Grase Hotspot working with DD-WRT routers in remote locations.


Norberto Esteves

Dec 2, 2014, 2:38:54 PM
to grase-...@grasehotspot.org
Hi all,

I managed to get this configuration working.

Basically I have the Grase Hotspot installed in a machine (shuttle XPC DS6) in the office and one router (D-Link DIR-615) with DD-WRT in my house for testing.
The remote site (D-Link Router) uses the Coova Chilli included with the DD-WRT firmware to redirect users to the Grase authentication Portal, after that, the username, password, and other attributes are checked with the radius server. If the authentication is successful then the user is allowed to use the Internet and DD-WRT Coova Chilli takes care of the session even if the main site (Grase) goes down. DD-WRT Coova Chilli also sends periodical data (every 5 minutes) to Radius server to keep information up to date. 

So far I had to change a few things in the following files:
hotspot.php, nojsstatus.php, /includes/site.inc.php

I do not use VPN, so there are a few ports that need forwarding:
In the main site: Radius (1812, 1813, 1814), UAM (3990) and HTTP (80) ports forward to Grase Hotspot machine.
The remote site only needs port forwarding for COA port 3779 if you are going to use the radclient to disconnect users.

Freeradius also needs to allow remote site to connect, to do this you need to add remote client to clients.conf, or use nas table.
  
So far I'm still testing and correcting some "bugs" I found.

The bad news is that this setup doesn't work with JavaScript login. I did some tests and I think DD-WRT is not able to use the JSON interface for Coova Chilli. So if you want to use DD-WRT, JavaScript login should be disabled.

If anyone is interested in multi-location setup using DD-WRT I can make a document and share with the community.

Regards,

Norberto Esteves


Michele Campanelli

Dec 2, 2014, 4:38:11 PM
to grase-...@grasehotspot.org
Great Job!

I am using Grase Hot Spot and I find it very very useful.

Now I am waiting for the new releases for some tests, but if you can work it remotely, I think this is a great day for us.

I am interested in the documentation, and I can try it in a large testing benchmark of hundreds of distributed hotspots.

Thanks for your time!

Have a nice day.

Michele Campanelli



--
This mailing list is for the Grase Hotspot Project http://grasehotspot.org
---
You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grase-hotspo...@grasehotspot.org.
To post to this group, send email to grase-...@grasehotspot.org.
Visit this group at http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/fdecd37a-fa21-4d62-a6b5-50601889ecb6%40grasehotspot.org.

António Chimuzu

Dec 2, 2014, 6:19:52 PM
to grase-...@grasehotspot.org
Norberto
You are a genius. I suck at fiddling with any of this stuff but if you can make that work please share.
I'm willing to have a setup like this:
remote router 1 (dd-wrt / tomato, etc) --\
                                          \
                                           ------- grase (on cloud virtualbox server)
                                          /
remote router 2 (same setup) ------------/

Cheers

Dražen Žuvela

Dec 3, 2014, 2:16:37 AM
to grase-...@grasehotspot.org
I am joining Antonio.
Would be nice to see that solution documented.
Drazen

Norberto Esteves

Dec 4, 2014, 4:02:56 PM
to grase-...@grasehotspot.org
Hi all!

António, that is the configuration I have right now. I moved Grase to a virtual machine. 
I plan to use this setup to replace an old server with the old version of Chillispot that we bought a few years ago and is used to manage several hotspots (around 20). All the hotspots are already using DD-WRT, so I'm trying to adapt Grase to the DD-WRT configuration I already have.

Everything seems to work fine with non Java login. And I found a way to use the JavaScript login, the problem I still have with it is the pop up window not showing the information after login and the logout button not working, also some android phones with Opera mobile are not able to login.

Since I had a very busy week I hope I can do some more tests in the weekend and make a document on how to get this working.
In order to make a document valid to everyone I will have to set up a new machine with the nightly build because mine has lots of modifications on the original code and I don't know anymore which files are original and which are modified by me...

Regards,

Norberto Esteves  

Michele Campanelli

Dec 4, 2014, 4:37:45 PM
to grase-...@grasehotspot.org
Great Norberto!

For every support you need, ask if you need.

Good Job!

Michele



Norberto Esteves

Dec 5, 2014, 8:59:56 PM
to grase-...@grasehotspot.org
Hi all,

As promised, here is the information you need to set up Grase Hotspot in multiple locations (please Tim, feel free to move this to the wiki if you wish).

I made several tests with the setup described below and everything seems to work fine, even the JavaScript login interface.

Please note:

This procedure is not for beginners, you can damage your router if you flash a wrong file to it. Also you can break Grase if you place the wrong code when editing the files, please make backup of the original files before editing.
Do it at your own risk!

1 - Description:

The goal is to deploy multiple location Hotspots with one server in the main site (headquarters) and several routers in remote locations:


To make this work we need:

- One server running Grase Hotspot at the Headquarters.
- Static public IP address at the Headquarters. This won't work with a dynamic IP address.
- Routers running DD-WRT at remote locations.


2 - Redirecting Ports 

First we need to allow remote routers to connect to our server, so we need to redirect the following ports to our Grase Server:

Radius: UDP: 1812, 1813 and 1814
UAM: TCP: 3990
HTTP: TCP: 80
COA: TCP: 3779 (this one is optional)

My Draytek Configuration:

1. RADIUS1 All UDP 1812 10.10.10.5 v
2. RADIUS2 All UDP 1813 10.10.10.5 v
3. RADIUS3 All UDP 1814 10.10.10.5 v
4. UAM All TCP 3990 10.10.10.5 v
5. HTTP All TCP 80 10.10.10.5 v
6. COA All TCP 3779 10.10.10.5 v
 

3 - Freeradius configuration

At this point we need to edit /etc/freeradius/clients.conf to allow our remote routers to connect:
If the remote router has a static public IP you should add them right after the following code: 

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#

If they have dynamic IPs (the most common case) you should either use the nas table and advanced freeradius configuration to add them dynamically or you can allow all to connect (please note, this is not the best way because it's less secure).
If you are OK with less security you can add the following:

client 0.0.0.0/1 {
    secret = hotspotradius
    shortname = NAS
    nastype = other
}

client 128.0.0.0/1 {
    secret = hotspotradius
    shortname = NAS
    nastype = other
}

This will allow any IP to connect to the radius server as long as the secret is correct.
The default secret is hotspotradius; it's highly recommended to change this to a more complex password.

clients.conf will look like this after line 190:

...

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#

client 0.0.0.0/1 {
    secret = hotspotradius
    shortname = NAS
    nastype = other
}

client 128.0.0.0/1 {
    secret = hotspotradius
    shortname = NAS
    nastype = other
}

#client 192.168.0.0/24 {
# secret = hotspotradius-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = hotspotradius-2
# shortname = private-network-2
#}

...

 
We are done with freeradius, restart the server in order to load new configuration.


4 - Grase configuration and files editing

Go to grase admin interface -> Network settings and configure IP and netmask as follows:


Go to Coova Chilli Settings and configure:

We need to add different DHCP ranges for each remote router to avoid problems having the same IP assigned to clients in the Grase server network and in the remote routers. In fact there are other ways to avoid it but that will include several modifications in the Grase structure. So, to keep it simple we use this method. Each site will have a different DHCP Start and End.

File editing:

We need to edit /usr/share/grase/www/uam/hotspot.php because we need to capture the remote client IP address and pass it to the nojsstatus.php file to get the correct status information.

Edit hotspot.php and add: "session_start();" in the second line:

<?php
session_start();
require_once('includes/site.inc.php');
....

And the code:"$_SESSION['ipaddress'] = $_GET['ip'];" after line 30 to look like this:

...

$res = @$_GET['res'];
$userurl = @$_GET['userurl'];
$challenge = @$_GET['challenge'];

// add this line to store user IP address in session.
$_SESSION['ipaddress'] = $_GET['ip'];

if($userurl == 'http://logout/') $userurl = '';
if($userurl == 'http://1.0.0.0/') $userurl = '';

...

Then we need to edit 

/usr/share/grase/www/uam/nojsstatus.php

We also need to start the session, so add "session_start();" in the second line:

<?php
session_start();
require_once('includes/site.inc.php');

...

Then we need to retrieve the IP address commenting out the code: "//$ipaddress = $_SERVER['REMOTE_ADDR'];"
and adding: "$ipaddress = $_SESSION['ipaddress'];" at line 12:

...

// Meta refresh to update

//$ipaddress = $_SERVER['REMOTE_ADDR'];

$ipaddress = $_SESSION['ipaddress'];

$username = DatabaseFunctions::getInstance()->getRadiusUserByCurrentSession($ipaddress);

...

Save both files and we are done with editing.


5 - DD-WRT

I'm not going to explain how to install DD-WRT, I will assume that you already have a router with DD-WRT firmware.
If you are already familiar with DD-WRT this is going to be piece of cake. If not, you should visit http://www.dd-wrt.com and check if your router is supported and follow the procedures to flash it. You can brick your router doing this, please be careful.

I use D-Link DIR-615 for testing and Netgear WNDR3700 V4 at the remote sites since these are very reliable routers.

Configuration:

Configure Wan interface in order to get internet access:

The LAN IP is not important, just configure something out of the chillispot range (10.1.0.0/16). Disable DHCP and make sure that you enable NTP Client and use the correct Server and Time Zone:

Configure the Wireless interface:

Now the Coova Chilli configuration:
Go to Services -> Hotspot, enable Chillispot and configure as follows:



You can add as many DD-WRT routers as you want, just make sure to use different and non-overlapping DHCP ranges on each.

The changes made in the files may be replaced when updating Grase package. Hope this will be included in next releases.

That's it!!

Hope this could help someone.

Regards,

Norberto Esteves
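
Added example, not part of the original post and not Grase or FreeRADIUS code: a Python check over client blocks written in the form shown in section 3 of the post above. It flags catch-all networks, the default secret and a secret shared between clients. The thresholds and the per-site entry in the sample are assumptions.

```python
import ipaddress
import re
from collections import Counter

DEFAULT_SECRET = "hotspotradius"  # default secret named in the post
MIN_PREFIX = 24       # assumption: flag IPv4 client networks wider than a /24
MIN_SECRET_LEN = 16   # assumption: local policy for shared-secret length

# Constructed sample: the catch-all entries from the post, one commented-out
# entry, and a hypothetical per-site entry (documentation IP, made-up secret).
SAMPLE = """
client 0.0.0.0/1 {
secret = hotspotradius
}
client 128.0.0.0/1 {
secret = hotspotradius
}
#client 192.168.0.0/24 {
# secret = hotspotradius-1
#}
client 203.0.113.10 {
secret = Zr8-constructed-secret-4Qm
shortname = site-a
}
"""
CLIENT_RE = re.compile(r"^[ \t]*client\s+(\S+)\s*\{(.*?)^[ \t]*\}", re.M | re.S)
SECRET_RE = re.compile(r"^[ \t]*secret[ \t]*=[ \t]*(\S+)", re.M)

def parse_clients(text):
    """Return (network, secret) for each active client block named by address."""
    active = re.sub(r"#.*", "", text)  # drop comments, including disabled blocks
    clients = []
    for name, body in CLIENT_RE.findall(active):
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            continue  # named client with ipaddr inside the block: not handled
        match = SECRET_RE.search(body)
        clients.append((net, match.group(1) if match else None))
    return clients

def audit(text):
    """Map each active client network to the list of issues found for it."""
    clients = parse_clients(text)
    uses = Counter(secret for _, secret in clients if secret)
    report = {}
    for net, secret in clients:
        issues = []
        if net.version == 4 and net.prefixlen < MIN_PREFIX:
            issues.append("wide-network")
        if secret is None:
            issues.append("no-secret")
        elif secret == DEFAULT_SECRET:
            issues.append("default-secret")
        elif len(secret) < MIN_SECRET_LEN:
            issues.append("short-secret")
        if secret and uses[secret] > 1:
            issues.append("shared-secret")
        report[str(net)] = issues
    return report
```

Calling audit() on the text of /etc/freeradius/clients.conf returns one entry per active client; an empty list means none of these three checks fired for that client.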

Norberto Esteves

Dec 6, 2014, 5:18:35 AM
to grase-...@grasehotspot.org
Hi again,

Just some extra information:

I forgot to tell you that after modifying Chillispot, or some other settings in DD-WRT configuration you will always need to reboot router.

The last image on the Chillispot configuration will work but is not 100% accurate (subnet mask is wrong and forgot to put YOUR.GRASE.SERVER.IP in UAM Allowed ...), this is the correct one:

The bad news, the things that will not work on Remote sites:

- They will not record session log (only normal session information, time, data, login, logout, etc..) since there is no squid3 to log locally. You can use some DD-WRT tools to log sessions but that is not relevant for this tutorial.
- DHCP Leases won't show remote assigned IP addresses (that's obvious since each DHCP server is a different machine)
- After a few more tests I found out that some devices (Android with Opera mobile) won't work with JavaScript login, so I suggest to disable it in Grase configuration.

Other important information that is not directly related but will save you a couple of hours is that if you want to use the UAM Domains on DD-WRT routers they will not work if you just put the domains there (i.e. google.com facebook.com ...). I found out there is a bug (at least there is in the version I use) and you need to:

- Enable Hotspot System
- Select White Label Protocol http
- Write the UAM Domains you want to use:
  UAM Domains (space separated)
- Save settings

- Then disable Hotspot System
- Enable Chillispot again and put there the same UAM Domains, Save and Reboot.

I will be testing this for the next days, if I find some other bugs or things that need to be changed I will be updating this post.
Also if you find any bugs, please let me know.

Regards,

Norberto Esteves

drazen

Dec 7, 2014, 3:36:03 AM
to grase-...@grasehotspot.org
Hi Norberto
This is a great manual, and a great solution for schools and companies local wifi network.

Still I have some questions:
1. Which side of grase do you have connected to the corporate router or network?
2. Assume Openwrt should also work.

Rgds,Drazen

Norberto Esteves

Dec 7, 2014, 5:14:38 AM
to grase-...@grasehotspot.org
Hi Drazen,

Router is connected at WAN side, all remote sites connect to Grase through the WAN interface:

  Remote hotspot users <=> DD-WRT <=> Internet <=> Router <=> (WAN) GRASE (LAN) <=>Local hotspot users
 
Yes, OpenWRT or other firmware with Coova Chilli built-in should work fine.

Best Regards,

Norberto 

Norberto Esteves

Dec 7, 2014, 3:25:33 PM
to grase-...@grasehotspot.org
Other thing that was missing,

If you want to use computer accounts you need to add the option "macauth" to Advanced Chillispot Options:

defidletimeout 600
interval 600
macauth
macpasswd password
nousergardendata
uamlogoutip 1.0.0.0
coaport 3779
dhcpstart 200
dhcpend 299

Regards,

Norberto

Edward Allen

Dec 9, 2014, 2:26:48 PM
to grase-...@grasehotspot.org
Hi Norberto


Let me get this correct.
This modification changes grase to work based off IP addresses instead of mac addresses right?

If so then technically and theoretically with proper routing then it's possible to use regular AP routers (without chilli/coova) with Grase at master control in routed/vlan networks that's usually present in school networks. This as grase would now be seeing all the clients based on their IP and such be in a position to authenticate them individually.



Edward Allen
Network/System/IT Solutions Provider/Consultant
Voice: 876-891-8982876-797-3226
ybe...@gmail.com
Kingston, Jamaica

Norberto Esteves

Dec 9, 2014, 3:43:27 PM
to grase-...@grasehotspot.org
Hi Edward,

This is not the case. Grase will not work in routed networks, authentication is done with MAC address. If you put a regular router in the middle, Grase and Freeradius will authenticate the router MAC address, once router is authenticated, everybody else can access without entering username/password.

The difference here is that you can have multiple locations that share Grase Portal and Freeradius authentication. Each location must have a Coova Chilli Service that redirects users to Grase Portal and then checks username, password, bandwidth, data limit, time limit, etc.. with freeradius. This way each local Coova Chilli knows each user MAC address.

If you need to use a routed network then each network segment should have Coova Chilli service running locally.
In my manual I use the same network in every location 10.1.0.0/16 (with different and non overlapping DHCP ranges). The reason for this is that Coova is always same IP 10.1.0.1 which is already hard coded in Grase portal. If you use different networks (like 192.168.1.0/24), Coova will have different IPs depending on the location, these IPs are sent to Grase server in a field called UAMIP then we should change Grase code to recognise them. This solution is harder to do because it involves several modifications in Grase code.

 
Regards,

Norberto

Dražen Žuvela

Nov 24, 2015, 9:07:22 AM
to grase-...@grasehotspot.org, norb...@gmail.com
Hi Norberto,
I am just following your last year instructions and can get remote clients to authenticate to grase and get access.
Only thing what I didn't get working are machine accounts.
They are connected to DD-WRT, they get IP from belonging range, but soon login applet will pop-up asking for username password.

I can't see yet what is wrong. I am trying to explore some grase logs. Found nothing clever yet.

Only difference from your setup, is that all my DD-WRTs are in same local network. They are not from other side of any router, so no ports redirecting was necessary.

Do you have any advice?
Tnx!

Drazen


Eliot Ness

Aug 17, 2016, 2:42:22 AM
to Grase Hotspot
I try this on a 1043nd V2 but it does not work.
This router is only beta support like many others so look at ftp://ftp.dd-wrt.com/betas/2016/

The main problem is that WAN is not working with this firmware, but it works great with openwrt, gargoyle, or the default tp-link.
I try it manual, and auto, but same results.

On manual it says wan ip 0.0.0.0 but on terminal it can ping websites!!!

It must be a bug, or there is somewhere a setting that I can't find out to separate lan from wan

If anyone got a solution I will be glad to test it again

Giuseppe Clarizio

Oct 20, 2017, 2:37:15 AM
to Grase Hotspot
Excellent Norberto, very good job!!! Awesome!!!!

thank you very much for your competences!

I adjusted the config chilli file to openwrt firmware, dd-wrt is very often unstable! It works like a charm for me!!... even If I spent some nights.

next step for me is to change the php order in order to integrate social logins.

thanks again and keep in touch.

Giuseppe

chuen...@gmail.com

Jan 3, 2018, 10:23:55 AM
to Grase Hotspot
hi Esteves

I really like this solution, it's been a long time since I'm trying to deploy it. I have followed your step by step tutorial however my remote site clients do not get any coovachilli IP address.

please help me.

Dobot

Mar 29, 2019, 3:14:13 AM
to Grase Hotspot
I tried the solutions as well using DIR-615 but I can't seem to get it to work. Is there any specific port that I need to use to plug my network cable? Should it plug into the lan port or the wan port?

sunny.p.geronimo

May 28, 2019, 8:24:54 AM
to Grase Hotspot
Hi  Norberto,

I would like to ask.  Is the connection between the remote router and grasehotspot server secure?

Regards,
Sunny