2016-02-15 - Re: [GRASE-Hotspot] Re: Limit voucher login to single device

Header Data

From: Reflex INKY <re***y@gmail.com>
Message Hash: 5eaeba57a2ff7822d850daee38d002366062943f863aea262c608d70401ff980
Message ID: <CAASt=XQAFw=tFGv65RkH_2n6++pkkASrT98NGHnFVVHrJ9T9nQ@mail.gmail.com>
Reply To: <5dc932ed-0b56-43a5-82dc-ec8616c3cf50@grasehotspot.org>
UTC Datetime: 2016-02-15 03:41:36 UTC
Raw Date: Mon, 15 Feb 2016 06:41:36 -0400

Raw message 

Thank you Tasyo. I figured that this is what I would have to do except I do
not know how. I wanted to do this at the point of login as any other way
would mean a cron job( I think). I am seeing the info in the radius
database but don't know where in the code to modify. For example, I am
seeing a dologin() function in config.local.sh that I want to change to
check for the username-mac address combination. I would then do the steps
in 2 outlined in your response but against the radius database. Now trying
to go through the code to understand how chilli works.

On Mon, Feb 15, 2016 at 4:45 AM, Pilosopong Tasyo <
pi***7@gmail.com> wrote:

> Hi,
>
> You can use *chilli_query* to extract the username-MAC address pair of
> all logged-in users and make a comparison if each pair matches the one on
> file.  A shell script should foot the bill nicely.  Basically, the script
> does the following:
>
>
>    1. Use *chilli_query list* to extract the username and MAC address of
>    all logged-in users.  You'll need to filter the list using *grep* and
>    *cut* (you only need *USERNAME* and *MAC_ADDRESS*) and save it
>    *"ACTIVE_USERS_FILE"* for processing.
>    2. For every USERNAME and MAC_ADDRESS in the *ACTIVE_USERS_FILE*, make
>    a comparison:
>       - *USERNAME* doesn't exist on file yet -> first time log-in, create
>       *USERNAME* with *MAC_ADDRESS* as it's content
>       - *USERNAME* already exist and *MAC_ADDRESS* matches the one on
>       file -> no action, the credentials matches the one on file
>       - *USERNAME* already exist but *MAC_ADDRESS* doesn't match the one
>       on file -> unauthorized device (i.e., *USERNAME* is being used with
>       another device that has a different *MAC_ADDRESS*), use *chilli_query
>       logout* to kick out the *USER_NAME*
>    3. Repeat the entire procedure.
>
> So even if the there's a successful login, it won't take long for the user
> to get logged out.  Very effective in deterring users from sharing their
> credentials with someone else (or preventing users from using their
> credentials on another device even if they own it).
>
> Hope this helps.  Cheers.
>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at
> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/5dc932ed-0b56-43a5-82dc-ec8616c3cf50%40grasehotspot.org?utm_medium=email&utm_source=footer>
> .
>

Thread