chilli.conf - Chilli Configuration
chilli has many configuration parameters which can either be used on the command line or in a configuration file. When on the command line, options are prefixed with two dashes and may or may not have an equal sign, for instance, these are equivalent:
chilli --uamallowed www.coova.org --uamanydns
chilli --uamallowed="www.coova.org" --uamanydns
Options that do not have arguments behave the same way, just without any equal sign or second argument. When in the configuration file, options must not have any dashes, but can still be used with or without the equal sign, as in:
Options given on the command line take precedence over any options defined in a configuration file. The default main configuration file is /usr/local/etc/chilli.conf, which can be overridden using the --conf option (or just -c for short) on the command line. Configuration files may also include other configuration files as in:
Blank lines and comment lines starting with '#' are also allowed in the configuration file.
As mentioned above, all options below are able to be put on the command line (prefixed with '--') or in a configuration file. A few options, shown below with the leading dashes, are typically only used on the command line.
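As a worked illustration of the two syntaxes above, here is an added Python example (not part of chilli or of this manual) that parses the configuration-file form and the command-line form, applies the documented precedence, and flags settings the rest of this page says must be changed: radiussecret and radiusserver1 left at their documented defaults (coova-anonymous, rad01.coova.org), dhcpif missing, or the shared secret between uamserver and chilli (option name uamsecret, taken from chilli rather than from this page) unset. The include keyword, the sample files and their contents are assumptions constructed for the example.

```python
import re

# Defaults documented on this page for the options the audit looks at.
PAGE_DEFAULTS = {"radiussecret": "coova-anonymous",
                 "radiusserver1": "rad01.coova.org",
                 "radiusserver2": "rad01.coova.org"}

def parse_conf(text, files=None):
    """chilli.conf syntax: blank lines and lines starting with '#' are skipped;
    options carry no dashes and take '=' or whitespace before the value; a
    bare option is a flag; 'include' (assumed keyword) pulls in another file,
    looked up here in the constructed 'files' dict instead of on disk."""
    files, opts = files or {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, val = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        if key == "include":
            opts.update(parse_conf(files[val], files))
        else:
            opts[key] = val.strip('"') or True
    return opts

def parse_argv(argv):
    """Command-line form: '--opt', '--opt=value' or '--opt value'. A token not
    starting with '--' is taken as the preceding option's value."""
    opts, i = {}, 0
    while i < len(argv):
        key, _, val = argv[i].lstrip("-").partition("=")
        if not val and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            i, val = i + 1, argv[i + 1]
        opts[key] = val.strip('"') or True
        i += 1
    return opts

def effective(conf_text, argv=(), files=None):
    """Precedence as documented: defaults < configuration file < command line."""
    return {**PAGE_DEFAULTS, **parse_conf(conf_text, files), **parse_argv(list(argv))}

def audit(opts):
    """Flag settings this page says must be changed or supplied."""
    findings = []
    for key in ("radiussecret", "radiusserver1"):
        if opts.get(key) == PAGE_DEFAULTS[key]:
            findings.append("%s is still the documented default" % key)
    if "uamsecret" not in opts:   # uamsecret: the uamserver/chilli shared secret
        findings.append("uamsecret not set: UAM redirects are unauthenticated")
    if "dhcpif" not in opts:
        findings.append("dhcpif missing: this option must be specified")
    return findings

# Constructed sample: a main file that includes a site-specific file.
FILES = {"local.conf": 'radiusserver1 = 10.1.1.5\nradiussecret "s3cr3t-example"\n'}
SAMPLE = "# constructed chilli.conf\ndhcpif eth1\nuamanydns\ninclude local.conf\n"

if __name__ == "__main__":
    # The command line wins over local.conf, so the default secret is flagged.
    print(audit(effective(SAMPLE, ["--radiussecret=coova-anonymous"], FILES)))
```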
Or -h for short; prints help and exits (command line)
Or -V for short; prints version and exits (command line)
Or -f for short; runs server in foreground (command line)
Or -d for short; run server in debug mode (command line)
Increase the debug level (command line) (should be named debuglevel)
Or -c file for short; use the configuration file file instead of the default shown in FILES (command line)
The syslog(8) facility to use for logging.
Re-read configuration file and do DNS lookups every interval seconds. This has the same effect as sending the HUP signal. If interval is 0 (zero) this feature is disabled.
Filename to put the process id, see FILES for default.
Directory of non-volatile data, see FILES for default.
UNIX socket used for communication with chilli_query; see FILES for default.
UNIX port used for communication with chilli_query. Only used when cmdsocket is not defined. Default port is 42424.
Network address of the uplink interface (default = 192.168.182.0/24). The network address is set during initialisation when chilli establishes a tun device for the uplink interface. The network address is specified as either <address>/
Dynamic IP address pool. Specifies a pool of dynamic IP addresses. If this option is omitted the network address specified by the net option is used for dynamic IP address allocation. See the net option for a description of the network address format.
Static IP address pool. Specifies a pool of static IP addresses. With static address allocation the IP address of the client can be specified by the radius server. Static address allocation can be used for both MAC authentication and Wireless Protected Access.
IP address of a DHCP server (on the uplink network). If configured DHCP requests will be relayed to this server.
Port number to use when relaying requests to the DHCP server configured via dhcpgateway. Defaults to 67.
IP address to use when relaying DHCP requests to the DHCP gateway.
DNS Server 1. It is used to inform the client about the DNS address to use for host name resolution. If this option is not given the system primary DNS is used.
DNS Server 2. It is used to inform the client about the DNS address to use for host name resolution. If this option is not given the system secondary DNS is used.
Domain name. It is used to inform the client about the domain name to use for DNS lookups.
Script executed after the TUN/TAP network interface has been brought up. Executed with the following parameters:
The TUN/TAP device being brought up.
The TUN/TAP device IP address being brought up.
The TUN/TAP device net mask being brought up.
The TUN/TAP device network being brought up.
The dhcpif configured in chilli.conf
The uamport configured in chilli.conf
The uamuiport configured in chilli.conf
Script executed after the tun network interface has been taken down with the same arguments and environment variables as above.
Script executed after a session is authorized. Executed with the following environment variables (see source code for possibly more):
The TUN/TAP device.
IP Address of chilli, see the uamlisten option.
Network of chilli, see the net option.
Network mask of chilli, see the net option.
Is set to the radiuslisten value.
The radiusnasid option.
The radiuslocationid option.
The radiuslocationname option.
User-name used to login.
The client’s IP Address.
The client’s MAC Address.
The MAC address of the chilli interface.
A possible filter ID returned in RADIUS Filter-ID.
The max session time, as set by RADIUS Session-Timeout.
The max idle time, as set by RADIUS Idle-Timeout.
Max up stream bandwidth set by RADIUS WISPr-Bandwidth-Max-Up.
Max down stream bandwidth set by RADIUS WISPr-Bandwidth-Max-Down.
Max input octets set by RADIUS ChilliSpot-Max-Input-Octets.
Max output octets set by RADIUS ChilliSpot-Max-Output-Octets.
Max total octets set by RADIUS ChilliSpot-Max-Total-Octets.
Script executed after a session has moved from authorized state to unauthorized with the same environment variables as above.
A parameter that is passed on to the UAM server in the initial redirect URL.
A parameter that is passed on to the UAM server in the initial redirect URL.
Value to use in RADIUS NAS-IP-Address attribute. If not present, radiuslisten is used (which defaults to "0.0.0.0").
MAC address value to use in RADIUS Called-Station-ID attribute. If not present, the MAC address of the dhcpif is used for Called-Station-ID.
Local interface IP address to use for the radius interface. Defaults to the value used in RADIUS NAS-IP-Address when nasip is not set.
The IP address of radius server 1 (default=rad01.coova.org).
The IP address of radius server 2 (default=rad01.coova.org).
The UDP port number to use for radius authentication requests (default 1812).
The UDP port number to use for radius accounting requests (default 1813).
Radius shared secret for both servers (default coova-anonymous). This secret should be changed in order not to compromise security.
Network access server identifier (default nas01).
WISPr Location ID. Should be in the format: isocc=
WISPr Location Name. Should be in the format:
Value of NAS-Port-Type attribute. Defaults to 19 (Wireless-IEEE-802.11).
Flag (defaults to off) to send the ChilliSpot-OriginalURL RADIUS VSA in Access-Request.
User-name to use for Administrative-User authentication in order to pick up chilli configurations and establish a device ‘system’ session.
Password to use for Administrative-User authentication in order to pick up chilli configurations and establish a device ‘system’ session.
The file to use as the Administrative-User update file. When used in combination with the above adminuser and adminpasswd options, ChilliSpot-Config RADIUS attributes found in the Administrative-User Access-Accept are put into the specified file. If the file changes, chilli will reload its configuration (it is assumed that this file is included into the chilli configuration file).
Swap the meaning of "input octets" and "output octets" as they relate to RADIUS attributes.
Allows OpenID authentication by sending ChilliSpot-Config=allow-openidauth in RADIUS Access-Requests to inform the RADIUS server of the option.
Allows WPA Guest authentication by sending ChilliSpot-Config=allow-wpa-guests in RADIUS Access-Requests to inform the RADIUS server of the option. The RADIUS server may return with an Access-Accept containing ChilliSpot-Config=require-uam-auth to give WPA access, but enforce the captive portal.
UDP port to listen to for accepting radius disconnect requests.
If this option is given no check is performed on the source IP address of radius disconnect requests. Otherwise it is checked that radius disconnect requests originate from radiusserver1 or radiusserver2.
Local interface IP address to use for accepting radius requests.
UDP Port to listen to for accepting radius requests.
IP address from which radius requests are accepted. If omitted the server will not accept radius requests.
Radius shared secret for clients. If not specified it defaults to radiussecret.
Ethernet interface to listen to for the downlink interface. This option must be specified.
Use the TAP interface instead of TUN (Linux only).
Do not create ARP table entries when using TAP (Linux only).
Specify a MAC address which is the layer 2 next hop to route packets to (used with usetap only).
Option to launch the chilli_rtmon daemon with the specified file as the update file. The chilli_rtmon daemon will update the file with a nexthop configuration entry before sending chilli a SIGHUP to reread its configuration.
Specify an integer value for the TCP Window and TCP Maximum Segment Size. If set, packets are rewritten with the values for both Window and MSS.
The specific device to use for the TUN/TAP interface.
The TX queue length to set on the TUN/TAP interface.
MAC address to listen to. If not specified the MAC address of the interface will be used. The MAC address should be chosen so that it does not conflict with other addresses on the LAN. An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls within the IANA range of addresses and is not allocated for other purposes. The dhcpmac option can be used in conjunction with access filters in the access points, or with access points which support packet forwarding to a specific MAC address. Thus it is possible at the MAC level to separate access point management traffic from user traffic for improved system security.
The dhcpmac option will set the interface in promisc mode.
DHCP lease time in seconds (default 600).
Where to start assigning IP addresses (default 10).
Where to stop assigning IP addresses (default 254).
Always respond to DHCP to the broadcast IP, when no relay.
If this option is given IEEE 802.1x authentication is enabled. ChilliSpot will listen for EAP authentication requests on the interface specified by dhcpif. EAP messages received on this interface are forwarded to the radius server.
Option to enable support for 802.1Q/VLAN network on the dhcpif interface.
URL of web server to use for authenticating clients.
URL of homepage to redirect unauthenticated users to. If not specified this defaults to uamserver.
When chilli is built with the --enable-chilliproxy compile-time option, this configuration option can be used to define a URL to use for the HTTP AAA protocol described here: http://www.coova.org/CoovaChilli/Proxy
A specific URL to be given in WISPr XML LoginURL. Otherwise, uamserver is used.
Shared secret between uamserver and chilli. This secret should be set in order not to compromise security.
IP address to listen to for authentication of clients. If an unauthenticated client tries to access the Internet she will be redirected to this address.
TCP port to bind to for authenticating clients (default = 3990). If an unauthenticated client tries to access the Internet she will be redirected to this port on the uamlisten IP address.
TCP port to bind to for only serving embedded content.
Comma separated list of resources the client can access without first authenticating. Each entry in the list can be a domain name, IP address, or network segment. Example:
Where each entry can be made more specific by specifying a protocol and port in the format host/network:port or protocol:host/network or protocol:host/network:port where protocol is a protocol name from /etc/protocols, host/network is just as above (a domain, IP, or network), and port is a port number. Example:
Adding to your walled garden is useful for allowing access to credit card payment gateways, community websites, or other publicly available resources.
ChilliSpot resolves the domain names to a set of IP addresses during startup. Some big sites change the returned IP addresses for each lookup. This behaviour is not compatible with this option. Domain names in the list do get updated periodically based on the interval option.
It is possible to specify the uamallowed option several times. This is useful if many domain names have to be specified.
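The entry formats described above, as an added Python example that is not chilli's own parsing code: it splits each uamallowed value (the option may repeat, each value a comma separated list) into protocol, host/network and port, using the rule that a purely numeric trailing field is a port and a non-numeric leading field is a protocol, and it separates the domain names that chilli has to resolve from the literal addresses and networks. The protocol set, the sample entries and the WalledGardenEntry type are constructed for the example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

class WalledGardenEntry(NamedTuple):
    proto: Optional[str]   # protocol name from /etc/protocols, None = any
    kind: str              # "ip", "net" or "domain"
    target: str            # canonical address, network, or lowercase host name
    port: Optional[int]    # None = any port

# Constructed subset of /etc/protocols names; chilli reads the real file.
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "gre", "esp", "ah"}
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")

def classify(host):
    """Tell an IP address from a network segment from a domain name."""
    for kind, ctor in (("ip", ipaddress.ip_address), ("net", ipaddress.ip_network)):
        try:
            return kind, str(ctor(host))
        except ValueError:
            pass
    if DOMAIN_RE.match(host):
        return "domain", host   # resolved by chilli at startup and every interval
    raise ValueError("not a domain, IP or network: %r" % host)

def parse_entry(entry):
    """One uamallowed entry: host/network, host/network:port,
    protocol:host/network or protocol:host/network:port. With two fields a
    purely numeric second field is a port, otherwise the first is a protocol."""
    parts = entry.strip().split(":")
    if len(parts) > 3 or not all(parts):
        raise ValueError("malformed uamallowed entry: %r" % entry)
    proto = port = None
    if len(parts) == 3:
        proto, host, port = parts
    elif len(parts) == 2 and parts[1].isdigit():
        host, port = parts
    elif len(parts) == 2:
        proto, host = parts
    else:
        host, = parts
    if proto is not None and proto.lower() not in KNOWN_PROTOCOLS:
        raise ValueError("unknown protocol %r in %r" % (proto, entry))
    if port is not None and not 0 < int(port) < 65536:
        raise ValueError("bad port in %r" % entry)
    kind, target = classify(host.lower())
    return WalledGardenEntry(proto and proto.lower(), kind, target, port and int(port))

def parse_uamallowed(values):
    """Every value given to uamallowed (the option may repeat), each a comma
    separated list. Returns the entries plus the domains chilli must resolve
    (the ones affected by sites that rotate addresses per lookup)."""
    entries = [parse_entry(e) for v in values for e in v.split(",") if e.strip()]
    return entries, sorted({e.target for e in entries if e.kind == "domain"})
```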
One domain prefix per use of the option; defines a list of domain names to automatically add to the walled garden. This is done by the inspecting of DNS packets being sent back to the subscriber.
When chilli is built with the --enable-chilliredir option given to the configure script, the uamregex option is available. The value should be a :: separated list of three values: the regex patterns to match the Host header, the URL path, and the query string of the request. The patterns follow the regex(7) syntax with the addition of * meaning anything (or to not check that field), and any pattern starting with ! will be negated in meaning.
This will allow all requests to a .google.com host except if the URL starts with mail (links to Gmail).
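The rule the text describes, as an added Python example that is not part of chilli: an evaluator for the host::path::query form with * skipping a field and a leading ! negating it, using Python's re module as a stand-in for regex(7). The pattern string and the URLs are constructed here (the page's own example value is not reproduced), and the reading of "starts with mail" as a path starting with /mail is an assumption.

```python
import re
from urllib.parse import urlsplit

def _compile_field(pattern):
    """One of the three '::'-separated fields: '*' skips the check, a leading
    '!' negates the match, anything else is a regex searched in the value."""
    if pattern == "*":
        return lambda value: True
    negate = pattern.startswith("!")
    rx = re.compile(pattern[1:] if negate else pattern)
    return lambda value: bool(rx.search(value)) != negate

def compile_uamregex(spec):
    """Turn a uamregex value into a predicate over (host, path, query)."""
    fields = spec.split("::")
    if len(fields) != 3:
        raise ValueError("uamregex needs host::path::query, got %r" % spec)
    checks = [_compile_field(f) for f in fields]
    return lambda host, path, query: all(
        c(v) for c, v in zip(checks, (host, path, query)))

def request_allowed(rules, url):
    """Walled-garden decision for one unauthenticated request: allowed when
    any uamregex rule matches the Host, the path and the query string."""
    u = urlsplit(url)
    return any(rule(u.hostname or "", u.path, u.query) for rule in rules)

# Constructed example of the rule the text describes: any .google.com host,
# except when the path starts with /mail (Gmail); the query is not checked.
EXAMPLE_RULES = [compile_uamregex(r"\.google\.com$::!^/mail::*")]

if __name__ == "__main__":
    for url in ("http://www.google.com/search?q=chilli",
                "http://www.google.com/mail/u/0/",
                "http://evil.example.net/?x=www.google.com"):
        print(url, "->", "allowed" if request_allowed(EXAMPLE_RULES, url) else "redirect")
```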
Default session timeout (max session time) unless otherwise set by RADIUS (defaults to 0, meaning unlimited).
Default idle timeout (max idle time) unless otherwise set by RADIUS (defaults to 0, meaning unlimited).
Default interim-interval for RADIUS accounting unless otherwise set by RADIUS (defaults to 0, meaning unlimited).
Default bandwidth max down set in bps, same as WISPr-Bandwidth-Max-Down.
Default bandwidth max up set in bps, same as WISPr-Bandwidth-Max-Up.
Allow updating of session parameters with RADIUS attributes sent in Accounting-Response.
Directory where embedded local web content is placed. This content is accessible using the URL format http://
Executable to run as a CGI type program (like haserl) for URLs with extension .chi - in the format http://
An init.d style program to handle local content on the uamuiport web server.
Allow any DNS server. Normally unauthenticated clients are only allowed to communicate with the DNS servers specified by the dns1 and dns2 options. If the uamanydns option is given ChilliSpot will allow the client to use all DNS servers. This is convenient for clients which are configured to use a fixed set of DNS servers. Since the server may not be available, requests are forwarded to the dns1 server.
Use this IP address to instantly logout a client accessing it (defaults to 22.214.171.124).
A special IP address that will always get hijacked to the UAM server (either to the uamuiport, if defined, otherwise uamport; defaults to 126.96.36.199).
An (unqualified, so no dots) hostname that is used as a DNS alias for the uamaliasip defined above. Any DNS request for this hostname, or this hostname under the domain will be returned with the uamaliasip IP address.
Inspect DNS packets and drop responses with any non-A, CNAME, SOA, or MX records (to prevent DNS tunnels; experimental).
Option to have chilli return the uamaliasip for all DNS requests for a hostname under the domain that is configured.
Allow clients to use any IP settings they wish by spoofing ARP (experimental).
Do not return to UAM server on login success, just redirect to original URL.
Do not do any WISPr XML, assume the back-end is doing this instead.
Write the status of clients in a non-volatile state file (experimental).
Return the so-called Chilli XML along with WISPr XML.
If this option is given ChilliSpot will try to authenticate all users based on their mac address alone. The User-Name sent to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the macauth option is specified the macallowed option is ignored.
List of MAC addresses for which MAC authentication will be performed. Example:
The User-Name sent to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the macauth option is specified the macallowed option is ignored.
It is possible to specify the macallowed option several times. This is useful if many MAC addresses have to be specified.
Suffix to add to the MAC address in order to form the User-Name, which is sent to the radius server.
Password used when performing MAC authentication. (default = password)
An option to allow MAC authentication based on macallowed without the use of RADIUS authentication.
A file containing MAC address and IP address mappings for DHCP allocation. The file should be formatted as:
A colon separated file containing usernames and passwords of locally authenticated users.
Used with postauthproxyport to define a post authentication HTTP proxy server.
Used with postauthproxy to define a post authentication HTTP proxy server.
Human readable location name used in JSON interface.
(now deprecated; always on) Was used to allow PAP authentication.
The following options are available when chilli is built with SSL support.
Defines the location of the PEM formatted private key file.
The password (if any) that protects the private key.
Defines the location of the PEM formatted certificate file.
Defines the location of the PEM formatted CA certificate file.
When set, HTTPS requests by unauthorized clients get hijacked instead of dropped. Requires at least sslkeyfile and sslcertfile to be defined.
When set, the uamuiport is enabled with SSL. Requires at least sslkeyfile and sslcertfile to be defined.
When set, a RadSec RADIUS tunnel is established. Requires at least sslkeyfile, sslcertfile, and sslcafile to be defined.
/usr/local/etc/chilli.conf: The main chilli configuration file. By default, this file includes three other files: main.conf, hs.conf, and local.conf. The main.conf and hs.conf are created by the shell script routines in functions based on configurations in the files mentioned below, possibly taking some configurations from a remote RADIUS server or URL. The local.conf file is reserved for location specific configurations.
/usr/local/etc/chilli/defaults: Default configurations used by the chilli init.d and functions scripts in creating the actual configuration files. See the comments in this file for more information on how to configure chilli and related scripts and embedded content.
/usr/local/etc/chilli/config: Location specific configurations used by the chilli init.d and functions scripts. Copy the defaults file mentioned above and edit. This file is loaded after the defaults and thus will override its settings.
/usr/local/etc/chilli/functions: Helps configure chilli by loading the above configurations, sets some defaults, and provides functions for writing main.conf, hs.conf, and local.conf based on local and possibly centralized settings.
/usr/local/etc/init.d/chilli: The init.d file for chilli, which defaults to using the above configurations to build a set of configuration files in the /usr/local/etc/chilli directory - taking local configurations and optionally centralized configurations from RADIUS or a URL.
See http://www.coova.org/ for further documentation and community support. The original ChilliSpot project homepage is/was at www.chillispot.org.
Copyright (C) 2002-2005 by Mondru AB., 2006-2012 David Bird (Coova Technologies) All rights reserved.
CoovaChilli is licensed under the GNU General Public License.