Provided by: chillispot_1.0-10.1_amd64

NAME

       chilli -  ChilliSpot.org. A Wireless LAN Access Point Controller

SYNOPSIS

       chilli --help

       chilli --version

       chilli

       [  --fg ] [ --debug ] [ --conf file ] [ --pidfile file ] [ --statedir file ] [ --net net ]
       [ --dynip net ] [ --statip net ] [ --dns1 host ] [ --dns2 host ] [  --domain  domain  ]  [
       --ipup  script  ]  [  --ipdown script ] [ --radiuslisten host ] [ --radiusserver1 host ] [
       --radiusserver2  host  ]  [  --radiusauthport  port  ]  [  --radiusacctport   port   ]   [
       --radiussecret   secret   ]   [   --radiusnasid   id   ]   [  --radiuslocationid  id  ]  [
       --radiuslocationname  name  ]  [  --radiusnasporttype  type  ]  [  --coaport  port   ]   [
       --coanoipcheck  ]  [  --proxylisten  host  ] [ --proxyport port ] [ --proxyclient host ] [
       --proxysecret secret ] [ --dhcpif dev ] [ --dhcpmac  address  ]  [  --lease  seconds  ]  [
       --eapolenable  ]  [  --uamserver  url  ]  [  --uamhomepage  url ] [ --uamsecret secret ] [
       --uamlisten host ] [ --uamport port ] [ --uamallowed domain ] [ --uamanydns ] [  --macauth
       ] [ --macallowed mac ] [ --macsuffix suffix ] [ --macpasswd password ]

DESCRIPTION

       chilli is a Wireless LAN HotSpot Controller. It supports two different access methods
       for a Wireless LAN HotSpot: Universal Access Method (UAM) as well as Wireless Protected
       Access (WPA).

       chilli  has  three  major  interfaces: A downlink interface for accepting connections from
       clients, a radius interface for authenticating clients and an uplink network interface for
       forwarding traffic to other networks.

       Authentication of clients is performed by an external radius server. For UAM the
       CHAP-Challenge and CHAP-Password as specified by RFC 2865 are used. For WPA the radius
       EAP-Message attribute as defined in RFC 2869 is used. The message attributes described
       in RFC 2548 are used for transferring encryption keys from the radius server to chilli.
       Furthermore the radius interface supports accounting.

       The  downlink  interface  accepts DHCP and ARP requests from clients. The client can be in
       two states: Unauthenticated and authenticated. In unauthenticated state web requests  from
       the client are redirected to an authentication web server.

       In  a  typical  application  unauthenticated clients will be forwarded to a web server and
       prompted for username and password. The web server forwards the user credentials to chilli
       by  means  of  redirecting the web browser to chilli. A received authentication request is
       forwarded to a radius server. If authentication is successful the state of the  client  is
       changed  to  authenticated. This authentication method is known as Universal Access Method
       (UAM).

       As an alternative to UAM the access points can be configured to authenticate  the  clients
       by  using  Wireless  Protected  Access  (WPA). In this case authentication credentials are
       forwarded from the access point to chilli by  using  the  radius  protocol.  The  received
       radius request is proxied by chilli and forwarded to the radius server.

       The uplink interface is implemented by using the TUN/TAP driver.  When chilli is started a
       tun interface is established, and optionally an external configuration script is called.

       Runtime errors are reported using the syslogd (8) facility.

OPTIONS

       --help Print help and exit.

       --version
              Print version and exit.

       --fg   Run in foreground (default = off)

       --debug
              Run in debug mode (default = off)

       --conf file
              Read configuration file (default = /etc/chilli.conf) where each line corresponds to
              one  command  line  option, but with the leading '--' removed. Command line options
              override the options given in the configuration file.

       --interval seconds
              Re-read configuration file and do DNS lookups every interval seconds. This has  the
              same  effect  as  sending the HUP signal. If --interval is 0 (zero) this feature is
              disabled.

       --pidfile file
              Filename of process id file (default = /var/run/chilli.pid)

       --statedir path
              Path to directory of nonvolatile data (default = /var/lib/chilli/)

       --net net
              Network address of the uplink interface (default = 192.168.182.0/24).  The  network
              address  is  set during initialisation when chilli establishes a tun device for the
              uplink interface. The network address is specified  as  either  <address>/<netmask>
              (192.168.182.0/255.255.255.0) or <address>/<prefix> (192.168.182.0/24).

       --dynip net
              Dynamic  IP  address pool. Specifies a pool of dynamic IP addresses. If this option
              is omitted the network address specified by the --net option is used for dynamic IP
              address  allocation.  See the --net option for a description of the network address
              format.

       --statip net
              Static IP address pool. Specifies a  pool  of  static  IP  addresses.  With  static
              address  allocation  the  IP  address  of the client can be specified by the radius
              server. Static address allocation can be  used  for  both  MAC  authentication  and
              Wireless Protected Access.

       --dns1 host
              DNS Server 1. It is used to inform the client about the DNS address to use for host
              name resolution. If this option is not given the system primary DNS is used.

       --dns2 host
              DNS Server 2. It is used to inform the client about the DNS address to use for host
              name resolution. If this option is not given the system secondary DNS is used.

       --domain domain
              Domain  name.  It is used to inform the client about the domain name to use for DNS
              lookups.

       --ipup script
              Script executed after the tun network interface has been brought up.  Executed with
              the following parameters: <devicename> <ip address> <mask>

       --ipdown script
              Script executed after the tun network interface has been taken down.  Executed with
              the following parameters: <devicename> <ip address> <mask>

       --radiuslisten host
              Local interface IP address to use  for  the  radius  interface.  This  option  also
              determines  the value for the NAS-IP-Address radius attribute. If --radiuslisten is
              omitted then the NAS-IP-Address attribute will be set to "0.0.0.0" and  the  source
              IP  address  of  the  radius  requests  will  be determined by the operating system
              routing tables.

       --radiusserver1 host
              The IP address of radius server 1 (default=rad01.hotradius.com).

       --radiusserver2 host
              The IP address of radius server 2 (default=rad02.hotradius.com).

       --radiusauthport port
              The UDP port number to use for radius authentication requests (default=1812).

       --radiusacctport port
              The UDP port number to use for radius accounting requests (default=1813).

       --radiussecret secret
              Radius shared secret for both servers (default=testing123). This secret  should  be
              changed in order not to compromise security.

       --radiusnasid id
              Network access server identifier (default=nas01).

       --radiuslocationid id
              WISPr   Location   ID.   Should   be   in   the  format:  isocc=<ISO_Country_Code>,
              cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>. This parameter is
              further  described  in  the  document: Wi-Fi Alliance - Wireless ISP Roaming - Best
              Current Practices v1, Feb 2003.

       --radiuslocationname name
              WISPr Location Name. Should be in the  format:  <HOTSPOT_OPERATOR_NAME>,<LOCATION>.
              This  parameter is further described in the document: Wi-Fi Alliance - Wireless ISP
              Roaming - Best Current Practices v1, Feb 2003.

       --radiusnasporttype type
              Value of NAS-Port-Type attribute. Defaults to 19 (Wireless-IEEE-802.11).

       --coaport port
              UDP port to listen to for accepting radius disconnect requests.

       --coanoipcheck
              If this option is given no check is performed on the source IP  address  of  radius
              disconnect  requests.  Otherwise  it  is  checked  that  radius disconnect requests
              originate from --radiusserver1 or --radiusserver2.

       --proxylisten host
              Local interface IP address to use for accepting radius requests.

       --proxyport port
              UDP Port to listen to for accepting radius requests.

       --proxyclient host
              IP address from which radius requests are accepted. If omitted the server will  not
              accept radius requests.

       --proxysecret secret
              Radius shared secret for clients. If not specified it defaults to --radiussecret.

       --dhcpif dev
              Ethernet  interface  to  listen  to for the downlink interface. This option must be
              specified.

       --dhcpmac address
              MAC address to listen to. If not specified the MAC address of the interface will be
              used.  The  MAC  address  should  be chosen so that it does not conflict with other
              addresses on the LAN. An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF
              falls within the IANA range of addresses and is not allocated for other purposes.

              The --dhcpmac option can be used in conjunction with access filters in the access
              points, or with access points which support packet forwarding to a specific MAC
              address. Thus it is possible at the MAC level to separate access point management
              traffic from user traffic for improved system security.

              The --dhcpmac option will set the interface in promisc mode.

       --lease seconds
              Use a DHCP lease of seconds (default = 600).

       --eapolenable
              If this option is given IEEE 802.1x  authentication  is  enabled.  ChilliSpot  will
              listen for EAP authentication requests on the interface specified by --dhcpif.  EAP
              messages received on this interface are forwarded to the radius server.

       --uamserver url
              URL of web server to use for authenticating clients.

       --uamhomepage url
              URL of homepage to  redirect  unauthenticated  users  to.  If  not  specified  this
              defaults to --uamserver.

       --uamsecret secret
              Shared  secret between uamserver and chilli. This secret should be set in order not
              to compromise security.

       --uamlisten host
              IP address to listen to for authentication of clients. If an unauthenticated client
              tries to access the Internet she will be redirected to this address.

       --uamport port
              TCP  port  to  bind  to  for  authenticating  clients  (default  =  3990).   If  an
              unauthenticated client tries to access the Internet she will be redirected to  this
              port on the --uamlisten IP address.

       --uamallowed domain
              Comma  separated  list of domain names, IP addresses or network segments the client
              can access without first authenticating.  Example:

              --uamallowed www.chillispot.org,10.11.12.0/24

              This option is useful for access to a credit card payment gateway, for access to
              community and other free information as well as for access to a company VPN server
              without first having to log in to the HotSpot.

              ChilliSpot resolves the domain names to a set of IP addresses during startup.  Some
              big  sites  change the returned IP addresses for each lookup. This behaviour is not
              compatible with this option.

              It is possible to specify the uamallowed option several times. This is useful if
              many domain names have to be specified.

       --uamanydns
              Allow  any  DNS  server.   Normally  unauthenticated  clients  are  only allowed to
              communicate with the DNS servers specified by the dns1 and  dns2  options.  If  the
              --uamanydns  option  is  given  ChilliSpot  will  allow  the  client to use all DNS
              servers. This is convenient for clients which are configured to use a fixed set  of
              DNS servers. For security reasons this option should be combined with a destination
              NAT firewall rule which forwards all DNS requests to a given DNS server.

       --macauth
              If this option is given ChilliSpot will try to authenticate all users based on
              their MAC address alone. The User-Name sent to the radius server will consist of
              the MAC address and an optional suffix which is specified by the --macsuffix
              option. If the --macauth option is specified the --macallowed option is ignored.

       --macallowed mac
              List of MAC addresses for which MAC authentication will be performed.  Example:

              --macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9

              The  User-Name  sent  to  the  radius server will consist of the MAC address and an
              optional suffix which is specified by the  --macsuffix  option.  If  the  --macauth
              option is specified the --macallowed option is ignored.

              It is possible to specify the macallowed option several times. This is useful if
              many MAC addresses have to be specified.

       --macsuffix suffix
              Suffix to add to the MAC address in order to form the User-Name, which is  sent  to
              the radius server.

       --macpasswd password
              Password used when performing MAC authentication. (default = password)

FILES

       /etc/chilli.conf
              The configuration file for chilli.
       /var/run/chilli.pid
              Process ID file.
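
       An added example, not part of the original man page or the ChilliSpot project: a
       check of a chilli.conf against the defaults and warnings documented under OPTIONS
       (--radiussecret, --uamsecret, --macpasswd, --coanoipcheck, --uamanydns). The '#'
       comment syntax, the '=' separator and the sample values are assumptions.

```python
import re

# Defaults as documented in the OPTIONS section of this man page.
DEFAULT_RADIUSSECRET = "testing123"
DEFAULT_MACPASSWD = "password"

# Constructed sample configuration (addresses are documentation ranges).
SAMPLE_CONF = """\
dhcpif eth1
radiusserver1 192.0.2.10
radiussecret testing123
uamserver https://192.0.2.20/cgi-bin/login
macallowed 00-0A-5E-AC-BE-51
uamanydns
coanoipcheck
"""

def parse_conf(text):
    """One option per line, leading '--' removed. Assumed here: '#' starts a
    comment and name/value are separated by whitespace or '='."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""]
            opts.setdefault(parts[0], []).append(parts[1].strip('"'))
    return opts

def audit(opts):
    """Return (option, finding) pairs for the settings this page warns about.
    Only the file is inspected; command line options override it."""
    last = lambda name: opts[name][-1] if name in opts else None
    findings = []
    if last("radiussecret") in (None, DEFAULT_RADIUSSECRET):
        findings.append(("radiussecret", "unset or left at the documented default"))
    if not last("uamsecret"):
        findings.append(("uamsecret", "no shared secret between uamserver and chilli"))
    if ("macauth" in opts or "macallowed" in opts) and \
            last("macpasswd") in (None, DEFAULT_MACPASSWD):
        findings.append(("macpasswd", "MAC authentication uses the default password"))
    if "coanoipcheck" in opts:
        findings.append(("coanoipcheck", "disconnect requests accepted from any source IP"))
    if "uamanydns" in opts:
        findings.append(("uamanydns", "pair with a DNAT rule pinning DNS to one server"))
    return findings

if __name__ == "__main__":
    for option, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {finding}")
```

       Secrets passed on the command line override the file and are not seen by this check.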

SIGNALS

       Sending HUP to chilli will cause the configuration file to be reread and DNS lookups to be
       performed. The following configuration options are not affected by sending HUP: [ --fg ] [ --conf
       file ] [ --pidfile file ] [ --statedir file ] [ --net net ] [ --dynip net ] [ --statip net
       ] [ --uamlisten host ] [ --uamport port ] [ --radiuslisten host ] [  --coaport  port  ]  [
       --coanoipcheck  ]  [  --proxylisten  host  ] [ --proxyport port ] [ --proxyclient host ] [
       --proxysecret secret ] [ --dhcpif dev ] [ --dhcpmac  address  ]  [  --lease  seconds  ]  [
       --eapolenable ]

       The above configuration options can only be changed by restarting the daemon.

SEE ALSO

       syslogd(8)

NOTES

       Please see the ChilliSpot project homepage at www.chillispot.org for further documentation
       and community support.

       Besides the long options documented in this man page chilli also accepts a number of short
       options  with  the  same  functionality.  Use  chilli  --help  for  a full list of all the
       available options.

       The TUN/TAP driver is required for proper operation of chilli. For Linux kernels later
       than 2.4.7 the TUN/TAP driver is included in the kernel, but typically needs to be loaded
       manually with modprobe tun. For automatic loading the line alias char-major-10-200 tun
       can be added to /etc/modules.conf. For other platforms see
       http://vtun.sourceforge.net/tun/ for information on how to install and configure the tun
       driver.

COPYRIGHT

       Copyright (C) 2002, 2003, 2004, 2005 by Mondru AB.

       All rights reserved.

                                           January 2005                                 chilli(8)