2016-05-16 - Re: [GRASE-Hotspot] Re: UAM redirection

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: cbc176f77ece466bcd29c9e1ff707c0d539facc70178f12a1d75d562f485a5c4
Message ID: <CAESLx0JcL7Bjcg2q4VdWkDT3YbHM6yqZVwqv2-Q6se1nc=KFeg@mail.gmail.com>
Reply To: <7715d020-3bf1-4be1-a1ae-02e1608064d4@grasehotspot.org>
UTC Datetime: 2016-05-16 13:54:44 UTC
Raw Date: Tue, 17 May 2016 06:54:44 +1000

Raw message

Hi José

You'll need to make sure you don't remove the uamallowed line completely.
The url used by different Android versions won't have made a difference, as
it's the IP it resolves to that causes the issue.

Can you post your complete uamallowed list? It may be that something in
your list is resolving to the same IP as one of the checks, and it may only
resolve the same sometimes.

Also, I didn't find DHCP release made any difference. Watching the packet
dumps, the Android devices do the captive portal check every time they
connect, regardless of the existing DHCP lease or not. As long as it can
"reach" the generate_204 URL it's checking with, the UAM won't be displayed.

Tim

On Tue, May 17, 2016 at 12:54 AM, José Borges <jo***s@algardata.pt>
wrote:

> Hi Tim
>
> First of all, thank you for taking up your time with this.
>
> After checking your nightly, on a new grase install, I double checked
> what's changed and applied those changes to my box.
>
> I only noticed a change in the functions chilli file (should there be more
> please let me know):
>
> FROM MINE
>
> *uamallowed "www.coova.org${HS_UAMSERVER:+,$HS_UAMSERVER}$webadmin$uamallow"*
>
>
>
> TO YOURS
>
> *uamallowed "${HS_UAMSERVER:+$HS_UAMSERVER}$webadmin$uamallow"*
>
>
>
> What I'm guessing, no time to test yet, is that the DHCP RELEASE time is
> also important.
>
> What I noticed, based on your feedback, about the CAPTIVE PORTAL checking
> URL... in our Android (v5) the URL is
> connectivitycheck.android.com/generate_204 (for instance on my Samsung
> Note 4) and not connectivitycheck.gstatic.com as you mention on your
> NEXUS 5X. Probably, it has to do with the Android version of the device.
> Removing the gstatic.com domain from the uamallowed started to show the
> UAM consistently, but on older Android versions like 4 the URL is
> http://clients3.google.com/generate_204, but no UAM is shown still.
>
> Apple has its own captive portal URL; doing a simple Google search, it is
> easy to figure out which.
>
> To test everything I commented the HS_UAMDOMAINS line in Chilli config
> file.
>
> But better results no doubt... still not perfect... but better.
>
>
>
> Saturday, 14 May 2016 at 13:25:15 UTC+1, timwhite88 wrote:
>>
>> Please test the coova packages in nightly.
>>
>> http://nightly.packages.grasehotspot.org/pool/main/c/coova-chilli/coova-chilli_1.3.0-22-g39df09b_i386.deb
>> or
>> http://nightly.packages.grasehotspot.org/pool/main/c/coova-chilli/coova-chilli_1.3.0-22-g39df09b_amd64.deb
>> I've not built the ARM packages. Let me know if these work before I spend
>> time building the arm ones. If they are good I'll promote them to stable!
>>
>> Regards
>>
>> On Sat, May 14, 2016 at 9:43 PM, Timothy White <ti***.@gmail.com>
>> wrote:
>>
>>> And just like that, I've found the issue.
>>> At some point the coova project moved to GitHub, and appears to maybe use
>>> Google domains to redirect www.coova.org to the new URL. www.coova.org
>>> is in the uamallowed list. Sometimes the connectivitycheck.gstatic.com
>>> address resolves to the same IP as www.coova.org, which means that the
>>> generate_204 is allowed through!
>>>
>>> Why is www.coova.org in the uamallowed list? It's been there for years
>>> because it's part of the defaults of coova chilli.
>>>
>>> I'll aim to get an updated coovachilli package built in the next few
>>> days and into the nightlies so people can test it. At some point I do need
>>> to update to the latest version, but I'll do that as a separate package.
>>>
>>> That was pure luck discovering the reason!
>>>
>>> On Sat, May 14, 2016 at 9:38 PM, Timothy White <ti***.@gmail.com>
>>> wrote:
>>>
>>>> Hi José
>>>>
>>>> Finally replicated this. And it hints of a big bug somewhere, just got
>>>> to work out where. Figured I'd do a scientific test to only change 1 thing
>>>> at a time to work out the issue. Finally got it after about the 12th time
>>>> of connecting/disconnect. And looking at the packet captures there is
>>>> something disturbing. The request to
>>>> http://connectivitycheck.gstatic.com/generate_204 to check for
>>>> connectivity gets through.
>>>> I tested further, and even though that request got through, seconds
>>>> later attempting to connect to yahoo.com fails.
>>>>
>>>> I only have Android Nexus5X running marshmallow to test. I assume the
>>>> reason this works for iPhones is that they use a different mechanism for
>>>> checking if the internet works.
>>>>
>>>> I'll keep digging and see if I can work out what causes it. At this
>>>> stage it appears to be a Coova Chilli bug, where, I have no idea.
>>>>
>>>> Tim
>>>>
>>>> On Sat, May 14, 2016 at 1:21 AM, José Borges <jo***.@algardata.pt>
>>>> wrote:
>>>>
>>>>> It applied to ALL DEVICES prior to me adding this:
>>>>>
>>>>> "I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but sometimes it
>>>>> works sometimes it doesn't."
>>>>>
>>>>> Before none opened the browser, now ONLY iPhones open always. Android
>>>>> only opens on first connection to WIFI.
>>>>>
>>>>> Thursday, 12 May 2016 at 18:36:51 UTC+1, Henry Terkura
>>>>> Swende wrote:
>>>>>>
>>>>>> Ok, I think I didn't get the full picture, thought the problem
>>>>>> applied to all devices you were using... but now I think it's device
>>>>>> specific.
>>>>>> On May 12, 2016 6:12 PM, "José Borges" <jo***.@algardata.pt> wrote:
>>>>>>
>>>>>> Ooookkkk... Testing time then...
>>>>>>
>>>>>> I did what you mention...
>>>>>>
>>>>>> Made chilli *local.conf* with *lease=10* and then tested.
>>>>>>
>>>>>> I was given the same IP address even after *chilli_query* stopped
>>>>>> listing me in *chilli_query dhcp-list*
>>>>>>
>>>>>> Meaning that 5 minutes after I had my DHCP release, the IP I was
>>>>>> given again was the same, and I did try to connect another device prior, to
>>>>>> see if I was given the first available IP from the ippool...
>>>>>>
>>>>>> So no luck there... No browser was opened again (on second connection
>>>>>> to wifi, which was 5 minutes after I disconnected the wireless).
>>>>>>
>>>>>> my chilli.conf
>>>>>>
>>>>>> interval=60
>>>>>> nousergardendata
>>>>>> defidletimeout=604800
>>>>>> dhcpstart=2
>>>>>> lease=10
>>>>>>
>>>>>> output of chilli_query dhcp-list (there's a 60 seconds lease grace
>>>>>> period, that's why the 19/10 on bold line).
>>>>>>
>>>>>> 18-1E-B0-BE-68-2B 10.1.0.6 dnat 1/10
>>>>>> *80-65-6D-2C-BE-49 10.1.0.2 dnat 19/10*
>>>>>> 00-90-FB-42-65-4D 10.1.0.5 dnat 9/10
>>>>>>
>>>>>> I'm tearing my hair out... since I tried with three different versions
>>>>>> of Android (5, 5.1.1, 4) but only the iPhones worked!!! connect / disconnect
>>>>>> / connect / disconnect ... it always shows the UAM on the iPhones (I can't
>>>>>> believe I am saying this).
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thursday, 12 May 2016 at 15:33:59 UTC+1, Henry Terkura
>>>>>> Swende wrote:
>>>>>>
>>>>>>> I think the reason it gives you the uam login page first time is
>>>>>>> because dhcp lease for that IP had expired and was assigned as new dhcp
>>>>>>> request... Hence when you disconnect from wifi and reconnect before the
>>>>>>> dhcp lease expires you'll have to navigate to a non HTTPS website to get
>>>>>>> the uam login page. I think it has a lot to do with how coovachilli works
>>>>>>> .....you get blocked when you try to access services not allowed without
>>>>>>> authentication and authorization..... My observations over time
>>>>>>> On May 12, 2016 3:14 PM, "José Borges" <jo***.@algardata.pt>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Unfortunately this does bother me and I have been searching for an
>>>>>>>> answer for months... because mobile clients fire up their wifi, connect to
>>>>>>>> the open wifi hotspot and launch Facebook... and they don't understand they
>>>>>>>> have to go to http://10.1.0.1 and do a login... I keep getting
>>>>>>>> asked why doesn't it show the UAM login when I connect to the wifi as other
>>>>>>>> solutions do. I did a fresh install of grase hotspot and it happens the
>>>>>>>> same thing, so it isn't anything I changed by myself.
>>>>>>>>
>>>>>>>> Everyone has this behaviour or could it be a hardware (hotspot
>>>>>>>> server) issue?
>>>>>>>>
>>>>>>>> Thursday, 12 May 2016 at 12:30:05 UTC+1, Emmanuel
>>>>>>>> Nyachoke wrote:
>>>>>>>>>
>>>>>>>>> I think I noticed this even with Windows clients but it seemed
>>>>>>>>> irregular; in my case the very first time I connected the client I got the
>>>>>>>>> message 'additional login may be required' but did not see the message
>>>>>>>>> subsequently. This does not bother me much but other hotspot management
>>>>>>>>> systems do this consistently.
>>>>>>>>>
>>>>>>>>> On Wednesday, 11 May 2016 19:38:40 UTC+3, José Borges wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> How on earth do I make the browser open the UAM upon the user
>>>>>>>>>> connecting to the wireless network?
>>>>>>>>>>
>>>>>>>>>>    1. User turns on WIFI on the smartphone (android/ios)
>>>>>>>>>>    2. User selects correct WIFI SSID
>>>>>>>>>>    3. User taps LOGIN to connect to WIFI
>>>>>>>>>>    4. ... Chilli/FreeRadius/Chilli do their stuff ...
>>>>>>>>>>    5. Browser opens with the UAM url in it
>>>>>>>>>>    6. User can then type his username/password to access
>>>>>>>>>>    internet.
>>>>>>>>>>
>>>>>>>>>> I'm only missing step 5... The browser won't open... :(
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but
>>>>>>>>>> sometimes it works sometimes it doesn't.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Any advice?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Here's my /etc/chilli/config
>>>>>>>>>>
>>>>>>>>>> GRASE_VARS=$(cat /etc/dnsmasq.d/01-grasehotspot | grep '#')
>>>>>>>>>> HS_NETWORK=$(echo "$GRASE_VARS" |grep chilli_network|awk '{print $2}');
>>>>>>>>>> HS_NETMASK=$(echo "$GRASE_VARS" |grep chilli_netmask|awk '{print $2}');
>>>>>>>>>> HS_UAMLISTEN=$(echo "$GRASE_VARS" |grep chilli_lanip|awk '{print $2}');
>>>>>>>>>> HS_WANIF=$(echo "$GRASE_VARS" |grep chilli_wanif|awk '{print $2}');
>>>>>>>>>> HS_LANIF=$(echo "$GRASE_VARS" |grep chilli_lanif|awk '{print $2}');
>>>>>>>>>> HS_REDIRDNSREQ=on
>>>>>>>>>> HS_WANIF=${HS_WANIF:-eth0}
>>>>>>>>>> HS_LANIF=${HS_LANIF:-eth1}
>>>>>>>>>> HS_NETWORK=${HS_NETWORK:-10.1.0.0}
>>>>>>>>>> HS_NETMASK=${HS_NETMASK:-255.255.255.0}
>>>>>>>>>> HS_UAMLISTEN=${HS_UAMLISTEN:-10.1.0.1}
>>>>>>>>>> HS_UAMPORT=3990
>>>>>>>>>> HS_UAMUIPORT=4990
>>>>>>>>>> HS_DNS_DOMAIN=hotspot.lan
>>>>>>>>>> HS_DNS1=$HS_UAMLISTEN
>>>>>>>>>> HS_DNS2=$HS_UAMLISTEN
>>>>>>>>>> HS_MAXCLIENTS=65000
>>>>>>>>>> HS_NASID=nas01
>>>>>>>>>> HS_RADIUS=localhost
>>>>>>>>>> HS_RADIUS2=localhost
>>>>>>>>>> HS_UAMALLOW=$HS_UAMLISTEN
>>>>>>>>>> HS_RADSECRET=SuperSpecialSecret
>>>>>>>>>> HS_UAMALIASNAME=grase
>>>>>>>>>> HS_UAMDOMAINS=".google-analytics.com,.googletagmanager.com,.gstatic.com,.googleapis.com"
>>>>>>>>>> HS_UAMSERVER=$HS_UAMLISTEN
>>>>>>>>>> HS_UAMFORMAT=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>>>>> HS_UAMHOMEPAGE=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>>>>> HS_MACAUTH=on
>>>>>>>>>>
>>>>>>>>>> HS_TCP_PORTS="80 443 22 2812 53 3990 3128"
>>>>>>>>>> HS_MODE=hotspot
>>>>>>>>>> HS_TYPE=chillispot
>>>>>>>>>> HS_ADMUSR=CoovaChilli
>>>>>>>>>> HS_ADMPWD=radmin
>>>>>>>>>> HS_DEFINTERIMINTERVAL=150
>>>>>>>>>> HS_WWWDIR=/etc/chilli/www
>>>>>>>>>> HS_WWWBIN=/etc/chilli/wwwsh
>>>>>>>>>> HS_PROVIDER=Grase
>>>>>>>>>> HS_PROVIDER_LINK=http://hotspot.purewhite.id.au/
>>>>>>>>>> HS_LOC_NAME="GRASE HotSpot"
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>>> http://grasehotspot.org
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "Grase Hotspot" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to gr***.@grasehotspot.org.
>>>>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>>>>>
>>>>>>>> Visit this group at
>>>>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org
>>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>>> .
>>>>>>>>
>>>>
>>>>
>>>
>
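Added example, not part of the original thread and not Grase or CoovaChilli code: a check for the condition described above, where a uamallowed entry resolves to the same IP as a captive portal probe host and so lets generate_204 through. The function names are hypothetical, the sample DNS answers are constructed documentation addresses, and uamallowed entries are assumed to be hostnames, IPs or CIDR networks.

```python
import ipaddress
import socket

# Probe hostnames mentioned in this thread; other OS versions use others.
CHECK_HOSTS = ("connectivitycheck.gstatic.com", "connectivitycheck.android.com",
               "clients3.google.com")

def system_resolve(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        return {i[4][0] for i in socket.getaddrinfo(name, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()

def allowed_networks(uamallowed, resolve):
    """Map each uamallowed entry to the networks it opens in the walled garden."""
    nets = {}
    for entry in filter(None, (e.strip() for e in uamallowed.split(","))):
        try:
            nets[entry] = [ipaddress.ip_network(entry, strict=False)]
        except ValueError:  # not an IP or CIDR, so treat it as a hostname
            nets[entry] = [ipaddress.ip_network(ip) for ip in sorted(resolve(entry))]
    return nets

def find_collisions(uamallowed, check_hosts=CHECK_HOSTS, resolve=system_resolve, rounds=1):
    """Return sorted (check_host, ip, uamallowed_entry) where a probe IP is allowed."""
    hits = set()
    for _ in range(rounds):  # DNS answers rotate, so one clean pass proves little
        nets = allowed_networks(uamallowed, resolve)
        for host in check_hosts:
            for ip in resolve(host):
                addr = ipaddress.ip_address(ip)
                for entry, networks in nets.items():
                    if any(addr in net for net in networks):
                        hits.add((host, ip, entry))
    return sorted(hits)

# Constructed sample answers (documentation ranges, not real DNS data).
SAMPLE_DNS = {
    "www.coova.org": {"203.0.113.10"},
    "connectivitycheck.gstatic.com": {"203.0.113.10", "203.0.113.11"},
    "connectivitycheck.android.com": {"198.51.100.7"},
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    for host, ip, entry in find_collisions("www.coova.org,10.1.0.1", resolve=sample_resolve):
        print(f"{host} -> {ip} is let through by uamallowed entry {entry!r}")
```

On a live hotspot, pass the expanded uamallowed string with the default resolver and a higher `rounds` value, since the overlap only appears on some lookups.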

Thread