Wednesday, October 5, 2011

Open-Source HotSpot Anatomy – ChilliSpot, Radius and Postgres

Preface

This is the most comprehensive material that you will find on the “wild net”: it explains in theory how the pieces work and how the components fit together.
For a technical approach (“how to build a hotspot”) you will have to wait.


 

HotSpot

So, first of all, what is a hotspot?
Most people know what this is, but for the people who don’t, I will give a simple answer.
If you go to an airport or a hotel you find the “free access point”; you connect to it and think that you are now going to surf the web free of charge.
Well, then you open your browser and a redirect gives you a login/password page with the option to buy traffic and access.
This is a hotspot :)    [ :/ ]
A typical open-source hotspot is made of three components:
  • ChilliSpot (acting as the NAS) [Network Access Server]
  • FreeRADIUS (acting as the AAA server) [An AAA server is a server, or set of servers, that provides authentication, authorization and accounting services.]
  • PostgreSQL (responsible for the account data)

NAS / ChilliSpot

NAS stands for Network Access Server: a server devoted entirely to managing network access. ChilliSpot is meant to act as a gateway that guards access to a protected network. So ChilliSpot is the initial entry point to the network; it is the first “device” in the network to provide services to an end user. After the client connects, ChilliSpot redirects the user to the authentication page requesting username and password credentials, and acts as the gateway for all further services.

Typical ChilliSpot operation sequence:
  • Call arrival on ChilliSpot’s login listener, which netstat shows as: tcp 0 0 192.168.10.15:3990 0.0.0.0:* LISTEN
  • Prompt for username and password
  • Request authentication from AAA server
  • Confirm authentication information with AAA server
  • If the authentication is OK, proceed to service.
AAA is responsible for handling:
  • User authentication (first A)
  • User authorization (second A)
  • Accounting (last A)
What does AAA do?
FreeRADIUS provides:
  • authentication services: it checks passwords (static or dynamic)
  • authorization information, returned to ChilliSpot
Providing a service leads to requests for additional information (date-based or time-based limits, variable cost debits, etc.), and enforcing these in real time requires accounting: session accounting information is tallied by ChilliSpot and reported to FreeRADIUS.
All communications regarding RADIUS accounting are done with an Accounting-Request packet. ChilliSpot, participating in the RADIUS accounting process, generates an Accounting Start packet, which is a specific kind of Accounting-Request packet. This packet includes information on which service has been provisioned and on the user for whom the service is provided. The packet is sent to the RADIUS accounting server, which then acknowledges receipt of the data. When the client is finished with the network services, it sends the accounting server an Accounting Stop packet (again, a specialized Accounting-Request packet), which includes the service delivered; usage statistics such as time elapsed, amount transferred and average speed; and other details. The accounting server acknowledges receipt of the stop packet, and all is well.
  • Packet Types
Access-Request
The Access-Request packet is used by the service consumer when it is requesting a particular service from a network. The client sends a Request packet to the RADIUS server with a list of the requested services
Access-Accept
Packets sent by the RADIUS server to the client to acknowledge that the client’s request is granted.
Access-Reject
The RADIUS server is required to send an Access-Reject packet back to the client if it must deny any of the services requested in the Access-Request packet.
Access-Challenge
If a server receives conflicting information from a user, requires more information, or simply wishes to decrease the risk of a fraudulent authentication, it can issue an Access-Challenge packet to the client. The client, upon receipt of the Access-Challenge packet, must then issue a new Access-Request with the appropriate information included.
Accounting-Request
Accounting-Request packets are sent from the client to the server. When the server receives this request packet, it is required to transmit an acknowledgment to the client unless it cannot handle or process the packet.
Accounting-Response
The Accounting-Response packets are primarily designed as acknowledgment packets to be sent from the accounting server to the client, indicating that the request from the client has been received and logged.
  • Packet Attributes
These two general packet families carry many attributes (currently RADIUS can specify 92 different attributes) that control the connections made by the clients; here are some of them:
  • User-Name
This attribute carries the distinguished name of the client requesting access to services on the network
  • User-Password
This attribute is designed to carry authentication information that a user provides in order to gain access to network services. Primarily, the content of this value will be an encrypted password, but sometimes it can be the response from an Access-Challenge packet sent to the client from the RADIUS server.
  • CHAP-Password
CHAP-Password indicates to the RADIUS client gear that CHAP, instead of PAP, will be used for the transaction.
  • Session-Timeout
It indicates the maximum length of time in seconds that a user may remain connected to the network before the RADIUS client will kick him off.
  • Acct-Status-Type
This attribute indicates whether the Accounting-Request packet is being sent upon the user first authenticating and connecting to the network or upon the user finishing use of the services and disconnecting.
  • Idle-Timeout
The user is logged out after this amount of time of inactivity (no traffic).
  • NAS-IP-Address
This attribute specifies the IP address of the NAS gear that requests service on behalf of the client computer.
  • Terminate-Action
This is the SIGTERM of RADIUS: it means that the client should be disconnected.
  • Acct-Session-ID
This attribute is used to uniquely identify a session so that accounting stop and start records can be collated and recorded accurately.
  • Acct-Authentic
This optional attribute indicates the method with which the user’s declared identity was verified.
  • Acct-Session-Time
This attribute, found in Accounting-Request packets and interim records, indicates the time in seconds that a user has been connected.
  • Acct-Terminate-Cause
This attribute indicates the reason, if known and applicable, that a user’s session was ended.
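The operation sequence described under NAS / ChilliSpot, the Accounting Start/Stop exchange, and the packet types and attributes listed above, worked through end to end as an added example. This is not ChilliSpot or FreeRADIUS code and is not from the original post: both sides are modelled in one script, where the NAS builds an Access-Request carrying User-Name, a hidden User-Password and NAS-IP-Address, the AAA server answers Access-Accept (with Session-Timeout and Idle-Timeout reply items) or Access-Reject, and the NAS then sends Accounting-Request Start and Stop records, which the server verifies, records and acknowledges. The shared secret, the user alice and her password, the session id and the NAS address 192.168.10.15 (reused from the netstat line) are constructed values, and the hard-coded user table stands in for the radcheck and radreply tables.

```python
"""Constructed demo of the NAS <-> AAA exchange described above (RFC 2865/2866).
Not ChilliSpot or FreeRADIUS code; secret, user, password, session id and address are made up."""
import hashlib, hmac, ipaddress, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SESSION_TIMEOUT, IDLE_TIMEOUT = 1, 2, 4, 27, 28
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_START, ACCT_STOP = 40, 44, 46, 1, 2
ZERO16 = b"\x00" * 16
SECRET = b"demo-shared-secret"      # constructed; give every NAS its own strong secret
USERS = {b"alice": b"s3cret"}       # constructed stand-in for the radcheck table
REPLY_ITEMS = [(SESSION_TIMEOUT, 3600), (IDLE_TIMEOUT, 600)]  # stand-in for radreply

def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; ints become 4-byte big-endian (RFC 2865 5)."""
    out = b""
    for t, v in attrs:
        v = struct.pack(">I", v) if isinstance(v, int) else v
        out += bytes([t, len(v) + 2]) + v
    return out

def decode_attrs(data):
    attrs = {}
    while len(data) >= 2:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")   # never trust lengths from the wire
        attrs[t], data = data[2:length], data[length:]
    return attrs

def packet(code, ident, attrs, auth=None, seed=ZERO16):
    """Header + 16-byte Authenticator + attributes. auth is used as given (random for an
    Access-Request); otherwise it is MD5(hdr + seed + attrs + secret), seed being the
    Request Authenticator for responses and 16 zero bytes for Accounting-Requests."""
    body = encode_attrs(attrs)
    hdr = struct.pack(">BBH", code, ident, 20 + len(body))
    auth = auth or hashlib.md5(hdr + seed + body + SECRET).digest()
    return hdr + auth + body

def verify(pkt, seed):
    """Constant-time check that pkt's Authenticator was computed with our shared secret."""
    expect = hashlib.md5(pkt[:4] + seed + pkt[20:] + SECRET).digest()
    return hmac.compare_digest(expect, pkt[4:20])

def xor_password(request_auth, data, hiding):
    """RFC 2865 5.2 User-Password hiding: MD5 keystream XOR chained on the ciphertext
    block. Obfuscation keyed by the shared secret, not strong encryption."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(SECRET + prev).digest()))
        out, prev = out + res, (res if hiding else block)
    return out if hiding else out.rstrip(b"\x00")

def nas_access_request(ident, user, password, nas_ip="192.168.10.15"):
    """Sequence step 3: the NAS (ChilliSpot) asks the AAA server to authenticate the user."""
    req_auth = os.urandom(16)                # fresh random Request Authenticator per request
    attrs = [(USER_NAME, user), (USER_PASSWORD, xor_password(req_auth, password, True)),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)]
    return packet(ACCESS_REQUEST, ident, attrs, auth=req_auth), req_auth

def aaa_access(pkt):
    """AAA server (FreeRADIUS): look the user up (radcheck) and answer Accept or Reject."""
    req_auth, attrs = pkt[4:20], decode_attrs(pkt[20:])
    user = attrs.get(USER_NAME, b"")
    given = xor_password(req_auth, attrs.get(USER_PASSWORD, b""), False)
    ok = user in USERS and hmac.compare_digest(USERS[user], given)
    code, reply = (ACCESS_ACCEPT, REPLY_ITEMS) if ok else (ACCESS_REJECT, [])
    return packet(code, pkt[1], reply, seed=req_auth)

def nas_check_reply(resp, req_auth):
    """Sequence step 4: drop replies whose Response Authenticator does not match our secret."""
    if not verify(resp, req_auth):
        raise ValueError("Response Authenticator mismatch: spoofed reply or wrong secret")
    return resp[0], decode_attrs(resp[20:])

def nas_accounting_request(ident, user, session_id, status, session_time=None):
    """Accounting Start/Stop: Authenticator is MD5 over the packet with a zeroed field."""
    attrs = [(USER_NAME, user), (ACCT_SESSION_ID, session_id), (ACCT_STATUS_TYPE, status)]
    attrs += [(ACCT_SESSION_TIME, session_time)] if session_time is not None else []
    return packet(ACCT_REQUEST, ident, attrs)

def aaa_accounting(pkt, ledger):
    """Verify, record Start/Stop in `ledger` (radacct in FreeRADIUS), then acknowledge."""
    if pkt[0] != ACCT_REQUEST or not verify(pkt, ZERO16):
        return None                          # RFC 2866: silently discard, never acknowledge
    attrs = decode_attrs(pkt[20:])
    sid, status = attrs[ACCT_SESSION_ID], struct.unpack(">I", attrs[ACCT_STATUS_TYPE])[0]
    if status == ACCT_START:
        ledger[sid] = {"user": attrs[USER_NAME], "seconds": None}
    elif status == ACCT_STOP and sid in ledger:
        ledger[sid]["seconds"] = struct.unpack(">I", attrs[ACCT_SESSION_TIME])[0]
    return packet(ACCT_RESPONSE, pkt[1], [], seed=pkt[4:20])

def demo(user=b"alice", password=b"s3cret"):
    # Whole sequence: Access-Request/Accept, then Accounting Start and Stop
    req, req_auth = nas_access_request(7, user, password)
    code, reply = nas_check_reply(aaa_access(req), req_auth)
    if code != ACCESS_ACCEPT:
        return code, None, {}
    ledger = {}
    aaa_accounting(nas_accounting_request(8, user, b"sess-0001", ACCT_START), ledger)
    aaa_accounting(nas_accounting_request(9, user, b"sess-0001", ACCT_STOP, 1234), ledger)
    return code, struct.unpack(">I", reply[SESSION_TIMEOUT])[0], ledger
```

Two points worth noticing from the defender’s side: the User-Password attribute is only XOR-obfuscated with an MD5 keystream derived from the shared secret, so the RADIUS traffic between ChilliSpot and FreeRADIUS belongs on a trusted network segment or inside a tunnel; and both sides compare authenticators in constant time and discard, rather than answer, accounting packets that fail the check, which is what RFC 2866 asks for.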

PostgreSql

Responsible for data management.
This is where the data is stored, and it is the end point of the data.
Here we go, let’s see our database.


su - postgres
psql radius

radius=# \l
        List of databases
   Name    |  Owner   | Encoding
-----------+----------+----------
 postgres  | postgres | UTF8
 radius    | postgres | UTF8
 template0 | postgres | UTF8
 template1 | postgres | UTF8

                      List of relations
 Schema |               Name               |   Type   | Owner
--------+----------------------------------+----------+--------
 public | hotspot_account                  | table    | radius
 public | hotspot_account_generator        | table    | radius
 public | hotspot_account_generator_id_seq | sequence | radius
 public | hotspot_account_id_seq           | sequence | radius
 public | hotspot_db_version               | table    | radius
 public | hotspot_db_version_id_seq        | sequence | radius
 public | hotspot_rate                     | table    | radius
 public | hotspot_rate_id_seq              | sequence | radius
 public | hotspot_setting                  | table    | radius
 public | hotspot_setting_id_seq           | sequence | radius
 public | hotspot_ticket                   | table    | radius
 public | hotspot_ticket_accounting        | table    | radius
 public | hotspot_ticket_accounting_id_seq | sequence | radius
 public | hotspot_ticket_id_seq            | sequence | radius
 public | nas                              | table    | radius
 public | radacct                          | table    | radius
 public | radacct_radacctid_seq            | sequence | radius
 public | radcheck                         | table    | radius
 public | radcheck_id_seq                  | sequence | radius
 public | radgroupcheck                    | table    | radius
 public | radgroupcheck_id_seq             | sequence | radius
 public | radgroupreply                    | table    | radius
 public | radgroupreply_id_seq             | sequence | radius
 public | radpostauth                      | table    | radius
 public | radpostauth_id_seq               | sequence | radius
 public | radreply                         | table    | radius
 public | radreply_id_seq                  | sequence | radius
 public | realmgroup                       | table    | radius
 public | realmgroup_id_seq                | sequence | radius
 public | realms                           | table    | radius
 public | realms_id_seq                    | sequence | radius
 public | usergroup                        | table    | radius
 public | usergroup_id_seq                 | sequence | radius
(33 rows)

radius-# \c postgres
You are now connected to database "postgres".
postgres-# \d
No relations found.
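How the radcheck, radreply and radacct tables from the listing above are used by the AAA server, as an added example that is not from the original post and not FreeRADIUS’s own SQL module code. It uses an in-memory SQLite database so that it runs offline, whereas the hotspot uses PostgreSQL; the column names follow FreeRADIUS’s standard SQL schema (a simplified subset of it, with start and stop times kept as plain integers instead of timestamps), and the user rows, the Simultaneous-Use check item, session ids, addresses and timestamps are constructed. An Access-Request turns into a lookup of check items (the password) and reply items (Session-Timeout, Idle-Timeout) for the username; an Accounting Start inserts a radacct row keyed by Acct-Session-Id and an Accounting Stop closes it and stores Acct-Session-Time and Acct-Terminate-Cause.

```python
"""Constructed model of the FreeRADIUS SQL tables listed above, on in-memory SQLite.
Not FreeRADIUS code; the real hotspot stores this in PostgreSQL. Rows are made up."""
import sqlite3

# Simplified subset of FreeRADIUS's standard schema (column names as in that schema)
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radacct  (radacctid INTEGER PRIMARY KEY, acctsessionid TEXT NOT NULL UNIQUE,
                       username TEXT NOT NULL, nasipaddress TEXT NOT NULL,
                       acctstarttime INTEGER NOT NULL, acctstoptime INTEGER,
                       acctsessiontime INTEGER, acctterminatecause TEXT);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # constructed accounts: check items gate the login, reply items are sent to the NAS
    conn.executemany("INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)",
                     [("alice", "Cleartext-Password", ":=", "s3cret"),
                      ("bob", "Cleartext-Password", ":=", "hunter2"),
                      ("bob", "Simultaneous-Use", ":=", "1")])
    conn.executemany("INSERT INTO radreply (username, attribute, op, value) VALUES (?,?,?,?)",
                     [("alice", "Session-Timeout", "=", "3600"),
                      ("alice", "Idle-Timeout", "=", "600")])
    return conn

def authorize(conn, username):
    """Access-Request handling: fetch check and reply items for one user. The username
    arrives from the wire, so it is always a bound parameter, never spliced into the SQL."""
    checks = conn.execute("SELECT attribute, op, value FROM radcheck WHERE username = ?"
                          " ORDER BY id", (username,)).fetchall()
    replies = conn.execute("SELECT attribute, op, value FROM radreply WHERE username = ?"
                           " ORDER BY id", (username,)).fetchall()
    return checks, replies

def acct_start(conn, session_id, username, nas_ip, start_ts):
    """Accounting Start: open a radacct row keyed by Acct-Session-Id."""
    conn.execute("INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime)"
                 " VALUES (?,?,?,?)", (session_id, username, nas_ip, start_ts))

def acct_stop(conn, session_id, stop_ts, cause):
    """Accounting Stop: close the row and store the session length; returns rows closed.
    A Stop for an unknown or already-closed session changes nothing."""
    cur = conn.execute("UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? - acctstarttime,"
                       " acctterminatecause = ? WHERE acctsessionid = ? AND acctstoptime IS NULL",
                       (stop_ts, stop_ts, cause, session_id))
    return cur.rowcount

def open_sessions(conn, username=None):
    """Sessions with no Stop record: what a Simultaneous-Use check or a stale-session
    sweep looks at (a NAS that crashed never sends its Stops)."""
    sql = ("SELECT acctsessionid, username, nasipaddress, acctstarttime FROM radacct"
           " WHERE acctstoptime IS NULL")
    params = ()
    if username is not None:
        sql, params = sql + " AND username = ?", (username,)
    return conn.execute(sql + " ORDER BY acctstarttime", params).fetchall()

def session_seconds(conn, username):
    """Total connected time for a user: the figure a time-based tariff is billed on."""
    row = conn.execute("SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct"
                       " WHERE username = ?", (username,)).fetchone()
    return row[0]

def demo():
    conn = open_db()
    checks, replies = authorize(conn, "alice")
    acct_start(conn, "sess-0001", "alice", "192.168.10.15", 1000)
    acct_start(conn, "sess-0002", "bob", "192.168.10.15", 1100)
    closed = acct_stop(conn, "sess-0001", 2234, "User-Request")
    return {"checks": checks, "replies": replies, "closed": closed,
            "open": open_sessions(conn), "alice_seconds": session_seconds(conn, "alice")}
```

The open_sessions query is the one to watch operationally: a row that stays open long after its Session-Timeout would have expired usually means the NAS lost its Stop packet, and it blocks a user whose Simultaneous-Use is 1 until the stale row is cleaned up.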
 
 


Source: http://albanianwizard.org/tag/postgresql-freeradius
