eduroam along with commercial hotspot system
This chapter describes a sophisticated deployment of Wireless LAN that includes both eduroam access (as
service provider, not identity provider) and a commercial hotspot deployment that offers three distinct classes of
access and multiple billing models. The following access models are covered:
- Commercial web redirect login portal.
- Commercial WPA2-Enterprise secured access.
- WPA2-Enterprise access for institution staff (not eduroam-eligible).
- eduroam access for R&E users.
Every usage class is assigned its own VLAN, which keeps the user groups isolated from each other. Four SSIDs are in use, named "ccrn-hotspot" (web redirect), "ccrn-wpa" (commercial WPA), a hidden SSID (staff access) and
The billing models for the commercial access allow:
- Online-time based billing.
- Time window based billing.
- Volume based billing.
This mixture of a commercial system and eduroam access can be applied to any operator who is not in the
Research and Education community. The commercial system generates revenue while offering eduroam is a
competitive advantage against other providers. Several deployments of eduroam in non-R&E locations have
shown that eduroam attracts students to these places and by that may generate extra revenue – pubs are a
prime example for this business model.
The following instructions demonstrate how to set up such a hotspot solution with a single hardware server,
switches, Access Points and pure Open Source Software. This is a real-life scenario deployed in the city of
Luxembourg at the "Centre Culturel de Rencontre Abbaye de Neumünster" (CCRN).
These instructions assume that a server with at least two network interfaces is present, where eth0 connects to
the outside internet and eth1 is free for use by the hotspot system. The system uses IP addresses from the 10.10.0.0/8
range internally. The instructions attempt to be distribution-neutral; however, this example was installed on an
openSUSE 10.2 Linux operating system, and some distribution-specific information may be present.
1. Prepare a Linux server with a distribution of choice and install the following packages at a minimum:
   ○ vconfig -> provides the VLAN configuration tool vconfig (separate download required:
   ○ chillispot -> provides the web-redirect portal binary chilli (version 1.1.0 is on openSUSE 10.2 installation media).
   ○ iptables -> provides the firewall manipulation tools iptables and ip6tables (version 1.3.6 is on openSUSE 10.2 installation media).
   ○ apache2 -> provides the web server for the web-redirect portal, httpd (version 2.2.3 is on openSUSE 10.2 installation media).
   ○ MySQL -> provides the datastore for user accounts, mysql (version 5.0.26 is on openSUSE 10.2 installation media).
   ○ apache2-mod-perl -> enables execution of Perl CGIs (version 2.0.2 is on openSUSE 10.2 installation media).
   ○ php5 -> provides PHP (version 5.2.0 is on openSUSE 10.2 installation media).
   ○ phpmyprepaid -> provides the user management web interface (separate download required:
     http://sourceforge.net/projects/phpmyprepaid; in this deployment version 0.3.3 is in use).
   ○ freeradius -> provides the RADIUS server radiusd (version 1.1.3 is on openSUSE 10.2 installation media).
   ○ dhcp-server -> provides the DHCP server dhcpd (version 3.0.5 is on openSUSE 10.2 installation media).
2. Ensure the following configuration requirements are met:
   ○ Kernel: must support
        - IEEE 802.1q VLANs
        - tun/tap network interfaces
        - IP routing (forwarding)
     Note: the openSUSE 10.2 kernel supports all of the above.
   ○ VLANs: add them with
        vconfig add eth1 10
        vconfig add eth1 11
        vconfig add eth1 12
        vconfig add eth1 13
     and assign IP addresses to
        eth1:    ifconfig eth1 10.10.0.1 netmask 255.255.255.0 up
        eth1.10: ifconfig eth1.10 10.10.10.1 netmask 255.255.255.0 up
        eth1.11: ifconfig eth1.11 10.10.11.1 netmask 255.255.255.0 up
        eth1.12: ifconfig eth1.12 10.10.12.1 netmask 255.255.255.0 up
     Do NOT assign an IP address to eth1.13, but make sure the interface is up (ifconfig eth1.13 up).
   ○ Routing: make sure IP forwarding is turned on (cat /proc/sys/net/ipv4/ip_forward must print "1").
   ○ ChilliSpot (chilli.conf and its firewall script):
        - INTIF is eth1.13
        - EXTIF is eth0
        - set uamsecret to an arbitrary value; the same value must be used in the CGI configuration below
        - the RADIUS server is localhost; use the shared secret configured for localhost (typically testing123)
        - copy hotspotlogin.cgi into Apache's cgi-bin directory
        - copy dictionary.chillispot into /etc/raddb
   ○ Firewall (iptables):
        - modify the ruleset to allow RADIUS traffic in the INPUT chain from eth1
        - modify the ruleset to allow DHCP requests in the INPUT chain from eth1.10, eth1.11 and eth1.12
   ○ MySQL: create the database "radius" and a user with access to it
   ○ Apache2:
        - make sure CGI support for Perl is active
        - make sure PHP support is enabled
        - request a certificate from a well-known authority that includes the TLS Web Server Authentication
          OID (for example, Thawte and Verisign include this OID)
        - SSL support on port TCP/443 is mandatory: install the server certificate
   ○ phpMyPrepaid:
        - install it somewhere in the apache2 document root
        - set the database details in dbconnect.php
        - point a browser at the installation path and follow the instructions
        - set up a "location" first, then the billing models
        - it is not necessary to define Access Points
   ○ DHCP server (dhcpd.conf):
        - define DHCP ranges for the subnets 10.10.10.1/24, 10.10.11.1/24 and 10.10.12.1/24
        - do not bind to the interfaces eth0, eth1 and eth1.13
   ○ FreeRADIUS (/etc/raddb):
        - use the database "radius" on localhost as the authentication source
        - $INCLUDE dictionary.chillispot in the file dictionary
        - define a realm DEFAULT that points to the eduroam infrastructure
        - the realms NULL and LOCAL have auth source LOCAL
        - tag incoming requests in the "hints" file to match SSIDs to user auth sources
        - allow EAP passthrough for eduroam users
        - install the server certificate for EAP sessions of the institution's own users (-wpa, -staff)
It is useful to put the VLAN definitions, IP allocations and application of the firewall ruleset into an init script to automate the boot process; an example init script is provided at http://www.eduroam.org/downloads/docs/eduroamcookbook-
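The following is an added example of such an init script (not the cookbook's or CCRN's own script) covering the VLAN, address, forwarding and firewall steps listed above with this page's values. It assumes the FreeRADIUS default UDP ports 1812/1813 and the DHCP server port udp/67, which the page does not state, and uses sysctl rather than writing to /proc; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example init script (not the cookbook's own): VLANs, addresses,
# forwarding and the INPUT-chain exceptions from the steps above.
# DRY_RUN=1 prints every command instead of executing it.
INTERNAL_IF=${INTERNAL_IF:-eth1}   # trunk towards the access points
VLANS="10 11 12 13"                # 13 is chilli's INTIF: no address, just up

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Address plan from the page: eth1 -> 10.10.0.1, eth1.N -> 10.10.N.1 for
# N=10..12; eth1.13 deliberately gets no address (chilli owns that VLAN).
vlan_ip() {
    case "$1" in
        10|11|12) echo "10.10.$1.1" ;;
        *)        echo "" ;;
    esac
}

bring_up_vlans() {
    run ifconfig "$INTERNAL_IF" 10.10.0.1 netmask 255.255.255.0 up
    for v in $VLANS; do
        run vconfig add "$INTERNAL_IF" "$v"
        ip=$(vlan_ip "$v")
        if [ -n "$ip" ]; then
            run ifconfig "$INTERNAL_IF.$v" "$ip" netmask 255.255.255.0 up
        else
            run ifconfig "$INTERNAL_IF.$v" up
        fi
    done
}

enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

# RADIUS (assumed ports 1812/1813) only from the trunk, DHCP (udp/67) only
# from the three client VLANs; the rest of the ruleset is left untouched.
firewall_exceptions() {
    for p in 1812 1813; do
        run iptables -A INPUT -i "$INTERNAL_IF" -p udp --dport "$p" -j ACCEPT
    done
    for v in 10 11 12; do
        run iptables -A INPUT -i "$INTERNAL_IF.$v" -p udp --dport 67 -j ACCEPT
    done
}

# Post-condition the page asks for: ip_forward must read "1".
forwarding_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; }

case "${1:-}" in
    start) bring_up_vlans; enable_forwarding; firewall_exceptions ;;
esac
```

Run it as `DRY_RUN=1 sh vlan-init.sh start` first to review the generated commands before letting it touch the interfaces.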
3. Add dhcpd, mysql, apache2, freeradius and chilli (init script included) to the default runlevel (the init script from
   above must run before them); under SUSE, runlevels are manipulated with "insserv":
4. Attached for convenience:
   ○ init script for VLANs and IP addresses
   ○ init script for the chilli daemon
   ○ chilli.conf (comments stripped)
   ○ dhcpd.conf (comments stripped)
   ○ modified iptables ruleset
   ○ /etc/raddb files (comments stripped)
   ○ sample Lancom AP configuration (shared secrets and IP information stripped)