NAME
chilli - ChilliSpot.org. A Wireless LAN Access Point Controller
SYNOPSIS
chilli [ --fg ] [ --debug ] [ --conf file ] [ --pidfile file ]
[ --statedir file ] [ --net net ] [ --dynip net ] [ --statip net ]
[ --dns1 host ] [ --dns2 host ] [ --domain domain ] [ --ipup script ]
[ --ipdown script ] [ --radiuslisten host ] [ --radiusserver1 host ]
[ --radiusserver2 host ] [ --radiusauthport port ] [ --radiusacctport port ]
[ --radiussecret secret ] [ --radiusnasid id ] [ --radiuslocationid id ]
[ --radiuslocationname name ] [ --radiusnasporttype type ] [ --coaport port ]
[ --coanoipcheck ] [ --proxylisten host ] [ --proxyport port ]
[ --proxyclient host ] [ --proxysecret secret ] [ --dhcpif dev ]
[ --dhcpmac address ] [ --lease seconds ] [ --eapolenable ]
[ --uamserver url ] [ --uamhomepage url ] [ --uamsecret secret ]
[ --uamlisten host ] [ --uamport port ] [ --uamallowed domain ]
[ --uamanydns ] [ --macauth ] [ --macallowed ] [ --macsuffix suffix ]
[ --macpasswd password ]
DESCRIPTION
chilli is a Wireless LAN HotSpot Controller. It supports two different
access methods for a Wireless LAN HotSpot: Universal Access Method (UAM) as
well as Wireless Protected Access (WPA).

chilli has three major interfaces: a downlink interface for accepting
connections from clients, a radius interface for authenticating clients and
an uplink network interface for forwarding traffic to other

Authentication of clients is performed by an external radius server. For
UAM the CHAP-Challenge and CHAP-Password attributes as specified by RFC
2865 are used. For WPA the radius EAP-Message attribute as defined in RFC
2869 is used. The message attributes described in RFC 2548 are used for
transferring encryption keys from the radius server to chilli. Furthermore
the radius interface supports accounting.

The downlink interface accepts DHCP and ARP requests from clients. The
client can be in two states: unauthenticated and authenticated. In the
unauthenticated state web requests from the client are redirected to an
authentication web server.

In a typical application unauthenticated clients will be forwarded to a web
server and prompted for username and password. The web server forwards the
user credentials to chilli by means of redirecting the web browser to
chilli. A received authentication request is forwarded to a radius server.
If authentication is successful the state of the client is changed to
authenticated. This authentication method is known as Universal Access
Method (UAM).
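The CHAP exchange referred to above (the RFC 2865 CHAP-Challenge and
CHAP-Password attributes used for UAM logins), as an added example in Python
that is not part of the ChilliSpot man page or source. It shows what chilli
puts in the Access-Request for a UAM login and how the radius server checks
it. The user name and password are constructed for the example, the
attribute dictionary is a simplification of a real RADIUS packet, and the
redirect URL format of the UAM login page is not modelled.

```python
import hashlib
import hmac
import os

# Added example (not ChilliSpot code). RFC 2865 section 5.3 defines the
# CHAP-Password attribute as one "CHAP Ident" octet followed by
# MD5(Ident + Password + CHAP-Challenge). The challenge travels in the
# CHAP-Challenge attribute of the same Access-Request.

CHALLENGE_LEN = 16  # octets


def new_challenge() -> bytes:
    """Fresh unpredictable challenge. A new one per login attempt is what
    makes a captured CHAP-Password useless for replay."""
    return os.urandom(CHALLENGE_LEN)


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: build the 17-octet CHAP-Password attribute value."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident must fit in one octet")
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def access_request(username: str, password: bytes, challenge: bytes,
                   ident: int = 1) -> dict:
    """Attributes chilli would place in the Access-Request for a UAM login.
    NAS attributes such as NAS-Identifier (from --radiusnasid) are omitted
    here to keep the example to the CHAP part."""
    return {
        "User-Name": username,
        "CHAP-Password": chap_password(ident, password, challenge),
        "CHAP-Challenge": challenge,
    }


def verify_chap(request: dict, stored_password: bytes) -> bool:
    """RADIUS server side. CHAP needs the user's cleartext (or reversibly
    encrypted) password on the server: it recomputes the digest and compares
    in constant time."""
    value = request["CHAP-Password"]
    if len(value) != 1 + 16:
        return False
    ident = value[0]
    expected = hashlib.md5(bytes([ident]) + stored_password
                           + request["CHAP-Challenge"]).digest()
    return hmac.compare_digest(expected, value[1:])


if __name__ == "__main__":
    # Constructed sample login; "alice"/"wonderland" are made-up credentials.
    challenge = new_challenge()
    req = access_request("alice", b"wonderland", challenge)
    print("login:", "Access-Accept" if verify_chap(req, b"wonderland")
          else "Access-Reject")
    # The same CHAP-Password replayed against a new challenge is rejected.
    req["CHAP-Challenge"] = new_challenge()
    print("replay:", "Access-Accept" if verify_chap(req, b"wonderland")
          else "Access-Reject")
```

The point a deployment should take from this: the radius server must hold
the cleartext password to verify CHAP, and the --radiussecret protecting the
request on the wire (default testing123, see below) is the only thing hiding
the User-Name and challenge pair from anyone on the path to the server.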
As an alternative to UAM the access points can be configured to
authenticate the clients by using Wireless Protected Access (WPA). In this
case authentication credentials are forwarded from the access point to
chilli by using the radius protocol. The received radius request is proxied
by chilli and forwarded to the radius server.

The uplink interface is implemented by using the TUN/TAP driver. When
chilli is started a tun interface is established, and optionally an
external configuration script is called.

Runtime errors are reported using the syslogd(8) facility.
OPTIONS
--help
Print help and exit.

--version
Print version and exit.

--fg
Run in foreground (default = off).

--debug
Run in debug mode (default = off).

--conf file
Read configuration file (default = /etc/chilli.conf) where each line
corresponds to one command line option, but with the leading '--' removed.
Command line options override the options given in the configuration file.

--interval seconds
Re-read configuration file and do DNS lookups every interval seconds. This
has the same effect as sending the HUP signal. If --interval is 0 (zero)
this feature is disabled.
--pidfile file
Filename of process id file (default = /var/run/chilli.pid).

--statedir file
Path to directory of nonvolatile data (default =

--net net
Network address of the uplink interface (default = 192.168.182.0/24). The
network address is set during initialisation when chilli establishes a tun
device for the uplink interface. The network address is specified as either
<address>/<netmask> (192.168.182.0/255.255.255.0) or

--dynip net
Dynamic IP address pool. Specifies a pool of dynamic IP addresses. If this
option is omitted the network address specified by the --net option is used
for dynamic IP address allocation. See the --net option for a description
of the network address format.

--statip net
Static IP address pool. Specifies a pool of static IP addresses. With
static address allocation the IP address of the client can be specified by
the radius server. Static address allocation can be used for both MAC
authentication and Wireless Protected

--dns1 host
DNS server 1. It is used to inform the client about the DNS address to use
for host name resolution. If this option is not given the system primary
DNS is used.

--dns2 host
DNS server 2. It is used to inform the client about the DNS address to use
for host name resolution. If this option is not given the system secondary
DNS is used.

--domain domain
Domain name. It is used to inform the client about the domain name to use
for DNS lookups.

--ipup script
Script executed after the tun network interface has been brought up.
Executed with the following parameters: <devicename> <ip

--ipdown script
Script executed after the tun network interface has been taken down.
Executed with the following parameters: <devicename> <ip
--radiuslisten host
Local interface IP address to use for the radius interface. This option
also determines the value for the NAS-IP-Address radius attribute. If
--radiuslisten is omitted then the NAS-IP-Address attribute will be set to
"0.0.0.0" and the source IP address of the radius requests will be
determined by the operating system.

--radiusserver1 host
The IP address of radius server 1 (default = rad01.hotradius.com).

--radiusserver2 host
The IP address of radius server 2 (default = rad02.hotradius.com).

--radiusauthport port
The UDP port number to use for radius authentication requests

--radiusacctport port
The UDP port number to use for radius accounting requests

--radiussecret secret
Radius shared secret for both servers (default = testing123). This secret
should be changed in order not to compromise security.

--radiusnasid id
Network access server identifier (default = nas01).

--radiuslocationid id
WISPr Location ID. Should be in the format:
This parameter is further described in the document: Wi-Fi Alliance -
Wireless ISP Roaming - Best Current Practices v1, Feb 2003.

--radiuslocationname name
WISPr Location Name. Should be in the format:
<HOTSPOT_OPERATOR_NAME>,<LOCATION>. This parameter is further described in
the document: Wi-Fi Alliance - Wireless ISP Roaming - Best Current
Practices v1, Feb 2003.

--radiusnasporttype type
Value of NAS-Port-Type attribute. Defaults to 19 (Wireless-

--coaport port
UDP port to listen to for accepting radius disconnect requests.

--coanoipcheck
If this option is given no check is performed on the source IP address of
radius disconnect requests. Otherwise it is checked that radius disconnect
requests originate from --radiusserver1

--proxylisten host
Local interface IP address to use for accepting radius requests.

--proxyport port
UDP port to listen to for accepting radius requests.

--proxyclient host
IP address from which radius requests are accepted. If omitted the server
will not accept radius requests.

--proxysecret secret
Radius shared secret for clients. If not specified it defaults
--dhcpif dev
Ethernet interface to listen to for the downlink interface. This option
must be specified.

--dhcpmac address
MAC address to listen to. If not specified the MAC address of the interface
will be used. The MAC address should be chosen so that it does not conflict
with other addresses on the LAN. An address in the range
00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls within the IANA range of
addresses and is not allocated for

The --dhcpmac option can be used in conjunction with access filters in the
access points, or with access points which support packet forwarding to a
specific MAC address. Thus it is possible at the MAC level to separate
access point management traffic from user traffic for improved system
security.

The --dhcpmac option will set the interface in promiscuous mode.

--lease seconds
Use a DHCP lease of seconds (default = 600).

--eapolenable
If this option is given IEEE 802.1x authentication is enabled. ChilliSpot
will listen for EAP authentication requests on the interface specified by
--dhcpif. EAP messages received on this interface are forwarded to the
radius server.
--uamserver url
URL of web server to use for authenticating clients.

--uamhomepage url
URL of homepage to redirect unauthenticated users to. If not specified this
defaults to --uamserver.

--uamsecret secret
Shared secret between uamserver and chilli. This secret should be set in
order not to compromise security.

--uamlisten host
IP address to listen to for authentication of clients. If an
unauthenticated client tries to access the Internet she will be redirected
to this address.

--uamport port
TCP port to bind to for authenticating clients (default = 3990). If an
unauthenticated client tries to access the Internet she will be redirected
to this port on the --uamlisten IP address.

--uamallowed domain
Comma separated list of domain names, IP addresses or network segments the
client can access without first authenticating. This option is useful for
access to a credit card payment gateway, for access to community and other
free information as well as for access to a company VPN server without
first having to login to the HotSpot.

ChilliSpot resolves the domain names to a set of IP addresses during
startup. Some big sites change the returned IP addresses for each lookup.
This behaviour is not compatible with this

It is possible to specify the uamallowed option several times. This is
useful if many domain names have to be specified.

--uamanydns
Allow any DNS server. Normally unauthenticated clients are only allowed to
communicate with the DNS servers specified by the --dns1 and --dns2
options. If the --uamanydns option is given ChilliSpot will allow the
client to use all DNS servers. This is convenient for clients which are
configured to use a fixed set of DNS servers. For security reasons this
option should be combined with a destination NAT firewall rule which
forwards all DNS requests to a given DNS server.
--macauth
If this option is given ChilliSpot will try to authenticate all users based
on their MAC address alone. The User-Name sent to the radius server will
consist of the MAC address and an optional suffix which is specified by the
--macsuffix option. If the --macauth option is specified the --macallowed
option is ignored.

--macallowed
List of MAC addresses for which MAC authentication will be
The User-Name sent to the radius server will consist of the MAC address and
an optional suffix which is specified by the --macsuffix option. If the
--macauth option is specified the --macallowed option is ignored.

It is possible to specify the macallowed option several times. This is
useful if many MAC addresses have to be specified.

--macsuffix suffix
Suffix to add to the MAC address in order to form the User-Name, which is
sent to the radius server.

--macpasswd password
Password used when performing MAC authentication. (default =
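The options above translate one-to-one into lines of the --conf file, and
several of them carry a security caveat (the default --radiussecret, an
unset --uamsecret, --uamanydns without a DNAT rule, --coanoipcheck, the
--dhcpmac range). The following Python script, added here and not part of
ChilliSpot, parses a chilli.conf in that format and reports those caveats.
The sample configuration, its interface name, addresses and URL are
constructed for the example and do not describe a real deployment; the
severities are this example's own choice.

```python
import ipaddress
import re

# Added example (not ChilliSpot code): parse a chilli.conf in the format the
# --conf option describes (one option per line, leading '--' removed) and
# audit the settings the man page flags as security-relevant.

DEFAULT_RADIUS_SECRET = "testing123"              # default under --radiussecret
DHCPMAC_RANGE = (0x00005E000200, 0x00005EFFFFFF)  # range given under --dhcpmac

# Constructed sample chilli.conf for this example (not a real deployment).
SAMPLE_CONF = """\
# constructed sample chilli.conf
dhcpif eth1
dhcpmac 00:00:5E:00:02:01
net 192.168.182.0/24
dns1 192.168.1.1
radiusserver1 10.0.0.5
radiusserver2 10.0.0.6
radiussecret testing123
radiusnasid nas01
uamserver https://login.example.org/cgi-bin/hotspotlogin.cgi
uamlisten 192.168.182.1
uamport 3990
uamallowed login.example.org
uamallowed 10.0.0.0/8
uamanydns
"""


def parse_conf(text):
    """Return (option, value) pairs in file order; value is None for flags.
    Repeats are kept because uamallowed/macallowed may be given several times."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else None))
    return entries


def to_argv(entries):
    """The inverse mapping: a config line 'opt value' is the command line
    option '--opt value' (command line options override the file)."""
    argv = []
    for opt, val in entries:
        argv.append("--" + opt)
        if val is not None:
            argv.append(val)
    return argv


def mac_to_int(mac):
    if not re.fullmatch(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", mac or ""):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def audit(entries):
    """Return (severity, message) findings for the man page's caveats."""
    opts = {}
    for opt, val in entries:
        opts.setdefault(opt, []).append(val)
    findings = []
    if "dhcpif" not in opts:
        findings.append(("error", "dhcpif must be specified (downlink interface)"))
    if opts.get("radiussecret", [None])[-1] in (None, DEFAULT_RADIUS_SECRET):
        findings.append(("error", "radiussecret is missing or still the default testing123"))
    if "uamsecret" not in opts:
        findings.append(("error", "uamsecret is not set; uamserver and chilli need a shared secret"))
    if "uamanydns" in opts:
        findings.append(("warn", "uamanydns allows any DNS server; add a DNAT rule that forwards DNS to a known server"))
    if "coanoipcheck" in opts:
        findings.append(("warn", "coanoipcheck skips the source IP check on radius disconnect requests"))
    for mac in opts.get("dhcpmac", []):
        try:
            inside = DHCPMAC_RANGE[0] <= mac_to_int(mac) <= DHCPMAC_RANGE[1]
        except ValueError as exc:
            findings.append(("error", str(exc)))
            continue
        if not inside:
            findings.append(("warn", f"dhcpmac {mac} is outside 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF"))
    for key in ("net", "dynip", "statip"):
        for val in opts.get(key, []):
            try:
                ipaddress.ip_network(val or "", strict=False)  # accepts /24 and /255.255.255.0
            except ValueError:
                findings.append(("error", f"{key} {val!r} is not <address>/<netmask>"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_conf(SAMPLE_CONF)):
        print(f"{severity}: {message}")
```

Run against the sample it reports the default radius secret, the missing
uamsecret and the uamanydns warning; replacing the secret and adding a
uamsecret line leaves only the uamanydns warning, which is resolved by the
firewall rule rather than by the configuration file.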
FILES
/etc/chilli.conf
The configuration file for chilli.

/var/run/chilli.pid
Process ID file.
SIGNALS
Sending HUP to chilli will cause the configuration file to be reread and
DNS lookups to be performed. The following configuration options are not
affected by sending HUP: [ --fg ] [ --conf file ] [ --pidfile file ]
[ --statedir file ] [ --net net ] [ --dynip net ] [ --statip net ]
[ --uamlisten host ] [ --uamport port ] [ --radiuslisten host ]
[ --coaport port ] [ --coanoipcheck ] [ --proxylisten host ]
[ --proxyport port ] [ --proxyclient host ] [ --proxysecret secret ]
[ --dhcpif dev ] [ --dhcpmac address ] [ --lease seconds ] [

The above configuration options can only be changed by restarting the
SEE ALSO
Please see the ChilliSpot project homepage at www.chillispot.org for
further documentation and community support.
NOTES
Besides the long options documented in this man page chilli also accepts a
number of short options with the same functionality. Use chilli --help for
a full list of all the available options.

The TUN/TAP driver is required for proper operation of chilli. For Linux
kernels later than 2.4.7 the TUN/TAP driver is included in the kernel, but
typically needs to be loaded manually with modprobe tun. For automatic
loading the line alias char-major-10-200 tun can be added to
/etc/modules.conf. For other platforms see http://vtun.sourceforge.net/tun/
for information on how to install and configure the tun driver.
COPYRIGHT
Copyright (C) 2002, 2003, 2004, 2005 by Mondru AB.
All rights reserved.

January 2005                                                      chilli(8)