footer_textz  = '';                 
# attempt to login
if ($_GET['login'] == login) {
  $hexchal = pack ("H32", $_GET['chal']);
  if (isset ($uamsecret)) {
    $newchal = pack ("H*", md5($hexchal . $uamsecret));
  } else {
    $newchal = $hexchal;
  }
  $response = md5("\0" . $_GET['Password'] . $newchal);
  $newpwd = pack("a32", $_GET['Password']);
  $pappassword = implode ("", unpack("H32", ($newpwd ^ $newchal)));

  $titel = 'Logging in to HotSpot'; 
  $headline = 'Logging in to HotSpot';
  $bodytext = ''; 
  print_header();
  if ((isset ($uamsecret)) && isset($userpassword)) {
    print '<meta http-equiv="refresh" content="0;url=http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/logon?username=' . $_GET['UserName'] . '&password=' . $pappassword . '">';
  } else {
    print '<meta http-equiv="refresh" content="0;url=http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/logon?username=' . $_GET['UserName'] . '&response=' . $response . '&userurl=' . $_GET['userurl'] . '">';
  }
   print_body();
   print_footer();
}
# 1: Login successful
if ($_GET['res'] == success) {
  $result = 1;
  $titel = 'Logged in to HotSpot';
  $headline = 'Logged in to HotSpot';
  $bodytext = 'Welcome';
  $body_onload = 'onLoad="javascript:popUp(' . $loginpath . '?res=popup&uamip=' . $_GET['uamip'] . '&uamport=' . $_GET['uamport'] . '&timeleft='  . $_GET['timeleft'] . ')"';
  print_header();
  print_body();
  if ($reply) { 
    print '<center>' . $reply . '</BR></BR></center>';
  }
  print '<center><a href="http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/logoff">Logout</a></center>';
  print_footer();
}
# 2: Login failed
if ($_GET['res'] == failed) {
  $result = 2;
  $titel = 'HotSpot Login Failed';
  $headline = 'HotSpot Login Failed';
  $bodytext = 'Sorry, try again<br>';
  print_header();
  print_body();
  if ($_GET['reply']) {
    print '<center>' . $_GET['reply'] . '</center>';
  }
  print_login_form();
  print_footer();
}
# 3: Logged out
if ($_GET['res'] == logoff) {
  $result = 3;
  $titel = 'Logged out from HotSpot';
  $headline = 'Logged out from HotSpot';
  $bodytext = '<a href="http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/prelogin">Login</a>';
  print_header();
  print_body();
  print_footer();
}
# 4: Tried to login while already logged in
if ($_GET['res'] == already) {
  $result = 4;
  $titel = 'Already logged in to HotSpot';
  $headline = 'Already logged in to HotSpot';
  $bodytext = '<a href="http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/logoff">Logout</a>';
  print_header();
  print_body();
  print_footer();
}
# 5: Not logged in yet
if ($_GET['res'] == notyet) {
  $result = 5;
  $titel = 'Logged out from HotSpot';
  $headline = 'Logged out from HotSpot';
  $bodytext = 'please log in<br>';
  print_header();
  print_body();
  print_login_form();
  print_footer();
}
#11: Popup1
if ($_GET['res'] == popup1) {
  $result = 11;
  $titel = 'Logging into HotSpot';
  $headline = 'Logged in to HotSpot';
  $bodytext = 'please wait...';
  print_header();
  print_body();
  print_footer();
}
#12: Popup2
if ($_GET['res'] == popup2) {
  $result = 12;
  $titel = 'Do not close this Window!';
  $headline = 'Logged in to HotSpot';
  $bodytext = '<a href="http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/logoff">Logout</a>';
  print_header();
  print_bodyz();
  print_footer();
}
#13: Popup3
if ($_GET['res'] == popup3) {
  $result = 13;
  $titel = 'Logged out from HotSpot';
  $headline = 'Logged out from HotSpot';
  $bodytext = '<a href="http://' . $_GET['uamip'] . ':' . $_GET['uamport'] . '/prelogin">Login</a>';
  print_header();
  print_body();
  print_footer();
}
# 0: It was not a form request
# Send out an error message
if ($_GET['res'] == "") {
  $result = 0;
  $titel = 'What do you want here?';
  $headline = 'HotSpot Login Failed';
  $bodytext = 'Login must be performed through ChilliSpot daemon!';
  print_header();
  print_body();
  print_footer();
}
# functions
function print_header(){
  global $titel, $loginpath;
  $uamip = $_GET['uamip'];
  $uamport = $_GET['uamport'];
  print "
  <html>
    <head>
      <title>$titel</title>
        <meta http-equiv=\"Cache-control\" content=\"no-cache\">
        <meta http-equiv=\"Pragma\" content=\"no-cache\">
        <meta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\">
        <SCRIPT LANGUAGE=\"JavaScript\">
    var blur = 0;
    var starttime = new Date();
    var startclock = starttime.getTime();
    var mytimeleft = 0;
    function doTime() {
      window.setTimeout( \"doTime()\", 1000 );
      t = new Date();
      time = Math.round((t.getTime() - starttime.getTime())/1000);
      if (mytimeleft) {
        time = mytimeleft - time;
        if (time <= 0) {
          window.location = \"$loginpath?res=popup3&uamip=$uamip&uamport=$uamport\";
        }
      }
      if (time < 0) time = 0;
      hours = (time - (time % 3600)) / 3600;
      time = time - (hours * 3600);
      mins = (time - (time % 60)) / 60;
      secs = time - (mins * 60);
      if (hours < 10) hours = \"0\" + hours;
      if (mins < 10) mins = \"0\" + mins;
      if (secs < 10) secs = \"0\" + secs;
      title = \"Online time: \" + hours + \":\" + mins + \":\" + secs;
      if (mytimeleft) {
        title = \"Remaining time: \" + hours + \":\" + mins + \":\" + secs;
      }
      if(document.all || document.getElementById){
         document.title = title;
      }
     else {   
        self.status = title;
      }
    }
    function popUp(URL) {
      if (self.name != \"chillispot_popup\") {
        chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=1,width=350,height=300');
      }
    }
    function doOnLoad(result, URL, userurl, redirurl, timeleft) {
     if (timeleft) {
        mytimeleft = timeleft;
      }
      if ((result == 1) && (self.name == \"chillispot_popup\")) {
        doTime();
      }
     if ((result == 1) && (self.name != \"chillispot_popup\")) {
        chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=1,width=350,height=300');
      }
      if ((result == 2) || result == 5) {
        document.form1.UserName.focus()
      }
      if ((result == 2) && (self.name != \"chillispot_popup\")) {
        chillispot_popup = window.open('', 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=1,width=400,height=200');
        chillispot_popup.close();
      }
      if ((result == 12) && (self.name == \"chillispot_popup\")) {
        doTime();
        if (redirurl) {
          opener.location = redirurl;
        }
        else if (opener.home) {
          opener.home();
        }
        else {
          opener.location = \"about:home\";
        }
        self.focus();
        blur = 0;
      }
      if ((result == 13) && (self.name == \"chillispot_popup\")) {
        self.focus();
        blur = 1;
      }
    }
    function doOnBlur(result) {
      if ((result == 12) && (self.name == \"chillispot_popup\")) {
        if (blur == 0) {
          blur = 1;
          self.focus();
        }
      }
    }
    function popup_logoff(url, name)
    {
    MyNewWindow=window.open(\"http://\"+url,name);
    }
  </script>";
}
function print_body(){
  global $headline, $bodytext, $body_onload,$result, $loginpath;
  $uamip = $_GET['uamip'];
  $uamport = $_GET['uamport'];
  $userurl = $_GET['userurl'];
  $redirurl = $_GET['redirurl'];
  $userurldecode = $_GET['userurl'];
  $redirurldecode = $_GET['redirurl'];
  $timeleft = $_GET['timeleft'];
  print "
  </head>
    <body onLoad=\"javascript:doOnLoad($result, '$loginpath?res=popup2&uamip=$uamip&uamport=$uamport&userurl=$userurl&redirurl=$redirurl&timeleft=$timeleft','$userurldecode', '$redirurldecode', '$timeleft')\" onBlur = \"javascript:doOnBlur($result)\" bgColor = '#c0d8f4'>
      <h1 style=\"text-align: center;\">$headline</h1>
      <center>$bodytext</center><br>";
# begin debugging
#  print '<center>THE INPUT (for debugging):<br>';
#    foreach ($_GET as $key => $value) {
#      print $key . '=' . $value . '<br>';
#    }
#  print '<br></center>';
# end debugging
}
function print_bodyz(){
  global $headline, $bodytext, $body_onload, $result, $loginpath;
  $uamip = $_GET['uamip'];
  $uamport = $_GET['uamport'];
  $userurl = $_GET['userurl'];
  $redirurl = $_GET['redirurl'];
  $userurldecode = $_GET['userurl'];
  $redirurldecode = $_GET['redirurl'];
  $timeleft = $_GET['timeleft'];
  print "
  </head>
    <body onLoad=\"javascript:doOnLoad($result, '$loginpath?res=popup2&uamip=$uamip&uamport=$uamport&userurl=$userurl&redirurl=$redirurl&timeleft=$timeleft','$userurldecode', '$redirurldecode', '$timeleft')\" onBlur = \"javascript:doOnBlur($result)\" bgColor = '#c0d8f4' onUnLoad = \"javascript:popup_logoff('192.168.182.1:3990/logoff','Error')\">
      <h1 style=\"text-align: center;\">$headline</h1>
      <center>$bodytext</center><br><br>
      <center>Do not close this window</center>
      <center>otherwise you'll be logged out immediately</center>";
# begin debugging
#  print '<center>THE INPUT (for debugging):<br>';
#    foreach ($_GET as $key => $value) {
#      print $key . '=' . $value . '<br>';
#    }
#  print '<br></center>';
# end debugging
}
function print_login_form(){
  global $loginpath;
  print '<FORM name="form1" METHOD="get" action="' . $loginpath . '?">
          <INPUT TYPE="HIDDEN" NAME="chal" VALUE="' . $_GET['challenge'] . '">
          <INPUT TYPE="HIDDEN" NAME="uamip" VALUE="' . $_GET['uamip'] . '">
          <INPUT TYPE="HIDDEN" NAME="uamport" VALUE="' . $_GET['uamport'] . '">
          <INPUT TYPE="HIDDEN" NAME="userurl" VALUE="' . $_GET['userurl'] . '">
          <center>
          <table border="0" cellpadding="5" cellspacing="0" style="width: 217px;">
          <tbody>
            <tr>
              <td align="right">Login:</td>
              <td><input type="text" name="UserName" size="20" maxlength="255"></td>
            </tr>
            <tr>
              <td align="right">Password:</td>
              <td><input type="password" name="Password" size="20" maxlength="255"></td>
            </tr>
            <tr>
              <td align="center" colspan="2" height="23"><input type="submit" name="login" value="login"></td>
          </tr>
        </tbody>
        </table>
        </center>
      </form>';
}
function print_footer(){
  global $footer_text;
  print $footer_text . '</body></html>';
  exit(0);
}
function print_footerz(){
  global $footer_textz;
  print $footer_textz . '</body></html>';
  exit(0);
}
exit(0);
?>

Other resources

  1. http://www.chillispot.org/ - Chillispot web site, here you can find useful FAQs and a discussion forum.

  2. http://www.freeradius.org/ - FreeRadius home page

  3. http://www.frontios.com/freeradius.html - A very useful tutorial on using FreeRadius and MySQL together

Authors and contributors

  • The original document is written by Michele Beltrame (gentoo user).
  • Modified Hotspotlogin.php has been provided from Lorenzo Allori.
  • This HOWTO has been written by Gabriele Vidali.

Comments

Backporting FreeRadius to Breezy from Dapper

I know Dapper is nearly here but I needed to deply this now (2006-03-09)! Of course, the version numbers shown were correct at the time of printing, they may change when Dapper is released.

Backporting yourself is preferred to installing binary packages from unknown/untrusted sources. Not to cast any doubt on the source that was listed but I have no idea who they are, do you? Backporting from Dapper gives you the benefit of knowing that the package configuration conforms to the Ubuntu guidelines and you know that no changes have been to the source code from the Ubuntu repositiories. It sounds daunting but the steps are fairly straight forward.

I would start freeradius before you upgrade or you'll get errors later when the restart commands fail!

Start by adding the Dapper source repositories to your /etc/apt/sources.list. Simply replace deb with deb-src in your favourite mirror entries eg

deb-src http://au.archive.ubuntu.com/ubuntu dapper main restricted universe

Make a directory to build the new packages in and cd to it.

To ensure you have all the build dependencies execute:

$ sudo apt-get build-dep freeradius debhelper lsb

The first thing to do is upgrade debhelper:

$ fakeroot apt-get -b source debhelper
$ sudo dpkg -i debhelper_5.0.7ubuntu4_all.deb

then you have to upgrade lsb-base (you only need lsb-base, if you try and install lsb you'll get a whopping numberof packages upgraded):

$ fakeroot apt-get -b source lsb
$ sudo dpkg -i lsb-base_3.0-12ubuntu3_all.deb

Finally, you can build and install freeradius 1.1

$ fakeroot apt-get -b source freeradius
$ sudo dpkg -i freeradius_1.1.0-1_i386.deb freeradius-mysql_1.1.0-1_i386.deb

If that's successful continue on with Gabriele's great HOWTO...

If you run into any problems, try using the command "sudo apt-get -f install" which will try and install any packages that are required.

If you think anything should be clarified feel free to drop me an email.

Good luck, SimonWong.


Hotcakes Hotspot Manager

Hi,

I've just released Beta-1 of Hotcakes Hotspot Manager. Managing a captive portal is now quick and easy.

Features includes: -> Open Source Software (GPL). -> Web Based Administration. -> Prepaid and Permanent users. -> Use of Ajax to see 'live' activity on the Hotspot. -> Helpdesk facility. -> Predefined profiles and skeleton profiles. -> Flexible Billing solution - Includes PDF invoice and e-mail generation. -> Inline Help on many pages.

You can find it here:

http://cakeforge.org/projects/hotcakes/

You are all most welcome to give it a spin. It includes a step by step setup HOWTO for Ubuntu Dapper Drake.

Cheers

Wifiroute Hotspot Manager

http://sourceforge.net/projects/wifiroute/

Features includes: -> Open Source Software (GPL) (based on phpmyprepaid) -> Scanner support for document scanner -> Written in php/mysql with basic use of php classes -> Credit by time (i.e. 30 mins) or date (i.e. credit valid until 21/01/2008) -> Multilanguage support

Chillispot - new home page

http://chillispot.info/

Chillispot - home page in Internet Archive

Currently (2007.08.24) Chillispot homepage is unavailable.

You can see it only in Internet Archive:

http://web.archive.org/web/*/http://www.chillispot.org

Correction

No development continues at ChilliSpot.info. That site is a modified (to add advertisements) version of the original ChilliSpot website.


CategoryWireless

WifiDocs/ChillispotHotspot (last edited 2017-08-31 18:34:13 by ckimes)