This guideline is based on a 2019 event. It may not work at some points, so please be cautious!
Hi! This is my first guideline written in Markdown. We are going to create a WiFi authentication system using FreeRADIUS with ChilliSpot on CentOS 7.6.
We are going to use CentOS 7.6 as the operating system. We will use Rufus to create a bootable USB for the installer.
When installing, set up Network & Host Name first. Make sure the Internet connection is working, as we need it in the next steps. Also make sure to set the Internet network to a static IP. The first Ethernet interface will be used for the Internet network. The second Ethernet interface will be used for the WiFi access point.
Remember the IP addresses and interface names, as we will need them later!
Set Software Selection to Infrastructure Server without selecting any add-ons, as we don't need them now.
These are the summary commands to install all packages. A line-by-line explanation follows below. If you really need to get it done quickly, just copy and paste this.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum -y install epel-release
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php73
yum -y install httpd mod_ssl php php-common php-cli php-mysqlnd php-pdo phpmyadmin mariadb-server mariadb freeradius freeradius-mysql freeradius-utils vsftpd bind bind-utils glibc.i686 perl-Digest-MD5
rpm -i http://www.chillispot.org/download/chillispot-1.1.0.i386.rpm
We will install most of the necessary packages with yum. We need to add the EPEL and Remi repositories to make more packages available.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum -y install epel-release
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
We can now install all the packages we need.
First, we will install PHP 7.3 with the Apache web server, along with its extensions and phpMyAdmin.
yum-config-manager --enable remi-php73
yum -y install httpd mod_ssl php php-common php-cli php-mysqlnd php-pdo phpmyadmin
We will install MariaDB as the database server.
yum -y install mariadb-server mariadb
We will install FreeRADIUS as the RADIUS server.
yum -y install freeradius freeradius-mysql freeradius-utils
We will install vsftpd as the FTP server.
yum -y install vsftpd
We will install bind as the DNS server.
yum -y install bind bind-utils
We will install ChilliSpot as the WiFi captive portal.
yum -y install glibc.i686 perl-Digest-MD5
rpm -i http://www.chillispot.org/download/chillispot-1.1.0.i386.rpm
You may need to connect to the server from a different computer, so I am assuming you want to stop the firewalld service.
systemctl stop firewalld.service
First, we will create a new user with FTP access to the server. We are going to give this new user the username "ftpuser".
adduser ftpuser
passwd ftpuser
Next, we are going to edit the vsftpd.conf file.
nano /etc/vsftpd/vsftpd.conf
Use the following settings. vsftpd does not accept a comment on the same line as a setting, so each comment goes on its own line.
# Disable anonymous access
anonymous_enable=NO
# Enable local login
local_enable=YES
# Enable write access
write_enable=YES
Now we can start the service and make it start on boot.
systemctl start vsftpd.service
systemctl enable vsftpd.service
You can now try to log in to the FTP server with your password.
We are going to edit the named.conf file.
nano /etc/named.conf
Use the following settings.
listen-on port 53 { any; };
allow-query { any; };
Now we can start the service and make it start on boot.
systemctl start named.service
systemctl enable named.service
You can now try a DNS query with this command.
nslookup google.com 127.0.0.1
We should be able to access phpMyAdmin from anywhere, so we are going to allow any IP to access phpMyAdmin.
We are going to edit the phpMyAdmin.conf file.
nano /etc/httpd/conf.d/phpMyAdmin.conf
Use the following settings.
<IfModule mod_authz_core.c>
# Apache 2.4
# <RequireAny>
# Require ip 127.0.0.1
# Require ip ::1
# </RequireAny>
Require all granted
</IfModule>
At this point, we can start the Apache web server. We should make the service start on boot as well.
systemctl start httpd.service
systemctl enable httpd.service
We should start the MariaDB service to continue the setup. We should make the service start on boot as well.
systemctl start mariadb.service
systemctl enable mariadb.service
As we haven't set up the root password yet, we can set up RADIUS first.
mysql -e "CREATE DATABASE radius"
mysql -uroot radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
mysql -uroot < /etc/raddb/mods-config/sql/main/mysql/setup.sql
mysql -e "FLUSH PRIVILEGES"
You will see the user "radius" appear in the database. It uses "radpass" as its default password, which is really insecure in a real-world situation. You can change this user's password from phpMyAdmin later.
Now we are going to secure MariaDB with this command.
mysql_secure_installation
It is best to say "Yes" to all the questions it asks.
Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Now, you may try to access it from phpMyAdmin if you want.
FreeRADIUS comes with "testing123" as the default secret. You can change it by editing the clients.conf file.
nano /etc/raddb/clients.conf
Change the secret in this part.
secret = testing123
Then you need to enable SQL for FreeRADIUS with this command.
ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/sql
You will need to configure the /etc/raddb/mods-enabled/sql file.
nano /etc/raddb/mods-enabled/sql
You can follow these settings, or change the values if you need to.
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "radpass"
radius_db = "radius"
read_groups = yes
read_clients = yes
If you want all FreeRADIUS features to work with SQL, you will need to uncomment every "sql" line in these 2 files.
/etc/raddb/sites-enabled/default
nano /etc/raddb/sites-enabled/default
This is an example of what you need to uncomment.
authorize {
sql
}
accounting {
sql
}
session {
sql
}
post-auth {
sql
Post-Auth-Type REJECT {
sql
}
}
/etc/raddb/sites-enabled/inner-tunnel
nano /etc/raddb/sites-enabled/inner-tunnel
This is an example of what you need to uncomment.
authorize {
sql
}
post-auth {
sql
Post-Auth-Type REJECT {
sql
}
}
Now we can start the service and make it start on boot.
systemctl start radiusd.service
systemctl enable radiusd.service
Make sure it starts after MariaDB has started.
nano /etc/systemd/system/multi-user.target.wants/radiusd.service
Add "After=mariadb.service" to the "[Unit]" section. The "[Unit]" section should then look like this.
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service
After=mariadb.service
You can now try querying the RADIUS server with this command.
radtest username password 127.0.0.1 1 testing123
It should return "Received Access-Reject" if all settings are correct.
First, we are going to edit the chilli.conf file.
nano /etc/chilli.conf
You can follow these settings, or change the values if you need to.
Replace "testing123" with your FreeRADIUS secret. Replace "ht2eb8ej6s4et3rg1ulp" with your ChilliSpot secret. Replace "eth1" with your WiFi access point interface.
net 192.168.182.0/24
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret testing123
dhcpif eth1
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamhomepage http://192.168.182.1:3990/prelogin
uamsecret ht2eb8ej6s4et3rg1ulp
uamlisten 192.168.182.1
Now we can start the service and make it start on boot.
systemctl start chilli.service
chkconfig chilli on
First, we will need to enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
We will use the example firewall.iptables file from ChilliSpot.
cp /usr/share/doc/chillispot-1.1.0/firewall.iptables /etc/
Then we will need to edit the firewall.iptables file.
nano /etc/firewall.iptables
Replace "eth0" with your Internet network interface. Replace "eth1" with your WiFi access point interface. Any other iptables rules should be added to this file as well.
EXTIF="eth0"
INTIF="eth1"
Now we need to run the iptables script and make it run on boot.
sh /etc/firewall.iptables
echo "sh /etc/firewall.iptables" | tee -a /etc/rc.local
chmod +x /etc/rc.d/rc.local
If you stopped the firewalld service earlier, start it again now.
systemctl start firewalld.service
We will use the example hotspotlogin.cgi file as the login page for now.
cp /usr/share/doc/chillispot-1.1.0/hotspotlogin.cgi /var/www/cgi-bin/
We will need to edit the hotspotlogin.cgi file.
nano /var/www/cgi-bin/hotspotlogin.cgi
Uncomment "$uamsecret" and "$userpassword". Replace "ht2eb8ej6s4et3rg1ulp" with your ChilliSpot secret.
$uamsecret = "ht2eb8ej6s4et3rg1ulp";
$userpassword = 1;
We can now try logging in to our hotspot (replace with your IP): http://192.168.182.1:3990/prelogin
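The steps above leave three sample credentials in place ("testing123", "radpass" and the example uamsecret) and rely on the same secrets appearing in FreeRADIUS, chilli.conf and hotspotlogin.cgi. The shell script below is an added example, not part of the original guide or of either project: it reads the four files edited above and reports default or mismatched secrets. The function names, the optional root-directory argument and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the secrets configured above.
# Helper names and the optional ROOT prefix (to audit a copy) are assumptions.

radius_value() {  # $1=file $2=key: first uncommented "key = value", quotes stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | head -n 1
}
chilli_value() {  # $1=file $2=key: first uncommented "key value" line
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
cgi_value() {     # $1=file $2=name: uncommented  $name = "value";  in the Perl CGI
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}
flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_secrets() {  # $1=ROOT (optional). Prints findings; returns 0 only if clean.
    root="${1:-}"; findings=0
    rad_secret=$(radius_value "$root/etc/raddb/clients.conf" secret)
    sql_pass=$(radius_value "$root/etc/raddb/mods-enabled/sql" password)
    chilli_rad=$(chilli_value "$root/etc/chilli.conf" radiussecret)
    chilli_uam=$(chilli_value "$root/etc/chilli.conf" uamsecret)
    cgi_uam=$(cgi_value "$root/var/www/cgi-bin/hotspotlogin.cgi" uamsecret)

    if [ "$rad_secret" = "testing123" ]; then flag "clients.conf uses the default secret"; fi
    if [ "$sql_pass" = "radpass" ]; then flag "mods-enabled/sql uses the default DB password"; fi
    if [ "$chilli_uam" = "ht2eb8ej6s4et3rg1ulp" ]; then flag "chilli.conf uses the sample uamsecret"; fi
    if [ "$chilli_rad" != "$rad_secret" ]; then flag "radiussecret does not match clients.conf"; fi
    if [ "$chilli_uam" != "$cgi_uam" ]; then flag "uamsecret differs from hotspotlogin.cgi"; fi
    [ "$findings" -eq 0 ]
}

# Constructed sample tree holding the values shown in this guide (for offline runs).
make_sample() {  # $1=directory to populate
    mkdir -p "$1/etc/raddb/mods-enabled" "$1/var/www/cgi-bin"
    printf 'client localhost {\n\tsecret = testing123\n}\n' > "$1/etc/raddb/clients.conf"
    printf 'sql {\n\tlogin = "radius"\n\tpassword = "radpass"\n}\n' > "$1/etc/raddb/mods-enabled/sql"
    printf 'radiussecret testing123\nuamsecret ht2eb8ej6s4et3rg1ulp\n' > "$1/etc/chilli.conf"
    printf '#$userpassword=1;\n$uamsecret = "ht2eb8ej6s4et3rg1ulp";\n' > "$1/var/www/cgi-bin/hotspotlogin.cgi"
}
```

On the server, source the file and run `audit_secrets` as root with no argument to check the live configuration; pass a directory to audit a copy of the files instead.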