Comments (10)
Hi, can you provide the output of the following commands:
opkg list-installed | grep ucode
opkg list-installed | grep uspot
Hi, here is the output of the mentioned commands:
opkg list-installed | grep ucode:
liblucihttp-ucode - 2023-03-15-9b5b683f-1
libucode20220812 - 2023-06-06-c7d84aae-1
libucode20230711 - 2023-11-07-a6e75e02-1
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-06-06-c7d84aae-1
ucode-mod-html - 1
ucode-mod-log - 2023-11-07-a6e75e02-1
ucode-mod-math - 2023-06-06-c7d84aae-1
ucode-mod-nl80211 - 2023-06-06-c7d84aae-1
ucode-mod-rtnl - 2023-06-06-c7d84aae-1
ucode-mod-ubus - 2023-06-06-c7d84aae-1
ucode-mod-uci - 2023-06-06-c7d84aae-1
ucode-mod-uloop - 2023-06-06-c7d84aae-1
uhttpd-mod-ucode - 2023-06-25-34a8a74d-2
opkg list-installed | grep uspot:
uspot - 2024-01-09-c4b6f2f0-1
uspot-www - 2024-01-09-c4b6f2f0-1
uspotfilter - 2024-01-09-c4b6f2f0-1
uspot looks correct but you have multiple conflicting ucode module versions installed (2023-06-06 vs 2023-11-07) and two versions of libucode. Everything should be on 2023-11-07. Can you try to opkg update / opkg upgrade?
I suspect this is the cause of your problem.
This is what it should look like on e.g. 23.05.2:
liblucihttp-ucode - 2023-03-15-9b5b683f-1
libucode20230711 - 2023-11-07-a6e75e02-1
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-11-07-a6e75e02-1
ucode-mod-html - 1
ucode-mod-log - 2023-11-07-a6e75e02-1
ucode-mod-math - 2023-11-07-a6e75e02-1
ucode-mod-nl80211 - 2023-11-07-a6e75e02-1
ucode-mod-rtnl - 2023-11-07-a6e75e02-1
ucode-mod-ubus - 2023-11-07-a6e75e02-1
ucode-mod-uci - 2023-11-07-a6e75e02-1
ucode-mod-uloop - 2023-11-07-a6e75e02-1
uhttpd-mod-ucode - 2023-06-25-34a8a74d-1
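The version mismatch described above is easy to miss by eye in a long opkg listing. The following script is an added example (not uspot's or OpenWrt's own tooling) that reads `opkg list-installed | grep ucode` output and flags two things the reply points at: ucode packages built from more than one upstream snapshot, and more than one libucode ABI package. It assumes that `ucode`, `libucode*` and `ucode-mod-*` are the packages built from the ucode source, and that `ucode-mod-html`, `uhttpd-mod-ucode`, `rpcd-mod-ucode` and `liblucihttp-ucode` are separate packages with their own version scheme (that is what the expected 23.05.2 listing above shows). The sample inputs are the two listings from this thread.

```shell
#!/bin/sh
# Added example, not uspot's code: check that the ucode runtime and its modules
# come from a single upstream snapshot, as the maintainer asks for above.
# Input: lines of the form "<package> - <version>" as printed by
# `opkg list-installed | grep ucode`.
# Assumption: packages built from the ucode source are `ucode`, `libucode*` and
# `ucode-mod-*`; `ucode-mod-html` (version "1") and the liblucihttp/rpcd/uhttpd
# ucode glue packages have their own version scheme and are ignored.

# Print one line per distinct upstream snapshot (date + commit hash) found.
ucode_snapshots() {
    awk '($1 == "ucode") || ($1 ~ /^libucode/) || ($1 ~ /^ucode-mod-/ && $1 != "ucode-mod-html") {
            # version looks like 2023-11-07-a6e75e02-1; keep the date-hash part
            n = split($3, v, "-")
            snap = (n >= 4) ? (v[1] "-" v[2] "-" v[3] "-" v[4]) : $3
            if (!(snap in seen)) { seen[snap] = 1; print snap }
        }' | sort
}

# Count libucode ABI packages; more than one means a leftover library package.
libucode_count() {
    awk '$1 ~ /^libucode/ { n++ } END { print n + 0 }'
}

# Reads the listing on stdin; returns 0 when consistent, 1 otherwise.
check_ucode_install() {
    input=$(cat)
    snaps=$(printf '%s\n' "$input" | ucode_snapshots)
    nsnap=$(printf '%s\n' "$snaps" | grep -c .)
    nlib=$(printf '%s\n' "$input" | libucode_count)
    rc=0
    if [ "$nsnap" -gt 1 ]; then
        echo "MISMATCH: ucode packages from $nsnap snapshots:"
        printf '  %s\n' $snaps
        rc=1
    fi
    if [ "$nlib" -gt 1 ]; then
        echo "MISMATCH: $nlib libucode ABI packages installed"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: single ucode snapshot $snaps"
    return "$rc"
}

# Sample input: the mixed install reported earlier in this thread.
MIXED='libucode20220812 - 2023-06-06-c7d84aae-1
libucode20230711 - 2023-11-07-a6e75e02-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-06-06-c7d84aae-1
ucode-mod-html - 1
ucode-mod-log - 2023-11-07-a6e75e02-1
uhttpd-mod-ucode - 2023-06-25-34a8a74d-2'

# Sample input: the expected 23.05.2 state.
CLEAN='libucode20230711 - 2023-11-07-a6e75e02-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-11-07-a6e75e02-1
ucode-mod-html - 1
uhttpd-mod-ucode - 2023-06-25-34a8a74d-1'

printf '%s\n' "$MIXED" | check_ucode_install; echo "exit status: $?"
printf '%s\n' "$CLEAN" | check_ucode_install; echo "exit status: $?"
# On a live router: opkg list-installed | grep ucode | check_ucode_install
```

The snapshot is taken from the date and hash part of the version only, so the `-1`/`-2` package revision suffix (as in `uhttpd-mod-ucode`) never counts as a mismatch.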
Also, here are the other configurations for uspot:
/etc/config/uspot:
# for auth mode 'credentials', add any number of the following config entries
#config credentials
#    option uspot 'example'
#    option username 'myuser'
#    option password 'mypass'

## Values provided for the options below reflect the defaults used when the option is not set.
config uspot 'captive'
    option auth_mode 'click-to-continue' # one of 'uam', 'radius', 'credentials', 'click-to-continue'
    option idle_timeout '600' # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
    option session_timeout '1000' # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
    option interface 'captive' # network interface (from config/network) on which captive clients will be managed
    option setname 'uspot' # firewall ipset name for client management
    option debug '0' # turn on debugging output in logs
    # captive portal API (RFC8908) configuration:
    # option cpa_can_extend '0' # 'can-extend-session' is true if this option is set to '1', false otherwise
    # option cpa_venue_url '' # value is provided verbatim as 'venue-info-url'
    # for auth mode 'uam' and 'radius':
    # option auth_server '' # radius authentication server name or address
    # option auth_port '1812' # radius authentication server port
    # option auth_secret '' # radius authentication server password
    # option auth_proxy '' # radius authentication server proxy
    # option acct_server '' # radius accounting server name or address
    # option acct_port '1813' # radius accounting server port
    # option acct_secret '' # radius accounting server password
    # option acct_proxy '' # radius accounting server proxy
    # option acct_interval '' # radius accounting interim interval override
    # option das_secret '' # radius DAS secret
    # option das_port '3799' # radius DAS listen port
    # option nasid '' # radius NAS-Identifier, UAM '&nasid='
    # option nasmac '' # radius Called-Station, UAM '&called='
    # option mac_format '' # MAC format specifier: 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or the equivalent uppercase
    # option location_name '' # radius WISPr-Location-Name
    # for auth_mode 'uam':
    # option uam_port '3990' # local UAM server port
    # option uam_secret '' # remote UAM server password
    # option uam_server '' # remote UAM server base url, e.g. "https://server.example.com/" - NB: trailing slash
    # option challenge '' # UAM CHAP shared challenge
    # option final_redirect_url '' # URL the client will be redirected to upon login. Special value 'uam' enables UAM 'success/reject/logoff' redirection URLs.
    # option mac_auth '0' # Attempt MAC-authentication first
    # option mac_password '' # Password sent for MAC-auth, defaults to MAC address
    # option mac_suffix '' # Optional suffix appended to username for MAC-auth
    # option uam_sslurl '' # optional base url to local UAM SSL (requires valid SSL setup in uhttpd UAM config), e.g. "https://uspot.lan:3991/" - NB: trailing slash
/etc/config/network:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd2d:2536:6255::/48'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config interface 'wwan'
    option proto 'dhcp'

config interface 'captive'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.252.0'
    option device 'phy1-ap0'
/etc/config/firewall:
config defaults
    option syn_flood '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'wwan'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# create a 'captive' zone for captive portal traffic
config zone
    option name 'captive'
    list network 'captive'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# setup CPD hijacking for unauthenticated clients
config redirect
    option name 'Redirect-unauth-captive-CPD'
    option src 'captive'
    option src_dport '80'
    option proto 'tcp'
    option target 'DNAT'
    option reflection '0'
    option ipset '!uspot' # match with uspot option 'setname'

# allow DHCP for captive clients
config rule
    option name 'Allow-DHCP-NTP-captive'
    option src 'captive'
    option proto 'udp'
    option dest_port '67 123'
    option target 'ACCEPT'

# prevent access to LAN-side services from the captive interface
# Linux implements a weak host model and traffic crossing a zone boundary isn't considered forwarding on the router:
# it must be explicitly denied - NB: order matters: DHCP is a broadcast that would be caught by this rule
config rule
    option name 'Restrict-input-captive'
    option src 'captive'
    option dest_ip '!captive'
    option target 'DROP'

# allow incoming traffic to CPD / web interface and local UAM server
config rule
    option name 'Allow-captive-CPD-WEB-UAM'
    option src 'captive'
    option dest_port '80 443 3990'
    option proto 'tcp'
    option target 'ACCEPT'

# allow forwarding traffic to wan from authenticated clients
config rule
    option name 'Forward-auth-captive'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option target 'ACCEPT'
    option ipset 'uspot' # match with uspot option 'setname'

# allow DNS for captive clients
config rule
    option name 'Allow-DNS-captive'
    option src 'captive'
    list proto 'udp'
    list proto 'tcp'
    option dest_port '53'
    option target 'ACCEPT'

# if using RFC5176 RADIUS DAE:
#config rule
#    option name 'Allow-captive-DAE'
#    option src 'wan'
#    option proto 'udp'
#    option family 'ipv4'
#    option src_ip 'XX.XX.XX.XX' # adjust as needed
#    option dest_port '3799' # match value for 'das_port' in config/uspot
#    option target 'ACCEPT'

# create the ipset that will hold authenticated clients
config ipset
    option name 'uspot' # match with uspot option 'setname'
    list match 'src_mac'

# optional whitelist for e.g. remote UAM host and/or dynamic hosts via dnsmasq ipset functionality
config rule
    option name 'Allow-Whitelist'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option ipset 'wlist'
    option target 'ACCEPT'

# associated whitelist ipset with pre-populated entries
config ipset
    option name 'wlist'
    list match 'dest_ip'
    # list entry 'XX.XX.XX.XX' # adjust as needed for e.g. remote UAM server
    # list entry 'XX.XX.XX.XX'
/etc/config/dhcp:
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option filter_aaaa '0'
    option filter_a '0'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'captive'
    option interface 'captive'
    option start '2'
    option limit '1000'
    option leasetime '2h'
    # add the following for the RFC8910 Captive Portal API - the DNS name is set up below
    #list dhcp_option '114,https://captive.example.org/api'
    # optionally provide an NTP server (if enabled on the device) - recommended for SSL cert validation
    list dhcp_option_force '42,10.0.0.1'

# add a local domain name for HTTPS support, name must match the TLS certificate
config domain
    option name 'captive.example.org'
    option ip '10.0.0.1'

# if using the optional dynamic hosts whitelist
config ipset
    list name 'wlist' # match value with whitelist ipset name in config/firewall
    list domain 'my.whitelist1.domain'
    list domain 'my.whitelist2.domain'
Hi, the reported error was solved by upgrading OpenWrt to 23.05.2 (the previous version was 23.05.0). But I'm wondering: does the uspot captive portal redirect any unauthenticated client traffic to the login page, or does the client have to go to the login page itself?
But I'm wondering: does the uspot captive portal redirect any unauthenticated client traffic to the login page, or does the client have to go to the login page itself?
Unauthenticated HTTP traffic will be redirected. HTTPS, however, will not (it can't be), but most client devices perform so-called "Captive Portal Detection" (CPD) over HTTP for that very reason.
Enabling the Captive Portal API provides a smoother user experience.
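To see the behaviour described in the reply above from the client side, here is an added example (not uspot's code) that classifies what a Captive Portal Detection probe got back. The `Redirect-unauth-captive-CPD` rule in the firewall posted above DNATs only TCP/80 from clients that are not in the `uspot` ipset, so a plain-HTTP probe of a URL that normally answers 204 is turned into a redirect, while an HTTPS probe cannot be redirected and simply fails the TLS handshake or certificate check. The probe URL (the Android connectivity check) and the sample responses are assumptions; the portal `Location` in the sample is constructed from the `captive.example.org` name in the dhcp config above, not captured from uspot.

```shell
#!/bin/sh
# Added example, not uspot's code: classify the answer to a Captive Portal
# Detection (CPD) probe. Most client OSes fetch a well-known plain-HTTP URL and
# expect a fixed reply (the Android probe used below expects HTTP 204); a
# redirect instead means "captive" and the OS opens the portal page. Because the
# uspot firewall DNAT matches only TCP/80 of unauthenticated clients, an HTTPS
# probe is never redirected: it fails the TLS handshake or gets a certificate
# for the wrong name instead.
#
# classify_cpd_response reads raw response headers (the format of `curl -D -`)
# on stdin and prints one of: open, captive <url>, no-http-response, unexpected <code>.
classify_cpd_response() {
    hdrs=$(cat)
    # status code of the last status line (curl -L prints one per hop)
    status=$(printf '%s\n' "$hdrs" | awk 'toupper($1) ~ /^HTTP\// { code = $2 } END { print code + 0 }')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" { loc = $2 } END { print loc }' | tr -d '\r')
    case "$status" in
        204) echo "open" ;;
        301|302|303|307|308)
            if [ -n "$location" ]; then
                echo "captive $location"
            else
                echo "captive (redirect without Location)"
            fi ;;
        0) echo "no-http-response" ;;
        *) echo "unexpected $status" ;;
    esac
}

# Live probe, to be run from a client of the captive interface. The default URL
# is the Android connectivity check; any HTTP URL that normally answers 204 will
# do. curl's own exit status is deliberately ignored: a DNS or TCP failure just
# yields no status line, which classify_cpd_response reports.
cpd_probe() {
    curl -s -m 5 -o /dev/null -D - "${1:-http://connectivitycheck.gstatic.com/generate_204}" 2>/dev/null \
        | classify_cpd_response
}

# Constructed sample replies (not captured from a real uspot instance): what the
# probe sees with working internet, and what an unauthenticated client sees when
# the router DNATs port 80 and answers with a redirect to the portal name.
OPEN_INTERNET='HTTP/1.1 204 No Content
Content-Length: 0'
PORTAL_REDIRECT='HTTP/1.1 302 Found
Location: http://captive.example.org/cpd
Content-Length: 0'

printf '%s\n' "$OPEN_INTERNET" | classify_cpd_response    # open
printf '%s\n' "$PORTAL_REDIRECT" | classify_cpd_response  # captive http://captive.example.org/cpd
if [ "${1:-}" = "--live" ]; then
    cpd_probe
fi
```

Run with `--live` from a device attached to the captive SSID; once the client's MAC has been added to the `uspot` ipset the same probe should report `open`, because the DNAT rule no longer matches it.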
Many thanks for your help. Could you please tell me how to configure uspot to connect to the FreeRADIUS server? I also have another question: does uspot implement accounting for FreeRADIUS? I mean daily (or weekly, etc.) usage and rate limits.
For RADIUS configuration see this section:
Lines 21 to 36 in 53b8cb8
You will need at least auth_server and auth_secret.
uspot currently only implements session time accounting. Traffic accounting is on the TODO list (see the end of the README); it's hopefully coming soon.
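A check for the requirement stated in the reply above, as an added example that is not part of uspot: it reads an `/etc/config/uspot` file on stdin and verifies that a section in `radius` (or `uam`) mode actually carries `auth_server` and `auth_secret`. It only knows the option names that appear in the default config posted earlier in this thread; the 16-octet minimum it warns about is the recommendation of RFC 2865 section 3 for RADIUS shared secrets, not a uspot rule. The first sample is the RADIUS section posted later in this thread; the second is constructed to show a failing case.

```shell
#!/bin/sh
# Added example, not uspot's code: sanity-check the RADIUS options of a section
# in /etc/config/uspot before restarting the service. The UCI text is read on
# stdin; the first argument names the 'config uspot' section (default: captive).
# Assumptions: only option names from the config posted in this thread are
# looked at (auth_mode, auth_server, auth_port, auth_secret, acct_server,
# acct_secret); the one hard requirement asserted is "at least auth_server and
# auth_secret" from the reply above. The 16-octet minimum for the shared secret
# is the RFC 2865 section 3 recommendation, not a uspot rule.
uspot_radius_check() {
    awk -v want="${1:-captive}" '
        /^[[:space:]]*#/ { next }                      # commented-out lines
        $1 == "config" {
            s = $3; gsub("\047", "", s)                # strip quotes from the section name
            insect = ($2 == "uspot" && s == want)
            if (insect) found = 1
            next
        }
        insect && $1 == "option" {
            v = $0
            sub(/^[[:space:]]*option[[:space:]]+[^[:space:]]+[[:space:]]*/, "", v)  # drop "option <name>"
            sub(/[[:space:]]+#.*$/, "", v)                                          # drop trailing comment
            gsub("^[\047\"]|[\047\"]$", "", v)                                      # drop surrounding quotes
            opt[$2] = v
        }
        END {
            if (!found) { print "FAIL section " want " not found"; exit 1 }
            mode = opt["auth_mode"]
            if (mode != "radius" && mode != "uam") {
                print "INFO auth_mode=" mode ": RADIUS options are not used"; exit 0
            }
            rc = 0
            if (opt["auth_server"] == "") { print "FAIL auth_server is not set"; rc = 1 }
            if (opt["auth_secret"] == "") { print "FAIL auth_secret is not set"; rc = 1 }
            else if (length(opt["auth_secret"]) < 16)
                print "WARN auth_secret is shorter than the 16 octets RFC 2865 recommends"
            if (opt["acct_server"] != "" && opt["acct_secret"] == "") {
                print "FAIL acct_server is set but acct_secret is empty"; rc = 1
            }
            if (rc == 0)
                print "OK auth_mode=" mode " auth_server=" opt["auth_server"] ":" (opt["auth_port"] == "" ? "1812" : opt["auth_port"])
            exit rc
        }'
}

# Sample 1: the RADIUS section posted in this thread (other options trimmed).
POSTED_CFG="config uspot 'captive'
    option auth_mode 'radius' # one of 'uam', 'radius', 'credentials', 'click-to-continue'
    option interface 'captive'
    option setname 'uspot'
    option auth_server '192.168.205.161' # radius authentication server name or address
    option auth_port '1812'
    option auth_secret 'xiaomi-router' # radius authentication server password
    # option acct_server ''
    # option acct_secret ''"

# Sample 2 (constructed): radius mode with the server line left commented out.
BROKEN_CFG="config uspot 'captive'
    option auth_mode 'radius'
    # option auth_server '192.168.205.161'
    option auth_secret 'xiaomi-router'"

printf '%s\n' "$POSTED_CFG" | uspot_radius_check captive; echo "exit status: $?"
printf '%s\n' "$BROKEN_CFG" | uspot_radius_check captive; echo "exit status: $?"
# On the router: uspot_radius_check captive < /etc/config/uspot
```

The posted configuration passes with a warning: the secret is shared with every NAS entry in the FreeRADIUS table shown later in the thread, so a short, guessable value there weakens authentication of every RADIUS exchange, not just this router's.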
Thanks. I have a problem with RADIUS authentication mode. The FreeRADIUS server is located on the WAN side with IP address 192.168.205.161. When clients try to connect with a username and password, the following error is shown in logread.
Thu Feb 15 14:35:22 2024 user.err : radcli: rc_read_dictionary: rc_read_dictionary couldn't open dictionary /etc/radcli/dictionary: No such file or directory
The configuration for uspot, the firewall and uhttpd is as below:
uspot:
config credentials
    option uspot 'captive'
    option username 'amirmohammad'
    option password 'aref'

## Values provided for the options below reflect the defaults used when the option is not set.
config uspot 'captive'
    option auth_mode 'radius' # one of 'uam', 'radius', 'credentials', 'click-to-continue'
    option idle_timeout '600' # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
    option session_timeout '240' # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
    option interface 'captive' # network interface (from config/network) on which captive clients will be managed
    option setname 'uspot' # firewall ipset name for client management
    option debug '0' # turn on debugging output in logs
    # captive portal API (RFC8908) configuration:
    option cpa_can_extend '0' # 'can-extend-session' is true if this option is set to '1', false otherwise
    option cpa_venue_url '' # value is provided verbatim as 'venue-info-url'
    # for auth mode 'uam' and 'radius':
    option auth_server '192.168.205.161' # radius authentication server name or address
    option auth_port '1812' # radius authentication server port
    option auth_secret 'xiaomi-router' # radius authentication server password
    # option auth_proxy '' # radius authentication server proxy
    # option acct_server '' # radius accounting server name or address
    # option acct_port '1813' # radius accounting server port
    # option acct_secret '' # radius accounting server password
    # option acct_proxy '' # radius accounting server proxy
    # option acct_interval '' # radius accounting interim interval override
    # option das_secret '' # radius DAS secret
    # option das_port '3799' # radius DAS listen port
    # option nasid '' # radius NAS-Identifier, UAM '&nasid='
    # option nasmac '' # radius Called-Station, UAM '&called='
    # option mac_format '' # MAC format specifier: 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or the equivalent uppercase
    # option location_name '' # radius WISPr-Location-Name
    # for auth_mode 'uam':
    # option uam_port '3990' # local UAM server port
    # option uam_secret '' # remote UAM server password
    # option uam_server '' # remote UAM server base url, e.g. "https://server.example.com/" - NB: trailing slash
    # option challenge '' # UAM CHAP shared challenge
    # option final_redirect_url '' # URL the client will be redirected to upon login. Special value 'uam' enables UAM 'success/reject/logoff' redirection URLs.
    # option mac_auth '0' # Attempt MAC-authentication first
    # option mac_password '' # Password sent for MAC-auth, defaults to MAC address
    # option mac_suffix '' # Optional suffix appended to username for MAC-auth
    # option uam_sslurl '' # optional base url to local UAM SSL (requires valid SSL setup in uhttpd UAM config), e.g. "https://uspot.lan:3991/" - NB: trailing slash
firewall:
config zone
    option name 'captive'
    list network 'captive'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config redirect
    option name 'Redirect-unauth-captive-CPD'
    option src 'captive'
    option src_dport '80'
    option proto 'tcp'
    option target 'DNAT'
    option reflection '0'
    option ipset '!uspot'

config rule
    option name 'Allow-DHCP-NTP-captive'
    option src 'captive'
    option proto 'udp'
    option dest_port '67 123'
    option target 'ACCEPT'

config rule
    option name 'Restrict-input-captive'
    option src 'captive'
    option dest_ip '!captive'
    option target 'DROP'

config rule
    option name 'Allow-captive-CPD-WEB-UAM'
    option src 'captive'
    option dest_port '80 443 3990'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option name 'Forward-auth-captive'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option target 'ACCEPT'
    option ipset 'uspot'

config rule
    option name 'Allow-DNS-captive'
    option src 'captive'
    list proto 'udp'
    list proto 'tcp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-captive-DAE'
    option src 'wan'
    option proto 'udp'
    option family 'ipv4'
    option src_ip '192.168.205.161'
    option dest_port '3799'
    option target 'ACCEPT'

config ipset
    option name 'uspot'
    list match 'src_mac'

config rule
    option name 'Allow-Whitelist'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option ipset 'wlist'
    option target 'ACCEPT'

config ipset
    option name 'wlist'
    list match 'dest_ip'

config rule
    option name 'Allow ssh from wan'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
uhttpd:
config uhttpd 'uspot'
    list listen_http '10.0.0.1:80'
    option redirect_https '0'
    option max_requests '5'
    option no_dirlists '1'
    option home '/www-uspot'
    list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'
    list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'
    option error_page '/cpd'
    # if using TLS and/or supporting RFC8908 CapPort API:
    #list listen_https '10.0.0.1:443'
    #option cert '/usr/share/certs/captive.pem' # to be provided manually
    #option key '/usr/share/certs/captive.key' # to be provided manually
    # for RFC8908 support:
    list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'

# if using RADIUS UAM authentication:
config uhttpd 'uam3990'
    list listen_http '10.0.0.1:3990'
    option redirect_https '0'
    option max_requests '5'
    option no_dirlists '1'
    option home '/www-uspot'
    list ucode_prefix '/logon=/usr/share/uspot/handler-uam.uc'
    list ucode_prefix '/logoff=/usr/share/uspot/handler-uam.uc'
    list ucode_prefix '/logout=/usr/share/uspot/handler-uam.uc'
The NAS entries in the FreeRADIUS database are as below:
+----+-----------------+-----------+------+-------+---------------+--------+-----------+-------------+
| id | nasname | shortname | type | ports | secret | server | community | description |
+----+-----------------+-----------+------+-------+---------------+--------+-----------+-------------+
| 2 | 192.168.3.1 | NULL | NULL | NULL | xiaomi-router | NULL | NULL | NULL |
| 3 | 10.0.0.1 | NULL | NULL | NULL | xiaomi-router | NULL | NULL | NULL |
| 4 | 192.168.205.202 | NULL | NULL | NULL | xiaomi-router | NULL | NULL | NULL |
+----+-----------------+-----------+------+-------+---------------+--------+-----------+-------------+
Please don't use this closed issue to ask unrelated support questions.
Thanks. I have a problem with RADIUS authentication mode. The FreeRADIUS server is located on the WAN side with IP address 192.168.205.161. When clients try to connect with a username and password, the following error is shown in logread.
Thu Feb 15 14:35:22 2024 user.err : radcli: rc_read_dictionary: rc_read_dictionary couldn't open dictionary /etc/radcli/dictionary: No such file or directory
You need to provide your RADIUS dictionary files to libradcli (/etc/radcli/dictionary, as indicated by the error message above); by default none are provided by the libradcli package.
Dictionary files are available from e.g. https://github.com/radcli/radcli/tree/master/etc
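After copying the dictionary files into place, the next failure mode is a dictionary whose `$INCLUDE` lines point at files that were not copied. The following is an added example (not radcli's or uspot's code) that walks a dictionary and everything it includes, reporting any unreadable file before `radius-client` does. It assumes that a relative `$INCLUDE` path is resolved against the directory of the including file (absolute paths are taken as-is) and that `ATTRIBUTE`/`VALUE` lines are the definitions worth counting; the sample dictionary it builds in a temporary directory is constructed for the demo and is not radcli's shipped one.

```shell
#!/bin/sh
# Added example, not radcli's or uspot's code: walk a radcli dictionary and the
# files it pulls in with $INCLUDE, so a missing file is found before
# radius-client logs "couldn't open dictionary". Assumptions: a $INCLUDE path
# that is not absolute is resolved against the directory of the file containing
# it; "ATTRIBUTE name number type" and "VALUE attr name number" lines are the
# definitions being counted.

# check_radcli_dictionary FILE [DEPTH]
# Prints "MISSING path" or "OK path (N definitions)" per file; exit status 1 if
# any file in the include chain is unreadable. The body runs in a subshell so
# the recursion keeps its own variables.
check_radcli_dictionary() (
    dict=$1
    depth=${2:-0}
    if [ "$depth" -gt 8 ]; then
        echo "LOOP? include depth exceeded at $dict"
        exit 1
    fi
    if [ ! -r "$dict" ]; then
        echo "MISSING $dict"
        exit 1
    fi
    rc=0
    dir=$(dirname "$dict")
    for inc in $(awk '$1 == "$INCLUDE" { print $2 }' "$dict"); do
        case "$inc" in
            /*) path=$inc ;;
            *)  path=$dir/$inc ;;
        esac
        check_radcli_dictionary "$path" $((depth + 1)) || rc=1
    done
    n=$(awk '$1 == "ATTRIBUTE" || $1 == "VALUE" { n++ } END { print n + 0 }' "$dict")
    echo "OK $dict ($n definitions)"
    exit "$rc"
)

# Build a throwaway directory that mimics /etc/radcli and print its path.
# The contents are a constructed sample, not radcli's real dictionary.
make_demo_dictionary() {
    d=$(mktemp -d)
    cat > "$d/dictionary" <<'EOF'
# constructed sample dictionary
ATTRIBUTE   User-Name        1   string
ATTRIBUTE   User-Password    2   string
ATTRIBUTE   NAS-IP-Address   4   ipaddr
ATTRIBUTE   Service-Type     6   integer
VALUE       Service-Type     Login-User   1
$INCLUDE dictionary.extra
$INCLUDE dictionary.absent
EOF
    cat > "$d/dictionary.extra" <<'EOF'
ATTRIBUTE   Session-Timeout  27  integer
ATTRIBUTE   Idle-Timeout     28  integer
EOF
    echo "$d"
}

demo=$(make_demo_dictionary)
check_radcli_dictionary "$demo/dictionary"; echo "exit status: $?"
rm -rf "$demo"
# On the router: check_radcli_dictionary /etc/radcli/dictionary
```

On the demo data the walk reports `dictionary.extra` as OK, `dictionary.absent` as MISSING and exits 1, which is the same situation as the logread error in the thread, one level down.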