I think I have built a working environment which looks like this:
RadiusDesk installed following the manual instructions on Ubuntu 16.04.5 using Nginx.
Network controller is a MikroTik RB750gl updated to the latest RouterOS.
Voucher login is working.
User self registration is working.
Facebook Login is not working because they made https redirection URIs mandatory.
So I installed certbot to obtain an SSL certificate and configured Nginx to make use of it.
The admin backend is working on SSL without any problems (as far as I can see).
When I updated the login.html on the MikroTik to https the redirect still works but I receive an error saying:
"Hotspot is not responding to status queries".
I have seen some other users mention this same error but none of the suggested solutions have helped me so far.
Also Google was not much help in resolving the issue of configuring RadiusDesk to use HTTPS instead of HTTP.
Has anybody got RadiusDesk to play nice with SSL?
If so, what are the required steps?
Thanks in advance
Will also be monitoring this thread. I also have the same problem currently, but using Ubuntu 14.04 and a self-signed certificate.
If I may know, what kind of troubleshooting have you done?
Currently my problem is that every time I try to log in, it gives a "URL Blocked" error that says the redirect URI isn't whitelisted. I've whitelisted every URL that might be the redirect, but still to no avail. I've also tried to change the login.html to use https but it gives the same error as you. I also guessed this might be the main problem, since the URL in login.html is http but the whitelisted redirect URIs are all https.
Last edit: Naraska 2019-03-20
I use letsencrypt, it's free.
I use letsencrypt as well.
But what changes are necessary to make Radiusdesk play nice with SSL?
Would appreciate if you could give some hints for the correct settings.
Does anyone know how to get CoovaChilli & RadiusDesk to work with SSL? I've followed just about everything on the net about it but still can't get it to work with the Dynamic Login pages. All I get when I try to log in is 'Hotspot not responding' and 'Latest challenge could not be fetch from hotspot'. This is so frustrating... has it ever been working at any point for anyone? It looks like Dynamic Pages will not work by default with SSL so I've changed all 'http' to 'https' in the rdConnect.js file but still no joy.
Have a look here: https://sourceforge.net/p/radiusdesk/discussion/help/thread/b053163d/
It's a very old post, but could help you in some way. Back then I managed to establish a "https" connection but my APs did not have enough memory and I had issues with my coova-chilli in OpenWrt.
Create apache config (I was using apache server):
Create the following:
vim /etc/httpd/conf.d/radiusdesk.conf →
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName radiusdesk.example.com
    DocumentRoot /var/www/html/
    # This will enable the Rewrite capabilities
    RewriteEngine On
    # This checks to make sure the connection is not already HTTPS
    RewriteCond %{HTTPS} !=on
    # This rule will redirect users from their original location, to the same location but using HTTPS.
    # i.e. http://www.example.com/foo/ to https://www.example.com/foo/
    # The leading slash is made optional so that this will work either in httpd.conf
    # or .htaccess context
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    # Certificate, private key and CA chain must belong to the same pair
    SSLCertificateFile /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
    SSLCertificateChainFile /etc/httpd/ssl/example.com_ca_bundle
    ServerAdmin email@example.com
    ServerName radiusdesk.example.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/radiusdesk/error.log
    CustomLog /var/log/httpd/radiusdesk/access.log combined
    # The dynamic login pages are loaded from another origin (the hotspot) and need CORS to reach this API
    Header set Access-Control-Allow-Origin "*"
</VirtualHost>

One more thing, edit these files:
/var/www/html/rd_login_pages/mobile/CoovaChilli/build/production/CoovaChilli/app.js
/var/www/html/rd_login_pages/mobile/CoovaChilli/app/config/Config.js
/var/www/html/rd_login_pages/desktop/CoovaChilli/build/production/CoovaChilli/app.js
/var/www/html/rd_login_pages/desktop/CoovaChilli/app.js
and change all infoServer = http://some variables here to infoServer = https://some variables here
Hope you get the idea!
Stop the nodejs-socket-io service correction:
vim /etc/init.d/nodejs-socket-io →
forever stop $APPLICATION_START →
forever stopall
SSL in NodeJS application:
vim /var/www/html/cake2/rd_cake/Setup/Node.js/Logfile.node.js →
// Modules used
//var http = require('http');
var https = require('https');
var url = require('url');
var io = require('socket.io');
var fs = require('fs');
var spawn = require('child_process').spawn;
var mysql = require('mysql');
// TLS key and certificate (same pair as the Apache vhost)
var options = {
    key: fs.readFileSync('/etc/httpd/ssl/example.com.key'),
    cert: fs.readFileSync('/etc/httpd/ssl/example.com.crt')
};
// Variable declaration
var filename = "/var/log/radius/radius.log";
var port = 8000;
// Socket.IO: serve the socket over HTTPS instead of HTTP
var server = https.createServer(options, function(req, res){});
//var server = http.createServer(function(req, res){});
server.listen(port, '0.0.0.0');
var io = io.listen(server);
// We need to do authorization (Socket.IO 0.9 API)
io.configure(function (){
    io.set('match origin protocol', true);
    io.set('log level', 3); //Prod = 1 ; Dev = 3
    io.set('authorization', function (handshakeData, callback) {
        if(handshakeData.query.token == undefined){
            callback(null, false);
        }else{
            var token = handshakeData.query.token;
            // Default RadiusDesk database credentials; change them if yours differ
            var connection = mysql.createConnection({
                host     : 'localhost',
                user     : 'rd',
                password : 'rd',
                database : 'rd'
            });
            connection.connect();
            // Only a valid token for the root user may read the log
            connection.query('SELECT count(username) AS count FROM users WHERE username=\'root\' AND token= ?', [token], function(err, results) {
                if(err){
                    callback(err, false);
                }else if(results[0].count == 1){
                    callback(null, true);  //Valid token for root
                }else{
                    callback(null, false); //Not a valid token for root
                }
                //Query done; disconnect;
                connection.end(function(err) {
                    // The connection is terminated now
                });
            });
        }
    });
});
// Feed it the log file if it passes the authorization
io.on('connection', function(client){
    var tail = spawn("tail", ["-f", filename]);
    //client.send( { filename : filename } );
    tail.stdout.on('data', function(data){
        client.send(data.toString());
    });
    // Stop tailing when the client goes away so no tail processes are leaked
    client.on('disconnect', function(){
        tail.kill();
    });
});
console.log("Up and running on port "+port);
How to put uamport behind SSL?
[source] http://lists.coova.org/pipermail/chilli/2009-November/001045.html
HS_UAMUISSL=on
HS_REDIRSSL=on
HS_SSLKEYFILE='/etc/ssl/example.com.key'
HS_SSLCERTFILE='/etc/ssl/example.com.crt'
Use UAMUIPORT with SSL support.
Find all uses of 'uamPort':
grep -Ril 'uamPort' ./ →
./desktop/CoovaChilli/app/controller/.svn/text-base/Desktop.js.svn-base
./desktop/CoovaChilli/app/controller/Desktop.js
./desktop/CoovaChilli/build/production/CoovaChilli/app.js
./simple_mobile/CoovaChilli/resources/js/.svn/text-base/rdConnect.js.svn-base
./simple_mobile/CoovaChilli/resources/js/rdConnect.js
./simple_mobile/Mikrotik/resources/js/.svn/text-base/rdConnect.js.svn-base
./simple_mobile/Mikrotik/resources/js/rdConnect.js
./jquery_mobile/CoovaChilli/resources/js/.svn/text-base/rdConnect.js.svn-base
./jquery_mobile/CoovaChilli/resources/js/rdConnect.js
./mobile/CoovaChilli/app/controller/.svn/text-base/cMain.js.svn-base
./mobile/CoovaChilli/app/controller/cMain.js
./mobile/CoovaChilli/build/production/CoovaChilli/app.js
Side Note:
This software was a perfect fun and experience to me. I began with YFi-Manager by the same developer, then he rewrote everything and created RadiusDesk and was pretty active in creating fixes and new features. Nowadays there is less activity, fewer fixes and features.
Great many thanks to Dirk van der Walt!
Cheers,
niko
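The steps above boil down to "find every cleartext URL the login pages use and upgrade the ones RadiusDesk serves itself". As an added example that is not part of niko's post or of the RadiusDesk code, the Node.js script below audits a login-page JavaScript source for http:// endpoints, rewrites only the infoServer assignment to https://, and reports what is left. Any remaining non-comment http:// URL will be blocked by the browser as mixed content once the page itself is served over HTTPS; the hotspot status URL built from uamPort is deliberately left alone, because it only works over TLS once CoovaChilli itself is built with SSL and configured as described further down. The sample source is constructed for the example and only mimics the shape of rdConnect.js / Config.js.

```javascript
// Added example (not RadiusDesk code): mixed-content audit for login-page JS.
'use strict';

// Constructed sample resembling the shape of a rdConnect.js / Config.js file.
const SAMPLE_SOURCE = [
  "var infoServer = 'http://radiusdesk.example.com/cake2/rd_cake/';",
  "var uamPort = '3990';",
  "var statusUrl = 'http://' + uamIp + ':' + uamPort + '/json/status';",
  "var logo = 'https://radiusdesk.example.com/img/logo.png';",
  "// var old = 'http://legacy.example.com/';",
].join('\n');

// Return every http:// URL (or URL prefix) with its 1-based line number.
// Lines that are entirely comments are flagged with comment: true so they
// can be triaged separately rather than silently ignored.
function findInsecureUrls(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const re = /http:\/\/[^'"\s]*/g;
    let m;
    while ((m = re.exec(line)) !== null) {
      hits.push({ line: i + 1, url: m[0], comment: /^\s*\/\//.test(line) });
    }
  });
  return hits;
}

// Rewrite only the infoServer assignment from http:// to https://.
// Other http:// occurrences are left for manual review: a hotspot URL such
// as http://<uamip>:<uamport>/ can only move to TLS once CoovaChilli has
// SSL support and HS_UAMUISSL is on.
function upgradeInfoServer(source) {
  return source.replace(/(infoServer\s*=\s*['"])http:\/\//g, '$1https://');
}

// Upgrade what can be upgraded and list the cleartext endpoints that remain.
function audit(source) {
  const upgraded = upgradeInfoServer(source);
  const remaining = findInsecureUrls(upgraded).filter(h => !h.comment);
  return { upgraded, remaining };
}

const result = audit(SAMPLE_SOURCE);
console.log(result.upgraded);
for (const h of result.remaining) {
  console.log(`line ${h.line}: cleartext endpoint ${h.url} (blocked as mixed content on an HTTPS page)`);
}
```

Run it with node against each file from the grep -Ril 'uamPort' list by replacing SAMPLE_SOURCE with fs.readFileSync(path, 'utf8'); the one hit it reports on the sample is the uamPort status URL, which is exactly the request behind "Hotspot is not responding to status queries".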
Thank you for your reply. I have SSL working on the RadiusDesk side of things using Nginx. All of my configs look different from above. The version of CoovaChilli I'm using is the version with the 'new' type of OPTIONS config (https://openwrt.org/docs/guide-user/services/captive-portal/wireless.hotspot.coova-chilli). I am suspecting that the current CoovaChilli package that I installed via OPKG onto the OpenWrt device I'm using has not been built with SSL support. I'll try building a CoovaChilli package with SSL support later today and see if that fixes the issue. Thanks again.
Hi guys,
Actually revisiting the very same thing this week.
So Facebook made some changes over the past year or so which caused things to break.
The latest SVN code should fix them. There was also not proper https support on the dynamic login pages and also that has been fixed in the latest SVN (R2274)
As for CoovaChilli to support HTTPS there are a few things to have in place before https works well. Nico documented them, but I'm also going to see if I can supplement them with a dedicated Wiki page (that is, if there's not a forgotten one somewhere already....)
http://radiusdesk.com/docuwiki/user_guide/md_on_lede_https
There's a blast from the past :-)
Hi Dirk.
I'll check out the updates, thanks.
At this point in time I think that HTTPS should be the only way forward, no traffic should be transmitted unprotected especially if it is on a public network. It would be a good idea to get this working properly. I think that the issue lies with Chilli and SSL support. I'll build and test packages and look deeper into this and post back. If anyone is using OpenWrt, here is the new type OpenWrt config options for chilli config file for HTTPS use.
Hi Stephen,
Agree about https. In the past one used to get a blank screen if you happen to try and go to an https website through the captive portal. This could be quite confusing but I see the modern browsers and operating systems detect if there's a captive portal and will even notify you beforehand.
Also important is the uamaliasname. That goes together with the domain to match the value of the certificate's FQDN. I actually recently started to leave out the redirssl as that introduced more complications than anything else. (Certificate does not match errors)
Also the very latest OpenWRT code (head/master to become 19.x) has two issues with Coova when you try to compile it with SSL support included so my advice for now is to stick with the 18.06 branch until those issues are fixed / how to fix it is properly documented.
Yes. I forgot - domain must match the cert. When I enabled HTTPS and tested, uamaliasname adds its value as a subdomain to the SSL variable added to the login url and this could cause problems if it is not set as 'www' and the certificate does not support a subdomain wildcard.
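The two points made in the last posts (the hotspot's TLS hostname is uamaliasname prepended to domain, and it must be covered by the certificate, a wildcard only covering one label) together with the original symptom (an HTTPS login page cannot query an HTTP-only hotspot) are easy to get wrong silently. As an added example, not code from RadiusDesk, CoovaChilli or any poster, here is the decision logic a login page would need before issuing its status query. Assumptions: the hotspot's TLS host is `<uamaliasname>.<domain>` as described in the thread, the status path is the /json/status endpoint of CoovaChilli's JSON interface, and the IP, ports and SAN lists are constructed for the example. Wildcard matching follows RFC 6125 section 6.4.3, which goes slightly beyond the thread by also rejecting a wildcard for a bare domain or for more than one label.

```javascript
// Added example (not CoovaChilli or RadiusDesk code): hostname/certificate and
// mixed-content checks a login page needs before querying the hotspot over TLS.
'use strict';

// Hotspot settings as a login page would receive them in the redirect URL
// (values constructed for the example).
const HOTSPOT = {
  uamip: '10.1.0.1',
  uamport: 3990,
  uamuiport: 4990,
  uamaliasname: 'www',
  domain: 'hotspot.example.com',
};

// Hostname the hotspot presents over TLS (assumption from the thread: alias.domain).
function hotspotSslHost(cfg) {
  return `${cfg.uamaliasname}.${cfg.domain}`.toLowerCase();
}

// Does one certificate name (CN or dNSName SAN) cover `host`?
// A wildcard is only honoured as the whole leftmost label: it never matches
// the bare domain and never spans more than one label (RFC 6125 6.4.3).
function nameMatches(certName, host) {
  certName = certName.toLowerCase();
  host = host.toLowerCase();
  if (!certName.startsWith('*.')) return certName === host;
  const suffix = certName.slice(1);                       // ".example.com"
  if (!host.endsWith(suffix)) return false;
  const leftmost = host.slice(0, host.length - suffix.length);
  return leftmost.length > 0 && !leftmost.includes('.');
}

function certCovers(sans, host) {
  return sans.some(n => nameMatches(n, host));
}

// Decide which status URL the page may use. Returns {url} or {error}.
// pageProtocol is window.location.protocol in a browser ('http:' or 'https:').
function statusUrl(cfg, sans, pageProtocol) {
  if (pageProtocol === 'http:') {
    // Cleartext page may talk to the cleartext uamport directly.
    return { url: `http://${cfg.uamip}:${cfg.uamport}/json/status` };
  }
  if (!cfg.domain || !cfg.uamaliasname) {
    // The thread's symptom: HTTPS page, hotspot offers only http://uamip:uamport,
    // the browser blocks the request as active mixed content.
    return { error: 'HTTPS page but hotspot has no TLS name; http://uamip:uamport status query would be blocked as mixed content' };
  }
  const host = hotspotSslHost(cfg);
  if (!certCovers(sans, host)) {
    return { error: `certificate does not cover ${host}; browser will refuse the TLS status query` };
  }
  return { url: `https://${host}:${cfg.uamuiport}/json/status` };
}

// Worked cases
const WILDCARD_SANS = ['hotspot.example.com', '*.hotspot.example.com'];
const PLAIN_SANS = ['hotspot.example.com'];
console.log(statusUrl(HOTSPOT, WILDCARD_SANS, 'https:'));                        // ok
console.log(statusUrl(HOTSPOT, PLAIN_SANS, 'https:'));                           // cert error
console.log(statusUrl({ ...HOTSPOT, uamaliasname: 'a.b' }, WILDCARD_SANS, 'https:')); // wildcard spans two labels
console.log(statusUrl({ ...HOTSPOT, domain: '' }, WILDCARD_SANS, 'https:'));     // mixed content
```

The second and third cases are the "certs that do not match" situation: with only the bare domain on the certificate, or an alias containing a dot, the name the hotspot presents is not covered and the browser fails the query before any status reply can arrive.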
A blast from the past indeed!
Nice work, as always.
Have a nice `echo $EVERYTHING`
;-)
Update. I've built the latest package of CoovaChilli 1.4.0 with OpenWrt 18.06. I built with OPENSSL support enabled and still I can't get it working. If anyone ever gets this working, please let me know. I suspect that CoovaChilli 1.4.0 is currently broken for use with RadiusDesk. The package that is installable from releases won't work with HTTP or HTTPS. Error message is 'Hotspot not responding'.
Hi Dirk van der Walt,
Plans to make some updates to correct errors and create a new virtual machine image?
I see that for several years there has been no modification, or simply the project is dead.
I am barely learning programming but I would like to help as much as I can. For example with Spanish translations or anything I can do to help keep this project active.
Thanks for this thread. It certainly sent me in the right direction.
With a custom compiled OpenWRT 19.07p4 using OpenSSL, I found chilli speaking https but on port 443, not 3390 or 3391. 3391 seems to be its default based on the ssl argument in the url it sends to the AAA but no response on that or the other port.