HowLoginWorks

From SOWNWiki

Update Needed
This page needs to be updated

How SOWN nodes allow users to authenticate and gain Internet access has changed significantly since this page was last updated. Specifically, Eduroam login now uses RADIUS with 802.1X authentication rather than the per-client iptables rules described on this page.

Each node runs our own client software, which does not need a bridge interface to work. At present all client traffic goes over the SOWN OpenVPN tunnel, but nothing in the design requires that. The scripts called by the DHCP event handler also make each node refresh its client list (/var/log/sown_clients.list) from the auth server, so a node picks up logins made on every other node since 4am that day (or since 4am the previous day if it is now after midnight). Note that a client is identified only by its MAC and IP address, both of which the client itself chooses, so the iptables rules below are a convenience control rather than strong authentication.

Very pretty, if I do say so myself - Dave T

DHCP-EVENT Script

Each node should have ct_root.pem and sureserverEDU.pem in /etc/ssl/certs.

ct_root.pem should be symlinked to 4d654d1d.0 in the same directory.

sureserverEDU.pem should be symlinked to 7ffb3ace.0 in the same directory.

Together these form the certificate chain for sown-auth's certificate. The link names are OpenSSL subject-hash names: when wget is built against OpenSSL, its --ca-directory lookup finds an issuer by the hash of its subject, so each link name must match what the node's own OpenSSL prints for that file (openssl x509 -noout -hash -in ct_root.pem). If the names do not match, verification of sown-auth's certificate fails, the fetch produces nothing, and because the script deletes the cached list before fetching, the node is left with no client list at all.

You will need the 'real' GNU version of wget: the BusyBox wget applet does not support --ca-directory, so it cannot verify the server certificate. Install it using 'ipkg install -force-overwrite wget'.


Each node should have this dhcp-event script in /bin/. The DHCP server runs it on every lease event with the action, the client's MAC and IP address and, where the client supplied one, its hostname.

#!/bin/bash
# dhcp-event: run by the DHCP server for every lease event as
#   <action> <mac-address> <ip-address> [hostname]
# where <action> is "add" (new lease), "old" (existing lease seen again)
# or "del" (lease released or expired).  Each authorised client gets its
# own iptables chain CLIENT<ip> holding the targets the auth server lists
# for its MAC; only traffic from that IP *and* that MAC is sent to it.

if [ $# -lt 3 ]; then
	echo "Usage: $0 <action> <mac-address> <ip-address> [hostname]" >&2
	exit 1
fi

# No filename expansion: the client list is split into words further down
set -f

ACTION=$1
MAC=$2
CLIENTIP=$3
# The hostname is whatever the DHCP client sent, so keep only characters
# that are safe to place in a URL query string and in a log line
CLIENTHOST=$(printf '%s' "${4:-}" | tr -cd 'A-Za-z0-9._-')

SERVER="sown-auth.ecs.soton.ac.uk"
LIST=/var/log/sown_clients.list
WGET="/usr/bin/wget --ca-directory=/etc/ssl/certs --output-document=$LIST"

# Per-client chain name, e.g. 10.13.1.7 -> CLIENT10_13_1_7
CHAIN="CLIENT${CLIENTIP//./_}"

# 1 when /etc/sown/server_status_check last reached the auth server, else 0
SERVER_STATUS=$(/bin/cat /var/log/sown_server.status 2>/dev/null)

echo "$(/bin/date) $ACTION $MAC" >> /var/log/commit-log

# Remove any existing rules and chain for this client.  Errors are
# expected (and silenced) when nothing is in place yet.
remove_client() {
	/usr/sbin/iptables -F "$CHAIN" 2>/dev/null
	/usr/sbin/iptables -D FORWARD -s "$CLIENTIP" -m mac --mac-source "$MAC" -j "$CHAIN" 2>/dev/null
	/usr/sbin/iptables -t nat -D PREROUTING -s "$CLIENTIP" -j ACCEPT 2>/dev/null
	/usr/sbin/iptables -X "$CHAIN" 2>/dev/null
}

if [ "$ACTION" = "old" ]; then
	# A re-seen lease is handled as a fresh "add" after clearing old rules
	remove_client
	ACTION="add"
fi

# Ask the auth server for the current client list; its response replaces
# the cached copy.  Skipped while the server is known to be unreachable,
# so the node keeps working from the cached list.
if [ "$SERVER_STATUS" = "1" ]; then
	/bin/rm -f "$LIST"
	$WGET "https://$SERVER/config/update.php?op=mac&ip=$CLIENTIP&mac=$MAC&host=$CLIENTHOST"
fi

if [ "$ACTION" = "add" ]; then
	# Each line of the list is: <mac> <iptables target> [<target> ...]
	USERLINE=$(/bin/grep -i -m 1 -- "$MAC" "$LIST" 2>/dev/null)

	if [ -z "$USERLINE" ]; then
		echo "no match for $MAC" >> /var/log/sown-event.log
	else
		remove_client
		/usr/sbin/iptables -N "$CHAIN"
		ARRAY=($USERLINE)
		# Every target after the MAC is inserted at position 1, so the
		# chain ends up holding the targets in reverse of the listed order
		for (( i = 1; i < ${#ARRAY[@]}; i++ )); do
			/usr/sbin/iptables -I "$CHAIN" 1 -j "${ARRAY[i]}"
		done

		# Only packets carrying both this source IP and this source MAC
		# reach the client chain; everything else from the IP is dropped
		/usr/sbin/iptables -I FORWARD 1 -s "$CLIENTIP" -m mac --mac-source "$MAC" -j "$CHAIN"
		/usr/sbin/iptables -t nat -I PREROUTING 1 -s "$CLIENTIP" -j ACCEPT
		if [ "$SERVER_STATUS" = "1" ]; then
			/bin/rm -f "$LIST"
			$WGET "https://$SERVER/config/dns_update.php?op=add&ip=$CLIENTIP&host=$CLIENTHOST"
		fi
		echo "$MAC processed" >> /var/log/sown-event.log
	fi
fi

if [ "$ACTION" = "del" ]; then
	remove_client
	if [ "$SERVER_STATUS" = "1" ]; then
		/bin/rm -f "$LIST"
		$WGET "https://$SERVER/config/dns_update.php?op=del&ip=$CLIENTIP&host=$CLIENTHOST"
	fi
fi
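
Two of the values the dhcp-event script splices into commands deserve a check before use: the hostname, which is whatever the client put in its DHCP request (less any filtering the DHCP server applies) and ends up in a URL query string, and the client list, which is text fetched from the auth server and turned into iptables targets. The following helpers are an added example, not part of the SOWN scripts: they validate a MAC, percent-encode a hostname, build the update.php query the script sends (the URL and parameter names are the script's own) and look up a MAC's targets by exact match on the first field of a list. The sample list is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the SOWN scripts): validation and encoding
# for the values that dhcp-event splices into commands and URLs.

# Succeed only for a colon-separated 48-bit MAC such as 00:11:22:aa:bb:cc
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Percent-encode every byte outside the RFC 3986 "unreserved" set.
# awk builds a byte->value table (POSIX awk has no ord()); LC_ALL=C keeps
# multi-byte characters as individual bytes.
urlencode() {
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (j = 1; j <= length($0); j++) {
                c = substr($0, j, 1)
                if (c ~ /^[A-Za-z0-9._~-]$/) out = out c
                else out = out sprintf("%%%02X", ord[c])
            }
            printf "%s", out
        }'
}

# Build the update.php query the node sends, with every value encoded so
# a hostname like "x&op=del" cannot add a second query parameter.
build_update_url() {
    ip="$1"; mac="$2"; host="$3"
    printf 'https://sown-auth.ecs.soton.ac.uk/config/update.php?op=mac&ip=%s&mac=%s&host=%s' \
        "$(urlencode "$ip")" "$(urlencode "$mac")" "$(urlencode "$host")"
}

# Print the iptables targets listed for a MAC in a client list read from
# stdin (the format dhcp-event consumes: "<mac> <target> [<target> ...]").
# The whole first field is compared case-insensitively instead of grepping
# for the MAC anywhere in the line, and only chain-name-safe targets pass.
targets_for_mac() {
    awk -v mac="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        tolower($1) == mac {
            n = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_-]+$/) printf "%s%s", (n++ ? " " : ""), $i
            print ""
            exit
        }'
}

# Constructed sample list in the format the script consumes
SAMPLE_LIST='00:11:22:33:44:55 ACCEPT
aa:bb:cc:dd:ee:ff LOG ACCEPT
de:ad:be:ef:00:01 ACCEPT bad/target'

# Stand-alone demonstration against the constructed list
printf '%s\n' "$SAMPLE_LIST" | targets_for_mac aa:bb:cc:dd:ee:ff
build_update_url 10.13.1.7 00:11:22:33:44:55 'node&op=del'
echo
```

In the script itself the cheapest equivalent is to strip the hostname to a safe character set before it reaches the URL, and to fail closed (log and skip the client) when a list line carries anything other than plain target names.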

Managing the Data

A crontab entry makes sure the node does not get stuck when there is no route to the server. Clients whose rules are already in place keep their access, and a new client is still matched against the cached client list, but a client that is not in that cached list cannot authenticate until the server is reachable again.

The check below writes the SERVER_STATUS value read by the script above: 1 when the server answers a ping, 0 otherwise.

The Script (/etc/sown/server_status_check)

 #!/bin/bash
 # Run once a minute from cron: record whether the auth server is reachable
 # over the tunnel and switch DNS and routing to match.
 SERVER_GW=10.13.0.252
 
 if ! ping -c 1 -W 2 "$SERVER_GW" > /var/log/sown_ping.res 2>&1
 then
       # Server unreachable: fall back to OpenDNS and drop the tunnel route
       echo "0" > /var/log/sown_server.status
       echo "nameserver 208.67.222.222" > /etc/resolv.conf
       echo "nameserver 208.67.220.220" >> /etc/resolv.conf
       ip route del 152.78.189.82 2>/dev/null
 else
       # Server reachable: resolve via the SOWN resolver and route
       # 152.78.189.82 through the tunnel gateway
       echo "1" > /var/log/sown_server.status
       echo "nameserver 10.13.0.254" > /etc/resolv.conf
       echo "search sown.org.uk" >> /etc/resolv.conf
       ip route replace 152.78.189.82 via "$SERVER_GW"
 fi

And the associated crontab file (/etc/sown/server_status.cron):

 * * * * * /etc/sown/server_status_check

A startup script in init.d also needs to run the check once at boot and install the crontab, by adding the following two commands:

 /etc/sown/server_status_check
 crontab /etc/sown/server_status.cron