
daloRADIUS

Captive Portal Setup

2009
by Liran Tal
liran@enginx.com


daloRADIUS Hands-on Guides
Captive Portal Setup
The captive portal provides a Unified Access Method (UAM) that gives users access to the service via their
web browser, where they can log in, register for a new account, view the service's terms of usage, and more.

The essence of the captive portal functionality is to (always) redirect any web traffic a user requests to the
service's web pages which provide access to the service (via Login or Signup pages).

Some examples of captive portal software are Wifidog, NoCatAuth, Chillispot, and perhaps the most common
and popular of all, CoovaChilli. CoovaChilli is the successor of the Chillispot project, which suffered from
abandoned development; therefore Coova's maintainer, David Bird, assumed the role of continuing its
development under the new name CoovaChilli.


daloRADIUS ships with CoovaChilli (and Chillispot) captive portal pages and supports only those.
Moreover, it provides a PHP version of the captive portal pages, suitable for deployment on a LAMP-based
install, and introduces a templating system that makes it extremely easy and convenient for businesses to
modify the portal pages and customize them to their needs.


Project's References:
1. Wifidog: http://dev.wifidog.org
2. NoCatAuth: http://nocat.net
3. Chillispot: http://chillispot.info
4. CoovaChilli: http://coova.org/CoovaChilli

Deploying the Captive Portal
As stated above in the brief introduction, daloRADIUS ships with Captive Portal pages, ready to be used.
More than that, it ships with 3 different versions of the captive portal pages:
1. A stripped-down version of the pages (very basic HTML)
2. A themed version of the captive portal pages (option 1)
3. A themed version of the captive portal pages (option 2)
We will focus on deploying the captive portal pages with the 2nd version, which is available in the
daloRADIUS package: contrib/chilli/portal2.



Outlined below are the steps to take for an Ubuntu or Debian-based Linux distribution.
(While the document refers to CoovaChilli, most if not all configuration examples are relevant to Chillispot as
well, so CoovaChilli and Chillispot are interchangeable in the scope of this document.)

1. Get the latest release of daloRADIUS ( >= 0.9-8 ) and unpack the tar.gz package to a local directory.

    # cd /tmp
    # wget -O daloradius-0.9-8.tar.gz "http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz?use_mirror=garr"
    # tar zxvf daloradius-0.9-8.tar.gz

2. Copy the hotspotlogin directory from contrib/chilli/portal2 (found in the top-level directory of the
daloRADIUS package) to the website-accessible directory of your choice. For the example throughout
this document we will use /var/www/dalohosting/hotspotlogin/

    # mkdir -p /var/www/dalohosting
    # cp -arp /tmp/daloradius-0.9-8/contrib/chilli/portal2/hotspotlogin/ /var/www/dalohosting/

3. Adjust file permissions for the web server user and group:

    # chown -R www-data:www-data /var/www/dalohosting/hotspotlogin

4. CoovaChilli (and Chillispot) communicates with the (remote) portal pages over SSL, and the
directives required in CoovaChilli's configuration are:

    uamlisten 192.168.182.1
    uamport 3990
    uamserver https://www.example.com/hotspotlogin/hotspotlogin.php
    uamsecret mysecretuampassword

Information regarding these parameters and others is available through CoovaChilli's homepage,
forums, mailing list and documentation.

In the given example, the hotspotlogin directory is accessible from that example domain. It's
necessary to make sure that a good shared secret is used for the uamsecret directive, and that it
matches in both the hotspotlogin files and the CoovaChilli configuration files.

5. To configure the hotspotlogin directory, specify the uamsecret that was set previously in
the CoovaChilli configuration. Use the editor of your choice to edit the file
/var/www/dalohosting/hotspotlogin/hotspotlogin.php and set the uamsecret variable at the beginning
of the file accordingly:

    # Shared secret used to encrypt challenge with. Prevents dictionary attacks.
    # You should change this to your own shared secret.
    $uamsecret = "mysecretuampassword";

6. The hotspotlogin directory must be accessible to the web server via the exact location
we set in CoovaChilli's uamserver definition. To achieve this we define a VirtualHost entry (it
is beyond the scope of this document to explain every other possible way; use apache's
references).

Enabling SSL support in apache:

    # apt-get install ssl-cert
    # mkdir /etc/apache2/ssl
    # /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
    # a2enmod ssl && /etc/init.d/apache2 restart

While this isn't an apache guide, the steps above should be sufficient for an already installed apache2
server to add SSL support.

Next, adding a VirtualHost file entry (assuming a NameVirtualHost entry for this domain already
exists). The

    <VirtualHost 1.1.1.1:443>
        ServerName www.example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/dalohosting/
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

Save the above file as /etc/apache2/sites-enabled/hotspotlogin-ssl, replacing the VirtualHost IP
address of 1.1.1.1 and the other configuration options in the file with the correct settings, then
enable this site entry and restart/reload apache:

    # a2ensite hotspotlogin-ssl
    # /etc/init.d/apache2 restart



It might be a good idea to make sure the web server is configured to listen for SSL on the correct IP
address as stated above. Take a look at /etc/apache2/ports.conf.
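
The check below is an added example, not part of daloRADIUS or CoovaChilli: it tests the requirement from steps 4 and 5 that the uamsecret is identical in the CoovaChilli configuration and in hotspotlogin.php, and that it is not the sample value printed in this guide. The function names, the 20-character minimum and the sample files it builds are assumptions of this example.

```shell
#!/bin/sh
# Added example (not daloRADIUS or CoovaChilli code): audit the UAM shared secret.

# Print the active uamsecret from a chilli config file; commented lines are ignored.
chilli_secret() {
    sed -n 's/^[[:space:]]*uamsecret[[:space:]=]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Print the value assigned to $uamsecret in hotspotlogin.php (double-quoted form).
portal_secret() {
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# audit_uamsecret CHILLI_CONF PORTAL_PHP: print a verdict, return 0 only for OK.
# The 20-character minimum is an assumption of this example, not a CoovaChilli rule.
audit_uamsecret() {
    c=$(chilli_secret "$1")
    p=$(portal_secret "$2")
    if [ -z "$c" ] || [ -z "$p" ]; then echo "MISSING"; return 2; fi
    if [ "$c" != "$p" ]; then echo "MISMATCH"; return 3; fi
    if [ "$c" = "mysecretuampassword" ]; then echo "DEFAULT"; return 4; fi
    if [ "${#c}" -lt 20 ]; then echo "SHORT"; return 5; fi
    echo "OK"
}

# Generate a 64-hex-character replacement secret from the kernel random source.
new_uamsecret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Constructed sample files mirroring steps 4 and 5 of this guide.
demo_dir=$(mktemp -d)
printf 'uamlisten 192.168.182.1\nuamsecret mysecretuampassword\n' > "$demo_dir/chilli.conf"
printf '<?php\n$uamsecret = "mysecretuampassword";\n' > "$demo_dir/hotspotlogin.php"
echo "guide values:   $(audit_uamsecret "$demo_dir/chilli.conf" "$demo_dir/hotspotlogin.php")"

# Rotate both sides to the same fresh secret and audit again.
s=$(new_uamsecret)
printf 'uamlisten 192.168.182.1\nuamsecret %s\n' "$s" > "$demo_dir/chilli.conf"
printf '<?php\n$uamsecret = "%s";\n' "$s" > "$demo_dir/hotspotlogin.php"
echo "after rotation: $(audit_uamsecret "$demo_dir/chilli.conf" "$demo_dir/hotspotlogin.php")"
rm -rf "$demo_dir"
```

On a real install, point audit_uamsecret at the CoovaChilli configuration file in use and at /var/www/dalohosting/hotspotlogin/hotspotlogin.php.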



Successful Login

Finally, when the captive portal pages have been installed and configured correctly on the remote web
server, the CoovaChilli configuration has the correct parameters, and the software is running on a NAS or a
sandbox Linux system, a user who attempts to connect to the wireless network (at least, wireless in most
cases) is allocated an IP address by the DHCP server run by CoovaChilli.

At this point, the user will attempt to open the browser and surf the Internet. Since CoovaChilli is configured
to run as captive portal software, it will intercept the user's port 80 (web traffic) request and display the
configured captive portal page, as shown in the screenshot:




Feedback
We hope you enjoyed this tutorial and made the best of it.
For comments and general feedback please contact us via email at team@enginx.com
