chilli.conf(5)		      File Formats Manual		chilli.conf(5)

NAME
       chilli.conf -  Chilli Configuration

DESCRIPTION
       chilli  has  many  configuration	parameters which can either be used on
       the command line	or in a	configuration file. When on the	command	 line,
       options	are  prefixed with two dashes and may or may not have an equal
       sign, for instance, these are equivalent:

       chilli --uamallowed coova.org --uamanydns

       chilli --uamallowed="coova.org" --uamanydns

       Options that do not have	arguments behave the same  way,	 just  without
       any  equal sign or second argument. When	in the configuration file, op-
       tions must not have any dashes, but can still be	used with  or  without
       the equal sign, as in:

       uamallowed coova.org

       uamallowed=coova.org

       uamanydns

       Options given on the command line take precedence over any options
       defined in a configuration file. The default main configuration file is
       /usr/local/etc/chilli.conf which can be overridden using the --conf
       option (or just --c for short) on the command line. Configuration files
       may also include other configuration files as in:

       include /path/to/chilli/configfile.conf

       Blank lines and comment lines starting with '#' are also	allowed	in the
       configuration file.

OPTIONS
       As mentioned above, all options below are able to be put	on the command
       line  (prefixed	with  '--') or in a configuration file.	A few options,
       shown below with	the leading dashes, are	typically  only	 used  on  the
       command line.

       --help Or -h for	short; prints help and exits (command line)

       --version
	      Or -V for	short; prints version and exits	(command line)

       --fg   Or -f for	short; runs server in foreground (command line)

       --debug
	      Or -d for	short; run server in debug mode	(command line)

       --debugfacility level
              Increase the debug level (command line) (should be named
              debuglevel)

       --conf file
              Or -c file for short; use the configuration file file instead of
              the default shown in FILES (command line)

       logfacility facility
	      The syslog(8) facility to	use for	logging.

       interval	seconds
	      Re-read  configuration  file  and	 do DNS	lookups	every interval
	      seconds. This has	the same effect	as sending the HUP signal.  If
	      interval is 0 (zero) this	feature	is disabled.

       pidfile file
	      Filename to put the process id, see FILES	for default.

       statedir	path
	      Directory	of non-volatile	data, see FILES	for default.

       cmdsock file
	      UNIX  socket  used  for  communication  with chilli_query(1) see
	      FILES for	default.

       net net
              Network address of the uplink interface (default =
              192.168.182.0/24). The network address is set during
              initialisation when chilli establishes a tun device for the
              uplink interface. The network address is specified as either
              <address>/<netmask> (192.168.182.0/255.255.255.0) or
              <address>/<prefix> (192.168.182.0/24).

       dynip net
	      Dynamic  IP  address  pool.  Specifies  a	pool of	dynamic	IP ad-
	      dresses. If this option is omitted the network address specified
	      by the net option	is used	for dynamic IP address allocation. See
	      the net option for a description of the network address format.

       statip net
	      Static IP	address	pool. Specifies	a pool of static IP addresses.
	      With  static address allocation the IP address of	the client can
	      be specified by the radius server. Static	address	allocation can
	      be  used	for both MAC authentication and	Wireless Protected Ac-
	      cess.

       dns1 host
	      DNS Server 1. It is used to inform the client about the DNS  ad-
	      dress  to	 use  for  host	name resolution. If this option	is not
	      given the	system primary DNS is used.

       dns2 host
	      DNS Server 2. It is used to inform the client about the DNS  ad-
	      dress  to	 use  for  host	name resolution. If this option	is not
	      given the	system secondary DNS is	used.

       domain domain
	      Domain name. It is used to inform	the client  about  the	domain
	      name to use for DNS lookups.

       ipup script
              Script executed after the TUN/TAP network interface has been
              brought up. Executed with the following parameters:
              _device-name_ _ip-address_ _net-mask_ and with environment
              variables:

	      DEV=_tun/tap-device-name_
		     The TUN/TAP device	being brought up.

	      ADDR=_tun/tap-device-ip_
		     The TUN/TAP device	IP address being brought up.

	      MASK=_tun/tap-device-mask_
		     The TUN/TAP device	net mask being brought up.

	      NET=_tun/tap-device-net_
		     The TUN/TAP device	network	being brought up.

	      DHCPIF=_interface_
		     The dhcpif	configured in chilli.conf(5)

	      UAMPORT=_port-num_
		     The uamport configured in chilli.conf(5)

	      UAMUIPORT=_port-num_
		     The uamuiport configured in chilli.conf(5)

       ipdown script
	      Script  executed	after the tun network interface	has been taken
	      down with	the same arguments and environment variables as	above.

       conup script
	      Script executed after the	tun network interface has been brought
	      up.   Executed  with  the	 following  environment	variables (see
	      source code for possibly more):

	      DEV=_tun/tap-device_
		     The TUN/TAP device.

	      ADDR=_chilli-ip_
		     IP	Address	of chilli, see the uamlisten option.

	      NET=_chilli-net_
		     Network of	chilli,	see the	net option.

	      MASK=_chilli-net-mask_
		     Network mask of chilli, see the net options.

	      NAS_IP_ADDRESS=_radiuslisten_
		     Is	set to the radiuslisten	value.

	      NAS_ID=_nas-id_
		     The radiusnasid option.

	      WISPR_LOCATION_ID=_location-id_
		     The radiuslocationid option.

	      WISPR_LOCATION_NAME=_location-name_
		     The radiuslocationname option.

	      USER_NAME=_username_
		     User-name used to login.

	      FRAMED_IP_ADDRESS=_client-ip_
		     The client's IP Address.

	      CALLING_STATION_ID=_client-mac_
		     The client's MAC Address.

	      CALLED_STATION_ID=_chilli-mac_
		     The MAC address of	the chilli interface.

	      FILTER_ID=_filter_
		     A possible	filter ID returned in RADIUS Filter-ID.

	      SESSION_TIMEOUT=_seconds_
		     The max session time, as set by RADIUS Session-Timeout.

	      IDLE_TIMEOUT=_seconds_
		     The max idle time,	as set by RADIUS Idle-Timeout.

	      WISPR_BANDWIDTH_MAX_UP=_bandwidth_
                     Max up stream bandwidth set by RADIUS
                     WISPr-Bandwidth-Max-Up.

              WISPR_BANDWIDTH_MAX_DOWN=_bandwidth_
                     Max down stream bandwidth set by RADIUS
                     WISPr-Bandwidth-Max-Down.

              CHILLISPOT_MAX_INPUT_OCTETS=_bytes_
                     Max input octets set by RADIUS
                     ChilliSpot-Max-Input-Octets.

              CHILLISPOT_MAX_OUTPUT_OCTETS=_bytes_
                     Max output octets set by RADIUS
                     ChilliSpot-Max-Output-Octets.

              CHILLISPOT_MAX_TOTAL_OCTETS=_bytes_
                     Max total octets set by RADIUS
                     ChilliSpot-Max-Total-Octets.

       condown script
	      Script  executed after a session has moved from authorized state
	      to unauthorized with the same environment	variables as above.

       ssid ssid
	      A	parameter that is passed on to the UAM server in  the  initial
	      redirect URL.

       vlan vlan
	      A	 parameter  that is passed on to the UAM server	in the initial
	      redirect URL.

       nasip ipaddress
	      Value to use in RADIUS NAS-IP-Address attribute. If not present,
	      radiuslisten is used (which defaults to "0.0.0.0").

       nasmac mac
	      MAC  address value to use	in RADIUS Called-Station-ID attribute.
	      If not present, the MAC  address	of  the	 dhcpif	 is  used  for
	      Called-Station-ID.

       radiuslisten host
	      Local  interface IP address to use for the radius	interface. De-
	      faults to	the value used in RADIUS NAS-IP-Address	when nasip  is
	      not set.

       radiusserver1 host
	      The IP address of	radius server 1	(default=rad01.coova.org).

       radiusserver2 host
	      The IP address of	radius server 2	(default=rad01.coova.org).

       radiusauthport port
	      The  UDP	port  number to	use for	radius authentication requests
	      (default 1812).

       radiusacctport port
	      The UDP port number to use for radius accounting	requests  (de-
	      fault 1813).

       radiussecret secret
	      Radius shared secret for both servers (default coova-anonymous).
	      This secret should be changed in order not to  compromise	 secu-
	      rity.

       radiusnasid id
	      Network access server identifier (default	nas01).

       radiuslocationid	id
              WISPr Location ID. Should be in the format:
              isocc=<ISO_Country_Code>, cc=<E.164_Country_Code>,
              ac=<E.164_Area_Code>, network=<ssid/ZONE>. This parameter is
              further described in the document: Wi-Fi Alliance - Wireless ISP
              Roaming - Best Current Practices v1, Feb 2003.

       radiuslocationname name
              WISPr Location Name. Should be in the format:
              <HOTSPOT_OPERATOR_NAME>,<LOCATION>. This parameter is further
              described in the document: Wi-Fi Alliance - Wireless ISP Roaming
              - Best Current Practices v1, Feb 2003.

       radiusnasporttype type
              Value of NAS-Port-Type attribute. Defaults to 19
              (Wireless-IEEE-802.11).

       radiusoriginalurl
	      Flag (defaults to	off) to	send the ChilliSpot-OriginalURL	RADIUS
	      VSA in Access-Request.

       adminuser username
	      User-name	to use for Administrative-User authentication in order
	      to pick up chilli	configurations and establish a device 'system'
	      session.

       adminpasswd password
	      Password to use for Administrative-User authentication in	 order
	      to pick up chilli	configurations and establish a device 'system'
	      session.

       swapoctets
              Swap the meaning of "input octets" and "output octets" as it
              relates to RADIUS attributes.

       openidauth
              Allows OpenID authentication by sending
              ChilliSpot-Config=allow-openidauth in RADIUS Access-Requests to
              inform the RADIUS server of the option.

       wpaguests
              Allows WPA Guest authentication by sending
              ChilliSpot-Config=allow-wpa-guests in RADIUS Access-Requests to
              inform the RADIUS server of the option. The RADIUS server may
              respond with an Access-Accept containing
              ChilliSpot-Config=require-uam-auth to give WPA access, but
              enforce the captive portal.

       coaport port
	      UDP port to listen to for	accepting radius disconnect requests.

       coanoipcheck
	      If  this	option is given	no check is performed on the source IP
	      address of radius	disconnect requests. Otherwise it  is  checked
	      that  radius disconnect requests originate from radiusserver1 or
	      radiusserver2.

       proxylisten host
	      Local interface IP address to use	for accepting radius requests.

       proxyport port
	      UDP Port to listen to for	accepting radius requests.

       proxyclient host
	      IP address from which radius requests are	accepted.  If  omitted
	      the server will not accept radius	requests.

       proxysecret secret
	      Radius  shared  secret for clients. If not specified it defaults
	      to radiussecret.

       dhcpif dev
	      Ethernet interface to listen to for the downlink interface. This
	      option must be specified.

       usetap Use the TAP interface instead of TUN (Linux only).

       tundev dev
	      The specific device to use for the TUN/TAP interface.

       txqlen bytes
	      The TX queue length to set on the	TUN/TAP	interface.

       dhcpmac address
	      MAC  address  to	listen to. If not specified the	MAC address of
	      the interface will be used. The MAC address should be chosen  so
	      that  it	does  not conflict with	other addresses	on the LAN. An
	      address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls
	      within  the  IANA	 range	of  addresses and is not allocated for
	      other purposes.
              The dhcpmac option can be used in conjunction with access
              filters in the access points, or with access points which
              support packet forwarding to a specific MAC address. Thus it is
              possible at the MAC level to separate access point management
              traffic from user traffic for improved system security.

	      The dhcpmac option will set the interface	in promisc mode.

       lease seconds
	      Use a DHCP lease of seconds (default 600).

       dhcpstart number
	      Where to start assigning IP addresses (default 10).

       dhcpend number
	      Where to stop assigning IP addresses (default 254).

       eapolenable
	      If this option is	given IEEE 802.1x authentication  is  enabled.
	      ChilliSpot  will	listen	for EAP	authentication requests	on the
	      interface	specified by dhcpif.  EAP messages  received  on  this
	      interface	are forwarded to the radius server.

       uamserver url
	      URL of web server	to use for authenticating clients.

       uamhomepage url
	      URL  of  homepage	 to  redirect unauthenticated users to.	If not
	      specified	this defaults to uamserver.

       wisprlogin url
	      A	specific URL to	be given in  WISPr  XML	 LoginURL.  Otherwise,
	      uamserver	is used.

       uamsecret secret
	      Shared  secret  between uamserver	and chilli. This secret	should
	      be set in	order not to compromise	security.

       uamlisten host
	      IP address to listen to for authentication  of  clients.	If  an
	      unauthenticated  client tries to access the Internet she will be
	      redirected to this address.

       uamport port
	      TCP port to bind to for authenticating clients (default =	3990).
	      If  an  unauthenticated  client tries to access the Internet she
	      will be redirected to this port on the uamlisten IP address.

       uamuiport port
	      TCP port to bind to for only serving embedded content.

       uamallowed domain
              Comma separated list of resources the client can access without
              first authenticating. Each entry in the list can be a domain
              name, IP address, or network segment. Example:

	      uamallowed www.chillispot.org,10.11.12.0/24

              Where each entry can be made more specific by specifying a
              protocol and port in the format host/network:port or
              protocol:host/network or protocol:host/network:port where
              protocol is a protocol name from /etc/protocols, host/network is
              just as above (a domain, IP, or network), and port is a port
              number. Example:

	      uamallowed coova.org:80,icmp:coova.org

              Adding to your walled garden is useful for allowing access to
              credit card payment gateways, a community website, or other
              publicly available resources.

	      ChilliSpot  resolves  the	 domain	names to a set of IP addresses
	      during startup. Some big sites change the	returned IP  addresses
	      for  each	lookup.	This behaviour is not compatible with this op-
	      tion. Domain names in the	list do	get updated periodically based
	      on the interval option.

	      It  is  possible to specify the uamallowed option	several	times.
	      This is useful if	many domain names have to be specified.

       uamdomain domain
              One domain prefix per use of the option; defines a list of
              domain names to automatically add to the walled garden. This is
              done by inspecting DNS packets being sent back to the
              subscriber.

       uamlogoutip ipaddress
	      Use  this	 IP  address to	instantly logout a client accessing it
	      (defaults	to 1.1.1.1).

       defsessiontimeout seconds
	      Default session timeout (max session time) unless	otherwise  set
	      by RADIUS	(defaults to 0,	meaning	unlimited).

       defidletimeout seconds
              Default idle timeout (max idle time) unless otherwise set by
              RADIUS (defaults to 0, meaning unlimited).

       definteriminterval seconds
	      Default interim-interval for RADIUS accounting unless  otherwise
	      set by RADIUS (defaults to 0, meaning unlimited).

       acctupdate
	      Allow updating of	session	parameters with	RADIUS attributes sent
	      in Accounting-Response.

       wwwdir path
              Directory where embedded local web content is placed. This
              content is accessible using the URL format
              http://<uamlisten>:<uamport>/www/<filename>

       wwwbin script
              Executable to run as a CGI type program (like haserl) for URLs
              with extension .chi - in the format
              http://<uamlisten>:<uamport>/www/<file>.chi

       uamui script
	      An init.d	style program to handle	local content on the uamuiport
	      web server.

       uamanydns
	      Allow any	DNS server.  Normally unauthenticated clients are only
	      allowed to communicate with the DNS  servers  specified  by  the
              dns1 and dns2 options. If the uamanydns option is given
              ChilliSpot will allow the client to use all DNS servers. This is
              convenient for clients which are configured to use a fixed set of
	      DNS servers. For security	reasons	this option should be combined
	      with  a destination NAT firewall rule which forwards all DNS re-
	      quests to	a given	DNS server.

       dnsparanoia
              Inspect DNS packets and drop responses containing any records
              other than A, CNAME, SOA, or MX (to prevent DNS tunnels;
              experimental).

       uamanyip
	      Allow  clients  to use any IP settings they wish by spoofing ARP
	      (experimental).

       nouamsuccess
	      Do not return to UAM server on login success, just  redirect  to
	      original URL.

       nouamwispr
	      Do  not  do any WISPr XML, assume	the back-end is	doing this in-
	      stead.

       usestatusfile
	      Write the	status of clients in a non-volatile state file (exper-
	      imental).

       chillixml
	      Return the so-called Chilli XML along with WISPr XML.

       macauth
	      If  this option is given ChilliSpot will try to authenticate all
	      users based on their mac address alone. The  User-Name  sent  to
	      the  radius  server  will	 consist of the	MAC address and	an op-
	      tional suffix which is specified by the macsuffix	option.	If the
	      macauth option is	specified the macallowed option	is ignored.

       macallowed mac
	      List  of MAC addresses for which MAC authentication will be per-
	      formed.  Example:

	      macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9

	      The User-Name sent to the	radius server will consist of the  MAC
	      address and an optional suffix which is specified	by the macsuf-
	      fix option. If the macauth option	is  specified  the  macallowed
	      option is	ignored.

              It is possible to specify the macallowed option several times.
              This is useful if many MAC addresses have to be specified.

       macsuffix suffix
	      Suffix to	add to the MAC address in order	to form	the User-Name,
	      which is sent to the radius server.

       macpasswd password
	      Password	used  when  performing	MAC authentication. (default =
	      password)

       macallowlocal
	      An option	to allow MAC authentication based on macallowed	 with-
	      out the use of RADIUS authentication.

       localusers file
              A colon-separated file containing usernames and passwords of
              locally authenticated users.

       postauthproxy ipaddress
	      Used with	postauthproxyport to define a post authentication HTTP
	      proxy server.

       postauthproxyport port
	      Used  with  postauthproxy	 to  define a post authentication HTTP
	      proxy server.

       locationname name
	      Human readable location name used	in JSON	interface.

       papalwaysok
              (now deprecated; always on) Was used to allow PAP
              authentication.
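
       The following Python sketch is an added example, not part of
       CoovaChilli or of the original manual page. It parses the
       configuration file syntax from DESCRIPTION and reports the settings
       that the option descriptions above caution about. Assumptions: include
       files are supplied as an in-memory mapping, surrounding quotes are
       stripped from values, and the sample configuration and its include
       path are constructed.

```python
import re
# Defaults and cautions below come from the option descriptions on this page.
DEFAULT_RADIUSSECRET = "coova-anonymous"
DEFAULT_MACPASSWD = "password"
CAUTIONED_FLAGS = {
    "coanoipcheck": "source IP of RADIUS disconnect requests is not checked",
    "uamanydns": "any DNS server allowed; combine with a DNS destination-NAT rule",
    "uamanyip": "experimental; clients may use any IP settings",
}
LINE_RE = re.compile(r"(\w+)\s*=?\s*(.*)")

def parse_conf(text, includes=None, depth=0):
    """Return {option: [values]} for chilli.conf text.
    Accepts 'opt value', 'opt=value' and bare flags; skips blank lines and
    '#' comments. 'include' is resolved from the dict `includes`
    (path -> text) rather than the filesystem so the example runs offline.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:  # e.g. a leading '--', which is command-line-only syntax
            raise ValueError(f"not a valid option line: {raw!r}")
        name, value = m.group(1), m.group(2).strip()
        # Assumption: surrounding quotes are not part of the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if name == "include":
            if depth >= 8 or value not in (includes or {}):
                raise ValueError(f"cannot resolve include {value!r}")
            for key, vals in parse_conf(includes[value], includes, depth + 1).items():
                opts.setdefault(key, []).extend(vals)
        else:
            opts.setdefault(name, []).append(value)
    return opts

def audit(opts):
    """Return (option, finding) pairs for settings this page cautions about."""
    def last(key):
        return opts[key][-1] if key in opts else None
    findings = []
    if last("radiussecret") in (None, "", DEFAULT_RADIUSSECRET):
        findings.append(("radiussecret", "unset or still the documented default"))
    if not last("uamsecret"):
        findings.append(("uamsecret", "no shared secret between uamserver and chilli"))
    mac_auth = "macauth" in opts or "macallowed" in opts
    if mac_auth and last("macpasswd") in (None, "", DEFAULT_MACPASSWD):
        findings.append(("macpasswd", "MAC authentication uses the documented default"))
    findings += [(f, why) for f, why in CAUTIONED_FLAGS.items() if f in opts]
    return findings

# Constructed sample input; the include path is a placeholder.
SAMPLE_MAIN = """\
# main file
dhcpif eth1
radiussecret=coova-anonymous
uamallowed "portal.example.net"
uamallowed=10.11.12.0/24
uamanydns
include /example/local.conf
"""
SAMPLE_INCLUDES = {"/example/local.conf": "macauth\ncoanoipcheck\n"}

if __name__ == "__main__":
    for option, finding in audit(parse_conf(SAMPLE_MAIN, SAMPLE_INCLUDES)):
        print(f"{option}: {finding}")
```
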

FILES
       /usr/local/etc/chilli.conf
              The main chilli configuration file. By default, this file
              includes three other files: main.conf, hs.conf, and local.conf.
              The main.conf and hs.conf are created by the shell script
              routines in functions based on configurations in the files
              mentioned below and possibly taking some configurations from a
              remote RADIUS server or URL. The local.conf file is reserved for
              location specific configurations.

       /usr/local/etc/chilli/defaults
	      Default  configurations  used by the chilli init.d and functions
	      scripts in creating the actual configuration files. See the com-
	      ments  in	 this  file  for  more information on how to configure
	      chilli and related scripts and embedded content.

       /usr/local/etc/chilli/config
	      Location specific	configurations used by chilli init.d and func-
	      tions  scripts. Copy the defaults	file mentioned above and edit.
	      This file	is loaded after	the defaults and  thus	will  override
	      settings.

       /usr/local/etc/chilli/functions
              Helps configure chilli by loading the above configurations, sets
              some defaults, and provides functions for writing main.conf,
              hs.conf, and local.conf based on local and possibly centralized
              settings.

       /usr/local/etc/init.d/chilli
              The init.d file for chilli which defaults to using the above
              configurations to build a set of configuration files in the
              /usr/local/etc/chilli directory, taking local configurations
              and optionally centralized configurations from RADIUS or a URL.

SEE ALSO
       chilli(8) chilli-radius(5) chilli_radconfig(1) syslogd(8)

NOTES
       See  http://coova.org/ for further documentation	and community support.
       The original ChilliSpot project homepage	is/was at www.chillispot.org.

AUTHORS
       CoovaChilli and ChilliSpot are licensed under the Gnu  Public  License.
       Copyright   (C)	 2002-2005   by	  Mondru  AB.,	2006-2007  David  Bird
       <david@coova.com>, All rights reserved.

				  August 2007			chilli.conf(5)
