分类 wifidog流程 下的文章

wifidog简介

WiFidog简介
WIFIdog是一种新的认证方式,这种认证方式的优势在于安全性高,不容易被破解验证。

  1. 客户端发出初始化请求,比如访问www.baidu.com
  2. 网关的防火墙规则将这个请求重定向到本地网关的端口上。这个端口是Wifidog监听的端口。
  3. Wfidog提供一个HTTP重定向回复,重定向到Web认证页面,重定向的Url的Querystring中包含了Gateway的ID,Gateway的FQDN以及其他的信息。
  4. 用户向认证服务器发出认证请求。
  5. 网关返回一个(可以是自定义的)splash(也称作“登录”)页面。
  6. 用户提供他的凭据信息,比如用户名和密码。
  7. 成功认证的话,客户端将会被重定向到网关的自己的web页面上,并且带有一个认证凭据(一个一次性的token)
  8. 用户就是用获取到的凭据访问网关。
  9. 网关去认证服务器询问token的有效性。
  10. 认证服务器确认token的有效性。
  11. 网关发送重定向给客户端,以从认证服务器上获取 成功提示页面,重定向到
    http://portal_server:port/portal_script 这个位置。
  12. 认证服务器通知客户请求成功,可以上网了。

本文章由 http://www.wifidog.pro/2015/03/03/wifidog%E7%AE%80%E4%BB%8B-3.html 整理编辑,转载请注明出处

Debian Linux install wifidog auth server

Install prerequisites

Before we install anything lets be sure we have access to internet and that our apt database is updated

apt-get update

The authentification server require apache and php (we install the latest version)

apt-get install apache2 php5

Database server install

It also require a database server. PostgreSQL 8.1 is available. 8.1 is harder to configure but faster on current computer.

apt-get install postgresql-8.1

Configure PostgreSQL 8.1

If you selected postgresql-8.1, it will crash at install. You must configure postgresql.conf before being able to launch the services.

nano /etc/postgresql/8.1/main/postgresql.conf

This isn't a good security setting, you should make sure to configure the whole thing later on! Right now, you need, at least to change:

#listen_addresses='localhost'
SSL = true

for:

listen_addresse='*'
SSL = false

Install prerequisites - step2
We also need some specifics librairies

apt-get install xml-core gettext mcrypt libapache2-mod-php5 php5-cgi
apt-get install php5-mcrypt php5-mhash php5-pgsql php-pear php5-xmlrpc php5-curl

if you are using a current/2011 debian/ubuntu, you have to enable long variable names in suhosin - otherwise php will not work as expected:

vi /etc/php5/apache2/conf.d/suhosin.ini
-> add:  suhosin.post.max_name_length = 100
-> add:  suhosin.request.max_varname_length = 100

To get the latest version of wifidog-auth we will need subversion:

apt-get install subversion

If you want multi-locales support, you will have to install that packages (or configure every one of them).

apt-get install locales-all

Some more libs

pear install XML_RPC
cd /tmp
wget http://ovh.dl.sourceforge.net/sourceforge/phlickr/Phlickr-0.2.5.tgz
pear install Phlickr-0.2.5.tgz 
rm Phlickr-0.2.5.tgz

Some stuff that isn't needed for the install, but still nice to have on a server (and which won't be install by default). If you don't what these are, you might not need them ;-) Openssh-server will allow you to launch command remotly, very useful for the third screen of install.php

apt-get install openssh-server less

Install the auth server

svn checkout https://dev.wifidog.org/svn/trunk/wifidog-auth
mv wifidog-auth/ /var/www/

Apache 2 configuration file
We need to change the document root. We take for granted that this server will be of no other "web" use... if it is, guess you'll have to learn how to configure apache2.

nano /etc/apache2/sites-available/default

and change (at the fifth line):

DocumentRoot /var/www/

to:

DocumentRoot /var/www/wifidog-auth/wifidog

remove the rewrite rule around line 17

restart apache2:

cd /etc/init.d/
./apache2 restart

Configure locale in wifidog.conf

If you have installed locales-all and you want to keep the "French" default portal page, this step isn't needed. In other cases: you will have to change the file config.php

nano /var/www/wifidog-auth/wifidog/config.php

on line 208 (ctrl+w+enter, ctrl+t+enter, 208) remplace

define('DEFAULT_LANG', 'fr_CA');

by:

define('DEFAULT_LANG', 'en_US');

Configure mail server

You need to have a valid mailer in order to mail account confirmation!

Installing postfix

apt-get install postfix

Select the "internet site with smart host" configuration option and answer the next series of questions.

Configure the auth server

Go to http://your-domaine.com/install.php and follow the instructions. You can follow the following walk-though, under the install step: auth-server. It isn't updated though. Or you can follow the onscreen introduction ;-)

They will ask to :

1) First screen

create a wifidog user in postgres

su - postgres
createuser wifidog --pwprompt 

IF you have PostgreSQL 8.1 : answer no to the three questions

create a database owned by this new user

createdb wifidog --encoding=UTF-8 --owner=wifidog

you must then

cat /tmp/dog_cookie.txt

and click next in your browser (it will ask for the password in dog_cookie.txt)

2) Second screen: Verification of the installed software. If you followed this guide, you have everything install (except Radius support).

3) Third screen:

You will have to copy-paste the big serie of command, click refresh and next. The easiest way of doing that is if you have a ssh connection to your box (this is why I proposed openssh-server package earlier)

4) Fourth screen You may need to install Smarty. Let it do that. NEXT.

Click install for simplepie, (you may need to do this manually in your ssh session by changing /branches/ to /releases/ in the failed command from your web console session as the svn repo has changed structure at simplepie.org), then click NEXT.

Click install for feedpressreview, then next.

Click NEXT when asked to install Phlickr (it is already installed, even if the system doesn't see it).

5) Fill out your db information..

Remove installation files

Of course, the only one that should have access to the install.php file is you. You will need to move the file "install.php" out of public sight.

1) Go to your wifidog directory (/var/www/wifidog-auth/wifidog in our case).

cd /var/www/wifidog-auth/wifidog

2) Move "install.php" file to the parent directory which is not visible to the public:

mv install.php ../install.php

note that you can move it wherever you want, but make sure it's not public.

本文章由 http://www.wifidog.pro/2015/03/02/Debian-Linux-install-wifidog-auth-server.html 整理编辑,转载请注明出处

OpenWrt固件安装wifidog

1.系统需求
硬件

  • 已安装了OpenWrt固件的无线路由器(典型的有Linksys WRT54G系列)

软件

  • Wifidog

你可以尝试执行以下命令安装Wifidog:
opkg update # Optional
opkg install wifidog

将无线路由器接入Internet。
设置并启用无线网络,即,使用无线路由器创建一个可用的Access Point。

2.在Web控制面板中创建热点
登录到Web控制面板,访问http://cp.wiwiz.com/as/
点击“我的热点”,在接下来的页面中点击“创建热点”。根据页面的提示完成各项设置,点击保存。
你将会看到你刚创建热点的Hotspot ID。记下它,接下来的步骤将会用到它。

3.安装与设置HotSpot Builder Utility组件
将一台PC机连接至你的无线路由器,用SSH方式连接到无线路由器。执行以下命令:

cd; wget http://dl.wiwiz.com/hsbuilder-util-latest-OpenWrt.tar.gz
cd /; tar -zxf /root/hsbuilder-util-latest-OpenWrt.tar.gz
/usr/local/hsbuilder/hsbuilder_setup4openwrt.sh setup

然后按照提示完成设置。
特别地,你需要输入的Hotspot ID就是你在Web控制面板中创建的热点的Hotspot ID(不是热点的名称)。User Name是你在控制面板注册的用户名。

提示:
安装时你将会被提示输入External NIC 与 Internal NIC。External NIC 代表的是连接Internet的网络接口。Internal NIC 代表的是连接局域网的网络接口。如果你不确定,可以执行ifconfig命令,并从执行结果中找到它们。

现在,如果没有报错信息,那么安装已经完成了。

你可以使用一个Wi-Fi客户端(如带WLAN适配器的PC或者支持Wi-Fi的移动电话)测试一下你的热点:

  • 搜索可用Wi-Fi热点,并连接到你的热点。
  • 打开Web浏览器,输入任何一个HTTP开头的网址。如果你的热点的认证页面能够显示出来,就说明你的热点已经正常运转了。

本文章由 http://www.wifidog.pro/2015/02/28/openwrt%E5%AE%89%E8%A3%85WiFidog-3.html 整理编辑,转载请注明出处

openwrt Wifidog与AuthServer的交互

这里特别提一下,我发现在openwrt的download网站里,ar71xx有两个版本的wifidog,所以请根据需要确定好opkg的源,一个是2009版的wifidog,一个是2013版本的wifidog,我用的源是http://downloads.openwrt.org/snapshots/trunk/ar71xx.nand/packages/packages/,这个源的wifidog版本是wifidog_20130917-440445db60b0c3aff528ea703a828b0567293387_ar71xx,它们在login处有一个区别,后面会提。
先介绍一下wifidog与Auth服务器的交互协议:
1.首先是重定向,在首次登陆时,用户访问的url会被重定向到如下的地址:
login/?gw_address=%s&gw_port=%d&gw_id=%s&url=%s(2009版本的wifidog)
login/?gw_address=%s&gw_port=%d&gw_id=%s&mac=%s&url=%s(2013版本的wifidog)
这里有一个版本的问题,即2009的wifidog在重定向时不会在链接中带上mac参数,而2013版本的wifidog是会带上的,所以这里需要根据自己的应用特别注意。在用户首次连接路由上网时,它访问的url会被定向到login页面,并带上如上所述的参数,我们可以利用这些参数做生成token或其它一些判断等。而通常情况是在login中向用户返回通过wifi认证的方法,如带有用户名和密码的登录页面等。
2.用户认证协议:
auth_server:/auth/auth.php?stage=%s&ip=%s&mac=%s&token=%s&incoming=%s&outgoing=%s
一般情况下,认证服务器auth_server会根据用户输入的信息生成一个token,然后将用户重定向到wifidog的监听端口上,这个端口的默认地址为:192.168.1.1:2060/wifidog/auth?token=%s,wifidog得到这个token后,将其发送到auth_server认证服务器上进行认证。如果认证通过,auth_server返回“Auth: 1”,认证未通过则返回“Auth: 0”。具体参数如下。
0 - AUTH_DENIED - User firewall users are deleted and the user removed.6 - AUTH_VALIDATION_FAILED - User email validation timeout has occured and user/firewall is deleted1 - AUTH_ALLOWED - User was valid, add firewall rules if not present5 - AUTH_VALIDATION - Permit user access to email to get validation email under default rules-1 - AUTH_ERROR - An error occurred during the validation process
认证服务器通过获取以上链接的参数可以判断这个用户是否合法等。这个链接是认证服务器用来判断首次登陆的用户是否合法和正在连接的用户是否可以继续访问链接的方法。每隔一段时间,wifidog会向认证服务器发送信息,即通过如上所示的链接发送信息,通过这些参数,可以看到某个客户的上传流量、下载流量、mac地址、ip地址、token和、ip和stage。stage可能是两个参数,分别是counters或login。第一次登陆验证时,stage=login,其它时候stage=counters。
3.Ping协议
http://auth_sever/ping/?gw_id=%s&sys_uptime=%lu&sys_memfree=%u&sys_load=%.2f&wifidog_uptime=%lu
wifidog会向认证服务器发送一些信息,来报告wifidog现在的情况,这些信息是通过Http协议发送的,如上的链接所示,参数大概如字面意思,没仔细研究过,而作为认证服务器,auth_server应回应一个“Pong”。
4.认证成功后的跳转
portal/?gw_id=%s
在认证成功后,wifidog会将用户重定向至该页面。
5.若验证失败,则会根据失败原因跳转至如下页面
gw_message.php?message=denied
gw_message.php?message=activate
gw_message.php?message=failed_validation
注意一下,按照我对wifidog.conf的配置,在执行login时,相当于重定向至链接http://justyoung.com/wifidog/login.php?gw_id=XX....等等,其它执行的链接也是如此。

本文章由 http://www.wifidog.pro/2015/02/28/wifidog%E4%B8%8EAuth-Server%E4%BA%A4%E4%BA%92.html 整理编辑,转载请注明出处