Wireless HotSpot Authenticated Accesspoint

Author: Carlos Guerra Alberti

The goal of this work is to provide the maximum connectivity with the minimum of resources: using a small box with a single PCI slot, we build a wireless access point with authenticated access on a Linux server, using only open-source software.

Hardware

The hardware used for this purpose is as basic and simple as possible:

* Service box:

Motherboard: VIA Technologies, Inc.

Processor: VIA Samuel 2, 800 MHz.

RAM: 367 MB SDRAM.

Hard disk: Seagate 40 GB.

Backup disk: 250 MB memory card.

Ethernet: VIA Technologies, Inc. VT6102 [Rhine-II].

* Conceptronic C54i PCI wireless card.

Software

The software used is the following:

Operating System: Debian GNU/Linux (Sarge).

Debian's package management and its proven stability make it a very good option for this goal.

Debian uses the Linux kernel (the core of the operating system), but most of the basic OS tools come from the GNU Project; hence the name GNU/Linux.

With the apt-get or dpkg tools a user can install thousands of precompiled packages from the official or unofficial repositories.


Linux kernel: 2.4.27

The kernel must be adapted to the hardware and to what the software needs; for example ChilliSpot requires the TUN/TAP driver (tun.o), configured below.

Other:

Wireless driver: MADWiFi (Multiband Atheros Driver for WiFi) is a Linux kernel driver for Atheros-based wireless LAN devices. The card appears as a normal network interface (ath0), and the driver can run it in master mode, which is what an access point needs.

ChilliSpot: an open-source wireless LAN access point controller. It is a captive portal that authenticates users of the wireless LAN through a web-based login, today's standard for public hotspots. Authentication, authorization and accounting (AAA) are handled by a RADIUS server.

RADIUS server: FreeRADIUS, used all over the world in large installations with multiple RADIUS servers, thousands of users and millions of sessions.

Database: MySQL stores the users, passwords and the other fields the RADIUS server needs.

Database management: phpMyAdmin is used to add, delete and modify the users and passwords in the database.

Madwifi Project driver

We need this driver because building the access point requires master mode.

First, make sure the wireless card has an Atheros chipset supported by the MADWiFi driver. After plugging it in, run lspci to find out:

12:35 [EW_AP~]# lspci

0000:00:00.0 Host bridge: VIA Technologies, Inc. VT8601 [Apollo ProMedia] (rev 05)

0000:00:01.0 PCI bridge: VIA Technologies, Inc. VT8601 [Apollo ProMedia AGP]

0000:00:11.0 ISA bridge: VIA Technologies, Inc. VT8231 [PCI-to-ISA Bridge] (rev 10)

0000:00:11.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)

0000:00:11.2 USB Controller: VIA Technologies, Inc. VT82xxUHCI USB 1.1 Controller (rev 1e)

0000:00:11.4 Bridge: VIA Technologies, Inc. VT8235 ACPI (rev 10)

0000:00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 51)

0000:00:14.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)

0000:01:00.0 VGA compatible controller: Trident Microsystems CyberBlade/i1 (rev 6a)

There are currently three generations of Atheros 802.11 wireless devices:

5210 supports 11a only

5211 supports both 11a and 11b

5212 supports 11a, 11b, and 11g

Our chipset is the AR5212 (the 5212+2112 combination, operating in b/g mode), and since the 8/11/2003 snapshot of the driver this PCI card works at least in 802.11b, both in ad-hoc and in master mode.

The MADWiFi driver is not part of the mainline kernel, so it has to be compiled and built before it can be loaded. Documentation and downloads are on the project web page: madwifi.sourceforge.net

The driver functions as a normal network device and uses the Wireless Extensions API. As such normal Linux tools can and should be used with it.

There is only one driver included here; it supports miniPCI and Cardbus devices. The driver can be built as a module or linked into the kernel.

The driver depends on two other modules: wlan.o and ath_hal.o.

Downloading the driver

The current version of MADWiFi can be retrieved from CVS with the following command:

cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi

You may first need to install the CVS client, which is easy with apt-get:

apt-get install cvs


Building the driver

To build the driver at the top level you may need to edit Makefile.inc to set the path to your Linux kernel source. By default this path is detected automatically.

If you are cross-compiling the driver for a different platform define the CC, LD, and STRIP macros appropriately. For example:

#CC= /export/tools/bin/mips-linux-gcc

#LD= /export/tools/bin/mips-linux-ld

#STRIP= /export/tools/bin/mips-linux-strip

Once you’ve got Makefile.inc configured appropriately, do:

make

This will generate three important files:

Linux 2.4

driver/ath_pci.o (driver for PCI/Cardbus devices),

ath_hal/ath_hal.o (Atheros HAL), and

wlan/wlan.o (802.11 support layer)

Using the driver

These files can be loaded with insmod or modprobe; e.g.

Linux 2.4

insmod wlan/wlan.o

insmod ath_hal/ath_hal.o

insmod driver/ath_pci.o

To have the driver loaded at boot, add it to /etc/modules. This assumes the modules have been installed under /lib/modules (make install), so that modprobe can resolve the wlan and ath_hal dependencies by itself.

So we edit /etc/modules and add:

ath_pci

We check that the modules are loaded with lsmod:

13:31 [EW_AP~]# lsmod

Module Size Used by Tainted: P

bnep 9012 1 (autoclean)

rfcomm 27776 0 (autoclean)

l2cap 14508 3 (autoclean) [bnep rfcomm]

hci_usb 6172 1

bluez 27652 3 [bnep rfcomm l2cap hci_usb]

via82cxxx_audio 18808 0 (unused)

soundcore 3460 2 [via82cxxx_audio]

ac97_codec 12012 0 [via82cxxx_audio]

ftdi_sio 19160 0 (unused)

usbserial 19324 0 [ftdi_sio]

usb-uhci 20972 0 (unused)

usbcore 62464 1 [hci_usb ftdi_sio usbserial usb-uhci]

hostap 84456 0 (unused)

ath_pci 28448 1

wlan 40744 1 [ath_pci]

ath_hal 108208 1 [ath_pci]

via-rhine 11600 1

mii 2304 0 [via-rhine]

crc32 2848 0 [bnep via-rhine]

Our new interface is ath0, and the kernel log shows it being detected:

13:42 [EW_AP~]# cat /var/log/kern.log.0 | grep ath0

Apr 11 18:09:17 EW_AP kernel: ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps

Apr 11 18:09:17 EW_AP kernel: ath0: 802.11 address: 00:0d:88:56:0b:a2

Apr 11 18:09:17 EW_AP kernel: ath0: Atheros 5212: mem=0xe3000000, irq=11

Management uses the normal Linux tools such as ifconfig, plus the wireless-tools package, which is the way to interact with the card. To install the tools:

apt-get install wireless-tools

iwconfig is the main program in wireless-tools; these are its options:

13:44 [EW_AP~]# iwconfig --help

Usage: iwconfig interface [essid {NN|on|off}]

[nwid {NN|on|off}]

[mode {managed|ad-hoc|...}]

[freq N.NNNN[k|M|G]]

[channel N]

[ap {N|off|auto}]

[sens N]

[nick N]

[rate {N|auto|fixed}]

[rts {N|auto|fixed|off}]

[frag {N|auto|fixed|off}]

[enc {NNNN-NNNN|off}]

[power {period N|timeout N}]

13:29 [EW_AP~]# iwconfig

ath0 IEEE 802.11g ESSID:"NordicAP" Nickname:"WareAP"

Mode:Master Frequency:2.457 GHz Access Point: 00:0D:88:56:0B:A2

Bit Rate:0 kb/s Tx-Power:off Sensitivity=0/3

Retry:off RTS thr:off Fragment thr:off

Encryption key:off

Power Management:off

Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0

13:29 [EW_AP~]# ifconfig ath0

ath0 Link encap:Ethernet HWaddr 00:0D:88:56:0B:A2

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:82504 errors:296765 dropped:0 overruns:0 frame:95134

TX packets:1021 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:199

RX bytes:3267369 (3.1 MiB) TX bytes:65344 (63.8 KiB)

Interrupt:11 Memory:d00a2000-d00b2000

Now we give the interface a static IP configuration in /etc/network/interfaces, something like the following. (1.0.0.0/24, as used here, is public address space rather than an RFC 1918 private range; ChilliSpot serves its own addresses on the interface so it works, but an unused private range such as 192.168.x.0/24 is the safer choice.)

auto ath0
iface ath0 inet static
    address 1.0.0.1
    netmask 255.255.255.0
    network 1.0.0.0
    broadcast 1.0.0.255
    wireless_essid NordicAP
    wireless_mode master
    wireless_channel 10

Chillispot

ChilliSpot provides Wi-Fi service with authentication through a web page over HTTPS, with the user name and password checked by a RADIUS server, and protects the network from unauthenticated clients. For this, ChilliSpot creates a new virtual interface, tun0, through which all client traffic passes and is filtered.

ChilliSpot supports two authentication methods:

* Universal Access Method (UAM)

* Wi-Fi Protected Access (WPA)

Here we use UAM. With UAM the wireless client requests an IP address and is allocated one by chilli. When the user starts a web browser, chilli captures the TCP connection and redirects the browser to an authentication web server, which asks the user for a user name and password. The CGI script masks the password with a challenge from chilli and the shared uamsecret (rather than returning it in the clear) and sends it back to chilli, which forwards the authentication request to the RADIUS server. The RADIUS server answers with an Access-Accept if authentication succeeded, otherwise with an Access-Reject.

An authentication web server is needed in order to authenticate users with the universal access method.

The interface to the web server uses only the HTTP protocol; no callbacks from the web server to chilli are needed to authenticate the client. This means the hotspot can sit behind a NAT gateway, proxy or firewall while the web server is on the public Internet.

A CGI script on the web server asks the user for a user name and password. Once entered, the masked password is sent back to chilli, which forwards the request to the RADIUS server. The web server must use SSL/TLS so that user names and passwords are protected in transit; here we use, of course, Apache-SSL. Note that a default Apache-SSL installation comes with a self-signed certificate, so browsers will show a warning until a certificate matching the uamserver address is installed.

So, basically, ChilliSpot consists of a CGI script, hotspotlogin.cgi, and a daemon, chilli.

The ChilliSpot version used at the time of writing is 0.96-1:

17:37 [EW_AP~]# dpkg -l chillispot

Name        Version  Description
===================================================================
chillispot  0.96-1   ChilliSpot is a Wireless LAN Access Point Controller.

Preparing the Software

Before downloading and installing ChilliSpot, we install the tools it needs in order to work well.

* iptables: the packet filtering framework of the Linux 2.4.x and 2.6.x kernels. It provides packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. Rules are organised in tables; each rule consists of a number of classifiers (iptables matches) and one action (iptables target).

To install it we type:

apt-get install iptables

* Apache-SSL: our secure web server. The SSL module encrypts the login page traffic, so the user name and password cannot be read by anyone listening on the network.

To install it we type:

apt-get install apache-ssl

* MySQL: the database for the users, passwords and the rest of the RADIUS data.

To install it we type:

apt-get install mysql-server
apt-get install mysql-client

* FreeRADIUS: the RADIUS server behind the user/password service. The package was recently included in Debian Sarge.

To install it we type:

apt-get install freeradius
apt-get install freeradius-mysql

*

* TUN/TAP module: we use the kernel's tun.o, which provides a virtual point-to-point network interface. IP packets written to the /dev/net/tun character device are received by the kernel from the tun0 interface, and packets routed to tun0 can be read from the device; this is how chilli sees and filters all client traffic.

TUN/TAP must be enabled in the kernel; if it is not, recompile with:

[*] Network device support

<*> Universal TUN/TAP device driver support

Debian does not create the tun device node automatically, so we create it and load the module:

mkdir /dev/net
mknod /dev/net/tun c 10 200
modprobe tun

The module should also be loaded on demand when the device is opened, which needs the line

alias char-major-10-200 tun

in /etc/modules.conf. On Debian that file is generated by update-modules from the fragments in /etc/modutils/, so do not edit it directly; instead:

echo "alias char-major-10-200 tun" >> /etc/modutils/chillispot
update-modules

Installing the Chillispot package

At the time of writing, the chillispot .deb is not in the official Debian repositories. It can be found in unofficial repositories, but here we download the package manually and install it with dpkg.

Go to the project's official website, www.chillispot.org, and from chillispot.org/download.html download the Debian binary package (.deb).

Once downloaded (chillispot_0.96-1_i386.deb in this case), install it with dpkg:

dpkg -i chillispot_0.96-1_i386.deb

This installs the chillispot package and leaves the following files:

/usr/share/doc/chillispot/firewall.iptables --> firewall rules

/usr/share/doc/chillispot/hotspotlogin.cgi.gz --> CGI script (login page for the web server)

/etc/chilli.conf --> configuration file

/etc/init.d/chilli --> daemon start script

Now we set up the CGI script:

cp /usr/share/doc/chillispot/hotspotlogin.cgi.gz /usr/lib/cgi-bin/
cd /usr/lib/cgi-bin
gunzip hotspotlogin.cgi.gz
chmod a+x hotspotlogin.cgi

In the resulting hotspotlogin.cgi we uncomment the following line and put our own secret in it. It must be identical to the uamsecret in /etc/chilli.conf, and its secrecy is what protects the masked password on its way from the browser back to chilli, so do not keep an example value:

$uamsecret = "secretchilli";

Now we configure the chilli daemon. Its configuration file is /etc/chilli.conf; we change these parameters:

net 5.0.0.0/24 ::: The wireless LAN gets its addresses from this range. (5.0.0.0/8 is public address space, not an RFC 1918 private range; 192.168.x.0/24 or a 10.x.x.0/24 network is the correct choice.)

dns1 194.47.0.30 ::: Or any other DNS server; this one is from Högskolan Halmstad (Sweden) ;-) .

radiuslisten 127.0.0.1 ::: The RADIUS server runs on the same box as chilli.
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1

radiussecret secretradius ::: Shared with the RADIUS server; it must match the client secret in /etc/freeradius/clients.conf (not the CGI script, which shares uamsecret).

radiusnasid NordicAP ::: Name of our access point.

radiuslocationid isocc=es,cc=34,ac=46020,network=N_AP ::: Detailed information about the access point.

radiuslocationname PNM,Valencia

dhcpif ath0 ::: Interface on which chilli serves the addresses of the "net" range above.

uamserver https://5.0.0.1/cgi-bin/hotspotlogin.cgi ::: Web server handling authentication (here on chilli's own tun0 address).

uamsecret secretchilli ::: Shared between chilli and the authentication web server; must match hotspotlogin.cgi.

uamlisten 5.0.0.1 ::: IP address chilli listens on for authentication requests.

uamallowed www.carlosguerra.com ::: Hosts that may be browsed before authenticating (the walled garden).

Iptables rules configuration of the firewall

Its time now to configure some iptables rules for our firewall, first we should copy the file chilli.iptables on the /etc/ folder:

cp /usr/share/doc/chillispot/firewall.iptables /etc/chilli.iptables
chmod u+x /etc/chilli.iptables

Inside the file /etc/chilli.iptables, we need to modify the EXTIF and INTIF parameters.

EXTIF=”eth0″ ::: Provides us the LAN and Internet connection.

INTIF=”ath0″ ::: Device where EXTIF is propagated, that is, the Access Point.

The rest of file is composed by iptables rules about allowing, denying and filtering the traffic and ports from the tunnel with the devices, etc.

But of course, we should verify in the /etc/network/options configuration file that ip_forward variable is set to yes, if not we must change it:

ip_forward=yes

Freeradius configuration

We installed the FreeRADIUS server with apt-get earlier; now that the chilli daemon is set up, we adjust the FreeRADIUS configuration.

First, the radiussecret we set in /etc/chilli.conf must match the "secret" of the 127.0.0.1 client in /etc/freeradius/clients.conf:

secret = secretradius
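The same value has to be written in several places (uamsecret in chilli.conf and hotspotlogin.cgi, radiussecret in chilli.conf and clients.conf), and the values shown in this article are published and therefore unusable as secrets. The following script is an added example, not part of the article or of the ChilliSpot/FreeRADIUS packages: it generates two random 128-bit secrets, writes each into every file that must agree on it, and checks the result. File paths are the ones named above; the ROOT variable is an assumption of this script so it can be exercised against a scratch directory, and the clients.conf client block is assumed to be named 127.0.0.1 or localhost.

```shell
#!/bin/sh
# Added example (not from the article or the ChilliSpot/FreeRADIUS projects):
# generate two independent random shared secrets and write each one into
# every file that must agree on it:
#   uamsecret    -> /etc/chilli.conf  and  /usr/lib/cgi-bin/hotspotlogin.cgi
#   radiussecret -> /etc/chilli.conf  and  /etc/freeradius/clients.conf
# ROOT (assumed by this script) prefixes all paths so the script can be run
# against a scratch directory; empty means the live system.
set -eu

ROOT="${ROOT:-}"

# 16 random bytes from the kernel CSPRNG as 32 hex characters (od is POSIX).
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Set "key value" in a chilli.conf-style file, uncommenting an existing
# (possibly commented-out) example line or appending if the key is absent.
set_chilli_param() {    # file key value
    if grep -q "^#*[[:space:]]*$2[[:space:]]" "$1"; then
        sed -i "s|^#*[[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

provision_secrets() {
    uam=$(gen_secret)
    rad=$(gen_secret)

    set_chilli_param "$ROOT/etc/chilli.conf" uamsecret    "$uam"
    set_chilli_param "$ROOT/etc/chilli.conf" radiussecret "$rad"

    # hotspotlogin.cgi: uncomment and set   $uamsecret = "...";
    sed -i 's|^#*[[:space:]]*\$uamsecret = ".*";|$uamsecret = "'"$uam"'";|' \
        "$ROOT/usr/lib/cgi-bin/hotspotlogin.cgi"

    # clients.conf: the secret inside the block for the local chilli client
    sed -i '/^client[[:space:]]\{1,\}\(127\.0\.0\.1\|localhost\)[[:space:]]*{/,/^}/ s|^\([[:space:]]*secret[[:space:]]*=[[:space:]]*\).*|\1'"$rad"'|' \
        "$ROOT/etc/freeradius/clients.conf"

    # The secrets are credentials: keep the files unreadable to other users.
    chmod 600 "$ROOT/etc/chilli.conf" "$ROOT/etc/freeradius/clients.conf"
}

# Consistency check: both copies of each secret agree, the two secrets differ,
# and neither is still one of the example values from the documentation.
check_secrets() {
    c_uam=$(sed -n 's/^uamsecret[[:space:]]*//p' "$ROOT/etc/chilli.conf")
    c_rad=$(sed -n 's/^radiussecret[[:space:]]*//p' "$ROOT/etc/chilli.conf")
    cgi_uam=$(sed -n 's/^\$uamsecret = "\(.*\)";/\1/p' "$ROOT/usr/lib/cgi-bin/hotspotlogin.cgi")
    fr_rad=$(sed -n '/^client[[:space:]]\{1,\}\(127\.0\.0\.1\|localhost\)[[:space:]]*{/,/^}/ s/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$ROOT/etc/freeradius/clients.conf")
    [ -n "$c_uam" ] && [ "$c_uam" = "$cgi_uam" ] &&
    [ -n "$c_rad" ] && [ "$c_rad" = "$fr_rad" ] &&
    [ "$c_uam" != "$c_rad" ] &&
    [ "$c_uam" != secretchilli ] && [ "$c_rad" != secretradius ]
}
```

Run provision_secrets once as root and then check_secrets after any later hand edit; a mismatch of uamsecret shows up as a login page that always fails, a mismatch of radiussecret as "Received packet from 127.0.0.1 with invalid Message-Authenticator" style rejections in the FreeRADIUS log.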

If hotspot clients should be able to reach some services on the box itself before they have authenticated, add rules like the following to /etc/chilli.iptables. Be aware that each such rule exposes that service to every unauthenticated device in radio range, so add only what is really needed; SSH in particular is better restricted to the wired side.

# SSH
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
# IMAP over SSL
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 993 --syn -j ACCEPT
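To make the shape of the rule set explicit, here is an added example that covers both the EXTIF/INTIF file above and the optional per-port additions. It is not ChilliSpot's firewall.iptables, only a script written for this page that follows the same structure: default-deny, management only from the wired side, the radio interface closed to the IP stack, and hotspot clients allowed to reach only chilli's UAM port and the HTTPS login page on the box. It prints the iptables commands instead of executing them so they can be reviewed first. Interface names, the 3990 UAM port and the ADMIN_NET management range are assumptions of the example.

```shell
#!/bin/sh
# Added example (not ChilliSpot's firewall.iptables): print the iptables
# commands for the hotspot box instead of running them, so the rule set can
# be reviewed before it touches a live kernel; apply with:  chilli_rules | sh
# Assumed names: EXTIF uplink, INTIF radio (chilli's dhcpif), TUNIF chilli's
# tunnel, 3990 chilli's UAM listener port, ADMIN_NET the wired management LAN.
set -eu

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-ath0}"
TUNIF="${TUNIF:-tun0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
# Services on the box that unauthenticated hotspot clients may reach, e.g.
# "22 993" for the SSH and IMAPS rules shown in the text. Empty = none.
EXTRA_TUN_PORTS="${EXTRA_TUN_PORTS:-}"

chilli_rules() {
    cat <<EOF
# flush, then default-deny for traffic to the box and for forwarding
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management from the wired side only; the hotspot side gets no SSH by default
iptables -A INPUT -i $EXTIF -s $ADMIN_NET -p tcp -m tcp --dport 22 --syn -j ACCEPT
# the radio itself: chilli serves DHCP through a raw socket, the IP stack needs nothing
iptables -A INPUT -i $INTIF -j DROP
# hotspot clients (through chilli's tunnel): only the UAM port and the HTTPS login page
iptables -A INPUT -i $TUNIF -p tcp -m tcp --dport 3990 --syn -j ACCEPT
iptables -A INPUT -i $TUNIF -p tcp -m tcp --dport 443 --syn -j ACCEPT
EOF
    # each extra port is one more service offered to unauthenticated clients
    for p in $EXTRA_TUN_PORTS; do
        printf 'iptables -A INPUT -i %s -p tcp -m tcp --dport %s --syn -j ACCEPT\n' "$TUNIF" "$p"
    done
    cat <<EOF
# clients may go out and receive replies; nothing is forwarded to them uninvited
iptables -A FORWARD -i $TUNIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $TUNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
EOF
}

# Stand-alone: print the rule set for review.
chilli_rules
```

Unauthenticated clients are additionally confined by chilli itself, which only passes their DNS and walled-garden traffic through tun0; the iptables rules protect the box and the wired network behind it regardless of how chilli is configured.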

We have to create the database that holds the data the RADIUS server needs. As this document is not a MySQL tutorial, we create it quickly with commands typed directly in the shell:

echo "create database radius;" | mysql -u root -p

echo "grant all on radius.* to radius@'localhost' identified by 'password_sql'; flush privileges;" | mysql -u root -p

zcat /usr/share/doc/freeradius/examples/db_mysql.sql.tgz | mysql -u root -p radius

Note: -p makes mysql prompt for the MySQL root password. The grant is limited to localhost because FreeRADIUS runs on the same box (a grant to radius@'%' would accept that password from any host); replace 'password_sql' with a real password. Check the exact name of the schema file under /usr/share/doc/freeradius/examples/: a gzip-compressed .sql file can be fed through zcat as shown, while a real tar archive (.tgz) must be unpacked first and the .sql file inside it fed to mysql.

Now we configure FreeRADIUS to look up the user/password information in the database. The file to modify is /etc/freeradius/sql.conf:

sql {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "radius"
    password = "password_sql"
    radius_db = "radius"
    [...]
}

Now we enable the sql module in /etc/freeradius/radiusd.conf by including sql.conf and listing sql in the authorize and accounting sections:

$INCLUDE ${confdir}/sql.conf
authorize {
[...]
sql
[...]
}
accounting {
[...]
sql
[...]
}

The access point configuration is finished. Restart the daemons and services and load the firewall rules:

/etc/init.d/mysql restart

/etc/init.d/apache-ssl restart

/etc/init.d/chilli restart

/etc/init.d/freeradius restart

/etc/chilli.iptables

The rule script is not run automatically at boot, so hook it into the start-up sequence (for example from a script in /etc/network/if-up.d/); otherwise the rules are gone after the next reboot.

To finish this document, we explain how to create, delete and modify users in the RADIUS database:

We reach the database through phpMyAdmin (Debian package phpmyadmin), by typing in the browser the local IP address of the server followed by /phpmyadmin, for example: http://11.0.0.54/phpmyadmin. phpMyAdmin logs in with the database credentials, so serve it through Apache-SSL or restrict it to the management LAN rather than offering it over plain HTTP.

Once logged in, open the radcheck table, which is where the user check items live: one row per user with UserName, Attribute (User-Password for a cleartext password, or Crypt-Password for a crypt(3) hash), op (:=) and Value. Add a row with the new user and password; rows can also be deleted or edited in the same form.
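Clicking through phpMyAdmin does not scale past a handful of users and tempts one to store cleartext passwords. The following script is an added example, not part of the article, FreeRADIUS or ChilliSpot: it generates the SQL to add (or reset) and delete a user in radcheck, storing an MD5-crypt hash as Crypt-Password, which works because chilli's UAM login reaches FreeRADIUS as PAP, and escaping the values so a name such as o'brien (or a deliberately hostile one) cannot break out of the string literal. It assumes MySQL's default backslash-escaping mode, the radcheck and radreply tables of the FreeRADIUS MySQL schema, and an openssl binary for the hash (falling back to cleartext with a warning if none is available).

```shell
#!/bin/sh
# Added example (not from the article, FreeRADIUS or ChilliSpot): generate the
# SQL that adds or removes a hotspot user in FreeRADIUS's radcheck table.
#  * stores a crypt(3) hash as Crypt-Password instead of cleartext User-Password
#    (chilli's UAM login arrives as PAP, which FreeRADIUS verifies against it);
#  * escapes the values so a name like o'brien, or a hostile one, cannot break
#    out of the SQL string literal.
# Usage:  sh radius-user.sh add alice 'Secr3t!' | mysql -u radius -p radius
#         sh radius-user.sh del alice         | mysql -u radius -p radius
# Assumes MySQL's default backslash-escaping mode and the radcheck/radreply
# tables of the FreeRADIUS MySQL schema.
set -eu

# Quote a value as a MySQL string literal: double backslashes, double quotes.
sql_quote() {
    esc=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    printf "'%s'" "$esc"
}

# "Attribute, op, Value" for the password row. MD5-crypt ($1$...) via openssl,
# which glibc's crypt(3) understands; if openssl is missing or refuses MD5,
# fall back to a cleartext User-Password and say so on stderr.
password_item() {
    salt=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')   # 8 chars of [0-9a-f]
    if command -v openssl >/dev/null 2>&1 &&
       hash=$(printf '%s\n' "$1" | openssl passwd -1 -salt "$salt" -stdin 2>/dev/null) &&
       [ -n "$hash" ]; then
        printf "'Crypt-Password', ':=', %s" "$(sql_quote "$hash")"
    else
        echo "warning: openssl unavailable, storing cleartext User-Password" >&2
        printf "'User-Password', ':=', %s" "$(sql_quote "$1")"
    fi
}

# radius_user_sql add|del username [password]  -> SQL on stdout
radius_user_sql() {
    [ $# -ge 2 ] || { echo "usage: radius_user_sql add|del user [password]" >&2; return 2; }
    u=$(sql_quote "$2")
    case "$1" in
        add)
            [ $# -eq 3 ] || { echo "usage: radius_user_sql add user password" >&2; return 2; }
            # remove any existing password row first, so re-running is a password reset
            printf "DELETE FROM radcheck WHERE UserName = %s AND Attribute IN ('User-Password', 'Crypt-Password');\n" "$u"
            printf "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (%s, %s);\n" "$u" "$(password_item "$3")"
            ;;
        del)
            printf "DELETE FROM radcheck WHERE UserName = %s;\n" "$u"
            printf "DELETE FROM radreply WHERE UserName = %s;\n" "$u"
            ;;
        *)
            echo "unknown action: $1" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    radius_user_sql "$@"
fi
```

After loading the statements, verify the account end to end before involving the access point: radtest alice 'Secr3t!' 127.0.0.1 0 secretradius (the last argument being the radiussecret from clients.conf) should return an Access-Accept from the local FreeRADIUS.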

Carlos Guerra Alberti

mapache@carlosguerra.com

2 Responses to "Wireless HotSpot Authenticated Accesspoint"


  1. Alessandro, Sep 8th, 2005 at 1:59 am

    Hello Carlos Guerra,

    My name is Alessandro, I live in Brazil. I would like to set up a public Wi-Fi hotspot, but I need more information about MySQL.
    I read Wireless Hotspot Authenticated Accesspoint, but I need more information about configuring MySQL.

    Regards,

  2. tomas eduardo, Dec 9th, 2006 at 10:38 pm

    HELP PLEASE!!!!

    Hello, I need help; if somebody can help me, please do it =)

    I have a FreeRADIUS server v1.1.3 with MySQL 5.0.22 on Ubuntu Dapper, both communicating. I have a Cisco access point which works excellently with the FreeRADIUS server; authentication is through the radcheck table in the radius database, and I'm using PEAP/MS-CHAPv2. For example, I have a laptop with wireless, I enter a username and a password that I already have in the radcheck table, and the connection with FreeRADIUS is always successful. I'm running dhcp3, and when RADIUS accepts the user, dhcp3 sends an IP to the client. Everything is fine, but I have a problem: I need to create two dynamic IP pools, one for users of group A and one for users of group B. The problem is that I don't have any idea how I can use the radcheck table to authenticate the users and at the same time use dhcp3 to recognize those users and assign the IP from pool A or B depending on whether the user belongs to group A or B.

    How can I work with MySQL and dhcp3???
    Help me please

    eduardo
