This post will show you how to configure a Raspberry Pi as an Access Point, using Radiusdesk to authenticate the users before allowing them to connect to internet.

Scenario

Before starting with the configuration process, we will establish following scenario.

We are working for a company named ACME. This company has been invited to participate to a public exposition and wants to provide a hotspot to its visitors. When the visitors will connect with their smartphones or tablets to the company's WiFi Hotspot, a login page will be automatically presented to them. By clicking on a button, they will be redirected to the home page of the company and have access to the internet for one hour with a maximum bandwidth of 1Mb/s.

Material

The following lists the material needed :

• A raspberry pi (running OpenWrt)
• A management workstation (running VMware Workstation Pro)
  • A virtual machine (running RadiusDesk) on the management workstation
• A xDSL router connecting to the internet

The following schema will give you a better understanding of the actors in presence

Schema

Radiusdesk Installation

The installation of Radiusdesk is pretty easy because we will use the virtual appliance available on this link: https://sourceforge.net/projects/radiusdesk/files/VM-Images/

Download and open the provided .ova file into your favorite virtualization application (I use VMware Workstation PRO). Be aware to configure the network adapters as "Bridged" in order for the Radiusdesk server to be directly accessible on the LAN subnet.

Logon to the console with system/admin

Keyboard configuration

Configure the keyboard to match your locale

dpkg-reconfigure keyboard-configuration

Network configuration

Set a fixed IP address for the Radiusdesk server by editing following file

sudo nano /etc/network/interfaces

And insert the following content

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.31
netmask 255.255.255.0
gateway 192.168.0.254
dns-nameservers 192.168.0.254

Prevent the local coova-chilli service to run

As we won't use the coova-chilli service on the Radiusdesk server, so it's better to disable it.

service chilli stop
systemctl disable chilli

Reboot the virtual machine

You should now be able to access the web interface from the management station by typing following url in a browser : http://192.168.0.31/rd

Login with root/admin

Radiusdesk configuration

To implement our scenario, we will only use a very small part of Radiusdesk. Typically, we won't use Meshdesk at all.

Create a Realm

Start by creating a Real for our organization.

In the Radiusdesk web interface, navigate to Admin – Realms (groups) and click on the "Plus" button to add following realm

• Owner: root
• Name: ACME-company
• Make available to sub-proviers: unchecked
• Suffix: ACME-company
• Add suffix when creating Permanent Users: checked
• Ad suffix when creating Vouchers: checked
• Add suffix when creating BYOD: checked

Validate by clicking "Save" button.

Create a profile

This profile will allow us to limit our visitors to one hour of internet connection with a 1Mb/s bandwidth (see scenario above)

In the Radiusdesk web interface, navigate to Profiles – Profiles and click on the "Plus" sign to add following profile

• Owner: Logged in user
• Name: 1 Hour-BW-1Mbs click to connect

Validate by clicking "Next" button.

Then, edit your freshly created profile by clicking the "Pen" button and adding following component

• Profile component: BW-1Mbps
• Priority: 5

This will restrict our visitors to 1Mb/s bandwidth. Validate with "Ok" button

Add following component using the same method

• Profile component: 1HOUR per MAC daily
• Priority: 3

The new profile is now created

Create a user

Now, we need to create a user and to assign the newly created profile to it.

In the Radiusdesk web interface, navigate to Users – Permanent Users and click on the "Plus" sign and add following User

• Owner: Logged in user
• Username: click_to_connect
• Password: click_to_connect
• Realm: ACME-company
• Profile: 1 HOUR-BW-1Mbs click to connect
• Cap type for time: Hard

Leave the other fields empty for now. Validate by clicking "Next" button.

The new user is now created

Create a NAS device

This device is actually the Raspberry Pi Access Point that we will configure later on

In the Radiusdesk web interface, navigate to Radius – NAS devices and click on the "Plus" sign to add following device

• Owner: Logged in user
• Fixed Ip: Selected
• Owner: Logged in user

Validate with "Next" button

• IP address: 192.168.0.30
• Name: ap001
• Secret: testing123

Select lower tab "Realms" and assign this NAS device to our organization's Realm

Validate with "Next" button

The NAS device is now created

Select the newly created NAS device and edit it by clicking on the "Pen" button.

Then select the lower "Optional info" tab to add following parameters

• NAS identifier: ap001
• Type: coovaChili
• Description: Radius client

Validate with the "Save" button

Then select the lower "Monitoring settings" tab to add following parameters

• Monitor method: ping
• Ping interval: 300

Validate with the "Save" button

Then select the lower "Monitoring settings" tab to add following parameters

• Record authentication requests: checked
• Auto close stale sessions: checked
• Auto close activation time: 600

Validate with the « Save" button

Create a login page

We will now create a dynamic login page for our visitors

In the Radiusdesk web interface, navigate to Other – Dynamic Login Pages and click on the "Plus" sign to add following dynamic page

• Owner: Logged in user
• Name: ACME Login Page

Validate with "Ok" button

The dynamic login page is now created

Select the newly created login page and edit it with the "Pen" button.

Go to "Photo" tab and click the "Plus" button to add an image

• Title: Welcome to ACME Hotspot
• Description: Click on the button below to get one-hour free internet access
• Photo: <path to an image on the management workstation>
• Active: checked

Validate with "Save" button

Now we need to assign the newly created login page to our Raspberry Pi Access Point. This is the tricky part ! We will add the field "nasid" from our NAS device as a dynamic key pair to link it to our dynamic login page.

Select the "Dynamic keys" tab and click the "Plus" button to following key

• Name: nasid
• Value: ap001
• Priority: 1

Validate with the "Save" button

Then, navigate to the "Click to connect" tab to finish the configuration

• Enable: checked
• Connect as: click_to_connect
• Delay before connecting (seconds): 0
• Only click to Connect: checked

Validate with "Save" button. Our Dynamic Login Page is now ready to accept requests.

The Radiusdesk part is done, lets proceed with the configuration of the Raspberry Pi.

Raspberry Pi installation

The prerequisite for this installation is to configure the Rapberry Pi as a routed Access Point as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/

Once this is done, you should have a Raspberry Pi running OpenWrt and configured as a routed accesspoint. The SSID visible to the visitors will be "Guest", but you can rename it easily as you want.

The rest of the configuration is mainly based on https://openwrt.org/docs/guide-user/services/captive-portal/wireless.hotspot.coova-chilli

Install coova-chilli

Log on to the raspberry using root/<no password> and install coova-chilli.

opkg update
opkg install coova-chilli
opkg install nano

Stop and disable chilli to avoid lock down

/etc/init.d/chilli stop
/etc/init.d/chilli disable

Configure coova-chilli

Save original config file and recreate one

mv /etc/config/chilli /etc/config/chilli-orig
nano /etc/config/chilli

Paste the following content (the yellow lines are the most relevant for our needs)

#
# Sample Coova-Chilli configuration file modified by gremaudpi
#
config chilli
option interval 3600
option swapoctets 1        
######## TUN and DHCP Parameters ########
option tundev 'tun0'
option dhcpif 'wlan0'
option net 192.168.182.0/24
option lease 600
option dns1 8.8.8.8
option dns2 8.8.4.4
option ipup '/etc/chilli/up.sh'
option ipdown '/etc/chilli/down.sh'
######## Radius parameters ########
option radiusserver1 '192.168.0.31'
option radiusserver2 ''
option radiusauthport 1812
option radiussecret 'testing123'
option radiusnasid 'ap001'

option ssid 'ACME-company'
######## Universal access method (UAM) parameters ########
option uamlisten 192.168.182.1
option uamserver 'http://192.168.0.31/cake3/rd_cake/dynamic-details/chilli-browser-detect/'
option uamsecret 'greatsecret'
option uamallowed ''
option uamdomain ''
option uamanydns 1
option uamaliasname 'login'
option nouamsuccess 1

Start chilli

/etc/init.d/chilli start

Verify that chilli loaded our configuration by looking at following file

cat /var/run/chilli*.conf

Test the solution

Verify that our complete solution works by connecting to the hotspot with a WiFi enabled device

You should see our Login Page

By clicking on the "Connectez vous" button, you should see the following screen

By clicking on the "Accès gratuit" button, you should see the following screen

Notice that the name of the connected user is "click_to_connect@ap001"

By clicking to "Accéder à internet" the user is redirected to google

If it works fine, it's time to re-enable coova-chilli on the Raspberry so that it survives reboot.

/etc/init.d/chilli enable

Redirecting users to our homepage

If you want to redirect the user to your homepage, you can go do the following:

In the Radiusdesk web interface, navigate to Other – Dynamic Login Pages and click on the "Pen" sign to modify our Dynamic Login Page. Then, navigate to the upper tab "Setting" and lower tab "Redirect". Change the following parameters:

• Redirect after connect: checked
• Redirect URL: <your home page>
• Show usage: Unchecked

Validate with "Save" button.

Final check

On Radiusdesk, you can now see statistics about your visitors' traffic

And there are plenty of other interesting things to play with …

That's all folks…