
Features

Introduction

ChilliSpot is an open source Wireless LAN access point controller. ChilliSpot is a captive portal which authenticates users of a wireless LAN. To build your own HotSpot you need the following items:

ChilliSpot Architecture

You can host the radius server and web server on the same PC as the ChilliSpot software, or they can be located on the Internet.

Chilli

Chilli is the name of the software you install on your PC. It supports two authentication methods:

With UAM the wireless client requests an IP address, and is allocated an IP address by Chilli. When the user starts a web browser, chilli will capture the TCP connection and redirect the browser to an authentication web server. The web server queries the user for his username and password. The password is encrypted and sent back to chilli.

With WPA, authentication is handled by the access point and subsequently forwarded from the access point to chilli. If WPA is used, the connection between the access point and the client is encrypted.

For both UAM and WPA chilli forwards the authentication request to a radius server. The radius server sends an access-accept message back to chilli if authentication was successful. Otherwise an access-reject is sent back.

Chilli is currently only available for Linux.

Authentication Web Server

An authentication web server is needed in order to authenticate users using the universal access method. For wireless protected access this web server is not needed.

The communication interface to the web server is implemented using only the HTTP protocol. No "call backs" from the web server to chilli are needed in order to authenticate the client. This means that the HotSpot can be placed behind a NAT gateway, proxy or firewall, while the web server is located on the public Internet.

We provide a CGI script for your web server which will query the user for his username and password. Once this information has been entered by the user, the encrypted password is sent back to chilli, which forwards the request to the radius server. You should use SSL/TLS on your web server in order to protect usernames and passwords.

Radius

Radius Server

We do not provide any radius server software. For small projects we recommend that you use an open source radius server such as FreeRADIUS, Cistron or OpenRADIUS.

Radius Attributes

ChilliSpot supports the following radius attributes:

| Attribute | # | Type | Auth req | Auth reply | Acct req | Comment |
|---|---|---|---|---|---|---|
| User-name | 1 | String | X | | X | Full username as entered by the user. |
| User-Password | 2 | String | X | | | Used for UAM as alternative to CHAP-Password and CHAP-Challenge. |
| CHAP-Password | 3 | String | X | | | Used for UAM |
| CHAP-Challenge | 60 | String | X | | | Used for UAM |
| EAP-Message | 79 | String | X | X | | Used for WPA |
| NAS-IP-Address | 4 | IPaddr | X | | X | IP address of Chilli (set by the radiusnasip or radiuslisten option). If neither radiuslisten nor nasipaddress are set NAS-IP-Address is set to "0.0.0.0". |
| Service-Type | 6 | Integer | X | X | | Set to Login (1) for normal authentication requests. For RFC 2882 style configuration management Access-Request messages to the radius server this is set to ChilliSpot-Authorize-Only (0x38df0001). The Access-Accept message from the radius server for configuration management messages must also be set to ChilliSpot-Authorize-Only (0x38df0001). |
| Framed-IP-Address | 8 | IPaddr | X | X | X | IP address of the user. |
| Reply-Message | 18 | String | | X | | Reason of reject if present. |
| State | 24 | String | X | X | | Sent to chilli in Access-Accept or Access-Challenge. Used transparently in subsequent Access-Request. |
| Class | 25 | String | | X | X | Copied transparently by chilli from Access-Accept to Accounting-Request. |
| Session-Timeout | 27 | Integer | | X | | Logout once session timeout is reached (seconds) |
| Idle-Timeout | 28 | Integer | | X | | Logout once idle timeout is reached (seconds) |
| Called-Station-ID | 30 | String | X | | X | Set to the radiuscalled command line option or the MAC address of ChilliSpot if not present. |
| Calling-Station-ID | 31 | String | X | | X | MAC address of client |
| NAS-ID | 32 | String | X | | X | Set to radiusnasid option if present. |
| Acct-Status-Type | 40 | Integer | | | X | 1=Start, 2=Stop, 3=Interim-Update |
| Acct-Input-Octets | 42 | Integer | | | X | Number of octets received from client. |
| Acct-Output-Octets | 43 | Integer | | | X | Number of octets transmitted to client. |
| Acct-Session-ID | 44 | String | X | | X | Unique ID to link Access-Request and Accounting-Request messages. |
| Acct-Session-Time | 46 | Integer | | | X | Session duration in seconds. |
| Acct-Input-Packets | 47 | Integer | | | X | Number of packets received from client. |
| Acct-Output-Packets | 48 | Integer | | | X | Number of packets transmitted to client. |
| Acct-Terminate-Cause | 49 | Integer | | | X | 1=User-Request, 2=Lost-Carrier, 4=Idle-Timeout, 5=Session-Timeout, 11=NAS-Reboot |
| Acct-Input-Gigawords | 52 | Integer | | | X | Number of times the Acct-Input-Octets counter has wrapped around. |
| Acct-Output-Gigawords | 53 | Integer | | | X | Number of times the Acct-Output-Octets counter has wrapped around. |
| NAS-Port-Type | 61 | Integer | X | | X | 19=Wireless-IEEE-802.11 |
| Message-Authenticator | 80 | String | X | X | | Is always included in Access-Request. If present in Access-Accept, Access-Challenge or Access-Reject chilli will validate that the Message-Authenticator is correct. |
| Acct-Interim-Interval | 85 | Integer | | X | | If present in Access-Accept chilli will generate interim accounting records with the specified interval (seconds). |
| WISPr-Location-ID | 14122, 1 | String | X | | X | Location ID is set to the radiuslocationid option if present. Should be in the format: isocc=<ISO_Country_Code>, cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE> |
| WISPr-Location-Name | 14122, 2 | String | X | | X | Location Name is set to the radiuslocationname option if present. Should be in the format: <HOTSPOT_OPERATOR_NAME>,<LOCATION> |
| WISPr-Logoff-URL | 14122, 3 | String | X | | | Chilli includes this attribute in Access-Request messages in order to notify the operator of the log off URL to use for logging off clients. Defaults to "http://192.168.182.1:3990/logoff". |
| WISPr-Redirection-URL | 14122, 4 | String | | X | | If present the client will be redirected to this URL once authenticated. This URL should include a link to WISPr-Logoff-URL in order to enable the client to log off. |
| WISPr-Bandwidth-Max-Up | 14122, 7 | Integer | | X | | Maximum transmit rate (b/s). Limits the bandwidth of the connection. Note that this attribute is specified in bits per second. |
| WISPr-Bandwidth-Max-Down | 14122, 8 | Integer | | X | | Maximum receive rate (b/s). Limits the bandwidth of the connection. Note that this attribute is specified in bits per second. |
| WISPr-Session-Terminate-Time | 14122, 9 | String | | X | | The time when the user should be disconnected in ISO 8601 format (YYYY-MM-DDThh:mm:ssTZD). If TZD is not specified local time is assumed. For example a disconnect on 18 December 2001 at 7:00 PM UTC would be specified as 2001-12-18T19:00:00+00:00. |
| ChilliSpot-Max-Input-Octets | 14559, 1 | Integer | | X | | Maximum number of octets the user is allowed to transmit. After this limit has been reached the user will be disconnected. |
| ChilliSpot-Max-Output-Octets | 14559, 2 | Integer | | X | | Maximum number of octets the user is allowed to receive. After this limit has been reached the user will be disconnected. |
| ChilliSpot-Max-Total-Octets | 14559, 3 | | | X | | Maximum number of octets the user is allowed to transfer (sum of octets transmitted and received). After this limit has been reached the user will be disconnected. |
| ChilliSpot-UAM-Allowed | | | | X | | When received from the radius server in an RFC 2882 style configuration management message this attribute will override the uamallowed command line option. |
| ChilliSpot-MAC-Allowed | | | | X | | When received from the radius server in an RFC 2882 style configuration management message this attribute will override the macallowed command line option. |
| ChilliSpot-MAC-Interval | | | | | | When received from the radius server in an RFC 2882 style configuration management message this attribute will override the interval command line option. |
| MS-MPPE-Send-Key | 311, 16 | String | | X | | Used for WPA |
| MS-MPPE-Recv-Key | 311, 17 | String | | X | | Used for WPA |

The WISPr vendor attributes are specified in "Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1", Feb 2003. The MS vendor attributes are specified in RFC 2548.
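
The Message-Authenticator check that chilli applies to replies can be reproduced as follows. This is an added example, not ChilliSpot's own code: per RFC 3579 the value is HMAC-MD5 over the reply, keyed with the shared secret, with the Request Authenticator of the matching Access-Request substituted into the header and the attribute's own value zeroed. The shared secret, packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute number from the table above

def attributes(packet):
    """Yield (type, value_offset, value_length) for each attribute."""
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]

def verify_reply(reply, secret, request_authenticator):
    """True/False if Message-Authenticator is present, None if it is absent."""
    (length,) = struct.unpack("!H", reply[2:4])
    found = [(off, n) for t, off, n in attributes(reply) if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return None
    off, n = found[0]
    if len(found) > 1 or n != 16:
        return False
    buf = bytearray(reply[:length])
    received = bytes(buf[off:off + 16])
    buf[4:20] = request_authenticator      # HMAC covers the request's authenticator
    buf[off:off + 16] = bytes(16)          # and a zeroed Message-Authenticator value
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison

def build_reply(code, ident, attrs, secret, request_authenticator):
    """Constructed test helper: encode a reply the way a RADIUS server would."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, head + request_authenticator + body, hashlib.md5).digest()
    body = body[:-16] + mac
    response_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + response_auth + body

SECRET = b"testing123"        # constructed shared secret
REQ_AUTH = bytes(range(16))   # constructed Request Authenticator
# Constructed Access-Accept (code 2) carrying Session-Timeout (27) = 3600 seconds
ACCEPT = build_reply(2, 7, [(27, struct.pack("!I", 3600))], SECRET, REQ_AUTH)
```

Changing any attribute in transit, for example raising Session-Timeout, makes `verify_reply` return `False`, because the HMAC covers every attribute in the reply.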

Access Points

We do not recommend access points from any particular vendor. For UAM just about any access point will do.

If you want to support WPA you need an access point which supports this. ChilliSpot was tested with access points from Cisco and Proxim for the WPA functionality.

Wireless Client

The wireless client can be just about any device which has a WLAN PC card or built-in wireless LAN. You should look for a client which is "wifi" compatible.

For UAM the client needs to have a web browser. Examples of wireless clients without a web browser include embedded devices and some WLAN VoIP phones.

For WPA you need a client which supports this. This needs to be supported by both the WLAN PC card as well as the operating system. Microsoft provides a WPA package for Windows XP.

Software Architecture

The primary platform for ChilliSpot is Linux, but it should also be possible to compile the software on other POSIX-compliant platforms: FreeBSD, OpenBSD, Solaris and even Apple OSX.

The main design goals of ChilliSpot were stability, portability and scalability. This resulted in the following design choices: