Captive Portal with CoovaChilli
A captive portal is a checkpoint for users: the browser is intercepted and redirected to a page that requires the user to provide either credentials or other information before normal traffic is allowed to pass. Ideally this is a standalone server that does not disrupt other services such as content filtering or other web authentication.
Development of CoovaChilli for ClearOS has stopped. This howto is listed for historical purposes and outlines how it was once possible to run CoovaChilli under ClearOS 5. If you are interested in prototyping or creating an app for the ClearOS marketplace, please contact ClearCenter or create a project in the forums. To visit the Coova site, click here.
Other captive portal methods work with varying success, including running the default Dansguardian content filter in blanket block mode and then scripting the block page either to move the user into a different content filter policy or to push a firewall rule.
If you want to contribute to this howto, please contact Dave Loper (dloper).
You will need a working RADIUS server, installed via the Marketplace, to get this going.
You will need to set up localhost as an authorized client of the RADIUS server.
Create a user called coovachilli with mail only and make a group called chilli.
Set up DHCP for the network.
Set the following values:
HS_LANIF, change this value if it is wrong (e.g. HS_LANIF=eth2).
HS_NETWORK, set this to the network address of your network (e.g. HS_NETWORK=192.168.1.0).
HS_NETMASK, change this value if it is wrong (e.g. HS_NETMASK=255.255.255.128).
HS_UAMLISTEN, set this to the IP of your server (e.g. HS_UAMLISTEN=192.168.1.1).
HS_DNS1 and HS_DNS2, set these to the IP address of your local DNS server, in this case your server (e.g. HS_DNS1=192.168.1.1 and HS_DNS2=192.168.1.1).
HS_RADSECRET, set this to the secret password that you placed in the RADIUS configuration for the localhost entry in Webconfig (e.g. HS_RADSECRET=mysecretpassword).
HS_RAD_PROTO, set this to mschapv2 so the program knows to use the NT-Password infrastructure of LDAP described in the PAP section of the FreeRADIUS 2 Howto. This setting does NOT exist in the file by default; you must add it yourself (HS_RAD_PROTO=mschapv2).
HS_UAMDOMAINS, set all the domains that you want in your 'walled garden'. These sites will work even if users don't authenticate via your captive portal:
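Before starting the service it is worth checking that the values above agree with each other and that the RADIUS shared secret is not left at the sample value. The script below is an added example, not ClearOS or CoovaChilli code: the function names are hypothetical, the configuration is assumed to be a plain KEY=value file whose path you pass in (this howto does not name it), and the 16-character minimum for the secret is an assumed policy.

```shell
#!/bin/sh
# Added example (not ClearOS/CoovaChilli code): lint the HS_* values before start.

# Dotted quad -> integer, so addresses can be masked and compared.
ip_to_int() {
  local old_ifs="$IFS"
  IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Value of KEY in a KEY=value file (assumed format); last assignment wins.
cfg_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"; }

# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_chilli_config() {
  local f="$1" rc=0 k v net mask
  for k in HS_LANIF HS_NETWORK HS_NETMASK HS_UAMLISTEN HS_DNS1 HS_DNS2 \
           HS_RADSECRET HS_RAD_PROTO; do
    [ -n "$(cfg_get "$f" "$k")" ] || { echo "missing: $k"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  net=$(ip_to_int "$(cfg_get "$f" HS_NETWORK)")
  mask=$(ip_to_int "$(cfg_get "$f" HS_NETMASK)")
  [ $(( net & mask )) -eq "$net" ] ||
    { echo "HS_NETWORK is not the network address for HS_NETMASK"; rc=1; }
  v=$(ip_to_int "$(cfg_get "$f" HS_UAMLISTEN)")
  [ $(( v & mask )) -eq "$net" ] ||
    { echo "HS_UAMLISTEN is outside HS_NETWORK/HS_NETMASK"; rc=1; }
  [ "$(cfg_get "$f" HS_RAD_PROTO)" = mschapv2 ] ||
    { echo "HS_RAD_PROTO is not mschapv2"; rc=1; }
  v=$(cfg_get "$f" HS_RADSECRET)
  [ "$v" != mysecretpassword ] ||
    { echo "HS_RADSECRET is the howto's sample value"; rc=1; }
  # Assumed policy: at least 16 characters for the RADIUS shared secret.
  [ "${#v}" -ge 16 ] || { echo "HS_RADSECRET is shorter than 16 characters"; rc=1; }
  # The file holds the shared secret, so it should not be world-readable.
  [ -z "$(find "$f" -perm -004)" ] || { echo "$f is world-readable"; rc=1; }
  return "$rc"
}

# Constructed sample built from the howto's illustrative values.
sample=$(mktemp)
printf '%s\n' HS_LANIF=eth2 HS_NETWORK=192.168.1.0 HS_NETMASK=255.255.255.128 \
  HS_UAMLISTEN=192.168.1.1 HS_DNS1=192.168.1.1 HS_DNS2=192.168.1.1 \
  HS_RADSECRET=mysecretpassword HS_RAD_PROTO=mschapv2 >"$sample"
check_chilli_config "$sample" || true   # flags only the sample secret
rm -f "$sample"
```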
Start Coova Chilli
service chilli start
Testing it all
Stop the radiusd service and in a dedicated shell start it in debugging mode.
radiusd -X -xxx
Open a browser and try to connect to a site LISTED in your walled garden (e.g. www.clearfoundation.com). Then try to connect to a site NOT listed in your walled garden. You should be prompted for a username and password. Supply a user that is authorized to use the RADIUS server.