By default JSON interface makes use of CHAP passwords. So, in this article, we will learn following things.

1. javascript that used to interact with JSON interface

2. modifications required to be able to use PAP passwords through the javascript JSON objects

JSON interface and JSON service terms are used interchangeably and refer the same thing.


Configuration Options


chilli.conf – It is main config file that will source various secondary configuration files under the chilli directory. It also defines the scripts to start and shutdown the chilli program.

main.conf – it is automatically generated and overwritten.

hs.conf – it is created by startup script

local.conf – it is also created by startup script

defaults – it contains the default values that will be used by /chilli/functions to produce the /chilli/main.conf file

config – it starts out as a copy of defaults file and subsequently modified by the user. it is used together with defaults file to generate main.conf file during startup scripts.


JSON in coova chilli


Status can be checked


To communicate JSON interface with Coova Chilli, we use ChilliLibrary.js javascript file which contains chilliController object. This objects needs to be set-up correctly to reflect the values defined for our specific set-up.

Chilli daemon will then redirect to the page defined in the HS_UAMFORMAT variable.

A simple captive portal page



And, chilli.js file will be like

We assume that the user got an IP from the coova chilli daemon, and navigates to a web page.
If the ‘HS_UAMHOMEPAGE’ value is defined, it will redirect the user first to this page.
As mentioned before, this is typically a ‘splash’ type page which will then redirect the user to the ‘/prelogin’ service.
User gets a captive portal page.
The ‘/prelogin’ service will redirect the user to the page defined as the HS_UAMFORMAT variable.
This will then be the index.html page which we created.
It will be called with a query string containing info such as the IP and port that the coova chilli daemon runs on, as well as the site the user tried to connect to.
index.html calls chilli.js
The index.html page sources the chilli.js file.
This piece of Javascript gets the IP and port on which the coova chilli daemon runs from the window.location object. (The URL of the page which includes the query string added by the ‘/prelogin’ service.)
It will use this info to get the /www/chillijs.chi file.
The content of /www/chilli.chi gets dynamically created by the haserl program to include coova chilli specifics specified in the configuration files.
If the Javascript code could not get a valid IP and port from the URL of the page’s query string, it assumes the page was not called by the ‘/prelogin’ service, and will display a message informing the user about this. calls is a shell script which does the following.
Run which will source the variables defined in ‘defaults’ and ‘config’ files.
Sources the ChilliLibrary.js file.
Set certain attributes of the chilliController object based on the values received from the script.
Sources the chilliController.js file.
As a note, if you are curious to see more detail on the JSON communication between the captive portal page and the coova chilli daemon’s JSON interface, you can activate Firebug in Firefox and add
echo “chilliController.debug = true;”
to the script.
This will output dedug info to Firebug’s console.
chillController.js calls chilliform.chi
The chilliController.js file creates a complete login and status page from Javascript.
To accomplish this it also sources chillifrom.chi as a Javascript object.
Chilliform.chi calls is a shell script which sources the json_html.tmpl file and replace the innerHTML of the ‘loginForm’ object with this text.
User gets his logon page
After all the above is completed the user is faced with a logon page asking for their credentials.


Using FreeRADIUS PAP passwords and JSON
The code in the ChilliLibrary.js uses CHAP (Challenge and Reply protocol) but you can with little effort get it to work with PAP. We need a few things in place for this.

The password will be passed in cleartext, thus to prevent other people to potentially sniff the packets and obtaining a username and password pair, we have to use HTTPS.

You may also note that compared to the JSON interface’s feedback of the coova chilli daemon there is now a ‘chilliJSON.reply’ wrapper around it. The coova chilli daemon is intelligent and check how it gets called. If it gets called as a Javascript object it will include the ‘chilliJSON.reply’. If it gets called from a web page, it will exclude it. The ‘chillJSON.reply’ is a callback function which gets called as soon as the response is completed.


Modify the ChilliLibrary.js to accommodate PAP passwords
The logon query to the JSON service for CHAP passwords looks like this:
The logon query for PAP passwords looks like this
where $pappasword is the value returned by the UAM JSON web service for the challenge from the coova chilli daemon.
You need to modify the ChilliLibrary.js file to authenticate with PAP by changing the following line under ‘chilliController.logonStep3′.

This will now attempt to logon using PAP instead of CHAP.
Specify where the JSON UAM web service reside by defining the following setting:
Ensure the value of HS_UAMSECRET is the same as in the file.