DaloRADIUS - Captive Portal Setup
daloRADIUS ships with captive portal pages for CoovaChilli (and Chillispot) and supports those only. It also provides a PHP version of the captive portal pages, suitable for deployment on a LAMP-based install, and introduces a templating system for the portal pages that makes it easy and convenient for businesses to modify the pages and customize them to their needs.
Project's References:
1. Wifidog: http://dev.wifidog.org
2. NoCatAuth: http://nocat.net
3. Chillispot: http://chillispot.info
4. CoovaChilli: http://coova.org/CoovaChilli
Outlined below are the steps to take on an Ubuntu or other Debian-based Linux distribution. (While the document refers to CoovaChilli, most if not all configuration examples are relevant to Chillispot as well, so CoovaChilli and Chillispot are interchangeable in the scope of this document.)
1. Get the latest release of daloRADIUS ( >= 0.9-8 ) and unpack the tar.gz package to a local directory.
2. Copy the hotspotlogin directory from contrib/chilli/portal2 (found in the top-level directory of the daloRADIUS package) to the web-accessible directory of your choice. For the example throughout this document we will use /var/www/dalohosting/hotspotlogin/
3. Adjust file permissions for the web server user and group.
4. CoovaChilli (and Chillispot) communicates with the (remote) portal pages over SSL, and the CoovaChilli directive that is required in CoovaChilli's configuration is:
5. To configure the hotspotlogin directory, specify the uamsecret that was set previously in the CoovaChilli configuration. Use the editor of your choice to edit the file /var/www/dalohosting/hotspotlogin/hotspotlogin.php and set the uamsecret variable at the beginning of the file accordingly:

    # Shared secret used to encrypt challenge with. Prevents dictionary attacks.
    # You should change this to your own shared secret.
    $uamsecret = "mysecretuampassword";

Information regarding these parameters and others is available through CoovaChilli's homepage, forums, mailing list and documentation. In the given example, the hotspotlogin directory is accessible from that example domain. Make sure that a good shared secret is used for the uamsecret directive, and that it is identical in both the hotspotlogin files and the CoovaChilli configuration files.
6. The hotspotlogin directory must be served by the web server at the exact location set in CoovaChilli's uamserver definition. To achieve this we define a VirtualHost entry (explaining every other possible way of doing so is beyond the scope of this document; use Apache's references). Enabling SSL support in Apache:
    apt-get install ssl-cert
    mkdir /etc/apache2/ssl
    /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
    a2enmod ssl && /etc/init.d/apache2 restart
While this isn't an Apache guide, the steps above should be sufficient to add SSL support to an already installed apache2 server. Next, add a VirtualHost file entry (assuming a NameVirtualHost entry for this domain already exists):

    <VirtualHost 1.1.1.1:443>
        ServerName www.example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/dalohosting/
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
Save the above file as /etc/apache2/sites-enabled/hotspotlogin-ssl, replacing the VirtualHost IP address of 1.1.1.1 with the correct settings and adjusting the other configuration options in the file. Then enable this site entry and restart/reload Apache:

    # a2ensite hotspotlogin-ssl
    # /etc/init.d/apache2 restart
It is a good idea to make sure the web server is configured to listen for SSL on the correct IP address as stated above. Take a look at /etc/apache2/ports.conf.
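The check below is an added example, not part of daloRADIUS or CoovaChilli: it confirms that the uamsecret from steps 4 and 5 is identical in hotspotlogin.php and the CoovaChilli configuration, is no longer the sample value shown in this guide, and is not world-readable. The two file paths passed in, the 16-character minimum, and the accepted directive forms (uamsecret <value> or HS_UAMSECRET=<value>) are assumptions.

```shell
#!/bin/sh
# Added example (not part of daloRADIUS): verify the uamsecret from steps 4 and 5.
# Assumed config syntax: "uamsecret <value>" (chilli.conf) or HS_UAMSECRET=<value>.

DEFAULT_SECRET='mysecretuampassword'  # sample value shown in this guide
MIN_LEN=16                            # assumed policy minimum, adjust as needed

# Print the last uncommented $uamsecret value assigned in hotspotlogin.php.
portal_secret() {
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*["'\'']\([^"'\'']*\)["'\''].*$/\1/p' "$1" | tail -n 1
}

# Print the last uncommented uamsecret value in the chilli configuration.
chilli_secret() {
    sed -n -e 's/^[[:space:]]*uamsecret[[:space:]=]\{1,\}\([^[:space:]]\{1,\}\).*$/\1/p' \
           -e 's/^[[:space:]]*HS_UAMSECRET=\([^[:space:]]\{1,\}\).*$/\1/p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Return 0 when clean, 1 on any finding, 2 when a secret cannot be read.
# Secret values are never printed.
check_uamsecret() {
    portal=$(portal_secret "$1")
    chilli=$(chilli_secret "$2")
    rc=0
    [ -n "$portal" ] || { echo "ERROR: no \$uamsecret assignment in $1"; return 2; }
    [ -n "$chilli" ] || { echo "ERROR: no uamsecret directive in $2"; return 2; }
    if [ "$portal" != "$chilli" ]; then
        echo "FAIL: portal and chilli secrets differ"; rc=1
    fi
    if [ "$portal" = "$DEFAULT_SECRET" ] || [ "$chilli" = "$DEFAULT_SECRET" ]; then
        echo "FAIL: documented sample secret still in use"; rc=1
    fi
    if [ "${#portal}" -lt "$MIN_LEN" ]; then
        echo "FAIL: secret shorter than $MIN_LEN characters"; rc=1
    fi
    # The PHP file holds the secret in clear text: flag the world-readable bit.
    if [ -n "$(find "$1" -prune -perm -0004)" ]; then
        echo "FAIL: $1 is world-readable"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_uamsecret.sh /path/to/hotspotlogin.php /path/to/chilli.conf
if [ "$#" -eq 2 ]; then check_uamsecret "$1" "$2"; fi
```

Run it after every change to either file; a non-zero exit status means the portal and CoovaChilli should not go live yet.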
Successful Login
Finally, once the captive portal pages have been installed and configured correctly on the remote web server, and CoovaChilli is running with the correct parameters on a NAS or a sandbox Linux system, a user who connects to the wireless network (wireless in most cases, at least) is allocated an IP address by the DHCP server run by CoovaChilli. At this point the user will open a browser and attempt to surf the Internet. Since CoovaChilli is configured to run as captive portal software, it intercepts the user's port 80 (web traffic) request and displays the configured captive portal page, as shown in the screenshot:
Feedback
We hope you enjoyed this tutorial and made the best of it. For comments and general feedback please contact us via email at [email protected]