2014-12-06 - Re: [GRASE-Hotspot] Re: Grase Hotspot working with DD-WRT routers in remote locations.

Header Data

From: Norberto Esteves <no***e@gmail.com>
Message Hash: 38a2e4b48f6d559f82a3778276b579ab33d5df038111da4ae859eaebd2bc76c7
Message ID: <01b5eb73-78c1-4ee0-b67a-561db1806be9@grasehotspot.org>
Reply To: <a81ce388-adb6-4a1e-bf9e-2b476b7359c1@grasehotspot.org>
UTC Datetime: 2014-12-06 03:18:35 UTC
Raw Date: Sat, 06 Dec 2014 02:18:35 -0800

Raw message

Hi again,

Just some extra information:

I forgot to tell you that after modifying Chillispot, or some other 
settings in DD-WRT configuration, you will always need to reboot the router.

The last image on the Chillispot configuration will work but is not 100% 
accurate (the subnet mask is wrong and I forgot to put YOUR.GRASE.SERVER.IP in 
UAM Allowed ...), this is the correct one:

<https://lh5.googleusercontent.com/-PyR13K7BpCE/VILOX34vpuI/AAAAAAAAALo/NZXeSRcjDNs/s1600/graseddwrt.jpg>

The bad news, the things that will not work on remote sites:

- They will not record session log (only normal session information, time, 
data, login, logout, etc.) since there is no squid3 to log locally. You 
can use some DD-WRT tools to log sessions but that is not relevant for this 
tutorial.
- DHCP Leases won't show remote assigned IP addresses (that's obvious since 
each DHCP server is a different machine).
- After a few more tests I found out that some devices (Android with 
Opera Mobile) won't work with JavaScript login, so I suggest disabling it 
in Grase configuration.

Other important information that is not directly related but will save you 
a couple of hours is that if you want to use the UAM Domains on DD-WRT 
routers they will not work if you just put the domains there (i.e. 
google.com facebook.com ...). I found out there is a bug (at least there is 
in the version I use) and you need to:

- Enable Hotspot System
- Select White Label Protocol http
- Write the UAM Domains you want to use: UAM Domains (space separated)
- Save settings
- Then disable Hotspot System
- Enable Chillispot again and put there the same UAM Domains, Save and 
Reboot.

I will be testing this over the next few days; if I find any other bugs or 
things that need to be changed I will update this post.
Also, if you find any bugs, please let me know.

Regards,

Norberto Esteves



Saturday, 6 December 2014 1:59:56 UTC, Norberto Esteves wrote:
>
> Hi all,
>
> As promised, here is the information you need to set up Grase Hotspot in 
> multiple locations (please Tim, feel free to move this to the wiki if you 
> wish). 
>
> I made several tests with the setup described below and everything seems 
> to work fine, even the JavaScript login interface. 
>
> *Please note:*
>
> *This procedure is not for beginners, you can damage your router if you 
> flash a wrong file to it. Also you can break Grase if you place the wrong 
> code when editing the files, please make backup of the original files 
> before editing.*
> *Do it at your own risk!*
>
> *1 - Description:*
>
> The goal is to deploy multiple location Hotspots with one server in the 
> main site (headquarters) and several routers in remote locations:
>
>
> <https://lh5.googleusercontent.com/-SlK2BszGtB0/VIJJ5jrE8aI/AAAAAAAAAKE/rohge8JLbBk/s1600/Grase.jpg>
>
> To make this work we need:
>
> - One server running Grase Hotspot at the Headquarters.
> - Static public IP address at the Headquarters. This won't work with a 
> dynamic IP address.
> - Routers running DD-WRT at remote locations.
>
>
> *2 - Redirecting Ports *
>
> First we need to allow remote routers to connect to our server, so we need 
> to redirect the following ports to our Grase Server:
>
> Radius: UDP: 1812, 1813 and 1814
> UAM: TCP: 3990
> HTTP: TCP: 80
> COA: TCP: 3779 (this one is optional)
>
> My Draytek Configuration:
>
> 1. RADIUS1 All UDP 1812 10.10.10.5 v
> 2. RADIUS2 All UDP 1813 10.10.10.5 v
> 3. RADIUS3 All UDP 1814 10.10.10.5 v
> 4. UAM All TCP 3990 10.10.10.5 v
> 5. HTTP All TCP 80 10.10.10.5 v
> 6. COA All TCP 3779 10.10.10.5 v
>  
>
> *3 - Freeradius configuration*
>
> At this point we need to edit */etc/freeradius/clients.conf* to allow our 
> remote routers to connect:
> If the remote router has a static public IP you should add them right 
> after the following code: 
>
> #
> #  You can now specify one secret for a network of clients.
> #  When a client request comes in, the BEST match is chosen.
> #  i.e. The entry from the smallest possible network.
> #
>
> If they have dynamic IPs (the most common case) you should either use the 
> nas table and advanced freeradius configuration to add them dynamically or 
> you can allow all to connect (Please note, this is not the best way because 
> it's less secure).
> If you are ok with less security you can add the following:
>
> client 0.0.0.0/1 {
> secret = hotspotradius
> shortname = NAS
> nastype     = other
> }
>
> client 128.0.0.0/1 {
> secret = hotspotradius
> shortname = NAS
> nastype     = other
> }
>
> This will allow any IP to connect to the radius server as long as the secret 
> is correct.
> The default secret is *hotspotradius*; it's highly recommended to change 
> this to a more complex password.
>
> clients.conf will look like this after line 190:
>
> *...*
>
> #
> #  You can now specify one secret for a network of clients.
> #  When a client request comes in, the BEST match is chosen.
> #  i.e. The entry from the smallest possible network.
> #
>
> client 0.0.0.0/1 {
> secret = hotspotradius
> shortname = NAS
> nastype     = other
> }
>
> client 128.0.0.0/1 {
> secret = hotspotradius
> shortname = NAS
> nastype     = other
> }
>
> #client 192.168.0.0/24 {
> # secret = hotspotradius-1
> # shortname = private-network-1
> #}
> #
> #client 192.168.0.0/16 {
> # secret = hotspotradius-2
> # shortname = private-network-2
> #}
>
> ...
>
>  
> We are done with freeradius, *restart the server* in order to load the new 
> configuration.
>
>
> *4 - Grase configuration and files editing*
>
> Go to grase admin interface -> Network settings and configure IP and 
> netmask as follows:
>
>
>
> <https://lh4.googleusercontent.com/-B6Rd3-wkKOc/VIJXc0B29EI/AAAAAAAAAKs/QNMT6rJ45zQ/s1600/Grase2.jpg>
> Go to Coova Chilli Settings and configure:
>
>
> <https://lh6.googleusercontent.com/-NAxRz6I3qv4/VIJYHm-N49I/AAAAAAAAAK0/5tA-xMVGq90/s1600/Grase3.jpg>
> We need to add different DHCP ranges for each remote router to avoid 
> problems having same IP assigned to clients in the Grase server network and 
> in the remote routers. In fact there are other ways to avoid it but that 
> will include several modifications in the Grase structure. So, to keep it 
> simple we use this method. Each site will have a different DHCP Start and 
> End.
>
> *File editing:*
>
> We need to edit: */usr/share/grase/www/uam/hotspot.php* because we need 
> to capture the remote client IP address and pass it to the nojsstatus.php 
> file to get the correct status information.
>
> Edit *hotspot.php *and add: "session_start();" in the second line:
>
> <?php
> session_start();
> require_once('includes/site.inc.php');
> ....
>
> And the code:"$_SESSION['ipaddress'] = $_GET['ip'];" after line 30 to look 
> like this:
>
> ...
>
> $res = @$_GET['res'];
> $userurl = @$_GET['userurl'];
> $challenge = @$_GET['challenge'];
>
> // add this line to store user IP address in session.
> $_SESSION['ipaddress'] = $_GET['ip'];
>
> if($userurl == 'http://logout/') $userurl = '';
> if($userurl == 'http://1.0.0.0/') $userurl = '';
>
> ...
>
> Then we need to edit 
>
> */usr/share/grase/www/uam/nojsstatus.php*
>
> Also need to start the session so, add: "session_start();" in the second 
> line:
>
> <?php
> session_start();
> require_once('includes/site.inc.php');
>
> ...
>
> Then we need to retrieve the IP address commenting out the code: 
> "//$ipaddress = $_SERVER['REMOTE_ADDR'];"
> and adding: "$ipaddress = $_SESSION['ipaddress'];" at line 12:
>
> ...
>
> // Meta refresh to update
>
> //$ipaddress = $_SERVER['REMOTE_ADDR'];
>
> $ipaddress = $_SESSION['ipaddress'];
>
> $username = 
> DatabaseFunctions::getInstance()->getRadiusUserByCurrentSession($ipaddress);
>
> ...
>
> Save both files and we are done with editing.
>
>
> *5 - DD-WRT*
>
> I'm not going to explain how to install DD-WRT, I will assume that you 
> already have a router with DD-WRT firmware.
> If you are already familiar with DD-WRT this is going to be a piece of cake. 
> If not, you should visit http://www.dd-wrt.com and check if your router 
> is supported and follow the procedures to flash it. You can brick your 
> router doing this, please be careful.
>
> I use D-Link DIR-615 for testing and Netgear WNDR3700 V4 at the remote 
> sites since these are very reliable routers.
>
> *Configuration:*
>
> Configure Wan interface in order to get internet access:
>
>
> <https://lh3.googleusercontent.com/-u1XM9_yogqA/VIJViDVwBvI/AAAAAAAAAKU/lSdjB4SK2g4/s1600/ddwrt%2Bwan.jpg>
> LAN IP is not important, just configure something out of the chillispot 
> range (10.1.0.0/16). Disable DHCP and make sure that you enable NTP 
> Client and use the correct Server and Time Zone:
>
>
> <https://lh4.googleusercontent.com/-E_kIqIU0bo8/VIJWfmB7HvI/AAAAAAAAAKg/PlSBo1EDCGY/s1600/ddwrt%2Blan.jpg>
>    Configure the Wireless interface:
>
>
> <https://lh6.googleusercontent.com/-_PXOMiKAvE4/VIJbb1ucw4I/AAAAAAAAALA/O4k9KCPtYvc/s1600/Grase4.jpg>
> Now the Coova Chilli configuration:
> Go to Services -> Hotspot, enable Chillispot and configure as follows:
>
>
>
> <https://lh3.googleusercontent.com/-cbyIbcDR-6g/VIJebFOkvuI/AAAAAAAAALY/Txgg9lsEj8o/s1600/Grase5.jpg>
> Redirect url is: *http://YOUR.GRASE.SERVER.IP/grase/uam/hotspot*
>
> You can add as many DD-WRT Routers as you want, just make sure to use 
> different and non-overlapping DHCP ranges on each. 
>
> The changes made in the files may be replaced when updating Grase package. 
> Hope this will be included in next releases.
>
> That's it!!
>
> Hope this could help someone.
>
> Regards,
>
> Norberto Esteves
>
>
>
>
>
> Thursday, 4 December 2014 21:37:45 UTC, michele.campanelli 
> wrote:
>
>> Great Norberto!
>>
>> For every support you need, ask if you need.
>>
>> Good Job!
>>
>> Michele
>>
>>
>> On 04/Dec/2014, at 22:02, Norberto Esteves wrote:
>>
>> Hi all!
>>
>> António, that is the configuration I have right now. I moved Grase to a 
>> virtual machine. 
>> I plan to use this setup to replace an old server with the old version of 
>> Chillispot that we bought a few years ago and is used to manage several 
>> hotspots (around 20). All the hotspots are already using DD-WRT, so I'm 
>> trying to adapt Grase to the DD-WRT configuration I already have.
>>
>> Everything seems to work fine with non Java login. And I found a way to 
>> use the JavaScript login, the problem I still have with it is the pop up 
>> window not showing the information after login and the logout button not 
>> working, also some Android phones with Opera Mobile are not able to log in.
>>
>> Since I had a very busy week I hope I can do some more tests in the 
>> weekend and make a document on how to get this working. 
>> In order to make a document valid to every one I will have to setup a new 
>> machine with the nightly build because mine has lots of modifications on 
>> the original code and I don't know anymore which files are original and 
>> which are modified by me...
>>
>> Regards,
>>
>> Norberto Esteves  
>>
>> Tuesday, 2 December 2014 19:38:54 UTC, Norberto Esteves 
>> wrote:
>>>
>>> Hi all,
>>>
>>> I managed to get this configuration working.
>>>
>>> Basically I have the Grase Hotspot installed in a machine (shuttle XPC 
>>> DS6) in the office and one router (D-Link DIR-615) with DD-WRT in my house 
>>> for testing.
>>> The remote site (D-Link Router) uses the Coova Chilli included with the 
>>> DD-WRT firmware to redirect users to the Grase authentication Portal, after 
>>> that, the username, password, and other attributes are checked with the 
>>> radius server. If the authentication is successful then the user is allowed 
>>> to use the Internet and DD-WRT Coova Chilli takes care of the session even 
>>> if the main site (Grase) goes down. DD-WRT Coova Chilli also sends 
>>> periodical data (every 5 minutes) to Radius server to keep information up 
>>> to date. 
>>>
>>> So far I had to change a few things in the following files:
>>> hotspot.php, nojsstatus.php, /includes/site.inc.php
>>>
>>> I do not use VPN, so there are a few ports that need forwarding:
>>> In the main site: Radius (1812, 1813, 1814), UAM (3990) and HTTP (80) 
>>> ports forward to Grase Hotspot machine.
>>> The remote site only needs port forwarding for COA port 3779 if you are 
>>> going to use the radclient to disconnect users.
>>>
>>> Freeradius also needs to allow remote site to connect, to do this you 
>>> need to add remote client to clients.conf, or use nas table.
>>>   
>>> So far I'm still testing and correcting some "bugs" I found.
>>>
>>> The bad news is that this setup doesn't work with JavaScript login, I did 
>>> some tests and I think DD-WRT is not able to use the JSON interface for 
>>> Coova Chilli. So if you want to use DD-WRT, JavaScript login should be 
>>> disabled.
>>>
>>> If anyone is interested in multi-location setup using DD-WRT I can make 
>>> a document and share with the community.
>>>
>>> Regards,
>>>
>>> Norberto Esteves
>>>
>>>
>>>
>>
>>
>>
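
The `clients.conf` entries in section 3 of the quoted tutorial accept RADIUS packets from any IPv4 address behind one shared secret. As an added example (not part of the original e-mails or of Grase), the Python check below flags such entries before the RADIUS ports are forwarded to the internet; the thresholds `MIN_PREFIX` and `MIN_SECRET_LEN`, the function name `audit_clients` and the `203.0.113.7` entry are assumptions made for the illustration.

```python
import ipaddress
import re

# Default named in the post, plus the one in FreeRADIUS's stock clients.conf.
KNOWN_DEFAULT_SECRETS = {"hotspotradius", "testing123"}
MIN_PREFIX = 24       # assumption: flag IPv4 networks wider than a /24
MIN_SECRET_LEN = 16   # assumption: local policy for shared-secret length

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

# Constructed sample: the first entry is from the post, the last is made up.
SAMPLE = """
client 0.0.0.0/1 {
secret = hotspotradius
shortname = NAS
}
#client 192.168.0.0/24 {
# secret = hotspotradius-1
#}
client 203.0.113.7 {
secret = s3Qv9-constructed-Zk41xP
shortname = remote-site-1
}
"""


def audit_clients(conf_text):
    """Return (client_name, finding) tuples for risky client entries."""
    # Strip '#' comments so commented-out client blocks are ignored.
    text = "\n".join(ln.split("#", 1)[0] for ln in conf_text.splitlines())
    findings = []
    for name, body in CLIENT_RE.findall(text):
        attrs = dict(ATTR_RE.findall(body))
        try:  # the network is the block name, or an explicit ipaddr line
            net = ipaddress.ip_network(attrs.get("ipaddr", name), strict=False)
        except ValueError:
            net = None  # hostname-style client: skip the width check
        if net is not None and net.version == 4 and net.prefixlen < MIN_PREFIX:
            findings.append((name, f"wide network /{net.prefixlen}"))
        secret = attrs.get("secret", "")
        if secret in KNOWN_DEFAULT_SECRETS:
            findings.append((name, "default secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short secret"))
    return findings

if __name__ == "__main__":
    print(audit_clients(SAMPLE))
```

The simple comment stripping means a secret containing `#` is not handled; run the check against a copy of the file and review each finding by hand.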
