Debian Wi-Fi hotspot using CoovaChilli, FreeRadius, MySQL and daloRADIUS

I decided to create a hotspot from my server to allow others to connect to the Internet for free. I used a “captive portal” solution based on these applications:

When somebody wants to connect to the Internet using my wifi, the first page he sees is the register/login page (whatever page he wants to visit).
After registration/login he is able to connect to the Internet.

So let’s see how I did it.

Let’s have one server with two network interfaces – first (eth0) goes to Internet, the second one (eth1) is the wifi for “unknown” clients.



Install basic software:

aptitude install mysql-server phpmyadmin freeradius freeradius-utils freeradius-mysql apache2 php-pear php-db
a2enmod ssl
a2ensite default-ssl
service apache2 restart
cd /tmp && wget 'http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz'
tar xvzf daloradius-0.9-8.tar.gz
mv /tmp/daloradius-0.9-8 /var/www/daloradius
chown -R www-data:www-data /var/www/daloradius
cp -r /var/www/daloradius/contrib/chilli/portal2/* /var/www/
rm /var/www/index.html

Because my machine is 64-bit, I need to build the CoovaChilli package myself:

aptitude --assume-yes install dpkg-dev debhelper libssl-dev
cd /tmp
wget -c http://ap.coova.org/chilli/coova-chilli-1.2.2.tar.gz
tar xzf coova-chilli*.tar.gz
cd coova-chilli*
dpkg-buildpackage -rfakeroot

Install CoovaChilli:

cd ..
dpkg -i coova-chilli_*_amd64.deb

Configure FreeRadius

Change /etc/freeradius/clients.conf:

client 127.0.0.1 {
 secret     = mysecret
}

Change /etc/freeradius/sql.conf:

        server = "localhost"
        login = "root"
        password = "xxxx"

Uncomment in /etc/freeradius/sites-available/default:

authorize {
          sql
}

accounting {
         sql
}

Uncomment in /etc/freeradius/radiusd.conf:

       $INCLUDE sql.conf

Configure MySQL database for FreeRadius

mysql -u root --password=xxxx
mysql> CREATE DATABASE radius;
mysql> exit

mysql -u root --password=xxxx radius < /var/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

daloRADIUS configuration

Modify this file /var/www/daloradius/library/daloradius.conf.php

$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = 'mysecret';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

You also need to modify the following configuration files to set up the sign-in web pages, /var/www/signup-*/library/daloradius.conf.php:

$configValues['CONFIG_DB_PASS'] = 'xxxx';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_SIGNUP_SUCCESS_MSG_LOGIN_LINK'] = "<br />Click <b>here</b>".
                                        " to return to the Login page and start your surfing<br /><br />";

Change the lines in /var/www/signup*/index.php to the following (‘User-Password’ changed to ‘Cleartext-Password’ and ‘==’ to ‘:=’):

  $sql = "INSERT INTO ".$configValues['CONFIG_DB_TBL_RADCHECK']." (id, Username, Attribute, op, Value) ".
                                        " VALUES (0, '$username', 'Cleartext-Password', ':=', '$password')";

Another file that needs to be modified to communicate with CoovaChilli is /var/www/hotspotlogin/hotspotlogin.php:

$uamsecret = "uamsecret";

Now you should be able to reach the daloRADIUS installation at http://127.0.0.1/daloradius/ with the default credentials:

username: administrator
password: radius

Routing

We should not forget to enable packet forwarding and set up NAT:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
sed --in-place=.old 's/^#\(net.ipv4.ip_forward=1\)/\1/' /etc/sysctl.conf
sysctl -p

CoovaChilli configuration

Let’s start with /etc/chilli/defaults:

HS_NETWORK=192.168.10.0
HS_UAMLISTEN=192.168.10.1

HS_RADSECRET=mysecret
HS_UAMSECRET=uamsecret
HS_UAMFORMAT=https://\$HS_UAMLISTEN/hotspotlogin/hotspotlogin.php
HS_UAMHOMEPAGE=https://\$HS_UAMLISTEN

Then don’t forget to enable CoovaChilli to start in /etc/default/chilli:

START_CHILLI=1

You may need to run chilli and the RADIUS server with debug options to see “errors” during client connection:

chilli --fg --debug
freeradius -X
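
The how-to repeats two shared secrets across four files: the RADIUS secret (clients.conf, HS_RADSECRET, daloradius.conf.php) and the UAM secret (HS_UAMSECRET, hotspotlogin.php). The shell check below is an added example, not part of the original how-to or of any of these projects; it compares the copies without printing them and flags empty or published example values. The function names and the one-line formats it parses are assumptions based on the snippets above.

```shell
#!/bin/sh
# Added example (not from the original how-to): cross-check the shared secrets
# that the article sets in four files. Parsing assumes the simple one-line
# "key = value" forms shown in the article's snippets.

# Print the value of the first uncommented assignment to key $1 (a BRE) in file $2.
# Limitation: a value containing ';' or '#' is cut at that character.
get_value() {
    grep -- "^[[:space:]]*${1}[[:space:]]*=" "$2" 2>/dev/null | head -n 1 |
        sed "s/^[^=]*=[[:space:]]*//; s/[[:space:]]*[;#].*\$//; s/^[\"']//; s/[\"']\$//"
}

# $1 clients.conf  $2 chilli defaults  $3 daloradius.conf.php  $4 hotspotlogin.php
# Prints one line per finding (never the secret itself); returns the finding count.
check_hotspot_secrets() {
    findings=0
    rad_srv=$(get_value 'secret' "$1")      # first client block only (assumption)
    rad_nas=$(get_value 'HS_RADSECRET' "$2")
    rad_dalo=$(get_value '\$configValues\[.CONFIG_MAINT_TEST_USER_RADIUSSECRET.]' "$3")
    uam_nas=$(get_value 'HS_UAMSECRET' "$2")
    uam_web=$(get_value '\$uamsecret' "$4")

    if [ "$rad_srv" != "$rad_nas" ]; then
        echo "MISMATCH: RADIUS secret in $1 differs from HS_RADSECRET in $2"
        findings=$((findings + 1))
    fi
    if [ "$rad_srv" != "$rad_dalo" ]; then
        echo "MISMATCH: RADIUS secret in $1 differs from the test secret in $3"
        findings=$((findings + 1))
    fi
    if [ "$uam_nas" != "$uam_web" ]; then
        echo "MISMATCH: HS_UAMSECRET in $2 differs from \$uamsecret in $4"
        findings=$((findings + 1))
    fi
    # mysecret/uamsecret are this article's placeholders; testing123 is the
    # secret in FreeRADIUS's stock clients.conf.
    for pair in "RADIUS:$rad_srv" "UAM:$uam_nas"; do
        case ${pair#*:} in
            ''|mysecret|uamsecret|testing123)
                echo "WEAK: ${pair%%:*} secret is empty or a published example value"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Write constructed sample files in the article's formats into directory $1.
# $2 = secret for clients.conf and daloRADIUS, $3 = HS_RADSECRET, $4 = UAM secret
make_samples() {
    printf 'client 127.0.0.1 {\n secret     = %s\n}\n' "$2" > "$1/clients.conf"
    printf 'HS_RADSECRET=%s\nHS_UAMSECRET=%s\n' "$3" "$4" > "$1/defaults"
    printf "\$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = '%s';\n" "$2" \
        > "$1/daloradius.conf.php"
    printf '$uamsecret = "%s";\n' "$4" > "$1/hotspotlogin.php"
}

# Dry run on constructed files holding the article's own values: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d" mysecret mysecret uamsecret
    check_hotspot_secrets "$d/clients.conf" "$d/defaults" \
        "$d/daloradius.conf.php" "$d/hotspotlogin.php"
    echo "findings: $?"
    rm -rf "$d"
fi
```

On the server from this how-to, the four arguments would be /etc/freeradius/clients.conf, /etc/chilli/defaults, /var/www/daloradius/library/daloradius.conf.php and /var/www/hotspotlogin/hotspotlogin.php.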

A few links we created:

  • http://192.168.10.1/signup-free/ – sign up page (if you don’t have username/password)
  • http://192.168.10.1:3990/prelogin – use for login to your portal
  • http://192.168.10.1/daloradius/ – daloradius admin page
  • http://192.168.10.1/phpmyadmin/ – phpmyadmin page (useful for sql database)

This how-to describes a simple configuration of CoovaChilli, so there are many more things to configure. I didn’t mention anything about security, so it’s up to you to tweak it yourself.

You can find additional info on this web page:

https://help.ubuntu.com/community/WifiDocs/CoovaChilli

Enjoy… ;-)

  1. jonathan
    April 5th, 2010 at 03:36

    hi,

    I get the error

    redir.c: 1121: 98 (Address already in use) IP: 192.168.10.1 Port: 3990 – Waiting for retry.
    in chilli and
    Failed binding to socket: Address already in use
    /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
    in radius

    please help

    Thank you very much for your time.

  2. April 6th, 2010 at 08:40

    It looks like some process is using ports 3990 and 1812.
    Try netstat (netstat -onatpe) to see what the process PID is and kill it.
    Then it should be fine…

  3. April 24th, 2010 at 16:04

    Me too… the same message.

    redir.c: 1121: 98 (Address already in use) IP: 192.168.10.1 Port: 3990 – Waiting for retry.

    The process is OK…
    What happens?

  4. Matt H
    May 24th, 2010 at 17:09

    Same error here too:
    redir.c: 1121: 98 (Address already in use) IP: 10.0.7.1 Port: 3990 – Waiting for retry.

  5. chinna
    June 2nd, 2010 at 11:56

    Dear all,
    I installed and configured using your steps properly. Lastly I tried to open a web browser using http://127.0.0.1/daloradius/ but I do not get any pages or username & password; it just goes to this page http://127.0.0.1/daloradius/login.php but it’s a blank page. Please guide me, anyone. I don’t know where I made a mistake.

  6. John Everett
    June 8th, 2010 at 17:13

    Thanks much for your documentation! Coova-Chilli has so little documentation. This is a great help.

    I notice that you have your wireless described as ‘eth1’? Is your “eth1” an ethernet adapter (with an external wireless bridge connected) or is it an actual wireless adapter in your Debian box? I can’t tell if your diagram is showing the Hotspot_Server’s eth1 *as* a wireless device, or *connected to* a wireless device.

    In my Debian box, the wireless adapter shows up as ath0 and it needs to be configured to work in AP mode (wlanconfig ath0 create wlandev wifi0 wlanmode ap; iwconfig ath0 essid MYNETWORK) before Coova-chilli can even start to see clients. What sort of interfaces and interface setup does your server have? If eth1 is indeed a wireless card, did you have to do anything to set it up (e.g. iwconfig wlan0 essid MYNETWORK; iwconfig wlan0 mode ap)?

    Also, your diagram shows the WiFi_Client as having address (eth0)192.168.10.1, which is the same address as the Hotspot_Server (eth1)192.168.10.1. Should the client have perhaps 192.168.10.2?

    Thanks again.

  7. June 10th, 2010 at 08:30

    Hi.

    In the examples above I used VirtualBox with emulated network cards. I used it because it doesn’t matter whether you use a wifi card or a network card connected to a switch with computers.
    In the real (wifi) situation I’m using wlan0 and the program hostapd on my server. Hostapd is creating an AP with WPA2 from my wireless card. You can also use iwconfig to set up AP mode (it usually depends on the wireless card you are using), but you can’t set up WPA with it.
    Thank you for letting me know about the picture. There’s a mistake there and I’ll fix it asap :-)

    See you

    PetrR

  8. Jim P
    June 17th, 2010 at 14:47

    Hello,

    I recently followed your tutorial and I am running into an odd issue. When I try to fire up chilli with the debug command, I get this output constantly:

    coova-chilli: Error opening configuration file '/etc/chilli/main.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/hs.conf'
    coova-chilli: Error opening configuration file '/etc/chilli/local.conf'
    coova-chilli[21354]: options.c: 174: could not generate configuration (/tmp/chilli-21354/config.bin), sleeping one second

    Any idea what I might have missed that can be causing this?

  9. Jim P
    June 17th, 2010 at 16:52

    @Jim P

    Nevermind! :) starting chilli via the init.d directory seemed to have resolved that issue.

  10. John Everett
    June 18th, 2010 at 17:44

    I had a similar problem. In order to get the debug/foreground options (--fg --debug) I had to add them to the start block of the chilli script in init.d.

    It came in handy too because when I switched from the instructions here (for eth0) to my wireless (ath0), the default MTU was too large for Coova Chilli and the debug output showed the problem for me to fix (with ifconfig ath0 mtu xxxx).

  11. chinna
    July 21st, 2010 at 14:08

    Same problem here. Can anyone help with what mistake I made? Also notice that “http://192.168.10.1:3990/prelogin – use for login to your portal” and the following links are not working. I don’t know where I made a mistake.

    coova-chilli: Error opening configuration file ‘/etc/chilli/main.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/hs.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/local.conf’
    coova-chilli[14423]: options.c: 174: could not generate configuration (/tmp/chilli-14423/config.bin), sleeping one second

    Please guide me anyone for this issue

  12. July 21st, 2010 at 16:36

    For users having the “could not generate config” error, create the full path of folders for your script. For example, if the error is could not generate /tmp/chilli-14423/config.bin, create the folders needed with mkdir -p /tmp/chilli-14423 and restart your service. This is necessary when your chilli tries to create configs in some folder that does not exist.

    After some errors I got it working well.

    Sorry for the poor English.

  13. joseph
    August 5th, 2010 at 12:13

    dear …

    please guide me …

    This link is not working; the other links are working fine:
    http://192.168.10.1:3990/prelogin – use for login to your portal

    I don’t know the reason. Anyone, help me.

  14. joseph
    August 5th, 2010 at 13:34

    hi..

    I type the following command as root user and I get this message. Please tell me how to solve this:

    radiusd: #### Opening IP addresses and Ports ####
    listen {
    type = “auth”
    ipaddr = *
    port = 0
    Failed binding to authentication address * port 1812: Address already in use
    /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

  15. Yogesh Patil
    August 17th, 2010 at 20:40

    Hi,
    I have followed all the steps you have given. I had success running everything locally on the Linux PC and it is also leasing IPs to the client, but I am not able to access any link, i.e. prelogin, daloradius etc. I am also not able to ping the server (i.e. the Chillispot PC).

    I have already seen that you said there is a need to tweak security settings. Please give the settings for allowing access from the client PC.

    Thanks

  16. August 19th, 2010 at 20:57

    You mentioned you created a few links. Where did you create the links? I assume they were on the Wireless Router and not the server??

  17. Admin
    October 17th, 2010 at 08:18

    hello …

    Anyone, help me. Same problem here.

    joseph
    August 5th, 2010 at 12:13
    dear …

    please guide me …

    This link is not working; the other links are working fine:
    http://192.168.10.1:3990/prelogin – use for login to your portal

    I don’t know the reason. Anyone, help me.

  18. Admin
    October 17th, 2010 at 08:19

    @joseph
    Same problem here help me any one

  19. Admin
    October 20th, 2010 at 13:23

    Can anyone tell me what my problem is?

    chilli status

    coova-chilli: Error opening configuration file ‘/etc/chilli/main.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/hs.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/local.conf’
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second
    coova-chilli: Error opening configuration file ‘/etc/chilli/main.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/hs.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/local.conf’
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second
    coova-chilli: Error opening configuration file ‘/etc/chilli/main.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/hs.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/local.conf’
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second
    coova-chilli: Error opening configuration file ‘/etc/chilli/main.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/hs.conf’
    coova-chilli: Error opening configuration file ‘/etc/chilli/local.conf’
    coova-chilli[9345]: options.c: 164: could not generate configuration (/var/run/chilli.9345.cfg.bin), sleeping one second

  20. October 20th, 2010 at 14:03

    Hello guys.

    I’m glad this “how-to” brings so much interest to CoovaChilli. Unfortunately I’m no longer using it and I’m not able to help you. As I wrote before, this is not a step-by-step how-to for beginners. It’s just a few notes I wrote when I configured/used it.

    Good luck…

    PetrR

  21. November 2nd, 2010 at 07:33

    This tutorial is fine,
    but I can’t understand why you use both (chilli & dalo) at a time?
    I think one is sufficient.

    http://ciitix.ciit.net.pk/index.php/ciitix-wifi-documentation

    Regards:
    .
    Kashif Aziz Awan

  22. November 2nd, 2010 at 11:50

    Hello.

    As far as I know daloRADIUS is just a web GUI, where you can see your users, their accesses, and dates/times. CoovaChilli is a captive portal solution. These two are separate projects and can be used standalone. They are doing different jobs too…

  23. aku82
    November 27th, 2010 at 19:03

    @Admin
    Have you used “sudo”?

  24. January 4th, 2011 at 15:57

    Yes, I am superuser (root). @aku82

  25. Flo
    January 12th, 2011 at 16:52

    Hello guys!
    (Sorry for the English, I’m French.)
    I have followed your howto step by step, but I get this message:
    “Enginx hotspot Login Failed”
    No pop-up, however the login/pwd is in the daloradius database.
    Can you help me?
    Thanks a lot.
    It’s for my internship (?)

  26. Luke
    January 14th, 2011 at 02:10

    Can someone please help me understand how i can do this on Centos 5? I need to create a server with freeradius that also has the login page for wifi users to get authenticated (like a paid hotspot)

  27. Mohammad Dashti
    January 14th, 2011 at 22:34

    Hi,

    First (answer to Flo), I should mention that in “CoovaChilli configuration” part,

    instead of

    HS_UAMHOMEPAGE=https://$HS_UAMLISTEN

    should be

    HS_UAMHOMEPAGE=http://$HS_UAMLISTEN:$HS_UAMPORT/prelogin

    —-
    but after performing all above operations, there is only one point left! When I enter my username/password in hotspotlogin page (from client machine), I see below result in freeradius debug output (from server machine):

    [sql] expand: %{User-Name} -> dashti
    [sql] sql_set_user escaped user –> ‘dashti’

    [pap] login attempt with password “�?c�??B_?�I?�?Z�”
    [pap] Using CRYPT encryption.
    [pap] Passwords don’t match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject
    +- entering group REJECT {…}
    [attr_filter.access_reject] expand: %{User-Name} -> dashti

    I also rechecked all secret words in mentioned configuration files.

    Any solution?

  28. February 23rd, 2011 at 02:37

    For anyone having trouble with this. I started a project awhile ago that creates deb packages (debian/ubuntu) that do all the hard work for you. It also includes a GUI for managing users. It still uses Coova Chilli, FreeRadius, MySQL, but does the hard work of integrating them for you.
    See http://sourceforge.net/projects/grase/ for details. There is a single deb to download that installs the repository, then you pull in the components you need and it sets it up accordingly. Please contact me if you are using it so I can keep you updated.

    Tim

  29. edwin
    March 22nd, 2011 at 15:17

    @Mohammad Dashti
    You might want to check the sql.conf where the user name and password for the database are. Make sure it matches the user name of the database you created. Example user:root password:yourdatabasepassword

  30. edwin
    March 22nd, 2011 at 15:20

    @Tim
    does the captive portal look the same or you made any change ?

  31. edwin
    March 22nd, 2011 at 15:23

    @Flo
    You need to do this before it works:
    sudo apt-get update
    then apt-get install upgrade
    Take a walk, come back in like half an hour, then reboot and check it out.

  32. edwin
    March 22nd, 2011 at 15:27

    @edwin
    sorry apt-get upgrade

  33. May 5th, 2011 at 06:42

    I have a client that is interested in setting up hotspots in 150 locations.
    It will be free access and the only thing that I have found is the monthly payment services.

    I would like to set up my own system. Do you have the know-how to do this and would you be available to work on this? If so, please contact me.

  34. Alvin Arnardu
    November 10th, 2011 at 15:18

    Guys, I just installed free rad using some of the above instructions and this is what I get. I am also not sure how the 192.168.10.1/.. pages are supposed to come up. I mean, do they just pop up or do I have to connect the AP? I’m a newbie, please explain:

    address: localhost! [Success]
    coova-chilli[18841]: options.c: 181: could not generate configuration (/usr/local/var/run/chilli.18841.cfg.bin), sleeping one second
    main-opt.c: 523: 0 (Debug) DHCP Listen: 10.1.0.1
    main-opt.c: 524: 0 (Debug) UAM Listen: 10.1.0.1
    garden.c: 143: 0 (Debug) Uamallowed http://www.coova.org
    garden.c: 124: 0 (Debug) Uamallowed IP address #0:128: proto=0 host=174.129.195.118 port=0
    garden.c: 143: 0 (Debug) Uamallowed 10.1.0.1
    garden.c: 124: 0 (Debug) Uamallowed IP address #1:128: proto=0 host=10.1.0.1 port=0
    garden.c: 143: 0 (Debug) Uamallowed
    garden.c: 207: 0 (Debug) Invalid uamallowed domain or address: !
    garden.c: 143: 0 (Debug) Uamallowed http://www.coova.org
    garden.c: 96: 0 (Debug) Uamallowed already exists #0:128: proto=0 host=174.129.195.118 port=0

  35. edwin
    November 19th, 2011 at 16:03

    Hey, sure I do. Email me at edwinosantos@gmail.com. Hope it’s not too late. @Joah Santos

  36. edwin
    November 22nd, 2011 at 19:03

    Joah Santos: I have a client that is interested in setting up hotspots in 150 locations.
    It will be free access and the only thing that I have found is the monthly payment services.
    I would like to set up my own system. Do you have the know-how to do this and would you be available to work on this? If so, please contact me.

    edwinosantos@gmail.com

  37. December 19th, 2011 at 08:26

    Install “haserl” for coovachilli

  38. December 27th, 2011 at 16:18

    Hi, I’ve gone through this walkthrough and I’m unable to authenticate clients and whatnot through the system. Getting the server to pass traffic from one interface to the other was challenging, but I’ve finally gotten data to be able to pass through the box and to the internet. Any help would be much appreciated. I know this appears to be a dead thread, but here is my email in case anyone wants to try and help me out.

    kyle_hoehn@hotmail.com

  39. Andy B
    February 26th, 2012 at 22:27

    Hi, this is my first foray into a hotspot/radius though I’m “reasonable” with linux (been a unix/linux admin for longer than I care to remember 8-).

    Having a problem with the radius server… daloradius is telling me that radius is disabled and the radius log file is showing: -

    Sun Feb 26 19:49:16 2012 : Info: Loaded virtual server inner-tunnel
    Sun Feb 26 19:49:16 2012 : Info: Loaded virtual server
    Sun Feb 26 19:49:16 2012 : Info: Ready to process requests.
    Sun Feb 26 19:49:17 2012 : Info: Received HUP signal.
    Sun Feb 26 19:49:17 2012 : Info: HUP – Re-reading configuration files
    Sun Feb 26 19:49:17 2012 : Info: HUP – loading modules
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “files”
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “suffix”
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “detail”
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “pap”
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “radutmp”
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “attr_filter.access_reject”
    Sun Feb 26 19:49:17 2012 : Info: Module: Reloaded module “attr_filter.accounting_response”
    Sun Feb 26 19:49:17 2012 : Info: Loaded virtual server inner-tunnel
    Sun Feb 26 19:49:17 2012 : Info: Loaded virtual server
    Sun Feb 26 21:03:26 2012 : Info: Exiting normally.
    Sun Feb 26 21:04:50 2012 : Error: Failed to add duplicate client 127.0.0.1
    Sun Feb 26 21:04:50 2012 : Error: /etc/freeradius/clients.conf[235]: Failed to add client 127.0.0.1

    I can’t for the life of me spot what’s causing the errors – any ideas?

    Thanks!

    Andy B.

  40. November 25th, 2012 at 16:03

    hello!

    Can we set up some MACs so that they will not have to log in and, as soon as they connect, will have immediate access?