2016-05-17 - Re: [GRASE-Hotspot] Re: UAM redirection

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 397ee4bb0e37b49e12c0c2b25e2060a596bba37e237de9e10e0e3cc82c81853b
Message ID: <CAESLx0LZ5ZfBVmCJMjZ9_9GuTtLz9Z-oUCc-cPAS0cd4dO1MFg@mail.gmail.com>
Reply To: <12f9b895-8d6d-40bb-b50d-2252ba93cf31@grasehotspot.org>
UTC Datetime: 2016-05-17 03:26:10 UTC
Raw Date: Tue, 17 May 2016 20:26:10 +1000

Raw message 

Wow. That is a huge list. Are you modifying the config file directly, or
adding them via the web interface?
In theory, because uamdomains uses DNS packet inspection, it should work.
However, I'm not convinced. I wouldn't be surprised if once a *.
googleapis.com is allowed through, that other sites also on that IP would
then be allowed through as well.
In my quick check, DNS results for *.googleapis.com do resolve to similar
IP's to the clients3.google.com domain. I expect that are on the same
infrastructure and that's what's allowing the packets through. It may even
be the analytics IP's doing it.

I would look at all your uamdomains, and think of them more like
uamallowed, where we resolve the IP and allow that IP through. It's
certainly what appears to be happening, and it's probably more to do with
another client requesting a site, and then having that IP allowed for all
clients.

So basically, if a site is hosted in a companies massive cloud, expect that
other sites in that cloud will also be allowed through.

Tim

On Tue, May 17, 2016 at 6:33 PM, José Borges <jo***s@algardata.pt>
wrote:

> HS_UAMDOMAINS=".mobile-enterprise.com,.algardata.com,.unykapp.com,.unyk.tv
> ,.unykvis.com,.licdn.com,.linkedin.com,.twimg.com,.twitter.com,.
> facebook.com,.fbcdn.net,connect.facebook.net,.zendesk.com,.
> google-analytics.com,.googletagmanager.com,.googleapis.com,.addthis.com,.
> yandex.ru,.hotjar.com,.list-manage.com,.sumome.com,.yandex.com,.
> onesignal.com,.mixpanel.com,.intercom.io,.hellobar.com,.heapanalytics.com
> ,.messenger.com"
> segunda-feira, 16 de Maio de 2016 às 21:54:46 UTC+1, timwhite88 escreveu:
>>
>> Hi José
>>
>> You'll need to make sure you don't remove the uamallowed line completely.
>> The url used by different Android versions won't have made a difference, as
>> it's the IP it resolves to that causes the issue.
>>
>> Can you post your complete uamallowed list? It may be that something in
>> your list is resolving to the same IP as one of the checks, and it may only
>> resolve the same sometimes.
>>
>> Also, I didn't find DHCP release made any difference. Watching the packet
>> dumps, the Android devices do the captive portal check everytime they
>> connect, regardless of the existing DHCP lease or not. As long as it can
>> "reach" the generate_204 url it's checking with, the uam won't be displayed.
>>
>> Tim
>>
>> On Tue, May 17, 2016 at 12:54 AM, José Borges <jo***.@algardata.pt>
>> wrote:
>>
>>> Hi Tim
>>>
>>> First of all, thank you for taking up your time with this.
>>>
>>> After checking your nightly, on a new grase install, I double checked
>>> what's changed and applied those changes to my box.
>>>
>>> I only noticed a change in the functions chilli file (should there be
>>> more please let me know):
>>>
>>> FROM MINE
>>>
>>> *uamallowed "www.coova.org
>>> <http://www.coova.org>${HS_UAMSERVER:+,$HS_UAMSERVER}$webadmin$uamallow"*
>>>
>>>
>>>
>>> TO YOURS
>>>
>>> *uamallowed "${HS_UAMSERVER:+$HS_UAMSERVER}$webadmin$uamallow"*
>>>
>>>
>>>
>>> What im guessing, no time to test yet, is that the DHCP RELEASE time is
>>> also important.
>>>
>>> What i noticed, based on your feedback, about the CAPTIVE PORTAL
>>> checking url... im our android (v5) the url is
>>> connectivitycheck.android.com/generate_204 (for instance on my Samsung
>>> Note 4) and not connectivitycheck.gstatic.com as you mention on your
>>> NEXUS 5X. Probably, it has to do with the android version of the device.
>>> removing the gstatic.com domain from the uamallowed started to show the
>>> UAM consistently, but on older android versions like 4 the url is
>>> http://clients3.google.com/generate_204, but no UAM is shown still.
>>>
>>> Apple has its own captivel portal url, doing a simple google search is
>>> easy to figure out which.
>>>
>>> To test everything i commented the HS_UAMDOMAINS line in Chilli config
>>> file.
>>>
>>> But better results no doubt... still not perfect... but better.
>>>
>>>
>>>
>>> sábado, 14 de Maio de 2016 às 13:25:15 UTC+1, timwhite88 escreveu:
>>>>
>>>> Please test the coova packages in nightly.
>>>>
>>>> http://nightly.packages.grasehotspot.org/pool/main/c/coova-chilli/coova-chilli_1.3.0-22-g39df09b_i386.deb
>>>> or
>>>> http://nightly.packages.grasehotspot.org/pool/main/c/coova-chilli/coova-chilli_1.3.0-22-g39df09b_amd64.deb
>>>> I've not built the ARM packages. Let me know if these work before I
>>>> spend time building the arm ones. If they are good I'll promote them to
>>>> stable!
>>>>
>>>> Regards
>>>>
>>>> On Sat, May 14, 2016 at 9:43 PM, Timothy White <ti***.@gmail.com>
>>>> wrote:
>>>>
>>>>> And just like that, I've found the issue.
>>>>> At some point the coova project moved to Github, and appear to maybe
>>>>> use Google domains to redirect www.coova.org to the new url.
>>>>> www.coova.org is in the uamallowed list. Sometimes to
>>>>> connectivitycheck.gstatic.com address resolves to the same IP as
>>>>> www.coova.org, which means that the generate_204 is allowed through!
>>>>>
>>>>> Why is www.coova.org in the uamallowed list? It's been there for
>>>>> years because it's part of the defaults of coova chilli.
>>>>>
>>>>> I'll aim to get an updated coovachilli package built in the next few
>>>>> days and into the nighlies so people can test it. At some point I do need
>>>>> to update to the latest version, but I'll do that as a separate package.
>>>>>
>>>>> That was pure luck discovering the reason!
>>>>>
>>>>> On Sat, May 14, 2016 at 9:38 PM, Timothy White <ti***.@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi José
>>>>>>
>>>>>> Finally replicated this. And it hints of a big bug somewhere, just
>>>>>> got to work out where. Figured I'd do a scientific test to only change 1
>>>>>> thing at a time to work out the issue. Finally got it after about the 12th
>>>>>> time of connecting/disconnect. And looking at the packet captures there is
>>>>>> something disturbing. The request to
>>>>>> http://connectivitycheck.gstatic.com/generate_204 to check for
>>>>>> connectivity gets through.
>>>>>> I tested further, and even though that request got through, seconds
>>>>>> later attempting to connect to yahoo.com fails.
>>>>>>
>>>>>> I only have Android Nexus5X running marshmallow to test. I assume the
>>>>>> reason this works for iPhones is that they use a different mechanism for
>>>>>> checking if the internet works.
>>>>>>
>>>>>> I'll keep digging and see if I can work out what causes it. At this
>>>>>> stage it appears to be a Coova Chilli bug, where, I have no idea.
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On Sat, May 14, 2016 at 1:21 AM, José Borges <jo***.@algardata.pt>
>>>>>> wrote:
>>>>>>
>>>>>>> It applied to ALL DEVICES prior to me adding this:
>>>>>>>
>>>>>>> "I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but sometimes
>>>>>>> it works sometimes it doesnt."
>>>>>>>
>>>>>>> Before none opened the Browser, now ONLY iphones open always.
>>>>>>> Android only opens on first connection to WIFI.
>>>>>>>
>>>>>>> quinta-feira, 12 de Maio de 2016 às 18:36:51 UTC+1, Henry Terkura
>>>>>>> Swende escreveu:
>>>>>>>>
>>>>>>>> Ok, I think I didn't get the full  picture, thought the problem
>>>>>>>> applied to all devices you were using .....but now I think it's device
>>>>>>>> specific.
>>>>>>>> On May 12, 2016 6:12 PM, "José Borges" <jo***.@algardata.pt>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Ooookkkk... Testing time then...
>>>>>>>>
>>>>>>>> I did what you mention...
>>>>>>>>
>>>>>>>> Made chilli *local.conf* with* lease=10* and then tested.
>>>>>>>>
>>>>>>>> I was given the same IP address even after *chilli_query *stopped
>>>>>>>> listing me in *chilli_query dhcp-list*
>>>>>>>>
>>>>>>>> Meaning, that 5 minutes after i had my DCHP release, the IP i was
>>>>>>>> given again was the same, and i did try to conect another device prior, to
>>>>>>>> see if i was given the first available ip from the ippool...
>>>>>>>>
>>>>>>>> So no luck there... No Browser was open again (on second connection
>>>>>>>> to wifi, which was 5 minutes after i disconected the wireless).
>>>>>>>>
>>>>>>>> my chilli.conf
>>>>>>>>
>>>>>>>> interval=60
>>>>>>>> nousergardendata
>>>>>>>> defidletimeout=604800
>>>>>>>> dhcpstart=2
>>>>>>>> lease=10
>>>>>>>>
>>>>>>>> output of chilli_query dhcp-list (theres a 60 seconds lease grace
>>>>>>>> period, that why the 19/10 on bold line).
>>>>>>>>
>>>>>>>> 18-1E-B0-BE-68-2B 10.1.0.6 dnat 1/10
>>>>>>>> *80-65-6D-2C-BE-49 10.1.0.2 dnat 19/10*
>>>>>>>> 00-90-FB-42-65-4D 10.1.0.5 dnat 9/10
>>>>>>>>
>>>>>>>> Im tearing my hair out... since i tried with three diferent
>>>>>>>> versions of android (5, 5.1.1, 4) but only the iphones worked!!! connect
>>>>>>>> /disconnect / connect / disconnect ... it always shows the UAM on the
>>>>>>>> iphones (i cant believe i am saying this).
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> quinta-feira, 12 de Maio de 2016 às 15:33:59 UTC+1, Henry Terkura
>>>>>>>> Swende escreveu:
>>>>>>>>
>>>>>>>>> I think the reason it gives you the uam login page first time is
>>>>>>>>> because dhcp lease for that IP had expired and was assigned as new dhcp
>>>>>>>>> request... Hence when you disconnect from wifi and reconnect before the
>>>>>>>>> dhcp lease expires you'll have to navigate to a non HTTPS website to get
>>>>>>>>> the uam login page. I think it has a lot to do with how coovachilli works
>>>>>>>>> .....you get blocked when you try to access services not allowed without
>>>>>>>>> authentication and authorization..... My observations over time
>>>>>>>>> On May 12, 2016 3:14 PM, "José Borges" <jo***.@algardata.pt>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Unfortunately this does bother me and i have been searching for
>>>>>>>>>> an answer for months... because mobile clients fire up they wifi, connect
>>>>>>>>>> to the open wifi hotspot and launch facebook... and they dont understand
>>>>>>>>>> they have to go to http://10.1.0.1 and do a login... i keep
>>>>>>>>>> getting asked why doesnt it show the UAM login when i connect to the wifi
>>>>>>>>>> as other solutions do. I did a fresh install of grase hotspot and it
>>>>>>>>>> happens the same thing, so it isn't anything i changed by myself.
>>>>>>>>>>
>>>>>>>>>> Everyone has this behaviour or could it be a hardware (hotspot
>>>>>>>>>> server) issue?
>>>>>>>>>>
>>>>>>>>>> quinta-feira, 12 de Maio de 2016 às 12:30:05 UTC+1, Emmanuel
>>>>>>>>>> Nyachoke escreveu:
>>>>>>>>>>>
>>>>>>>>>>> I think I noticed this even with windows clients but it seemed
>>>>>>>>>>> irregular in my case the very first time I connected the client I got the
>>>>>>>>>>> message 'additional login my be required' but did not see the message
>>>>>>>>>>> subsequently. This does not bother me  much but other hotspot management
>>>>>>>>>>> systems do this consistently.
>>>>>>>>>>>
>>>>>>>>>>> On Wednesday, 11 May 2016 19:38:40 UTC+3, José Borges wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> How on earth i make the browser open the UAM upon the user
>>>>>>>>>>>> connecting to the wireless network?
>>>>>>>>>>>>
>>>>>>>>>>>>    1. User turns on WIFI on the smartphone (android/ios)
>>>>>>>>>>>>    2. User selects correct WIFI SSID
>>>>>>>>>>>>    3. User taps LOGIN to connect to WIFI
>>>>>>>>>>>>    4. ... Chilli/FreeRadius/Chilli do their stuff ...
>>>>>>>>>>>>    5. Browser open with the UAM url in it
>>>>>>>>>>>>    6. User can then type his username/password to access
>>>>>>>>>>>>    internet.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm only missing step 5... The browser wont open... :(
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but
>>>>>>>>>>>> sometimes it works sometimes it doesnt.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Any advise?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Here's my /etc/chilli/config
>>>>>>>>>>>>
>>>>>>>>>>>> GRASE_VARS=$(cat /etc/dnsmasq.d/01-grasehotspot | grep #)
>>>>>>>>>>>> HS_NETWORK=$(echo "$GRASE_VARS" |grep chilli_network|awk
>>>>>>>>>>>> '{print $2}');
>>>>>>>>>>>> HS_NETMASK=$(echo "$GRASE_VARS" |grep chilli_netmask|awk
>>>>>>>>>>>> '{print $2}');
>>>>>>>>>>>> HS_UAMLISTEN=$(echo "$GRASE_VARS" |grep chilli_lanip|awk
>>>>>>>>>>>> '{print $2}');
>>>>>>>>>>>> HS_WANIF=$(echo "$GRASE_VARS" |grep chilli_wanif|awk '{print
>>>>>>>>>>>> $2}');
>>>>>>>>>>>> HS_LANIF=$(echo "$GRASE_VARS" |grep chilli_lanif|awk '{print
>>>>>>>>>>>> $2}');
>>>>>>>>>>>> HS_REDIRDNSREQ=on
>>>>>>>>>>>> HS_WANIF=${HS_WANIF:-eth0}
>>>>>>>>>>>> HS_LANIF=${HS_LANIF:-eth1}
>>>>>>>>>>>> HS_NETWORK=${HS_NETWORK:-10.1.0.0}
>>>>>>>>>>>> HS_NETMASK=${HS_NETMASK:-255.255.255.0}
>>>>>>>>>>>> HS_UAMLISTEN=${HS_UAMLISTEN:-10.1.0.1}
>>>>>>>>>>>> HS_UAMPORT=3990
>>>>>>>>>>>> HS_UAMUIPORT=4990
>>>>>>>>>>>> HS_DNS_DOMAIN=hotspot.lan
>>>>>>>>>>>> HS_DNS1=$HS_UAMLISTEN
>>>>>>>>>>>> HS_DNS2=$HS_UAMLISTEN
>>>>>>>>>>>> HS_MAXCLIENTS=65000
>>>>>>>>>>>> HS_NASID=nas01
>>>>>>>>>>>> HS_RADIUS=localhost
>>>>>>>>>>>> HS_RADIUS2=localhost
>>>>>>>>>>>> HS_UAMALLOW=$HS_UAMLISTEN
>>>>>>>>>>>> HS_RADSECRET=SuperSpecialSecret
>>>>>>>>>>>> HS_UAMALIASNAME=grase
>>>>>>>>>>>> HS_UAMDOMAINS=".google-analytics.com,.googletagmanager.com,.
>>>>>>>>>>>> gstatic.com,.googleapis.com"
>>>>>>>>>>>> HS_UAMSERVER=$HS_UAMLISTEN
>>>>>>>>>>>> HS_UAMFORMAT=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>>>>>>> HS_UAMHOMEPAGE=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>>>>>>> HS_MACAUTH=on
>>>>>>>>>>>>
>>>>>>>>>>>> HS_TCP_PORTS="80 443 22 2812 53 3990 3128"
>>>>>>>>>>>> HS_MODE=hotspot
>>>>>>>>>>>> HS_TYPE=chillispot
>>>>>>>>>>>> HS_ADMUSR=CoovaChilli
>>>>>>>>>>>> HS_ADMPWD=radmin
>>>>>>>>>>>> HS_DEFINTERIMINTERVAL=150
>>>>>>>>>>>> HS_WWWDIR=/etc/chilli/www
>>>>>>>>>>>> HS_WWWBIN=/etc/chilli/wwwsh
>>>>>>>>>>>> HS_PROVIDER=Grase
>>>>>>>>>>>> HS_PROVIDER_LINK=http://hotspot.purewhite.id.au/
>>>>>>>>>>>> HS_LOC_NAME="GRASE HotSpot"
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>>>>> http://grasehotspot.org
>>>>>>>>>> ---
>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>> Google Groups "Grase Hotspot" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>>> send an email to gr***.@grasehotspot.org.
>>>>>>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>>>>>>>
>>>>>>>>>> Visit this group at
>>>>>>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/
>>>>>>>>>> .
>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org
>>>>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>>> http://grasehotspot.org
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "Grase Hotspot" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to gr***.@grasehotspot.org.
>>>>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>>>>> Visit this group at
>>>>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/6e988722-0fe6-4488-958e-b9512a1a5b85%40grasehotspot.org
>>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/6e988722-0fe6-4488-958e-b9512a1a5b85%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>>> .
>>>>>>>>
>>>>>>>> --
>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>> http://grasehotspot.org
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Grase Hotspot" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to gr***.@grasehotspot.org.
>>>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>>>> Visit this group at
>>>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1de8672c-5834-4502-8014-7205a69b647d%40grasehotspot.org
>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1de8672c-5834-4502-8014-7205a69b647d%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>> --
>>> This mailing list is for the Grase Hotspot Project
>>> http://grasehotspot.org
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Grase Hotspot" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to gr***.@grasehotspot.org.
>>> To post to this group, send email to gr***.@grasehotspot.org.
>>> Visit this group at
>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/7715d020-3bf1-4be1-a1ae-02e1608064d4%40grasehotspot.org
>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/7715d020-3bf1-4be1-a1ae-02e1608064d4%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at
> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/12f9b895-8d6d-40bb-b50d-2252ba93cf31%40grasehotspot.org
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/12f9b895-8d6d-40bb-b50d-2252ba93cf31%40grasehotspot.org?utm_medium=email&utm_source=footer>
> .
>

Thread