f00b4r0 / uspot

A captive portal system for OpenWrt
GNU General Public License v2.0

Credentials auth_mode not working #5

Closed AMArefkhani closed 4 months ago

AMArefkhani commented 4 months ago

Hi, I set `auth_mode` to `credentials`, but when I enter 10.0.0.1 in my browser I am shown the click-to-continue page instead of the credentials login. Why? My configuration files are as follows. /etc/config/network:

# /etc/config/network: loopback, wired LAN bridge, WAN uplinks and a
# dedicated L3 interface for the captive portal.

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdae:8325:dd31::/48'
    option packet_steering '1'

# Wired LAN bridge. The captive radio is deliberately NOT a member of this
# bridge: captive clients get their own interface and firewall zone below.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

# No device bound here; presumably attached from config/wireless. Harmless if unused.
config interface 'wwan'
    option proto 'dhcp'

# Captive-portal network on the AP radio. The router answers at 10.0.0.1 (the
# address uhttpd and dnsmasq are bound to in their configs). No 'ip6assign' is
# set, so the captive side is IPv4-only as configured here.
# NOTE(review): the wireless section for 'phy1-ap0' is not shown. If the SSID is
# open, everything a client sends before (and during) login is visible to anyone
# in radio range unless the portal is served over TLS.
config interface 'captive'
    option proto 'static'
    list ipaddr '10.0.0.1/22'
    option device 'phy1-ap0'

/etc/config/uspot:

# for auth_mode 'credentials', add any number of the following config entries.
# 'uspot' must equal the name of the 'config uspot' section the account belongs to
# ('captive' below).
# NOTE(review): the password is stored in clear text in this file, and this
# username/password pair has been posted in a public issue -- rotate it.
config credentials
    option uspot 'captive'
    option username 'amirmohammad'
    option password 'arefkhani'

## Values provided for the options below reflect the defaults used when the option is not set.

config uspot 'captive'
    option auth_mode 'credentials'      # one of 'uam', 'radius', 'credentials', 'click-to-continue'
    # NOTE(review): nothing visible in this file explains a click-to-continue page being
    # served with auth_mode 'credentials'; confirm the installed uspot build actually
    # knows this mode and that this file is the one the handler reads.
    option idle_timeout '60'    # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
    option session_timeout '120'    # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
    # NOTE(review): 120 s means every client is logged out two minutes after login -- presumably a test value.
    option interface 'captive'      # network interface (from config/network) on which captive clients will be managed
    option setname 'uspot'      # firewall ipset name for client management; must match the ipset in config/firewall
    option debug '0'        # turn on debugging output in logs

# captive portal API (RFC8908) configuration:
#   option cpa_can_extend '0'   # 'can-extend-session' is true if this option is set to '1', false otherwise
#   option cpa_venue_url 'mci.lab.captive.portal'       # value is provided verbatim as 'venue-info-url'

# for auth mode 'uam' and 'radius':
#   option auth_server '192.168.1.108'      # radius authentication server name or address
#   option auth_port '1812'     # radius authentication server port
#   option auth_secret 'xiaomi-router'      # radius authentication server password
#   option auth_proxy ''        # radius authentication server proxy
#   option acct_server ''       # radius accounting server name or address
#   option acct_port '1813'     # radius accounting server port
#   option acct_secret ''       # radius accounting server password
#   option acct_proxy ''        # radius accounting server proxy
#   option acct_interval ''     # radius accounting interim interval override
#   option das_secret ''        # radius DAS secret
#   option das_port '3799'      # radius DAS listen port
#   option nasid ''         # radius NAS-Identifier, UAM '&nasid='
#   option nasmac ''        # radius Called-Station, UAM '&called='
#   option mac_format ''        # MAC format specifier: 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or the equivalent uppercase
#   option location_name ''     # radius WISPr-Location-Name

# for auth_mode 'uam':
#   option uam_port '3990'      # local UAM server port
#   option uam_secret ''        # remote UAM server password
#   option uam_server ''        # remote UAM server base url, e.g. "https://server.example.com/" - NB: trailing slash
#   option challenge ''     # UAM CHAP shared challenge
#   option final_redirect_url ''    # URL the client will be redirected to upon login. Special value 'uam' enables UAM 'success/reject/logoff' redirections URLs.
#   option mac_auth '0'     # Attempt MAC-authentication first
#   option mac_password ''      # Password sent for MAC-auth, defaults to MAC address
#   option mac_suffix ''        # Optional suffix appended to username for MAC-auth
#   option uam_sslurl ''        # optional base url to local UAM SSL (requires valid SSL setup in uhttpd UAM config), e.g. "https://uspot.lan:3991/" - NB: trailing slash

/etc/config/firewall:

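# /etc/config/firewall: captive-portal zone. fw4 emits rules in file order, so
# the allow-before-drop placement below is load-bearing.

# create a 'captive' zone for captive portal traffic: nothing in, nothing through, by default
config zone
   option name 'captive'
   list network 'captive'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'

# setup CPD hijacking for unauthenticated clients: DNAT port-80 traffic of clients
# that are NOT in the 'uspot' set to the local portal. The set holds *authenticated*
# clients (see the ipset at the bottom), so the match must be negated; a plain
# 'uspot' match would hijack logged-in clients and leave unauthenticated ones
# un-redirected (their HTTP simply hits the zone's forward REJECT).
config redirect
   option name 'Redirect-unauth-captive-CPD'
   option src 'captive'
   option src_dport '80'
   option proto 'tcp'
   option target 'DNAT'
   option reflection '0'
   option ipset '!uspot' # negated match on uspot option 'setname'

# allow DHCP (and NTP) for captive clients. Must precede Restrict-input-captive:
# DHCP is broadcast and would otherwise be dropped by it.
config rule
   option name 'Allow-DHCP-NTP-captive'
   option src 'captive'
   option proto 'udp'
   option dest_port '67 123'
   option target 'ACCEPT'

# prevent access to LAN-side services from the captive interface.
# Linux uses a weak host model: a captive client can address any of the router's
# own IPs (LAN, WAN), and that is input, not forwarding, so the zone's forward
# policy does not cover it. It must be denied explicitly. NB: order matters, this
# must come after the DHCP rule above.
config rule
   option name 'Restrict-input-captive'
   option src 'captive'
   option dest_ip '!captive'
   option target 'DROP'

# allow incoming traffic to CPD / web interface and local UAM server
# (only reachable on the captive address, everything else was dropped above)
config rule
   option name 'Allow-captive-CPD-WEB-UAM'
   option src 'captive'
   option dest_port '80 443 3990'
   option proto 'tcp'
   option target 'ACCEPT'

# allow forwarding traffic to wan from authenticated clients (positive set match)
config rule
   option name 'Forward-auth-captive'
   option src 'captive'
   option dest 'wan'
   option proto 'any'
   option target 'ACCEPT'
   option ipset 'uspot' # match with uspot option 'setname'

# allow DNS for captive clients, to the router's own resolver only (no 'dest', so
# forwarding to external resolvers stays REJECT until login).
# NOTE(review): unauthenticated clients can still move data through arbitrary
# queries answered by dnsmasq (DNS tunnelling); rate-limit or restrict upstream
# resolution if that matters for this deployment.
config rule
   option name 'Allow-DNS-captive'
   option src 'captive'
   list proto 'udp'
   list proto 'tcp'
   option dest_port '53'
   option target 'ACCEPT'

# if using RFC5176 RADIUS DAE (keep the src_ip restriction: this opens a UDP port on wan):
#config rule
#   option name 'Allow-captive-DAE'
#   option src 'wan'
#   option proto 'udp'
#   option family 'ipv4'
#   option src_ip 'XX.XX.XX.XX' # adjust as needed
#   option dest_port '3799'     # match value for 'das_port' in config/uspot
#   option target 'ACCEPT'

# create the ipset that will hold authenticated clients (keyed by source MAC, populated by uspot)
config ipset
   option name 'uspot'  # match with uspot option 'setname'
   list match 'src_mac'

# optional whitelist for e.g. remote UAM host and/or dynamic hosts via dnsmasq ipset functionality.
# Anything in 'wlist' is reachable BEFORE login, so keep it minimal.
config rule
   option name 'Allow-Whitelist'
   option src 'captive'
   option dest 'wan'
   option proto 'any'
   option ipset 'wlist'
   option target 'ACCEPT'

# associated whitelist ipset with prepopulated entries (empty unless entries are
# added here or dnsmasq fills it from config/dhcp)
config ipset
   option name 'wlist'
   list match 'dest_ip'
#   list entry 'XX.XX.XX.XX'    # adjust as needed for e.g. remote UAM server
#   list entry 'XX.XX.XX.XX'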

/etc/config/uhttpd:

# /etc/config/uhttpd: dedicated uhttpd instance serving the portal on the captive address only.
config uhttpd 'uspot'
    list listen_http '10.0.0.1:80'      # captive address only (not 0.0.0.0), so the portal is not exposed on LAN/WAN
    option redirect_https '0'
    option max_requests '5'
    option no_dirlists '1'
    option home '/www-uspot'
    list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'        # portal / login handler
    list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'        # captive-portal-detection responder
    option error_page '/cpd'        # unknown paths land on the CPD handler
    # NOTE(review): only listen_http is active here. With auth_mode 'credentials'
    # in config/uspot the username/password are presumably submitted to the
    # portal over this cleartext listener, i.e. sniffable on the captive SSID;
    # enable listen_https + cert/key below (and a matching name in config/dhcp)
    # on any network you do not fully control.
    # if using TLS and/or supporting RFC8908 CapPort API:
    #list listen_https '10.0.0.1:443'
    #option cert '/usr/share/certs/captive.pem' # to be provided manually
    #option key '/usr/share/certs/captive.key'  # to be provided manually
    # for RFC8908 support:
    #list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'

/etc/config/dhcp:

# /etc/config/dhcp: DHCP pool for the captive interface plus the names dnsmasq serves to it.
config dhcp 'captive'
   option interface 'captive'
   option start '2'
   option limit '1000'      # 1000 leases from .2, inside the 10.0.0.1/22 configured in config/network
   option leasetime '2h'
   # add the following for RFC8910 Captive Portal API - DNS name is setup below
   # (only meaningful once TLS and the /api handler are enabled in config/uhttpd)
   #list dhcp_option '114,https://captive.example.org/api'
   # optionally provide NTP server (if enabled on the device) - recommended for SSL cert validation
   #list dhcp_option_force '42,10.0.0.1'

# add a local domain name for HTTPS support, name must match TLS certificate
config domain
   option name 'captive.example.org'
   option ip '10.0.0.1'

# if using optional dynamic hosts whitelist: dnsmasq adds the resolved addresses
# of these names to 'wlist', which config/firewall allows BEFORE login. Every
# name listed here is a pre-authentication path to the internet; keep it minimal.
config ipset
   list name 'wlist'    # match value with whitelist ipset name in config/firewall
   list domain 'my.whitelist1.domain'
   list domain 'my.whitelist2.domain'