How to configure DD-WRT, Chillispot, Apache2, FreeRadius, freeradius-dialupadmin, and MySQL on Debian 4.0

From DD-WRT Wiki

Jump to: navigation, search

How to configure DD-WRT, Chillispot, Apache2, FreeRadius, freeradius-dialupadmin, and MySQL on Debian 4.0

This will show how to configure the above apps in order to create a hotspot. Also, I will go over some attributes to control bandwidth. I am not an expert with any of these apps, but I got it working. If anyone has any suggestion, please do not hesitate on commenting.



  • Requirements (most of these are in Debian's Synaptic Package Manager)

    • Apache2

    • MySQL Server

    • PHP4

    • freeradius

    • freeradius-dialupadmin

    • php4-mysql

    • openssl

    • freeradius-mysql

    • php4-cgi

    • Download chillispot-1.1.0 (do not install)

    • Download MySQL Quick Admin



  • Configuring DD-WRT. I am using firmware v24 RC4

  1. Make sure your wireless router has Internet access.

  2. Open your Internet browser to “http://192.168.1.1

  3. Click “Administration” and make sure you change your router's username and password.

  4. Click on “Setup”, under “Basic Setup”. In the DHCP setting, deselect “DHCP-Authoritative”. Click the “Apply Settings” button at the bottom.

Image:001.gif

  1. Click “Wireless” and in the “Wireless Network Name (SSID)” textbox type the name of the hotspot. For this how to, we will use the fancy name “HotSpot”. Click the “Apply Settings” button at the bottom.

  2. Click “Services” and then “Hotspot”

  3. Enable Chillispot. Insert these settings: (On my Debian machine, I assigned a static ip address of 192.168.1.2)Primary Radius Server IP/DNS: 192.168.1.2

    • Primary Radius Server IP/DNS: 192.168.1.2

    • Backup Radius Server IP/DNS: 192.168.1.2

    • DNS IP: “this is your ISP DNS server”

    • Remote Network: “use the default”

    • Redirect URL: “https://192.168.1.2/cgi-bin/hotspotlogin.cgi/

    • Shared Key: testing123

    • DHCP Interface: WLAN

    • Radius NAS ID: ID_HotSpot

    • UAM Secret: testing123

Image:002.gif

  1. leave the rest at their default settings

  2. Click “Apply Settings” and reboot router.



Switch over to the machine with Debian (192.168.1.2). Make sure you have install all packages required.



  • Configuring freeradius

I like to use Nautilus to navigate as root. To do this, open a “Root Terminal”. Type the following: nautilus --no-desktop –browser.

  1. Navigate to /etc/freeradius

  2. Edit “radiusd.conf”

    • Line 428: change “proxy-requests” to “no”

    • goto “authorize {“, Line 1773

    • Line 1844: uncomment “sql”

    • goto “accounting {“, Line 1973

    • Line 2001: uncomment “sql”

    • goto “session {“, Line 2018

    • Line 2023: uncomment “sql”

  1. Save and close the file.

  2. Let's create a user and test freeradius.

  3. Edit “user” in /etc/freeradius

  4. On line 53, insert the following:

  • test1 User-Password == “password1”

  • DEFAULT Auth-Type := chap

  • Fall-Through := 1

  1. Save and close the file.

  2. Edit “clients.conf” in /etc/freeradius

    • Line 35: change the “secret” to the one you used in DD-WRT configuration (testing123)

  1. Save and close the file.

  2. Goto you “Root Terminal” and restart freeradius

    • /etc/init.d/freeradius restart

  1. Test user

    • radtest test1 password1 127.0.0.1 0 testing123

    (If you get “re-sending” continuously, check your setting again. If you get something like this “rad-recv: Access-Reject”, then we know freeradius is working and we can move on. Also you might want to delete the test user out of “clients.conf”.)



  • Configuring MySQL

  1. This how-to is a fresh installation of Debian, so I will have to set the password for the root of MySQL.

  2. Open “Root Terminal” and type the following:

    • mysql -u root -p

      ***Press enter when it asks for the password (there is no password)

    • set password for 'root'@'localhost'=password('root_password');

    • quit;

  1. Create the radius database and create a new MySql user to access database. On the “Root Terminal”, type:

    • mysql -u root -p

      ***Enter the new password (root_password).

    • create database db_radius;

    • grant all privileges on db_radius.* to 'user_radius'@'localhost' identified by 'user_radius_password';

    • flush privileges;

    • quit;

  1. Import MySql statement to the db_radius. Download and extract “http://www.freeradius.org/download.html ” This will download to your desktop. Type the following in “Root Terminal”:

    • cd /home/username/Desktop/freeradius-1.1.7/doc/examples/

    • mysql -u user_radius -p db_radius < mysql.sql

  1. Let see if the database and information is there. Type the following in “Root Terminal”:

    • mysql -u user_radius -p

    • show databases;

    • use db_radius;

    • show tables;

    • ***You should see the following tables: nas, radacct, radcheck, radgroupcheck, radgroupreply, radippool, radpostauth, radreply, and usergroup.

    • quit;



  • Configure freeradius to use MySQL

  1. Using Nautilus, navigate to /etc/freeradius and edit sql.conf

    • Line 22: change to “user_radius”

    • Line 23: change to “user_radius_password”

    • Line 26: change to “db_radius”

    • save and close the file.

  1. Let's create a test user for MySQL. Open “Root Terminal”. And type the following:

    • mysql -u user_radius -p db_radius

    • insert into radcheck (Username, Attribute, Value) VALUES ('testsql', 'Password', 'passwordsql');

    • select * from radcheck; (***this will show the information you just typed)

    • quit;

  1. Restart freeradius. Using “Root Terminal”, type:

    • /etc/init.d/freeradius restart

  1. Test the account. Using “Root Terminal”, type:

    • radtest testsql passwordsql 127.0.0.1 0 testing123



  • Configuring SSL certificate

  1. Open a terminal. I open a terminal as root. Goto the top-left, click “Applications”, “Accessories” and then “Root Terminal”

  2. change directory to apache2

    • cd /etc/apache2

  1. create a new directory called “ssl”

    • mkdir ssl

  1. change directory to the new folder

    • cd ssl

  1. Type the following commands to create the certificate:

    • openssl genrsa -out hotspot.DomainName.com.key 1024

    • openssl req -new -key hotspot.DomainName.com.key -out hotspot.DomainName.com.csr

(fill in the appropriate information, when “Common Name” comes up use the name of the web site, hotspot.DomainName.com)

    • openssl x509 -req -days 730 -in hotspot.DomainName.com.csr -signkey hotspot.DomainName.com.key -out hotspot.DomainName.com.crt

The certificate has been created. Now we will move on to freeradius.

  • Configuring Apache2

  1. Using Nautilus, navigate to “/etc/apache2” and edit “ports.conf”. Add this line after “Listen 80”

    • Listen 443

  1. Enable ssl modules.

    • With “Nautilus, navigate to “cd /etc/apache2/mods-available. Right-click “ssl.conf” and “ssl.load” and select “Make Link”. This will make to links, “link to ssl.conf” and “link to ssl.load”

    • Cut and paste these two files to “/etc/apache2/mods-enabled”

    • Rename each file by removing “link to”. They should look like “ssl.conf” and “ssl.load” with an arrow

  1. Navigate to “/etc/apache2/sites-available” and edit “default”

    • Line 1: remove “NameVirtualHost *” and add “ServerName hotspot.DomainName.com”

    • Line 2: change to “<VirtualHost *:443>

    • Line 17: comment out “RedirectMatch ^/$ /apache2-default/”

      ***Right before </VirtualHost>, type:

    • SSLEngine on

    • SSLCertificateFile /etc/apache2/ssl/hotspot.hechtburdeshaw.com.crt

    • SSLCertificateKeyFile /etc/apache2/ssl/hotspot.hechtburdeshaw.com.key

  1. Save and close the file. Restart apache2 in “Root Terminal”

    • apache2 -k restart

  1. Open an Internet browser and in the address bar type:

    • https://localhost/

      ***Your Internet browser should ask you to accept the certificate that was created.



  • Install and configure “hotspotlogin.cgi”

  1. Download and extract http://www.chillispot.info/download.html

  2. Don't install chillispot. Navigate to “/home/username/Desktop/chillispot-1.1.0/doc” with Nautilus

  3. Copy “hotspotlogin.cgi” to “/usr/lib/cgi-bin”

  4. Edit “hotspotlogin.cgi”

    • Line 27: uncomment “$uamsecret”

    • insert your secret (testing123)

  1. Using Nautilus, navigate to “/etc/freeradius” and edit “clients.conf”

    • Line 27: change “client 127.0.0.1” to “client 192.168.1.1”

      *** this should be the ip address of your DD-WRT

  1. Save and close the file. Now restart freeradius. Open “Root Terminal” and type:

    • /etc/init.d/freeradius restart

  1. Grab a laptop and turn it on. Check to see if you got the right ip address (should be something like, 192.168.182.X)

  2. Open an Internet browser. The page should be redirected and a pop-up about accepting a certificate should come up. Accept it and you should see the “hotspotlogin.cgi” asking for a username and password. Enter the sql test user (testsql passwordsql). You should now be logged in and able to surf the web.

    ***If you get a blank screen, check your permissions on “hotspotlogin.cgi” file. Other should have “execute” checked.



  • Configure freeradius-dialupadmin

  1. Create a folder and a link. Open a “Root Terminal” and type:

    • cd /var/www

    • mkdir dialup

    • ln -s /usr/share/freeradius-dialupadmin/htdocs /var/www/dialup

  1. There is no username/password for freeradius-dialupadmin, so we will create one. With Nautilus, navigate to “/etc/apache2” and edit “httpd.conf”. Add the following:

    • DocumentRoot /var/www/dialup

    • <Directory /var/www/dialup/htdocs>

    • AuthName "Restricted Area"

    • AuthType Basic

    • AuthUserFile /var/www/.htaccess

    • require valid-user

    • </Directory>

    • <Directory /var/www/>

    • Options Indexes FollowSymLinks MultiViews

    • AllowOverride None

    • Order allow,deny

    • allow from all

    • </Directory>

  1. Create .htacces file for the directory. Open a “Root Terminal” and type:

    • htpasswd -cm /var/www/.htaccess dialup-user

      ***After you hit enter, it will ask for the new password (dialup-password). Restart apache2 with “Root Terminal”

    • apache2 -k restart

  1. Test it out by open an internet browser and going to “http://localhost/htdocs

  2. When it ask for the username/password, enter the ones you created for dialupadmin (dialup-user/dialup-password).

  3. Edit /usr/share/freeradius-dailupadmin/conf/admin.conf

    • Line 123: replace “XXXXXX” with your radius secret (testing123).

    • Line 128: replace “crypt:” with “clear”

    • Line 221: replace “dialup_admin” with “user_radius”

    • Line 222: replace “XXXXXX” with “user_radius_password”

    • Line 223: replace “radius” with “db_radius”

    • Line 250: replace “true” with “false” (change back to true if you want to debug)

    ***You can start using this setup from here on, by using freeradius-dialupadmin to add users and groups. The next part I will show how to insert attributes in order to control bandwidth.



  • Configuring attributes to control users bandwidth

  1. Adding more sql tables to db_radius. Using Nautilus, navigate to “/usr/share/freeradius-dialupadmin/sql”. Edit userinfo.sql and badusers.sql.

    • Line 5 of both files remove “DEFAULT '0' “

      ***Save and close.

  1. Import the tables to db_radius. Type the following on a “Root Terminal” :

    • cd /usr/share/freeradius-dialupadmin/sql

    • mysql -u user_radius -p db_radius < badusers.sql

    • mysql -u user_radius -p db_radius < mtotacct.sql

    • mysql -u user_radius -p db_radius < totacct.sql

    • mysql -u user_radius -p db_radius < userinfo.sql

  1. Install and configure MySQL Quick Admin (MQA)

    • Download http://www.mysqlquickadmin.com/ and extract content

    • I renamed the folder to just “mqa”

    • copy the “mqa” folder to “/var/www/dialup”

    • Goto your Internet browser and type in this url: http://localhost/mqa

    • It should ask for a username and password. Use the username and password you created for the radius database (user_radius, user_radius_password)

    • When it shows the databases assign to user_radius, click on db_radius. You should now see all the tables.

  1. Create two groups in dialupadmin

    • Open your Internet browser to http://localhost/htdocs>

    • On the left, click “New Group”

    • For the “Group name” use “Default” and then click the “Create” button

    • If you click on the “Show Groups” on the left you should see the “Default” group

    • Click “New Group” on the left again.

    • Call this new group “Full Bandwidth”

  1. Adding attributes

    • Open your Internet browser to http://localhost/mqa

    • Enter username and password

    • When it shows the databases assign to user_radius, click on db_radius.

    • Click “radgroupcheck” and then click “Insert”. Under “Values” column insert the following:

      • id: 1

      • GroupName: Default

      • Attribute: Auth-Type

      • op: ==

      • Value: Local

    • Click the “Insert” button. Now let's enter the next group “Full Bandwidth”

      • id: 2

      • GroupName: Full Bandwith

      • Attribute: Auth-Type

      • op: ==

      • Value: Local

    • Click the “Insert” button

    • On the left, click “radgroupreply” and then click “Insert”. Under “Values” column insert the following:

      • id: 1

      • GroupName: Default

      • Attribute: Session-Timeout

      • op: =

      • Value: 3600

    • Click the “Insert” button and enter the next attribute

      • id: 2

      • GroupName: Default

      • Attribute: Idle-Timeout

      • op: =

      • Value: 600

    • Click the “Insert” button and enter the next attribute

      • id: 3

      • GroupName: Default

      • Attribute: Acct-Interim-Interval

      • op: =

      • Value: 60

    • Click the “Insert” button and enter the next attribute

    • Click the “Insert” button and enter the next attribute

      • id: 5

      • GroupName: Default

      • Attribute: WISPr-Bandwidth-Max-Up

      • op: =

      • Value: 128000

    • Click the “Insert” button and enter the next attribute

      • id: 6

      • GroupName: Default

      • Attribute: WISPr-Bandwidth-Max-Down

      • op: =

      • Value: 256000

    • Click the “Insert” button. Now let's enter some attributes for “Full Bandwidth”:

      • id: 7

      • GroupName: Full Bandwidth

      • Attribute: Session-Timeout

      • op: =

      • Value: 3600

    • Click the “Insert” button and enter the next attribute

      • id: 8

      • GroupName: Full Bandwidth

      • Attribute: Idle-Timeout

      • op: =

      • Value: 600

    • Click the “Insert” button and enter the next attribute

      • id: 9

      • GroupName: Full Bandwidth

      • Attribute: Acct-Interim-Interval

      • op: =

      • Value: 60

    • Click the “Insert” button and enter the next attribute

    • Click the “Insert” button. If you click the “Browse” link, you will see all your entries.



  • Testing your hotspot.

    • On mqa, click “radcheck” on the left. Then click “Browse” and delete the “testsql” you created earlier.

    • Open your Internet browser to “http://localhost/htdocs

    • On the left of dialupadmin, click “New User”. Enter information and select the group you want the user to be in. Enter a user for both groups.

    • Grab a laptop and connect hotspot. When you asked for a username/password, enter the one that you just created.

    • Go to http://www.speedtest.net/. You should the difference between both users.



Bonus: How to enable WDS with your new chillispot

Let's take our newly created hotspot and extend the range by enabling WDS (Wireless Distribution Service). Here is the scenario: the newly created hotspot will be called main. Also we will use two other wireless router with DD-WRT installed as clients called client2 and client3.



  • Configure Main

  1. Open Internet browser to 192.168.1.1. I am using the freeradius server 192.168.1.2

  2. Click “Setup” and scroll down to “Router IP” address and change the subnet mask to 255.255.255.248. Click “Apply Settings”. This will limit the amount of IP addresses to 192.168.1.1-192.168.1.6

  3. Scroll down to “Network Address Server Settings (DHCP)” and disable DHCP Server. Click “Apply Settings”

  4. Click the “Wireless” tab and write down your SSID name. Then click “WDS” and write down the “Wireless MAC” (11:11:11:11:11:11)

  • Configure Client2

    1. Use a desktop or laptop and connect directly to Client2 with a CAT5.

    2. Change your TCP/IP for the laptop to 192.168.1.5

    3. Open your Internet browser and enter in the URL: 192.168.1.1

    4. Change the username/password under “Administration”

    5. Click “Setup” and change the “Router Name” to “Client2”. Click “Apply Settings”

    6. Scroll down to “Router IP” and change to:

      • Local IP Address 192.168.1.3

      • Subnet Mask 255.255.255.248

      • Gateway 192.168.1.1

      • Local DNS 192.168.1.1

    1. Click “Apply Settings”

    2. When the IP address changes, you will have to enter in your URL the new address (192.168.1.3)

    3. Sroll down to “Network Address Server Settings (DHCP)” and disable DHCP Server. Click “Apply Settings”

    4. Click “Wireless” tab and change the “SSID” to match the Main router's SSID

    5. Click “WDS” and write down the “Wireless MAC” ( 22:22:22:22:22:22).

    6. In the first entry, select “LAN” and then enter the Main's “Wireless MAC” (11:11:11:11:11:11). Enter “Main” for the description. Click “Apply Settings”.

    7. Click “Security” tab and disable the firewall. Click “Apply Settings”.

    8. Click “Services” tab and then click “Hotspot”

    9. Enable “Chillispot” with the same configuration as the Main router

      Image:002.gif

        1. Click “Apply Settings” and reboot Client2 (under “Administration” tab).

      • Configure Client3

      1. Just follow the instructions for configuring Client2 with these changes:

      2. “Router Name” is Client3

      3. “Router IP” is 192.168.1.4

      4. Write down the “Wireless MAC” under “Wireless” then “WDS” (33:33:33:33:33:33)



      • Finish configuring Main

      1. Open your Internet browser to 192.168.1.1

      2. Click the “Wireless” tab and then click “WDS”

      3. You will have two entries. Select “LAN” for both entries and enter the “Wireless MAC” of Client2 (22:22:22:22:22:22) and Client3 (33:33:33:33:33:33).

      4. Click “Apply Settings”



      • Configure your freeradius server (192.168.1.2)

      1. Goto your freeradius server 192.168.1.2

      2. Open a “Root Terminal”. Type the following: nautilus --no-desktop –browser.

      3. Navigate to /etc/freeradius and edit clients.conf

      4. On line 79, enter the following

        client 192.168.1.3 {

          secret = testing123

          shortname = ID-Hotspot

          nastype = other

            }

        client 192.168.1.4 {

          secret = testing123

          shortname = ID-Hotspot

          nastype = other

            }

      5. Save and close. Exit out of Nautilus.

      6. On “Root Terminal”, type:

      /etc/init.d/freeradius restart


      This should do it. Go around and plug in Client2 and Client3. Make sure they are with in range of the Main. Go back to your freeradius server and ping each address (192.168.1.3 and 192.168.1.4), you should get a reply.