Changes

From SME Server
393 bytes added, 10:43, 7 March 2012
m
Line 1: Line 1:  
{{Languages}}
 
{{Languages}}
 +
 +
 
===Maintainer===
 
===Maintainer===
[[User:VIP-ire|Daniel B.]]<br/>
+
[mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]] from [http://www.firewall-services.com Firewall Services]
[http://www.firewall-services.com Firewall Services]<br>
+
 
mailto:daniel@firewall-services.com
+
=== Version ===
 +
 
 +
{{ #smeversion: smeserver-coova-chilli }}
 +
{{ #smeversion: coova-chilli }}
    
=== Description ===
 
=== Description ===
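Review bot: the new maintainer line nests a wikilink inside an external link (`[mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]]`), which MediaWiki does not reliably render as one link; keep the mailto link and the user link as two separate items, as the old text did, or use a plain label inside the mailto brackets. Minor: the new `=== Version ===` heading uses spaces inside the equals signs while `===Maintainer===` does not; pick one style.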
Line 29: Line 34:     
  yum --enablerepo=smecontribs install smeserver-coova-chilli
 
  yum --enablerepo=smecontribs install smeserver-coova-chilli
  −
(For now, you may also have to enable the repo smetest as smeserver-coova-chilli requires e-smith-radiusd => 1.0.0-18 which is in smetest repo)
      
*Enable the service
 
*Enable the service
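Review bot: removing the smetest caveat also removes the only statement of the dependency on e-smith-radiusd >= 1.0.0-18. If that package has since reached smecontribs, the remaining `yum --enablerepo=smecontribs install smeserver-coova-chilli` line is sufficient; otherwise keep a one-line dependency note so installs from smecontribs alone do not fail on it.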
Line 53: Line 56:  
*Attach an AP
 
*Attach an AP
   −
The final step is to connect an AP on the NIC. I'm talking about a AP and not a router. If you have a WiFi router, it is possible to work if these conditions are met:
+
The final step is to connect an AP on the NIC. I'm talking about a AP and not a router. If you have a WiFi router, it is possible to make it work if these conditions are met:
    
**Dhcp is disabled on the router
 
**Dhcp is disabled on the router
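Review bot: "a AP" should be "an AP" in both the old and the new sentence; the rest of the rewording ("it is possible to make it work") reads well.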
Line 62: Line 65:     
*Login
 
*Login
Connect a client, and try to open a web page, you should fall on a page like this:
+
Connect a client, and try to open a web page, you should be redirected on a page like this one:
    
[[Image:ChilliLogin-noguest.jpg]]
 
[[Image:ChilliLogin-noguest.jpg]]
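Review bot: "redirected on a page like this one" should be "redirected to a page like this one".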
Line 83: Line 86:     
*'''dhcpif''': the physical interface to use, in most cases, it will be eth2
 
*'''dhcpif''': the physical interface to use, in most cases, it will be eth2
 +
 +
*'''dhcpstart''': where to start assigning IPs (DHCP range)
 +
 +
*'''dhcpend''': where to stop assigning IPs
    
*'''dns1''' and '''dns2''': gives clients the dns servers to use. Here I have placed two public DNS servers.
 
*'''dns1''' and '''dns2''': gives clients the dns servers to use. Here I have placed two public DNS servers.
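Review bot: the new dhcpstart and dhcpend bullets give neither their defaults nor the form the values take (a host number within `net` or a full IP address), while the `net` bullet does state its default 10.1.0.1; add the defaults and say explicitly that the range must lie inside `net`, otherwise clients get leases the gateway cannot route.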
Line 89: Line 96:  
*'''net''': the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide clients with addresses in this range.
 
*'''net''': the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide clients with addresses in this range.
   −
*'''radiussecret''': the secret shared between the radius server and chilli daemon. For each installation, a random secret is generated, so you shouldn't have to change it.
+
*'''status''': there's no trap, this key defines the state of service, and whether it should be started when the server boots up.
 
  −
*'''status''': there's no trap that defined the state of service, and whether it should be started when the server boots up.
      
*'''tundev''': defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
*'''tundev''': defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 +
 +
*'''uamhomepage''': URL of homepage to redirect unauthenticated users to. If not specified this defaults to the login page
    
*'''uamallowed''': A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:host:port
 
*'''uamallowed''': A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:host:port
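Review bot: the radiussecret bullet is deleted rather than updated, yet the key still governs the shared secret between the RADIUS server and the chilli daemon; readers lose the statement that it is generated per installation and should not need changing. Keep the bullet unless the key itself was removed from the configuration. The new wording for status ("there's no trap, this key defines the state of service") fixes the broken sentence. Minor: "comming" in the tundev bullet should be "coming".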
Line 116: Line 123:     
*'''guestUpLink''': if guestAccess is enabled, this will limit the uplink bandwidth for guest user (in kbps)
 
*'''guestUpLink''': if guestAccess is enabled, this will limit the uplink bandwidth for guest user (in kbps)
 +
 +
*'''noc2c''': can be enabled or disabled (default is enabled). If enabled, clients will get a /32 netmask, and a special route will be added so they can contact the gateway. This prevent direct client to client communication. Note that it's a layer 3 isolation, a better way to prevent client to client is a layer 2 isolation, some AP and switch provides this.
 +
 +
*'''macallowed''': A comma separated list of MAC addresses which won't need to authenticate
    
After you've changed the configuration, just run the command  
 
After you've changed the configuration, just run the command  
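Review bot: in the noc2c bullet "This prevent direct client to client communication" should be "This prevents"; the caveat that a /32 plus a host route is only layer-3 isolation is the right thing to say. The macallowed bullet should add that a MAC address is not a secret and is easily changed on the client, so entries there are a convenience for known devices, not an authentication control; someone running a captive portal should know that before whitelisting devices.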
Line 162: Line 173:  
         $uplink = $uplink * 1000;
 
         $uplink = $uplink * 1000;
 
         $OUT =<<END;
 
         $OUT =<<END;
  guest NAS-Identify == "chilli", Auth-Type: = Local User-Password == 'guest'
+
  guest NAS-Identify == "localhost", Auth-Type: = Local User-Password == 'guest'
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
  END
 
  END
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
     $OUT = <<END;
 
     $OUT = <<END;
  DEFAULT Group == "chilli", NAS-Identify == "chilli", Auth-Type: = unix
+
  DEFAULT Group == "chilli", NAS-Identify == "localhost", Auth-Type: = unix
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
 
   
 
   
  DEFAULT Group! = "chilli", NAS-Identify == "chilli", Auth-Type: Reject =
+
  DEFAULT Group! = "chilli", NAS-Identify == "localhost", Auth-Type: Reject =
 
         Reply Message = "Your are not allowed member of the group"
 
         Reply Message = "Your are not allowed member of the group"
 
  END
 
  END
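Review bot: renaming NAS-Identify from "chilli" to "localhost" in all three entries only works if it matches what the chilli daemon sends in its Access-Request; if it does not, none of these entries match and every request falls through to whatever follows, so the page should say why the value changed. Worth checking in the same snippet: the FreeRADIUS attribute is `NAS-Identifier` and the reply attribute is `Reply-Message`, "Your are not allowed member of the group" should read "You are not an allowed member of the group", and if the spacing in `Auth-Type: = Local`, `Group! = "chilli"` and the Perl `eq' enabled '` is not a rendering artifact, the users file expects `:=` and `!=` and the Perl comparison against a string with surrounding spaces never matches 'enabled'.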
Line 186: Line 197:  
         $uplink = $uplink * 1000;
 
         $uplink = $uplink * 1000;
 
         $OUT =<<END;
 
         $OUT =<<END;
  guest NAS-Identify == "chilli", Auth-Type: = Local User-Password == 'guest'
+
  guest NAS-Identify == "localhost", Auth-Type: = Local User-Password == 'guest'
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
       WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
 
  END
 
  END
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
  if (($chilli{'status'} || 'disabled') eq' enabled ') {
 
     $OUT = <<END;
 
     $OUT = <<END;
  DEFAULT Group == "'''wifi'''", NAS-Identify == "chilli", Auth-Type: = unix
+
  DEFAULT Group == "'''wifi'''", NAS-Identify == "localhost", Auth-Type: = unix
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
 
  # WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
  DEFAULT Group! = "'''wifi'''", NAS-Identify == "chilli", Auth-Type: Reject =
+
  DEFAULT Group! = "'''wifi'''", NAS-Identify == "localhost", Auth-Type: Reject =
 
         Reply Message = "Your are not allowed member of the group"
 
         Reply Message = "Your are not allowed member of the group"
 
  END
 
  END
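Review bot: same NAS-Identify rename as the previous hunk, so the same question applies. In addition, `'''wifi'''` is wiki bold markup inside a code listing: it renders as bold on the page but breaks the template if the triple quotes are pasted into the users file; put the emphasis outside the listing or state in prose that wifi is the group name to substitute.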
Line 217: Line 228:  
{{Note box|This will just open the corresponding port(s), you need to make sure the service listen on the correct interface.}}
 
{{Note box|This will just open the corresponding port(s), you need to make sure the service listen on the correct interface.}}
   −
*AllowedOutgoing will allow more outgoing traffic. It's list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword any) can replace host or port. Eg:
+
*AllowedOutgoing will allow more outgoing traffic. It's a list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword 'any') can replace host or port. Eg:
  db configuration setprop AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
+
  db configuration setprop chilli AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
    
This will allow:
 
This will allow:
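Review bot: adding the missing `chilli` record name makes the command valid (`db configuration setprop` needs the record before the property), good catch. The example addresses 56.23.41.1 and 4.5.6.7 are real routable addresses; use a documentation range such as 192.0.2.0/24 (RFC 5737) so nobody copies the example and opens egress to an unrelated host. The prose says "proto/host/port" while the example uses `proto:host:port`; make the separator consistent.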
Line 243: Line 254:  
If you get an error, check the log /var/log/messages
 
If you get an error, check the log /var/log/messages
 
*Check tun0 (or what you have configured as tundev) is up, with a valid ip
 
*Check tun0 (or what you have configured as tundev) is up, with a valid ip
  ifconfig
+
  ifconfig tun0
 
*Check the client gets a ip in the range 10.1.0.0/24 (or what ever you have configured as net)
 
*Check the client gets a ip in the range 10.1.0.0/24 (or what ever you have configured as net)
 
If it's not the case, check that the AP is working properly (tcpdump on tun0 to check that your server sees dhcp requests). You can try to connect your client directly to eth2 with a crossed cable to eliminate an AP or wifi-level issue
 
If it's not the case, check that the AP is working properly (tcpdump on tun0 to check that your server sees dhcp requests). You can try to connect your client directly to eth2 with a crossed cable to eliminate an AP or wifi-level issue
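Review bot: `ifconfig tun0` is the right narrowing. While here, "gets a ip" should be "gets an IP", and since the reader is told to look for DHCP requests, give the filter, e.g. `tcpdump -ni tun0 port 67 or port 68`, rather than just "tcpdump on tun0".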
Line 252: Line 263:  
  yum remove smeserver-coova-chilli coova-chilli
 
  yum remove smeserver-coova-chilli coova-chilli
   −
=== Source ===
  −
The source for this contrib can be found in the smeserver [http://smeserver.cvs.sourceforge.net/smeserver/smeserver-coova-chilli/ CVS] on sourceforge.
   
=== Bugs ===
 
=== Bugs ===
 
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
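Review bot: deleting the Source section removes the only pointer to where the contrib's code lives; anyone reviewing the users-file templates quoted above needs it. If the sourceforge CVS URL is dead, replace it with the current location instead of dropping the section.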
Line 260: Line 269:  
----
 
----
 
[[Category:Contrib]]
 
[[Category:Contrib]]
 +
[[Category:Administration:Remote Access]]