Installing Chillispot on FreeBSD
By Sevan Janiyan
www.geeklan.co.uk
venture37@geeklan.co.uk


This guide will cover how to get a basic Chillispot installation going with Apache 1.3 + mod_ssl, MySQL 4.1, freeRADIUS & OpenBSD's Packet Filter (PF).

1) Update your ports tree!!!!
Instructions on how to do so are included in the Handbook under the Using CVSup section:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

2) Once the update is complete go to {PORTSDIR}/net-mgmt/chillispot & run make install. You'll be presented with a menu; select:
MATURE Stable Releases of Apache with mod_ssl & mySQL
&
FREE freeRADIUS
& choose Ok

During the build process you'll be asked what flavour of freeRADIUS you'd like to build;
choose MYSQL With MySQL user database

3) When the build & install process is complete go back to the apache directory,
regenerate & install some new certs & optionally remove the preinstalled snakeoil test ones.
go to {PORTSDIR}/www/apache13-modssl
& run make certificate TYPE=custom
Answer the questions in each step & when you're finished you'll be given a summary of files & their functions.
Now copy the files listed in the summary from work/apache_1.X.XX/conf to your apache config directory
(replace X.XX with the relevant version number):
cp work/apache_1.X.XX/conf/ssl.key/ca.key %%PREFIX%%/etc/apache/ssl.key/
cp work/apache_1.X.XX/conf/ssl.key/server.key %%PREFIX%%/etc/apache/ssl.key/
cp work/apache_1.X.XX/conf/ssl.crt/ca.crt %%PREFIX%%/etc/apache/ssl.crt/
cp work/apache_1.X.XX/conf/ssl.crt/server.crt %%PREFIX%%/etc/apache/ssl.crt/
chmod 400 %%PREFIX%%/etc/apache/ssl.key/ca.key
chmod 400 %%PREFIX%%/etc/apache/ssl.crt/ca.crt

Optional:
rm %%PREFIX%%/etc/apache/ssl.key/snakeoil-*
rm %%PREFIX%%/etc/apache/ssl.crt/snakeoil-*
then go to %%PREFIX%%/etc/apache/ssl.crt/ & delete the symbolic links with alphanumeric filenames

4) Put Chillispot's files into place:
copy hotspotlogin.cgi from %%PREFIX%%/share/chillispot/ to %%PREFIX%%/www/cgi-bin/
& make it executable:
chmod 555 %%PREFIX%%/www/cgi-bin/hotspotlogin.cgi

put the chilli.conf file into place
cp %%PREFIX%%/share/chillispot/chilli.conf.sample %%PREFIX%%/etc/chilli.conf

freeRADIUS related files
cp %%PREFIX%%/share/chillispot/dictionary.chillispot %%PREFIX%%/etc/raddb/
cp %%PREFIX%%/share/chillispot/freeradius.users %%PREFIX%%/etc/raddb/

PF config file
cp %%PREFIX%%/share/chillispot/pf.conf.sample /etc/pf.conf

5) Set up MySQL
run ./mysql_install_db
& follow the onscreen instructions provided to set a new root password

6) Create a database for freeRADIUS
at the mysql prompt issue the following:
create database mydbname;
grant all privileges on mydbname.* to 'dbusername'@'localhost' identified by 'mypass';
flush privileges;
quit;

7) Import the freeRADIUS MySQL DB schema
by running the following:
mysql -u dbusername -p mydbname < %%PREFIX%%/share/doc/freeradius/examples/mysql.sql

8) Configure freeRADIUS
go to %%PREFIX%%/etc/raddb
& trim .sample from the end of the following filenames:
acct_users
certs
clients.conf
dictionary, then edit it & add $INCLUDE dictionary.chillispot

eap.conf
hints
huntgroups
preproxy_users
proxy.conf
radiusd.conf
snmp.conf
sql.conf
users

9) Before going ahead & configuring freeRADIUS to use MySQL,
set up a basic account using the existing flat files to make sure everything is working so far.
edit %%PREFIX%%/etc/raddb/clients.conf
& change the secret entry e.g:
secret = s3cr3t

then add the sample chillispot user by copying the contents of freeradius.users to users

then run adduser to create a user which radiusd will run under
#adduser
Username: radiusd
Full name: freeRADIUS
Uid (Leave empty for default):
Login group [radiusd]:
Login group is radiusd. Invite radiusd into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/radiusd]: /nonexistent
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: y
Lock out the account after creation? [no]: y
Username : radiusd
Password : <random>
Full Name : freeRADIUS
Uid : 1002
Class :
Groups : radiusd
Home : /nonexistent
Shell : /usr/sbin/nologin
Locked : yes
OK? (yes/no): y
adduser: INFO: Successfully added (radiusd) to the user database.
adduser: INFO: Password for (radiusd) is: blablabla123
adduser: INFO: Account (radiusd) is locked.

now edit %%PREFIX%%/etc/raddb/radiusd.conf
uncomment & change the user & group entries from
#user = nobody to user = radiusd
#group = nobody to group = radiusd
& change
proxy_requests = yes to no

now create the log files freeRADIUS will use in /var/log
mkdir /var/log/radacct
touch /var/log/radius.log
touch /var/log/radutmp
touch /var/log/radwtmp

assign them the right permissions
chmod 700 /var/log/radacct
chmod 644 /var/log/radius.log
chmod 600 /var/log/radutmp
chmod 644 /var/log/radwtmp

then change their ownership
chown radiusd:radiusd /var/log/radacct
chown radiusd:radiusd /var/log/radius.log
chown radiusd:radiusd /var/log/radutmp
chown radiusd:radiusd /var/log/radwtmp

10) Now fire up freeRADIUS in debug mode
by issuing %%PREFIX%%/sbin/radiusd -X
& using the radtest tool query freeRADIUS:
radtest steve testing localhost 1812 s3cr3t

you should get the following output back:
Sending Access-Request of id 57 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=57, length=74
Class = 0x30373032333435363738
Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Bandwidth-Max-Up = 128000
WISPr-Bandwidth-Max-Down = 512000

if you're not sure whether freeRADIUS is listening on port 1812/udp or 1645/udp, check your /etc/services file:
$ cat /etc/services | grep radius
# IMPORTANT NOTE: Ports 1645/1646 are the traditional radius ports used by
#radius 1645/udp #RADIUS authentication protocol (old)
radius 1812/udp #RADIUS authentication protocol (IANA sanctioned)

If everything went along ok without any errors, edit users & remove the entries you added from Chillispot's freeradius.users file.

11) Configuring freeRADIUS to use MySQL instead of flat files
edit %%PREFIX%%/etc/raddb/sql.conf &
change the login, password & radius_db entries to those used in step 6
then uncomment
#sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
& comment out sql_user_name = "%{User-Name}"
if you'd like to use short names (username minus realm) as well as user@realm.f00 & :-DEFAULT
then uncomment simul_count_query

edit %%PREFIX%%/etc/raddb/radiusd.conf
then uncomment sql in the authorize { section
comment out unix in authenticate {
comment out files in preacct {
uncomment sql in accounting {
comment out radutmp & uncomment sql in session {

freeRADIUS is now set up to use MySQL.

12) You now need to set up some users for your wireless clients to use
12.1: login to the mysql console:
mysql -u dbusername -p

12.2: choose the database you created for freeRADIUS to work on
mysql> use mydbname;

12.3: let's see what's in here:
mysql> show tables;
+----------------------+
| Tables_in_mydbname   |
+----------------------+
| nas                  |
| radacct              |
| radcheck             |
| radgroupcheck        |
| radgroupreply        |
| radpostauth          |
| radreply             |
| usergroup            |
+----------------------+
8 rows in set (0.00 sec)

12.4: to see what fields you need to fill in issue:
mysql> show columns from radcheck;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned |      | PRI | NULL    | auto_increment |
| UserName  | varchar(64)      |      | MUL |         |                |
| Attribute | varchar(32)      |      |     |         |                |
| op        | char(2)          |      |     | ==      |                |
| Value     | varchar(253)     |      |     |         |                |
+-----------+------------------+------+-----+---------+----------------+
5 rows in set (0.01 sec)

12.5: let's add our first username:
mysql> insert into radcheck (Username, Attribute, Value) VALUES ('fry', 'Password', 'walkingonsunshine');
Query OK, 1 row affected (0.00 sec)

12.6: is it there?
mysql> select * from radcheck;
+----+----------+-----------+----+-------------------+
| id | UserName | Attribute | op | Value             |
+----+----------+-----------+----+-------------------+
|  1 | fry      | Password  | == | walkingonsunshine |
+----+----------+-----------+----+-------------------+
1 row in set (0.00 sec)

12.7: assign the user to a group:
mysql> show columns from usergroup;
+-----------+-------------+------+-----+---------+-------+
| Field     | Type        | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| UserName  | varchar(64) |      | MUL |         |       |
| GroupName | varchar(64) |      |     |         |       |
| priority  | int(11)     |      |     | 1       |       |
+-----------+-------------+------+-----+---------+-------+
3 rows in set (0.01 sec)

mysql> insert into usergroup (UserName, GroupName, Priority) VALUES ('fry', 'dynamic', 1);
Query OK, 1 row affected (0.00 sec)

mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| fry      | dynamic   |        1 |
+----------+-----------+----------+
1 row in set (0.01 sec)

12.8: Authorization Type:
mysql> show columns from radgroupcheck;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned |      | PRI | NULL    | auto_increment |
| GroupName | varchar(64)      |      | MUL |         |                |
| Attribute | varchar(32)      |      |     |         |                |
| op        | char(2)          |      |     | ==      |                |
| Value     | varchar(253)     |      |     |         |                |
+-----------+------------------+------+-----+---------+----------------+
5 rows in set (0.00 sec)

mysql> insert into radgroupcheck (GroupName, Attribute, Value) VALUES ('dynamic', 'Auth-Type', 'Local');
Query OK, 1 row affected (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | dynamic   | Auth-Type | == | Local |
+----+-----------+-----------+----+-------+
1 row in set (0.00 sec)

12.9: User & Group Attribute settings
User specific attributes:
mysql> show columns from radreply;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned |      | PRI | NULL    | auto_increment |
| UserName  | varchar(64)      |      | MUL |         |                |
| Attribute | varchar(32)      |      |     |         |                |
| op        | char(2)          |      |     | =       |                |
| Value     | varchar(253)     |      |     |         |                |
+-----------+------------------+------+-----+---------+----------------+
5 rows in set (0.00 sec)

mysql> insert into radreply (UserName, Attribute, Value) VALUES ('fry', 'Class', '0702345678');
Query OK, 1 row affected (0.01 sec)

mysql> select * from radreply;
+----+----------+-----------+----+------------+
| id | UserName | Attribute | op | Value      |
+----+----------+-----------+----+------------+
|  1 | fry      | Class     | =  | 0702345678 |
+----+----------+-----------+----+------------+
1 row in set (0.00 sec)

Group specific settings:
mysql> show columns from radgroupreply;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned |      | PRI | NULL    | auto_increment |
| GroupName | varchar(64)      |      | MUL |         |                |
| Attribute | varchar(32)      |      |     |         |                |
| op        | char(2)          |      |     | =       |                |
| Value     | varchar(253)     |      |     |         |                |
+-----------+------------------+------+-----+---------+----------------+
5 rows in set (0.00 sec)

mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Session-Timeout', '3600');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Idle-Timeout', '600');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Acct-Interim-Interval', '60');
Query OK, 1 row affected (0.01 sec)

mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Redirection-URL', 'http://www.geeklan.co.uk');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Bandwidth-Max-Up', '128000');
Query OK, 1 row affected (0.01 sec)

mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Bandwidth-Max-Down', '512000');
Query OK, 1 row affected (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------------------+----+--------------------------+
| id | GroupName | Attribute                | op | Value                    |
+----+-----------+--------------------------+----+--------------------------+
|  1 | dynamic   | Session-Timeout          | =  | 3600                     |
|  2 | dynamic   | Idle-Timeout             | =  | 600                      |
|  3 | dynamic   | Acct-Interim-Interval    | =  | 60                       |
|  4 | dynamic   | WISPr-Redirection-URL    | =  | http://www.geeklan.co.uk |
|  5 | dynamic   | WISPr-Bandwidth-Max-Up   | =  | 128000                   |
|  6 | dynamic   | WISPr-Bandwidth-Max-Down | =  | 512000                   |
+----+-----------+--------------------------+----+--------------------------+
6 rows in set (0.00 sec)

Test:
%%PREFIX%%/bin/radtest fry walkingonsunshine localhost 1812 s3cr3t
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "fry"
User-Password = "walkingonsunshine"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=250, length=106
Class = 0x30373032333435363738
Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Redirection-URL = "http://www.geeklan.co.uk"
WISPr-Bandwidth-Max-Up = 128000
WISPr-Bandwidth-Max-Down = 512000

13) Nearly There
edit %%PREFIX%%/etc/chilli.conf
& change the dns1 & dns2 entries to your dns servers
(note: if you're not running a dns server locally you'll need to uncomment uamanydns)
change radiusserver1 & radiusserver2 to localhost
set radiussecret to whatever you selected in step 9,
e.g. s3cr3t
set dhcpif to your wifi card, e.g. ral0
change uamserver to https://192.168.182.1/cgi-bin/hotspotlogin.cgi
(if you're not running a dns server locally; if you are, use the fqdn)
change the uamsecret to another value, then edit %%PREFIX%%/www/cgi-bin/hotspotlogin.cgi & set $uamsecret to the same value

14) Finishing Stage
Edit /etc/pf.conf & make sure $ext_if & $int_if are correct
Edit /etc/rc.conf & add the following:
chillispot_enable="YES"
apache_enable="YES"
radiusd_enable="YES"
mysql_enable="YES"
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
gateway_enable="YES"

& remove any IP addresses assigned to your wifi card;
this is enough for chilli to work:
ifconfig_ral0="ssid chilli mediaopt hostap mode 11b"

save & reboot, or quit back to the shell & run the following to get everything started:
%%PREFIX%%/etc/rc.d/chillispot start
%%PREFIX%%/etc/rc.d/apache.sh start
(you'll be asked for the password that you assigned whilst generating the certs in step 3)
%%PREFIX%%/etc/rc.d/mysql-server start
%%PREFIX%%/etc/rc.d/radiusd start
pfctl -e
pfctl -f /etc/pf.conf


THE END!!!


Original sources for info:
OpenBSD PF FAQ
http://www.openbsd.org/faq/

The FreeBSD Handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

SB's very rough notes to FreeRadius and MySQL
http://www.frontios.com/freeradius.html

ONLamp Getting Started with FreeRADIUS
http://www.onlamp.com/pub/a/onlamp/excerpt/radius_5/index1.html?page=1

TAASC MySQL Basics
http://www.analysisandsolutions.com/code/mybasic.htm

This work is licensed under the Creative Commons Attribution-Share Alike 2.5 License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California,
94105, USA.
