Captive Portal with CoovaChilli
A captive portal provides a checkpoint for users: the browser is hijacked and redirected to a page that requires the user to provide either credentials or other information before normal traffic is allowed to pass. Ideally this runs on a standalone server so that it does not disrupt other services such as content filtering or other web authentication parameters.
Developers
If you want to contribute to this howto, please contact Dave Loper (dloper).
Preparation
You will need a working RADIUS server, installed via Marketplace, to get this going.
You will need to set up localhost as an authorized client of the RADIUS server.
Create a user called coovachilli with mail only and make a group called chilli.
Set up DHCP for the network.
Configure CoovaChilli
/etc/chilli/defaults
Set the following values:
HS_LANIF, change this value if it is wrong (e.g. HS_LANIF=eth2).
HS_NETWORK, set this to the network address of your network (e.g. HS_NETWORK=192.168.1.0).
HS_NETMASK, change this value if it is wrong (e.g. HS_NETMASK=255.255.255.128).
HS_UAMLISTEN, set this to the IP of your server (e.g. HS_UAMLISTEN=192.168.1.1).
HS_DNS1 and HS_DNS2, set these to the IP address of your local DNS server, in this case your server (e.g. HS_DNS1=192.168.1.1 and HS_DNS2=192.168.1.1).
HS_RADSECRET, set this to the secret password that you placed in the RADIUS configuration for the localhost entry in Webconfig (e.g. HS_RADSECRET=mysecretpassword).
HS_RAD_PROTO, set this to mschapv2 so the program knows to use the NT-Password infrastructure of LDAP described in the PAP section of the FreeRADIUS 2 Howto. This variable does NOT exist in the file by default, so you must add it yourself (HS_RAD_PROTO=mschapv2).
HS_UAMDOMAINS, set this to all the domains that you want in your 'walled garden'. These sites will work even if users don't authenticate via your captive portal:
HS_UAMDOMAINS=".clearcenter.com,.clearfoundation.com"
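A sanity check for the values set above, added here as an example (it is not part of CoovaChilli or of the original howto): it confirms that HS_UAMLISTEN sits inside HS_NETWORK/HS_NETMASK, that HS_RADSECRET is not a sample value, that HS_RAD_PROTO was added, and that no walled-garden entry covers a whole top-level domain. The function names and the exit-status convention are assumptions of this example; testing123 is the sample client secret shipped with FreeRADIUS.

```shell
#!/bin/sh
# Added example, not part of CoovaChilli: sanity-check /etc/chilli/defaults.
# Assumes plain shell KEY=value syntax, as the values in this howto are written.
ip2int() (  # dotted-quad IPv4 -> integer
    IFS=.; set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

check_chilli_defaults() (  # subshell body; exit status = number of problems found
    set -f                 # no globbing while splitting values
    [ -r "$1" ] || exit 99
    . "$1"                 # sourcing runs the file as shell: only check files you trust
    problems=0
    warn() { echo "WARN: $1" >&2; problems=$((problems + 1)); }

    [ -n "$HS_LANIF" ] || warn "HS_LANIF is not set"
    if [ -z "$HS_NETWORK" ] || [ -z "$HS_NETMASK" ] || [ -z "$HS_UAMLISTEN" ]; then
        warn "HS_NETWORK, HS_NETMASK and HS_UAMLISTEN must all be set"
    else
        net=$(ip2int "$HS_NETWORK"); mask=$(ip2int "$HS_NETMASK")
        uam=$(ip2int "$HS_UAMLISTEN")
        [ $((net & mask)) -eq "$net" ] || warn "HS_NETWORK has host bits set for HS_NETMASK"
        [ $((uam & mask)) -eq "$net" ] || warn "HS_UAMLISTEN is outside HS_NETWORK/HS_NETMASK"
    fi
    [ -n "$HS_DNS1" ] && [ -n "$HS_DNS2" ] || warn "HS_DNS1 and HS_DNS2 must both be set"
    case "$HS_RADSECRET" in
        ""|mysecretpassword|testing123) warn "HS_RADSECRET is empty or a sample value" ;;
    esac
    [ "$HS_RAD_PROTO" = mschapv2 ] || warn "HS_RAD_PROTO=mschapv2 is missing"
    # Walled-garden entries pass traffic before login; flag any that cover a whole TLD.
    IFS=,
    for d in $HS_UAMDOMAINS; do
        case "${d#.}" in
            *.*) ;;                                   # at least two labels
            *) warn "walled-garden entry '$d' is too broad" ;;
        esac
    done
    exit "$problems"
)

# Demo on a constructed file: listener outside the /25, placeholder secret,
# HS_RAD_PROTO never added, and a walled garden that opens all of .com.
demo=$(mktemp)
printf '%s\n' HS_LANIF=eth2 HS_NETWORK=192.168.1.0 HS_NETMASK=255.255.255.128 \
    HS_UAMLISTEN=192.168.1.200 HS_DNS1=192.168.1.1 HS_DNS2=192.168.1.1 \
    HS_RADSECRET=mysecretpassword HS_UAMDOMAINS=.com,.clearcenter.com > "$demo"
check_chilli_defaults "$demo" || echo "problems found: $?"
rm -f "$demo"
```

Run it against the real file with check_chilli_defaults /etc/chilli/defaults before starting the service; an exit status of 0 means none of these checks fired.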
Start CoovaChilli
Start the CoovaChilli service:
service chilli start
Testing it all
Stop the radiusd service and, in a dedicated shell, start it in debugging mode:
radiusd -X -xxx
Open a browser and try to connect to a site LISTED in your walled garden (e.g. www.clearfoundation.com). Then try to connect to a site NOT listed in your walled garden. You should be prompted for a username and password. Supply a user that is authorized to use the RADIUS server.