Setting up Chillispot on DD-WRT
Chillispot on DD-WRT does not work out of the box, i.e. Chillispot is not
self-contained but requires an external web server (and RADIUS server) to
operate. Let's put it together.
1. Set up your RADIUS server. This is how you set up a RADIUS server with OpenLDAP.
2. Set up a web server on a PC (it could be the same machine as the
RADIUS server depending on your security paranoia).
3. Install Chillispot on that PC and configure hotspotlogin.cgi. From
another machine on your network open the following URL:
https://webserver/cgi-bin/hotspotlogin.cgi. You should be greeted with
the following message.
Login Failed
Login must be performed through Chillispot daemon.
That is a good sign :-).
4. Log into the admin interface on DD-WRT. Turn off DD-WRT's DHCP
server. This may not be required but I would see funny behavior when I
would reboot the router. ChilliSpot has a built-in DHCP server so it is
better to lessen the confusion.
5. Go to the Administration page and configure Chillispot, i.e.
- Primary Radius Server IP - RADIUS server IP
- Backup Radius Server IP - If you don't have a backup, put the same
IP address as the Primary
- DNS - IP address of your DNS server
- Redirect URL - This is the URL we tried above, i.e.
https://webserver/cgi-bin/hotspotlogin.cgi
- Shared Key - This is the RADIUS shared secret
- DHCP Interfaces - Whether ChilliSpot should apply to only wired
ports, only wireless, or both
You can also configure additional Chillispot options, e.g. if
you want to allow people to access certain IP addresses or
ranges you can add
uamallowed 192.168.182.1,192.168.0.0/16
6. The only other gotcha: if you are using RADIUS to authenticate against
e.g. /etc/passwd, YP/NIS or LDAP with MD5/SHA1 hashes, you will need to
configure hotspotlogin.cgi on the external web server as follows
# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.
$userpassword=1;
$uamsecret="testing123";
And add
uamsecret testing123
under the DD-WRT Chillispot additional options.
7. If you are curious about the mechanics of this configuration, please
check out the following post.
In short, Damjan says (spelling corrected):
5.6.7.8 doesn't communicate with the radius on 1.2.3.4, 5.6.7.8 sends a
HTML response to the client, but in that response there's also a hidden
XML part. Since this response passes through chillispot, chillispot parses
that XML, decodes the username and the password (either plain text or
CHAP-challenge,CHAP-password), and then chillispot itself communicates
with the radius server on 1.2.3.4.
BTW. I too was wondering the same questions, since chillispot
documentation doesn't describe how it operates, so I started debugging
with Firefox, LiveHTTPHeaders, netcat etc.
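Added example, not part of the original page or of the ChilliSpot code: a Python rendering of what the $userpassword / $uamsecret settings from step 6 are assumed to do in the stock hotspotlogin.cgi, showing why the secret must match on the web server and the router and why hashed password stores need the user-password mode. The function names, the challenge and the password are constructed for illustration; check the arithmetic against your own copy of hotspotlogin.cgi.

```python
import hashlib
from typing import Optional

def newchal(challenge_hex: str, uamsecret: Optional[str]) -> bytes:
    """Challenge actually used: md5(challenge + uamsecret) when a secret is set."""
    chal = bytes.fromhex(challenge_hex)
    if len(chal) != 16:
        raise ValueError("challenge must be 16 bytes (32 hex digits)")
    if uamsecret is None:
        return chal
    return hashlib.md5(chal + uamsecret.encode()).digest()

def chap_response(password: str, challenge_hex: str,
                  uamsecret: Optional[str] = None) -> str:
    """Default mode: one-way CHAP response. RADIUS can only verify it when it
    holds the cleartext password, so /etc/passwd or LDAP hash stores fail."""
    nc = newchal(challenge_hex, uamsecret)
    return hashlib.md5(b"\0" + password.encode() + nc).hexdigest()

def pap_password(password: str, challenge_hex: str,
                 uamsecret: Optional[str] = None) -> str:
    """$userpassword=1 mode: password XOR newchal, 16 bytes, hex-encoded.
    Reversible, so RADIUS receives the password and can hash it itself."""
    nc = newchal(challenge_hex, uamsecret)
    pw = password.encode()[:16].ljust(16, b"\0")  # longer passwords are cut
    return bytes(a ^ b for a, b in zip(pw, nc)).hex()

def recover_password(pap_hex: str, challenge_hex: str,
                     uamsecret: Optional[str] = None) -> str:
    """Router side: undo the XOR to get the password for the RADIUS request."""
    nc = newchal(challenge_hex, uamsecret)
    raw = bytes(a ^ b for a, b in zip(bytes.fromhex(pap_hex), nc))
    return raw.rstrip(b"\0").decode("utf-8", errors="replace")

if __name__ == "__main__":
    chal = "00112233445566778899aabbccddeeff"  # constructed challenge
    sent = pap_password("s3cret", chal, "testing123")
    # Same uamsecret on both sides: the router recovers the real password.
    print("matching  :", recover_password(sent, chal, "testing123"))
    # Different uamsecret on the router: it forwards garbage and login fails.
    print("mismatched:", repr(recover_password(sent, chal, "other")))
```

Because the user-password value is only XOR-masked with a key derived from uamsecret, the strength of that secret and the HTTPS login URL are what protect the password between browser and router.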
Last Update: $Date$
Author: Vladimir Vuksan