Hi,
as per my other post I cannot confirm that setting the three parameters

eapolenable
coaport 3799
coanoipcheck

in /etc/chilli.conf enable WPA enterprise on their own. My Vista client still shows the Hotspot as 'Unsecured Network'. Some other configuration seems to be missing. 

Any other input/ideas anyone?

Cheers

*************


(2 replies, posted in Special Configurations)

Hi

I wish I could confirm that. But putting these parameters into the chilli.conf file alone did not create a WPA enabled wifi network on the router.
There must be something else.

Looking at the 'Features' tab of chillispot.info there are parameters called MS-MPPE-Send-Key and MS-MPPE-Recv-Key. That sounds more like it, as WPA requires some encryption key to be shared between both parties. Now, this can be preshared (not realistic in a hotspot scenario), or one would imagine that a radius server can pass an encryption key back to the user once she has identified herself as a valid user on the captive portal. That is the functionality one would expect, but I have not seen a decent description of how to implement this.

On the old chillispot.org forum there must have been entries on this topic. One can still find the pages in search engines, but of course the content is gone with the chillispot.org website.

Any ideas welcome...

Hi Andrew,
thanks for your reply. I have all this running now quite well, too.
The question about the freeradius setup was not aimed at the WISPr or Chillispot parameters, but at how you set it up to enable Enterprise WPA. Is it really just those three parameters in chillispot? Nothing to be done on freeradius?
Can you confirm this is so and what you meant?
Thanks
*************

Thanks for the reply.
Can you expand a bit on 'the freeradius server needs to be set up correctly'?
What reply parameters does chilli need to work? Which authentication methods need to be activated on the radius server (PAP, CHAP, others) or is this irrelevant?
Most importantly, does there need to be any installation on the client, i.e. laptop? Is a preshared key required? Or is this provided by the radius server on authentication? If so, again, what parameter is used to do that?

Any thoughts/input?

*************

When chillispot calls hotspotlogin.php or hotspotlogin.cgi it passes a few parameters through the URL. It appears to be the user's device MAC address, a challenge, the nasid and the userurl as well as a status.

How can I configure chillispot so the ROUTER's (not the user's) MAC address is sent through a POST or GET parameter to the hotspotlogin script?

Cheers

*************

Thanks for the reply,
yes this must have been it. Now the freeradius sends the correct group responses. Hurray!

Now, what I meant with tun1 was this. You will see the interfaces instantiated on the router with the command 'ifconfig'. If you have chillispot running on openwrt one of these interfaces will be 'tun0' - a tunnel opened by chillispot so it can exert control over the traffic going through the router (i.e. enforce session-timeout, bandwidth restrictions etc.). If you also have openvpn running at the same time you will notice a second interface, named 'tun1', which openvpn uses to do its own thing. Indeed the numbering depends entirely on the order in which you start up chillispot and openvpn. If the order in /etc/init.d starts openvpn first, openvpn will have the tun0 interface and chillispot will have tun1.

Both of these tunnels have to be explicitly 'allowed' and declared to the firewall - otherwise the traffic won't go through. My question to you was regarding the behaviour of the S35firewall script, as it is a deviation to the OpenWRT standard.

My question was what configuration had to be put in to enable openvpn. with the standard OpenWRT firewall script and firewall.user configuration script all that needed to be done was add the two lines:
iptables -A forwarding_rule -i tun0 -j ACCEPT
iptables -A forwarding_rule -i tun1 -j ACCEPT
No fussing with ports - all was working fine. Your script works differently by the looks of it, so my question is, what entry needs to be added to allow openvpn, as "iptables -A forwarding_rule -i tun1 -j ACCEPT" is probably not going to work anymore.

You kind of answered the question though in your last post. So are you saying that adding something like:
#Allow openvpn on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 1194 --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
should lead to success?

Thanks for your patience :-)

*************

Thanks again for the response.
The WISPr document you refer to is indeed interesting, but does not address my question:
How do you install or enable WISPr attributes on Freeradius. I cannot get freeradius to include WISPr attributes in its authentication response as much as I try.

Back to the original question. Did my clarification help?
So, is all wifi traffic forced through tun0 with the help of that firewall script?
And what has to be done to open a tun1 on the firewall for openvpn?

Thanks

*************


(4 replies, posted in Radius Configuration)

Hi,

great to hear that you got freeradius to send these attributes in the first place. I want to use WISPr and Chillispot attributes but for the life of me I cannot get freeradius to send these attributes - regardless of whether I enter them in radreply or radgroupreply.

Is there a decent description of what needs to be done? So far, what I have done is add the relevant attributes to the attrs file in /etc/freeradius of my freeradius server.

Thanks in advance for any hints.

*************

Hi ajauberg,

Thanks for the fast response.

My question was obviously a bit cryptic. I am not interested in IP or MAC based routing or authorisation, as I run a hotspot and I need to authenticate any IP or MAC address that comes in. The purpose of ensuring all wireless traffic (eth1) goes through the ************* tunnel (tun0) is to be able to enforce further attributes like WISPr. Have a look at http://www.chillispot.info/chilliforum/ … php?id=107 to see what I am getting at.

The second tunnel is not for a second ************* process but for openvpn, which will open a second tunnel (in my configuration tun1). To allow traffic of openvpn to go through the router, I had to open tun1 in the firewall.user file (see the quoted entries). My question to you was, how do these entries have to be changed (or maybe they are not required at all?) given your new /etc/init.d/S35firewall script, which seems to replace the standard OpenWRT firewall script.

Thanks

*************

PS: Do you have some views/input on http://www.chillispot.info/chilliforum/ … php?id=107?

I have seen the following attributes:

VENDOR        WISPr                14122

BEGIN-VENDOR    WISPr

ATTRIBUTE    WISPr-Location-ID            1    string
ATTRIBUTE    WISPr-Location-Name            2    string
ATTRIBUTE    WISPr-Logoff-URL            3    string
ATTRIBUTE    WISPr-Redirection-URL            4    string
ATTRIBUTE    WISPr-Bandwidth-Min-Up            5    integer
ATTRIBUTE    WISPr-Bandwidth-Min-Down        6    integer
ATTRIBUTE    WISPr-Bandwidth-Max-Up            7    integer
ATTRIBUTE    WISPr-Bandwidth-Max-Down        8    integer
ATTRIBUTE    WISPr-Session-Terminate-Time        9    string
ATTRIBUTE    WISPr-Session-Terminate-End-Of-Day    10    string
ATTRIBUTE    WISPr-Billing-Class-Of-Service        11    string

END-VENDOR    WISPr

and also

VENDOR          ChilliSpot                   14559

BEGIN-VENDOR    ChilliSpot

ATTRIBUTE    ChilliSpot-Max-Input-Octets        1    integer
ATTRIBUTE    ChilliSpot-Max-Output-Octets       2    integer
ATTRIBUTE    ChilliSpot-Max-Total-Octets        3    integer
ATTRIBUTE    ChilliSpot-Bandwidth-Max-Up        4    integer
ATTRIBUTE    ChilliSpot-Bandwidth-Max-Down      5    integer
ATTRIBUTE    ChilliSpot-Config                  6    string
ATTRIBUTE    ChilliSpot-Lang                    7    string
ATTRIBUTE    ChilliSpot-Version                 8    string
ATTRIBUTE    ChilliSpot-OriginalURL             9    string
ATTRIBUTE    ChilliSpot-Acct-View-Point         10   integer

VALUE    ChilliSpot-Acct-View-Point ChilliSpot-NAS-View-Point    1
VALUE    ChilliSpot-Acct-View-Point ChilliSpot-Client-View-Point 2

# Configuration management parameters (ChilliSpot Only)
ATTRIBUTE    ChilliSpot-UAM-Allowed            100    string
ATTRIBUTE    ChilliSpot-MAC-Allowed            101    string
ATTRIBUTE    ChilliSpot-Interval            102    integer

# Inline with RFC 2882 use of VSE-Authorize-Only for remote config
# Note that 14559 = 0x38df is used as prefix for the VSE.
# This is recognized as the best (but bad) way of doing VSEs.
# (ChilliSpot Only - CoovaChilli uses Service-Type = Administrative-User)
VALUE    Service-Type            ChilliSpot-Authorize-Only 0x38df0001

END-VENDOR    ChilliSpot

Now, I love what I see there and would like to implement these attributes. However, just putting them into the radcheck table as entries did not result in these attributes being enforced. Obviously some more configuration is required.

Where can I find a good and comprehensive description as to how to implement these attributes?

I am using chillispot 1.0, freeradius 1.1.7, OpenWRT White Russian and MySQL 5.0

Any input appreciated.

Thanks

*************

Auckland, New Zealand

Hi,

I have chillispot 1.0 on OpenWRT, working with freeradius 1.17 and mysql 5.0 driving a hotspot solution. I only use the following attributes:
User-Password
Simultaneous-Use
Max-All-Session
Expiration
It all works fine, but I have no encryption on the wifi connection. Can I use chillispot in conjunction with wpa enterprise? If so, what would I need to configure on OpenWRT and/or the freeradius server and/or chillispot?
If this is not feasible, what other options do I have to encrypt wifi traffic without a key that people have to manually type in (as with normal WPA is the case)?
Any input welcome.

Thanks

*************
Auckland, New Zealand

Hi,

I have chillispot 1.0 working with freeradius 1.17 and mysql 5.0. I only use the following attributes:
User-Password
Simultaneous-Use
Max-All-Session
Expiration
I now want to implement some WISPr and/or Chillispot. I understand from previous other posts on other forums that all wifi traffic must be pushed through the tunnel (tun0) that Chillispot uses, so the parameters can be enforced.

Can I ask regarding the great Howto you posted with the S35firewall script - will this script indeed force the traffic through the tunnel opened by chillispot? Even if it is not tun0 but, say, tun1?

What needs to be changed in the script (if anything), to allow traffic through a second tunnel, for openvpn for example? Or will S35firewall still work and just some entry in firewall.user is sufficient? I have currently added the line
iptables -A forwarding_rule -i tun0 -j ACCEPT
to allow chillispot to go through and
iptables -A forwarding_rule -i tun1 -j ACCEPT
to firewall.user, which enables openvpn to go through in combination with the stock standard WRT54GL firewall script in /etc/init.d
Do I still have to make these entries? Will the entry for tun1 break the forcing of all ethernet traffic through tun0?

I (and some more people, I am sure) would really value your clarification.

Thanks

*************
Auckland, New Zealand
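The two posts above about firewall.user (this one, and the earlier one explaining that tun0/tun1 numbering depends on which of chillispot and openvpn starts first) both hinge on the same problem: rules written by interface name silently open the wrong tunnel after a reboot that changes the start order. The script below is an added example, not code from the thread or from the OpenWRT or ChilliSpot projects. It identifies the chilli tunnel from ifconfig output by its subnet rather than by its name, then emits the firewall.user lines for both tunnels plus the OpenVPN listener. It assumes chilli's default "net 192.168.182.0/24" is unchanged, that OpenVPN listens on UDP 1194 (so no "--syn", which only exists for TCP), and White Russian's stock chain names; the ifconfig text is constructed sample data.

```shell
#!/bin/sh
# Added example: resolve which tun interface belongs to chillispot by its
# subnet, then print the firewall.user rules for both tunnels.
# Assumptions: chilli default net 192.168.182.0/24, OpenVPN on UDP 1194,
# White Russian chain names (forwarding_rule, input_rule).

CHILLI_NET_PREFIX="192.168.182."
OPENVPN_PORT=1194

# Constructed ifconfig output; on the router you would use: ifconfig
# Here openvpn started first and took tun0, chilli ended up on tun1.
SAMPLE_IFCONFIG='tun0      Link encap:UNSPEC
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
tun1      Link encap:UNSPEC
          inet addr:192.168.182.1  P-t-P:192.168.182.1  Mask:255.255.255.0'

# find_tun <ifconfig-text> <address-prefix>
# Prints the tun interface whose inet addr starts with the prefix.
find_tun() {
    printf '%s\n' "$1" | awk -v pfx="$2" '
        /^tun[0-9]/ { iface = $1 }
        /inet addr:/ { split($2, a, ":"); if (index(a[2], pfx) == 1) print iface }'
}

# other_tun <ifconfig-text> <exclude>
# Prints the first tun interface that is not <exclude> (the openvpn one).
other_tun() {
    printf '%s\n' "$1" | awk -v skip="$2" '/^tun[0-9]/ && $1 != skip { print $1; exit }'
}

# firewall_rules <chilli-tun> <openvpn-tun>
# Emits the lines to append to /etc/firewall.user. The UDP rule carries no
# --syn: that flag is a TCP-only match and iptables rejects it for UDP.
firewall_rules() {
    cat <<EOF
iptables -A forwarding_rule -i $1 -j ACCEPT
iptables -A forwarding_rule -i $2 -j ACCEPT
iptables -A input_rule -p udp --dport $OPENVPN_PORT -j ACCEPT
EOF
}

# Stand-alone run: show which tunnel is which, then the rules.
chilli_tun=$(find_tun "$SAMPLE_IFCONFIG" "$CHILLI_NET_PREFIX")
vpn_tun=$(other_tun "$SAMPLE_IFCONFIG" "$chilli_tun")
echo "# chilli on $chilli_tun, openvpn on $vpn_tun"
firewall_rules "$chilli_tun" "$vpn_tun"
```

On a real router, replace SAMPLE_IFCONFIG with the output of ifconfig and check the printed mapping before appending the rules to firewall.user.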

Hi,
thanks for that HowTo. Very helpful indeed.
Before I get stuck into it, I would like to ask for some clarification, as the HowTo appears to make some assumptions:
- Where are all chillispot and freeradius packages installed in your setup? All on the router? Or all on a gateway PC? Or chillispot on the router and freeradius on a PC? Or does it matter at all?
I assume freeradius could be installed anywhere - even remotely on a hosted server, as long as it can be reached via an IP address.
What about chillispot, does it have to be on the router? Could chillispot be hosted remotely like freeradius?
And where does the hotspotlogin.cgi have to be placed. Router? Server? remote server?

And would all these variations make a difference for your set up?

Please advise

Best wishes

*************
Auckland, New Zealand