Configure a Raspberry Pi running OpenWrt and Coova Chilli to authenticate visitors to an internal Freeradius Server

In this article, I will explain how to configure a standalone captive portal on a Raspberry Pi. The Raspberry Pi will run OpenWrt and will use following components to fulfill our needs:

  • Coova-Chilli (the captive portal)
  • Uhttpd (hosting the splash page and OpenWrt web management (LUCI))
  • Freeradius (the authenticator)

Schema

The following schema shows the actors in presence. Notice that the management workstation is just used for configuration and can be removed once the configuration is completed.

Prerequisite

The prerequisite for this installation is to configure the Rapberry Pi as a routed Access Point as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/

Once this is done, you should have a Raspberry Pi running OpenWrt and configured as a routed Access Point. The SSID visible to the visitors will be "Guest", but you can rename it easily as you want.

WARNING : be aware that Chilli will create a tunnel (tun0) on the wlan0 interface of the Raspi.

Next, install the local splash page as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/how-to-build-a-captive-portal-with-coova-chilli-and-a-local-splash-page-on-a-raspberry-pi-running-openwrt/

Once this is done, the people connecting to your hostspot will be presented a splash page where they can log on. In this article, we will mainly focus on installing Freeradius on the Raspberry Pi in order to authenticate our users

Install Freeradius

Coova-Chilli only supports PAP encryption protocol when used with Freeradius. This could be a problem if we used an external radius server, the password being transmitted in clear over the network. In our particular case, however, this is not a problem, because we will use a local radius server and the passwords will not be sent over the network.

The following configuration is mainly based on the following article: https://tmikey.tech/tech_daily/2018/08/23/openwrt_freeradius3.html

Install packages

opkg install freeradius3 freeradius3-common

Install tunnels

opkg install freeradius3-mod-pap

Install modules

opkg install freeradius3-mod-preprocess freeradius3-mod-files freeradius3-mod-radutmp freeradius3-mod-attr-filter

Replace mini-wpad with wpad

opkg remove wpad-mini; opkg install wpad

Configure FreeRadius

Create a new site in directory /etc/freeradius3/sites-available

nano /etc/freeradius3/sites-available/lede

And insert following code in it

server lede {
    listen {
        type = auth
        ipaddr = *
        port = 1812
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        type = auth
        ipv6addr = ::    # any. ::1 == localhost
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    authorize {
        #preprocess
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
        pap
    }
    }
}

Create a new inner tunnel in directory /etc/freeradius3/sites-available

nano /etc/freeradius3/sites-available/lede-inner-tunnel

And insert following code in it

server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

Delete the default symlinks and create new ones in directory /etc/freeradius3/sites-enabled

rm /etc/freeradius3/sites-enabled/*

ln -s /etc/freeradius3/sites-available/lede /etc/freeradius3/sites-enabled/

ln -s /etc/freeradius3/sites-available/lede-inner-tunnel /etc/freeradius3/sites-enabled/

Define users

Add your visitor name/passwords by editing following file

nano /etc/freeradius3/mods-config/files/authorize

Add your users as the example bellow for "bob"

#
# The canonical testing user which is in most of the
# examples.
#
bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"

Debug configurations

Now you can debug your server configuration in verbose mode

radiusd -X

Output should be something like

If you want to test your configuration from the management workstation, you should use something like NTRadPing (on windows) or radtest (on Linux). Be sure to introduce your workstation IP address in the clients.conf file of freeradius by editing following file:

nano /etc/freeradius3/clients.conf

And add something like ("ipaddr" should be the Ip address of your management workstation)

client management {
    ipaddr = 192.168.0.34
    secret = testing123
}

Below is a printscreen of NTRadPing

And the same test made with radtest

On the raspberry pi console, you should see something like:

If it's okay, exit with ctrl-c and enable radiusd to survive reboot

/etc/init.d/radiusd enable

And start the service

/etc/init.d/radiusd start

Configure coova-chilli

Modify the chilli configuration

nano /etc/config/chilli

Modify the radius parameters to access the local radius server

 

#
# Sample Coova-Chilli configuration file modified by gremaudpi
#

config chilli

option interval 3600
option swapoctets 1        

######## TUN and DHCP Parameters ########
    
option tundev 'tun0'
option dhcpif 'wlan0'
option net 192.168.182.0/24
option lease 600
option dns1 8.8.8.8
option dns2 8.8.4.4
option ipup '/etc/chilli/up.sh'
option ipdown '/etc/chilli/down.sh'

######## Radius parameters ########

option radiusserver1 '127.0.0.1'
option radiusserver2 ''
option radiusauthport 1812
option radiusacctport 1813
option radiussecret 'testing123'
option radiusnasid 'ap001'
option ssid 'ACME-company'

######## Universal access method (UAM) parameters ########

option uamlisten 192.168.182.1
option uamserver 'http://192.168.0.30/hotspotlogin/hotspotlogin.php'
option uamsecret 'greatsecret'
option uamallowed ''
option uamdomain ''
option uamanydns 1
option uamaliasname 'login'
option nouamsuccess 1

Restart chilli

/etc/init.d/chilli restart

You should now be able to log on to your captive portal with bob/hello

 

Leave a Reply

Close Menu