CoovaChilli FreeRADIUS setup with UAM
Dear List Greetings *Setup Example: * i have CoovaChilli / FreeRADIUS setup with UAM (Universal Access Manager) server. Basically means it is different web server than NAS it self (NAS = CoovaChilli). UAM serve the login page for hotspot users. Saying other way, separate web server for content management system (serving login page base on geographical location, distance, vlan numbers etc. etc..) When any of following condition becomes true 1.) User has fill the wrong password 2.) User calling outside of time slot 3.) User already downloaded the quota specified FreeRADIUS reject the access, which is obvious. Fine !!!! *Question: * how can i configure FreeRADIUS to send the reply messages (Your username/password is wrong) to UAM server rather than NAS ? i am very sure there would be a way to do it and i am not coming across using google search over a week. Thanks / Regards RM --
Russell Mike wrote:
*Question: * how can i configure FreeRADIUS to send the reply messages (Your username/password is wrong) to UAM server rather than NAS ?
No. The NAS should sent it to the UAM server. You *could* use the Post-Auth-Type Reject block. Run a program which contacts the UAM server, and sends the message to it. But that kind of solution is very site-specific.
i am very sure there would be a way to do it and i am not coming across using google search over a week.
Probably because you're stuck on a particular solution. Are all of the systems connected to a network? Can they all reach each other? Can you run a program on the RADIUS server to poke the UAM? Yes to all? Well... the solution is pretty clear. Alan DeKok.
Dear Alan Million thanks for showing light end of the tunnel. Please look the answer near your question below. On Tue, Feb 11, 2014 at 3:19 PM, Alan DeKok <aland@deployingradius.com>wrote:
Russell Mike wrote:
*Question: * how can i configure FreeRADIUS to send the reply messages (Your username/password is wrong) to UAM server rather than NAS ?
No. The NAS should sent it to the UAM server.
OK Alan, Thanks for telling me this, i did not know.
You *could* use the Post-Auth-Type Reject block. Run a program which contacts the UAM server, and sends the message to it. But that kind of solution is very site-specific.
1.) Dear Alan - What is site specific means ?
2.) Since you advised the solution. Could you please kindly assist little more by elaborating more. Which kind of program you are talking about? i am asking because i could not understand fully. Please help me with small example. I shall try to workout.
i am very sure there would be a way to do it and i am not coming across using google search over a week.
Probably because you're stuck on a particular solution.
Are all of the systems connected to a network? Can they all reach each other? Can you run a program on the RADIUS server to poke the UAM?
1.) ISP has their own wireless network across the country build with Motorola Canopy. 2.) It is multi tenancy setup. CoovaChilli NAS is central in ISP NOC Data Center. One Linux server is running about 76 instances of CoovaChilli on VLANs interfaces. FR && UAM is also Central in NOC. Is this what you asked? Please forgive me if i did not answered your question.
Yes to all? Well... the solution is pretty clear.
Thanks Alan D. I am seriously grateful. Regards --RM
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Russell Mike wrote:
1.) Dear Alan - What is site specific means ?
It means that the problem is specific to your site. Most people don't do that kind of thing.
2.) Since you advised the solution. Could you please kindly assist little more by elaborating more. Which kind of program you are talking about? i am asking because i could not understand fully. Please help me with small example. I shall try to workout.
I'm not sure there's more to say. You need to poke the UAM. So... write a program to poke the UAM. I have no idea how that's done, because I'm not using your UAM. Then, make FreeRADIUS run the program. That part should be simple. Alan DeKok.
I check the login before sending it to the Chilli to login. public function get_user_password($username) { $stmt = $this->mysqli->prepare("SELECT value FROM radcheck WHERE username = ? AND attribute = 'Cleartext-Password'"); $stmt->bind_param('s', $username); $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows() == 0) $return = NULL; else { $stmt->bind_result($password); $stmt->fetch(); $return = $password; } $stmt->free_result(); $stmt->close(); return $return; } ... function chilli_login() { if (!empty($_GET['challenge'])) $challenge = $_GET['challenge']; elseif (!empty($_SESSION['chilli']['challenge'])) $challenge = $_SESSION['chilli']['challenge']; if (empty($challenge) || empty($_POST['username']) || empty($_POST['password'])) error('CHILLI_LOGIN_FAILED'); $_SESSION['login'] = $_POST; $uamsecret = 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'; $hexchal = pack("H32", $challenge); $newchal = pack("H*", md5($hexchal . $uamsecret)); $response = md5("\0" . $_POST['password'] . $newchal); $query = http_build_query(array( 'username' => $_POST['username'], 'response' => $response, // 'userurl' => $_GET['userurl'] ), '', '&', PHP_QUERY_RFC3986); header("Location: http://10.1.0.1:3990/login?" . $query); die(); } ... if (isset($_GET['login'])) { if (!$db_radius->user_exists($_POST['username'])) $errors[] = 'Name does not exist.'; if ($_POST['password'] != $db_radius->get_user_password($_POST['username'])) $errors[] = 'Password incorrect.'; if (empty($errors)) { chilli_login(); } } if (!empty($_GET['res'])) { switch ($_GET['res']) { case 'failed': if (isset($_GET['reply'])) if ($_GET['reply'] == 'Your maximum daily usage time has been reached' || $_GET['reply'] == 'Your maximum weekly usage time has been reached' || $_GET['reply'] == 'Your maximum monthly usage time has been reached') { $bandwidth = $db_radius->get_user_bandwidth($_SESSION['login']['username']); $bandwidth_types = array('all-time', 'daily', 'weekly', 'monthly'); $errors[] = "You have used your " . format_bytes($bandwidth['limit']['bytes'], 2) . " of {$bandwidth_types[$bandwidth['limit']['type']]} bandwidth!"; $remaining_time = ($bandwidth['remaining']['time'] > 0 ? duration($bandwidth['remaining']['time']) : '∞'); $errors[] = "Your bandwidth resets in: {$remaining_time}."; } elseif ($_GET['reply'] == 'Your maximum never usage time has been reached') { $errors[] = "You have used all your bandwidth."; $errors[] = "You need to buy more to use the Internet."; } else $errors[] = $_GET['reply']; else $errors[] = "Username and/or password rejected."; } } On Wed, Feb 12, 2014 at 6:16 AM, Alan DeKok <aland@deployingradius.com>wrote:
Russell Mike wrote:
1.) Dear Alan - What is site specific means ?
It means that the problem is specific to your site. Most people don't do that kind of thing.
2.) Since you advised the solution. Could you please kindly assist little more by elaborating more. Which kind of program you are talking about? i am asking because i could not understand fully. Please help me with small example. I shall try to workout.
I'm not sure there's more to say. You need to poke the UAM. So... write a program to poke the UAM. I have no idea how that's done, because I'm not using your UAM.
Then, make FreeRADIUS run the program. That part should be simple.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Jed Gainer -
Russell Mike