2016-05-14 - Re: [GRASE-Hotspot] Re: UAM redirection

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: e59bf82b4d27e8dcbdd9c4a948ef3af469c477fb4e9b9837908e95f45d562bc4
Message ID: <CAESLx0LFwVp2x_X8o52AsOe7F-Mer8rZKbEYsHi57-Z+wVaXtA@mail.gmail.com>
Reply To: <CAESLx0JUS9j=MOwL_nc0TvCzxJnWNZ5pUyobRm4eOx79JtM_=g@mail.gmail.com>
UTC Datetime: 2016-05-14 04:43:25 UTC
Raw Date: Sat, 14 May 2016 21:43:25 +1000

Raw message

And just like that, I've found the issue.
At some point the coova project moved to GitHub, and appears to maybe use
Google domains to redirect www.coova.org to the new URL. www.coova.org is
in the uamallowed list. Sometimes the connectivitycheck.gstatic.com address
resolves to the same IP as www.coova.org, which means that the generate_204
is allowed through!

Why is www.coova.org in the uamallowed list? It's been there for years
because it's part of the defaults of coova chilli.

I'll aim to get an updated coovachilli package built in the next few days
and into the nightlies so people can test it. At some point I do need to
update to the latest version, but I'll do that as a separate package.

That was pure luck discovering the reason!

On Sat, May 14, 2016 at 9:38 PM, Timothy White <ti***8@gmail.com> wrote:

> Hi José
>
> Finally replicated this. And it hints of a big bug somewhere, just got to
> work out where. Figured I'd do a scientific test to only change 1 thing at
> a time to work out the issue. Finally got it after about the 12th time of
> connecting/disconnect. And looking at the packet captures there is
> something disturbing. The request to
> http://connectivitycheck.gstatic.com/generate_204 to check for
> connectivity gets through.
> I tested further, and even though that request got through, seconds later
> attempting to connect to yahoo.com fails.
>
> I only have Android Nexus5X running marshmallow to test. I assume the
> reason this works for iPhones is that they use a different mechanism for
> checking if the internet works.
>
> I'll keep digging and see if I can work out what causes it. At this stage
> it appears to be a Coova Chilli bug, where, I have no idea.
>
> Tim
>
> On Sat, May 14, 2016 at 1:21 AM, José Borges <jo***s@algardata.pt>
> wrote:
>
>> It applied to ALL DEVICES prior to me adding this:
>>
>> "I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but sometimes it
>> works sometimes it doesn't."
>>
>> Before none opened the Browser, now ONLY iPhones open always. Android
>> only opens on first connection to WIFI.
>>
>> On Thursday, 12 May 2016 at 18:36:51 UTC+1, Henry Terkura Swende
>> wrote:
>>>
>>> Ok, I think I didn't get the full picture, thought the problem applied
>>> to all devices you were using .....but now I think it's device specific.
>>> On May 12, 2016 6:12 PM, "José Borges" <jo***.@algardata.pt> wrote:
>>>
>>> Ooookkkk... Testing time then...
>>>
>>> I did what you mention...
>>>
>>> Made chilli *local.conf* with *lease=10* and then tested.
>>>
>>> I was given the same IP address even after *chilli_query* stopped
>>> listing me in *chilli_query dhcp-list*
>>>
>>> Meaning, that 5 minutes after I had my DHCP release, the IP I was given
>>> again was the same, and I did try to connect another device prior, to see if
>>> I was given the first available IP from the ippool...
>>>
>>> So no luck there... No Browser was open again (on second connection to
>>> wifi, which was 5 minutes after I disconnected the wireless).
>>>
>>> my chilli.conf
>>>
>>> interval=60
>>> nousergardendata
>>> defidletimeout=604800
>>> dhcpstart=2
>>> lease=10
>>>
>>> output of chilli_query dhcp-list (there's a 60 seconds lease grace
>>> period, that's why the 19/10 on the bold line).
>>>
>>> 18-1E-B0-BE-68-2B 10.1.0.6 dnat 1/10
>>> *80-65-6D-2C-BE-49 10.1.0.2 dnat 19/10*
>>> 00-90-FB-42-65-4D 10.1.0.5 dnat 9/10
>>>
>>> I'm tearing my hair out... since I tried with three different versions of
>>> Android (5, 5.1.1, 4) but only the iPhones worked!!! connect / disconnect /
>>> connect / disconnect ... it always shows the UAM on the iPhones (I can't
>>> believe I am saying this).
>>>
>>>
>>>
>>> On Thursday, 12 May 2016 at 15:33:59 UTC+1, Henry Terkura Swende
>>> wrote:
>>>
>>>> I think the reason it gives you the uam login page first time is
>>>> because dhcp lease for that IP had expired and was assigned as new dhcp
>>>> request... Hence when you disconnect from wifi and reconnect before the
>>>> dhcp lease expires you'll have to navigate to a non HTTPS website to get
>>>> the uam login page. I think it has a lot to do with how coovachilli works
>>>> .....you get blocked when you try to access services not allowed without
>>>> authentication and authorization..... My observations over time
>>>> On May 12, 2016 3:14 PM, "José Borges" <jo***.@algardata.pt> wrote:
>>>>
>>>>> Unfortunately this does bother me and I have been searching for an
>>>>> answer for months... because mobile clients fire up their wifi, connect to
>>>>> the open wifi hotspot and launch Facebook... and they don't understand they
>>>>> have to go to http://10.1.0.1 and do a login... I keep getting asked
>>>>> why doesn't it show the UAM login when I connect to the wifi as other
>>>>> solutions do. I did a fresh install of grase hotspot and it happens the
>>>>> same thing, so it isn't anything I changed by myself.
>>>>>
>>>>> Everyone has this behaviour or could it be a hardware (hotspot server)
>>>>> issue?
>>>>>
>>>>> On Thursday, 12 May 2016 at 12:30:05 UTC+1, Emmanuel Nyachoke
>>>>> wrote:
>>>>>>
>>>>>> I think I noticed this even with Windows clients but it seemed
>>>>>> irregular; in my case the very first time I connected the client I got the
>>>>>> message 'additional login may be required' but did not see the message
>>>>>> subsequently. This does not bother me much but other hotspot management
>>>>>> systems do this consistently.
>>>>>>
>>>>>> On Wednesday, 11 May 2016 19:38:40 UTC+3, José Borges wrote:
>>>>>>>
>>>>>>>
>>>>>>> How on earth do I make the browser open the UAM upon the user
>>>>>>> connecting to the wireless network?
>>>>>>>
>>>>>>>    1. User turns on WIFI on the smartphone (android/ios)
>>>>>>>    2. User selects correct WIFI SSID
>>>>>>>    3. User taps LOGIN to connect to WIFI
>>>>>>>    4. ... Chilli/FreeRadius/Chilli do their stuff ...
>>>>>>>    5. Browser opens with the UAM url in it
>>>>>>>    6. User can then type his username/password to access internet.
>>>>>>>
>>>>>>> I'm only missing step 5... The browser won't open... :(
>>>>>>>
>>>>>>>
>>>>>>> I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but sometimes
>>>>>>> it works sometimes it doesn't.
>>>>>>>
>>>>>>>
>>>>>>> Any advice?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Here's my /etc/chilli/config
>>>>>>>
>>>>>>> GRASE_VARS=$(cat /etc/dnsmasq.d/01-grasehotspot | grep '#')
>>>>>>> HS_NETWORK=$(echo "$GRASE_VARS" |grep chilli_network|awk '{print $2}');
>>>>>>> HS_NETMASK=$(echo "$GRASE_VARS" |grep chilli_netmask|awk '{print $2}');
>>>>>>> HS_UAMLISTEN=$(echo "$GRASE_VARS" |grep chilli_lanip|awk '{print $2}');
>>>>>>> HS_WANIF=$(echo "$GRASE_VARS" |grep chilli_wanif|awk '{print $2}');
>>>>>>> HS_LANIF=$(echo "$GRASE_VARS" |grep chilli_lanif|awk '{print $2}');
>>>>>>> HS_REDIRDNSREQ=on
>>>>>>> HS_WANIF=${HS_WANIF:-eth0}
>>>>>>> HS_LANIF=${HS_LANIF:-eth1}
>>>>>>> HS_NETWORK=${HS_NETWORK:-10.1.0.0}
>>>>>>> HS_NETMASK=${HS_NETMASK:-255.255.255.0}
>>>>>>> HS_UAMLISTEN=${HS_UAMLISTEN:-10.1.0.1}
>>>>>>> HS_UAMPORT=3990
>>>>>>> HS_UAMUIPORT=4990
>>>>>>> HS_DNS_DOMAIN=hotspot.lan
>>>>>>> HS_DNS1=$HS_UAMLISTEN
>>>>>>> HS_DNS2=$HS_UAMLISTEN
>>>>>>> HS_MAXCLIENTS=65000
>>>>>>> HS_NASID=nas01
>>>>>>> HS_RADIUS=localhost
>>>>>>> HS_RADIUS2=localhost
>>>>>>> HS_UAMALLOW=$HS_UAMLISTEN
>>>>>>> HS_RADSECRET=SuperSpecialSecret
>>>>>>> HS_UAMALIASNAME=grase
>>>>>>> HS_UAMDOMAINS=".google-analytics.com,.googletagmanager.com,.gstatic.com,.googleapis.com"
>>>>>>> HS_UAMSERVER=$HS_UAMLISTEN
>>>>>>> HS_UAMFORMAT=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>> HS_UAMHOMEPAGE=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>> HS_MACAUTH=on
>>>>>>>
>>>>>>> HS_TCP_PORTS="80 443 22 2812 53 3990 3128"
>>>>>>> HS_MODE=hotspot
>>>>>>> HS_TYPE=chillispot
>>>>>>> HS_ADMUSR=CoovaChilli
>>>>>>> HS_ADMPWD=radmin
>>>>>>> HS_DEFINTERIMINTERVAL=150
>>>>>>> HS_WWWDIR=/etc/chilli/www
>>>>>>> HS_WWWBIN=/etc/chilli/wwwsh
>>>>>>> HS_PROVIDER=Grase
>>>>>>> HS_PROVIDER_LINK=http://hotspot.purewhite.id.au/
>>>>>>> HS_LOC_NAME="GRASE HotSpot"
>>>>>>>
>>>>>> --
>>>>> This mailing list is for the Grase Hotspot Project
>>>>> http://grasehotspot.org
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Grase Hotspot" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to gr***.@grasehotspot.org.
>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>>
>>>>> Visit this group at
>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org
>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>
>
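
An audit for the overlap described in the message above, as an added example that is not part of the original thread or of Grase/CoovaChilli code: it flags captive-portal probe hosts that the walled garden would let through, either because a uamallowed host resolves to the same IP or because an HS_UAMDOMAINS suffix covers the probe name. The function names, the suffix-matching model of HS_UAMDOMAINS and the DNS answers are assumptions; the addresses are constructed documentation values.

```python
import socket

# Android's connectivity probe host, as named in the thread.
PROBE_HOSTS = ["connectivitycheck.gstatic.com"]

# Constructed DNS answers (documentation addresses), not real lookups.
SAMPLE_DNS = {
    "10.1.0.1": {"10.1.0.1"},
    "www.coova.org": {"203.0.113.10"},
    "connectivitycheck.gstatic.com": {"203.0.113.10", "203.0.113.20"},
}

def sample_resolver(host):
    """Offline resolver backed by the constructed answers above."""
    return SAMPLE_DNS.get(host, set())

def system_resolver(host):
    """Resolve a hostname or IP literal to its IPv4 addresses (empty on failure)."""
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def audit_walled_garden(uamallowed, uamdomains, probes=PROBE_HOSTS,
                        resolve=system_resolver):
    """List (probe, reason, detail) tuples for probes the garden lets through."""
    ip_owner = {}  # allowed IP -> first uamallowed entry that resolved to it
    for entry in uamallowed:
        for ip in resolve(entry):
            ip_owner.setdefault(ip, entry)
    findings = []
    for probe in probes:
        # Assumption: a uamdomains entry matches the name itself and any subdomain.
        for suffix in uamdomains:
            bare = suffix.lstrip(".")
            if probe == bare or probe.endswith("." + bare):
                findings.append((probe, "uamdomain", suffix))
        # Allow-by-IP: any address shared with an allowed host opens the probe too.
        for ip in sorted(resolve(probe)):
            if ip in ip_owner:
                findings.append((probe, "shared-ip", f"{ip_owner[ip]} ({ip})"))
    return findings

if __name__ == "__main__":
    for finding in audit_walled_garden(
            ["10.1.0.1", "www.coova.org"],
            [".google-analytics.com", ".gstatic.com"],
            resolve=sample_resolver):
        print(finding)
```

Because the overlap only shows up sometimes, as the message notes, run the audit with `system_resolver` repeatedly from the hotspot itself rather than relying on a single clean result.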

Thread