2016-02-21 - Re: [GRASE-Hotspot] Re: Limit voucher login to single device

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 5a0912fe6b9ad95fe4ac5f88fcfe8cb047cd4f6a55a7633c442324eec9f0d8d6
Message ID: <CAESLx0KxddgJwXdpjFHwSfD2WCJHDaZOfdzOVUu2+Yb+AJy7Rg@mail.gmail.com>
Reply To: <CAASt=XS4es_K1wP93L6pmsZD2LZz-OqprFfzr3vrJ1Od96=T3A@mail.gmail.com>
UTC Datetime: 2016-02-21 05:03:45 UTC
Raw Date: Sun, 21 Feb 2016 22:03:45 +1000

Raw message

Hi Reflex

At login, the actual processing of whether a user is allowed to login or
not is handled by FreeRadius.

The login flow is as follows:

   - Coova Chilli checks if we have an active session; if not, we redirect
     to the Captive Portal
   - From the captive portal, we either put a username and password in, or
     click free login
      - If doing a 'Free Login', we call a simple script that takes the
        user's current MAC address, generates it a user account, then sends
        back the encoded UAM challenge to the Captive Portal.
      - If we are doing a normal login, the javascript gets the username
        and password, hashes the password with the UAM challenge
   - Regardless of which flow, the browser now has a username and UAM
     challenge and response; it submits these to Coova Chilli
   - Coova Chilli starts a Radius session with Free Radius, and passes the
     username and UAM response/challenge to Freeradius
   - Freeradius looks up the user in the database, checks if the UAM
     challenge/response matches the password stored, then continues a number
     of checks before replying with either an Accept or Reject response, with
     a number of other attributes.
   - Coova Chilli takes the response, and either rejects the login, or
     starts a session that is bound by the attributes passed back (like time
     limit etc)

To do what you want to do, we'd need to hook in at the Freeradius level. We
currently have some of our own code in a Freeradius module. It's here you'd
need to add in the logic to reject new logins if the MAC address doesn't
match the previous one used.

Have a look at https://github.com/GraseHotspot/grase-conf-freeradius for
some of that code.

Hope that gives you a good idea of the flow.

Regards

Tim

On Sun, Feb 21, 2016 at 9:50 PM, Reflex INKY <re***y@gmail.com>
wrote:

> I submitted a ticket but could you help me understand the flow of the
> login process. When I looked at the hotspot.php file i see that the mac
> address is being captured. I wanted to know if that could then be used to
> search against the radius database and if it exists for another username
> then do not allow the login. If you could point me to the files and or
> variables that would be helpful.
>
> Thanks
>
> On Mon, Feb 15, 2016 at 7:10 AM, Timothy White <ti***8@gmail.com>
> wrote:
>
>> Hi Reflex
>>
>> In theory, this could be done with Calling-Station-Id as suggested
>> by Mohammed Farouk. Basically, it would need to be coded that on first
>> login, we'd insert a new radcheck item for the Calling-Station-Id for that
>> user, restricting future logins to that MAC address.
>>
>> Feel free to open a ticket (
>> https://github.com/GraseHotspot/grase-www-portal/issues) for this so it
>> can be worked on in the future. It's not Coova-Chilli that needs to be
>> modified, rather the FreeRadius modules that need to be modified.
>> Currently, the custom module is written in Perl, however I'm hoping to
>> write future modules in Python as I like it more.
>>
>> Regards
>>
>> Tim
>>
>> On Mon, Feb 15, 2016 at 8:41 PM, Reflex INKY <re***y@gmail.com>
>> wrote:
>>
>>> Thank you Tasyo. I figured that this is what I would have to do except I
>>> do not know how. I wanted to do this at the point of login as any other way
>>> would mean a cron job( I think). I am seeing the info in the radius
>>> database but don't know where in the code to modify. For example, I am
>>> seeing a dologin() function in config.local.sh that I want to change to
>>> check for the username-mac address combination. I would then do the steps
>>> in 2 outlined in your response but against the radius database. Now trying
>>> to go through the code to understand how chilli works.
>>>
>>> On Mon, Feb 15, 2016 at 4:45 AM, Pilosopong Tasyo <pi***7@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> You can use *chilli_query* to extract the username-MAC address pair of
>>>> all logged-in users and make a comparison if each pair matches the one on
>>>> file.  A shell script should foot the bill nicely.  Basically, the script
>>>> does the following:
>>>>
>>>>
>>>>    1. Use *chilli_query list* to extract the username and MAC address
>>>>    of all logged-in users.  You'll need to filter the list using *grep*
>>>>     and *cut* (you only need *USERNAME* and *MAC_ADDRESS*) and save it
>>>>    *"ACTIVE_USERS_FILE"* for processing.
>>>>    2. For every USERNAME and MAC_ADDRESS in the *ACTIVE_USERS_FILE*,
>>>>    make a comparison:
>>>>       - *USERNAME* doesn't exist on file yet -> first time log-in,
>>>>       create *USERNAME* with *MAC_ADDRESS* as its content
>>>>       - *USERNAME* already exists and *MAC_ADDRESS* matches the one on
>>>>       file -> no action, the credentials match the one on file
>>>>       - *USERNAME* already exists but *MAC_ADDRESS* doesn't match the
>>>>       one on file -> unauthorized device (i.e., *USERNAME* is being
>>>>       used with another device that has a different *MAC_ADDRESS*),
>>>>       use *chilli_query logout* to kick out the *USER_NAME*
>>>>    3. Repeat the entire procedure.
>>>>
>>>> So even if there's a successful login, it won't take long for the
>>>> user to get logged out.  Very effective in deterring users from sharing
>>>> their credentials with someone else (or preventing users from using their
>>>> credentials on another device even if they own it).
>>>>
>>>> Hope this helps.  Cheers.
>>>>
>>>> --
>>>> This mailing list is for the Grase Hotspot Project
>>>> http://grasehotspot.org
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Grase Hotspot" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to gr***e@grasehotspot.org.
>>>> To post to this group, send email to gr***t@grasehotspot.org.
>>>> Visit this group at
>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org
>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
>>>
>>
>>
>
>
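The two approaches discussed in this thread, Tim's FreeRADIUS-side binding (insert a Calling-Station-Id radcheck row on first login so later logins from another MAC are rejected) and Tasyo's periodic chilli_query sweep, modelled together as an added Python example. This is not code from the Grase Hotspot project or its FreeRADIUS module: the radcheck column names (username, attribute, op, value) follow the standard FreeRADIUS SQL schema, but the in-memory store, the function names, the MAC normalisation and the sample session lines are assumptions constructed for the example.

```python
"""Bind a hotspot username to the first device (MAC) it logs in from.

Added example, not Grase Hotspot code. `authorize` models the FreeRADIUS
authorize-phase decision; `sweep` models the periodic chilli_query pass.
"""
import re

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"


def normalize_mac(mac):
    """Canonical AA-BB-CC-DD-EE-FF form, whatever separator and case came in.

    The portal and the NAS need not format MACs the same way, so compare
    canonical forms, never raw strings.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


class RadCheck:
    """In-memory stand-in for the FreeRADIUS radcheck table (assumption)."""

    def __init__(self):
        self.rows = []  # (username, attribute, op, value)

    def add(self, username, attribute, op, value):
        self.rows.append((username, attribute, op, value))

    def get(self, username, attribute):
        """Value of the first matching check item, or None."""
        for user, attr, _op, value in self.rows:
            if user == username and attr == attribute:
                return value
        return None

    def has_user(self, username):
        return any(user == username for user, _a, _o, _v in self.rows)


def bind_or_check(store, username, mac):
    """True if `mac` is, or now becomes, the device bound to `username`.

    First login inserts `Calling-Station-Id == MAC`; FreeRADIUS compares a
    `==` check item against the request, so once the row exists the sql
    module itself rejects a request carrying a different MAC.
    """
    mac = normalize_mac(mac)
    bound = store.get(username, "Calling-Station-Id")
    if bound is None:
        store.add(username, "Calling-Station-Id", "==", mac)
        return True
    return bound == mac


def authorize(store, username, calling_station_id):
    """Authorize-phase decision for one Access-Request.

    The UAM challenge/response password check happens separately (in the
    authenticate phase); this only decides whether the device is allowed.
    """
    if not store.has_user(username):
        return REJECT, "unknown user"
    if bind_or_check(store, username, calling_station_id):
        return ACCEPT, "device bound to account"
    return REJECT, "account already bound to another device"


def parse_active_users(lines):
    """(username, mac) pairs from session list lines.

    Assumption: MAC is the first field and username the last, as in the
    constructed sample below; check the real `chilli_query list` layout
    and adjust the indices before running this on live output.
    """
    pairs = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[-1], fields[0]))
    return pairs


def sweep(store, lines):
    """Tasyo's periodic pass: usernames whose session MAC does not match
    the bound device, i.e. the ones to hand to `chilli_query logout`."""
    return [u for u, mac in parse_active_users(lines)
            if store.has_user(u) and not bind_or_check(store, u, mac)]


# Constructed sample data, not real hotspot records.
SAMPLE_SESSIONS = [
    "00-11-22-33-44-55 10.1.0.10 pass alice",  # alice's first device
    "66:77:88:99:aa:bb 10.1.0.11 pass alice",  # same voucher, second device
    "AA-BB-CC-DD-EE-FF 10.1.0.12 pass bob",
]


def demo():
    store = RadCheck()
    store.add("alice", "Cleartext-Password", ":=", "voucher-1")
    store.add("bob", "Cleartext-Password", ":=", "voucher-2")
    first = authorize(store, "alice", "00:11:22:33:44:55")   # binds alice
    second = authorize(store, "alice", "66-77-88-99-AA-BB")  # rejected
    kicked = sweep(store, SAMPLE_SESSIONS)                    # ["alice"]
    return first[0], second[0], kicked


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: normalise MAC formats before storing or comparing, and decide explicitly whether an unknown username in the sweep should be bound or ignored (here it is ignored, because FreeRADIUS would already have rejected it at login).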
