<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta content="text/html; charset=utf-8">
</head>
<body>
<div>Go for it. Is it possible to use coova for dhcpd even if captive is off?</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div id="composer_signature">
<div dir="auto" style="font-size:85%; color:#575757">Sent from my Samsung Galaxy smartphone.</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>-------- Original message --------</div>
<div>From: Anish Mangal <anishmg@umich.edu> </div>
<div>Date: 9/25/16 8:42 AM (GMT-08:00) </div>
<div>To: xsce-devel <xsce-devel@googlegroups.com> </div>
<div>Cc: George Hunt <georgejhunt@gmail.com>, A Holt <holt@unleashkids.org>, server-devel <server-devel@lists.laptop.org>
</div>
<div>Subject: Re: [XSCE] Re: Captive portal updates </div>
<div><br>
</div>
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Sep 25, 2016 at 8:52 PM, Tim Moody <span dir="ltr">
<<a target="_blank" href="mailto:tim@timmoody.com">tim@timmoody.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; color:rgb(0,0,0); font-family:calibri,arial,helvetica,sans-serif">
<p>In the radius+ solution am I required to create users? Seems like overkill if all I want is a redirect to the home page when I first connect. If I want named accounts then it is a good approach.</p>
<p><br>
</p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>You are not necessarily required to create accounts *per* user, but an account is needed. It is easy enough to create a default account (during initial installation/setup itself). The default login/captive portal page can have the details prefilled. For
example, take a look at the video:<br>
<br>
<a href="http://people.sugarlabs.org/anish/captive.webm">http://people.sugarlabs.org/anish/captive.webm</a><br>
<br>
</div>
<div>In this case, I just require the user to press the "accept and login" button and get redirected to school.lan from there (the last bit is not in the video).<br>
</div>
<div> <br>
<br>
</div>
<div>You _can_ have named accounts if you want. You can have bandwidth control per account as well if needed (this would obsolete wondershaper). This can be useful if some users have fast access and others have limited bandwidth access to your server (can happen
in a mesh setup). <br>
<br>
</div>
<div>So, in sum, it is easy to have the default redirect without requiring the user to enter credentials, but it is possible to have credentials as well.<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; color:rgb(0,0,0); font-family:calibri,arial,helvetica,sans-serif">
<p></p>
<p>I think the answer to br0 is yes.</p>
<p><br>
</p>
</div>
</div>
</blockquote>
<div>Wonderful :-)<br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; color:rgb(0,0,0); font-family:calibri,arial,helvetica,sans-serif">
<p></p>
<p>I worry that switching dhcp providers could get tricky.</p>
<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Why? In my testing so far, I havent faced any issues. <br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; color:rgb(0,0,0); font-family:calibri,arial,helvetica,sans-serif">
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block; width:98%">
<div dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Anish Mangal <<a target="_blank" href="mailto:anishmg@umich.edu">anishmg@umich.edu</a>><br>
<b>Sent:</b> Sunday, September 25, 2016 4:07 AM<br>
<b>To:</b> Tim Moody; George Hunt; A Holt; xsce-devel; server-devel<br>
<b>Subject:</b> Re: Captive portal updates</font>
<div> </div>
</div>
<div>
<div dir="ltr"><span class="gmail-">
<div>
<div>
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
I wanted to ask whether a captive portal + radius server + radius server gui would be a useful feature and wanted to discuss possible implementation routes as this affects other services on the XSCE.
<br>
<br>
</div>
A radius server allows to have controlled access to server resources, internet connectivity, and allows one to create users, groups, and set aside network bandwidth. i.e. it is quite useful in a medium to large setup. A captive portal alongside it allows for
good UX with notifications in phones, tablets and not having users to type <a target="_blank" href="http://school.lan">
http://school.lan</a>. <br>
<br>
</div>
The existing captive portal PR (#771) is a very good step in that direction, but I believe we will eventually need to use some kind of standard implementations - radius + captive portal setups.<br>
<br>
</div>
Now that 6.1 is out of the door, I would like to propose a captive portal feature for 6.2.<br>
<br>
</div>
In the current setup I am testing, I am using freeradius[1] as the radius server, and CoovaChilli [2] as the captive portal. Coova does it's own dhcp so it will have to replace dhcpd if it is used. Also, starting/stopping the coova services affects iptables,
so initially, having it run in conjunction with dansguardian and squid might be a little tricky (though it is certainly possible, just needs more time to test/develop). Also, while freeradius is available as a rpm package, coova, and a dependency needs to
be complied from source. I can create the packages for it though - it did not seem complicated.
<br>
<br>
</div>
<div>So, the current approach I am proposing is:<br>
</div>
<div>1. If captive + radius is enabled, dhcpd is disabled, squid and dansguardian are disabled. Later, we can just have dhcpd disabled and the other two enabled if need be<br>
</div>
<div>2. If captive + radius is enabled, either we include a few knobs and levers to manage radius in our admin console (more difficult), or include a radius admin console (easier)<br>
<br>
</div>
</span>
<div><span class="gmail-">At the same time I have a question, since my understanding of xsce networking is limited. When setup in LANcontroller mode with both the internal wifi + LAN being controlled by XSCE, does all the LAN side traffic flow through br0?
Is it always the case? (in gateway mode too). If that is so, then I will configure coova to work on br0.<br>
<br>
[1] <a target="_blank" href="http://freeradius.org/">http://freeradius.org/</a> </span>
<div style="margin-bottom:20px; overflow:auto; width:100%; text-indent:0px">
<table cellspacing="0" style="width:90%; background-color:rgb(255,255,255); overflow:auto; padding-top:20px; padding-bottom:20px; margin-top:20px; border-top:1px dotted rgb(200,200,200); border-bottom:1px dotted rgb(200,200,200)">
<tbody>
<tr valign="top" style="border-spacing:0px">
<td colspan="2" style="vertical-align:top; padding:0px; display:table-cell">
<div></div>
<div style="color:rgb(0,120,215); font-weight:normal; font-size:21px; font-family:wf_segoe-ui_light,"segoe ui light","segoe wp light","segoe ui","segoe wp",tahoma,arial,sans-serif; line-height:21px">
<a target="_blank" href="http://freeradius.org/" style="text-decoration:none">FreeRADIUS: The world's most popular RADIUS Server</a></div>
<div style="margin:10px 0px 16px; color:rgb(102,102,102); font-weight:normal; font-family:wf_segoe-ui_normal,"segoe ui","segoe wp",tahoma,arial,sans-serif; font-size:14px; line-height:14px">
<a target="_blank" href="http://freeradius.org">freeradius.org</a></div>
<div style="display:block; color:rgb(102,102,102); font-weight:normal; font-family:wf_segoe-ui_normal,"segoe ui","segoe wp",tahoma,arial,sans-serif; font-size:14px; line-height:20px; max-height:100px; overflow:hidden">
The FreeRADIUS Project. FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS ...</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
[2] <a target="_blank" href="http://coova.github.io/CoovaChilli/">http://coova.github.io/<wbr>CoovaChilli/</a>
<div style="margin-bottom:20px; overflow:auto; width:100%; text-indent:0px">
<table cellspacing="0" style="width:90%; background-color:rgb(255,255,255); overflow:auto; padding-top:20px; padding-bottom:20px; margin-top:20px; border-top:1px dotted rgb(200,200,200); border-bottom:1px dotted rgb(200,200,200)">
<tbody>
<tr valign="top" style="border-spacing:0px">
<td colspan="2" style="vertical-align:top; padding:0px; display:table-cell">
<div></div>
<div style="color:rgb(0,120,215); font-weight:normal; font-size:21px; font-family:wf_segoe-ui_light,"segoe ui light","segoe wp light","segoe ui","segoe wp",tahoma,arial,sans-serif; line-height:21px">
<a target="_blank" href="http://coova.github.io/CoovaChilli/" style="text-decoration:none">CoovaChilli, an open source captive portal access controller</a></div>
<div style="margin:10px 0px 16px; color:rgb(102,102,102); font-weight:normal; font-family:wf_segoe-ui_normal,"segoe ui","segoe wp",tahoma,arial,sans-serif; font-size:14px; line-height:14px">
<a target="_blank" href="http://coova.github.io">coova.github.io</a></div>
<div style="display:block; color:rgb(102,102,102); font-weight:normal; font-family:wf_segoe-ui_normal,"segoe ui","segoe wp",tahoma,arial,sans-serif; font-size:14px; line-height:20px; max-height:100px; overflow:hidden">
CoovaChilli. CoovaChilli is an open-source software access controller, based on the popular, but now defunct, ChilliSpot project, and is actively maintained by an ...</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<br>
</div>
<span class="gmail-">
<div>Best,<br>
</div>
<div>Anish<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Sep 20, 2016 at 7:36 AM, Anish Mangal <span dir="ltr">
<<a target="_blank" href="mailto:anishmg@umich.edu">anishmg@umich.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div>
<div>I believe I am able to get the captive portal working as intended<br>
<br>
<a target="_blank" href="http://people.sugarlabs.org/anish/captive.webm">http://people.sugarlabs.org/an<wbr>ish/captive.webm</a><br>
<br>
</div>
Now will need to work in a branch on a playbook.<br>
<br>
</div>
Another idea would be to have a web ui for radius to show all kids of user stats, control per user/group bandwidth, and accounting.<br>
</div>
<div class="gmail_extra">
<div>
<div><br>
<div class="gmail_quote">On Mon, Sep 19, 2016 at 8:54 PM, Anish Mangal <span dir="ltr">
<<a target="_blank" href="mailto:anishmg@umich.edu">anishmg@umich.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra">
<div>
<div><br>
<div class="gmail_quote">On Mon, Sep 19, 2016 at 8:54 PM, Anish Mangal <span dir="ltr">
<<a target="_blank" href="mailto:anishmg@umich.edu">anishmg@umich.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
So I was able to setup freeradius and coovachilli on a centos x86 machine to setup a captive portal using the method below:<br>
<a target="_blank" href="https://www.howtoforge.com/tutorial/how-to-install-a-wireless-hotspot-with-captive-page-in-linux-using-coovachilli/">https://www.howtoforge.com/tut<wbr>orial/how-to-install-a-wireles<wbr>s-hotspot-with-captive-page-in<wbr>-linux-using-coovachilli/</a><br>
<br>
</div>
Now, this is progress since the user experience is exactly how you would see in a coffee shop. Upon connecting, you will see a notification in your phone, and be prompted by a login prompt (where we can redirect the user to school.lan) or whatever afterwards.
<br>
<br>
</div>
However, there are some notes:<br>
</div>
1. Coovachili does its own dhcp, so probably we might have to use that, if the captive portal is being enabled.
<br>
</div>
2. By default it does dhcp on a different subnet. and _maybe_ because of that, a bunch of iptables rules dont work. name resolution doesnt work. Will change the default subnet to what we currently use and disable dhcpd and see what happens<br>
<br>
</div>
To setup coova and freeradius, they have to be compiled from source. The compiling was pretty straightforward on centos, so either the same can be done for ARM, but long term i think packages would be wonderful :-)
<br>
<br>
</div>
All in all, this definitely looks like an approach worth pursuing :) <br>
<br>
</div>
Cheers,<br>
</div>
Anish<br>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div dir="ltr">
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
</div>
</div>
<span><font color="#888888">-- <br>
<div>
<div dir="ltr">
<div>Anish<br>
</div>
<div><br>
<br>
</div>
</div>
</div>
</font></span></div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
</div>
</div>
<span><font color="#888888">-- <br>
<div>
<div dir="ltr">
<div>Anish<br>
</div>
<div><br>
<br>
</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<div>
<div dir="ltr">
<div><br>
</div>
</div>
</div>
</div>
</span></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>Anish<br>
</div>
<div><br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>