2015-11-24 - Re: [GRASE-Hotspot] Re: Grase Hotspot working with DD-WRT routers in remote locations.

Header Data

From: Dražen Žuvela <dr***a@radez.hr>
Message Hash: d9a02f043a0d6c7c7d0639fbfe0f1c136393dd7c410ba6b1dc9d10e65c2febb7
Message ID: <56546F15.8010702@radez.hr>
Reply To: <a81ce388-adb6-4a1e-bf9e-2b476b7359c1@grasehotspot.org>
UTC Datetime: 2015-11-24 07:07:17 UTC
Raw Date: Tue, 24 Nov 2015 15:07:17 +0100

Raw message

Hi Norberto,
I am just following your instructions from last year and can get remote 
clients to authenticate to Grase and get access.
The only thing I didn't get working is machine accounts.
They are connected to DD-WRT and get an IP from the corresponding range, 
but soon the login applet pops up asking for a username and password.

I can't see yet what is wrong. I am trying to explore some Grase logs. 
Found nothing conclusive yet.

The only difference from your setup is that all my DD-WRTs are in the same 
local network. They are not on the other side of any router, so no port 
redirecting was necessary.

Do you have any advice?
Thanks!

*Drazen*


On 6.12.2014 at 2:59, Norberto Esteves wrote:
> Hi all,
>
> As promised, here is the information you need to set up Grase Hotspot 
> on multiple locations (please Tim, feel free to move this to the wiki 
> if you wish).
>
> I made several tests with the setup described below and everything 
> seems to work fine, even the javascript login interface.
>
> *Please note:*
>
> *This procedure is not for beginners; you can damage your router if 
> you flash a wrong file to it. You can also break Grase if you place 
> the wrong code when editing the files, so please make a backup of the 
> original files before editing.*
> *Do it at your own risk!*
>
> *1 - Description:*
>
> The goal is to deploy multiple location Hotspots with one server in 
> the main site (headquarters) and several routers in remote locations:
>
> <https://lh5.googleusercontent.com/-SlK2BszGtB0/VIJJ5jrE8aI/AAAAAAAAAKE/rohge8JLbBk/s1600/Grase.jpg>
>
>
> To make this work we need:
>
> - One server running Grase Hotspot at the headquarters.
> - A static public IP address at the headquarters. This won't work with 
> a dynamic IP address.
> - Routers running DD-WRT at the remote locations.
>
>
> *2 - Redirecting Ports*
>
> First we need to allow the remote routers to connect to our server, so we 
> need to redirect the following ports to our Grase server:
>
> Radius: UDP 1812, 1813 and 1814
> UAM: TCP 3990
> HTTP: TCP 80
> COA: TCP 3779 (this one is optional)
>
> My Draytek configuration:
>
>  #   Name      Src  Proto  Port   Destination   Enabled
>  1.  RADIUS1   All  UDP    1812   10.10.10.5    v
>  2.  RADIUS2   All  UDP    1813   10.10.10.5    v
>  3.  RADIUS3   All  UDP    1814   10.10.10.5    v
>  4.  UAM       All  TCP    3990   10.10.10.5    v
>  5.  HTTP      All  TCP    80     10.10.10.5    v
>  6.  COA       All  TCP    3779   10.10.10.5    v
>
>
> *3 - Freeradius configuration*
>
> At this point we need to edit */etc/freeradius/clients.conf* to allow 
> our remote routers to connect.
> If the remote routers have static public IPs you should add them right 
> after the following block:
>
> #
> #  You can now specify one secret for a network of clients.
> #  When a client request comes in, the BEST match is chosen.
> #  i.e. The entry from the smallest possible network.
> #
>
> If they have dynamic IPs (the most common case) you should either use 
> the nas table and advanced freeradius configuration to add them 
> dynamically, or you can allow everyone to connect (please note, this is 
> not the best way because it is less secure).
> If you are OK with less security you can add the following:
>
> # Two /1 networks together cover every IPv4 address.
> client 0.0.0.0/1 {
>         secret    = hotspotradius
>         shortname = NAS
>         nastype   = other
> }
>
> client 128.0.0.0/1 {
>         secret    = hotspotradius
>         shortname = NAS
>         nastype   = other
> }
>
> This will allow any IP to connect to the radius server as long as the 
> secret is correct.
> The default secret is *hotspotradius*; it is highly recommended to change 
> this to a more complex password.
>
> clients.conf will look like this after line 190:
>
> *...*
>
> #
> #  You can now specify one secret for a network of clients.
> #  When a client request comes in, the BEST match is chosen.
> #  i.e. The entry from the smallest possible network.
> #
>
> client 0.0.0.0/1 {
>         secret    = hotspotradius
>         shortname = NAS
>         nastype   = other
> }
>
> client 128.0.0.0/1 {
>         secret    = hotspotradius
>         shortname = NAS
>         nastype   = other
> }
>
> #client 192.168.0.0/24 {
> #secret= hotspotradius-1
> #shortname= private-network-1
> #}
> #
> #client 192.168.0.0/16 {
> #secret= hotspotradius-2
> #shortname= private-network-2
> #}
>
> ...
>
> We are done with freeradius; *restart the server* in order to load the new 
> configuration.
>
>
> *4 - Grase configuration and files editing*
>
> Go to the Grase admin interface -> Network settings and configure the IP and 
> netmask as follows:
>
>
> <https://lh4.googleusercontent.com/-B6Rd3-wkKOc/VIJXc0B29EI/AAAAAAAAAKs/QNMT6rJ45zQ/s1600/Grase2.jpg>
>
> Go to Coova Chilli Settings and configure:
>
> <https://lh6.googleusercontent.com/-NAxRz6I3qv4/VIJYHm-N49I/AAAAAAAAAK0/5tA-xMVGq90/s1600/Grase3.jpg>
>
> We need to use a different DHCP range for each remote router to avoid 
> the same IP being assigned to clients in the Grase server network and 
> in the remote routers. There are other ways to avoid this, but they 
> would require several modifications to the Grase structure. So, to keep 
> it simple, we use this method: each site gets a different DHCP start 
> and end.
>
> *File editing:*
>
> We need to edit */usr/share/grase/www/uam/hotspot.php* because we 
> need to capture the remote client's IP address and pass it to the 
> nojsstatus.php file to get the correct status information.
>
> Edit *hotspot.php* and add "session_start();" on the second line:
>
> <?php
> session_start();
> require_once('includes/site.inc.php');
> ....
>
> And add the line "$_SESSION['ipaddress'] = $_GET['ip'];" after line 30, so 
> that it looks like this:
>
> ...
>
> $res = @$_GET['res'];
> $userurl = @$_GET['userurl'];
> $challenge = @$_GET['challenge'];
>
> // add this line to store user IP address in session.
> $_SESSION['ipaddress'] = $_GET['ip'];
>
> if($userurl == 'http://logout/') $userurl = '';
> if($userurl == 'http://1.0.0.0/') $userurl = '';
>
> ...
>
> Then we need to edit
>
> */usr/share/grase/www/uam/nojsstatus.php*
>
> This file also needs to start the session, so add "session_start();" on the 
> second line:
>
> <?php
> session_start();
> require_once('includes/site.inc.php');
>
> ...
>
> Then we need to retrieve the IP address by commenting out the line 
> "$ipaddress = $_SERVER['REMOTE_ADDR'];"
> and adding "$ipaddress = $_SESSION['ipaddress'];" at line 12:
>
> ...
>
> // Meta refresh to update
>
> // original line, now commented out:
> //$ipaddress = $_SERVER['REMOTE_ADDR'];
>
> // use the client IP captured by hotspot.php instead
> $ipaddress = $_SESSION['ipaddress'];
>
> $username = 
> DatabaseFunctions::getInstance()->getRadiusUserByCurrentSession($ipaddress);
>
> ...
>
> Save both files and we are done with editing.
>
>
> *5 - DD-WRT*
>
> I'm not going to explain how to install DD-WRT; I will assume that you 
> already have a router with DD-WRT firmware.
> If you are already familiar with DD-WRT this is going to be a piece of 
> cake. If not, you should visit http://www.dd-wrt.com, check if your 
> router is supported and follow the procedures to flash it. You can 
> brick your router doing this, so please be careful.
>
> I use a D-Link DIR-615 for testing and Netgear WNDR3700 V4 at the remote 
> sites, since these are very reliable routers.
>
> *Configuration:*
>
> Configure the WAN interface in order to get internet access:
>
> <https://lh3.googleusercontent.com/-u1XM9_yogqA/VIJViDVwBvI/AAAAAAAAAKU/lSdjB4SK2g4/s1600/ddwrt%2Bwan.jpg>
>
> The LAN IP is not important; just configure something outside the 
> chillispot range (10.1.0.0/16). Disable DHCP and make sure that you 
> enable the NTP client and use the correct server and time zone:
>
> <https://lh4.googleusercontent.com/-E_kIqIU0bo8/VIJWfmB7HvI/AAAAAAAAAKg/PlSBo1EDCGY/s1600/ddwrt%2Blan.jpg>
>
> Configure the wireless interface:
>
> <https://lh6.googleusercontent.com/-_PXOMiKAvE4/VIJbb1ucw4I/AAAAAAAAALA/O4k9KCPtYvc/s1600/Grase4.jpg>
>
> Now the Coova Chilli configuration:
> Go to Services -> Hotspot, enable Chillispot and configure as follows:
>
>
> <https://lh3.googleusercontent.com/-cbyIbcDR-6g/VIJebFOkvuI/AAAAAAAAALY/Txgg9lsEj8o/s1600/Grase5.jpg>
>
> The redirect URL is: *http://YOUR.GRASE.SERVER.IP/grase/uam/hotspot*
>
> You can add as many DD-WRT routers as you want; just make sure to use 
> different, non-overlapping DHCP ranges on each.
>
> The changes made in the files may be overwritten when updating the Grase 
> package. I hope this will be included in the next releases.
>
> That's it!
>
> Hope this helps someone.
>
> Regards,
>
> Norberto Esteves
>
>
>
>
>
> On Thursday, 4 December 2014 21:37:45 UTC, michele.campanelli 
> wrote:
>
>     Great, Norberto!
>
>     For any support you need, just ask.
>
>     Good job!
>
>     Michele
>
>
>     On 04 Dec 2014, at 22:02, Norberto Esteves wrote:
>
>>     Hi all!
>>
>>     António, that is the configuration I have right now. I moved
>>     Grase to a virtual machine.
>>     I plan to use this setup to replace an old server with the old
>>     version of Chillispot that we bought a few years ago and is used
>>     to manage several hotspots (around 20). All the hotspots are
>>     already using DD-WRT, so I'm trying to adapt Grase to the DD-WRT
>>     configuration I already have.
>>
>>     Everything seems to work fine with the non-Javascript login. And I found
>>     a way to use the Javascript login; the problem I still have with it
>>     is the pop-up window not showing the information after login and
>>     the logout button not working. Also, some Android phones with
>>     Opera Mobile are not able to log in.
>>
>>     Since I had a very busy week I hope I can do some more tests at
>>     the weekend and write a document on how to get this working.
>>     In order to make a document valid for everyone I will have to
>>     set up a new machine with the nightly build, because mine has lots
>>     of modifications to the original code and I no longer know
>>     which files are original and which were modified by me...
>>
>>     Regards,
>>
>>     Norberto Esteves
>>
>>     On Tuesday, 2 December 2014 19:38:54 UTC, Norberto Esteves
>>     wrote:
>>
>>         Hi all,
>>
>>         I managed to get this configuration working.
>>
>>         Basically I have Grase Hotspot installed on a machine
>>         (Shuttle XPC DS6) in the office and one router (D-Link
>>         DIR-615) with DD-WRT in my house for testing.
>>         The remote site (D-Link router) uses the Coova Chilli
>>         included with the DD-WRT firmware to redirect users to the
>>         Grase authentication portal; after that, the username,
>>         password and other attributes are checked with the radius
>>         server. If the authentication is successful then the user is
>>         allowed to use the Internet, and the DD-WRT Coova Chilli takes
>>         care of the session even if the main site (Grase) goes down.
>>         DD-WRT Coova Chilli also sends periodic data (every 5
>>         minutes) to the radius server to keep the information up to date.
>>
>>         So far I had to change a few things in the following files:
>>         hotspot.php, nojsstatus.php, /includes/site.inc.php
>>
>>         I do not use a VPN, so there are a few ports that need forwarding:
>>         At the main site: the Radius (1812, 1813, 1814), UAM (3990) and
>>         HTTP (80) ports are forwarded to the Grase Hotspot machine.
>>         The remote site only needs port forwarding for the COA port 3779
>>         if you are going to use radclient to disconnect users.
>>
>>         Freeradius also needs to allow the remote site to connect; to do
>>         this you need to add the remote client to clients.conf, or use
>>         the nas table.
>>
>>         So far I am still testing and correcting some "bugs" I found.
>>
>>         The bad news is that this setup doesn't work with the Javascript
>>         login. I did some tests and I think DD-WRT is not able to use
>>         the JSON interface of Coova Chilli. So if you want to use
>>         DD-WRT, the Javascript login should be disabled.
>>
>>         If anyone is interested in a multi-location setup using DD-WRT
>>         I can write a document and share it with the community.
>>
>>         Regards,
>>
>>         Norberto Esteves
>>
>>
>>
>>     -- 
>>     This mailing list is for the Grase Hotspot Project
>>     http://grasehotspot.org <http://grasehotspot.org/>
>>     ---
>>     You received this message because you are subscribed to the
>>     Google Groups "Grase Hotspot" group.
>>     To unsubscribe from this group and stop receiving emails from it,
>>     send an email to gr***.@grasehotspot.org.
>>     To post to this group, send email to gr***.@grasehotspot.org.
>>     Visit this group at
>>     http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/
>>     <http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/>.
>>     To view this discussion on the web visit
>>     https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c48e0523-9428-473c-9469-f2e43a4aa49d%40grasehotspot.org
>>     <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c48e0523-9428-473c-9469-f2e43a4aa49d%40grasehotspot.org?utm_medium=email&utm_source=footer>.
>
> -- 
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google 
> Groups "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to gr***e@grasehotspot.org 
> <mailto:gr***e@grasehotspot.org>.
> To post to this group, send email to gr***t@grasehotspot.org 
> <mailto:gr***t@grasehotspot.org>.
> Visit this group at 
> http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit 
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/a81ce388-adb6-4a1e-bf9e-2b476b7359c1%40grasehotspot.org 
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/a81ce388-adb6-4a1e-bf9e-2b476b7359c1%40grasehotspot.org?utm_medium=email&utm_source=footer>.


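The quoted guide leaves two things to the reader: it recommends replacing the single catch-all `hotspotradius` secret with something stronger (section 3), and it insists that every DD-WRT site use a distinct, non-overlapping DHCP range inside the 10.1.0.0/16 chilli network (sections 4 and 5). The script below, an added example that is not part of the thread or of the Grase Hotspot project, does both for the static-public-IP case: it generates one FreeRADIUS client entry per router with its own random secret instead of the two /1 catch-all blocks, and it rejects site lists whose DHCP ranges collide or fall outside the chilli network. The site names, router addresses and DHCP ranges are constructed for illustration; the `ipaddr`/`secret`/`shortname`/`nastype` keywords are standard clients.conf syntax.

```python
"""Per-router FreeRADIUS client entries and DHCP-range checks for a
multi-site Grase/DD-WRT setup (added example, not project code)."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Chilli network used by the guide; every per-site DHCP range must sit inside it.
CHILLI_NET = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Site:
    name: str        # becomes the client name and shortname in clients.conf
    nas_ip: str      # static public IP of the DD-WRT router (constructed)
    dhcp_start: str  # first address this router hands out
    dhcp_end: str    # last address this router hands out


def new_secret(nbytes: int = 24) -> str:
    """Random shared secret for one NAS: 24 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(nbytes)


def dhcp_range(site: Site) -> Tuple[int, int]:
    """Validate a site's DHCP range and return it as integer bounds."""
    start = ipaddress.ip_address(site.dhcp_start)
    end = ipaddress.ip_address(site.dhcp_end)
    if start > end:
        raise ValueError(f"DHCP start {start} is after end {end}")
    if start not in CHILLI_NET or end not in CHILLI_NET:
        raise ValueError(f"range {start}-{end} is outside {CHILLI_NET}")
    return int(start), int(end)


def check_sites(sites: List[Site]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent.

    Overlap detection sorts ranges by start address and compares neighbours,
    which reports at least one offending pair whenever any two ranges overlap.
    """
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    seen = set()
    for s in sites:
        if s.name in seen:
            problems.append(f"duplicate client name {s.name}")
        seen.add(s.name)
        try:
            lo, hi = dhcp_range(s)
            ranges.append((s.name, lo, hi))
        except ValueError as exc:
            problems.append(f"{s.name}: {exc}")
    ranges.sort(key=lambda r: r[1])
    for (name_a, _, hi_a), (name_b, lo_b, _) in zip(ranges, ranges[1:]):
        if lo_b <= hi_a:
            problems.append(f"DHCP ranges of {name_a} and {name_b} overlap")
    return problems


def render_clients_conf(sites: List[Site], site_secrets: Dict[str, str]) -> str:
    """One client block per router, keyed on its static IP, each with its own secret."""
    out: List[str] = []
    for s in sites:
        out += [
            f"client {s.name} {{",
            f"\tipaddr = {s.nas_ip}",
            f"\tsecret = {site_secrets[s.name]}",
            f"\tshortname = {s.name}",
            "\tnastype = other",
            "}",
            "",
        ]
    return "\n".join(out)


# Constructed sample plan: three remote routers, one /24 of 10.1.0.0/16 each.
SITES = [
    Site("site-a", "203.0.113.10", "10.1.10.2", "10.1.10.254"),
    Site("site-b", "203.0.113.11", "10.1.11.2", "10.1.11.254"),
    Site("site-c", "198.51.100.7", "10.1.12.2", "10.1.12.254"),
]

if __name__ == "__main__":
    issues = check_sites(SITES)
    if issues:
        raise SystemExit("\n".join(issues))
    site_secrets = {s.name: new_secret() for s in SITES}
    print(render_clients_conf(SITES, site_secrets))
```

Paste the printed blocks into /etc/freeradius/clients.conf in place of the two /1 catch-all entries, put the matching secret into each router's Chillispot page, and include the Grase server's own chilli DHCP range in `SITES` when planning so that it is checked against the remote sites as well.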