need your assistance, im trying to authenticate a user stored in my freeradius+mysql in pfsense (acts as captive portal for wifi users)
AP+-----+PFsense+-----+Internet
+
|
+
FreeRadius
im pretty sure that my shared secret/ip of my radius is correctly defined in pfsense system. but im not quite sure if my radius allows authentication coming from other systems.
in /etc/raddb/clients.conf
i defined my pfsense as my NAS
client 192.168.1.1 {
secret = testing123
shortname = pfsense
}
selinux is already disabled.
maybe theres a parameter i needed to change or allow,
can you think what else i missed here? thanks.
You need to run the server in debugging mode (-X) it will complain if it receives a packet from an unknown client and tell you definitively which IP is being used as the SRC address.
You can then add a client entry with that IP.
Please refer to the following links, as they describe the process of using captive portal along with local FreeRADIUS.
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#HOW-TO_-FreeRADIUS.2B_Captive_Portal_configuration
http://pheriko.blogspot.mx/2013/01/pfsense-2-captive-portalfreeradius2.html
After successfully implementing the process you can find local clients.conf in order to rectify your client configuration.
Related
I am using openwrt and coovachilli for registration purpose, when there is presence of internet connection to router then chilli starts and popup page appears after connect to WiFi.
But I want popup page without presence of internet. Router should popup after connect to WiFi using coovachilli without internet. Please help me out in this situation.
Thanks in advance.
OpenWrt Version:- 15.05
CoovaChilli Version:- 1.3.0
It's not possible technically due to the way Coova Chilli (and other hotspot software systems) works.
Without Internet connection, your DNS server will return failures so no DNS query will work. Without DNS queries (and IP addresses as result), there won't be a HTTP request for Coova to hijack. Your device (eg. iPhone) won't even trigger a CNA window
There are possibilities (workarounds) of course - eg. make your DNS resolver (dnsmasq?) resolve to some dummy/hardcoded IP address while the connection is down. You would have to write a script yourself that detects connection and swaps configs
It is possible with a workaround.
You have to use a local UAM server (on the same host or LAN) and authenticate with local users file or local RADIUS server. For using local users file, without RADIUS server, you must specify a dummy RADIUS server IP:
radiusserver1 127.0.0.1
localusers /etc/chilli/localusers
Then, you can add a dummyuser:dummypass to your localusers file and use it for the authentication as usual:
http://${uam_ip}:${uam_port}/logon?username=dummyuser&password=${chap_password}
How can i host a website through my computer using server softwares?
I tried to host a website through my own computer using apache tomcat server but it didnt work ( please briefly explain every point )
The main issue that you need to deal with is getting the clients to your computer.
Yes, it is possible and yes I have done it, albeit a while ago.
You need to see if you can browse to your computers website from another device on your network, this will ensure that apache is working. Try another computer/laptop/tablet/whatever to see if this site reachable by other computers using the IP Address and possibly port number. If you cannot get to the site, there are settings in apache to deny certain ip's, google it to get the exact steps for your version. If it works, move on to step 2.
You will need a static IP Address to ensure that all further steps stay working, google this if you are not sure how to do it
You need to have the external IP address of your router(whatsmyip.org) or use Dynamic DNS to route traffic from an address to your ip and there are services that allow this. I can recommend no-ip.com - This is all assuming that you have access to the router.
You would be required to set up port forwarding on your router. This will direct the internet traffic to your computer. You will need to get the exact instructions for your specific model of router.
Please be aware that you need to have proper firewalls and systems in place to prevent attacks. I am sure that you are just testing at this point though...
All the best!
I've recently purchased a cloud server which has public IP and I am using it to host an xmpp server.
My first task was to ensure my users connected using my subdomain - as an example m.chat.com.
In my configuration I have the following:
%% Hostname
{hosts, ["m.chat.com"]}.
I then created an admin user with that domain.
In parrellel I have created the following DNS record with my host provider, hostgator for my subdomain m.chat.com
Name TTL Class Type Record
m.chat.com 14400 IN A [IP of the server]
One thing that puzzled me was my ability to access the ejabberd web admin console. This was achieved via: [IP of the server]:5280/admin however I could not access it via m.chat.com:5280/admin
That aside, inside the web console, under "Virtual Hosts" I could see the host "m.chat.com". I created a user "user#m.chat.com" and tried to connect via Adium.
Inside Adium, simply typing in user#m.chat.com with the password did not work. Instead I had to also specify the "Connect server" which in this case was the [IP of the server].
It has connected fine and I have registered other users to check everything is working and it is.
Then I thought I'd go back to the ejabberd configuration and start messing around. I changed the hostname to the following:
%% Hostname
{hosts, ["m.chat.com", "facebook.com"]}.
I registered a user with that domain and restarted ejabberd. Upon checking the web console, to my surprise, I could see the Virtual host "facebook.com". I tested this user in Adium with the [IP of the server] defined in the "Connect server" section and it connected fine. I asked other people with their own internet connections to use this account on their PCs and they were able to connect too.
Story over - my question to everyone is how is this possible? Am I missing something? Is there no domain authentication. After searching online, it seems you can even use fake domains.
If I am to operate my own service in the future (iOS chat app) I do not want anyone using my domain names with their own public servers.
Can someone shine some light.
Thanks!
Edit: A second question - Preferably I do not want to have to define the "Connect Server" upon using a client. I would like the client to recognise the #m.chat.com domain and establish a connection to the Servers IP automatically. Have I configured my DNS record correctly? For anyone else using Hostgator, is there an additional task I must do?
Edit: I can now access the web console via m.chat.com:5280/admin and I no longer have to specify the Connect server when using a client. I didnt do anything, I think it was a case of Hostgater updating the DNS or something, they say it usually takes 4 hours. However I am still slightly puzzled as to why I can create accounts with the facebook.com domain. I understand that because I can not access the DNS admin for this domain I can not create any records but that does not prevent me from using the domain and just specifying a Connect server.
Your initial problems (unable to access the server by using m.chat.com) were almost certainly DNS issues, and it seems you have isolated that down to the time taken to update the record.
Your second question - about the fact that you can name virtual hosts without restriction, is simple but interesting. What makes you think there should be any kind of restriction? It would be like you dictating that I can't save "m.chat.com" in a file on my disk, or that I can't send "m.chat.com" in a message across the internet.
This is why DNS exists and is structured the way it is. Although I can tell my server that it hosts facebook.com, nobody will connect to it because the DNS record for facebook.com does not point at my server (users generally don't set the "connect host" manually). Which begs the question... why would I want to tell my server it hosts facebook.com, and if I did, why should Facebook care?
An additional, but relevant, identity layer on top of DNS are certificates - which clients should validate for the virtual host name in spite of any "connect host" set. Since it's not possible to have a certificate for facebook.com, clients should generally pop up warnings or fail to connect at all. If they don't, they're probably not validating the certificate correctly.
I have a development server (Java servlet container) running on my computer inside my private network (IP range 192.168.0.0 to 192.168.255.255). This development server executes my integration testing environment. This testing environment has its own Facebook App ID. Having the server run in the 192.168.x.y range allows my colleagues to test the website, login to my local website with their Facebook accounts etc..
At https://developers.facebook.com -> in the Facebook Apps settings -> located under "Basic settings" -> in the "Website with Facebook Login" field, I have set http://192.168.2.106:8080, as this is the address-port combination that my development server binds to.
Due to DHCP, my computer now has a slightly different IP address, namely 192.168.2.109. Whenever I start up my server and then try to do anything Facebook-API related (e.g. Facebook Login), I get the following error message from Facebook
{
"error": {
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration.",
"type": "OAuthException",
"code": 191
}
}
Is there a way to have a Facebook App allow a "range of IP address websites with Facebook Login"? What other solutions can you suggest?
My colleagues shall be able to also start up the development server on their own machines, with their own private network addresses. Therefore, the same Facebook App ID shall work on different machines with different IP addresses and still be accessible to everybody inside the private network.
Notice that setting "Website with Facebook Login" to localhost makes the development server only available to the same machine it is running on. This unfortunately prevents colleagues from accessing this development server instance.
Update
Filed bug: https://developers.facebook.com/bugs/606277079382609
If you could get away of using localhost, then there is a very simple way:
Make the facebook app redirect to http://lvh.me:3000/ (or whatever port your server is listening on localhost). A benevolent developer owns the lvh.me domain and had the DNS setup to point to localhost. I've tried this and that's what I used for development testing.
Similarly, you could do stuff like that and points a DNS record of a domain you own to a range of local ip. I am not familiar with DNS so I am not sure how to set it up or if it's possible.
If you're running on Windows you could try changing your hosts file in C:\Windows\System32\drivers\etc
and add your IP to an imaginary domain (your colleagues should do it too) and put that domain in Facebook Settings panel.
I'm not sure about this so tell me if it works :)
As far as i know you cannot setup an IP range in your application setting, the redirect_uri is typically meant to handle urls with domain names, which is usually the case with with public websites.
The best way to avoid this problem is to make sure you local development server has always gets the same IP, which is generally a good practice if you are writing a server.
there are several ways to do it depending on the network setup, here are two option:
Setup your DHCP server to always assign the same IP to your dev server MAC address
Bend the rules a little bit and setup your computer to claim an unused IP address. DHCP servers typically assign IPs in order (will start from 192.168.1.1 and work up to 192.168.254.254) so have your computer claim an IP in the higher part of the range (Ping the IP first to make sure it's not being used)
Instead of using an IP address, use localhost.
So hxxp://192.168.1.20 would become hxxp://localhost
(replace xx with tt)
This resolves back to the local machine, whatever its IP address is. I am assuming that your development server is running on your PC, using WAMP or something similar. I draw this assumption because you state that it must run on any laptop in any network environment.
If you own a domain you could create a subdomain test.mydomain.com pointing to 192.168.2.109.
When your address should change again, you can change the entry accordingly.
There is no reason why a DNS entry could not point to a IP address from the 192.168 range. For someone outside your network it will not be of much use, because he can't access your IP address from the outside, but for your co-workers within the network it will work.
If a coworker wants to run the web app on his own PC, he can of course override this setting using his own hosts file.
I have my app up in canvas but am at somewhat of a loss as to how I can test locally. I'm building my app on top of nodeJs to give it a try. I have a dev app that hasn't been deployed to heroku so I'm all set there, save some details to follow. I know my computers IP address but I'm not sure if that's the one I need. How do I find the correct IP. Something like: 0.0.0.124:5000 is the example that's given. To summarize what I need to know:
A) how to find the correct local IP
B) how and where to configure apache server (I have the code from heroku just need to know what file it goes into and where to find it).
C) How to export port 80
D) find out if I need access to my local dsl router admin area to set static ip or use dynamic one
Thanks in advance
From the Heroku documentation:
https://devcenter.heroku.com/articles/facebook#1-creating-a-development-facebook-app
Do you need the IP address for a callback URL? If so, I recommend signing up with a dynamic DNS service so your home Internet connection has a consistent domain name even if your home IP address changes.
You'll also need to forward the appropriate port from your home router to your development machine.