Menu
▾
▴
[Pepperspot-users] How to write pepper.conf for FreeRADIUS authentication ?
|
From: Masashi H. <ho...@ic...> - 2010-03-08 07:36:44
|
Hello.
Thank you for teaching me how to build. I could build and install it.
I configure /etc/pepper.conf and I could see PepperSpot Login site.
(I replaced line 55 of hotspotlogin.cgi to "if (0) {" because I want
to use HTTP for testing.)
But after I typed in username and password, no response returned.
It looks like NAT problem. What more configuration do I need ?
<<My environment>>
PC1 (Windows XP) [192.168.182.2]
|
| IEEE 802.11 connection
|
[wlan1 : 192.168.182.1]
PC2 (Debian Linux) with PepperChilli svn and FreeRADIUS 2.1.8
[eth0 : 192.168.1.33]
|
| Ethernet connection
|
PC3 (Router) [192.168.1.1]
/proc/sys/net/ipv4/ip_forward=1
# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 564 packets, 47055 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
230 11940 MASQUERADE all -- any eth0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 4 packets, 314 bytes)
pkts bytes target prot opt in out source destination
<<My /etc/pepper.conf>>
##############################################################################
#
# Sample PepperSpot configuration file
#
##############################################################################
# TAG: fg
# Include this flag if process is to run in the foreground
fg
# TAG: debug
# Include this flag to include debug information.
#debug
# TAG: interval
# Re-read configuration file at this interval. Will also cause new domain
# name lookups to be performed. Value is given in seconds.
#interval 3600
# TAG: pidfile
# File to store information about the process id of the program.
# The program must have write access to this file/directory.
#pidfile /var/run/pepper.pid
# TAG: statedir
# Directory to use for nonvolatile storage.
# The program must have write access to this directory.
# This tag is currently ignored
#statedir ./
# TAG: IP version
# Accepted version of IP protocol
# Can be 'ipv6', 'ipv4' or 'dual'
#ipversion dual
ipversion ipv4
# TUN parameters
# TAG: net
# IP network address of external packet data network
# Used to allocate dynamic IP addresses and set up routing.
# Normally you do not need to uncomment this tag.
net 192.168.182.0/24
# TAG: dynip
# Dynamic IP address pool
# Used to allocate dynamic IP addresses to clients.
# If not set it defaults to the net tag.
# Do not uncomment this tag unless you are an experienced user!
#dynip 192.168.182.0/24
# TAG: statip
# Static IP address pool
# Used to allocate static IP addresses to clients.
# Do not uncomment this tag unless you are an experienced user!
#statip 192.168.182.0/24
# TAG : staticipv6
# IPv6 address to listen to on TUN interface
#staticipv6 2001:db8:1::1234
# TAG: ipv6prefix
# IPv6 Prefix delegated to the Wi-Fi link
#ipv6prefix 2001:db8:1::/64
# TAG: dns1
# Primary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
dns1 192.168.1.1
# TAG: dns2
# Secondary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
#dns2 172.16.0.6
# TAG: domain
# Domain name
# Will be suggested to the client.
# Normally you do not need to uncomment this tag.
domain pepperspot.info
# TAG: ipup
# Script executed after network interface has been brought up.
# Executed with the following parameters: <devicename> <ip address>
# <mask>
# Normally you do not need to uncomment this tag.
#ipup /etc/pepper.ipup
# TAG: ipdown
# Script executed after network interface has been taken down.
# Executed with the following parameters: <devicename> <ip address>
# <mask>
# Normally you do not need to uncomment this tag.
#ipdown /etc/pepper.ipdown
# TAG: conup
# Script executed after a user has been authenticated.
# Executed with the following parameters: <devicename> <ip address>
# <mask> <user ip address> <user mac address> <filter ID>
# Normally you do not need to uncomment this tag.
#conup /etc/pepper.conup
# TAG: conup
# Script executed after a user has disconnected.
# Executed with the following parameters: <devicename> <ip address>
# <mask> <user ip address> <user mac address> <filter ID>
# Normally you do not need to uncomment this tag.
#conup /etc/pepper.condown
# Radius parameters
# TAG: radiuslisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
#radiuslisten ::1
# TAG: radiusserver1
# IP address of radius server 1
# For most installations you need to modify this tag.
#radiusserver1 ::1
radiusserver1 192.168.182.1
# TAG: radiusserver2
# IP address of radius server 2
# If you have only one radius server you should set radiusserver2 to the
# same value as radiusserver1.
# For most installations you need to modify this tag.
radiusserver2 127.0.0.1
# TAG: radiusauthport
# Radius authentication port
# The UDP port number to use for radius authentication requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
#radiusauthport 1812
# TAG: radiusacctport
# Radius accounting port
# The UDP port number to use for radius accounting requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
#radiusacctport 1813
# TAG: radiussecret
# Radius shared secret for both servers
# For all installations you should modify this tag.
radiussecret test
# TAG: radiusnasid
# Radius NAS-Identifier
# Normally you do not need to uncomment this tag.
#radiusnasid debian-ipv6-pepperspot
# TAG: radiusnasip
# Radius NAS-IP-Address
# Normally you do not need to uncomment this tag.
#radiusnasip 127.0.0.1
# TAG: radiuscalled
# Radius Called-Station-ID
# Normally you do not need to uncomment this tag.
#radiuscalled 00133300
# TAG: radiuslocationid
# WISPr Location ID. Should be in the format: isocc=<ISO_Country_Code>,
# cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>
# Normally you do not need to uncomment this tag.
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
#radiuslocationid isocc=fr,cc=33,ac=67000,network=portail_ipv6
# TAG: radiuslocationname
# WISPr Location Name. Should be in the format:
# <HOTSPOT_OPERATOR_NAME>,<LOCATION>
# Normally you do not need to uncomment this tag.
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
# Radius proxy parameters
# TAG: proxylisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
#proxylisten 10.0.0.1
# TAG: proxyport
# UDP port to listen to.
# If not specified a port will be selected by the system
# Normally you do not need to uncomment this tag.
#proxyport 1645
# TAG: proxyclient
# Client(s) from which we accept radius requests
# Normally you do not need to uncomment this tag.
#proxyclient 10.0.0.1/24
# TAG: proxysecret
# Radius proxy shared secret for all clients
# If not specified defaults to radiussecret
# Normally you do not need to uncomment this tag.
#proxysecret testing123
# Remote configuration management
# TAG: confusername
# If confusername is specified together with confpassword pepperspot
# will at regular intervals specified by the interval option query the
# radius server for configuration information.
# Normally you do not need to uncomment this tag.
#confusername conf
# TAG: confpassword
# If confusername is specified together with confpassword pepperspot
# will at regular intervals specified by the interval option query the
# radius server for configuration information.
# Normally you do not need to uncomment this tag.
#confpassword secret
# DHCP Parameters
# TAG: dhcpif
# Ethernet interface to listen to.
# This is the network interface which is connected to the access points.
# In a typical configuration this tag should be set to eth1.
dhcpif wlan1
# TAG: dhcpmac
# Use specified MAC address.
# An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls
# within the IANA range of addresses and is not allocated for other
# purposes.
# Normally you do not need to uncomment this tag.
#dhcpmac 00:00:5E:00:02:00
# TAG: dhcplisten6
# Use specified IPv6 address.
#
# Normally you do not need to uncomment this tag.
#dhcplisten6 fe80::240:b5ff:fe80:ea50
# TAG: lease
# Time before DHCP lease expires
# Normally you do not need to uncomment this tag.
#lease 600
# Universal access method (UAM) parameters
# TAG: uamserver
# URL of web server handling authentication.
#uamserver https://radius.pepperspot.info/hotspotlogin
#uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamserver http://192.168.182.1/cgi-bin/hotspotlogin.cgi
# TAG: uamserver6
# URL of web server handling authentication for IPv6 client.
#uamserver6 https://[2001:db8:1::1234]/cgi-bin/hotspotlogin.cgi
# TAG: uamhomepage
# URL of welcome homepage.
# Unauthenticated users will be redirected to this URL. If not specified
# users will be redirected to the uamserver instead.
# Normally you do not need to uncomment this tag.
#uamhomepage http://192.168.182.1/welcome.html
# TAG: uamsecret
# Shared between pepper and authentication web server (PAP)
# Comment this line (and update login script) if you want to use CHAP
#uamsecret testing234
# TAG: uamlisten
# IP address to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
#uamlisten 192.168.182.1
# TAG: uamport
# TCP port to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
#uamport 3990
# TAG: uamallowed
# Comma separated list of domain names, IP addresses or network segments
# the client can access without first authenticating.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#uamallowed www.pepperspot.info,10.11.12.0/24
#uamallowed cas.pepperspot.info,192.168.182.0/24
# TAG: uamanydns
# If this flag is given unauthenticated users are allowed to use
# any DNS server.
# Normally you do not need to uncomment this tag.
#uamanydns
# MAC authentication
# TAG: macauth
# If this flag is given users will be authenticated only on their MAC
# address.
# Normally you do not need to uncomment this tag.
#macauth
# TAG: macallowed
# List of MAC addresses.
# The MAC addresses specified in this list will be authenticated only on
# their MAC address.
# This tag is ignored if the macauth tag is given.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#macallowed 00-0D-54-98-BC-29
# TAG: macpasswd
# Password to use for MAC authentication.
# Normally you do not need to uncomment this tag.
#macpasswd password
# TAG: macsuffix
# Suffix to add to MAC address in order to form the username.
# Normally you do not need to uncomment this tag.
#macsuffix suffix
<<PepperSpot log>>
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
DHCP packet received
dhcp_receive_ip
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
DHCP packet received
dhcp_receive_ip
DHCP packet received
dhcp_receive_ip
Calling redir_getreq()
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
The path is: logon
Looking for: userurl
p1:
http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
p2
(null)
p3: HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
The parameter is: http://192.168.1.1/
User URL: http://192.168.1.1/!
Looking for: username
p1:
ictecClient&password=e7ca84eeb5d991f28a4c4f742158a6fb&userurl=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
p2
&password=e7ca84eeb5d991f28a4c4f742158a6fb&userurl=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
p3: HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
The parameter is: ictecClient
Looking for: response
Looking for: password
p1:
e7ca84eeb5d991f28a4c4f742158a6fb&userurl=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
p2
&userurl=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
p3: HTTP/1.1
Host: 192.168.182.1:3990
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
The parameter is: e7ca84eeb5d991f28a4c4f742158a6fb
Calling cb_getstate()
Processing received request
Calling radius
redir_accept: Sending radius request
NSEG: 1
C(0): [7551c33d5b8544b559843e83b4e03dd2]
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:3990
portdest:1553
DHCP packet received
dhcp_receive_ip
DHCP packet received
dhcp_receive_ip
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
dhcp_undoDNAT
source:192.168.182.1
dest:192.168.182.2
portsrc:80
portdest:1552
DHCP packet received
dhcp_receive_ip
Regards,
Masashi Honma.
|