yfi_explain_uam

Anonymous

Explain the UAM process in Coova Chilli Access Controller

Introduction

The UAM (Universal Access Method) authentication process of the Coova Chilli Access Controller can look mysterious.
This section tries to explain it as simply as possible.

How I get to the login page

  • Coova Chilli intercepts traffic on port 80 (HTTP) coming from clients that have not authenticated yet. This is typically triggered when a client machine tries to open a website.
  • The client machine gets redirected to the IP and port that the Coova Chilli Access Controller is configured to listen on (uamip and uamport). A small web server runs on this IP/port combination and serves the files under the www directory.
  • Under this directory is the splash page, which is defined by the UAM Homepage (splash page) setting.
  • Thus when I try to access iol.co.za, I get redirected to the following URL: http://10.1.0.1:3660/www/coova.html
  • This page gets passed a query string which on my system carries the following key/value pairs:

    Attribute   Value                               Meaning
    res         notyet                              client state (notyet, failed or success)
    uamip       10.1.0.1                            IP the controller's web server listens on
    uamport     3660                                port of that web server
    challenge   532b80e14b14505accd24c79e35004e6    per-session challenge used to obfuscate the password
    mac         00-0C-F1-5F-58-AA                   client MAC address
    ip          10.1.0.2                            client IP address
    called      00-1D-7E-BC-02-AD                   called station (controller) MAC address
    nasid       00-1D-7E-BC-02-AD                   NAS identifier
    userurl     http%3a%2f%2fwww.iol.co.za%2f       URL the client originally requested, URL-encoded
    md          FA73A5DCD979555E205699F8EF813F37    32-hex MD5 value; not used by the pages below

  • This splash page takes the query string passed to it and redirects you to the login page defined by the UAM URL Format setting. The key/value pairs listed above are carried along in the HTTP GET query string.
  • These GET parameters (in particular res, challenge and userurl) are what the login page needs to log a user in.
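The redirect-handling steps above, as an added example in Python (this is not code from the page or from Coova Chilli): it rebuilds the redirect URL from the parameters listed in the table (sample data constructed from that table), parses the query string, and decides what the login page should do based on res. It also adds one check the page's own PHP does not have: userurl comes straight from the client's original request, so before redirecting to it on success the example only accepts http/https URLs with a host and otherwise falls back to a fixed page (the fallback URL is an assumption for illustration).

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URL reconstructed from the page's example parameters (constructed sample data).
SAMPLE_REDIRECT = (
    "http://10.1.0.1:3660/www/coova.html"
    "?res=notyet&uamip=10.1.0.1&uamport=3660"
    "&challenge=532b80e14b14505accd24c79e35004e6"
    "&mac=00-0C-F1-5F-58-AA&ip=10.1.0.2"
    "&called=00-1D-7E-BC-02-AD&nasid=00-1D-7E-BC-02-AD"
    "&userurl=http%3a%2f%2fwww.iol.co.za%2f"
    "&md=FA73A5DCD979555E205699F8EF813F37"
)

# Assumed landing page used when userurl is missing or unsafe.
DEFAULT_LANDING = "http://10.1.0.1:3660/www/welcome.html"


def parse_uam_params(url: str) -> dict:
    """Return the key/value pairs Coova Chilli appended to the UAM URL.

    parse_qs already URL-decodes the values, so the encoded userurl
    (http%3a%2f%2f...) comes back as a normal URL.
    """
    query = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in query.items()}


def safe_userurl(userurl: str, fallback: str = DEFAULT_LANDING) -> str:
    """Only redirect to an absolute http/https URL with a host.

    userurl is attacker-controllable (it is whatever the client requested),
    so this rejects javascript:, data: and scheme-less values instead of
    blindly emitting a Location header with them.
    """
    parts = urlsplit(userurl)
    if parts.scheme in ("http", "https") and parts.netloc:
        return userurl
    return fallback


def next_step(params: dict) -> tuple:
    """Map res to the action the simple login page takes.

    Returns ("redirect", url), ("fail_page", None) or ("show_form", challenge).
    Any res value the page does not know is treated like notyet.
    """
    res = params.get("res", "notyet")
    if res == "success":
        return ("redirect", safe_userurl(params.get("userurl", "")))
    if res == "failed":
        return ("fail_page", None)
    return ("show_form", params.get("challenge", ""))


if __name__ == "__main__":
    p = parse_uam_params(SAMPLE_REDIRECT)
    print(p["userurl"], next_step(p))
```

With res=notyet the result is the login form carrying the challenge; with res=success the client is sent back to www.iol.co.za, while a userurl such as javascript:alert(1) is replaced by the landing page.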

Very Simple PHP login page

  • Coova Chilli ships with a nice feature-rich login page that is driven by JavaScript and talks to the controller's JSON interface (the "JSON login page").
  • Unfortunately lots of people use handheld devices like cell phones whose browsers' JavaScript engines are not always up to standard.
  • A simple solution is to start off with a very simplistic login page but also offer the user the opportunity to use the more feature-rich JSON login page.

    <?php
            // Parameters Coova Chilli appends to the UAM URL (see the table above).
            $challenge = isset($_REQUEST['challenge']) ? $_REQUEST['challenge'] : '';
            $userurl   = isset($_REQUEST['userurl'])   ? $_REQUEST['userurl']   : '';
            $res       = isset($_REQUEST['res'])       ? $_REQUEST['res']       : 'notyet';
            $qs        = $_SERVER["QUERY_STRING"];
    
            // header() only works before any output is sent, so these checks
            // must run before the first HTML tag is printed.
            if($res == 'success'){
                    header("Location: $userurl");
                    exit;
            }
    
            if($res == 'failed'){
                    header("Location: fail.php?".$qs);
                    exit;
            }
    ?>
    <html>
    <h3>Captive Portal</h3>
    <form action="login.php" method="post">
            <!-- values come from the client, so escape them before echoing into HTML -->
            <input type="hidden" name="challenge" value="<?php echo htmlspecialchars($challenge); ?>" />
            <input type="hidden" name="userurl" value="<?php echo htmlspecialchars($userurl); ?>" />
    <table>
            <tr>
                    <td><b>Username</b></td>
                    <td>
                    <input type="text" name="username" />
                    </td>
            </tr>
            <tr>
                    <td><b>Password</b></td>
                    <td>
                    <input type="password" name="password" />
                    </td>
            </tr>
            <tr>
                    <td></td>
                    <td>
                    <input type="submit" value="Login" />
                    </td>
            </tr>
    </table>
    </form>
    <a href="help.html">Help</a><br>
    <a href="index.html?<?php echo htmlspecialchars($qs); ?>">JSON Login Page</a>
    </html>
    

Let's explain a few points:

  • The value of res gives an indication of the status of the client. E.g. failed means they tried to connect but it was not successful.
  • notyet means the client is new and hasn't authenticated yet.
  • success means the client logged in and was successful.
  • Depending on the value of res, we decide where to direct the client to.
  • In the above code we check for failure and success; if it is neither, we give the client a simple form to supply their username and password.
  • Note that userurl and the rest of the query string are supplied by the client, so they must be HTML-escaped when echoed into the page, and the success redirect should only accept http/https URLs.
  • The form contains the challenge as a hidden field. The password must be combined with this challenge before it is sent to the controller, so the form's target must be a program that does that computation.
  • The program and the Coova Chilli Access Controller must both know a shared secret (the UAM Secret) to handle the challenge correctly.
  • Let's look at the target PHP script used by the form:

    <?php
            $username   = isset($_POST['username'])  ? $_POST['username']  : '';
            $password   = isset($_POST['password'])  ? $_POST['password']  : '';
            $challenge  = isset($_POST['challenge']) ? $_POST['challenge'] : '';
            $redir      = isset($_POST['userurl'])   ? $_POST['userurl']   : '';
    
            // return_new_pwd() is a plain function; call it directly, not through a variable.
            $enc_pwd    = return_new_pwd($password, $challenge);
            $server_ip  = '10.1.0.1';   // uamip
            $port       = '3660';       // uamport
            //$dir      = '/json/logon';
            $dir        = '/logon';
            // urlencode() the user-supplied parts so '&', '?' or '#' in the
            // username or userurl cannot break the query string.
            $target     = "http://$server_ip".':'.$port.$dir
                        .'?username='.urlencode($username)
                        .'&password='.$enc_pwd
                        .'&userurl='.urlencode($redir);
            header("Location: $target");
            exit;
    
            function return_new_pwd($pwd,$challenge){
                  $uamsecret = 'greatsecret';    //Must be the same phrase coova chilli uses
                  $hex_chal  = pack('H32', $challenge);                   // 32 hex chars -> 16 raw bytes
                  $newchal   = pack('H*', md5($hex_chal.$uamsecret));   // raw md5(challenge . uamsecret); chilli derives the same value
                  $newpwd    = pack('a32', $pwd);                        // NUL-pad the password to 32 bytes
                  // XOR the padded password with the hash. PHP's ^ on strings stops at the
                  // shorter operand (16 bytes), so only the first 16 password bytes survive.
                  $password  = implode('', unpack('H32', ($newpwd ^ $newchal)));   // hex-encode
                  return $password;
             }
     ?>
    
  • We call a function 'return_new_pwd' to obfuscate the password using the challenge and the secret shared between the UAM login page and Coova Chilli (the UAM Secret). The password is never sent in the clear; the controller reverses the operation with the same secret.

  • We also send the userurl as an argument, which will be used to redirect the client upon success.
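The challenge handling from login.php, written out in Python as an added example (not code from the page or from Coova Chilli) so both sides of the exchange are visible: pap_password() mirrors return_new_pwd(), including the 16-byte limit that falls out of PHP's string XOR, and recover_password() is the inverse, which is what a party holding the same UAM secret has to do to get the clear-text password back. The challenge value is the one from the page's table; the username, the secret 'greatsecret' and the use of /logon match the page's script. Building the logon URL with urlencode() is shown because the page's PHP concatenates the values raw.

```python
import hashlib
from urllib.parse import urlencode

# Values taken from the page's example (sample data, not a live session).
CHALLENGE = "532b80e14b14505accd24c79e35004e6"
UAMSECRET = "greatsecret"
UAMIP, UAMPORT = "10.1.0.1", 3660


def derive_newchal(challenge_hex: str, uamsecret: str) -> bytes:
    """md5(raw_challenge || uamsecret): the 16-byte mask both sides derive.

    pack('H32', $challenge) in the PHP turns the 32 hex digits into 16 raw
    bytes; the secret is appended as-is and the raw MD5 digest is returned.
    """
    raw_challenge = bytes.fromhex(challenge_hex)
    return hashlib.md5(raw_challenge + uamsecret.encode()).digest()


def pap_password(password: str, challenge_hex: str, uamsecret: str) -> str:
    """Client side: what login.php's return_new_pwd() sends as password=.

    The password is NUL-padded to 32 bytes (pack('a32')) and XORed with the
    mask. PHP's ^ on strings truncates to the shorter operand, so only the
    first 16 bytes are actually encoded and longer passwords would be cut.
    """
    pwd = password.encode()
    if len(pwd) > 16:
        raise ValueError("password longer than 16 bytes would be truncated")
    mask = derive_newchal(challenge_hex, uamsecret)
    padded = pwd.ljust(32, b"\0")
    # zip() stops at the 16-byte mask, matching the PHP truncation.
    return bytes(a ^ b for a, b in zip(padded, mask)).hex()


def recover_password(pap_hex: str, challenge_hex: str, uamsecret: str) -> str:
    """Controller side: undo the XOR with the same mask and strip the padding.

    With the wrong secret the mask differs and garbage comes out, which is
    why the secret has to match on both ends.
    """
    mask = derive_newchal(challenge_hex, uamsecret)
    raw = bytes.fromhex(pap_hex)
    plain = bytes(a ^ b for a, b in zip(raw, mask))
    return plain.rstrip(b"\0").decode(errors="replace")


def logon_url(username: str, pap_hex: str, userurl: str) -> str:
    """The redirect target login.php builds, with every value URL-encoded."""
    query = urlencode({"username": username, "password": pap_hex, "userurl": userurl})
    return f"http://{UAMIP}:{UAMPORT}/logon?{query}"


if __name__ == "__main__":
    enc = pap_password("secret", CHALLENGE, UAMSECRET)
    print(logon_url("alice", enc, "http://www.iol.co.za/"))
    print(recover_password(enc, CHALLENGE, UAMSECRET))
```

Because the mask is a fixed function of challenge and secret, anyone who can see the /logon request and knows the UAM secret recovers the password, and a reused challenge makes two encoded passwords XOR-related. The obfuscation therefore protects only against casual observation; the link from client to controller still needs TLS if the password matters.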

JSON page

Using the JSON page is a real pleasure, but as stated before, not every browser on mobile devices supports the JavaScript it needs.


Related

Wiki: YfiTechCoovaLogin