Coovachilli splash page not launching

Hi everyone! I'm trying to create a hotspot.

Right now I have already configured my guest network and it works well.

The issue is that when I start coovachilli, the splash page won't load and the browser just hangs...

I'll put some screenshots of my ipconfig file and also of my /etc/config/chilli

Thank you everyone, any help is appreciated!

This is my config file

Sample Coova-Chilli configuration file modified by gremaudpi

config chilli
option interval 3600
option swapoctets 1
######## TUN and DHCP Parameters ########
option tundev 'tun0'
option dhcpif 'wlan1'
option net 192.168.2.0/24
option lease 600
option dns1 8.8.8.8
option dns2 8.8.4.4
option ipup '/etc/chilli/up.sh'
option ipdown '/etc/chilli/down.sh'
######## Radius parameters ########
option radiusserver1 '192.168.15.16'
option radiusserver2 ''
option radiusauthport 1812
option radiussecret 'testing123'
option radiusnasid 'ap001'

option ssid 'ACME-company'
######## Universal access method (UAM) parameters ########
option uamlisten 192.168.2.1
option uamserver 'http://192.168.15.16/cake3/rd_cake/dynamic-details/chilli-browser-detect/'
option uamsecret 'greatsecret'
option uamallowed ''
option uamdomain ''
option uamanydns 1
option uamaliasname 'login'
option nouamsuccess 1

First guess: radius does not answer. Anyway, as the correct config of coova is (almost) black magic, especially under openwrt, I strongly suggest you first set up coova on regular linux, to avoid the openwrt specialities. Have it up and running; then port to openwrt.


Hi Raine, thanks for your reply. Okay, so you suggest to first install some Ubuntu in my Mac and deploy coovachilli there? BTW, I'm currently working on a TPLINK AC1750, there is where I have installed coovachilli via OPENWRT.

Another question, how would I create the GUEST NETWORK in linux? I mean, the GUEST network is created by the router via LUCI WEB... so I was wondering how I could create the same schema in linux? Thanks

I've been studying Chilli a lot these past few weeks. A couple of obvious things:

  • In the UCI system, option network becomes Chilli's dhcpif. Do not set a dhcpif, option network defines your guest interface. That guest interface should be defined in /etc/config/network as a bridge with proto none. Do not set up any DHCP server, firewall zone, etc. on the guest interface. Chilli will handle all of that. Attach wired and/or wifi interfaces to the guest bridge in the conventional way.
  • uamlisten defaults to the .1 in Chilli's net (which defaults to 192.168.182.0/24), you generally should not tamper with those.
  • If your UAM web page(s) are not internally served by Chilli you have to include their IP, domain, or network in the walled garden.
  • Set at least dns1 to an operational DNS server, or clients may hang waiting for DNS.
  • If the chilli config can't be parsed, chilli will somewhat silently not start. The log will be full of repeated crash messages though.

I recommend using a desktop browser for testing. Open the web console so you can see what is being sent and received.

Here is my rewritten and annotated config file. Realize that some of this may still be wrong.

#
# Re-organized coova-chilli config file for OpenWrt 
#   This is the UCI method of configuration.  This file is /etc/config/chilli
#   (Parameters marked <FLAG> are boolean.  Define them as '1' to activate their function, comment out to not activate).

config chilli				# Each instance of the chilli daemon is defined with a 'config chilli' block.
###########################
#### INSTANCE CONTROLS ####
###########################
#    	option disabled 1		# <FLAG> Shut down this instance of chilli from being configured or starting.

	option debug '1'		# <FLAG> Generate debugging messages (to syslog)  (Requires build option ENABLE_DEBUG)
	option debugfacility 0		# Verbosity of debugging messages (higher number = more verbose)	

#	option interval 3600		# Re-read / re-load configuration file at this interval (in seconds)
					#  Primary use of this is it will also re-check the DNS of the walled garden list.
#	option childmax '120'		# Number of child processes that may start.  Set smaller to conserve RAM.					
    
  # Note that /etc/init.d/chilli hard-codes the CLI options fg, pidfile, cmdsocket, and unixipc

#####################
#### NETWORKING #####
#####################
 	option network 'guest'		# This is REQUIRED.  The network (usually a bridge) that hotspot users connect to.
					#  This network should be declared in /etc/config/network with proto none.  Chilli 
					#  controls all aspects of this network including IP, ARP, and DHCP server.
					#  It is also possible to connect directly to a single hardware port such as 'eth1'
					#  That is commonly seen in examples of wired / central server applications.
					#  The setting is passed to chilli as 'dhcpif'.  Do not set dhcpif separately.  Only set network.
					#  Simple names will be converted.  e.g. 'guest' loads as 'br-guest' if needed.

	option tundev 'tun0'    	# Name of the guest tunnel (external side, into the kernel to reach the Internet)
					# An interface will be created with this name.  It must be unique in the system.
					# Firewall rules for the hotspot users should be attached to this network name.
 
	option net '192.168.182.0/24'	# IPv4 subnet for the hotspot users.  Default is 192.168.182.0/24
					#  One of these IPs (by default, the first one) will be the UAM server.

# 	option postauthproxy ''		# HTTP proxy for all user's Internet access
#	option postauthproxyport 8080 	# Port number on the HTTP proxy.

#	option dhcpmac 00:00:5E:00:02:00 # Override a MAC onto the net network.  This can be useful to tag guest traffic 
					# so it will be identifiable to a firewall.
# 	option maxclients 512		# Number of simultaneous clients (public users) the system will support.


################################
#### INTEGRATED DHCP SERVER ####
################################

#	option dynip '192.168.182.0/24'	# Pool that client dynamic DHCPs will be allocated from.  Default is the same as net.
#	option statip '192.168.182.0/24' # Range of allowable static IPs.  Advanced use only. 


#	option domain key.chillispot.org # Default DNS domain.  Usually leave commented out, 
						# unless you're letting clients use a LAN.
#	option rfc7710uri 'http://192.168.182.1:3990/www/coova.html'  # Advertise that this is a captive portal, and device
				# should immediately open this page to log in.  Works on newer clients.
 
	option dns1 192.168.30.1	# DNS server(s) for client use.  These are automatically in the garden for unauthenticated
					# clients.  It is important to set a DNS server, or clients will stall waiting for DNS.
#	option dns2 172.16.0.6		# These will be advertised in DHCP replies.
#	option uamanydns '1'		# <FLAG> Allow clients to use any DNS server.

#	option lease 600		# DHCP lease time (seconds) Default 600, which is 10 minutes.
#	option dhcphashsize 56		# size of the DHCP table


######################
#### SCRIPT CALLS ####
######################

#	option uamui			# Optional script, runs when an unauthenticated UAM user hits the server.
	option ipup '/etc/chilli/up.sh'	# Script executed after net/tundev interface is brought up.
	option ipdown '/etc/chilli/down.sh' # Script executed after teardown of net/tundev, e.g. remove firewall rules.
#	option macup			# Runs when DHCP issued
#	option macdown			# Runs when a DHCP is lost.
#	option conup			# Runs when a user is authorized
#	option condown			# Runs when a user is de-authorized
#	option vlanupdate		# Runs when VLAN created / destroyed
#	option locationupdate		# Runs when location changed ???

##################################
#### INTEGRATED RADIUS CLIENT ####
##################################

	option radiusserver1 localhost	# Server to submit RADIUS auth and acct to.  REQUIRED to use RADIUS auth.
	option radiusserver2 localhost	# Set the same as radiusserver1 if you don't have a redundant server.
#	option radiusauthport 1812	# (Default 1812) Note the same ports are used on both servers.
#	option radiusacctport 1813	# (Default 1813)
#	option radiuslisten 127.0.0.1	# IP on the local machine to bind for the incoming RADIUS replies. (Default 0.0.0.0)

	option uamaaaurl 'http://192.168.30.240/hotspot/aaa.php' # Use this http AAA server instead of RADIUS.
					# Requires build option ENABLE_CHILLIPROXY
					# radiusserver1 and 2 must still be set (to localhost) for HTTP AAA.

 	option radiussecret easyhotspot	# The same secret is used for auth and acct, and on both servers.	 
					#  This is not relevant to HTTP AAA.

	option radiusnasid 'cabin'	# Identify this machine. If configured, will be sent to RADIUS as attribute NAS-Identifier.
					#  Also added to URLs during UAM 
#	option nasmac ' '		# Send this MAC for identification instead of the net interface MAC					
#	option nasip '192.168.182.1'	# Send this IP for identification instead of the net interface IP

#	option radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport  # WISPr location.  Used for WISPr only.
#	option radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport # WISPr name.  Used for WISPr only.
#	option radiusnasporttype 19	# Send this as port type.  Default of 19 means it is a 802.11 WiFi.

	option radiusoriginalurl '1'	# <FLAG> Pass the user's original URL to the RADIUS server as a Chilli Vendor Attribute
#	option openidauth '1'		# Use OpenID including chillispot-config Vendor Attributes

	option defsessiontimeout 0	# User's allowed time, in seconds, unless RADIUS overrides.
	option defidletimeout 0		# Time in seconds before an idle user will be dropped, RADIUS can override.
	option defbandwidthmaxdown 0	# Rate in kbps, RADIUS can override
	option defbandwidthmaxup 0	# Rate in kbps, RADIUS can override.

#### RADIUS accounting settings
	option definteriminterval 0	# Time between interim accounting, RADIUS auth can override
#	option swapoctets '1'		# <FLAG> Reverse the meaning of 'input' vs. 'output' octet count
#	option acctupdate '1'		# <FLAG> Allow a RADIUS Accounting Reply to be used to control a user's status.
#	option locationstopstart '1'	# <FLAG> Restart accounting when location changes 

#### CoA server
#	option coaport 3799		# Take CoA (disconnection) requests on this port.
#	option coanoipcheck 1		# <FLAG> Allow COA from anywhere, ordinarily only the designated RADIUS servers allowed.

######################
#### RADIUS PROXY ####
######################
    # This functionality (requires build option ENABLE_RADPROXY) can link WPA-Enterprise wifi authentication through Chilli.
    
#	option proxylisten '10.0.0.1'	# Listening IP on this machine.
#	option proxyport '1645'		# UDP port.  This should generally not be 1812 to avoid conflict with the AAA server.		
#	option proxyclient '10.0.0.1/24' # Allowable proxy clients (i.e. your WPA-Enterprise APs)
#	option proxysecret 'testing123'	# For proxy requests. Default is the same as radiussecret.

###################################################
#### INTEGRATED UNIVERSAL ACCESS METHOD SERVER ####
###################################################

	option uamhomepage 'http://192.168.30.240/hotspot/spotlogin0.php'  # Optional "splash" page.  This should redirect to 
		 # the 'loginurl' that will be supplied to it.  If not set, uamserver URL below is used directly.
 
#	option uamserver 'http://192.168.182.1:3990/www/login.chi'
	option uamserver 'http://192.168.30.240/hotspot/spotlogin1.php' # URL of the UAM login page that collects the password etc.
		# This may be internally or externally hosted.  A uamserver URL is REQUIRED to use UAM.

	option uamsecret easyhotspot  # Shared secret text used to encrypt UAM challenge.
		# This is optional.  A null secret (unencrypted challenge) also works.
	option nochallenge '1'	# <FLAG> Use unencrypted PAP password= to UAM.  This is of course not secure.
				#  (Requires adding nochallenge to the boolean settings in /etc/init.d/chilli)
			
#	option uamlisten '192.168.182.1'  # UAM login interface (and possibly web server) defaults to .1 in the net network.
#	option uamport 3990	# UAM main port.  Default 3990.  Note this is also the integrated web server. 
#	option uamuiport 3991	# UI port.  Default 3991.

	option uamallowpost '1' # <FLAG> Allow POSTs to the UAM login.  A "Connection Reset" will occur if POST received without this.
	
	option nouamsuccess '1' # <FLAG> Attempt to redirect a newly-authorized user to their originally requested page.
				#   (Most OS/ browser considers this a security risk and refuse to do it anyway.)
				
	option challengetimeout 120 # Timeout before generating a new CHAP challenge
	option challengetimeout2 120 # Timeout for challenge during login.
				
#### Web server option to UAM.
#	option wwwdir '/etc/chilli/www'	# Web server document root, accessible at http://uamlisten:uamport/www
#	option wwwbin '/etc/chilli/wwwsh'  # Launcher script for .chi web server dynamic files (haserl based).
	
####################################
#### MAC / LOCAL AUTHENTICATION ####
####################################
# A local flat-file database of users can be installed.  The file will be consulted first.  If it fails, RADIUS is then tried.
	option localusers '/etc/chilli/localusers' # File of local users.  One line per user, format is username:password
	
# User's MAC can be considered for pre-authentication.  AAA server may recognize MACs of logged in users and reconnect them.
	
	option macauth '1'	# <FLAG> Use MAC authentication for all users (overrides macallowed)
#	option macallowed '00-01-02-03-04-05' # Use MAC authentication for only these MACs.
#	option strictmacauth '1' # <FLAG> Don't issue a DHCP reply until MAC has been decisioned.
#	option macauthdeny '1'	# <FLAG> Treat a MAC-based Access-Reject as the final decision.  Do not let user UAM.
#	option macreauth '1'	# <FLAG> Force re-authentication on MAC during any URL redirection
#	option macallowlocal '1' # <FLAG> Use local database of MACs instead of AAA.

#	option macsuffix 'TEXT' # Add this text to the MAC to form the AAA User-Name in a MAC auth request
#	option macpasswd 'TEXT' # Use this text as User-Password in a MAC based auth request.
				# Default is to use the MAC the same as the user name.
	
#	option ethers '/etc/chilli/ethers' # Local file of MAC to IP. This is used both as DHCP reservations and MAC auth.

#######################
#### Walled Garden ####
#######################
   # These are different ways to specify Internet locations that an unauthenticated client can still access.
   # If using an off-site server for the UAM page, it must be placed in the garden here.

	option uamallowed '192.168.30.0/24'
#	option uamallowed 'google.com'	# comma separated list of specific sites.
#	list uamdomain '.chillispot.org,.coova.org'  # Domains can be wildcarded, also comma separated or multiple lines.
#  	list uamregex '//'			# Regex method to define garden sites (build option required)
#	list authedallowed '.openwrt.org'	# For authorized users, exempt these sites from bandwidth or GB limit.
#	option uamauthedallowed '1' # <FLAG> For authorized users, exempt all garden sites from bandwidth or GB limits.


Yes. Then you are sure the environment (firewall, radius, UAM-server, walled garden etc.) is working. Then you might even copy the config files to the openwrt box, and use chilli without the uci-stuff.

Hey, thanks mk! Did you have success setting up your hotspot in this way?

Yes although I'm using a self-written uam page and AAA system as well.

If you want to use my file comment out uamhomepage, uamaaaurl, nochallenge, macauth, and localusers, and go from there. Also you need to change uamallowed to allow your UAM server.

Thanks mk, one quick question. What do you mean with "This network should be declared in /etc/config/network with proto none." in the "option network" part of the code?

What should I write in /etc/config/network?

And in "option uamallowed '192.168.30.0/24'" should I use the same IP address or put another one? Which one?

Thanks, I'll try to set up in this way first.

You're adding an interface like this.

config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.3'
        option proto 'none'

eth0.3 is the wired connection, based on setting up a VLAN in the switch. If your guest connections are only wireless leave out the ifname line. Also make a wifi AP and attach it to guest with option network guest in the AP's block in /etc/config/wireless.

The uamallowed (walled garden) must include your uamserver page, which is 192.168.15.16 for you.
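Added example (not part of any post in this thread, and not CoovaChilli or OpenWrt code): a small linter that checks a UCI chilli config for the pitfalls raised above, namely `dhcpif` used instead of `network`, a missing `dns1`, a `uamserver` host outside the walled garden, secrets that are printed in this thread, and `nochallenge`. The function names are hypothetical, the embedded sample is built from the first config posted here, and suffix matching for `uamdomain` is an assumption.

```python
import ipaddress
import shlex
from urllib.parse import urlparse

# Constructed sample: options copied from the first config posted in this thread.
SAMPLE = """\
config chilli
	option dhcpif 'wlan1'
	option net 192.168.2.0/24
	option dns1 8.8.8.8
	option radiussecret 'testing123'
	option uamserver 'http://192.168.15.16/cake3/rd_cake/dynamic-details/chilli-browser-detect/'
	option uamsecret 'greatsecret'
	option uamallowed ''
"""
PUBLISHED_SECRETS = {"testing123", "greatsecret", "easyhotspot"}  # printed in this thread


def parse_uci(text):
    """Return {option: [values]} for 'option'/'list' lines; '#' comments are dropped."""
    opts = {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # ValueError on an unbalanced quote
        if len(tok) >= 3 and tok[0] in ("option", "list"):
            opts.setdefault(tok[1], []).extend(v for v in tok[2].split(",") if v)
    return opts


def in_garden(host, opts):
    """True if host matches a uamallowed IP/CIDR/name or (assumed) a uamdomain suffix."""
    for entry in opts.get("uamallowed", []):
        try:
            if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # host or entry is a name: compare as text
            if entry == host:
                return True
    return any(("." + host).endswith("." + d.lstrip(".")) for d in opts.get("uamdomain", []))


def lint(text):
    """Return (code, message) findings for the pitfalls discussed in the thread."""
    opts = parse_uci(text)
    get = lambda key, default="": (opts.get(key) or [default])[0]
    out = []
    if "dhcpif" in opts or not get("network"):
        out.append(("network", "set 'option network' to the guest bridge, not dhcpif"))
    if not get("dns1"):
        out.append(("dns1", "no dns1: clients may hang waiting for DNS"))
    net = ipaddress.ip_network(get("net", "192.168.182.0/24"), strict=False)
    listen = get("uamlisten", str(net.network_address + 1))  # default is .1 of net
    host = urlparse(get("uamserver")).hostname
    if host and host != listen and not in_garden(host, opts):
        out.append(("garden", f"UAM host {host} is not in uamallowed/uamdomain"))
    for key in ("radiussecret", "uamsecret", "proxysecret"):
        if get(key) in PUBLISHED_SECRETS:
            out.append((key, f"{key} is a published example value; replace it"))
    if get("nochallenge") == "1":
        out.append(("nochallenge", "password goes to the UAM server as unencrypted PAP"))
    return out


if __name__ == "__main__":
    print("\n".join(f"{code}: {msg}" for code, msg in lint(SAMPLE)))
```

To check a real router, pass the text of a copy of /etc/config/chilli to `lint()` instead of `SAMPLE`.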

Thanks MK! I'll try my best to set it up, it's a little frustrating because I'm kind of a newbie in this stuff, I started 3 weeks ago to study all these captive portal docs.

Anyway, do you have an email/whatp/fb to contact you in case I need some extra help? I really appreciate your help guys, thanks!

MK! I started to set my AP following this tutorial:

I have this doubt:
Why should I put my interface "guest" in the wireless configuration (option network guest) if my guest doesn't have an IP address...?

Thanks for your time.

coova-chilli does the dhcp.
Obviously, you need general know-how about coova first. So, do the setup on standard linux first, as I wrote already.

Hi REINI! I'm following your advice since I wasn't able to configure this coovachilli in the router yet!

Currently following this guide https://www.radiusdesk.com/docuwiki/getting_started/install_ubuntu_coovachilli?do=export_pdf

Question... this will NOT display a captive portal, right? This is just the installation of coovachilli...? Considering I already have my radiusdesk server working.

THANKS

I pretend to install coovachilli following the guide that I posted and use a virtual box to initiate the radiusserver.... Am I doing it right?

The Radiusdesk machine also hosts the RADIUS server. In other words all your uamserver and radiusserver1 and radiusserver2 point at the Radiusdesk machine.

Especially when the Radiusdesk machine is a VM you need to have the network configured so the OpenWrt router can reach it. The easy way is to set the virtual network adapter in your VM hypervisor to be bridged to the LAN port of the host machine. If the VM host is running a firewall you may need to open ports.

The rest of the pdf file is about configuring coovachilli the old way with environment variables. Just for confusion, some of these files still exist in an OpenWrt chilli opkg install but are otherwise not used. The OpenWrt version of Chilli would really prefer you use the UCI system.

Hey guys, I've already installed coovachilli in Ubuntu 18.04 (guess so), here's a screenshot of it "running".

What's next?

Can I install radius in ubuntu on a VIRTUAL BOX?

I mounted radiusdesk in virtual machine on ubuntu and initialize coovachilli and got this. I can’t see hotspot yet

OK I've done some testing with actual RadiusDesk (2017-0-4).

Here is the entire OpenWrt /etc/config/chilli:

config chilli
    option tundev 'tun0'
    option network 'guest'
    option debug '1'
    option radiusserver1 '192.168.22.244'
    option radiusserver2 '192.168.22.244'
    option radiussecret testing123
    option radiusnasid nas01
    option uamserver 'http://192.168.22.244/cake3/rd_cake/dynamic-details/chilli-browser-detect/'
    option uamsecret greatsecret
    option uamallowed '192.168.22.0/24'
    option dns1 '192.168.22.1'
    option ipup '/etc/chilli/up.sh'
    option ipdown '/etc/chilli/down.sh'

Now of course you also need the guest bridge network and wifi AP as previously explained, and change the IP addresses in the config to match your LAN network. It is very important that from the router CLI you must be able to ping the Radiusdesk server. If that does not work you need to fix the network.

(Spoiler alert, it doesn't (quite) work, because the RadiusDesk pages use chilli's JSON API, which is not compiled into the released OpenWrt builds-- though it really should be)

To get close to working (but not actually, that would require recompiling chilli) you need to do two configs to Radiusdesk. First go to the gears on the left side and click dynamic login pages on the top, then dynamic keys, and add one of type nasid with your nasid (nas01 here). Or you could have set nasid in the chilli config to one of the existing example ones.

Then after trying to log in, click the bullseye on the left side (radius), dynamic clients, unknown clients tab, you should see your AP has tried to contact, so select it and hit the paperclip to make your client known. For security RADIUS will not answer unknown clients.

Then you should see a bunch of pictures but also red error messages because there's no JSON. That should be fixable if you have a build system.

Note also that the Radiusdesk VM has a chilli instance running, though you will need to somehow set up two independent network interfaces in your hypervisor (that lead to actual hardware) to make it work. Which is not an OpenWrt subject at all.


Thanks a lot Mike! Let me try again with this...

Just for your info Mike, I was following this tutorial when installing all the stuff in TPLINK AC1750:

https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-radiusdesk-and-coova-chilli-on-raspberry-pi-running-openwrt/

That's for the radius and coovachilli part...

In that tutorial they guide you to another one which is this one:

https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/

This second part of the tutorial tries to teach you how to set the NAS device as an access point... Followed it that way and had NO success.

I think I maybe have the problem setting up the network because in the tutorial you need to configure firewall and all that stuff...

Let me try following your advice and I'll keep in touch. Thank you Mike!
