Captive Portal in Linux
*Note: To obtain a functional captive portal with minimal configuration, most settings are left at their defaults.*
All the commands listed below will be executed as root.
Update CentOS 7:
yum check-update
yum update
Disable the default firewall (firewalld); iptables-services, installed in the next step, replaces it:
systemctl stop firewalld
systemctl disable firewalld
Install packages and dependencies:
# Tools
yum install wget nano
# Firewall
yum install iptables-services
# FreeRADIUS
yum install freeradius freeradius-utils
# Web Server
yum install httpd openssl mod_ssl
# Chillispot dependencies
yum install glibc-devel.i686 glibc-i686 perl-Digest-MD5
Install Chillispot:
wget https://raw.githubusercontent.com/zoilomora/captive-portal/master/chillispot-1.1.0.i386.rpm
rpm -Uvh chillispot-1.1.0.i386.rpm
Edit the file /etc/chilli.conf and modify the following lines:
# DNS
dns1 8.8.8.8
dns2 8.8.4.4
# FreeRADIUS
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret secret-password-for-radius
# DHCP
dhcpif eth1
# Universal access method (UAM)
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamhomepage https://192.168.182.1/
uamsecret secret-password-for-uam
Link the Chillispot dictionary into FreeRADIUS:
echo "\$INCLUDE /usr/share/doc/chillispot-1.1.0/dictionary.chillispot" >> /etc/raddb/dictionary
Copy the login script and grant permissions:
cd /var/www/cgi-bin/
cp /usr/share/doc/chillispot-1.1.0/hotspotlogin.cgi ./hotspotlogin.cgi
chown apache:apache ./hotspotlogin.cgi
chmod 700 ./hotspotlogin.cgi
Edit the file /var/www/cgi-bin/hotspotlogin.cgi:
# Uncomment the lines
$uamsecret = "secret-password-for-uam";
$userpassword = 1;
Create the file /var/www/html/index.html with the content:
<html>
<body>
<a href="http://192.168.182.1:3990/prelogin">Click here to login</a>
</body>
</html>
Enable Chillispot firewall rules:
# Run the script to load the iptables rules into the running kernel
/usr/share/doc/chillispot-1.1.0/firewall.iptables
# Save the rules so that they persist across reboots
service iptables save
Enable IP forwarding:
# Add the line to the end of the file
echo "net.ipv4.ip_forward = 1" >> /usr/lib/sysctl.d/50-default.conf
# Apply the settings to the system (--system reloads every sysctl
# configuration file; plain -p only reads /etc/sysctl.conf)
/sbin/sysctl --system
Adjust the FreeRADIUS shared secret by editing the file /etc/raddb/clients.conf:
client localhost {
# Replace the default password with the radiussecret value set in /etc/chilli.conf
secret = secret-password-for-radius
}
Register a user in FreeRADIUS by editing the file /etc/raddb/users:
# Insert a line for each user at the end of the file
john Cleartext-Password := "hello"
Check access to FreeRADIUS from the console (the last argument is the shared secret set in /etc/raddb/clients.conf):
radtest "john" "hello" 127.0.0.1 0 secret-password-for-radius
Sent Access-Request Id 215 from 0.0.0.0:51134 to 127.0.0.1:1812 length 75
User-Name = "john"
User-Password = "hello"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Accept Id 215 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
Enable the services so that they start at boot:
systemctl enable iptables
systemctl enable httpd
systemctl enable radiusd
systemctl enable chilli
Restart the server to apply and activate the services:
reboot
radiusd -X
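The steps above place the same two secrets in three files: radiussecret in /etc/chilli.conf and /etc/raddb/clients.conf, and uamsecret in /etc/chilli.conf and hotspotlogin.cgi. As an added example, not part of the original guide, this script checks that each pair matches and that neither the FreeRADIUS default testing123 nor this guide's placeholder strings are still in use; the function names and the sample values s3cr3t-A and s3cr3t-B are constructed for illustration.

```bash
#!/bin/bash
# Added example (not part of the original guide): cross-check the shared
# secrets that the steps above place in three different files.

# Value of a "key value" directive in chilli.conf; commented lines are skipped.
chilli_value() {  # $1=key $2=file
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# "secret" inside the "client localhost" block of clients.conf.
radius_client_secret() {  # $1=file
    awk '/^[ \t]*client[ \t]+localhost[ \t]*[{]/ { in_block = 1; next }
         in_block && /^[ \t]*[}]/ { exit }
         in_block && /^[ \t]*secret[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print $1; exit }' "$1"
}

# Uncommented $uamsecret assignment in hotspotlogin.cgi.
cgi_uamsecret() {  # $1=file
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 only if both pairs match and no known default/placeholder is left.
check_secrets() (  # $1=chilli.conf $2=clients.conf $3=hotspotlogin.cgi
    rc=0
    rs=$(chilli_value radiussecret "${1:-/etc/chilli.conf}")
    us=$(chilli_value uamsecret "${1:-/etc/chilli.conf}")
    cs=$(radius_client_secret "${2:-/etc/raddb/clients.conf}")
    gs=$(cgi_uamsecret "${3:-/var/www/cgi-bin/hotspotlogin.cgi}")
    { [ -n "$rs" ] && [ "$rs" = "$cs" ]; } || { echo "MISMATCH: radiussecret / clients.conf"; rc=1; }
    { [ -n "$us" ] && [ "$us" = "$gs" ]; } || { echo "MISMATCH: uamsecret / hotspotlogin.cgi"; rc=1; }
    for v in "$rs" "$us" "$cs" "$gs"; do
        case "$v" in
            testing123|secret-password-for-radius|secret-password-for-uam)
                echo "DEFAULT OR PLACEHOLDER SECRET IN USE: $v"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample files (not real configuration) for a dry run.
make_sample() {  # $1=dir $2=secret written to clients.conf
    printf 'radiussecret s3cr3t-A\nuamsecret s3cr3t-B\n' > "$1/chilli.conf"
    printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = %s\n}\n' "$2" > "$1/clients.conf"
    printf '#$uamsecret = "old";\n$uamsecret = "s3cr3t-B";\n' > "$1/hotspotlogin.cgi"
}

d=$(mktemp -d) && make_sample "$d" testing123
check_secrets "$d/chilli.conf" "$d/clients.conf" "$d/hotspotlogin.cgi" || echo "fix the findings above"
rm -rf "$d"
```

Calling check_secrets with no arguments reads the real files at the paths used in this guide.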