centralized coova

wlan at mac.com wlan at mac.com
Wed Jan 9 16:26:49 UTC 2008


Actually, each of my hotspots has a DHCP server, and I have in my AAA
server the list of the subnets. When a user connects, I retrieve the
connection place using the Framed-IP-Address (which I use to find the
subnet and then the exact location).


Is it chilli that is currently sending you the Framed-IP-Address or  
something else? Are you able to relay the AP DHCP to chilli?

Actually, we want a centralised architecture: each hotspot sets up a  
tunnel to the central site, and IP connectivity is ensured for users,  
up to the centralized access gateway - that can be coova.


When you say coova, I assume you really mean coova-chilli (or just  
"chilli").

 > What do you mean with "External transparent web proxy for unauthenticated
 > users"?

What we also would like is the possibility for coova to redirect
unauthorised traffic at the TCP/IP level, and not only send a 302
redirect to the device.

Actually, what I want to do is (I'm not strong at ASCII art ;)):

Hotspot-1-----+      AAA
              |       |
    ...       +-----Coova------(NAT)------INTERNET
              |       |
Hotspot-N-----+       +-Squid Proxy
                      |
                      +-Login portal
                      |
                      +-DNS

Correct me if I'm wrong. For a standard Coova deployment, when a
user opens a browser and requests www.google.com:
- He gets an HTTP-302 that redirects his browser to the Coova login page
(either on coova or on the back-end).
- Once on the login page, the user enters login and password, and they
are posted to Coova.
- Coova sends RADIUS requests to the AAA.
- AAA accepts the connection.
- Coova opens the connection.


Yeah, that's right.

What I would like to do is:
- User requests www.google.com
- Coova redirects (changes dest IP and TCP port) to Squid
- Squid, with a redirector, chooses:
    + to serve the page (free web site)
    + to send a 302 redirect to the user
- The workflow described above goes on.


There is already an option for 'post-auth proxy' in coova-chilli that  
does this for authorized traffic. What you describe is not that  
different.

I wonder if this is possible with iptables rules?


You can easily make an iptables rule for all traffic to go through
the proxy. There are conup/condown scripts possible in chilli if you
want to change firewall settings based on login/logout.

Furthermore, I would like to do prepaid (volume and/or time based), i.e.:
- User connects
- AAA allocates 10 Mb and 1 hour
- Allocated volume is elapsed
- Coova requests more volume from the AAA, without disconnecting the user
- AAA provides 10Mb
- Session goes on


"Without disconnecting the user" meaning no redirect, just a RADIUS  
re-auth? not sure I see the value in that...

Would it be difficult to implement?

Thanks

Geoff.
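As an added illustration of the iptables approach discussed in this message (example code written for this archive page, not from the thread's authors or from the coova-chilli project): a POSIX shell script that generates the NAT rules sending unauthenticated clients' port-80 traffic to a transparent Squid on the gateway, plus conup/condown hooks that exempt a client once its session is authorized. The interface name tun0, the subnet 10.1.0.0/16, the gateway address 10.1.0.1, the Squid port 3128, the portal port 3990 and the FRAMED_IP_ADDRESS variable are all assumptions; DRY_RUN=1 (the default) prints the commands instead of executing them, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread or from coova-chilli.
# Generates iptables rules that send unauthenticated clients' HTTP traffic
# to a transparent Squid on the gateway; conup/condown exempt a client once
# its session is authorized. All addresses, ports and the interface name
# are assumed values, overridable from the environment.
TUN_IF="${TUN_IF:-tun0}"                 # assumed tunnel-facing interface
CLIENT_NET="${CLIENT_NET:-10.1.0.0/16}"  # assumed hotspot client subnet
GW_IP="${GW_IP:-10.1.0.1}"               # assumed gateway address
SQUID_PORT="${SQUID_PORT:-3128}"         # assumed Squid intercept port
PORTAL_PORT="${PORTAL_PORT:-3990}"       # assumed login portal port
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute them

# run: print the command line under DRY_RUN, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# base_rules: one-time setup. In the nat table, ACCEPT ends chain traversal
# without applying NAT, so rules placed before the DNAT act as exemptions.
base_rules() {
    run iptables -t nat -N HOTSPOT_AUTH
    # Authorized clients are listed in HOTSPOT_AUTH with ACCEPT targets,
    # so their traffic skips the redirect below.
    run iptables -t nat -A PREROUTING -i "$TUN_IF" -s "$CLIENT_NET" -j HOTSPOT_AUTH
    # Traffic addressed to the gateway itself (portal, DNS, Squid) is never redirected.
    run iptables -t nat -A PREROUTING -i "$TUN_IF" -d "$GW_IP" -j ACCEPT
    # Remaining port-80 traffic from clients goes to Squid, whose redirector
    # either serves a free site or answers with the 302 to the login portal.
    run iptables -t nat -A PREROUTING -i "$TUN_IF" -s "$CLIENT_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$GW_IP:$SQUID_PORT"
    # Before login, only the portal, Squid and DNS are reachable on the gateway.
    run iptables -A INPUT -i "$TUN_IF" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    run iptables -A INPUT -i "$TUN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A INPUT -i "$TUN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$TUN_IF" -j DROP
}

# conup: exempt an authorized client (argument: its IP address).
conup() {
    run iptables -t nat -I HOTSPOT_AUTH -s "$1" -j ACCEPT
}

# condown: remove the exemption when the session ends.
condown() {
    run iptables -t nat -D HOTSPOT_AUTH -s "$1" -j ACCEPT
}

# Dispatch: "up"/"down" with a client address (or, when called as a chilli
# conup/condown hook, the assumed FRAMED_IP_ADDRESS variable); otherwise setup.
case "${1:-}" in
    up)   conup   "${2:-$FRAMED_IP_ADDRESS}" ;;
    down) condown "${2:-$FRAMED_IP_ADDRESS}" ;;
    *)    base_rules ;;
esac
```

The per-client exemptions live in their own chain so that login and logout only ever add or delete one rule, and the gateway-address ACCEPT sits ahead of the DNAT so the portal and DNS are never looped back into Squid; run with DRY_RUN=0 to apply the rules for real.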
