ChilliSpot Installation

From TuntunkunMediaWiki


What is ChilliSpot

ChilliSpot is a controller for wireless LAN access points. It is used to authenticate wireless LAN users: it supports web-based login, the de facto standard for public hotspots and for WISP "smart client" authentication, as well as Wi-Fi Protected Access (WPA and WPA2). Authentication, authorization and accounting (the AAA protocol) are handled over RADIUS (on the same box or remote).

Installing the RADIUS server

Because the authentication part of ChilliSpot depends on a RADIUS server, we first build a RADIUS server.

Installing FreeRADIUS

yum install -y freeradius freeradius-mysql freeradius-utils


Configure a local user and run a test

Edit the users configuration file

vi /etc/raddb/users

// Append to the end of the file
testuser Cleartext-Password := "testpassword"

Start the RADIUS server

chkconfig radiusd on
/etc/init.d/radiusd restart

Run an authentication test against the RADIUS server

radtest testuser testpassword localhost 1812 testing123

If the following output appears, the test succeeded

Sending Access-Request of id 86 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpassword"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20
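To make clear what `radtest` is actually sending and why the shared secret (testing123 in clients.conf) matters, here is an added example that builds and checks a minimal RADIUS/PAP exchange entirely offline. It is not code from the original page or from FreeRADIUS: the packet layout, User-Password hiding and Response Authenticator follow RFC 2865, USERS is a constructed stand-in for the /etc/raddb/users entry, and server_respond() is a constructed stand-in for radiusd.

```python
"""
Added example, not from the original page: a minimal RADIUS/PAP exchange built
and verified offline.  Packet layout, User-Password hiding and the Response
Authenticator follow RFC 2865.  USERS stands in for /etc/raddb/users and
server_respond() stands in for radiusd; both are constructed for this example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5

# Constructed user database: the same entry this page adds to /etc/raddb/users.
USERS = {"testuser": "testpassword"}


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password; the server strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident, secret, username, password, authenticator=None):
    """Client side: the packet radtest sends (NAS-IP-Address/NAS-Port as in the output above)."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode())),
        (ATTR_NAS_IP, bytes([127, 0, 0, 1])),
        (ATTR_NAS_PORT, struct.pack("!I", 1812)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_respond(request, secret):
    """Server side (constructed stand-in for radiusd): unhide the password with
    the server's own secret, compare with the users file and answer.  With a
    wrong client secret the unhidden password is garbage, so the answer is Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = unhide_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
    ok = username in USERS and USERS[username].encode() == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Client side: radtest only trusts a reply whose Response Authenticator
    matches, so a secret mismatch shows up here rather than as a clean Reject."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        return "invalid Response Authenticator (shared secret mismatch or forged reply)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "other")


def radtest(username, password, client_secret, server_secret=b"testing123"):
    """One exchange, the way `radtest <user> <pass> localhost 1812 <secret>` does it."""
    request = build_access_request(86, client_secret, username, password)
    return verify_response(server_respond(request, server_secret), request, client_secret)


if __name__ == "__main__":
    print(radtest("testuser", "testpassword", b"testing123"))  # Access-Accept
    print(radtest("testuser", "wrong", b"testing123"))         # Access-Reject
    print(radtest("testuser", "testpassword", b"badsecret"))   # invalid Response Authenticator ...
```

The third call is the case worth remembering when a `radtest` run hangs or complains about the reply: a NAS with the wrong secret is not told "wrong secret", it gets an Access-Reject it cannot even validate, because the server decrypted a garbage password and signed the reply with its own secret. The User-Password hiding is also only an MD5 keystream keyed by the shared secret, which is why the secret in clients.conf should be long and random rather than the sample testing123 once real clients are involved.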

Revert the change

vim /etc/raddb/users

# Comment out the test user
#username                       password
#testuser Cleartext-Password := "testpassword"

Installing MySQL

// Install
yum -y install mysql mysql-server
// Start the MySQL server
/etc/rc.d/init.d/mysqld start

Edit the clients file

vi /etc/raddb/clients.conf

client 0.0.0.0 {
        ipaddr = 127.0.0.1
        secret = testing123
        shortname = localhost
}

Database settings

cd /etc/raddb/sql/mysql/

vi /etc/raddb/sql/mysql/admin.sql

CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');
GRANT ALL ON radius.* TO 'radius'@'localhost';

Create the database

mysql -u root
create database radius;
exit

Create the tables

mysql -u root radius < /etc/raddb/sql/mysql/admin.sql
mysql -u root radius < /etc/raddb/sql/mysql/schema.sql
mysql -u root radius < /etc/raddb/sql/mysql/nas.sql
mysql -u root radius < /etc/raddb/sql/mysql/ippool.sql

Edit the configuration files to use SQL authentication

vi /etc/raddb/radiusd.conf

$INCLUDE sql.conf

vi /etc/raddb/sites-enabled/default

authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	sql
	pap
}
accounting {
	detail
	sql
} 
session {
	radutmp
	sql
}

If you changed the password used for the MySQL connection, update the configuration file to match

vim /etc/raddb/sql.conf

sql {
        #
        #  Set the database to one of:
        #
        #       mysql, mssql, oracle, postgresql
        #
        database = "mysql"

        #
        #  Which FreeRADIUS driver to use.
        #
        driver = "rlm_sql_${database}"

        # Connection info:
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "radpass"

        # ... remaining settings unchanged
}

Insert test data

mysql -u root
use radius;
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('user1', 'Password','password1');
exit

Restart the RADIUS server

/etc/rc.d/init.d/radiusd restart

Run the test

radtest user1 password1 localhost 1812 testing123

If the following output appears, the test succeeded

Sending Access-Request of id 129 to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "password1"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20

Configure automatic startup

chkconfig mysqld on
chkconfig radiusd on

Downloading and installing ChilliSpot

ChilliSpot can be downloaded from http://www.chillispot.info

// Resolve dependencies
yum -y install glibc
yum -y install perl-Digest-MD5
 
wget http://www.chillispot.info/download/chillispot-1.1.0.i386.rpm
rpm -ivh chillispot-1.1.0.i386.rpm

ChilliSpot configuration

The machine being configured has two NICs: em1 obtains its IP address via DHCP, and p37p1 is the interface on which ChilliSpot performs authentication, granting Internet access once a user has authenticated.

vim /etc/chilli.conf

##############################################################################
#
# Sample ChilliSpot configuration file
#
##############################################################################

# TAG: fg
# Include this flag if process is to run in the foreground
#fg

# TAG: debug
# Include this flag to include debug information.
#debug

# TAG: interval
# Re-read configuration file at this interval. Will also cause new domain
# name lookups to be performed. Value is given in seconds.
#interval 3600

# TAG: pidfile
# File to store information about the process id of the program.
# The program must have write access to this file/directory.
#pidfile /var/run/chilli.pid

# TAG: statedir
# Directory to use for nonvolatile storage.
# The program must have write access to this directory.
# This tag is currently ignored
#statedir ./


# TUN parameters

# TAG: net
# IP network address of external packet data network
# Used to allocate dynamic IP addresses and set up routing.
# Normally you do not need to uncomment this tag.
net 192.168.182.0/24

# TAG: dynip
# Dynamic IP address pool
# Used to allocate dynamic IP addresses to clients.
# If not set it defaults to the net tag.
# Do not uncomment this tag unless you are an experienced user!
#dynip 192.168.182.0/24

# TAG: statip
# Static IP address pool
# Used to allocate static IP addresses to clients.
# Do not uncomment this tag unless you are an experienced user!
#statip 192.168.182.0/24


# TAG: dns1
# Primary DNS server.
# Will be suggested to the client. 
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
dns1 8.8.8.8

# TAG: dns2
# Secondary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
#dns2 172.16.0.6

# TAG: domain
# Domain name
# Will be suggested to the client.
# Normally you do not need to uncomment this tag.
#domain key.chillispot.org

# TAG: ipup
# Script executed after network interface has been brought up.
# Executed with the following parameters: <devicename> <ip address>
# <mask>
# Normally you do not need to uncomment this tag.
#ipup /etc/chilli.ipup

# TAG: ipdown
# Script executed after network interface has been taken down.
# Executed with the following parameters: <devicename> <ip address>
# <mask>
# Normally you do not need to uncomment this tag.
#ipdown /etc/chilli.ipdown

# TAG: conup
# Script executed after a user has been authenticated.
# Executed with the following parameters: <devicename> <ip address>
# <mask> <user ip address> <user mac address> <filter ID>
# Normally you do not need to uncomment this tag.
#conup /etc/chilli.conup

# TAG: condown
# Script executed after a user has disconnected.
# Executed with the following parameters: <devicename> <ip address>
# <mask> <user ip address> <user mac address> <filter ID>
# Normally you do not need to uncomment this tag.
#condown /etc/chilli.condown


# Radius parameters

# TAG: radiuslisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
radiuslisten 127.0.0.1

# TAG: radiusserver1
# IP address of radius server 1
# For most installations you need to modify this tag.
radiusserver1 127.0.0.1

# TAG: radiusserver2
# IP address of radius server 2
# If you have only one radius server you should set radiusserver2 to the
# same value as radiusserver1.
# For most installations you need to modify this tag.
#radiusserver2 rad02.chillispot.org

# TAG: radiusauthport
# Radius authentication port
# The UDP port number to use for radius authentication requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
radiusauthport 1812

# TAG: radiusacctport
# Radius accounting port
# The UDP port number to use for radius accounting requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
radiusacctport 1813

# TAG: radiussecret
# Radius shared secret for both servers
# For all installations you should modify this tag.
radiussecret radiustune

# TAG: radiusnasid
# Radius NAS-Identifier
# Normally you do not need to uncomment this tag.
#radiusnasid nas01

# TAG: radiusnasip
# Radius NAS-IP-Address
# Normally you do not need to uncomment this tag.
#radiusnasip 127.0.0.1

# TAG: radiuscalled
# Radius Called-Station-ID
# Normally you do not need to uncomment this tag.
#radiuscalled 00133300

# TAG: radiuslocationid
# WISPr Location ID. Should be in the format: isocc=<ISO_Country_Code>,
# cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>
# Normally you do not need to uncomment this tag.
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport

# TAG: radiuslocationname
# WISPr Location Name. Should be in the format: 
# <HOTSPOT_OPERATOR_NAME>,<LOCATION>
# Normally you do not need to uncomment this tag.
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport


# Radius proxy parameters

# TAG: proxylisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
#proxylisten 10.0.0.1

# TAG: proxyport
# UDP port to listen to. 
# If not specified a port will be selected by the system
# Normally you do not need to uncomment this tag.
#proxyport 1645

# TAG: proxyclient
# Client(s) from which we accept radius requests
# Normally you do not need to uncomment this tag.
#proxyclient 10.0.0.1/24

# TAG: proxysecret
# Radius proxy shared secret for all clients
# If not specified defaults to radiussecret
# Normally you do not need to uncomment this tag.
#proxysecret testing123


# Remote configuration management

# TAG: confusername
# If confusername is specified together with confpassword chillispot
# will at regular intervals specified by the interval option query the
# radius server for configuration information.
# Normally you do not need to uncomment this tag.
#confusername conf

# TAG: confpassword
# If confusername is specified together with confpassword chillispot
# will at regular intervals specified by the interval option query the
# radius server for configuration information.
# Normally you do not need to uncomment this tag.
#confpassword secret


# DHCP Parameters

# TAG: dhcpif
# Ethernet interface to listen to.
# This is the network interface which is connected to the access points.
# In a typical configuration this tag should be set to eth1.
dhcpif p37p1

# TAG: dhcpmac
# Use specified MAC address.
# An address in the range  00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls
# within the IANA range of addresses and is not allocated for other
# purposes.
# Normally you do not need to uncomment this tag.
#dhcpmac 00:00:5E:00:02:00

# TAG: lease
# Time before DHCP lease expires
# Normally you do not need to uncomment this tag.
#lease 600


# Universal access method (UAM) parameters

# TAG: uamserver
# URL of web server handling authentication.
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi

# TAG: uamhomepage
# URL of welcome homepage.
# Unauthenticated users will be redirected to this URL. If not specified
# users will be redirected to the uamserver instead.
# Normally you do not need to uncomment this tag.
uamhomepage http://192.168.182.1:3990/prelogin

# TAG: uamsecret
# Shared between chilli and authentication web server
uamsecret tuntunkun

# TAG: uamlisten
# IP address to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
uamlisten 192.168.182.1

# TAG: uamport
# TCP port to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
uamport 3990

# TAG: uamallowed
# Comma separated list of domain names, IP addresses or network segments
# the client can access without first authenticating.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#
# Domains and IP addresses reachable without logging in
uamallowed 127.0.0.1

# TAG: uamanydns
# If this flag is given unauthenticated users are allowed to use
# any DNS server.
# Normally you do not need to uncomment this tag.
#uamanydns


# MAC authentication

# TAG: macauth
# If this flag is given users will be authenticated only on their MAC
# address.
# Normally you do not need to uncomment this tag.
#macauth

# TAG: macallowed
# List of MAC addresses.
# The MAC addresses specified in this list will be authenticated only on
# their MAC address.
# This tag is ignored if the macauth tag is given.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9

# TAG: macpasswd
# Password to use for MAC authentication.
# Normally you do not need to uncomment this tag.
#macpasswd password

# TAG: macsuffix
# Suffix to add to MAC address in order to form the username.
# Normally you do not need to uncomment this tag.
#macsuffix suffix

Starting ChilliSpot

/etc/rc.d/init.d/chilli restart

Installing and configuring Apache

yum -y install httpd mod_ssl
/etc/rc.d/init.d/httpd start

Installing the CGI

cp /usr/share/doc/chillispot-1.1.0/hotspotlogin.cgi /var/www/cgi-bin/

The uamsecret variable, which is commented out inside the script, must be set to the same value as uamsecret in /etc/chilli.conf.
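Why the two uamsecret values must match is easier to see with a model of the exchange, so here is an added example that is not code from the original page or from ChilliSpot. It models how hotspotlogin.cgi hides the PAP password before redirecting the browser to chilli's /logon URL and how chilli recovers it. The scheme (the per-session challenge hashed with uamsecret via MD5, then XORed into a 16-byte password field) is my recollection of the ChilliSpot sources and should be treated as an assumption; the page does not describe it. All sample values are constructed.

```python
"""
Added example, not from the original page: a model of the UAM password
hiding between hotspotlogin.cgi and chilli.  The scheme is an assumption
(recollection of ChilliSpot's code), not something this page states.
"""
import hashlib
import os

PW_LEN = 16  # assumption: the PAP field is one MD5 block, so longer passwords are cut


def derive_mask(challenge, uamsecret):
    """Without uamsecret the mask is the raw challenge, which travels in the
    redirect URL; with uamsecret the mask is MD5(challenge || uamsecret)."""
    if uamsecret is None:
        return challenge
    return hashlib.md5(challenge + uamsecret.encode()).digest()


def cgi_hide_password(challenge_hex, password, uamsecret):
    """CGI side: returns the hex string sent back as the 'password=' parameter."""
    mask = derive_mask(bytes.fromhex(challenge_hex), uamsecret)
    field = password.encode()[:PW_LEN].ljust(PW_LEN, b"\x00")  # NUL-padded to 16 bytes
    return bytes(a ^ b for a, b in zip(field, mask)).hex()


def chilli_recover_password(challenge, hidden_hex, uamsecret):
    """chilli side: derive the same mask, XOR back, stop at the first NUL."""
    mask = derive_mask(challenge, uamsecret)
    plain = bytes(a ^ b for a, b in zip(bytes.fromhex(hidden_hex), mask))
    return plain.split(b"\x00", 1)[0]


def login_roundtrip(password, cgi_secret, chilli_secret, challenge=None):
    """Simulate one login; the result equals the password only if both secrets match."""
    challenge = challenge or os.urandom(16)  # chilli's per-session challenge (constructed here)
    hidden = cgi_hide_password(challenge.hex(), password, cgi_secret)
    return chilli_recover_password(challenge, hidden, chilli_secret).decode(errors="replace")


if __name__ == "__main__":
    chal = bytes(range(16))
    print(login_roundtrip("user1pw", "tuntunkun", "tuntunkun", chal))        # user1pw
    print(repr(login_roundtrip("user1pw", "tuntunkun", "wrong", chal)))      # garbage: RADIUS rejects it
```

With mismatched secrets chilli forwards a garbage password to FreeRADIUS and every login fails with Access-Reject, which is the symptom to check for when the CGI's uamsecret was left commented out. The model also shows the limits of the scheme: the password is only XOR-masked with a value derived from a challenge that appears in the redirect URL, and uamsecret is the only thing keeping that mask from being recomputed by anyone on the path, so it deserves the same handling as a password, and the uamserver URL in chilli.conf is https:// for the same reason.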

Allow packet forwarding

# Controls IP packet forwarding
net.ipv4.ip_forward = 1