Power Off and User Re-Login

[Eliot Ness]

At least one Pi2 comes yesterday in my hands, and ....grase run again.
Detailed tutorial steps install on next days.

As simple question : On power off or reboot, user have login again, except if admin store mac adr.

Is there any way on grase to remember users after reboot ? So no need user to login again....

Anyone?

[Timothy White]

Due to how Coova Chilli stores internal states, if you reboot you'll need to log back in. No way around it.

Sorry

Tim

--
This mailing list is for the Grase Hotspot Project http://grasehotspot.org
---
You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grase-hotspo...@grasehotspot.org.
To post to this group, send email to grase-...@grasehotspot.org.
Visit this group at https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/a892365d-ce49-4a1f-b689-ab8f1520bdad%40grasehotspot.org.

[Hotspotuser]

Not really :D You can make a PHP script to read output from chilli_query, and cross that list with radactt sessions, and for each MAC ADDRESS that has a match try to "authorize" them in chilli_query command line.

[Eliot Ness]

A kind of help on that script will be awesome....

[Hotspotuser]

Look at the chilli_query man page here: http://www.manualpages.de/FreeBSD/FreeBSD-ports-9.0-RELEASE/man1/chilli_query.1.html 

execute in PHP the command "chilli_query list | grep dnat" grab that output and parse it to have an array of mac address (you can use awk for that too). so that the command executed already provides you with only the mac address of the users in DNAT mode (connected to the wifi hotspot but without login).

Cross that list with a query to the radius.radactt table and where you find matchs between the MAC ADDRESSES you try to use the command "chilli_query authorize mac XX-XX-XX-XX-XX" syntax and if the user voucher is still valid, it will auto-reconnect and keep the session history (time/data limits/usage), otherwise freeradius refuses the connection and they are still logged out.

We made a custom script for this, integrated with our own solution, but those are the exact steps we did.

[Eliot Ness]

I cant make it work, i see the example

# chilli_query list
       00:0D:XX:XX:XX:XX 10.1.0.3 dnat 46c83f70000 0 - 0/0 0/0 http://url.com
       # chilli_query authorize ip 10.1.0.3 sessiontimeout 60 username me
       # chilli_query list
       00:0D:XX:XX:XX:XX 10.1.0.3 pass 46c83f70000 1 me 2/0 2/0 http://url.com
       # chilli_query logout 00:0D:XX:XX:XX:XX

Need an extra routine or something else

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Hotspotuser]

Your best option, at least it's what i recomend is:

Capture in PHP the output of this linux command, which gives you the users that are currently connected to your hotspot but have not yet login in (after you reboot/power-on):

chilli_query list | grep "dnat" | awk '{print $1}'

Then query your radius radacct database table to get the sessions that where not closed by the hotspot:

SELECT CallingStationId, UserName, FramedIpAddress, AcctStopTime FROM radius.radacct WHERE UserName != 'CoovaChilli' and AcctStopTime is null Group BY CallingStationId

This will list of all the hotspot logins that had no StopTime, which usually means the hotspot rebooted without shutting down. When you issue the shutdown command freeradius closes all the active sessions.

You can change the query to get for instance the sessions that were created in the last day. Change the query as needed.

Cross that list of MAC addresses with the one you got from the chilli_query and for each match run the command:

chilli_query authorize mac XX-XX-XX-XX-XX-XX username USERNAME

Replacing XX-XX-XX-XX-XX-XX and USERNAME with the values you got from the chilli_query.

All connected users with data/time available will automatically connect, without user intervension. All that are already expired will still be logged out.

Note that im using the MAC parameter instead of IP on the chilli_query authorize.

This is what i use in our solution, and i call this script at every hotspot boot, you can off course have a link on your hotspot solution to run this PHP Script manually.

[Edward Allen]

I like the direction of this discussion,  will attempt asap,  this is much needed.

--

This mailing list is for the Grase Hotspot Project http://grasehotspot.org
---
You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grase-hotspo...@grasehotspot.org.
To post to this group, send email to grase-...@grasehotspot.org.
Visit this group at https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.

To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/29256f5f-631c-4037-86c4-deb336f9b6b6%40grasehotspot.org.

[Eliot Ness]

I have to install phpmyadmin to make my life easier.
So, lets see 1 more time :

chilli_query list | grep "dnat" | awk '{print $1}' 

It print out all connected users in this time....ok till now

Then,

SELECT CallingStationId, UserName, FramedIpAddress, AcctStopTime FROM radius.radacct WHERE UserName != 'CoovaChilli' and AcctStopTime is null Group BY CallingStationId

I have to search the above records on phpmyadmin or there is a command that i can extend ?

chilli_query authorize mac XX-XX-XX-XX-XX-XX username USERNAME

Last step is to call this on every boot....crontab or init,d actions ?

Beta tests made on Pi2 as i write on a previous post

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Hotspotuser]

Wheres one possible implementation that i did just to show that it's possible:

<?php
 
 # GET ALL DEVICES CONNECTED TO HOTSPOT WITHOUT LOGIN
 $result = str_replace("\n", "|", trim(shell_exec("sudo chilli_query list | grep 'dnat' | awk '{print $1}'")));
 $macs_connected = explode("|",$result);
 echo "<h1>Connected devices without login</h1>";
 echo "<pre>";
 print_r($macs_connected);
 echo "</pre>";
 
 # GET ALL UNCLOSED SESSIONS FROM DATABASE THAT MATCH THE CURRENTLY CONNECTED DEVICES WITHOUT LOGIN
 $link = mysqli_connect("127.0.0.1", "YOUR_MYSQL_PASSWORD", "YOUR_MYSQL_PASSWORD", "radius");
 $query = "SELECT CallingStationId, UserName, FramedIpAddress, AcctStopTime FROM radius.radacct WHERE UserName != 'CoovaChilli' and AcctStopTime is null and CallingStationId in ('".implode("','",$macs_connected)."') Group BY CallingStationId ORDER by RadAcctId DESC";
 if ($result = $link->query($query))
 {
    $loggedin = array();
    while ($device= $result->fetch_assoc()) {
        shell_exec("sudo chilli_query authorize mac ".$device['CallingStationId']." username ".$device['UserName']);

        $loggedin[]=$row['CallingStationId'];
    }
    $result->free();
    echo "<h1>Devices we auto-logged in</h1>";
    var_dump($loggedin);
 }
 $mysqli->close();
?>

[Eliot Ness]

I see that on examples they use freebsd, and file that content the params is on /var/run/chilli.sock
On ubuntu 14.04 this file does not exist, and im afraid that there is not chilli.sock at all

Your example is great but which file to modify? Confused

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Hotspotuser]

Eliot

you dont need to edit ANY chilli file.

You only have to make a new PHP file, for instance "reconnect.php", with the code I provided before

and save it to the following directory /usr/share/grase/www/radmin/scripts

Then edit the /etc/rc.local file, for instance; nano /etc/rc.local and add the following line (BEFORE) the line with exit 0 

    wget "http://127.0.0.1/radmin/script/reconnect.php"

And reboot the machine... 

You should now have a fully working solution... try it!

[Eliot Ness]

I already try but its not working.
I create the file "reconect.php" chmod it 775 and add mysql pass.
Also rc.local add line, reboot and try to open a webpage......its going to grase login page again.

I just thinking of change the default localhost 127.0.0.1 to internal dedicated ip to see if it works, but no.
Im sure that its possible...but i cant make it work!

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Eliot Ness]

Let's have a detailed review :

<?php
 
 # GET ALL DEVICES CONNECTED TO HOTSPOT WITHOUT LOGIN
 $result = str_replace("\n", "|", trim(shell_exec("sudo chilli_query list | grep 'dnat' | awk '{print $1}'")));
 $macs_connected = explode("|",$result);
 echo "<h1>Connected devices without login</h1>";
 echo "<pre>";
 print_r($macs_connected);
 echo "</pre>";
 
 # GET ALL UNCLOSED SESSIONS FROM DATABASE THAT MATCH THE CURRENTLY CONNECTED DEVICES WITHOUT LOGIN

 $link = mysqli_connect("127.0.0.1", "root", "password", "radius");

 $query = "SELECT CallingStationId, UserName, FramedIpAddress, AcctStopTime FROM radius.radacct WHERE UserName != 'CoovaChilli' and AcctStopTime is null and CallingStationId in ('".implode("','",$macs_connected)."') Group BY CallingStationId ORDER by RadAcctId DESC";
 if ($result = $link->query($query))
 {
    $loggedin = array();
    while ($device= $result->fetch_assoc()) {
        shell_exec("sudo chilli_query authorize mac ".$device['CallingStationId']." username ".$device['UserName']);
        $loggedin[]=$row['CallingStationId'];
    }
    $result->free();
    echo "<h1>Devices we auto-logged in</h1>";
    var_dump($loggedin);
 }

 mysqli_close($link);
?>

The above script seems that running ok.
I cant run with wget, but i test it on var/www/html and call it via web browser.

So if i call it on http://grase-ip/reconnect.php  results are ( where xx is the device mac address )

Connected devices without login

Array
(
    [0] => xx-xx-xx-xx-xx-xx 
)

Devices we auto-logged in
array(0) { }

So on reboot it does not reconnect any device and result is
Devices we auto-logged in
array(0) { }

This script need an extra param to re-auth users....but i dont know what.
Any php expert can help?

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Timothy White]

Just an observation:

... WHERE UserName != 'CoovaChilli' and AcctStopTime is null ...

After a reboot, you shouldn't have any session with AcctStopTime as null unless they are new sessions. The reason is that when Freeradius is cleanly shutdown, it ends all sessions. You should see the session stop reason as one of the reasons listed at http://www.juniper.net/techpubs/en_US/junos16.1/topics/concept/radius-terminate-code-app-terminate-reasons-mapping.html. I believe it'll be "Admin Reboot" or "NAS Reboot". So you'd want to look for sessions that have recently ended with a stop reason like that.

Not sure why this script was working for other people, but in my experience the only reason you'd have a Null AcctStopTime after a reboot would be an unclean shutdown.

Regards

Tim

--

This mailing list is for the Grase Hotspot Project http://grasehotspot.org
---
You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.

To unsubscribe from this group and stop receiving emails from it, send an email to grase-hotspot+unsubscribe@grasehotspot.org.

To post to this group, send email to grase-...@grasehotspot.org.
Visit this group at https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.

To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/8a5dc0cf-a32a-4c4f-8df8-9ceadbc21922%40grasehotspot.org.

[Hotspotuser]

Yes... we only use this script on UNCLEAN power off... As a matter of fact, we have it on a cronjob, to give time for devices to reconnect to the wifi. Until now, it has been working great (with "AcctStopTime is null") but you can change have it also the way Tim mentions.

sábado, 10 de Setembro de 2016 às 11:33:17 UTC+1, timwhite88 escreveu:

Just an observation:

... WHERE UserName != 'CoovaChilli' and AcctStopTime is null ...

After a reboot, you shouldn't have any session with AcctStopTime as null unless they are new sessions. The reason is that when Freeradius is cleanly shutdown, it ends all sessions. You should see the session stop reason as one of the reasons listed at http://www.juniper.net/techpubs/en_US/junos16.1/topics/concept/radius-terminate-code-app-terminate-reasons-mapping.html. I believe it'll be "Admin Reboot" or "NAS Reboot". So you'd want to look for sessions that have recently ended with a stop reason like that.

Not sure why this script was working for other people, but in my experience the only reason you'd have a Null AcctStopTime after a reboot would be an unclean shutdown.

Regards

Tim

To unsubscribe from this group and stop receiving emails from it, send an email to grase-hotspo...@grasehotspot.org.

To post to this group, send email to grase-...@grasehotspot.org.
Visit this group at https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.

[Eliot Ness]

On cron, what have to call and how often? 5'

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Hotspotuser]

For testing call it every minute, then adjust to your needs.

[Eliot Ness]

The main problem is that wget cant find path to run, except if i put it on var/www/html ( the default apache web dir ) and chmod it to 755 to run
If it run it generate a new file ( reconnect.php.1 )
But the above  on manual run by putty.

On boot via rc.local and wget "http://127.0.0.1/reconnect.php"  it does not
Final on grase monitor sessions, user, there is no reason of disconnect at all, if this script is active
If this script removed, it can advertise disconnect reasons, so this script works but not configured well

Confused or what - Can i have a start over description to make it work?

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Hotspotuser]

This is what i use and it simply works :D

 wget -q http://127.0.0.1/cron/AutoTryToReconnectMACS.php -O -  

as a cron job

[Hotspotuser]

Try to use

wget -q http://127.0.0.1/reconnect.php -O -

[Eliot Ness]

Yes, the last wget one works.
But still devices do not reconnect.
Even without a normal shutdown, login screen comes up.
It must be something with AcctStopTime

On Thursday, June 2, 2016 at 9:40:51 AM UTC+3, Eliot Ness wrote:

[Hotspotuser]

This script only works for connections that did not end, i.e. dont have a AcctStopTime (a server unwanted poweroff, not a normal shutdown/reboot).

If you want to enable the autoreconnect, you will have to change the SQL query to search for a different status as Tim rightly mentioned in his post.

something in the lines of...

$query = "SELECT CallingStationId, UserName, FramedIpAddress, AcctStopTime FROM radius.radacct WHERE UserName != 'CoovaChilli' and AcctStopTime is null or month(AcctStopTime) = month(now()) and CallingStationId in ('".implode("','",$macs_connected)."') Group BY CallingStationId ORDER by RadAcctId DESC";

Notice the new filter : or month(AcctStopTime) = month(now())

This will not only give you the ones that are already connected but also the ones that have had a session in the current month.

[Hotspotuser]

As another simplier solution... how long is your Default Session Idle Timeout set to be in the Grase "Coova Chilli Settings" page? If you have like one year (in seconds), do they have to type the password once again, once the server reboots? What about the  DHCP Lease time  setting? have you tried that?

[Hotspotuser]

If you dont have that match itens in radacct table, why not go for:

$query = "SELECT CallingStationId, UserName, FramedIpAddress, AcctStopTime FROM radius.radacct WHERE UserName != 'CoovaChilli' Group BY CallingStationId ORDER by RadAcctId DESC";

Which gets all the unique MACs in the radacct table, which you problably clean every 2 months right?

And try to reconnect everyone?

[Hotspotuser]

I trully cant see how i can help you out more than I already have.

For me, the given solutions works very well.

quinta-feira, 15 de Setembro de 2016 às 13:18:15 UTC+1, Eliot Ness escreveu:

[Eliot Ness]

Yes, it works great, as you describe.
The missing step is the cron, cause after check cronjobs and make it every minute it make the job
Thank you for your help. Simply Awesome!

[Hotspotuser]

Your welcome.

[Eliot Ness]

Just what i notice....
If you add a user in a group and make it expire +1 days after first login, create a group (1day for example) and add limits on download and upload speed, simple group speed does not working.
On simple speedtest user get all the bandwidth that is available and bypass the group speed limit.
Is any add on parameter that solve it?