f00b4r0 / uspot

A captive portal system for OpenWrt
GNU General Public License v2.0

uhttpd ucode error #4

Closed AMArefkhani closed 4 months ago

AMArefkhani commented 4 months ago

Hello. My configuration for uhttpd is as below :

config uhttpd 'main'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option redirect_https '0'
    option home '/www'
    option rfc1918_filter '1'
    option max_requests '3'
    option max_connections '100'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
    option cgi_prefix '/cgi-bin'
    list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
    option script_timeout '60'
    option network_timeout '30'
    option http_keepalive '20'
    option tcp_keepalive '1'
    option ubus_prefix '/ubus'
    list listen_http '192.168.3.1:80'

config cert 'defaults'
    option days '730'
    option key_type 'ec'
    option bits '2048'
    option ec_curve 'P-256'
    option country 'ZZ'
    option state 'Somewhere'
    option location 'Unknown'
    option commonname 'OpenWrt'

config uhttpd 'uspot'
    list listen_http '10.0.0.1:80'
    option redirect_https '0'
    option max_requests '5'
    option no_dirlists '1'
    option home '/www-uspot'
    list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'
    list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'
    option error_page '/cpd'
#   # if using TLS and/or supporting RFC8908 CapPort API:
#   #list listen_https '10.0.0.1:443'
#   option cert '/usr/share/certs/captive.pem'  # to be provided manually
#   option key '/usr/share/certs/captive.key'   # to be provided manually
#   # for RFC8908 support:
#   list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'

# if using RADIUS UAM authentication:
#config uhttpd 'uam3990'
#   list listen_http '10.0.0.1:3990'
#   option redirect_https '0'
#   option max_requests '5'
#   option no_dirlists '1'
#   option home '/www-uspot'
#   list ucode_prefix '/logon=/usr/share/uspot/handler-uam.uc'
#   list ucode_prefix '/logoff=/usr/share/uspot/handler-uam.uc'
#   list ucode_prefix '/logout=/usr/share/uspot/handler-uam.uc'
#

When I start the uhttpd service, it reports "daemon.err uhttpd[6084]: Error: Unable to open ucode handler: No such file or directory".

f00b4r0 commented 4 months ago

Hi, can you provide the output of the following commands:

opkg list-installed | grep ucode
opkg list-installed | grep uspot
AMArefkhani commented 4 months ago

Hi, here is the output of the mentioned commands. opkg list-installed | grep ucode:

liblucihttp-ucode - 2023-03-15-9b5b683f-1
libucode20220812 - 2023-06-06-c7d84aae-1
libucode20230711 - 2023-11-07-a6e75e02-1
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-06-06-c7d84aae-1
ucode-mod-html - 1
ucode-mod-log - 2023-11-07-a6e75e02-1
ucode-mod-math - 2023-06-06-c7d84aae-1
ucode-mod-nl80211 - 2023-06-06-c7d84aae-1
ucode-mod-rtnl - 2023-06-06-c7d84aae-1
ucode-mod-ubus - 2023-06-06-c7d84aae-1
ucode-mod-uci - 2023-06-06-c7d84aae-1
ucode-mod-uloop - 2023-06-06-c7d84aae-1
uhttpd-mod-ucode - 2023-06-25-34a8a74d-2

opkg list-installed | grep uspot:

uspot - 2024-01-09-c4b6f2f0-1
uspot-www - 2024-01-09-c4b6f2f0-1
uspotfilter - 2024-01-09-c4b6f2f0-1
f00b4r0 commented 4 months ago

uspot looks correct but you have multiple conflicting ucode module versions installed (2023-06-06 vs 2023-11-07) and two versions of libucode. Everything should be on 2023-11-07. Can you try to opkg update / opkg upgrade?

I suspect this is the cause of your problem.

This is what it should look like on e.g. 23.05.2:

liblucihttp-ucode - 2023-03-15-9b5b683f-1
libucode20230711 - 2023-11-07-a6e75e02-1
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-11-07-a6e75e02-1
ucode-mod-html - 1
ucode-mod-log - 2023-11-07-a6e75e02-1
ucode-mod-math - 2023-11-07-a6e75e02-1
ucode-mod-nl80211 - 2023-11-07-a6e75e02-1
ucode-mod-rtnl - 2023-11-07-a6e75e02-1
ucode-mod-ubus - 2023-11-07-a6e75e02-1
ucode-mod-uci - 2023-11-07-a6e75e02-1
ucode-mod-uloop - 2023-11-07-a6e75e02-1
uhttpd-mod-ucode - 2023-06-25-34a8a74d-1
AMArefkhani commented 4 months ago

Also, here are the other configuration files used with uspot. /etc/config/uspot:

#for auth mode 'credentials', add any number of the following config entry
#config credentials
#   option uspot 'example'
#   option username 'myuser'
#   option password 'mypass'

## Values provided for the options below reflect the defaults used when the option is not set.

config uspot 'captive'
    option auth_mode 'click-to-continue'        # one of 'uam', 'radius', 'credentials', 'click-to-continue'
    option idle_timeout '600'   # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
    option session_timeout '1000'   # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
    option interface 'captive'      # network interface (from config/network) on which captive clients will be managed
    option setname 'uspot'      # firewall ipset name for client management
    option debug '0'        # turn on debugging output in logs

# captive portal API (RFC8908) configuration:
#   option cpa_can_extend '0'   # 'can-extend-session' is true if this option is set to '1', false otherwise
#   option cpa_venue_url ''     # value is provided verbatim as 'venue-info-url'

# for auth mode 'uam' and 'radius':
#   option auth_server ''       # radius authentication server name or address
#   option auth_port '1812'     # radius authentication server port
#   option auth_secret ''       # radius authentication server password
#   option auth_proxy ''        # radius authentication server proxy
#   option acct_server ''       # radius accounting server name or address
#   option acct_port '1813'     # radius accounting server port
#   option acct_secret ''       # radius accounting server password
#   option acct_proxy ''        # radius accounting server proxy
#   option acct_interval ''     # radius accounting interim interval override
#   option das_secret ''        # radius DAS secret
#   option das_port '3799'      # radius DAS listen port
#   option nasid ''         # radius NAS-Identifier, UAM '&nasid='
#   option nasmac ''        # radius Called-Station, UAM '&called='
#   option mac_format ''        # MAC format specifier: 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or the equivalent uppercase
#   option location_name ''     # radius WISPr-Location-Name

# for auth_mode 'uam':
#   option uam_port '3990'      # local UAM server port
#   option uam_secret ''        # remote UAM server password
#   option uam_server ''        # remote UAM server base url, e.g. "https://server.example.com/" - NB: trailing slash
#   option challenge ''     # UAM CHAP shared challenge
#   option final_redirect_url ''    # URL the client will be redirected to upon login. Special value 'uam' enables UAM 'success/reject/logoff' redirections URLs.
#   option mac_auth '0'     # Attempt MAC-authentication first
#   option mac_password ''      # Password sent for MAC-auth, defaults to MAC address
#   option mac_suffix ''        # Optional suffix appended to username for MAC-auth
#   option uam_sslurl ''        # optional base url to local UAM SSL (requires valid SSL setup in uhttpd UAM config), e.g. "https://uspot.lan:3991/" - NB: trailing slash

/etc/config/network:

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd2d:2536:6255::/48'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config interface 'wwan'
    option proto 'dhcp'

config interface 'captive'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.252.0'
    option device 'phy1-ap0'

/etc/config/firewall:

config defaults
    option syn_flood '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'wwan'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# create a 'captive' zone for captive portal traffic
config zone
    option name 'captive'
    list network 'captive'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# setup CPD hijacking for unauthenticated clients
config redirect
    option name 'Redirect-unauth-captive-CPD'
    option src 'captive'
    option src_dport '80'
    option proto 'tcp'
    option target 'DNAT'
    option reflection '0'
    option ipset '!uspot'   # match with uspot option 'setname'

# allow DHCP for captive clients
config rule
    option name 'Allow-DHCP-NTP-captive'
    option src 'captive'
    option proto 'udp'
    option dest_port '67 123'
    option target 'ACCEPT'

# prevent access to LAN-side services from captive interface
# Linux implements a weak host model, so traffic crossing a zone boundary to the router's own addresses isn't considered forwarding on the router:
# it must be explicitly denied - NB order matters: DHCP is broadcast and would be caught by this rule
config rule
    option name 'Restrict-input-captive'
    option src 'captive'
    option dest_ip '!captive'
    option target 'DROP'

# allow incoming traffic to CPD / web interface and local UAM server
config rule
    option name 'Allow-captive-CPD-WEB-UAM'
    option src 'captive'
    option dest_port '80 443 3990'
    option proto 'tcp'
    option target 'ACCEPT'

# allow forwarding traffic to wan from authenticated clients
config rule
    option name 'Forward-auth-captive'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option target 'ACCEPT'
    option ipset 'uspot'    # match with uspot option 'setname'

# allow DNS for captive clients
config rule
    option name 'Allow-DNS-captive'
    option src 'captive'
    list proto 'udp'
    list proto 'tcp'
    option dest_port '53'
    option target 'ACCEPT'

# if using RFC5176 RADIUS DAE:
#config rule
#   option name 'Allow-captive-DAE'
#   option src 'wan'
#   option proto 'udp'
#   option family 'ipv4'
#   option src_ip 'XX.XX.XX.XX' # adjust as needed
#   option dest_port '3799'     # match value for 'das_port' in config/uspot
#   option target 'ACCEPT'

# create the ipset that will hold authenticated clients
config ipset
    option name 'uspot' # match with uspot option 'setname'
    list match 'src_mac'

# optional whitelist for e.g. remote UAM host and/or dynamic hosts via dnsmasq ipset functionality
config rule
    option name 'Allow-Whitelist'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option ipset 'wlist'
    option target 'ACCEPT'

# associated whitelist ipset with prepopulated entries
config ipset
    option name 'wlist'
    list match 'dest_ip'
#   list entry 'XX.XX.XX.XX'    # adjust as needed for e.g. remote UAM server
#   list entry 'XX.XX.XX.XX'

/etc/config/dhcp:

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option filter_aaaa '0'
    option filter_a '0'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'captive'
    option interface 'captive'
    option start '2'
    option limit '1000'
    option leasetime '2h'
    # add the following for RFC8910 Captive Portal API - DNS name is setup below
    #list dhcp_option '114,https://captive.example.org/api'
    # optionally provide NTP server (if enabled on the device) - recommended for SSL cert validation
    list dhcp_option_force '42,10.0.0.1'

# add a local domain name for HTTPS support, name must match TLS certificate
config domain
    option name 'captive.example.org'
    option ip '10.0.0.1'

# if using optional dynamic hosts whitelist
config ipset
    list name 'wlist'   # match value with whitelist ipset name in config/firewall
    list domain 'my.whitelist1.domain'
    list domain 'my.whitelist2.domain'
AMArefkhani commented 4 months ago

Hi, the reported error was solved by upgrading OpenWrt to 23.05.2; the previous version was 23.05.0. But I'm wondering: does the uspot captive portal redirect any unauthenticated client traffic to the login page, or does the client have to go to the login page itself?

f00b4r0 commented 4 months ago

But I'm wondering does the uspot captive portal redirect any unauthenticated client traffic to the login page or does the client have to go to the login page itself?

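Unauthenticated HTTP traffic will be redirected. HTTPS, however, will not (it can't be: the portal cannot present a valid certificate for the site the client asked for, so intercepting the connection would only produce a certificate error). Most client devices perform so-called "Captive Portal Detection" (CPD) over plain HTTP for that very reason.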

Enabling the Captive Portal API (RFC8908, advertised to clients through the RFC8910 DHCP option shown in the dhcp configuration) provides a smoother user experience.

AMArefkhani commented 4 months ago

Many thanks for your help. Could you please tell me how to configure uspot to connect to the freeradius server? I also have another question: does uspot implement accounting for freeradius? I mean daily (or weekly, etc.) usage and rate limits.

f00b4r0 commented 4 months ago

For RADIUS configuration see this section: https://github.com/f00b4r0/uspot/blob/53b8cb88a94a21ab2a5c74122ee9e4a9f1ad4c9b/files/etc/config/uspot#L21-L36

you will need at least auth_server and auth_secret.

uspot currently only implements session time accounting. Traffic accounting is on the TODO list (see end of README), it's coming hopefully soon.

AMArefkhani commented 4 months ago

Thanks. I have a problem with RADIUS authentication mode. The freeradius server is located on the WAN side with IP address 192.168.205.161. When clients try to connect with a username and password, the following error is shown in logread.

Thu Feb 15 14:35:22 2024 user.err : radcli: rc_read_dictionary: rc_read_dictionary couldn't open dictionary /etc/radcli/dictionary: No such file or directory

The configuration for uspot, firewall and uhttpd is as below: uspot:

config credentials
    option uspot 'captive'
    option username 'amirmohammad'
    option password 'aref'

## Values provided for the options below reflect the defaults used when the option is not set.

config uspot 'captive'
    option auth_mode 'radius'       # one of 'uam', 'radius', 'credentials', 'click-to-continue'
    option idle_timeout '600'   # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
    option session_timeout '240'    # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
    option interface 'captive'      # network interface (from config/network) on which captive clients will be managed
    option setname 'uspot'      # firewall ipset name for client management
    option debug '0'        # turn on debugging output in logs

# captive portal API (RFC8908) configuration:
    option cpa_can_extend '0'   # 'can-extend-session' is true if this option is set to '1', false otherwise
    option cpa_venue_url ''     # value is provided verbatim as 'venue-info-url'

# for auth mode 'uam' and 'radius':
    option auth_server '192.168.205.161'        # radius authentication server name or address
    option auth_port '1812'     # radius authentication server port
    option auth_secret 'xiaomi-router'      # radius authentication server password
#   option auth_proxy ''        # radius authentication server proxy
#   option acct_server ''       # radius accounting server name or address
#   option acct_port '1813'     # radius accounting server port
#   option acct_secret ''       # radius accounting server password
#   option acct_proxy ''        # radius accounting server proxy
#   option acct_interval ''     # radius accounting interim interval override
#   option das_secret ''        # radius DAS secret
#   option das_port '3799'      # radius DAS listen port
#   option nasid ''         # radius NAS-Identifier, UAM '&nasid='
#   option nasmac ''        # radius Called-Station, UAM '&called='
#   option mac_format ''        # MAC format specifier: 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or the equivalent uppercase
#   option location_name ''     # radius WISPr-Location-Name

# for auth_mode 'uam':
#   option uam_port '3990'      # local UAM server port
#   option uam_secret ''        # remote UAM server password
#   option uam_server ''        # remote UAM server base url, e.g. "https://server.example.com/" - NB: trailing slash
#   option challenge ''     # UAM CHAP shared challenge
#   option final_redirect_url ''    # URL the client will be redirected to upon login. Special value 'uam' enables UAM 'success/reject/logoff' redirections URLs.
#   option mac_auth '0'     # Attempt MAC-authentication first
#   option mac_password ''      # Password sent for MAC-auth, defaults to MAC address
#   option mac_suffix ''        # Optional suffix appended to username for MAC-auth
#   option uam_sslurl ''        # optional base url to local UAM SSL (requires valid SSL setup in uhttpd UAM config), e.g. "https://uspot.lan:3991/" - NB: trailing slash

firewall:

config zone
    option name 'captive'
    list network 'captive'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config redirect
    option name 'Redirect-unauth-captive-CPD'
    option src 'captive'
    option src_dport '80'
    option proto 'tcp'
    option target 'DNAT'
    option reflection '0'
    option ipset '!uspot'

config rule
    option name 'Allow-DHCP-NTP-captive'
    option src 'captive'
    option proto 'udp'
    option dest_port '67 123'
    option target 'ACCEPT'

config rule
    option name 'Restrict-input-captive'
    option src 'captive'
    option dest_ip '!captive'
    option target 'DROP'

config rule
    option name 'Allow-captive-CPD-WEB-UAM'
    option src 'captive'
    option dest_port '80 443 3990'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option name 'Forward-auth-captive'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option target 'ACCEPT'
    option ipset 'uspot'

config rule
    option name 'Allow-DNS-captive'
    option src 'captive'
    list proto 'udp'
    list proto 'tcp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-captive-DAE'
    option src 'wan'
    option proto 'udp'
    option family 'ipv4'
    option src_ip '192.168.205.161'
    option dest_port '3799'
    option target 'ACCEPT'

config ipset
    option name 'uspot'
    list match 'src_mac'

config rule
    option name 'Allow-Whitelist'
    option src 'captive'
    option dest 'wan'
    option proto 'any'
    option ipset 'wlist'
    option target 'ACCEPT'

config ipset
    option name 'wlist'
    list match 'dest_ip'

config rule
    option name 'Allow ssh from wan'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'

uhttpd:

config uhttpd 'uspot'
    list listen_http '10.0.0.1:80'
    option redirect_https '0'
    option max_requests '5'
    option no_dirlists '1'
    option home '/www-uspot'
    list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'
    list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'
    option error_page '/cpd'
    # if using TLS and/or supporting RFC8908 CapPort API:
    #list listen_https '10.0.0.1:443'
    #option cert '/usr/share/certs/captive.pem' # to be provided manually
    #option key '/usr/share/certs/captive.key'  # to be provided manually
    # for RFC8908 support:
    list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'

# if using RADIUS UAM authentication:
config uhttpd 'uam3990'
    list listen_http '10.0.0.1:3990'
    option redirect_https '0'
    option max_requests '5'
    option no_dirlists '1'
    option home '/www-uspot'
    list ucode_prefix '/logon=/usr/share/uspot/handler-uam.uc'
    list ucode_prefix '/logoff=/usr/share/uspot/handler-uam.uc'
    list ucode_prefix '/logout=/usr/share/uspot/handler-uam.uc'

The information of nas in the database of freeradius is as below:

+----+-----------------+-----------+------+-------+---------------+--------+-----------+-------------+
| id | nasname         | shortname | type | ports | secret        | server | community | description |
+----+-----------------+-----------+------+-------+---------------+--------+-----------+-------------+
|  2 | 192.168.3.1     | NULL      | NULL |  NULL | xiaomi-router | NULL   | NULL      | NULL        |
|  3 | 10.0.0.1        | NULL      | NULL |  NULL | xiaomi-router | NULL   | NULL      | NULL        |
|  4 | 192.168.205.202 | NULL      | NULL |  NULL | xiaomi-router | NULL   | NULL      | NULL        |
+----+-----------------+-----------+------+-------+---------------+--------+-----------+-------------+
f00b4r0 commented 4 months ago

Please don't use this closed issue to ask unrelated support questions.

Thanks. I have problem with Radius authentication mode. The freeradius server is located in the wan side with ip address 192.168.205.161. When clients try to connect with username and password, the following error is shown in the logread.

Thu Feb 15 14:35:22 2024 user.err : radcli: rc_read_dictionary: rc_read_dictionary couldn't open dictionary /etc/radcli/dictionary: No such file or directory

You need to provide your RADIUS dictionary files to libradcli (/etc/radcli/dictionary, as indicated by the error message above); by default, the libradcli package provides none. Dictionary files are available from e.g. https://github.com/radcli/radcli/tree/master/etc