2016-02-17 - Re: [GRASE-Hotspot] Re: Limit voucher login to single device

Header Data

From: Reflex INKY <re***y@gmail.com>
Message Hash: 43662b731f8194812717029d9e7190ba3a8e53137429464eb318662c632f9a01
Message ID: <CAASt=XR46dcBe05gsah-66Ue5pgseAs0zcaPJ-by-kLRW5EfOw@mail.gmail.com>
Reply To: <CAESLx0Kygo0NktdXnbjm+Q0EKYWO=n0yQhU7yu0c+CaT1yKpBA@mail.gmail.com>
UTC Datetime: 2016-02-17 04:24:36 UTC
Raw Date: Wed, 17 Feb 2016 07:24:36 -0400

Raw message

Sorry about the last mail. I got the info and am now testing this
workaround.


On Mon, Feb 15, 2016 at 7:10 AM, Timothy White <ti***8@gmail.com> wrote:

> Hi Reflex
>
> In theory, this could be done with Calling-Station-Id as suggested
> by Mohammed Farouk. Basically, it would need to be coded that on first
> login, we'd insert a new radcheck item for the Calling-Station-Id for that
> user, restricting future logins to that MAC address.
>
> Feel free to open a ticket (
> https://github.com/GraseHotspot/grase-www-portal/issues) for this so it
> can be worked on in the future. It's not Coova-Chilli that needs to be
> modified, rather the FreeRadius modules that need to be modified.
> Currently, the custom module is written in Perl, however I'm hoping to
> write future modules in Python as I like it more.
>
> Regards
>
> Tim
>
> On Mon, Feb 15, 2016 at 8:41 PM, Reflex INKY <re***y@gmail.com>
> wrote:
>
>> Thank you Tasyo. I figured that this is what I would have to do except I
>> do not know how. I wanted to do this at the point of login as any other way
>> would mean a cron job (I think). I am seeing the info in the radius
>> database but don't know where in the code to modify. For example, I am
>> seeing a dologin() function in config.local.sh that I want to change to
>> check for the username-mac address combination. I would then do the steps
>> in 2 outlined in your response but against the radius database. Now trying
>> to go through the code to understand how chilli works.
>>
>> On Mon, Feb 15, 2016 at 4:45 AM, Pilosopong Tasyo <
>> pi***7@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> You can use *chilli_query* to extract the username-MAC address pair of
>>> all logged-in users and make a comparison if each pair matches the one on
>>> file.  A shell script should foot the bill nicely.  Basically, the script
>>> does the following:
>>>
>>>
>>>    1. Use *chilli_query list* to extract the username and MAC address
>>>    of all logged-in users.  You'll need to filter the list using *grep*
>>>    and *cut* (you only need *USERNAME* and *MAC_ADDRESS*) and save it
>>>    to *"ACTIVE_USERS_FILE"* for processing.
>>>    2. For every USERNAME and MAC_ADDRESS in the *ACTIVE_USERS_FILE*,
>>>    make a comparison:
>>>       - *USERNAME* doesn't exist on file yet -> first time log-in,
>>>       create *USERNAME* with *MAC_ADDRESS* as its content
>>>       - *USERNAME* already exists and *MAC_ADDRESS* matches the one on
>>>       file -> no action, the credentials match the one on file
>>>       - *USERNAME* already exists but *MAC_ADDRESS* doesn't match the
>>>       one on file -> unauthorized device (i.e., *USERNAME* is being
>>>       used with another device that has a different *MAC_ADDRESS*), use
>>>       *chilli_query logout* to kick out the *USER_NAME*
>>>    3. Repeat the entire procedure.
>>>
>>> So even if there's a successful login, it won't take long for the
>>> user to get logged out.  Very effective in deterring users from sharing
>>> their credentials with someone else (or preventing users from using their
>>> credentials on another device even if they own it).
>>>
>>> Hope this helps.  Cheers.
>>>
>>> --
>>> This mailing list is for the Grase Hotspot Project
>>> http://grasehotspot.org
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Grase Hotspot" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to gr***e@grasehotspot.org.
>>> To post to this group, send email to gr***t@grasehotspot.org.
>>> Visit this group at
>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org
>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>
>
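
The polling procedure from Pilosopong Tasyo's quoted reply, written out as an added shell example (not code from the thread or from the Grase project). It assumes `chilli_query list` prints whitespace-separated columns starting MAC, IP, state, session id, auth flag, username; `BIND_DIR`, the function names and the sample rows are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: bind each voucher username to the first MAC address seen.
# Assumed `chilli_query list` columns: MAC IP STATE SESSIONID AUTH USERNAME ...
BIND_DIR="${BIND_DIR:-/tmp/voucher-bindings}"   # hypothetical: one file per username

# Reads the session list on stdin and prints one decision per logged-in session:
#   BIND user mac | OK user mac | KICK user mac | SKIP mac
check_sessions() {
    mkdir -p "$BIND_DIR" || return 1
    while read -r mac ip state sid auth user rest; do
        [ "$auth" = "1" ] || continue            # not logged in yet, nothing to bind
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        case "$mac" in
            ""|*[!0-9A-F-]*) echo "SKIP $mac"; continue ;;
        esac
        # The username becomes a file name, so refuse anything that could
        # escape BIND_DIR (slashes, leading dots, shell metacharacters).
        case "$user" in
            ""|.*|*[!A-Za-z0-9._-]*) echo "SKIP $mac"; continue ;;
        esac
        file="$BIND_DIR/$user"
        if [ ! -f "$file" ]; then
            printf '%s\n' "$mac" > "$file"       # first login: record the device
            echo "BIND $user $mac"
        elif [ "$(cat "$file")" = "$mac" ]; then
            echo "OK $user $mac"                 # same device as on file
        else
            echo "KICK $user $mac"               # voucher used from another device
        fi
    done
}

# Constructed rows standing in for real `chilli_query list` output.
sample_list() {
    cat <<'EOF'
00-11-22-AA-BB-01 10.1.0.2 pass 56c3f0a100000001 1 voucher1 120/0 5/0 http://example.com/
00-11-22-AA-BB-02 10.1.0.3 dnat 56c3f0a100000002 0 - 0/0 0/0 -
00-11-22-AA-BB-03 10.1.0.4 pass 56c3f0a100000003 1 voucher1 30/0 2/0 http://example.com/
00-11-22-AA-BB-04 10.1.0.5 pass 56c3f0a100000004 1 ../etc/x 10/0 1/0 -
EOF
}

# Live use, assuming `chilli_query logout` accepts the session's MAC address:
#   chilli_query list | check_sessions | while read -r action user mac; do
#       [ "$action" = "KICK" ] && chilli_query logout "$mac"
#   done
```

MAC addresses are chosen by the client, so this binding deters casual voucher sharing rather than stopping a device that presents the bound address. Because the check runs after login, a mismatched device stays online until the next polling pass; the radcheck `Calling-Station-Id` approach in Timothy White's reply would reject it at authentication instead.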
