NAME
chilli - ChilliSpot.org. A Wireless LAN Access Point Controller
SYNOPSIS
chilli --help
chilli --version
chilli [ --fg ] [ --debug ] [ --conf file ] [ --pidfile file ] [ --statedir file ]
[ --net net ] [ --dynip net ] [ --statip net ] [ --dns1 host ] [ --dns2 host ]
[ --domain domain ] [ --ipup script ] [ --ipdown script ] [ --radiuslisten host ]
[ --radiusserver1 host ] [ --radiusserver2 host ] [ --radiusauthport port ]
[ --radiusacctport port ] [ --radiussecret secret ] [ --radiusnasid id ]
[ --radiuslocationid id ] [ --radiuslocationname name ] [ --coaport port ]
[ --coanoipcheck ] [ --proxylisten host ] [ --proxyport port ] [ --proxyclient host ]
[ --proxysecret secret ] [ --dhcpif dev ] [ --dhcpmac address ] [ --lease seconds ]
[ --uamserver url ] [ --uamredirect url ] [ --uamsecret secret ] [ --uamip host ]
[ --uamport port ] [ --uamallowed domain ] [ --uamanydns ] [ --macauth ]
[ --macallowed ] [ --macsuffix suffix ] [ --macpasswd password ]
DESCRIPTION
chilli is a Wireless LAN HotSpot Controller. It supports two different access
methods for a Wireless LAN HotSpot: Universal Access Method (UAM) and Wireless
Protected Access (WPA).
chilli has three major interfaces: a downlink interface for accepting
connections from clients, a radius interface for authenticating clients, and an
uplink network interface for forwarding traffic to other networks.
Authentication of clients is performed by an external radius server. For UAM
the CHAP-Challenge and CHAP-Password attributes specified by RFC 2865 are used.
For WPA the radius EAP-Message attribute defined in RFC 2869 is used. The
attributes described in RFC 2548 are used for transferring encryption keys from
the radius server to chilli. Furthermore, the radius interface supports
accounting.
The downlink interface accepts DHCP and ARP requests from clients. A client
can be in one of two states: unauthenticated or authenticated. In the
unauthenticated state, web requests from the client are redirected to an
authentication web server.
In a typical application unauthenticated clients will be forwarded to a web
server and prompted for username and password. The web server forwards the user
credentials to chilli by means of redirecting the web browser to chilli.
A received authentication request is forwarded to a radius server. If
authentication is successful the state of the client is changed to
authenticated. This authentication method is known as Universal Access Method
(UAM).
As an alternative to UAM, the access points can be configured to authenticate
clients using Wireless Protected Access (WPA). In this case the authentication
credentials are forwarded from the access point to chilli using the radius
protocol. chilli proxies the received radius request and forwards it to the
radius server.
The uplink interface is implemented by using the TUN/TAP driver. When
chilli is started a tun interface is established, and optionally an
external configuration script is called.
Runtime errors are reported using the syslogd(8) facility.
OPTIONS
- --help
- Print help and exit.
- --version
- Print version and exit.
- --fg
- Run in foreground (default = off)
- --debug
- Run in debug mode (default = off)
- --conf file
- Read configuration file (default = /etc/chilli.conf) where each
line corresponds to one command line option, but with the leading '--'
removed. Command line options override the options given in the configuration
file.
- --pidfile file
- Filename of process id file (default = /var/run/chilli.pid)
- --statedir path
- Path to the directory holding nonvolatile data (default = /var/lib/chilli/)
- --net net
- Network address of the uplink interface (default = 192.168.182.0/24). The
network address is set during initialisation when chilli establishes a
tun device for the uplink interface. The network address is specified as
either <address>/<netmask> (192.168.182.0/255.255.255.0) or
<address>/<prefix> (192.168.182.0/24).
- --dynip net
- Dynamic IP address pool. Specifies a pool of dynamic IP addresses. If this
option is omitted the network address specified by the --net option is
used for dynamic IP address allocation. See the --net option for a
description of the network address format.
- --statip net
- Static IP address pool. Specifies a pool of static IP addresses. With
static address allocation the IP address of the client can be specified by the
radius server. Static address allocation can be used for both MAC
authentication and Wireless Protected Access.
- --dns1 host
- DNS Server 1. It is used to inform the client about the DNS address to use
for host name resolution. If this option is not given the system primary DNS
is used.
- --dns2 host
- DNS Server 2. It is used to inform the client about the DNS address to use
for host name resolution. If this option is not given the system secondary DNS
is used.
- --domain domain
- Domain name. It is used to inform the client about the domain name to use
for DNS lookups.
- --ipup script
- Script executed after the tun network interface has been brought up.
Executed with the following parameters: <devicename> <ip address> <mask>
- --ipdown script
- Script executed after the tun network interface has been taken down.
Executed with the following parameters: <devicename> <ip address> <mask>
- --radiuslisten host
- Local interface IP address to use for the radius interface. If omitted the
IP address will be determined by the routing tables.
- --radiusserver1 host
- The IP address of radius server 1 (default=rad01.hotradius.com).
- --radiusserver2 host
- The IP address of radius server 2 (default=rad02.hotradius.com).
- --radiusauthport port
- The UDP port number to use for radius authentication requests (default=1812).
- --radiusacctport port
- The UDP port number to use for radius accounting requests (default=1813).
- --radiussecret secret
- Radius shared secret for both servers (default=testing123). This secret
should be changed in order not to compromise security.
- --radiusnasid id
- Network access server identifier (default=nas01).
- --radiuslocationid id
- WISPr Location ID. Should be in the format:
isocc=<ISO_Country_Code>,cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>.
This parameter is further described in the document: Wi-Fi Alliance - Wireless
ISP Roaming - Best Current Practices v1, Feb 2003.
- --radiuslocationname name
- WISPr Location Name. Should be in the format:
<HOTSPOT_OPERATOR_NAME>,<LOCATION>. This parameter is further
described in the document: Wi-Fi Alliance - Wireless ISP Roaming - Best
Current Practices v1, Feb 2003.
- --coaport port
- UDP port to listen to for accepting radius disconnect requests.
- --coanoipcheck
- If this option is given no check is performed on the source IP address of
radius disconnect requests. Otherwise it is checked that radius disconnect
requests originate from --radiusserver1 or --radiusserver2.
- --proxylisten host
- Local interface IP address to use for accepting radius requests.
- --proxyport port
- UDP Port to listen to for accepting radius requests.
- --proxyclient host
- IP address from which radius requests are accepted. If omitted the server
will not accept radius requests.
- --proxysecret secret
- Radius shared secret for clients. If not specified it defaults to
--radiussecret.
- --dhcpif dev
- Ethernet interface to listen to for the downlink interface. This option
must be specified.
- --dhcpmac address
- MAC address to listen to. If not specified the MAC address of the
interface will be used. The MAC address should be chosen so that it does not
conflict with other addresses on the LAN. An address in the range
00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls within the IANA range of addresses
and is not allocated for other purposes.
The --dhcpmac option can be used in conjunction with access filters
in the access points, or with access points which support packet forwarding
to a specific MAC address. Thus it is possible at the MAC level to separate
access point management traffic from user traffic for improved system
security.
The --dhcpmac option will set the interface in promiscuous mode.
- --lease seconds
- Use a DHCP lease of the given number of seconds (default = 600).
- --uamserver url
- URL of web server to use for authenticating clients.
- --uamhomepage url
- URL of homepage to redirect unauthenticated users to. If not specified
this defaults to --uamserver.
- --uamsecret secret
- Shared secret between uamserver and chilli. This secret should be set in
order not to compromise security.
- --uamlisten host
- IP address to listen to for authentication of clients. If an
unauthenticated client tries to access the Internet she will be redirected to
this address.
- --uamport port
- TCP port to bind to for authenticating clients (default = 3990). If an
unauthenticated client tries to access the Internet she will be redirected to
this port on the --uamlisten IP address.
- --uamallowed domain
- Comma separated list of domain names, IP addresses or network segments the
client can access without first authenticating. Example:
--uamallowed www.chillispot.org,10.11.12.0/24
This option is useful for access to a credit card payment gateway, for
access to community and other free information as well as for access to a
company VPN server without first having to login to the HotSpot.
ChilliSpot resolves the domain names to a set of IP addresses during
startup. Some big sites change the returned IP addresses for each lookup. This
behaviour is not compatible with this option.
- --uamanydns
- Allow any DNS server. Normally unauthenticated clients are only allowed to
communicate with the DNS servers specified by the dns1 and dns2
options. If the --uamanydns option is given ChilliSpot will allow the
client to use all DNS servers. This is convenient for clients which are
configured to use a fixed set of DNS servers. For security reasons this option
should be combined with a destination NAT firewall rule which forwards all DNS
requests to a given DNS server.
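The --ipup entry above only says that chilli runs the script as <devicename> <ip address> <mask>, and the --uamanydns entry says the option should be paired with a destination NAT rule that forwards all client DNS requests to a chosen server. The following script, written here as an added example and not part of ChilliSpot, ties the two together: used as the --ipup (or, by name, the --ipdown) script, it derives the hotspot network from the address and mask chilli passes and installs (or removes) the iptables DNAT rules for DNS on the tun device. The resolver address FORCED_DNS and the iptables rule layout are this example's choices, not anything the man page specifies.

```python
#!/usr/bin/env python3
"""--ipup / --ipdown script for chilli (added example, not ChilliSpot code).

chilli invokes it as:  <script> <devicename> <ip address> <mask>
When the script is installed under a name containing "down" it deletes the
rules it would otherwise add, so one file can serve both --ipup and --ipdown.
"""
import ipaddress
import os
import subprocess
import sys

# Assumption: the resolver every client DNS query is forced to. Use the same
# server you hand out with --dns1 so clients see consistent answers.
FORCED_DNS = "192.0.2.53"


def hotspot_network(ip, mask):
    """chilli passes the tun address and mask separately; combine them into
    the network the clients live in. The mask may be dotted (255.255.255.0)
    or a prefix length (24), matching the two forms accepted by --net."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def dns_dnat_rules(dev, ip, mask, dns=FORCED_DNS, action="-A"):
    """Build the iptables commands (as argv lists, not executed here) that
    rewrite every DNS query from the hotspot clients arriving on the tun
    device to the forced resolver. Queries already addressed to that
    resolver are left alone. action is "-A" to add or "-D" to delete."""
    net = hotspot_network(ip, mask)
    rules = []
    for proto in ("udp", "tcp"):
        rules.append([
            "iptables", "-t", "nat", action, "PREROUTING",
            "-i", dev, "-s", str(net),
            "-p", proto, "--dport", "53",
            "!", "-d", dns,
            "-j", "DNAT", "--to-destination", f"{dns}:53",
        ])
    return rules


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: <script> <devicename> <ip address> <mask>")
    dev, ip, mask = argv
    action = "-D" if "down" in os.path.basename(sys.argv[0]) else "-A"
    for cmd in dns_dnat_rules(dev, ip, mask, action=action):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Install it as, for example, /etc/chilli/ipup.py with a symlink named ipdown.py, and point --ipup and --ipdown at those two names; the rule deletion on ipdown keeps the nat table from accumulating stale entries across chilli restarts.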
- --macauth
- If this option is given ChilliSpot will try to authenticate all users
based on their MAC address alone. The User-Name sent to the radius server will
consist of the MAC address and an optional suffix which is specified by the
--macsuffix option.
- --macallowed mac
- List of MAC addresses for which MAC authentication will be performed.
Example:
--macallowed 000A5EACBE51,00301B3C32E9
The User-Name sent to the radius server will consist of the MAC address and
an optional suffix which is specified by the --macsuffix option.
- --macsuffix suffix
- Suffix to add to the MAC address in order to form the User-Name, which is
sent to the radius server.
- --macpasswd password
- Password used when performing MAC authentication. (default = password)
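Several entries above carry configuration advice that is easy to miss in a long option list: --conf describes the file format and the rule that command-line options override it, --net describes the two network notations, --dhcpif must be present, --radiussecret ships with the default testing123 that "should be changed", --uamsecret "should be set", --uamanydns needs an accompanying DNAT rule, and --coanoipcheck disables the source-address check on disconnect requests. The following script, an added example that is not part of ChilliSpot, parses a chilli.conf in the documented format, applies command-line overrides the way --conf describes, validates the network options with both notations, and reports those settings. The sample configuration is constructed for the example, and treating lines beginning with '#' as comments is this example's assumption, not something the man page states.

```python
#!/usr/bin/env python3
"""Parse a chilli.conf-style file, apply command-line overrides and report
the settings the chilli(8) man page warns about. Added example, not
ChilliSpot code."""
import ipaddress
import sys

# Options that take no value according to the SYNOPSIS.
FLAG_OPTIONS = {"help", "version", "fg", "debug", "coanoipcheck",
                "uamanydns", "macauth"}

# Constructed sample configuration (not from any real deployment); addresses
# are from documentation ranges and the host name is a placeholder.
SAMPLE_CONF = """\
# one option per line, leading '--' removed
net 192.168.182.0/255.255.255.0
dhcpif eth1
radiusserver1 192.0.2.10
radiusserver2 192.0.2.11
radiussecret testing123
uamserver https://login.example.invalid/hotspotlogin
uamanydns
coanoipcheck
"""


def parse_conf(text):
    """Return {option: value}; options without a value map to True.

    Each line is one command line option with the leading '--' removed, as
    described under --conf. Lines starting with '#' are skipped as comments
    (an assumption of this example)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lstrip("-")          # tolerate a pasted '--option'
        opts[key] = parts[1].strip() if len(parts) > 1 else True
    return opts


def apply_cmdline(opts, argv):
    """Command line options override the configuration file (see --conf)."""
    merged = dict(opts)
    i = 0
    while i < len(argv):
        key = argv[i].lstrip("-")
        if key in FLAG_OPTIONS or i + 1 >= len(argv):
            merged[key] = True
            i += 1
        else:
            merged[key] = argv[i + 1]
            i += 2
    return merged


def parse_net(spec):
    """Accept both forms documented under --net: <address>/<netmask>
    (192.168.182.0/255.255.255.0) or <address>/<prefix> (192.168.182.0/24)."""
    return ipaddress.ip_network(spec, strict=False)


def audit(opts):
    """Return a list of findings (short strings) for the effective options."""
    findings = []
    if "dhcpif" not in opts:
        findings.append("dhcpif: missing, but this option must be specified")
    for name in ("net", "dynip", "statip"):
        if name in opts:
            try:
                parse_net(opts[name])
            except ValueError as exc:
                findings.append(f"{name}: invalid network {opts[name]!r} ({exc})")
    # testing123 is the documented default and the page says to change it.
    if opts.get("radiussecret", "testing123") == "testing123":
        findings.append("radiussecret: default 'testing123' in use; change it")
    if "uamserver" in opts and "uamsecret" not in opts:
        findings.append("uamsecret: not set; uamserver/chilli exchange is unprotected")
    if opts.get("uamanydns"):
        findings.append("uamanydns: set; pair it with a DNAT rule forcing DNS to a known server")
    if opts.get("coanoipcheck"):
        findings.append("coanoipcheck: set; disconnect requests accepted from any source IP")
    return findings


if __name__ == "__main__":
    # usage: audit_chilli.py [/etc/chilli.conf [--option value ...]]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(apply_cmdline(parse_conf(text), sys.argv[2:])):
        print(finding)
```

Run without arguments it audits the embedded sample and reports four findings; run as `audit_chilli.py /etc/chilli.conf --radiussecret newsecret` it shows what chilli would effectively run with, since the command-line value replaces the one in the file.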
FILES
- /etc/chilli.conf
- The configuration file for chilli.
- /var/run/chilli.pid
- Process ID file.
SEE ALSO
syslogd(8)
NOTES
Please see the ChilliSpot project homepage at for further documentation and
community support.
Besides the long options documented in this man page chilli also
accepts a number of short options with the same functionality. Use chilli
--help for a full list of all the available options.
The TUN/TAP driver is required for proper operation of chilli. For
Linux kernels later than 2.4.7 the TUN/TAP driver is included in the kernel, but
typically needs to be loaded manually with modprobe tun. For automatic
loading the line alias char-major-10-200 tun can be added to
/etc/modules.conf. For other platforms see for information on how to
install and configure the tun driver.
COPYRIGHT
Copyright (C) 2002, 2003, 2004 by Mondru AB.