2016-05-16 - Re: [GRASE-Hotspot] Re: UAM redirection

Header Data

From: José Borges <jo***s@algardata.pt>
Message Hash: f6a05d8cbb9169f69d6e00182ea1ae76ab83d36ad76f2573144f79bd902722ed
Message ID: <7715d020-3bf1-4be1-a1ae-02e1608064d4@grasehotspot.org>
Reply To: <CAESLx0LQ68zTgq9r8Dgr_LWPacgGtrhzRM-t84Sqgiqb=ZLhfQ@mail.gmail.com>
UTC Datetime: 2016-05-16 07:54:04 UTC
Raw Date: Mon, 16 May 2016 07:54:04 -0700

Raw message

Hi Tim

First of all, thank you for taking up your time with this.

After checking your nightly, on a new grase install, I double checked 
what's changed and applied those changes to my box.
 
I only noticed a change in the functions chilli file (should there be more 
please let me know):

FROM MINE

*uamallowed "www.coova.org${HS_UAMSERVER:+,$HS_UAMSERVER}$webadmin$uamallow"*

 

TO YOURS

*uamallowed "${HS_UAMSERVER:+$HS_UAMSERVER}$webadmin$uamallow"*



What I'm guessing, no time to test yet, is that the DHCP RELEASE time is 
also important.

What I noticed, based on your feedback, about the CAPTIVE PORTAL checking 
URL... in our Android (v5) the URL is 
connectivitycheck.android.com/generate_204 (for instance on my Samsung Note 
4) and not connectivitycheck.gstatic.com as you mention on your NEXUS 5X. 
Probably, it has to do with the Android version of the device. Removing the 
gstatic.com domain from the uamallowed started to show the 
UAM consistently, but on older Android versions like 4 the URL is 
http://clients3.google.com/generate_204, but no UAM is shown still. 

Apple has its own captive portal URL; doing a simple Google search, it is easy 
to figure out which.

To test everything I commented out the HS_UAMDOMAINS line in the Chilli config file.

But better results no doubt... still not perfect... but better.



On Saturday, 14 May 2016 at 13:25:15 UTC+1, timwhite88 wrote:
>
> Please test the coova packages in nightly.
>
> http://nightly.packages.grasehotspot.org/pool/main/c/coova-chilli/coova-chilli_1.3.0-22-g39df09b_i386.deb 
> or 
> http://nightly.packages.grasehotspot.org/pool/main/c/coova-chilli/coova-chilli_1.3.0-22-g39df09b_amd64.deb
> I've not built the ARM packages. Let me know if these work before I spend 
> time building the arm ones. If they are good I'll promote them to stable!
>
> Regards
>
> On Sat, May 14, 2016 at 9:43 PM, Timothy White <ti***.@gmail.com> wrote:
>
>> And just like that, I've found the issue.
>> At some point the coova project moved to Github, and appear to maybe use 
>> Google domains to redirect www.coova.org to the new url. www.coova.org 
>> is in the uamallowed list. Sometimes the connectivitycheck.gstatic.com 
>> address resolves to the same IP as www.coova.org, which means that the 
>> generate_204 is allowed through!
>>
>> Why is www.coova.org in the uamallowed list? It's been there for years 
>> because it's part of the defaults of coova chilli.
>>
>> I'll aim to get an updated coovachilli package built in the next few days 
>> and into the nightlies so people can test it. At some point I do need to 
>> update to the latest version, but I'll do that as a separate package.
>>
>> That was pure luck discovering the reason!
>>
>> On Sat, May 14, 2016 at 9:38 PM, Timothy White <ti***.@gmail.com> wrote:
>>
>>> Hi José
>>>
>>> Finally replicated this. And it hints of a big bug somewhere, just got 
>>> to work out where. Figured I'd do a scientific test to only change 1 thing 
>>> at a time to work out the issue. Finally got it after about the 12th time 
>>> of connecting/disconnect. And looking at the packet captures there is 
>>> something disturbing. The request to 
>>> http://connectivitycheck.gstatic.com/generate_204 to check for 
>>> connectivity gets through.
>>> I tested further, and even though that request got through, seconds 
>>> later attempting to connect to yahoo.com fails.
>>>
>>> I only have Android Nexus5X running marshmallow to test. I assume the 
>>> reason this works for iPhones is that they use a different mechanism for 
>>> checking if the internet works.
>>>
>>> I'll keep digging and see if I can work out what causes it. At this 
>>> stage it appears to be a Coova Chilli bug, where, I have no idea.
>>>
>>> Tim
>>>
>>> On Sat, May 14, 2016 at 1:21 AM, José Borges <jo***.@algardata.pt> wrote:
>>>
>>>> It applied to ALL DEVICES prior to me adding this:
>>>>
>>>> "I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but sometimes it 
>>>> works sometimes it doesn't."
>>>>
>>>> Before none opened the Browser, now ONLY iphones open always. Android 
>>>> only opens on first connection to WIFI.
>>>>
>>>> On Thursday, 12 May 2016 at 18:36:51 UTC+1, Henry Terkura Swende wrote:
>>>>>
>>>>> Ok, I think I didn't get the full  picture, thought the problem 
>>>>> applied to all devices you were using .....but now I think it's device 
>>>>> specific.
>>>>> On May 12, 2016 6:12 PM, "José Borges" <jo***.@algardata.pt> wrote:
>>>>>
>>>>> Ooookkkk... Testing time then...
>>>>>
>>>>> I did what you mention...
>>>>>
>>>>> Made chilli *local.conf* with *lease=10* and then tested.
>>>>>
>>>>> I was given the same IP address even after *chilli_query* stopped 
>>>>> listing me in *chilli_query dhcp-list*
>>>>>
>>>>> Meaning, that 5 minutes after I had my DHCP release, the IP I was 
>>>>> given again was the same, and I did try to connect another device prior, to 
>>>>> see if I was given the first available IP from the ippool...
>>>>>
>>>>> So no luck there... No Browser was open again (on second connection to 
>>>>> wifi, which was 5 minutes after I disconnected the wireless).
>>>>>
>>>>> my chilli.conf
>>>>>
>>>>> interval=60
>>>>> nousergardendata
>>>>> defidletimeout=604800
>>>>> dhcpstart=2
>>>>> lease=10
>>>>>
>>>>> output of chilli_query dhcp-list (there's a 60 seconds lease grace 
>>>>> period, that's why the 19/10 on bold line).
>>>>>
>>>>> 18-1E-B0-BE-68-2B 10.1.0.6 dnat 1/10
>>>>> *80-65-6D-2C-BE-49 10.1.0.2 dnat 19/10*
>>>>> 00-90-FB-42-65-4D 10.1.0.5 dnat 9/10
>>>>>
>>>>> I'm tearing my hair out... since I tried with three different versions 
>>>>> of Android (5, 5.1.1, 4) but only the iPhones worked!!! connect / disconnect 
>>>>> / connect / disconnect ... it always shows the UAM on the iPhones (I can't 
>>>>> believe I am saying this).
>>>>>
>>>>>
>>>>>
>>>>> On Thursday, 12 May 2016 at 15:33:59 UTC+1, Henry Terkura Swende wrote:
>>>>>
>>>>>> I think the reason it gives you the uam login page first time is 
>>>>>> because dhcp lease for that IP had expired and was assigned as new dhcp 
>>>>>> request... Hence when you disconnect from wifi and reconnect before the 
>>>>>> dhcp lease expires you'll have to navigate to a non HTTPS website to get 
>>>>>> the uam login page. I think it has a lot to do with how coovachilli works 
>>>>>> .....you get blocked when you try to access services not allowed without 
>>>>>> authentication and authorization..... My observations over time
>>>>>> On May 12, 2016 3:14 PM, "José Borges" <jo***.@algardata.pt> wrote:
>>>>>>
>>>>>>> Unfortunately this does bother me and I have been searching for an 
>>>>>>> answer for months... because mobile clients fire up their wifi, connect to 
>>>>>>> the open wifi hotspot and launch facebook... and they don't understand they 
>>>>>>> have to go to http://10.1.0.1 and do a login... I keep getting 
>>>>>>> asked why doesn't it show the UAM login when I connect to the wifi as other 
>>>>>>> solutions do. I did a fresh install of grase hotspot and it happens the 
>>>>>>> same thing, so it isn't anything I changed by myself. 
>>>>>>>
>>>>>>> Everyone has this behaviour or could it be a hardware (hotspot 
>>>>>>> server) issue?
>>>>>>>
>>>>>>> On Thursday, 12 May 2016 at 12:30:05 UTC+1, Emmanuel Nyachoke wrote:
>>>>>>>>
>>>>>>>> I think I noticed this even with Windows clients but it seemed 
>>>>>>>> irregular in my case; the very first time I connected the client I got the 
>>>>>>>> message 'additional login may be required' but did not see the message 
>>>>>>>> subsequently. This does not bother me much but other hotspot management 
>>>>>>>> systems do this consistently. 
>>>>>>>>
>>>>>>>> On Wednesday, 11 May 2016 19:38:40 UTC+3, José Borges wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> How on earth do I make the browser open the UAM upon the user 
>>>>>>>>> connecting to the wireless network?
>>>>>>>>>
>>>>>>>>>    1. User turns on WIFI on the smartphone (android/ios)
>>>>>>>>>    2. User selects correct WIFI SSID
>>>>>>>>>    3. User taps LOGIN to connect to WIFI
>>>>>>>>>    4. ... Chilli/FreeRadius/Chilli do their stuff ...
>>>>>>>>>    5. Browser opens with the UAM url in it
>>>>>>>>>    6. User can then type his username/password to access internet.
>>>>>>>>>
>>>>>>>>> I'm only missing step 5... The browser won't open... :(
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I use this HS_REDIRDNSREQ=on on /etc/chilli/config, but sometimes 
>>>>>>>>> it works sometimes it doesn't.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Any advice?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Here's my /etc/chilli/config
>>>>>>>>>
>>>>>>>>> GRASE_VARS=$(cat /etc/dnsmasq.d/01-grasehotspot | grep '#')
>>>>>>>>> HS_NETWORK=$(echo "$GRASE_VARS" |grep chilli_network|awk '{print $2}');
>>>>>>>>> HS_NETMASK=$(echo "$GRASE_VARS" |grep chilli_netmask|awk '{print $2}');
>>>>>>>>> HS_UAMLISTEN=$(echo "$GRASE_VARS" |grep chilli_lanip|awk '{print $2}');
>>>>>>>>> HS_WANIF=$(echo "$GRASE_VARS" |grep chilli_wanif|awk '{print $2}');
>>>>>>>>> HS_LANIF=$(echo "$GRASE_VARS" |grep chilli_lanif|awk '{print $2}');
>>>>>>>>> HS_REDIRDNSREQ=on
>>>>>>>>> HS_WANIF=${HS_WANIF:-eth0}
>>>>>>>>> HS_LANIF=${HS_LANIF:-eth1}
>>>>>>>>> HS_NETWORK=${HS_NETWORK:-10.1.0.0}
>>>>>>>>> HS_NETMASK=${HS_NETMASK:-255.255.255.0}
>>>>>>>>> HS_UAMLISTEN=${HS_UAMLISTEN:-10.1.0.1}
>>>>>>>>> HS_UAMPORT=3990
>>>>>>>>> HS_UAMUIPORT=4990
>>>>>>>>> HS_DNS_DOMAIN=hotspot.lan
>>>>>>>>> HS_DNS1=$HS_UAMLISTEN
>>>>>>>>> HS_DNS2=$HS_UAMLISTEN
>>>>>>>>> HS_MAXCLIENTS=65000
>>>>>>>>> HS_NASID=nas01
>>>>>>>>> HS_RADIUS=localhost
>>>>>>>>> HS_RADIUS2=localhost
>>>>>>>>> HS_UAMALLOW=$HS_UAMLISTEN
>>>>>>>>> HS_RADSECRET=SuperSpecialSecret 
>>>>>>>>> HS_UAMALIASNAME=grase
>>>>>>>>> HS_UAMDOMAINS=".google-analytics.com,.googletagmanager.com,.gstatic.com,.googleapis.com"
>>>>>>>>> HS_UAMSERVER=$HS_UAMLISTEN
>>>>>>>>> HS_UAMFORMAT=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>>>> HS_UAMHOMEPAGE=http://\$HS_UAMSERVER/grase/uam/hotspot
>>>>>>>>> HS_MACAUTH=on
>>>>>>>>>
>>>>>>>>> HS_TCP_PORTS="80 443 22 2812 53 3990 3128"
>>>>>>>>> HS_MODE=hotspot
>>>>>>>>> HS_TYPE=chillispot
>>>>>>>>> HS_ADMUSR=CoovaChilli
>>>>>>>>> HS_ADMPWD=radmin
>>>>>>>>> HS_DEFINTERIMINTERVAL=150
>>>>>>>>> HS_WWWDIR=/etc/chilli/www
>>>>>>>>> HS_WWWBIN=/etc/chilli/wwwsh
>>>>>>>>> HS_PROVIDER=Grase
>>>>>>>>> HS_PROVIDER_LINK=http://hotspot.purewhite.id.au/
>>>>>>>>> HS_LOC_NAME="GRASE HotSpot"
>>>>>>>>>
>>>>>>>> -- 
>>>>>>> This mailing list is for the Grase Hotspot Project 
>>>>>>> http://grasehotspot.org
>>>>>>> --- 
>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>> Groups "Grase Hotspot" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>> send an email to gr***.@grasehotspot.org.
>>>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>>>>
>>>>>>> Visit this group at 
>>>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>>>> To view this discussion on the web visit 
>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org 
>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1f09a37e-45b1-47e4-a3dc-69dbcb114d2b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>>>
>>>
>>
>
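
The collision described in this thread (a uamallowed hostname and a connectivity-check hostname resolving to the same IP, so generate_204 is let through) can be checked for before a config is deployed. This is an added example, not part of the original thread or of Grase/CoovaChilli code; the function names, the suffix-matching rule assumed for HS_UAMDOMAINS entries, and the sample IP addresses are assumptions.

```python
# Added example: audit a walled-garden config for captive-portal probe leaks.
# Probe hostnames are the ones named in this thread; all IPs are constructed.
PROBE_HOSTS = [
    "connectivitycheck.gstatic.com",
    "connectivitycheck.android.com",
    "clients3.google.com",
]

def suffix_match(host, domains):
    """Return the uamdomains entry covering host, or None (assumed suffix rule)."""
    host = host.lower().rstrip(".")
    for d in domains:
        bare = d.strip().lower().lstrip(".")
        if bare and (host == bare or host.endswith("." + bare)):
            return d.strip().lower()
    return None

def audit(uamallowed, uamdomains, resolve, probes=PROBE_HOSTS):
    """Return {probe: [reasons]} for probes that would pass unauthenticated."""
    allowed_ips = {}
    for entry in uamallowed:
        for ip in resolve(entry):
            allowed_ips.setdefault(ip, []).append(entry)
    findings = {}
    for probe in probes:
        reasons = []
        dom = suffix_match(probe, uamdomains)
        if dom:
            reasons.append(f"uamdomain {dom}")
        for ip in resolve(probe):
            for entry in allowed_ips.get(ip, []):
                reasons.append(f"shares {ip} with uamallowed {entry}")
        if reasons:
            findings[probe] = reasons
    return findings

# Constructed DNS answers (documentation address ranges), not real lookups.
SAMPLE_DNS = {
    "www.coova.org": ["203.0.113.10"],
    "connectivitycheck.gstatic.com": ["203.0.113.10", "203.0.113.11"],
    "connectivitycheck.android.com": ["198.51.100.7"],
    "clients3.google.com": ["198.51.100.8"],
    "10.1.0.1": ["10.1.0.1"],
}

def sample_resolve(name):
    """Offline stand-in for a DNS lookup, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(name, [])
```

On a live gateway, pass a resolver built on `socket.gethostbyname_ex(name)[2]` and run the audit repeatedly, since the thread reports the shared IP only appears some of the time.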
