2014-12-09 - Re: [GRASE-Hotspot] Grase Hotspot working with DD-WRT routers in remote locations.

Header Data

From: Norberto Esteves <no***e@gmail.com>
Message Hash: b9d385106aefcad44376eef194fc2d81dbacb953b88747bd02e358df123318ab
Message ID: <9a654d53-4322-4199-bc9c-221fe6cb0291@grasehotspot.org>
Reply To: <CAGUY4fxQncfQnd–gBABaFHucTQ8AJnYgoPoOvvT2NR=XaeuLA@mail.gmail.com>
UTC Datetime: 2014-12-09 13:43:27 UTC
Raw Date: Tue, 09 Dec 2014 12:43:27 -0800

Raw message 

Hi Edward,

This is not the case. Grase will not work in routed networks, 
authentication is done with MAC address. If you put a regular router in the 
middle, Grase and Freeradius will authenticate the router MAC address, once 
router is authenticated, everybody else can access without entering 
username/password.

The difference here is that you can have multiple locations that share 
Grase Portal and Freeradius authentication. Each location must have a Coova 
Chilli Service that redirects users to Grase Portal and then check 
username, password, bandwith, data limit, time limit, etc.. with 
freeradius. This way each local Coova Chilli knows each user MAC address.

If you need to use a routed network then each network segment should have 
Coova chilli service running locally.
In my manual I use the same network in every location 10.1.0.0/16 (with 
different and non overlapping DHCP ranges). The reason for this is that 
Coova is always same IP 10.1.0.1 which is already hard coded in Grase 
portal. If you use different networks (like 192.168.1.0/24), Coova will 
have diferent IPs depending on the location, this IPs are send to Grase 
server in a field called UAMIP then we should change Grase code to 
recognise them. This solution is harder to do because involves several 
modifications in Grase code.

 
Regards,

Norberto



  

 

Terça-feira, 9 de Dezembro de 2014 19:26:48 UTC, Edward Allen escreveu:
>
> Hi Norberto
>
>
> Let me get this correct.
> This modification changes grase to work based off IP addresses instead of 
> mac addresses right?
>
> If so then technically and theoretically with proper routing then its 
> possible to use regular AP routers(without chilli/coova) with Grase at 
> master control in routed/vlan networks that's usually present in school 
> networks. This as grase would now be seeing all the clients based on their 
> ip and such be in a position to authenticate them individually.
>
>
> On Tue, Dec 2, 2014 at 2:38 PM, Norberto Esteves <no***.@gmail.com 
> <javascript:>> wrote:
>
>> Hi all,
>>
>> I managed to get this configuration working.
>>
>> Basically I have the Grase Hotspot installed in a machine (shuttle XPC 
>> DS6) in the office and one router (D-Link DIR-615) with DD-WRT in my house 
>> for testing.
>> The remote site (D-Link Router) uses the Coova Chilli included with the 
>> DD-WRT firmware to redirect users to the Grase authentication Portal, after 
>> that, the username, password, and other attributes are checked with the 
>> radius server. If the authentication is successful then the user is allowed 
>> to use the Internet and DD-WRT Coova Chilli takes care of the session even 
>> if the main site (Grase) goes down. DD-WRT Coova Chilli also sends 
>> periodical data (every 5 minutes) to Radius server to keep information up 
>> to date. 
>>
>> So far I had to change a few things in the follwing files:
>> hotspot.php, nojsstatus.php, /includes/site.inc.php
>>
>> I do not use VPN, so, there is a few ports that need forwarding:
>> In the main site: Radius (1812, 1813, 1814), UAM (3990) and HTTP (80) 
>> ports forward to Grase Hotspot machine.
>> The remote site only needs port forwarding for COA port 3779 if you are 
>> going to use the radclient to disconnect users.
>>
>> Freeradius also needs to allow remote site to connect, to do this you 
>> need to add remote client to clients.conf, or use nas table.
>>   
>> So far I'am still testing and correcting some "bugs" i found.
>>
>> The bad new is that this setup don't work with Javascript login, I did 
>> some tests and I think DD-WRT is not able to use the JSON interface for 
>> Coova Chilli. So if you want to use DD-WRT, Java script login should be 
>> disabled.
>>
>> If anyone is interested in multi-location setup using DD-WRT I can make a 
>> document and share with the community.
>>
>> Regards,
>>
>> Norberto Esteves
>>
>>
>>  -- 
>> This mailing list is for the Grase Hotspot Project 
>> http://grasehotspot.org
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "Grase Hotspot" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to gr***.@grasehotspot.org <javascript:>.
>> To post to this group, send email to gr***.@grasehotspot.org 
>> <javascript:>.
>> Visit this group at 
>> http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/fdecd37a-fa21-4d62-a6b5-50601889ecb6%40grasehotspot.org 
>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/fdecd37a-fa21-4d62-a6b5-50601889ecb6%40grasehotspot.org?utm_medium=email&utm_source=footer>
>> .
>>
>
>
>
> -- 
> ---
>
> Edward Allen
> Network/System/IT Solutions Provider/Consultant
> Voice: 876-891-8982,  876-797-3226
> yb***.@gmail.com <javascript:>
> Kingston, Jamaica
>
>

Thread