ChilliSpot

From Wiki do Bernardino

[Image: Chillispot.png]

ChilliSpot is an open source captive portal or wireless LAN access point controller. It is used for authenticating users of a wireless LAN. It supports web based login which is today's standard for public HotSpots. Authentication, authorization and accounting (AAA) is handled by your favorite radius server.

Binary downloads are available for Red Hat, Fedora, Debian, Mandrake and OpenWRT. ChilliSpot is an ebuild in Gentoo and compiles under FreeBSD. Source code under the GPL is available for other platforms.

All the above are included in one package at HotSpot System's turnkey hotspot solution.

[Figure: ChilliSpot HotSpot Architecture]

You can install the radius and web server on the same PC as ChilliSpot or they can be located on the Internet.

Note: the project is discontinued; a new fork exists under the name CoovaChilli, http://coova.org/CoovaChilli/

ChilliSpot Architecture

ChilliSpot is an open source Wireless LAN access point controller. ChilliSpot is a captive portal which authenticates users of a wireless LAN. To build your own HotSpot you need the following items:

   Internet connection
   A wireless LAN access point
   ChilliSpot software for your PC
   Radius server
   Web server

[Image: Chilli.png (ChilliSpot architecture diagram)]

You can host the radius server and web server on the same PC as the ChilliSpot software, or they can be located on the Internet.

Chilli

Chilli is the name of the software you install on your PC. It supports two authentication methods:

   Universal Access Method (UAM)
   Wi-Fi Protected Access (WPA)

With UAM the wireless client requests an IP address over DHCP and is allocated one by chilli. When the user starts a web browser, chilli captures the TCP connection and redirects the browser to an authentication web server, which asks the user for a username and password. The password is not sent back to chilli in clear: it is returned as a CHAP response against a challenge (see CHAP-Password and CHAP-Challenge under Radius below).

With WPA, authentication is handled by the access point and then forwarded from the access point to chilli over the radius protocol (chilli acts as a radius proxy). If WPA is used the connection between the access point and the client is encrypted.

For both UAM and WPA chilli forwards the authentication request to a radius server. The radius server sends an access-accept message back to chilli if authentication was successful. Otherwise an access-reject is sent back.

Chilli is currently only available for Linux.

Authentication Web Server

An authentication web server is needed in order to authenticate users with the universal access method. For Wi-Fi Protected Access this web server is not needed.

The interface to the web server uses only the HTTP protocol. No "call backs" from the web server to chilli are needed in order to authenticate the client. This means that the HotSpot can be placed behind a NAT gateway, proxy or firewall while the web server is located on the public Internet.

We provide a CGI script for your web server which asks the user for a username and password. Once the user has entered them, the password is hashed CHAP-style against a challenge and sent back to chilli, which forwards the request to the radius server. Use SSL/TLS on the web server: without it the username and the challenge/response pair cross the open WLAN in clear, and an eavesdropper can run a dictionary attack on the response.
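The UAM exchange described above, as an added Python example (not code from ChilliSpot, its login CGI, or this page). It plays all three parties: chilli mints the challenge and redirects the browser, the login CGI turns the password into an RFC 2865 CHAP response and bounces the browser back to chilli's logon URL, and the radius server verifies the CHAP-Password against its stored password. The URL parameter names (res, uamip, uamport, challenge, userurl, username, response), the /logon path, and the mixing of chilli's challenge with uamsecret before hashing are my assumptions about the original login CGI; the CHAP computation itself is the standard one. UAM_SECRET and USER_DB are constructed sample values.

```python
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Values assumed for this example (not taken from the page): the --uamsecret shared by
# chilli and the login web server, and the password database the RADIUS server holds.
UAM_SECRET = b"change-me-before-deploying"
USER_DB = {"alice": b"correct horse battery"}
CHAP_IDENT = 0  # CHAP identifier byte prefixed to the CHAP-Password attribute value


def chilli_redirect(uamserver: str, uamip: str, uamport: int, userurl: str):
    """chilli: mint a fresh 16-byte challenge and send the browser to the UAM server.
    Returns (redirect_url, challenge); chilli keeps the challenge for the client."""
    challenge = secrets.token_bytes(16)
    query = urlencode({"res": "notyet", "uamip": uamip, "uamport": uamport,
                       "challenge": challenge.hex(), "userurl": userurl})
    return f"{uamserver}?{query}", challenge


def effective_challenge(challenge: bytes, uamsecret: Optional[bytes]) -> bytes:
    """Challenge actually used in the CHAP computation. Binding it to uamsecret (an
    assumption about the original login CGI) means a browser cannot produce a valid
    logon from chilli's raw challenge without going through the configured uamserver."""
    return hashlib.md5(challenge + uamsecret).digest() if uamsecret else challenge


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password value = MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def webserver_logon_url(redirect_url: str, username: str, password: bytes,
                        uamsecret: Optional[bytes]) -> str:
    """Login CGI: obscure the password and bounce the browser to chilli's logon URL.
    Only HTTP is involved, so the web server needs no callback path to chilli."""
    q = parse_qs(redirect_url.split("?", 1)[1])
    chal = effective_challenge(bytes.fromhex(q["challenge"][0]), uamsecret)
    resp = chap_response(CHAP_IDENT, password, chal)
    logon = urlencode({"username": username, "response": resp.hex(),
                       "userurl": q["userurl"][0]})
    return f"http://{q['uamip'][0]}:{q['uamport'][0]}/logon?{logon}"


def chilli_access_request(logon_url: str, challenge: bytes,
                          uamsecret: Optional[bytes]) -> dict:
    """chilli: map the logon query onto the CHAP radius attributes it sends."""
    q = parse_qs(logon_url.split("?", 1)[1])
    return {
        "User-Name": q["username"][0],
        "CHAP-Password": bytes([CHAP_IDENT]) + bytes.fromhex(q["response"][0]),
        "CHAP-Challenge": effective_challenge(challenge, uamsecret),
    }


def radius_verify(request: dict) -> bool:
    """RADIUS server: recompute the response from the stored password. CHAP forces the
    server to keep passwords in clear (or reversibly), which is a cost of this method."""
    password = USER_DB.get(request["User-Name"])
    if password is None:
        return False
    chap = request["CHAP-Password"]
    expected = chap_response(chap[0], password, request["CHAP-Challenge"])
    return secrets.compare_digest(expected, chap[1:])


def uam_login(username: str, password: bytes,
              webserver_secret: Optional[bytes] = UAM_SECRET) -> bool:
    """Whole exchange. chilli always uses UAM_SECRET; the web server uses webserver_secret,
    so a server (or a client bypassing the server) without the secret is rejected."""
    redirect_url, challenge = chilli_redirect(
        "https://login.example.net/hotspotlogin.cgi", "192.168.182.1", 3990,
        "http://www.example.org/")
    logon_url = webserver_logon_url(redirect_url, username, password, webserver_secret)
    return radius_verify(chilli_access_request(logon_url, challenge, UAM_SECRET))


if __name__ == "__main__":
    print("alice, correct password:", uam_login("alice", b"correct horse battery"))
    print("alice, wrong password:  ", uam_login("alice", b"wrong"))
    print("server without secret:  ", uam_login("alice", b"correct horse battery", None))
```

Two things the code makes visible: the password itself never crosses the wire, but the challenge and the 16-byte response do, so without TLS on the login page an eavesdropper holds everything needed for an offline dictionary attack; and because the radius server must recompute MD5(ident || password || challenge), CHAP only works with clear-text (or reversibly stored) passwords on the radius side.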

Radius

We do not provide any radius server software. For small projects we recommend an open source radius server such as FreeRADIUS, Cistron or OpenRADIUS.

The radius attributes used by chilli are listed below. Auth req = sent by chilli in Access-Request; Auth reply = accepted by chilli in Access-Accept (or Access-Challenge/Access-Reject where noted); Acct req = sent by chilli in Accounting-Request. The # column is the attribute number, or "vendor ID, vendor type" for vendor-specific attributes.

Attribute                    | #        | Type    | Auth req | Auth reply | Acct req | Comment
-----------------------------+----------+---------+----------+------------+----------+---------------------------------------------------------------
User-Name                    | 1        | String  | X        |            | X        | Full username as entered by the user.
User-Password                | 2        | String  | X        |            |          | Used for UAM as an alternative to CHAP-Password and CHAP-Challenge.
CHAP-Password                | 3        | String  | X        |            |          | Used for UAM.
CHAP-Challenge               | 60       | String  | X        |            |          | Used for UAM.
EAP-Message                  | 79       | String  | X        | X          |          | Used for WPA.
NAS-IP-Address               | 4        | IPaddr  | X        |            | X        | IP address of chilli (set by the radiusnasip or radiuslisten option). If neither radiuslisten nor radiusnasip is set, NAS-IP-Address is "0.0.0.0".
Service-Type                 | 6        | Integer | X        | X          |          | Login (1) for normal authentication requests. For RFC 2882 style configuration management Access-Requests it is set to ChilliSpot-Authorize-Only (0x38df0001), and the Access-Accept for such a request must also carry ChilliSpot-Authorize-Only (0x38df0001).
Framed-IP-Address            | 8        | IPaddr  | X        | X          | X        | IP address of the user.
Reply-Message                | 18       | String  |          | X          |          | Reason for the reject, if present.
State                        | 24       | String  | X        | X          |          | Sent to chilli in Access-Accept or Access-Challenge; returned transparently in the subsequent Access-Request.
Class                        | 25       | String  |          | X          | X        | Copied transparently by chilli from Access-Accept to Accounting-Request.
Session-Timeout              | 27       | Integer |          | X          |          | Log the user out once the session timeout (seconds) is reached.
Idle-Timeout                 | 28       | Integer |          | X          |          | Log the user out once the idle timeout (seconds) is reached.
Called-Station-ID            | 30       | String  | X        |            | X        | The radiuscalled command line option, or the MAC address of ChilliSpot if that option is not given.
Calling-Station-ID           | 31       | String  | X        |            | X        | MAC address of the client.
NAS-Identifier (NAS-ID)      | 32       | String  | X        |            | X        | Set to the radiusnasid option if present.
Acct-Status-Type             | 40       | Integer |          |            | X        | 1=Start, 2=Stop, 3=Interim-Update.
Acct-Input-Octets            | 42       | Integer |          |            | X        | Number of octets received from the client.
Acct-Output-Octets           | 43       | Integer |          |            | X        | Number of octets transmitted to the client.
Acct-Session-ID              | 44       | String  | X        |            | X        | Unique ID linking Access-Request and Accounting-Request messages.
Acct-Session-Time            | 46       | Integer |          |            | X        | Session duration in seconds.
Acct-Input-Packets           | 47       | Integer |          |            | X        | Number of packets received from the client.
Acct-Output-Packets          | 48       | Integer |          |            | X        | Number of packets transmitted to the client.
Acct-Terminate-Cause         | 49       | Integer |          |            | X        | 1=User-Request, 2=Lost-Carrier, 4=Idle-Timeout, 5=Session-Timeout, 11=NAS-Reboot.
Acct-Input-Gigawords         | 52       | Integer |          |            | X        | Number of times the Acct-Input-Octets counter has wrapped around.
Acct-Output-Gigawords        | 53       | Integer |          |            | X        | Number of times the Acct-Output-Octets counter has wrapped around.
NAS-Port-Type                | 61       | Integer | X        |            | X        | 19=Wireless-IEEE-802.11.
Message-Authenticator        | 80       | String  | X        | X          |          | Always included in Access-Request. If present in Access-Accept, Access-Challenge or Access-Reject, chilli validates that the Message-Authenticator is correct.
Acct-Interim-Interval        | 85       | Integer |          | X          |          | If present in Access-Accept, chilli generates interim accounting records at the given interval (seconds).
WISPr-Location-ID            | 14122, 1 | String  | X        |            | X        | Set to the radiuslocationid option if present. Format: isocc=<ISO_Country_Code>,cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>
WISPr-Location-Name          | 14122, 2 | String  | X        |            | X        | Set to the radiuslocationname option if present. Format: <HOTSPOT_OPERATOR_NAME>,<LOCATION>
WISPr-Logoff-URL             | 14122, 3 | String  | X        |            |          | Included in Access-Request to tell the operator which URL logs the client off. Defaults to "http://192.168.182.1:3990/logoff".
WISPr-Redirection-URL        | 14122, 4 | String  |          | X          |          | If present, the client is redirected to this URL once authenticated. The page should link to WISPr-Logoff-URL so that the client can log off.
WISPr-Bandwidth-Max-Up       | 14122, 7 | Integer |          | X          |          | Maximum transmit rate, in bits per second; limits the bandwidth of the connection.
WISPr-Bandwidth-Max-Down     | 14122, 8 | Integer |          | X          |          | Maximum receive rate, in bits per second; limits the bandwidth of the connection.
WISPr-Session-Terminate-Time | 14122, 9 | String  |          | X          |          | Time at which the user is disconnected, in ISO 8601 format (YYYY-MM-DDThh:mm:ssTZD). If TZD is omitted local time is assumed. Example: a disconnect on 18 December 2001 at 7:00 PM UTC is 2001-12-18T19:00:00+00:00.
ChilliSpot-Max-Input-Octets  | 14559, 1 | Integer |          | X          |          | Maximum number of octets the user may transmit; the user is disconnected once the limit is reached.
ChilliSpot-Max-Output-Octets | 14559, 2 | Integer |          | X          |          | Maximum number of octets the user may receive; the user is disconnected once the limit is reached.
ChilliSpot-Max-Total-Octets  | 14559, 3 | Integer |          | X          |          | Maximum number of octets the user may transfer (transmitted plus received); the user is disconnected once the limit is reached.
ChilliSpot-UAM-Allowed       |          |         |          | X          |          | Received from the radius server in an RFC 2882 style configuration management message; overrides the uamallowed command line option.
ChilliSpot-MAC-Allowed       |          |         |          | X          |          | Received from the radius server in an RFC 2882 style configuration management message; overrides the macallowed command line option.
ChilliSpot-Interval          |          |         |          | X          |          | Received from the radius server in an RFC 2882 style configuration management message; overrides the interval command line option.
MS-MPPE-Send-Key             | 311, 16  | String  |          | X          |          | Used for WPA.
MS-MPPE-Recv-Key             | 311, 17  | String  |          | X          |          | Used for WPA.

The WISPr vendor attributes are specified in "Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1", Feb 2003. The MS vendor attributes are specified in RFC 2548.
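An added Python example (not ChilliSpot code, and not from this page) of what a NAS has to do with the limit and accounting attributes in the table: parse WISPr-Session-Terminate-Time with and without a TZD, enforce Session-Timeout, Idle-Timeout and the ChilliSpot-Max-*-Octets quotas, and split 64-bit byte counters into Acct-*-Octets plus Acct-*-Gigawords for the Stop record. The attribute names and the Acct-Terminate-Cause numbers come from the table; using NAS-Request (10, from RFC 2866) as the cause for quota disconnects is this example's choice, since the page lists no cause for that case.

```python
from datetime import datetime, timezone, tzinfo
from typing import Optional, Tuple

GIGAWORD = 1 << 32  # Acct-*-Octets are 32-bit counters; Acct-*-Gigawords count the wraps

# Acct-Terminate-Cause values listed in the attribute table (RFC 2866 numbering)
USER_REQUEST, LOST_CARRIER, IDLE_TIMEOUT, SESSION_TIMEOUT, NAS_REBOOT = 1, 2, 4, 5, 11
NAS_REQUEST = 10  # RFC 2866 value; using it for octet quotas is this example's choice


def split_octets(total: int) -> Tuple[int, int]:
    """64-bit byte count -> (Acct-*-Gigawords, Acct-*-Octets)."""
    return total // GIGAWORD, total % GIGAWORD


def join_octets(gigawords: int, octets: int) -> int:
    """Inverse of split_octets, for whoever consumes the accounting records."""
    return gigawords * GIGAWORD + octets


def parse_terminate_time(value: str, local_tz: tzinfo) -> datetime:
    """WISPr-Session-Terminate-Time: ISO 8601 YYYY-MM-DDThh:mm:ssTZD; no TZD means local time."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo is not None else ts.replace(tzinfo=local_tz)


class SessionPolicy:
    """Limits taken from an Access-Accept; every one of them is optional."""

    def __init__(self, accept: dict, local_tz: tzinfo = timezone.utc):
        self.session_timeout = accept.get("Session-Timeout")
        self.idle_timeout = accept.get("Idle-Timeout")
        self.max_input = accept.get("ChilliSpot-Max-Input-Octets")
        self.max_output = accept.get("ChilliSpot-Max-Output-Octets")
        self.max_total = accept.get("ChilliSpot-Max-Total-Octets")
        tt = accept.get("WISPr-Session-Terminate-Time")
        self.terminate_at = parse_terminate_time(tt, local_tz) if tt else None


class Session:
    def __init__(self, policy: SessionPolicy, started: datetime):
        self.policy = policy
        self.started = started
        self.last_activity = started
        self.input_octets = 0   # received from the client (Acct-Input-Octets direction)
        self.output_octets = 0  # transmitted to the client (Acct-Output-Octets direction)

    def account(self, now: datetime, from_client: int = 0, to_client: int = 0) -> None:
        """Called by the forwarding path; any traffic resets the idle clock."""
        self.input_octets += from_client
        self.output_octets += to_client
        if from_client or to_client:
            self.last_activity = now

    def check(self, now: datetime) -> Optional[Tuple[int, str]]:
        """Return (Acct-Terminate-Cause, reason) when the session must end, else None."""
        p = self.policy
        elapsed = (now - self.started).total_seconds()
        idle = (now - self.last_activity).total_seconds()
        if p.terminate_at is not None and now >= p.terminate_at:
            return SESSION_TIMEOUT, "WISPr-Session-Terminate-Time reached"
        if p.session_timeout is not None and elapsed >= p.session_timeout:
            return SESSION_TIMEOUT, "Session-Timeout reached"
        if p.idle_timeout is not None and idle >= p.idle_timeout:
            return IDLE_TIMEOUT, "Idle-Timeout reached"
        if p.max_input is not None and self.input_octets >= p.max_input:
            return NAS_REQUEST, "ChilliSpot-Max-Input-Octets reached"
        if p.max_output is not None and self.output_octets >= p.max_output:
            return NAS_REQUEST, "ChilliSpot-Max-Output-Octets reached"
        if p.max_total is not None and self.input_octets + self.output_octets >= p.max_total:
            return NAS_REQUEST, "ChilliSpot-Max-Total-Octets reached"
        return None

    def acct_stop(self, now: datetime, cause: int) -> dict:
        """Attributes of the Accounting-Request Stop record, with the counters split."""
        in_gw, in_oct = split_octets(self.input_octets)
        out_gw, out_oct = split_octets(self.output_octets)
        return {
            "Acct-Status-Type": 2,
            "Acct-Session-Time": int((now - self.started).total_seconds()),
            "Acct-Input-Octets": in_oct, "Acct-Input-Gigawords": in_gw,
            "Acct-Output-Octets": out_oct, "Acct-Output-Gigawords": out_gw,
            "Acct-Terminate-Cause": cause,
        }
```

The order of the checks is deliberate: an absolute terminate time and the session timeout are checked before the idle timeout so that a busy client cannot keep a session alive past its allotted end, and quotas are compared with >= so that a counter that wraps past exactly 2^32 bytes is still caught once Gigawords are folded back in.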

Access Points

We do not recommend access points from any particular vendor. For UAM just about any access point will do.

If you want to support WPA you need an access point which supports this. ChilliSpot was tested with access points from Cisco and Proxim for the WPA functionality.

Wireless Client

The wireless client can be just about any device which has a WLAN PC card or built-in wireless LAN. You should look for a client which is Wi-Fi compatible.

For UAM the client needs to have a web browser. Examples of wireless clients without a web browser include embedded devices and some WLAN VoIP phones.

For WPA you need a client which supports this. This needs to be supported by both the WLAN PC card as well as the operating system. Microsoft provides a WPA package for Windows XP.

Software Architecture

The primary platform for ChilliSpot is Linux, but it should also be possible to compile the software on other POSIX-compliant platforms: FreeBSD, OpenBSD, Solaris and even Apple OS X.

The main design goals of ChilliSpot were stability, portability and scalability. This resulted in the following design choices:

   Programmed in (ANSI) C to improve portability to other platforms.
   Concurrency is implemented with a single select() loop, which keeps the code portable while still achieving high throughput. A client process is created whenever an HTTP authentication request from a client is received.
   The application was developed in user space only. This gives good portability at the cost of performance; performance can be increased by moving user-plane handling into kernel space.
   Conservative handling of memory allocation and error checking. This helps stability, and should be optimised for performance at a later stage.


Chilli Manual

NAME chilli - A Wireless LAN Access Point Controller (chillispot.info)


SYNOPSIS chilli --help

chilli --version

chilli

[ --fg ] [ --debug ] [ --conf file ] [ --interval seconds ] [ --pidfile file ] [ --statedir path ] [ --net net ] [ --dynip net ] [ --statip net ] [ --dns1 host ] [ --dns2 host ] [ --domain domain ] [ --ipup script ] [ --ipdown script ] [ --conup script ] [ --condown script ] [ --radiuslisten host ] [ --radiusserver1 host ] [ --radiusserver2 host ] [ --radiusauthport port ] [ --radiusacctport port ] [ --radiussecret secret ] [ --radiusnasid id ] [ --radiusnasip host ] [ --radiuscalled name ] [ --radiuslocationid id ] [ --radiuslocationname name ] [ --radiusnasporttype type ] [ --coaport port ] [ --coanoipcheck ] [ --proxylisten host ] [ --proxyport port ] [ --proxyclient host ] [ --proxysecret secret ] [ --confusername username ] [ --confpassword password ] [ --dhcpif dev ] [ --dhcpmac address ] [ --lease seconds ] [ --eapolenable ] [ --uamserver url ] [ --uamhomepage url ] [ --uamsecret secret ] [ --uamlisten host ] [ --uamport port ] [ --uamallowed domain ] [ --uamanydns ] [ --macauth ] [ --macallowed mac ] [ --macsuffix suffix ] [ --macpasswd password ]


DESCRIPTION chilli is a Wireless LAN HotSpot Controller. It supports two different access methods for a Wireless LAN HotSpot: Universal Access Method (UAM) and Wi-Fi Protected Access (WPA).

chilli has three major interfaces: A downlink interface for accepting connections from clients, a radius interface for authenticating clients and an uplink network interface for forwarding traffic to other networks.

Authentication of clients is performed by an external radius server. For UAM the CHAP-Challenge and CHAP-Password attributes specified by RFC 2865 are used. For WPA the radius EAP-Message attribute defined in RFC 2869 is used. The attributes described in RFC 2548 are used for transferring encryption keys from the radius server to chilli. The radius interface also supports accounting.

The downlink interface accepts DHCP and ARP requests from clients. The client can be in two states: Unauthenticated and authenticated. In unauthenticated state web requests from the client are redirected to an authentication web server.

In a typical application unauthenticated clients will be forwarded to a web server and prompted for username and password. The web server forwards the user credentials to chilli by means of redirecting the web browser to chilli. A received authentication request is forwarded to a radius server. If authentication is successful the state of the client is changed to authenticated. This authentication method is known as Universal Access Method (UAM).

As an alternative to UAM the access points can be configured to authenticate clients using Wi-Fi Protected Access (WPA). In this case the authentication credentials are forwarded from the access point to chilli using the radius protocol; chilli proxies the received radius request on to the radius server.

The uplink interface is implemented by using the TUN/TAP driver. When chilli is started a tun interface is established, and optionally an external configuration script is called.

Runtime errors are reported using the syslogd (8) facility.


OPTIONS

--help

   Print help and exit.

--version

   Print version and exit.

--fg

   Run in foreground (default = off)

--debug

   Run in debug mode (default = off)

--conf file

   Read configuration file (default = /etc/chilli.conf) where each line corresponds to one command line option, but with the leading '--' removed. Command line options override the options given in the configuration file.

--interval seconds

   Re-read configuration file and do DNS lookups every interval seconds. This has the same effect as sending the HUP signal. If interval is 0 (zero) this feature is disabled.

--pidfile file

   Filename of process id file (default = /var/run/chilli.pid)

--statedir path

   Path to the directory of nonvolatile data (default = /var/lib/chilli/)

--net net

   Network address of the uplink interface (default = 192.168.182.0/24). The network address is set during initialisation when chilli establishes a tun device for the uplink interface. The network address is specified as either <address>/<netmask> (192.168.182.0/255.255.255.0) or <address>/<prefix> (192.168.182.0/24).

--dynip net

   Dynamic IP address pool. Specifies a pool of dynamic IP addresses. If this option is omitted the network address specified by the net option is used for dynamic IP address allocation. See the net option for a description of the network address format.

--statip net

   Static IP address pool. Specifies a pool of static IP addresses. With static address allocation the IP address of the client can be specified by the radius server. Static address allocation can be used for both MAC authentication and Wi-Fi Protected Access.

--dns1 host

   DNS Server 1. It is used to inform the client about the DNS address to use for host name resolution. If this option is not given the system primary DNS is used.

--dns2 host

   DNS Server 2. It is used to inform the client about the DNS address to use for host name resolution. If this option is not given the system secondary DNS is used.

--domain domain

   Domain name. It is used to inform the client about the domain name to use for DNS lookups.

--ipup script

   Script executed after the tun network interface has been brought up. Executed with the following parameters: <devicename> <ip address> <mask>

--ipdown script

   Script executed after the tun network interface has been taken down. Executed with the following parameters: <devicename> <ip address> <mask>

--conup script

   Script executed after a user has been authenticated. Executed with the following parameters: <devicename> <ip address> <mask> <user ip address> <user mac address> <filter ID>

--condown script

   Script executed after a user has logged off. Executed with the following parameters: <devicename> <ip address> <mask> <user ip address> <user mac address> <filter ID>

--radiuslisten host

   Local interface IP address to use for the radius interface. This option also determines the value for the NAS-IP-Address radius attribute. If radiuslisten is omitted then the NAS-IP-Address attribute will be set to "0.0.0.0" and the source IP address of the radius requests will be determined by the operating system routing tables.

--radiusserver1 host

   The IP address of radius server 1 (default=rad01.hotradius.com).

--radiusserver2 host

   The IP address of radius server 2 (default=rad02.hotradius.com).

--radiusauthport port

   The UDP port number to use for radius authentication requests (default=1812).

--radiusacctport port

   The UDP port number to use for radius accounting requests (default=1813).

--radiussecret secret

   Radius shared secret for both servers (default=testing123). Change this secret: the default is public, and anyone who knows the secret and can reach the radius path can forge Access-Accept replies and recover the passwords and MPPE keys that are obscured with it.

--radiusnasid id

   Network access server identifier (default=nas01).

--radiusnasip host

   IP address to report in NAS-IP-Address attribute. Defaults to the IP address specified by the radiuslisten option.

--radiuscalled name

   Name to report in Called-Station-ID attribute. Defaults to mac address of wireless interface which can be specified by the dhcpmac option.

--radiuslocationid id

   WISPr Location ID. Should be in the format: isocc=<ISO_Country_Code>, cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>. This parameter is further described in the document: Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1, Feb 2003.

--radiuslocationname name

   WISPr Location Name. Should be in the format: <HOTSPOT_OPERATOR_NAME>,<LOCATION>. This parameter is further described in the document: Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1, Feb 2003.

--radiusnasporttype type

   Value of NAS-Port-Type attribute. Defaults to 19 (Wireless-IEEE-802.11).

--coaport port

   UDP port to listen to for accepting radius disconnect requests.

--coanoipcheck

   If this option is given no check is performed on the source IP address of radius disconnect requests. Otherwise it is checked that radius disconnect requests originate from radiusserver1 or radiusserver2.

--proxylisten host

   Local interface IP address to use for accepting radius requests.

--proxyport port

   UDP Port to listen to for accepting radius requests.

--proxyclient host

   IP address from which radius requests are accepted. If omitted the server will not accept radius requests.

--proxysecret secret

   Radius shared secret for clients. If not specified it defaults to radiussecret.

--confusername username

   If confusername is specified together with confpassword, chillispot will query the radius server for configuration information at the regular intervals given by the interval option. The reply from the radius server must have the Service-Type attribute set to ChilliSpot-Authorize-Only in order to have any effect. Currently ChilliSpot-UAM-Allowed, ChilliSpot-MAC-Allowed and ChilliSpot-Interval are supported. These attributes override the uamallowed, macallowed and interval options respectively.

--confpassword password

   See under the confusername option.

--dhcpif dev

   Ethernet interface to listen to for the downlink interface. This option must be specified.

--dhcpmac address

   MAC address to listen to. If not specified the MAC address of the interface will be used. The MAC address should be chosen so that it does not conflict with other addresses on the LAN. An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls within the IANA range of addresses and is not allocated for other purposes.
   The --dhcpmac option can be used together with access filters in the access points, or with access points that support forwarding packets to a specific MAC address. This makes it possible to separate access point management traffic from user traffic at the MAC level, for improved system security.
   The --dhcpmac option puts the interface in promiscuous mode.

--lease seconds

   Use a DHCP lease of seconds (default = 600).

--eapolenable

   If this option is given IEEE 802.1X authentication is enabled. ChilliSpot will listen for EAP authentication requests on the interface specified by --dhcpif. EAP messages received on this interface are forwarded to the radius server.

--uamserver url

   URL of web server to use for authenticating clients.

--uamhomepage url

   URL of homepage to redirect unauthenticated users to. If not specified this defaults to uamserver.

--uamsecret secret

   Shared secret between uamserver and chilli. This secret should be set in order not to compromise security.

--uamlisten host

   IP address to listen to for authentication of clients. If an unauthenticated client tries to access the Internet she will be redirected to this address.

--uamport port

   TCP port to bind to for authenticating clients (default = 3990). If an unauthenticated client tries to access the Internet she will be redirected to this port on the --uamlisten IP address.

--uamallowed domain

   Comma separated list of domain names, IP addresses or network segments the client can access without first authenticating. Example:
   --uamallowed http://www.chillispot.info,10.11.12.0/24
   This option is useful for access to a credit card payment gateway, for access to community and other free information, and for access to a company VPN server without first having to log in to the HotSpot.
   ChilliSpot resolves the domain names to a set of IP addresses during startup (and again on HUP or every interval seconds). Some big sites return different IP addresses on each lookup; such domains cannot be reliably allowed with this option.
   It is possible to specify the uamallowed option several times. This is useful if many domain names have to be specified.

--uamanydns

   Allow any DNS server. Normally unauthenticated clients are only allowed to communicate with the DNS servers specified by the dns1 and dns2 options. If the uamanydns option is given ChilliSpot will allow the client to use all DNS servers. This is convenient for clients which are configured to use a fixed set of DNS servers, but it means any host reachable on UDP port 53 is reachable by unauthenticated clients. For security reasons this option should be combined with a destination NAT firewall rule which forwards all DNS requests to a given DNS server.

--macauth

   If this option is given ChilliSpot will try to authenticate all users based on their mac address alone. The User-Name sent to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the macauth option is specified the macallowed option is ignored.

--macallowed mac

   List of MAC addresses for which MAC authentication will be performed. Example:
   --macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9
   The User-Name sent to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the macauth option is specified the macallowed option is ignored.
   It is possible to specify the macallowed option several times. This is useful if many MAC addresses have to be specified.

--macsuffix suffix

   Suffix to add to the MAC address in order to form the User-Name, which is sent to the radius server.

--macpasswd password

   Password used when performing MAC authentication. (default = password)
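An added Python example (not ChilliSpot code) of the two integrity checks that the Message-Authenticator row in the attribute table and the --radiussecret option rely on: the HMAC-MD5 Message-Authenticator of RFC 2869 on an Access-Request, and the RFC 2865 Response Authenticator on the reply, which chilli must verify against the request it actually sent before trusting an Access-Accept. It also shows why the default secret matters: given one captured request/response pair, recover_secret tries candidate secrets entirely offline. Attribute and code numbers are from the table and RFC 2865; the packets built here are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 3, 4, 18
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 60, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then the 16-byte Authenticator


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")  # never trust the length byte
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def _packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def _message_authenticator_offset(pkt: bytes) -> Optional[int]:
    """Offset of the 16-byte Message-Authenticator value inside pkt, or None."""
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            return None
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            return i + 2
        i += l
    return None


def build_access_request(ident: int, attrs, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request with a random Request Authenticator and an HMAC-MD5
    Message-Authenticator (RFC 2869) computed over the packet with that value zeroed."""
    request_auth = request_auth or secrets.token_bytes(16)
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = _packet(ACCESS_REQUEST, ident, request_auth, body)
    pos = _message_authenticator_offset(pkt)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:pos] + mac + pkt[pos + 16:]


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    pos = _message_authenticator_offset(pkt)
    if pos is None:
        return False
    zeroed = pkt[:pos] + bytes(16) + pkt[pos + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                               pkt[pos:pos + 16])


def build_response(code: int, request: bytes, attrs, secret: bytes) -> bytes:
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    head = HEADER.pack(code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What chilli must do before trusting a reply: check length, identifier match,
    and the Response Authenticator against the Request Authenticator it sent."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if HEADER.unpack(response[:4])[2] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def recover_secret(request: bytes, response: bytes, candidates) -> Optional[bytes]:
    """Offline guessing against one captured exchange: each candidate is checked without
    contacting the server, which is why a guessable secret such as testing123 is fatal."""
    for c in candidates:
        if verify_response(response, request, c):
            return c
    return None
```

Note that the Message-Authenticator protects the Access-Request against tampering but only if the receiver actually checks it, and that neither check protects against an attacker who knows the secret: the shared secret is the entire trust between chilli and the radius server, so it should be long and random and the radius traffic should not cross networks the clients can reach.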


FILES /etc/chilli.conf

   The configuration file for chilli. 

/var/run/chilli.pid

   Process ID file. 


SIGNALS Sending HUP to chilli causes the configuration file to be re-read and DNS lookups to be performed. The following options are not affected by HUP and can only be changed by restarting the daemon: [ --fg ] [ --conf file ] [ --pidfile file ] [ --statedir path ] [ --net net ] [ --dynip net ] [ --statip net ] [ --uamlisten host ] [ --uamport port ] [ --radiuslisten host ] [ --coaport port ] [ --coanoipcheck ] [ --proxylisten host ] [ --proxyport port ] [ --proxyclient host ] [ --proxysecret secret ] [ --dhcpif dev ] [ --dhcpmac address ] [ --lease seconds ] [ --eapolenable ]
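An added Python example (not ChilliSpot code) that reads a chilli.conf in the format the --conf option describes (one option per line without the leading --), applies command-line overrides the way the manual says they take precedence, and reports the settings the manual itself warns about: the default radiussecret, a missing uamsecret, uamanydns, coanoipcheck, the default rad0x.hotradius.com servers, a missing dhcpif, and the default macpasswd when MAC authentication is on. Treating lines that start with # as comments and the 16-character minimum secret length are this example's assumptions; SAMPLE_CONF is a constructed file, not a real deployment.

```python
import secrets
from typing import Dict, List

# Options that take no argument, per the SYNOPSIS above
FLAGS = {"fg", "debug", "coanoipcheck", "uamanydns", "macauth", "eapolenable",
         "help", "version"}
DEFAULT_SECRET = "testing123"  # default radiussecret from the manual
DEFAULT_SERVERS = {"rad01.hotradius.com", "rad02.hotradius.com"}
DEFAULT_MACPASSWD = "password"

SAMPLE_CONF = """\
# constructed sample chilli.conf for this example (not a real deployment)
radiusserver1 rad01.hotradius.com
radiusserver2 rad02.hotradius.com
radiussecret testing123
dhcpif eth1
uamserver https://login.example.net/hotspotlogin.cgi
uamallowed www.example.org,10.11.12.0/24
uamallowed payments.example.net
uamanydns
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """One option per line, without the leading '--', optionally followed by its value.
    Lines starting with '#' are skipped (assumption). Repeated options accumulate."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return cfg


def merge_argv(cfg: Dict[str, List[str]], argv: List[str]) -> Dict[str, List[str]]:
    """Command line options override the file; accepts --opt value and --opt=value."""
    merged = {k: list(v) for k, v in cfg.items()}
    seen = set()
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected argument {tok!r}")
        opt, eq, val = tok[2:].partition("=")
        if not eq and opt not in FLAGS:
            i += 1
            if i >= len(argv):
                raise ValueError(f"--{opt} needs a value")
            val = argv[i]
        if opt in seen:
            merged[opt].append(val)  # repeated on the command line: accumulate
        else:
            merged[opt] = [val]      # first occurrence replaces the file's value
            seen.add(opt)
        i += 1
    return merged


def audit(cfg: Dict[str, List[str]]) -> List[str]:
    """Short finding codes for settings the manual flags as insecure or mandatory."""
    findings = []
    secret = cfg.get("radiussecret", [DEFAULT_SECRET])[-1]
    if secret == DEFAULT_SECRET:
        findings.append("default-radiussecret")
    elif len(secret) < 16:
        findings.append("short-radiussecret")  # threshold is this example's recommendation
    if not cfg.get("uamsecret", [""])[-1]:
        findings.append("no-uamsecret")
    if "uamanydns" in cfg:
        findings.append("uamanydns")           # only safe with a DNAT rule for port 53
    if "coanoipcheck" in cfg:
        findings.append("coanoipcheck")        # disconnect requests accepted from anywhere
    if "dhcpif" not in cfg:
        findings.append("no-dhcpif")           # the manual says this option is mandatory
    servers = [cfg.get("radiusserver1", ["rad01.hotradius.com"])[-1],
               cfg.get("radiusserver2", ["rad02.hotradius.com"])[-1]]
    if any(s in DEFAULT_SERVERS for s in servers):
        findings.append("default-radiusserver")
    if ("macauth" in cfg or "macallowed" in cfg) and \
            cfg.get("macpasswd", [DEFAULT_MACPASSWD])[-1] == DEFAULT_MACPASSWD:
        findings.append("default-macpasswd")
    return findings


def suggest_secret() -> str:
    """A replacement radiussecret/uamsecret of the kind the audit will accept."""
    return secrets.token_urlsafe(24)
```

Run audit(parse_conf(open("/etc/chilli.conf").read())) on a real host before exposing the HotSpot; note that radiussecret and uamsecret given on the command line are visible to every local user through the process list, so the configuration file (with restrictive permissions) is the better place for them.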


SEE ALSO syslogd(8)


NOTES

Please see the ChilliSpot project homepage at www.chillispot.info for further documentation and community support.

Besides the long options documented in this man page chilli also accepts a number of short options with the same functionality. Use chilli --help for a full list of all the available options.

The TUN/TAP driver is required for proper operation of chilli. For Linux kernels later than 2.4.7 the TUN/TAP driver is included in the kernel, but typically needs to be loaded manually with modprobe tun. For automatic loading the line alias char-major-10-200 tun can be added to /etc/modules.conf. For other platforms see http://vtun.sourceforge.net/tun/ for information on how to install and configure the tun driver.


COPYRIGHT

Copyright (C) 2002, 2003, 2004 by Mondru AB.

Downloads

File: Chillispot-1.1.0.tar.gz

Sources:

http://www.chillispot.info

New implementation: http://coova.org

Other products:

- NoCatNet http://nocat.net/

- WiFiDog http://dev.wifidog.org/