2016-02-21 - Re: [GRASE-Hotspot] Re: Limit voucher login to single device

Header Data

From: Reflex INKY <re***y@gmail.com>
Message Hash: 15744eda6e2da3bf3f20e01789b0a4c740dd92ee002a4584ce7a00b5f5bfecee
Message ID: <CAASt=XT5R51B-+WuEG0snues0aAeUMzzuHHYML=_sVFGTPhWOw@mail.gmail.com>
Reply To: <CAESLx0KxddgJwXdpjFHwSfD2WCJHDaZOfdzOVUu2+Yb+AJy7Rg@mail.gmail.com>
UTC Datetime: 2016-02-21 05:09:08 UTC
Raw Date: Sun, 21 Feb 2016 08:09:08 -0400

Raw message

That was very quick!!! Thank you very much!

On Sun, Feb 21, 2016 at 8:03 AM, Timothy White <ti***8@gmail.com> wrote:

> Hi Reflex
>
> At login, the actual processing of whether a user is allowed to login or
> not is handled by FreeRadius.
>
> The login flow is as follows:
>
>    - Coova Chilli checks if we have an active session, if not we redirect
>    to the Captive Portal
>    - From the captive portal, we either put a username and password in,
>    or click free login
>       - If doing a 'Free Login', we call a simple script that takes the
>       user's current MAC address, generates it a user account, then sends back the
>       encoded UAM challenge to the Captive Portal.
>       - If we are doing a normal login, the JavaScript gets the username
>       and password, hashes the password with the UAM challenge
>    - Regardless of which flow, the browser now has a username and UAM
>    challenge and response; it submits these to Coova Chilli
>    - Coova Chilli starts a Radius session with Free Radius, and passes
>    the username and uam response/challenge to Freeradius
>    - Freeradius looks up the user in the database, checks if the UAM
>    challenge/response matches the password stored, then continues a number of
>    checks before replying with either an Accept or Reject response, with a
>    number of other attributes.
>    - Coova Chilli takes the response, and either rejects the login, or
>    starts a session that is bound by the attributes passed back (like time
>    limit etc)
>
> To do what you want to do, we'd need to hook in at the Freeradius level.
> We currently have some of our own code in a Freeradius module. It's here
> you'd need to add in the logic to reject new logins if the MAC address
> doesn't match the previous one used.
>
> Have a look at https://github.com/GraseHotspot/grase-conf-freeradius for
> some of that code.
>
> Hope that gives you a good idea of the flow.
>
> Regards
>
> Tim
>
> On Sun, Feb 21, 2016 at 9:50 PM, Reflex INKY <re***y@gmail.com>
> wrote:
>
>> I submitted a ticket, but could you help me understand the flow of the
>> login process? When I looked at the hotspot.php file I see that the MAC
>> address is being captured. I wanted to know if that could then be used to
>> search against the radius database and, if it exists for another username,
>> then do not allow the login. If you could point me to the files and/or
>> variables that would be helpful.
>>
>> Thanks
>>
>> On Mon, Feb 15, 2016 at 7:10 AM, Timothy White <ti***8@gmail.com>
>> wrote:
>>
>>> Hi Reflex
>>>
>>> In theory, this could be done with Calling-Station-Id as suggested
>>> by Mohammed Farouk. Basically, it would need to be coded that on first
>>> login, we'd insert a new radcheck item for the Calling-Station-Id for that
>>> user, restricting future logins to that MAC address.
>>>
>>> Feel free to open a ticket (
>>> https://github.com/GraseHotspot/grase-www-portal/issues) for this so it
>>> can be worked on in the future. It's not Coova-Chilli that needs to be
>>> modified, rather the FreeRadius modules that need to be modified.
>>> Currently, the custom module is written in Perl, however I'm hoping to
>>> write future modules in Python as I like it more.
>>>
>>> Regards
>>>
>>> Tim
>>>
>>> On Mon, Feb 15, 2016 at 8:41 PM, Reflex INKY <re***y@gmail.com> wrote:
>>>
>>>> Thank you Tasyo. I figured that this is what I would have to do except
>>>> I do not know how. I wanted to do this at the point of login as any other
>>>> way would mean a cron job (I think). I am seeing the info in the radius
>>>> database but don't know where in the code to modify. For example, I am
>>>> seeing a dologin() function in config.local.sh that I want to change
>>>> to check for the username-mac address combination. I would then do the
>>>> steps in 2 outlined in your response but against the radius database. Now
>>>> trying to go through the code to understand how chilli works.
>>>>
>>>> On Mon, Feb 15, 2016 at 4:45 AM, Pilosopong Tasyo <
>>>> pi***7@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> You can use *chilli_query* to extract the username-MAC address pair
>>>>> of all logged-in users and make a comparison if each pair matches the one
>>>>> on file.  A shell script should fit the bill nicely.  Basically, the
>>>>> script does the following:
>>>>>
>>>>>    1. Use *chilli_query list* to extract the username and MAC address
>>>>>    of all logged-in users.  You'll need to filter the list using
>>>>>    *grep* and *cut* (you only need *USERNAME* and *MAC_ADDRESS*) and
>>>>>    save it to *ACTIVE_USERS_FILE* for processing.
>>>>>    2. For every USERNAME and MAC_ADDRESS in the *ACTIVE_USERS_FILE*,
>>>>>    make a comparison:
>>>>>       - *USERNAME* doesn't exist on file yet -> first time log-in,
>>>>>       create *USERNAME* with *MAC_ADDRESS* as its content
>>>>>       - *USERNAME* already exists and *MAC_ADDRESS* matches the one on
>>>>>       file -> no action, the credentials match the one on file
>>>>>       - *USERNAME* already exists but *MAC_ADDRESS* doesn't match the
>>>>>       one on file -> unauthorized device (i.e., *USERNAME* is being
>>>>>       used with another device that has a different *MAC_ADDRESS*),
>>>>>       use *chilli_query logout* to kick out the *USERNAME*
>>>>>    3. Repeat the entire procedure.
>>>>>
>>>>> So even if there's a successful login, it won't take long for the
>>>>> user to get logged out.  Very effective in deterring users from sharing
>>>>> their credentials with someone else (or preventing users from using their
>>>>> credentials on another device even if they own it).
>>>>>
>>>>> Hope this helps.  Cheers.
>>>>>
>>>>> --
>>>>> This mailing list is for the Grase Hotspot Project
>>>>> http://grasehotspot.org
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Grase Hotspot" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to gr***e@grasehotspot.org.
>>>>> To post to this group, send email to gr***t@grasehotspot.org.
>>>>> Visit this group at
>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org
>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
>>>
>>
>
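The radcheck-based approach Tim describes above (pinning a voucher to the Calling-Station-Id seen at its first login, so later logins from another MAC are rejected), as an added example that is not part of this thread or the Grase project's own FreeRADIUS module: a Python sketch of the authorize-stage check against an in-memory SQLite copy of the radcheck table. The table definition, the check_device hook and the MAC normalisation are assumptions for illustration; in a real deployment the FreeRADIUS sql module compares the stored Calling-Station-Id check item itself.

```python
import sqlite3

# Constructed stand-in for the FreeRADIUS "radcheck" table: the standard
# columns plus a UNIQUE constraint, so two concurrent first logins cannot
# both pin the same voucher.
SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL, attribute TEXT NOT NULL,
    op TEXT NOT NULL, value TEXT NOT NULL, UNIQUE (username, attribute));
"""

def normalize_mac(mac: str) -> str:
    """Canonical AA-BB-CC-DD-EE-FF form, so ':' vs '-' or case differences
    in Calling-Station-Id never produce a spurious mismatch."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def check_device(conn: sqlite3.Connection, username: str,
                 calling_station_id: str) -> str:
    """Hypothetical authorize-stage hook; returns 'accept' or 'reject'.

    First login of a voucher: pin it to this MAC by inserting a
    'Calling-Station-Id == <MAC>' check item.  Later logins: accept only
    from the pinned MAC.  INSERT OR IGNORE followed by a re-read means a
    race between two devices still leaves exactly one pinned MAC.
    """
    mac = normalize_mac(calling_station_id)
    conn.execute(
        "INSERT OR IGNORE INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'Calling-Station-Id', '==', ?)",
        (username, mac),
    )
    conn.commit()
    (pinned,) = conn.execute(
        "SELECT value FROM radcheck WHERE username = ? "
        "AND attribute = 'Calling-Station-Id'",
        (username,),
    ).fetchone()
    return "accept" if normalize_mac(pinned) == mac else "reject"
```

Calling check_device(db, "voucher1", "aa:bb:cc:dd:ee:01") twice accepts both times, while a later call for "voucher1" from a different MAC returns "reject"; the same voucher pinned from a ':'-separated address still matches when Coova sends it '-'-separated.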
