2016-02-21 - Re: [GRASE-Hotspot] Re: Limit voucher login to single device
Header Data
From: Reflex INKY <re***y@gmail.com>
Message Hash: 15744eda6e2da3bf3f20e01789b0a4c740dd92ee002a4584ce7a00b5f5bfecee
Message ID: <CAASt=XT5R51B-+WuEG0snues0aAeUMzzuHHYML=_sVFGTPhWOw@mail.gmail.com>
Reply To: <CAESLx0KxddgJwXdpjFHwSfD2WCJHDaZOfdzOVUu2+Yb+AJy7Rg@mail.gmail.com>
UTC Datetime: 2016-02-21 05:09:08 UTC
Raw Date: Sun, 21 Feb 2016 08:09:08 -0400
Raw message
That was very quick!!! Thank you very much!
On Sun, Feb 21, 2016 at 8:03 AM, Timothy White <ti***8@gmail.com> wrote:
> Hi Reflex
>
> At login, the actual processing of whether a user is allowed to login or
> not is handled by FreeRadius.
>
> The login flow is as follows:
>
> - Coova Chilli checks if we have an active session, if not we redirect
> to the Captive Portal
> - From the captive portal, we either put a username and password in,
> or click free login
> - If doing a 'Free Login', we call a simple script that takes the
> users current MAC address, generates it a user account, then sends back the
> encoded UAM challenge to the Captive Portal.
> - If we are doing a normal login, the javascript gets the username
> and password, hashes the password with the UAM challenge
> - Regardless of which flow, the browser now has a username and uam
> challenge and response, it submits these to Coova Chilli
> - Coova Chilli starts a Radius session with Free Radius, and passes
> the username and uam response/challenge to Freeradius
> - Freeradius looks up the user in the database, checks if the UAM
> challenge/response matches the password stored, then continues a number of
> checks before replying with either an Accept or Reject response, with a
> number of other attributes.
> - Coova Chilli takes the response, and either rejects the login, or
> starts a session that is bound by the attributes passed back (like time
> limit etc)
>
> To do what you want to do, we'd need to hook in at the Freeradius level.
> We currently have some of our own code in a Freeradius module. It's here
> you'd need to add in the logic to reject new logins if the MAC address
> doesn't match the previous one used.
>
> Have a look at https://github.com/GraseHotspot/grase-conf-freeradius for
> some of that code.
>
> Hope that gives you a good idea of the flow.
>
> Regards
>
> Tim
>
> On Sun, Feb 21, 2016 at 9:50 PM, Reflex INKY <re***y@gmail.com>
> wrote:
>
>> I submitted a ticket but could you help me understand the flow of the
>> login process. When I looked at the hotspot.php file i see that the mac
>> address is being captured. I wanted to know if that could then be used to
>> search against the radius database and if it exists for another username
>> then do not allow the login. If you could point me to the files and or
>> variables that would be helpful.
>>
>> Thanks
>>
>> On Mon, Feb 15, 2016 at 7:10 AM, Timothy White <ti***8@gmail.com>
>> wrote:
>>
>>> Hi Reflex
>>>
>>> In theory, this could be done with Calling-Station-Id as suggested
>>> by Mohammed Farouk. Basically, it would need to be coded that on first
>>> login, we'd insert a new radcheck item for the Calling-Station-Id for that
>>> user, restricting future logins to that MAC address.
>>>
>>> Feel free to open a ticket (
>>> https://github.com/GraseHotspot/grase-www-portal/issues) for this so it
>>> can be worked on in the future. It's not Coova-Chilli that needs to be
>>> modified, rather the FreeRadius modules that need to be modified.
>>> Currently, the custom module is written in Perl, however I'm hoping to
>>> write future modules in Python as I like it more.
>>>
>>> Regards
>>>
>>> Tim
>>>
>>> On Mon, Feb 15, 2016 at 8:41 PM, Reflex INKY <re***y@gmail.com
>>> > wrote:
>>>
>>>> Thank you Tasyo. I figured that this is what I would have to do except
>>>> I do not know how. I wanted to do this at the point of login as any other
>>>> way would mean a cron job( I think). I am seeing the info in the radius
>>>> database but don't know where in the code to modify. For example, I am
>>>> seeing a dologin() function in config.local.sh that I want to change
>>>> to check for the username-mac address combination. I would then do the
>>>> steps in 2 outlined in your response but against the radius database. Now
>>>> trying to go through the code to understand how chilli works.
>>>>
>>>> On Mon, Feb 15, 2016 at 4:45 AM, Pilosopong Tasyo <
>>>> pi***7@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> You can use *chilli_query* to extract the username-MAC address pair
>>>>> of all logged-in users and make a comparison if each pair matches the one
>>>>> on file. A shell script should foot the bill nicely. Basically, the
>>>>> script does the following:
>>>>>
>>>>>
>>>>> 1. Use *chilli_query list* to extract the username and MAC address
>>>>> of all logged-in users. You'll need to filter the list using
>>>>> *grep* and *cut* (you only need *USERNAME* and *MAC_ADDRESS*) and
>>>>> save it *"ACTIVE_USERS_FILE"* for processing.
>>>>> 2. For every USERNAME and MAC_ADDRESS in the *ACTIVE_USERS_FILE*,
>>>>> make a comparison:
>>>>> - *USERNAME* doesn't exist on file yet -> first time log-in,
>>>>> create *USERNAME* with *MAC_ADDRESS* as it's content
>>>>> - *USERNAME* already exist and *MAC_ADDRESS* matches the one on
>>>>> file -> no action, the credentials matches the one on file
>>>>> - *USERNAME* already exist but *MAC_ADDRESS* doesn't match the
>>>>> one on file -> unauthorized device (i.e., *USERNAME* is being
>>>>> used with another device that has a different *MAC_ADDRESS*),
>>>>> use *chilli_query logout* to kick out the *USER_NAME*
>>>>> 3. Repeat the entire procedure.
>>>>>
>>>>> So even if the there's a successful login, it won't take long for the
>>>>> user to get logged out. Very effective in deterring users from sharing
>>>>> their credentials with someone else (or preventing users from using their
>>>>> credentials on another device even if they own it).
>>>>>
>>>>> Hope this helps. Cheers.
>>>>>
>>>>> --
>>>>> This mailing list is for the Grase Hotspot Project
>>>>> http://grasehotspot.org
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Grase Hotspot" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to gr***e@grasehotspot.org.
>>>>> To post to this group, send email to gr***t@grasehotspot.org.
>>>>> Visit this group at
>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org
>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
>>>> --
>>>> This mailing list is for the Grase Hotspot Project
>>>> http://grasehotspot.org
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Grase Hotspot" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to gr***e@grasehotspot.org.
>>>> To post to this group, send email to gr***t@grasehotspot.org.
>>>> Visit this group at
>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAASt%3DXQAFw%3DtFGv65RkH_2n6%2B%2BpkkASrT98NGHnFVVHrJ9T9nQ%40mail.gmail.com
>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAASt%3DXQAFw%3DtFGv65RkH_2n6%2B%2BpkkASrT98NGHnFVVHrJ9T9nQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
>>> --
>>> This mailing list is for the Grase Hotspot Project
>>> http://grasehotspot.org
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Grase Hotspot" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to gr***e@grasehotspot.org.
>>> To post to this group, send email to gr***t@grasehotspot.org.
>>> Visit this group at
>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0Kygo0NktdXnbjm%2BQ0EKYWO%3Dn0yQhU7yu0c%2BCaT1yKpBA%40mail.gmail.com
>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0Kygo0NktdXnbjm%2BQ0EKYWO%3Dn0yQhU7yu0c%2BCaT1yKpBA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>> --
>> This mailing list is for the Grase Hotspot Project
>> http://grasehotspot.org
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Grase Hotspot" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to gr***e@grasehotspot.org.
>> To post to this group, send email to gr***t@grasehotspot.org.
>> Visit this group at
>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>> To view this discussion on the web visit
>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAASt%3DXS4es_K1wP93L6pmsZD2LZz-OqprFfzr3vrJ1Od96%3DT3A%40mail.gmail.com
>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAASt%3DXS4es_K1wP93L6pmsZD2LZz-OqprFfzr3vrJ1Od96%3DT3A%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at
> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0KxddgJwXdpjFHwSfD2WCJHDaZOfdzOVUu2%2BYb%2BAJy7Rg%40mail.gmail.com
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0KxddgJwXdpjFHwSfD2WCJHDaZOfdzOVUu2%2BYb%2BAJy7Rg%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
Thread
-
Return to February 2016
- Return to “wegejo <jo***r@jwer.de>”
- Return to “mohammed farouk <mf***g@gmail.com>”
- Return to “Pilosopong Tasyo <pi***7@gmail.com>”
- Return to “Reflex INKY <re***y@gmail.com>”
-
Return to “Timothy White <ti***8@gmail.com>”
- 2016-02-14 (Sun, 14 Feb 2016 12:46:38 -0800) - Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-14 (Sun, 14 Feb 2016 14:00:23 -0800) - Re: Limit voucher login to single device - wegejo <jo***r@jwer.de>
- 2016-02-14 (Sun, 14 Feb 2016 20:49:51 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-14 (Mon, 15 Feb 2016 08:34:22 +0200) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - mohammed farouk <mf***g@gmail.com>
- 2016-02-14 (Sun, 14 Feb 2016 20:49:51 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 00:45:34 -0800) - Re: Limit voucher login to single device - Pilosopong Tasyo <pi***7@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 06:41:36 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 21:10:54 +1000) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Timothy White <ti***8@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 21:16:09 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-17 (Wed, 17 Feb 2016 22:10:07 +1000) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Timothy White <ti***8@gmail.com>
- 2016-02-17 (Wed, 17 Feb 2016 05:06:35 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-17 (Wed, 17 Feb 2016 07:24:36 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-21 (Sun, 21 Feb 2016 07:50:30 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-21 (Sun, 21 Feb 2016 22:03:45 +1000) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Timothy White <ti***8@gmail.com>
- 2016-02-21 (Sun, 21 Feb 2016 08:09:08 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-21 (Sun, 21 Feb 2016 22:03:45 +1000) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Timothy White <ti***8@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 21:16:09 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 21:10:54 +1000) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Timothy White <ti***8@gmail.com>
- 2016-02-15 (Mon, 15 Feb 2016 06:41:36 -0400) - Re: [GRASE-Hotspot] Re: Limit voucher login to single device - Reflex INKY <re***y@gmail.com>
- 2016-02-14 (Sun, 14 Feb 2016 14:00:23 -0800) - Re: Limit voucher login to single device - wegejo <jo***r@jwer.de>