I want to set up a captive portal and connect it to radius server for accounting and authorization. I wonder if the Coova-Chilli have the login page or not?
You can set up a local login page, of course.
Thanks @reinerotto so much for your reply. You mean coova-chilli has a built-in login page? I'm a little confused about UAM (Universal Access Method)! Do you have a configuration example for coova-chilli?
Coovachilli has been unmaintained for many years and should be considered EOL.
It will fail on OpenWrt 23.5.x and above unless you do a great deal of hacking about - if you are lucky.
If you are constrained by a corporate requirement to use radius, possibly the easiest way forward is to try the uspot package, designed as a replacement for Coovachilli:
Otherwise radius is a complete overkill and you should consider openNDS:
https://openwrt.org/docs/guide-user/services/captive-portal/opennds
I appreciate your explanation @bluewavenet. But, how should I install uspot in openwrt? There is no candidate when I use opkg install uspot!
As far as I know it is available for OpenWrt 23.05.x onwards.
I updated the openwrt version and now uspot is installed. I configured it following the website guide. But it doesn't work!!!
My configuration for each part is as below:
/etc/config/network:
# Loopback interface (standard OpenWrt default).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc0:d525:fcc5::/48'
option packet_steering '1'
# LAN bridge declared as a standalone device (current OpenWrt bridge syntax);
# the 'lan' interface below attaches to it via 'option device'.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# NOTE(review): 'wwan' has no 'option device' here; presumably a wireless STA from
# config/wireless attaches to it — confirm.
config interface 'wwan'
option proto 'dhcp'
# Dedicated interface for captive-portal clients. It is referenced by 'option interface'
# in config/uspot and by 'list network' in the 'captive' firewall zone, so portal clients
# are firewalled separately from 'lan'. 10.0.0.1/22 is the portal address.
config interface 'captive'
option proto 'static'
option device 'phy1-ap0'
option ipaddr '10.0.0.1'
option netmask '255.255.252.0'
# NOTE(review): 'option type bridge' inside a 'config interface' is the legacy bridge
# form; on current OpenWrt the bridge is its own 'config device' (as br-lan is above)
# and the interface points at it with 'option device'. Combined with a direct
# 'option device phy1-ap0' this is at least inconsistent — confirm the AP radio really
# ends up attached to this interface.
option type 'bridge'
/etc/config/uspot:
#for auth mode 'credentials', add any number of the following config entry
#config credentials
#option uspot 'example'
#option username 'myuser'
#option password 'mypass'
#Values provided for the options below reflect the defaults used when the option is not set.
# NOTE(review): auth_mode is 'click-to-continue' here, so no RADIUS server is contacted
# by this configuration; RADIUS authorisation/accounting needs the 'radius' (or 'uam')
# mode and its related options — confirm this matches the intended setup.
config uspot 'captive'
option auth_mode 'click-to-continue' # one of 'uam', 'radius', 'credentials', 'click-to-continue'
option idle_timeout '600' # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
option session_timeout '1000' # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
# Must name the captive interface from config/network; the firewall zone is built on the same interface.
option interface 'captive' # network interface (from config/network) on which captive clients will be managed
# Must match 'option name' of the 'config ipset' and the 'option ipset' references in config/firewall.
option setname 'captive' # firewall ipset name for client management
# Debug output goes to the system log (logread); turn it off once the portal works.
option debug '1' # turn on debugging output in logs
#captive portal API (RFC8908) configuration:
#option cpa_can_extend '0' # 'can-extend-session' is true if this option is set to '1', false otherwise
#option cpa_venue_url 'http://captiveportal.com' # value is provided verbatim as 'venue-info-url'
/etc/config/firewall:
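# Zone for captive-portal clients. Input to the router and forwarding are rejected by
# default; everything a client may do is opened explicitly by the rules below.
config zone
option name 'captive'
list network 'captive'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
#setup CPD hijacking for unauthenticated clients
# The 'captive' ipset (declared further down) holds AUTHENTICATED clients, so this
# redirect must match clients that are NOT in the set — hence the leading '!' on the
# ipset name. Without it the portal would be pushed at already-authenticated clients
# while unauthenticated ones would never be hijacked to the CPD page.
config redirect
option name 'Redirect-unauth-captive-CPD'
option src 'captive'
option src_dport '80'
option proto 'tcp'
option target 'DNAT'
option reflection '0'
option ipset '!captive' # match with uspot option 'setname'
#allow DHCP for captive clients
# UDP 67 (DHCP) and 123 (NTP) towards the router; NTP matters for clients validating TLS certificates.
config rule
option name 'Allow-DHCP-NTP-captive'
option src 'captive'
option proto 'udp'
option dest_port '67 123'
option target 'ACCEPT'
#prevent access to LAN-side services from captive interface
#Linux implements a weak host model and traffic crossing zone boundary isn't considered forwarding on the router:
#it must be explicitly denied - NB order matter: DHCP is broadcast that would be caught by this rule
# NOTE(review): while this rule stays commented out, the ACCEPT rules below carry no
# 'dest_ip', so they apply to every router address — a captive client can reach the
# router's LAN-side IP (192.168.3.1) on the opened ports, e.g. a LAN web UI on 80/443
# once the client is authenticated and no longer redirected (assuming the main uhttpd
# listens on all addresses, as is typical). Enable it, after the DHCP rule, unless that
# exposure is intended.
#config rule
#option name 'Restrict-input-captive'
#option src 'captive'
#option dest_ip '!captive'
#option target 'DROP'
#allow incoming traffic to CPD / web interface and local UAM server
# Least privilege: 443 and 3990 are only needed once the matching TLS and UAM uhttpd
# listeners are enabled in config/uhttpd; with them still commented out only 80 is served.
config rule
option name 'Allow-captive-CPD-WEB-UAM'
option src 'captive'
option dest_port '80 443 3990'
option proto 'tcp'
option target 'ACCEPT'
#allow forwarding traffic to wan from authenticated clients
# Only members of the 'captive' set (authenticated clients) may forward to wan.
config rule
option name 'Forward-auth-captive'
option src 'captive'
option dest 'wan'
option proto 'any'
option target 'ACCEPT'
option ipset 'captive' # match with uspot option 'setname'
#allow DNS for captive clients
# DNS is open to all captive clients (authenticated or not) so hostname lookups work before login.
config rule
option name 'Allow-DNS-captive'
option src 'captive'
list proto 'udp'
list proto 'tcp'
option dest_port '53'
option target 'ACCEPT'
#if using RFC5176 RADIUS DAE:
# Only open this when the RADIUS server's address is pinned via 'src_ip'; it exposes a
# UDP port on the wan side.
#config rule
#option name 'Allow-captive-DAE'
#option src 'wan'
#option proto 'udp'
#option family 'ipv4'
#option src_ip 'XX.XX.XX.XX' # adjust as needed
#option dest_port '3799' # match value for 'das_port' in config/uspot
#option target 'ACCEPT'
#create the ipset that will hold authenticated clients
# Membership is keyed on the client's source MAC, so the authorised state is bound to the
# MAC address rather than to a user or device identity.
config ipset
option name 'captive' # match with uspot option 'setname'
list match 'src_mac'
#optional whitelist for e.g. remote UAM host and/or dynamic hosts via dnsmasq ipset functionality
#config rule
#option name 'Allow-Whitelist'
#option src 'captive'
#option dest 'wan'
#option proto 'any'
#option ipset 'wlist'
#option target 'ACCEPT'
#associated whitelist ipset with prepopulated entries
#config ipset
#option name 'wlist'
#list match 'dest_ip'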
/etc/config/dhcp:
# DHCP pool for the captive interface (config/network 'captive', 10.0.0.1/22):
# 1000 addresses starting at offset 2 in that subnet, 2-hour leases.
config dhcp 'captive'
option interface 'captive'
option start '2'
option limit '1000'
option leasetime '2h'
# add the following for RFC8910 Captive Portal API - DNS name is setup below
# list dhcp_option '114,https://captive.example.org/api'
# optionally provide NTP server (if enabled on the device) - recommended for SSL cert validation
# list dhcp_option_force '42,10.0.0.1'
#add a local domain name for HTTPS support, name must match TLS certificate
# Resolves the portal hostname to the captive interface address so clients can reach the portal by name.
config domain
option name 'captive.example.org'
option ip '10.0.0.1'
#if using optional dynamic hosts whitelist
#config ipset
#list name 'wlist' # match value with whitelist ipset name in config/firewall
#list domain 'my.whitelist1.domain'
#list domain 'my.whitelist2.domain'
/etc/config/uhttpd:
# Dedicated uhttpd instance serving the portal, bound to the captive interface address only.
config uhttpd 'uspot'
# Plain HTTP only: with the TLS listener below still commented out, anything a client
# submits to the portal (credentials in 'credentials'/'radius'/'uam' modes) crosses the
# captive network in clear text. Enable listen_https with a certificate before collecting credentials.
list listen_http '10.0.0.1:80'
option redirect_https '0'
option max_requests '5'
option no_dirlists '1'
option home '/www-uspot'
# NOTE(review): the logread error "Unable to open ucode handler: No such file or directory"
# reported for this instance refers to one of the handler paths below; confirm that every
# file named in a ucode_prefix exists on the device before looking elsewhere.
list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'
list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'
# presumably sends requests for unknown URLs to the CPD handler, which is what hijacked clients need — verify
option error_page '/cpd'
#if using TLS and/or supporting RFC8908 CapPort API:
#list listen_https '10.0.0.1:443'
#option cert '/usr/share/certs/captive.pem' # to be provided manually
#option key '/usr/share/certs/captive.key' # to be provided manually
#for RFC8908 support:
#list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'
#if using RADIUS UAM authentication:
# Second instance on port 3990 for the UAM logon/logoff endpoints; firewall rule
# 'Allow-captive-CPD-WEB-UAM' already opens that port.
#config uhttpd 'uam3990'
#list listen_http '10.0.0.1:3990'
#option redirect_https '0'
#option max_requests '5'
#option no_dirlists '1'
#option home '/www-uspot'
#list ucode_prefix '/logon=/usr/share/uspot/handler-uam.uc'
#list ucode_prefix '/logoff=/usr/share/uspot/handler-uam.uc'
#list ucode_prefix '/logout=/usr/share/uspot/handler-uam.uc'
#
/etc/config/dhcp
# DHCP pool for the captive interface (10.0.0.1/22 in config/network): 1000 addresses
# starting at offset 2, 2-hour leases. This repeats the /etc/config/dhcp excerpt posted above.
config dhcp 'captive'
option interface 'captive'
option start '2'
option limit '1000'
option leasetime '2h'
# add the following for RFC8910 Captive Portal API - DNS name is setup below
# list dhcp_option '114,https://captive.example.org/api'
# optionally provide NTP server (if enabled on the device) - recommended for SSL cert validation
# list dhcp_option_force '42,10.0.0.1'
When I use logread to read the log of services, I see error "uhttpd[5951]: Error: Unable to open ucode handler: No such file or directory" from the instance 2 of uhttpd which is the uspot. Have you seen such an error?
You should open an issue on Github for this:
It is very new and you will probably be the first to open an issue.
I have not used it, and I don't think I would ever need to as, in my opinion, there is very little point in using radius for a captive portal except for the case of old dinosaur corporate environment where a huge historical investment has been made in radius servers etc. (unless of course you are doing this as an academic exercise - but that is a different [historical] story).