MME-Connections / wifi-hotspot

deploying a wifi hotspot with captive portal using coovachilli in raspbian or ubuntu
MIT License

Using daloi, freeRADIUS and CoovaChilli in Cloud #1

Open siliconhippy opened 4 years ago

siliconhippy commented 4 years ago

Hi there!

Just stumbled here looking for a solution! 😛

I want to run an AAA and captive portal server in the Cloud (AWS, GCE, Azure) to remotely manage small Linux devices at home (private IP only, multiple locations, independent ISPs).

The clients can run Entware but not Debian.

  1. Which client need I use on Entware? Search doesn't give me a custom link to paste here, but typing PAM and RADIUS brings up many entries that I can't tell about. I am not a good tech, just an enthusiast with a tech degree.

http://bin.entware.net/aarch64-k3.10/Packages.html

  2. Is openvpn and/or SSH required or desirable for the devices to server connectivity?

  3. I want to start with a couple dozen devices, then scale to hundreds or more if it works out.

Basic idea: All these devices are home clients with a Linux JeOS distro for Kodi, e.g. discourse.coreelec.org, and have one Linux image burnt on all devices, including scripts and common config with SSH root/pwd same on all devices.

So any additional configuration/updates need to occur at first boot time, or later. Home users only need to type in a userID/password for first time authentication. Then communication will be automated.

Admin will set up database on server with each device entry that has userID, other user profile fields, and a Points Quota.

The main function, Points Quota, will determine whether WiFi and a couple of device apps (e.g. Kodi, VLC) are enabled or disabled over a given time period (weekly, monthly etc.)

MAC address is read automatically by server database upon first time user authentication. Of course admin can update database with changes anytime, requiring new user authentication.

So can I get some help here, assuming this all can be done with daloRadius + freeRADIUS + Coova setup?

My preference is that the AWS or other cloud instance run all needed packages (LAMP, daloRadius, freeRADIUS, others.) Distributed mode can be done later with scale. Or Windows server is fine with php-MySQL if that is easier.

  4. FYI, I was originally looking at Zeroshell.org OS but the cloud setup is shaky (requires nested virtualization) and there isn't much forum support!

So any help here I would really appreciate ... 🙄

mongramosjr commented 4 years ago

On Fri, Oct 25, 2019 at 5:05 PM siliconhippy notifications@github.com wrote:

> Hi there!

> Just stumbled here looking for a solution! 😛

> I want to run an AAA and captive portal server in the Cloud (AWS, GCE, Azure) to remotely manage small Linux devices at home (private IP only, multiple locations, independent ISPs).

> The clients can run Entware but not Debian.

> 1. Which client need I use on Entware? Search doesn't give me a custom link to paste here, but typing PAM and RADIUS brings up many entries that I can't tell about. I am not a good tech, just an enthusiast with a tech degree.

> http://bin.entware.net/aarch64-k3.10/Packages.html

I'm not familiar with the entware. I'll give it a try and will get back to you once I tried the entware.

> 2. Is openvpn and/or SSH required or desirable for the devices to server connectivity?

Not a requirement for AAA and captive portal. But it can help you with the administration of those remote devices/routers.

> 3. I want to start with a couple dozen devices, then scale to hundreds or more if it works out.

> Basic idea: All these devices are home clients with a Linux JeOS distro for Kodi, e.g. discourse.coreelec.org, and have one Linux image burnt on all devices, including scripts and common config with SSH root/pwd same on all devices.

> So any additional configuration/updates need to occur at first boot time, or later. Home users only need to type in a userID/password for first time authentication. Then communication will be automated.

Wait. Are you referring the home users to linux login account? Or to internet users that will be authenticated by captive portal?

> Admin will set up database on server with each device entry that has userID, other user profile fields, and a Points Quota.

> The main function, Points Quota, will determine whether WiFi and a couple of device apps (e.g. Kodi, VLC) are enabled or disabled over a given time period (weekly, monthly etc.)

Management of apps installed in the device cannot be done with radius + Coova setup (captive portal) alone. You have to create an application that can enable or disable those apps over a period of time.

> MAC address is read automatically by server database upon first time user authentication. Of course admin can update database with changes anytime, requiring new user authentication.

I'm referring to internet users here. MAC address as a username is much easier for automatic authentication. For first time users, get the MAC address of that device, save it to the database and apply your AAA rules like bandwidth limit, time limit, and download/upload speed.

> So can I get some help here, assuming this all can be done with daloRadius + freeRADIUS + Coova setup?

> My preference is that the AWS or other cloud instance run all needed packages (LAMP, daloRadius, freeRADIUS, others.) Distributed mode can be done later with scale. Or Windows server is fine with php-MySQL if that is easier.

You can deploy your radius, web server and other PHP-based application at linux environment. And run the database on windows server. If that is easier for you, then do that.

> 4. FYI, I was originally looking at Zeroshell.org OS but the cloud setup is shaky (requires nested virtualization) and there isn't much forum support!

If you wanna try a subscription based third-party system for AAA, I prefer you to try the hotspotsystem https://www.hotspotsystem.com and run the captive portal in mikrotik or any coovachilli-based routers.

> So any help here I would really appreciate ... 🙄


--

Mong Ramos Jr. 160 Lady Iza Village, Cawit Extension, Magallanes, Sorsogon 4705, Philippines Mobile: +63-926-0059201 <%2B63-922-8365231> Linkedin https://ph.linkedin.com/pub/dominador-ramos-jr/5/899/12 Twitter https://twitter.com/mongramosjr

siliconhippy commented 4 years ago

Mong,

Thanks much for your quick response!

A. So I will appreciate if you have a look at Entware.

B. The login refers to users of the Linux devices logging in for Internet and device applications access. The Linux access is via SSH and the user/pwd is always root/password (fixed for all devices.)

C. The bash script in Entware for wifi and applications enable/disable is one line each. Can such simple scripts be added to freeRADIUS/daloRadius or Coova?

Also doesn't freeRADIUS allow to enable/disable application ports on the particular device (equivalent to applications being enabled or disabled)?

D. My preference is to automatically read the device MAC address into server DB after user authentication as in B. This way we don't have to manually find MAC address for each device. Again can we integrate this one line script as above? My impression is that the captive portal does auto read MAC addresses, e.g. for customer devices showing up at a cafe.

E. I quickly looked at hotspotsystem. Can this run in a server?

What we need is remote permissions. We will not have access to routers or ISPs in between home devices (flashed by us, then remotely managed) and the Cloud servers we will be running via remote admin SSH/vpn access.

Our task is more about setting up secure remote device permissions rather than control Internet access, provided by an ISP (independent of us.) But looks like freeRADIUS and a Coova like package could be modified for our needs?

F. What do you think of Zeroshell for the task outlined here?

I really would appreciate your answers here! 😄

mongramosjr commented 4 years ago

On Fri, Oct 25, 2019 at 10:03 PM siliconhippy notifications@github.com wrote:

> Mong,

> Thanks much for your quick response!

> A. So I will appreciate if you have a look at Entware.

I read the documents. It says it is similar to DDWRT and tomato.

> B. The login refers to users of the Linux devices logging in for Internet and device applications access. The Linux access is via SSH and the user/pwd is always root/password (fixed for all devices.)

Ok. Login account in linux devices is different from the internet users logging in the captive portal of CoovaChilli hotspot system. Both can use the same freeradius. To have these users both can login in linux device and in CoovaChilli hotspot system, you must use a PAM radius authentication in linux.

> C. The bash script in Entware for wifi and applications enable/disable is one line each. Can such simple scripts be added to freeRADIUS/daloRadius or Coova?

You can insert linux command using PHP exec/passthru to run a bash script when someone is trying to authenticate in the captive portal. Take a look at the successful/failed result in the PHP script https://github.com/mongramosjr/hotspot-login/blob/master/hotspotlogin.php But managing remote devices is not the scope of this coovachilli. But you may take a look at cockpit https://cockpit-project.org for remote management of linux devices.

> D. My preference is to automatically read the device MAC address into server DB after user authentication as in B. This way we don't have to manually find MAC address for each device. Again can we integrate this one line script as above? My impression is that the captive portal does auto read MAC addresses, e.g. for customer devices showing up at a cafe.

You can pass the MAC address to coovachilli. Please read the document in coovachilli regarding supported RADIUS attributes. coovachilli captive portal does auto read the MAC address of the client.

> E. I quickly looked at hotspotsystem. Can this run in a server?

Nope. It is a third party provider. The only thing you can do is to subscribe to them.

> What we need is remote permissions. We will not have access to routers or ISPs in between home devices (flashed by us, then remotely managed) and the Cloud servers we will be running via remote admin SSH/vpn access.

> F. What do you think of Zeroshell for the task outlined here?

Maybe yes or maybe no. But you can use the builtin hotspot system in zeroshell. And yet you still have to create your own remote management of linux devices.

> I really would appreciate your answers here! 😄


siliconhippy commented 4 years ago

Mong,

I really appreciate your taking this time and on a weekend 😊

  1. Re: Entware, yes Openwrt also uses it.

A. Can you kindly have a look at the Entware repo link here and let me know if the PAM client package I need for Linux login is available? There are a dozen packages listed if I use top search window for RADIUS and PAM.

http://bin.entware.net/aarch64-k3.10/Packages.html

B. Also someone mentioned the IPAM identity module. Is that useful here (but apparently not in Entware repo)?

  2. I quickly looked at Cockpit which looks general purpose and for server management:

https://youtu.be/qyAgjw-E0pg

Unluckily this is for Redhat and other full distros. Our client devices are tv boxes running a limited Linux distro that can install Entware only!

But is it possible to install alongside freeRADIUS, dalo GUI and CoovaChilli, a small firewall package on the server that can work with the Linux login/authentication information and enable/disable applications ports on the specific client device?

Alternatively is it simpler to write a bash script for client devices that can read the Points Quota from server database as conditionality ($ if 200< x < 300 etc) and accordingly enable/disable applications or their ports on a particular client device?

  3. Do you know if Zeroshell OS can be installed on the Microsoft Hyper V hypervisor (Cloud installation on Microsoft Server 2016 VM) or on top of Xen or KVM?

I like Zeroshell (from quick reading website and online comments) because it seems to have routing, firewall, freeRADIUS + GUI, captive portal and openVPN already installed, with the possibility of custom scripts and installation of additional packages via its menu (premium features?)

Unluckily Fulvio (the author) doesn't seem to reply much in forums or my email, but the Zeroshell version is current (July 2019) and has added the LogMeIn Hamachi method too. daloRadius and CoovaChilli don't look that current?

I also exchanged a few emails with Liran Tal over last 2 days. He kindly sent me his free daloRadius PDF manual (v.9-9, May 2011), but said he has been away from it for many years.

Again thanks 😊

mongramosjr commented 4 years ago

On Sat, Oct 26, 2019 at 7:56 PM siliconhippy notifications@github.com wrote:

> Mong,

> I really appreciate taking this time and on a weekend 😊

> 1. Re: Entware yes Openwrt also uses it.

> A. Can you kindly have a look at the Entware repo link above and let me know if the PAM client package I need for Linux login is available? There are a dozen packages listed.

I couldn't find the pam-radius authentication package. I think you should compile and build the pam-radius source package to the entware build system.

> B. Also someone mentioned the IPAM identity module. Is that useful here (but apparently not in Entware repo)?

> 2. I quickly looked at Cockpit which looks general purpose and for server management. I'll look more closely.

> But is it possible to install alongside freeRADIUS, dalo GUI and CoovaChilli, a small firewall package on the server that can work with the Linux login/authentication information and enable/disable applications ports on the specific client device?

Managing internet users can be easily handled by coovachilli+freeradius. You can manage linux login account by using PAM+freeradius. From these, you can merge both the internet users and linux login account on the same freeradius.

However, managing linux applications can be thru the cockpit. Enabling/disabling TCP/UDP ports can be managed by applying iptables rule, see iptables (netfilter).

> Alternatively is it simpler to write a bash script for client devices that can read the Points Quota from server database as conditionality ($ if 200< x > 300 etc) and accordingly enable/disable applications or their ports?

Yes you can do these. See preceding reply.

> 3. Do you know if Zeroshell OS can be installed on the Microsoft Hyper V hypervisor (Cloud installation on Microsoft Server 2016 VM) or on top of Xen or KVM?

Zeroshell is just like other linux distros, you can run it as guest OS in Xen Hypervisor or KVM. Choose the 64-bit zeroshell as the host OS like Microsoft Server preferred 64 bit guest virtual machine nowadays.

> I like Zeroshell (from quick reading website and online comments) because it seems to have routing, firewall, freeRADIUS + GUI and openVPN already installed, with the possibility of custom scripts and installation of additional packages via its menu (premium features?) Unluckily Fulvio (the author) doesn't seem to reply much in forums or my email, but the Zeroshell version is current (July 2019) and has added the LogMeIn Hamachi method too. daloRadius and CoovaChilli don't look that current?

I don't have an experience using zeroshell, but I tried pfsense and ddwrt way way back many years ago. And now I'm using mikrotik routerOS https://mikrotik.com/software for my router here in my house and for deployment of wifi with captive portal.

> Again thanks 😊


mongramosjr commented 4 years ago

> Unluckily this is for Redhat and other full distros. Our client devices are tv boxes running a limited Linux distro that can install Entware only!

Since you are limited by the requirements of your client, you may compile and build cockpit in Entware build system, provided that those tv boxes are reachable remotely.

mongramosjr commented 4 years ago

> I also exchanged a few emails with Liran Tal over last 2 days. He kindly sent me his free daloRadius PDF manual (v.9-9, May 2011), but said he has been away from it for many years.

You can omit daloradius from your project. Can you check this web application that is based on laravel PHP framework freeradius-admin

mongramosjr commented 4 years ago

Shoot me an email here at mongramosjr@gmail.com.
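
The client-side approach discussed in this thread (a script on the device that reads the Points Quota and enables or disables application ports with iptables) is sketched below as an added example; it is not code from the thread or from this repository. The app names, ports, point thresholds and chain name are assumptions. The quota is treated as untrusted text because the script would run as root, and an unparsable value fails closed.

```shell
#!/bin/sh
# Added example. App names, ports, thresholds and the chain name are
# assumptions chosen for illustration, not values from the thread.

# name:tcp_port:minimum_points needed for the app to stay enabled
APPS="kodi:8080:1 vlc:8081:200"
CHAIN="QUOTA_APPS"   # hypothetical dedicated chain; jump to it from INPUT yourself

# The quota arrives from the server, so treat it as untrusted text:
# accept 1 to 6 decimal digits only (no signs, spaces, newlines or shell syntax).
valid_quota() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 6 ]
}

# ACCEPT when the quota is valid and meets the app's minimum, else DROP.
# An invalid quota never reaches the numeric comparison and fails closed.
verdict_for() {   # $1 = quota as received, $2 = minimum points
    if valid_quota "$1" && [ "$1" -ge "$2" ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# Print the iptables commands for this quota (dry run: nothing is executed).
render_rules() {  # $1 = quota as received
    echo "iptables -F $CHAIN"
    for app in $APPS; do
        name=${app%%:*}
        rest=${app#*:}
        port=${rest%%:*}
        min=${rest#*:}
        echo "iptables -A $CHAIN -p tcp --dport $port -j $(verdict_for "$1" "$min")  # $name"
    done
}

# Constructed sample value: 250 points keeps both apps enabled.
render_rules "250"
```

Review the printed rules before applying them; the same validation applies to any value handed to a script from the captive portal's PHP exec/passthru hook.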