HOWTO: Install CoovaChilli on a Raspberry Pi using Raspbian, FreeRADIUS and MySQL

Introduction
I was in need of another project. I should probably just stop here...but I feel I need
to provide a rationale for doing this (mainly for myself or perhaps my wife because
of the time I put into these “projects”).
Anyway, here goes my (shabby) rationale...like many of you my wife and I get lots
of visitors who want internet access for their many devices while they're staying
with us and because of this I'm constantly giving out my wireless password. I have
a separate network for guests already that isolates them from my primary internal
network where my fileserver, etc, is located so guests don't have access to anything
important. To deal with this I could either take the easy route or the fun route. The
easy route: simply just change my wireless password on a regular basis or after
guests leave...but why do that when you could do it the fun way? Set up a wireless
hotspot and have a new project!

After you've gone through this, please feel free to modify and improve upon this
document.

The Intended Audience

The intended audience for this howto is people fairly new to Linux who have
purchased the Raspberry Pi as an educational tool. As such, I go into a fair amount
of detail so that the beginner can follow the steps and get to a working hotspot.
The beginner can then go back once it is installed and try to understand in more
detail what just happened.
Despite the focus being on beginners anyone can use this; there are likely a few
areas where the more advanced user may choose to deviate or do things a little
differently but that's what this is all about - learning and having fun doing it.

An Overview of the Process

At a very high level the following are the steps required to take your fresh Raspbian
install to a working CoovaChilli-powered hotspot.

Step 1: Install the required software.

Step 2: Configure how your network is set up to get your WAN and LAN working
to support a hotspot.

Step 3: Configure MySQL. This will be where you store your usernames and
any restrictions you will place upon any users, etc.

Step 4: Configure FreeRADIUS. In this step we also need to configure
FreeRADIUS to work with MySQL so these two programs can work together.

Step 5: Install and configure CoovaChilli. On the Raspberry Pi you need to
compile CoovaChilli from its source package and then install the resulting .deb file.
Once installed, we'll configure it to work together with the other installed software.

Step 6: Configure the firewall.

Step 7: Set up your Access Point so your hotspot users can access it.

Step 8: Set up users and add restrictions.

A Few Things First

There are a few things that require an honourable mention:

• Obviously, you will need a Raspberry Pi - I've only tested this on a model B. I
haven't tweaked the Pi in any way (i.e., no overclocking, etc). It's also
important to mention that I've installed everything on my Pi. It is possible to
set this up on your router or on separate devices but this is beyond the scope
of this howto.
• To make CoovaChilli work on any system you need to have two Network
Interface Controllers or NICs. Since the Pi only has one LAN port we need to
physically add another and in this case it is simple and inexpensive to use a
wireless dongle as our second NIC.
• For the wireless dongle I'm using the Edimax EW-7811Un (however, check the
Raspberry Pi compatibility list for others). The only reason I chose this one is
that it was small and didn't require a powered USB hub to work but the
downside is it is slow.
• The operating system I used was: 2013-07-26-wheezy-raspbian and it is
available to download at raspberrypi.org.
• With the exception of a few packages, which I'll tell you about when we get to
them, I used the standard repository to download and install the required binary
packages (i.e., .deb files).
• As a suggestion, before modifying any of the configuration files I would
encourage you to make a backup copy in case you need or want to go back
to them. For the most part the default configurations just work. You
obviously need to tweak them to your specific system but generally these are
fairly minor. If you want to have a more advanced set up then I'll leave that
to you to do further research.
• A wireless router that is configurable to the required specs (defined below).
• If you run into problems throughout this howto I would encourage you to run
the different programs in their debug mode to see what error is showing.
• You will need to have root access to work through this process.
• Some nomenclature: $ means a non-root user while # means a root user.
• The text editor I'm using is nano as it comes preinstalled and is a fairly
lightweight basic editor that is easy to use and learn.
• Create a root user as it will be required for this howto.
• The following text, used throughout the document, means that you need to
enter this into the command line. So in keeping with the previous bullet let's
start by creating the root user:

$ sudo passwd root

The teps
Step 1: Install the Required Software
 $he software you need to download and install in this section comes from the
repositories only. 5hen we need to download and compile the source pac!ages
we"ll go through that in those sections. $he only assumption at this point is that
you have a newly installed and wor!ing *aspbian command line with internet
access.
<irst, update the software that came with the standard install%
H sudo apt2get update JJ sudo apt2get upgrade

Install the re0uired pac!ages used for building pac!ages from source (we"ll need
these later)%

H sudo apt2get install debhelper libssl2dev libcurl;2gnutls2dev

Install the pac!ages we"ll be using in conjunction with 1oova1hilli%

H sudo apt2get install mys0l2server freeradius freeradius2mys0l

A couple of points to ma!e%


 

• 5hen installing 9y':7 you will be as!ed to enter a root password / please
remember this as you will be using this several times throughout this <A:.
• uring the installation process of <ree*AI=' there will come a point where it
generates iKe2Lellman (L) parameters / the time it ta!es to compute
these is highly variable but typically this is a time to grab a coee as it will
li!ely ta!e a while.
• 5ith the eception of two pac!ages (1oova1hilli and haserl) we now have
everything we need.

Step 2: Networking
The purpose of this section is to set up your network interfaces appropriately so that
one interface connects to the internet and the other interface is set up so that it can
be used by CoovaChilli to manage your hotspot clients.
As stated previously, CoovaChilli requires 2 NICs and therefore we need to set up our
networking for two NICs. In this case the assumption is that you have a wireless
dongle plugged in and recognized by your Pi that will serve as our second NIC.
We'll set it up so your internet connection comes from the wireless dongle
represented by wlan0 and the wired interface (eth0) will be managed by
CoovaChilli. This is probably the simplest setup - the reverse has other
complications that are beyond the scope of this howto.

$ sudo nano /etc/network/interfaces

Modify the file to look like this: (remember to back up your original file)

auto lo
iface lo inet loopback

# eth0 is the wired interface that will be managed by CoovaChilli
# The ip address listed below will be entered into the file /etc/chilli/defaults and
# assigned to the variable HS_UAMLISTEN=10.1.1.1 and the network address will be
# assigned to HS_NETWORK=10.1.1.0, HS_LANIF=eth0
# CoovaChilli isn't even installed yet so don't worry too much about this - it's more
# for your information at this point and for reference when you look back to see how
# everything fits together.

auto eth0
iface eth0 inet static
address 10.1.1.1
netmask 255.255.255.0
network 10.1.1.0

# The primary internet connection
# Given that wlan0 is the primary internet connection then later in the file
# /etc/chilli/defaults we set the variable HS_WANIF=wlan0

auto wlan0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface wlan0 inet dhcp
wpa-ssid "YourSSID"
wpa-psk "YourPassword"

Now we need to edit the wpa_supplicant.conf file:

$ sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

The following set up assumes you are connected to your router using WPA/2-PSK
mode. I use AES as it is more secure and faster so I would strongly encourage you
to use it over TKIP. Add this to the end of the file:

network={
ssid="YourSSID"
psk="YourPassword"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
auth_alg=OPEN
}

When you're done you can restart the networking service:

$ sudo /etc/init.d/networking restart

$ ifconfig

You should see that wlan0 has an IP address from your wireless router (confirm this).
You should also see that the eth0 interface has been assigned an IP address of
10.1.1.1. If this is not the case then reboot your pi (for whatever reason I had to do
this once for it to pick up the change - strange).

Step 3: Configure MySQL

We've already installed MySQL in step one so now we're ready to configure it. This
is where you'll need the MySQL root password you created during the installation of
MySQL.

For most of this howto you can save yourself time from typing 'sudo' before every
command by switching to the root user.

$ su root

Create a MySQL database called 'radius':

# echo "create database radius;" | mysql -u root -p

OR, you can do this

# mysql -u root -p

mysql> create database radius;

mysql> quit

The reason I showed you this alternative is because when you want to come back
later to check, edit, update, delete, or what have you, the contents of the tables in
the radius database then it's easier to do it the second way. The first way is simple
and efficient as you're only using one line but you will need to get familiar with
MySQL if you want to build on this howto.
Create the tables in the new radius database you just set up. For this step (i.e.,
schema.sql) you must be the root user - even sudo doesn't work.

# mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql

# mysql -u root -p radius < /etc/freeradius/sql/mysql/admin.sql

Create a user. This is a test user who will login to your CoovaChilli hotspot account
later.

# echo "insert into radcheck (username, attribute, op, value) values ('user1', 'Cleartext-Password', ':=', 'password');" | mysql -u root -p radius

Step 4: Configure FreeRADIUS

The first step is to configure FreeRADIUS to use the MySQL database you just set up.
FreeRADIUS comes configured to essentially work out of the box; however, the
default setup is to use flat files rather than to use MySQL. Much of this section is
used to get FreeRADIUS to use MySQL. Oh yeah, the binary version of FreeRADIUS
that is installed from the repositories is version 2.1.12.

Now edit the main radius configuration file:

# nano /etc/freeradius/radiusd.conf

Uncomment the line:

$INCLUDE sql.conf

More edits to make MySQL work:

# nano /etc/freeradius/sites-available/default

This file is organized into sections of code and there are three sections you need to
modify. Find the following blocks of code and uncomment the sql line in each.

authorize {
sql
}

accounting {
sql
}

session {
sql
}

Now that we have FreeRADIUS configured to work with MySQL, let's test it to ensure
it is configured properly. First we stop the FreeRADIUS daemon.

# /etc/init.d/freeradius stop

Then restart FreeRADIUS in debug mode:

# freeradius -X

At this point you'll see reams of output filling up your screen. What's important
here is to look at the end and check for a line that says “Ready to process
requests”. If you see that then great! If not then check the reams of output as it
will tell you where the error occurred. Check to make sure you didn't forget to
uncomment something or you didn't make a typo, etc.
Now that FreeRADIUS is processing requests we need to make sure it will
authenticate the test user you entered previously, that is, user1 with its associated
'password'. Open up another terminal (alt-F2 or if you're using something like Putty
then start a new session) and enter the following:

# radtest user1 password localhost 0 testing123

If all goes well, you should see output that says: “rad_recv: Access-Accept packet
from host 127.0.0.1...”. If not, check to make sure you added the user and
password correctly and that you've followed the correct sequence above to allow
FreeRADIUS to read the MySQL database.

Note: testing123 is the shared secret that's configured in
/etc/freeradius/clients.conf. This is typically shared between the router using the
WPA2 Enterprise setting and FreeRADIUS to authenticate each other. In our case it
authenticates FreeRADIUS and CoovaChilli.

Now you can close the extra terminal you've opened and in the first terminal hit
<ctrl-C> to stop freeradius in debug mode. Now restart the freeradius daemon:

# /etc/init.d/freeradius start

Step 5: Install and Configure CoovaChilli 1.3.0

In this section we'll compile and install two programs from source: CoovaChilli and
haserl. Let's begin with CoovaChilli.
Enter the /usr/src directory and download the following file:

# cd /usr/src

If you are installing this on an i386 system (and not a Raspberry Pi) then download
the following binary to make your life easier:

# wget http://ap.coova.org/chilli/coova-chilli_1.3.0_i386.deb

Back to the Pi...the first step is to get the source code from the CoovaChilli website:

# wget http://ap.coova.org/chilli/coova-chilli-1.3.0.tar.gz

On my system I calculated the sha256sum of this file to be:

ca4;ac4;8;Ec@>aBeE;e@B@@aE;8BEaBc;;;f4@3baB;EZfEbd3c3@4eB
coova2chilli23.8.E.tar.gF

It's a good habit to check this to make sure your file is complete. On your system
simply do the following to get the sha256sum of your .tar.gz file:

$ sha256sum coova-chilli-1.3.0.tar.gz

Now compare your number to the one listed above. If the hashes are the same -
perfect! If not, then you may want to re-download the file.

Once it's downloaded and verified then unpack the file:

/usr/src # tar xzf coova-chilli-1.3.0.tar.gz

This creates a directory called: coova-chilli-1.3.0. Enter the directory:

/usr/src/ # cd coova-chilli-1.3.0

We are now ready to configure the source code. To do this change back to a
non-root user:

/usr/src/coova-chilli-1.3.0 # exit

As a normal user go back into the coova-chilli source code directory (if not already
in it):

$ cd /usr/src/coova-chilli-1.3.0

Now we can configure the source files with the following options. It looks
intimidating doesn't it? Note that the dashes preceding the tags below are double
hyphens ( --) not singles; those joining two words are a single hyphen.

/usr/src/coova-chilli-1.3.0 $ ./configure --prefix=/usr \
--mandir='${prefix}/share/man' --infodir='${prefix}/share/info' \
--sysconfdir=/etc --localstatedir=/var --enable-largelimits \
--enable-binstatusfile --enable-statusfile --enable-chilliproxy \
--enable-chilliradsec --enable-chilliredir --with-openssl --with-curl \
--with-poll --enable-dhcpopt --enable-sessgarden --enable-dnslog \
--enable-ipwhitelist --enable-redirdnsreq --enable-miniconfig \
--enable-libjson --enable-layer3 --enable-proxyvsa --enable-miniportal \
--enable-chilliscript --enable-eapol --enable-uamdomainfile \
--enable-modules --enable-multiroute

Don't worry it will come to the end in a bit...and when it does you need to set the
compatibility level for debhelper otherwise you'll get something like:

: No compatibility level specified in debian/compat
: The package will soon FTBFS; time to fix it
: Compatibility levels before 5 are deprecated (level 1 in use)

Failing to set the compatibility level may result in a .deb file that's incomplete,
unstable or unusable. Therefore let's set the compatibility level to 9:

/usr/src/coova-chilli-1.3.0 $ echo 9 > debian/compat

Now we need to modify the /usr/src/coova-chilli-1.3.0/debian/rules file:

$ sudo nano /usr/src/coova-chilli-1.3.0/debian/rules

On line 54 of the file (close to the bottom) under install: build, we need to replace
the following line:

$(MAKE) DESTDIR=$(CURDIR)/debian/tmp install

With:

$(MAKE) DESTDIR=/ install

This ensures the necessary files are put into the /etc/chilli/ directory and not in the
directory specified in the original line. Failing to do this will cause an error.

We're now at the point where we're ready to compile the source code into an
actual .deb file that you can install!

/usr/src/coova-chilli-1.3.0 $ sudo dpkg-buildpackage -us -uc

Now that you just hit enter, you can sit back and watch the Pi do some real work.
This takes about +/-20 minutes on my Pi (with no overclocking or tweaking). Once
finished, the resulting .deb file (including a few other files) will be located in the
/usr/src directory and will be called: coova-chilli_1.3.0_armhf.deb
Now we can install our new .deb file. Make sure you go up a level to the /usr/src
directory where the file is located.

/usr/src $ sudo dpkg -i coova-chilli_1.3.0_armhf.deb

When this is finished you'll be presented with the following options: (Just select the
default)

Configuration file `/etc/init.d/chilli'
==> File on system created by you or by a script.
==> File also in package provided by package maintainer.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
chilli (Y/I/N/O/D/Z) [default=N] ? N

You should now get an error that says:

Starting chilli: SIOCSIFADDR: No such device
eth1: ERROR while getting interface flags: No such device

This is okay. Chilli tried to start and since we haven't configured it yet it failed.

Despite the error, this should be a happy moment in your progress...if you've never
compiled and installed a program from its source before give yourself a pat on the
back!
Now that we're on a roll compiling our code from source let's do it once more. Let's
start by downloading the source code:

/usr/src $ sudo wget http://downloads.sourceforge.net/project/haserl/haserl-devel/haserl-0.9.30.tar.gz

FYI, haserl is a light-weight program to create cgi web scripts.

Now unpack it:

/usr/src $ sudo tar xzf haserl-0.9.30.tar.gz

Calculate the sha256sum of this file and compare it to the one below.

$ sha256sum haserl-0.9.30.tar.gz
E3fZfZ;4c>BbebBeb@acdfdbc>fa84eZ3>@aZbB@8EZZ4defeb>a;Bc>fE;b>E haserl2
E.Z.8E.tar.gF
 

Enter the haserl directory:

/usr/src $ cd haserl-0.9.30

Configure the file (this time with no options so this feels...well...easy):

/usr/src/haserl-0.9.30 $ ./configure

Now we make and install the file:

/usr/src/haserl-0.9.30 $ sudo make && sudo make install

haserl should now be installed and we'll come back to it in a bit.

Now we're ready to actually configure CoovaChilli. First we need to enable the
service so it will start. It is turned off by default. To enable it to start simply edit the
following file:

# nano /etc/default/chilli

Change the first line from a 0 to a 1:

START_CHILLI=1

Okay, now we're going to edit the main chilli configuration file:

# nano /etc/chilli/defaults

Note this is the file I referred to previously when we set up our networking. The first
few items we're changing are to be consistent with what's in the
/etc/network/interfaces file.

HS_WANIF=wlan0           # From our /etc/network/interfaces file
HS_LANIF=eth0            # From our /etc/network/interfaces file
HS_NETWORK=10.1.1.0      # From our /etc/network/interfaces file
HS_UAMLISTEN=10.1.1.1    # From our /etc/network/interfaces file
HS_DNS1=8.8.8.8          # Set it to google because I know it works
HS_UAMALLOW=10.1.1.0/24
HS_RADSECRET=testing123  # This doesn't need to change but you might want
                         # to change this later. You'll just need to change
                         # it in /etc/freeradius/clients.conf as well
HS_LOC_NAME="Guest AP"   # Change this to what you'd like to appear on your
                         # login page
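
The comment on HS_RADSECRET says the secret has to be changed in two places. As an added example (not part of the original howto), the shell check below reads both files and reports whether the two secrets match and whether the stock value testing123 is still in use. The function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original howto. Function names are made up
# and the sample files are constructed; on the Pi pass /etc/chilli/defaults
# and /etc/freeradius/clients.conf instead.

# Print the last HS_RADSECRET value in a chilli defaults file, without a
# trailing comment or surrounding quotes.
chilli_secret() {
    sed -n 's/^[[:space:]]*HS_RADSECRET=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print the secret of the named client block in a FreeRADIUS clients.conf.
radius_client_secret() {
    awk -v want="$2" '
        $1 ~ /^#/ { next }                                    # comment line
        !inblk && $1 == "client" && $2 == want { inblk = 1; next }
        inblk && $0 ~ /^[ \t]*secret[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, "")
            gsub(/^"|"$/, ""); print; exit
        }
        inblk && $1 == "}" { exit }                           # block ended
    ' "$1"
}

# check_radsecret DEFAULTS CLIENTS_CONF [CLIENT]
# Prints one word, never the secret itself.
# Return codes: 0 ok, 1 mismatch, 2 stock secret still in use, 3 missing.
check_radsecret() {
    chilli=$(chilli_secret "$1")
    radius=$(radius_client_secret "$2" "${3:-localhost}")
    if [ -z "$chilli" ] || [ -z "$radius" ]; then echo missing; return 3; fi
    if [ "$chilli" != "$radius" ]; then echo mismatch; return 1; fi
    if [ "$chilli" = "testing123" ]; then echo default; return 2; fi
    echo ok
}

# --- constructed sample files -------------------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/defaults" <<'EOF'
HS_WANIF=wlan0
HS_LANIF=eth0
HS_RADSECRET=testing123    # stock value
EOF

cat > "$demo/defaults.changed" <<'EOF'
HS_RADSECRET="constructed-sample-secret"
EOF

cat > "$demo/clients.conf" <<'EOF'
# constructed sample
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
EOF

echo "both files stock:     $(check_radsecret "$demo/defaults" "$demo/clients.conf")"
echo "only chilli changed:  $(check_radsecret "$demo/defaults.changed" "$demo/clients.conf")"
```

A result of "mismatch" is the state in which CoovaChilli and FreeRADIUS can no longer authenticate each other, so run the check after editing either file.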

Step 6: Configure the Firewall

Our next step is to configure the firewall using iptables. CoovaChilli comes
preconfigured to do the heavy lifting for you but we do need to add a couple of
entries. Edit the following file:

$ sudo nano /etc/chilli/up.sh

At the bottom of the file add the following line:

iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE

Remember we installed haserl? We'll now edit the following file and add the path to
haserl:

$ sudo nano /etc/chilli/wwwsh

Go to the line where it says:

haserl=$(which haserl 2>/dev/null)

and replace it with:

haserl=/usr/local/bin/haserl

We're nearly done. We only have to restart all of our services. Now this doesn't
have to be done (it's not Windows) but I'd suggest rebooting to ensure all changes
are made.

$ sudo reboot

Once you've logged back into the Pi, you will need to start chilli.

$ sudo /etc/init.d/chilli start

Okay. Your CoovaChilli Captive Portal should now be configured and, if the stars are
aligned, working.
If you check ifconfig you should see a new tun0 interface - this is a good sign.

$ ifconfig
 

Step 7: Setup your Access Point

To make CoovaChilli work, you need to turn your router into a bridge. I have dd-wrt
installed on my router so this is possible. You need to check your router to see if
you can do this on yours. In dd-wrt you need to do the following:

(a) Disable the DHCP Server

Under Setup: Basic Setup
DHCP Server: Disable

(b) Set your broadcast SSID

Under Wireless: Basic Settings
Wireless Network Name (SSID): Your-Hotspot
Wireless Channel: Auto

(c) Disable the Security Mode

Under Wireless: Wireless Security
Security Mode: Disabled

(d) Disable the firewall

Under Security
Firewall Protection: Disable

The physical setup of your router:

Plug the Ethernet cable from your Pi into a LAN port on your router (not the
WAN/internet port). Remember your wireless dongle should already be receiving
your internet signal.
Now let's test it.

From another computer wirelessly connect to the network you just set up. Start
your web browser and fingers crossed it should bring up the Coova login page. If
so, then great job! You now have your own wireless hotspot! Your (geeky)
neighbours will be jealous!
Remember you set up a test user called 'user1' with a password of 'password'.
Enter those into the user/password fields. If all is successful you should be able to
access the internet through your hotspot. Now enter a non-existent user and
password to see if it fails - it should. If both of these work then congrats!

Step 8: Setting Up Users and Setting Restrictions

Okay, what fun is a hotspot if you can't set up some restrictions?

There are many restrictions you can set up for your users. I'm going to show you
some of the basic ones but if you'd like more complicated restrictions then I'd send
you to “google”.

For the most part the user restrictions are managed and set up through FreeRADIUS
rather than CoovaChilli which means we'll be modifying our MySQL tables to set the
restrictions. Okay, so let's get started. Edit the following file:

$ sudo nano /etc/freeradius/radiusd.conf

Uncomment the line so it reads:

$INCLUDE sql/mysql/counter.conf

Now we will edit the following file:

$ sudo nano /etc/freeradius/sites-available/default

Within the authorize section of the file we're going to uncomment sql; however,
depending on the restrictions you want to apply you must also add them to this file.
We're going to add four counters: noresetcounter, dailycounter, monthlycounter,
expiration. All but expiration are found in /etc/freeradius/sql/mysql/counter.conf
since expiration is a module.

authorize {
sql              # uncomment
noresetcounter   # add
dailycounter     # add
monthlycounter   # add
expiration       # add
daily            # uncomment this one
}
accounting {
daily            # uncomment
}

Now that we've modified this file we need to add some entries into the dictionary:

$ sudo nano /etc/freeradius/dictionary

Add the following lines:

ATTRIBUTE Daily-Session-Time 3000 integer
ATTRIBUTE Max-Daily-Session 3001 integer
ATTRIBUTE Monthly-Session-Time 3002 integer
ATTRIBUTE Max-Monthly-Session 3003 integer
ATTRIBUTE Max-All-Session-Time 3004 integer
ATTRIBUTE Max-All-Session 3005 integer

To deal with the expiration restriction we need to add some code:

$ sudo nano /etc/freeradius/sql/mysql/counter.conf

sqlcounter expiration {
count-attribute = Acct-Session-Time
counter-name = Max-Allowed-Session
check-name = Expiration
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
MIN(AcctStartTime))),0) FROM radacct WHERE \
UserName='${key}' ORDER BY AcctStartTime LIMIT 1;"
}

Now that we've got our system configured we can now proceed to add new users
along with restrictions:

If we want to add a new user called “Sam” with an associated password
“Sam'sPassword” we do the following (the apostrophe inside the password is
doubled so that MySQL reads it as part of the string):

# echo "insert into radcheck (username, attribute, op, value) values ('Sam', 'Cleartext-Password', ':=', 'Sam''sPassword');" | mysql -u root -p radius

Now one of the benefits of using MySQL is that immediately after you added
Sam, you can now login as Sam without restarting any of your services.

You can add as many or as few (i.e., none) of the restrictions provided below to
any or all of your users. Add the desired restrictions to the appropriate users in
the MySQL database. Some examples follow:

Example 1:
This will set the maximum time that Sam can access the internet to 10800
seconds or 3 hours:

# echo "insert into radcheck (username, attribute, op, value) values ('Sam', 'Max-Daily-Session', ':=', 10800);" | mysql -u root -p radius

Example 2:
The following will limit when user1 can logon to the internet. Note that user1
can only access the internet between 9.00am and 6.00pm in the example.

# echo "insert into radcheck (username, attribute, op, value) values ('user1', 'Login-Time', ':=', 'Al0900-1800');" | mysql -u root -p radius

Example 3:
Sam is only allowed to be logged on the system once. If you set this to 2 then
Sam can logon to the system twice simultaneously. This prevents people from
sharing their user name and password with their friends and each of them
logging in at the same time.

# echo "insert into radcheck (username, attribute, op, value) values ('Sam', 'Simultaneous-Use', ':=', 1);" | mysql -u root -p radius

Example 4:
Sam's access expires on August 1, 2013 at 8.00pm.

# echo "insert into radcheck (username, attribute, op, value) values ('Sam', 'Expiration', ':=', 'August 1 2013 20:00');" | mysql -u root -p radius

Example 5:
Sam will be rejected no matter what.

# echo "insert into radcheck (username, attribute, op, value) values ('Sam', 'Auth-Type', ':=', 'Reject');" | mysql -u root -p radius

Example 6:
Sam forgets to logout and therefore has an idle session and you want to
automatically log Sam off if the session is idle longer than 120 seconds:

# echo "insert into radreply (username, attribute, op, value) values ('Sam', 'Idle-Timeout', '=', 120);" | mysql -u root -p radius

Note a couple things: the equal sign is an '=' sign and not a ':=', the time is
listed in seconds and the entry is into the table radreply and not radcheck.

Example 7:
You want to limit Sam's sessions to 10 minutes each. In other words, after Sam
has been logged in he will be automatically logged out after 10 minutes. If Sam
logs out and back in, he will get another 10 minutes.

# echo "insert into radreply (username, attribute, op, value) values ('Sam', 'Session-Timeout', '=', 600);" | mysql -u root -p radius

See the note in example 6.
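
Examples 1 to 7 differ only in the table, the operator and the value, and a password such as Sam's shows how easily a stray apostrophe breaks a hand-typed statement. As an added example (not part of the original howto), the shell helper below builds those INSERT statements with every value escaped. The function names sql_quote and radius_rule are made up for illustration, and numbers are quoted as strings too, which MySQL accepts.

```shell
#!/bin/sh
# Added example, not part of the original howto: build the INSERT statements
# used in the examples above so values are always escaped the same way.

# Quote a value for a single-quoted MySQL string: double every backslash
# and every apostrophe.
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")"
}

# radius_rule USER ATTRIBUTE VALUE  -> prints one INSERT statement on stdout.
# Check items go to radcheck with ':=', reply items to radreply with '=',
# as in the note under example 6.
radius_rule() {
    case "$2" in
        Idle-Timeout|Session-Timeout)
            table=radreply; op='=' ;;
        Cleartext-Password|Max-Daily-Session|Login-Time|Simultaneous-Use|Expiration|Auth-Type)
            table=radcheck; op=':=' ;;
        *)
            echo "radius_rule: attribute not covered here: $2" >&2
            return 1 ;;
    esac
    # Attributes that hold seconds or a count must be whole numbers.
    case "$2" in
        Max-Daily-Session|Simultaneous-Use|Idle-Timeout|Session-Timeout)
            case "$3" in
                ''|*[!0-9]*)
                    echo "radius_rule: $2 needs a whole number" >&2
                    return 1 ;;
            esac ;;
    esac
    printf 'insert into %s (username, attribute, op, value) values (%s, %s, %s, %s);\n' \
        "$table" "$(sql_quote "$1")" "$(sql_quote "$2")" \
        "$(sql_quote "$op")" "$(sql_quote "$3")"
}

# Print a few of the statements from the examples above.
radius_rule Sam Cleartext-Password "Sam'sPassword"
radius_rule Sam Max-Daily-Session 10800
radius_rule user1 Login-Time Al0900-1800
radius_rule Sam Idle-Timeout 120

# On the Pi, pipe a statement into MySQL the same way the howto does:
#   radius_rule Sam Session-Timeout 600 | mysql -u root -p radius
```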

The final part, which is optional, is to get chilli to start at boot time. Edit the
following file:

$ sudo nano /etc/init.d/chilli

At the top of the file edit the section to match this:

### BEGIN INIT INFO
# Provides: chilli
# Required-Start: $network
# Should-Start:
# Required-Stop: $network
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: CoovaChilli access controller
### END INIT INFO

To get chilli to start at boot time enter the following command:

$ sudo update-rc.d chilli defaults

By the way, if you don't want chilli to start at boot time and you've entered the
above command already you can reverse it by entering the following:

$ sudo update-rc.d -f chilli remove

By now you should have a working hotspot powered by CoovaChilli on your
Raspberry Pi. Please feel free to edit this document to improve on it as you see fit.
Enjoy!
