Changes

From SME Server
772 bytes removed, 10:43, 7 March 2012
m
Line 96: Line 96:  
*'''net''': the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide clients with addresses in this range.
 
*'''net''': the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide clients with addresses in this range.
   −
*'''status''': there's no trap that defined the state of service, and whether it should be started when the server boots up.
+
*'''status''': there's no trap, this key defines the state of service, and whether it should be started when the server boots up.
    
*'''tundev''': defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
*'''tundev''': defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 +
 +
*'''uamhomepage''': URL of homepage to redirect unauthenticated users to. If not specified this defaults to the login page
    
*'''uamallowed''': A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:host:port
 
*'''uamallowed''': A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:host:port
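Review bot: the reworded '''status''' sentence is still hard to parse ("there's no trap, this key defines the state of service"); "there is no trap for this key; it defines the state of the service and whether it is started when the server boots" says the same thing cleanly. The added '''uamhomepage''' bullet should also state whether the homepage host must be listed in '''uamallowed''', because the next bullet says only listed hosts are reachable before authentication, so a homepage on an external host would otherwise be unreachable for the very clients being redirected to it. The unchanged '''tundev''' line still carries "comming" and "chilli mask" (for "masks"), and '''net''' still reads "provide clients" for "provides clients".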
Line 123: Line 125:     
*'''noc2c''': can be enabled or disabled (default is enabled). If enabled, clients will get a /32 netmask, and a special route will be added so they can contact the gateway. This prevent direct client to client communication. Note that it's a layer 3 isolation, a better way to prevent client to client is a layer 2 isolation, some AP and switch provides this.
 
*'''noc2c''': can be enabled or disabled (default is enabled). If enabled, clients will get a /32 netmask, and a special route will be added so they can contact the gateway. This prevent direct client to client communication. Note that it's a layer 3 isolation, a better way to prevent client to client is a layer 2 isolation, some AP and switch provides this.
 +
 +
*'''macallowed''': A comma separated list of MAC addresses which won't need to authenticate
    
After you've changed the configuration, just run the command  
 
After you've changed the configuration, just run the command  
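Review bot: the new '''macallowed''' bullet does not say what address format the key expects; the section removed further down in this same edit wrote addresses as `0022431665B3` while the log line it quoted prints `00-22-47-16-29-AB`, so the accepted form should be stated here. The bullet also drops the `macallowlocal` directive that the removed section listed next to `macallowed`; if that directive is still required for the bypass to take effect, it needs to be mentioned in this bullet.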
Line 225: Line 229:     
*AllowedOutgoing will allow more outgoing traffic. It's a list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword 'any') can replace host or port. Eg:
 
*AllowedOutgoing will allow more outgoing traffic. It's a list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword 'any') can replace host or port. Eg:
  db configuration setprop AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
+
  db configuration setprop chilli AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
    
This will allow:
 
This will allow:
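Review bot: the description says "a list of proto/host/port", but the example uses colons (`tcp:56.23.41.1:25`), so write the format as proto:host:port to match the command. Adding the `chilli` key to the `db configuration setprop` line is the right fix, since the previous line set the property on no key at all.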
Line 234: Line 238:     
{{ Note box|proto can be tcp or udp only for now, there's now way to add icmp rules with db commands.}}
 
{{ Note box|proto can be tcp or udp only for now, there's now way to add icmp rules with db commands.}}
  −
=== Bypass authentication for a list of Mac addresses ===
  −
  −
CoovaChilli has an interesting features which allow the authentication to be bypassed for a list of mac addresses. It can be useful if you want to connect devices without any browser (playstation etc...)
  −
To enable this feature, you'll have to create a custom template:
  −
  −
mkdir -p /etc/e-smith/templates-custom/etc/chilli.conf
  −
vim /etc/e-smith/templates-custom/etc/chilli.conf/99MacAuth
  −
  −
And put something like this
  −
macallowed 0022431665B3
  −
macallowed 0045EF1AF9CC
  −
macallowlocal
  −
  −
You can use one macallowed directive per mac address, or specify multiple mac addresses, separated by a comma.
  −
Once you saved this file, restart chilli with:
  −
signal-event chilli-update
  −
  −
Now the devices you've specified will be able to connect without authenticating. You should see a line like this one in /var/log/messages when one of this device is connecting:
  −
Jun 21 19:36:47 smetest coova-chilli[25483]: chilli.c: 2746: Granted MAC=00-22-47-16-29-AB with IP=10.1.0.10 access without radius auth
      
=== Troubleshoot ===
 
=== Troubleshoot ===
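Review bot: removing the whole "Bypass authentication for a list of Mac addresses" section loses two things the one-line '''macallowed''' bullet added above does not carry: the `macallowlocal` directive and the verification step, the `/var/log/messages` line "Granted MAC=... with IP=... access without radius auth". Keep at least that log line under Troubleshoot so an administrator can confirm the bypass is actually being applied to the listed devices. Separately, the unchanged note box still reads "there's now way" for "there's no way".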
Line 285: Line 269:  
----
 
----
 
[[Category:Contrib]]
 
[[Category:Contrib]]
 +
[[Category:Administration:Remote Access]]
