In this article, I will explain how to configure a standalone captive portal on a Raspberry Pi. The Raspberry Pi will run OpenWrt and will use the following components to fulfill our needs:
- Coova-Chilli (the captive portal)
- Uhttpd (hosting the splash page and OpenWrt web management (LUCI))
- Freeradius (the authenticator)
Schema
The following schema shows the components involved. Notice that the management workstation is only used for configuration and can be removed once the configuration is completed.
Prerequisite
The prerequisite for this installation is to configure the Raspberry Pi as a routed Access Point as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/
Once this is done, you should have a Raspberry Pi running OpenWrt and configured as a routed Access Point. The SSID visible to the visitors will be "Guest", but you can rename it easily as you want.
WARNING: be aware that Chilli will create a tunnel (tun0) on the wlan0 interface of the Raspi.
Next, install the local splash page as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-coova-chilli-and-a-local-splash-page-on-a-raspberry-pi-running-openwrt/
Once this is done, people connecting to your hotspot will be presented with a splash page where they can log on. In this article, we will mainly focus on installing Freeradius on the Raspberry Pi in order to authenticate our users.
Install Freeradius
Coova-Chilli only supports the PAP authentication protocol when used with Freeradius. This could be a problem if we used an external radius server, because the password would be transmitted in clear over the network. In our particular case, however, this is not a problem, because we will use a local radius server and the passwords will not be sent over the network.
The following configuration is mainly based on the following article: https://tmikey.tech/tech_daily/2018/08/23/openwrt_freeradius3.html
Install packages
opkg install freeradius3 freeradius3-common
Install tunnels
opkg install freeradius3-mod-pap
Install modules
opkg install freeradius3-mod-preprocess freeradius3-mod-files freeradius3-mod-radutmp freeradius3-mod-attr-filter
Replace mini-wpad with wpad
opkg remove wpad-mini; opkg install wpad
Configure FreeRadius
Create a new site in directory /etc/freeradius3/sites-available
nano /etc/freeradius3/sites-available/lede
And insert the following code in it
server lede {
    listen {
        type = auth
        ipaddr = *
        port = 1812
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        type = auth
        ipv6addr = :: # any. ::1 == localhost
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    authorize {
        #preprocess
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
Create a new inner tunnel in directory /etc/freeradius3/sites-available
nano /etc/freeradius3/sites-available/lede-inner-tunnel
And insert the following code in it
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
Delete the default symlinks and create new ones in directory /etc/freeradius3/sites-enabled
rm /etc/freeradius3/sites-enabled/*
ln -s /etc/freeradius3/sites-available/lede /etc/freeradius3/sites-enabled/
ln -s /etc/freeradius3/sites-available/lede-inner-tunnel /etc/freeradius3/sites-enabled/
Define users
Add your visitor names and passwords by editing the following file
nano /etc/freeradius3/mods-config/files/authorize
Add your users as in the example below for "bob"
#
# The canonical testing user which is in most of the
# examples.
#
bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
Debug configurations
Now you can debug your server configuration in verbose mode
radiusd -X
Output should be something like
If you want to test your configuration from the management workstation, you should use something like NTRadPing (on Windows) or radtest (on Linux). Be sure to add your workstation IP address to the clients.conf file of freeradius by editing the following file:
nano /etc/freeradius3/clients.conf
And add something like this ("ipaddr" should be the IP address of your management workstation)
client management {
    ipaddr = 192.168.0.34
    secret = testing123
}
Below is a screenshot of NTRadPing
And the same test made with radtest
On the raspberry pi console, you should see something like:
If everything looks fine, exit with Ctrl-C and enable radiusd so that it starts again after a reboot
/etc/init.d/radiusd enable
And start the service
/etc/init.d/radiusd start
Configure coova-chilli
Modify the chilli configuration
nano /etc/config/chilli
Modify the radius parameters to access the local radius server
#
config chilli
        option interval 3600
        ######## TUN and DHCP Parameters ########
        ######## Radius parameters ########
        option radiusserver1 '127.0.0.1'
        ######## Universal access method (UAM) parameters ########
        option uamlisten 192.168.182.1
Restart chilli
/etc/init.d/chilli restart
You should now be able to log on to your captive portal with bob/hello
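The argument that PAP is acceptable here relies on RADIUS traffic staying on the Pi, so it is worth checking the finished configuration against that assumption. The script below is an added example, not part of the original article: it flags wildcard listeners in the site file, clients still using the "testing123" secret, and a "radiusserver1" that is not the loopback address. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the files edited in this guide for
# settings that break the "RADIUS traffic stays on the Pi" assumption.

# Drop comments and blank lines so commented-out settings are ignored.
active_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Wildcard listeners (ipaddr = * / ipv6addr = ::) in a FreeRADIUS site file.
wildcard_listeners() {
    active_lines "$1" |
        grep -E '^[[:space:]]*ip(v6)?addr[[:space:]]*=[[:space:]]*(\*|::)[[:space:]]*$'
}

# Names of clients.conf entries still using the test secret "testing123".
default_secret_clients() {
    active_lines "$1" | tr -d '"' | awk '
        $1 == "client" { name = $2 }
        /^[ \t]*secret[ \t]*=[ \t]*testing123[ \t]*$/ { print name }'
}

# radiusserver1 value from the Chilli UCI file when it is not loopback.
nonlocal_radius() {
    active_lines "$1" | tr -d "'\"" | awk '
        $1 == "option" && $2 == "radiusserver1" && $3 != "127.0.0.1" { print $3 }'
}

# Print one line per finding; return 1 if anything was found.
audit() {  # usage: audit SITE_FILE CLIENTS_CONF CHILLI_CONF
    findings=$(
        wildcard_listeners "$1" | sed 's/^[[:space:]]*/WILDCARD-LISTEN: /'
        default_secret_clients "$2" | sed 's/^/DEFAULT-SECRET: client /'
        nonlocal_radius "$3" | sed 's/^/REMOTE-RADIUS: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input mirroring the article's snippets (runs offline).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'server lede {\nlisten {\ntype = auth\nipaddr = *\nport = 1812\n}\n}\n' > "$tmp/lede"
printf 'client management {\nipaddr = 192.168.0.34\nsecret = testing123\n}\n' > "$tmp/clients.conf"
printf "config chilli\n\toption radiusserver1 '127.0.0.1'\n" > "$tmp/chilli"

audit "$tmp/lede" "$tmp/clients.conf" "$tmp/chilli" || echo "review the findings above"
```

On the Pi, run it as: audit /etc/freeradius3/sites-enabled/lede /etc/freeradius3/clients.conf /etc/config/chilli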