2014-12-05 - Re: [GRASE-Hotspot] Re: Grase Hotspot working with DD-WRT routers in remote locations.

Header Data

From: Norberto Esteves <no***e@gmail.com>
Message Hash: dde5dd014d74b256083e8d6a73c75c68fbe50b21fcc8910dd2f44ecb111c3fd7
Message ID: <a81ce388-adb6-4a1e-bf9e-2b476b7359c1@grasehotspot.org>
Reply To: <7B5C943A-4A35-437C-9148-8ED05548C9FB@campa4bt.it>
UTC Datetime: 2014-12-05 18:59:56 UTC
Raw Date: Fri, 05 Dec 2014 17:59:56 -0800

Raw message 

Hi all,

As promised, here is the information you need to setup Grase Hotspot on 
Multiple-locationst (please Tim, feel free to move this to the wiki if you 
wish). 

I made several tests with the setup described below and everything seams to 
work fine, even the javascript login interface. 

*Please note:*

*This procedure is not for beginners, you can damage your router if you 
flash a wrong file to it. Also you can break Grase if you place the wrong 
code when editing the files, please make backup of the original files 
before editing.*
*Do it at your own risk!*

*1 - Description:*

The goal is to deploy multiple location Hotspots with one server in the 
main site (headquarters) and several routers in remote locations:

<https://lh5.googleusercontent.com/-SlK2BszGtB0/VIJJ5jrE8aI/AAAAAAAAAKE/rohge8JLbBk/s1600/Grase.jpg>

To make this work we need:

- One server running Grase Hotspot at the Headquarters.
- Static public IP address at the Headquarters. This wont work with dynamic 
ip address.
- Routers running DD-WRT at remote locations.


*2 - Redirecting Ports *

First we need to allow remote routers to connect to our server, so we need 
to redirect the following ports to our Grase Server:

Radius: UDP: 1812, 1813 and 1814
UAM: TCP: 3990
HTTP: TCP: 80
COA: TCP: 3779 (this one is optional)

My Draytek Configuration:

1. RADIUS1 All UDP 1812 10.10.10.5 v2. RADIUS2 All UDP 1813 10.10.10.5 v3.
 RADIUS3 All UDP 1814 10.10.10.5 v4. UAM All TCP 3990 10.10.10.5 v5. HTTP
 All TCP 80 10.10.10.5 v6. COA All TCP 3779 10.10.10.5 v
 

*3 - Freeradius configuration*

At this point we need to edit /*etc/freeradius/clients.conf* to allow our 
remote routers to connect:
If the remote router has a static public IP you should add them right after 
the following code: 

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#

If they have dynamic IPs (the most common case) you should either use the 
nas table and advanced freeradius configuration to add them dynamically or 
you can allow all to connect (Please note, this is not the best way because 
its less secure).
If you are ok with less security you can add the following;

client 0.0.0.0/1 {
secret = hotspotradius
shortname = NAS
nastype     = other
}

client 128.0.0.0/1 {
secret = hotspotradius
shortname = NAS
nastype     = other
}

This will allow any IP to connect to radius server as long as the secret is 
correct.
the default secret is *hotspotradius* its highly recommended to change this 
to a more complex password.

clients.conf will look like this after line 190:

*...*

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#

client 0.0.0.0/1 {
secret = hotspotradius
shortname = NAS
nastype     = other
}

client 128.0.0.0/1 {
secret = hotspotradius
shortname = NAS
nastype     = other
}

#client 192.168.0.0/24 {
# secret = hotspotradius-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = hotspotradius-2
# shortname = private-network-2
#}

...

 
We are done with freeradius, *restart the serve*r in order to load new 
configuration.


*4 - Grase configuration and files editing*

Go to grase admin interface -> Network settings and configure IP and 
netmask as follows:


<https://lh4.googleusercontent.com/-B6Rd3-wkKOc/VIJXc0B29EI/AAAAAAAAAKs/QNMT6rJ45zQ/s1600/Grase2.jpg>
Go to Cooova Chilli Settings ad configure:

<https://lh6.googleusercontent.com/-NAxRz6I3qv4/VIJYHm-N49I/AAAAAAAAAK0/5tA-xMVGq90/s1600/Grase3.jpg>
We need to add different DHCP ranges for each remote router to avoid 
problems having same IP assigned to clients in the Grase server network and 
in the remote routers. In fact there are other ways to avoid it but that 
will include several modifications in the Grase structure. So , to keep it 
simple we use this method. Each site will have a different DHCP Start and 
End.

*File editing:*

we neeed to edit: */usr/share/grase/www/uam/hotspot.php *beecause we need 
to capture the remote client IP address and pass it to the nojsstatus.php 
file to get the correct status information.

Edit *hotspot.php *and add: "session_start();" in the second line:

<?php
session_start();
require_once('includes/site.inc.php');
....

And the code:"$_SESSION['ipaddress'] = $_GET['ip'];" after line 30 to look 
like this:

...

$res = @$_GET['res'];
$userurl = @$_GET['userurl'];
$challenge = @$_GET['challenge'];

// add this line to store user IP address in session.
$_SESSION['ipaddress'] = $_GET['ip'];

if($userurl == 'http://logout/') $userurl = '';
if($userurl == 'http://1.0.0.0/') $userurl = '';

...

Then we need to edit 

*/usr/share/grase/www/uam/nojsstatus.php*

Also need to start the session so, add: "session_start();" in the second 
line:

<?php
session_start();
require_once('includes/site.inc.php');

...

Then we need to retrieve the IP address commenting out the code: 
"//$ipaddress = $_SERVER['REMOTE_ADDR'];"
and adding: "$ipaddress = $_SESSION['ipaddress'];" at line 12:

...

// Meta refresh to update

//$ipaddress = $_SERVER['REMOTE_ADDR'];

$ipaddress = $_SESSION['ipaddress'];

$username = 
DatabaseFunctions::getInstance()->getRadiusUserByCurrentSession($ipaddress);

...

Save both files and we are done with editing.


*5 - DD-WRT*

I'm not going to explain how to install DD-WRT, I will assume that you 
already have a router with DD-WRT firmware.
If you are already familiar with DD-WRT this is going to be piece of cake. 
If not, you should visit http://www.dd-wrt.com and check if your router is 
supported and follow the procedures to flash it. You can brick your router 
doing this, please be careful.

I use D-link DIR-615 for testing and Netgear WNDR3700 V4 at the remote 
sites since this are very reliable routers.

*Configuration:*

Configure Wan interface in order to get internet access:

<https://lh3.googleusercontent.com/-u1XM9_yogqA/VIJViDVwBvI/AAAAAAAAAKU/lSdjB4SK2g4/s1600/ddwrt%2Bwan.jpg>
 LAN IP Is not important, just configure something out of the chillispot 
range (10.1.0.0/16). Disable DHCP and make sure that you enable NTP Client 
and use the correct Server and Time Zone:

<https://lh4.googleusercontent.com/-E_kIqIU0bo8/VIJWfmB7HvI/AAAAAAAAAKg/PlSBo1EDCGY/s1600/ddwrt%2Blan.jpg>
   Configure the Wireless interface:

<https://lh6.googleusercontent.com/-_PXOMiKAvE4/VIJbb1ucw4I/AAAAAAAAALA/O4k9KCPtYvc/s1600/Grase4.jpg>
Now the Coova Chilli configuration:
Go to Services -> Hotspot, enable Cillispot and configurre as follows:


<https://lh3.googleusercontent.com/-cbyIbcDR-6g/VIJebFOkvuI/AAAAAAAAALY/Txgg9lsEj8o/s1600/Grase5.jpg>
Redirect url is: *http://YOUR.GRASE.SERVER.IP/grase/uam/hotspot*

You can add as many DD-WRT Routers as you want, just make sure to use 
different and non overlaping DHCP ranges on each. 

The changes made in the files may be replaced when updating Grase package. 
Hope this will be included in next releases.

Thats it!!

Hope this could help someone.

Regards,

Norberto Esteves





Quinta-feira, 4 de Dezembro de 2014 21:37:45 UTC, michele.campanelli 
escreveu:

> Great Norberto!
>
> For every support you need, ask if you need.
>
> Good Job!
>
> Michele
>
>
> Il giorno 04/dic/2014, alle ore 22.02, Norberto Esteves ha scritto:
>
> Hi all!
>
> António, that is the configuration I have right now. I moved Grase to a 
> virtual machine. 
> I plan to use this setup to replace an old server with the old version of 
> Chillispot that we bought a few years ago and is used to manage several 
> hotspots (arround 20). All the hotspots are already using DD-WRT, so I'm 
> trying to adapt Grase to the DD-WRT configuration I already have.
>
> Everything seams to work fine with non Java login. And I found a way to 
> use the Javascipt login, the problem I still have with it is the pop up 
> window not showing the information after login and the logout button not 
> working, also some android phones with Opera mobile are not able to login.
>
> Since I had a very busy week I hope I can do some more tests in the 
> weekend and make a document on how to get this working. 
> In order to make a document valid to every one I will have to setup a new 
> machine with the nighttly build because mine has lots of modifications on 
> the original code and I don't know anymore which files are original and 
> which are modified by me...
>
> Regards,
>
> Norberto Esteves  
>
> Terça-feira, 2 de Dezembro de 2014 19:38:54 UTC, Norberto Esteves escreveu:
>>
>> Hi all,
>>
>> I managed to get this configuration working.
>>
>> Basically I have the Grase Hotspot installed in a machine (shuttle XPC 
>> DS6) in the office and one router (D-Link DIR-615) with DD-WRT in my house 
>> for testing.
>> The remote site (D-Link Router) uses the Coova Chilli included with the 
>> DD-WRT firmware to redirect users to the Grase authentication Portal, after 
>> that, the username, password, and other attributes are checked with the 
>> radius server. If the authentication is successful then the user is allowed 
>> to use the Internet and DD-WRT Coova Chilli takes care of the session even 
>> if the main site (Grase) goes down. DD-WRT Coova Chilli also sends 
>> periodical data (every 5 minutes) to Radius server to keep information up 
>> to date. 
>>
>> So far I had to change a few things in the follwing files:
>> hotspot.php, nojsstatus.php, /includes/site.inc.php
>>
>> I do not use VPN, so, there is a few ports that need forwarding:
>> In the main site: Radius (1812, 1813, 1814), UAM (3990) and HTTP (80) 
>> ports forward to Grase Hotspot machine.
>> The remote site only needs port forwarding for COA port 3779 if you are 
>> going to use the radclient to disconnect users.
>>
>> Freeradius also needs to allow remote site to connect, to do this you 
>> need to add remote client to clients.conf, or use nas table.
>>   
>> So far I'am still testing and correcting some "bugs" i found.
>>
>> The bad new is that this setup don't work with Javascript login, I did 
>> some tests and I think DD-WRT is not able to use the JSON interface for 
>> Coova Chilli. So if you want to use DD-WRT, Java script login should be 
>> disabled.
>>
>> If anyone is interested in multi-location setup using DD-WRT I can make a 
>> document and share with the community.
>>
>> Regards,
>>
>> Norberto Esteves
>>
>>
>>
> -- 
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to gr***.@grasehotspot.org <javascript:>.
> To post to this group, send email to gr***.@grasehotspot.org 
> <javascript:>.
> Visit this group at 
> http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit 
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c48e0523-9428-473c-9469-f2e43a4aa49d%40grasehotspot.org 
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c48e0523-9428-473c-9469-f2e43a4aa49d%40grasehotspot.org?utm_medium=email&utm_source=footer>
> .
>
>
>

Thread