Topic: Guest Signup Period followed by login only.

Using a series of hacks to the UAM server, our free network now works on the following rules:

Users must register to use the system.
Users must confirm their email address.
However, if they just chance on the hotspot they're allowed a limited "trial period" to receive the confirm-email-address message.
Usage limits are applied to prevent overuse of the system and to irritate filesharers (it's bloody hard to block them).

My code's kind of a mess at the minute, but if anyone's interested I'll share it with some instructions.

In basic it goes something like this:
UAM and Radius are on the same server; radius is using MySQL to store usernames etc.

Customised splash screen reads the mac=ADDRESS attribute that chilli helpfully sends it.
Then it looks for that MAC address as a username in the Radius users.
If it's not there, it creates a radius user with the name of ADDRESS. Now there is a unique "Guest" account specific to that computer.
If it is there, then it looks that MAC (also a username in radius) up in the Radius Accounting table. If it's been used more than is reasonable to retrieve an email, it moves it to a different radius group, which is no longer allowed to log in.

The splash screen has an extra form, identical to the normal login one, except the username field is hidden and preset to the MAC address of the PC.

Voila, free access, with identifiable users and no pre-registration required.

PART 2 Fair usage.

This one's script is easier; this is a PHP script I run off cron every hour. It punishes people who download too much, stay online too long, or upload too much. It works by moving group membership around.

My Groups:
[pre]
+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value  |
+----+-----------+-----------+----+--------+
|  1 | device    | Auth-Type | := | Local  | MAC-authed devices
|  2 | user      | Auth-Type | := | Local  | "normal" users
|  3 | guest     | Auth-Type | := | Local  | guests with registration period remaining
|  4 | expGuest  | Auth-Type | := | Reject | guest registration period expired
|  5 | mates     | Auth-Type | := | Local  | my mates (extra privileges)
|  6 | punish    | Auth-Type | := | Reject | people temporarily punished
+----+-----------+-----------+----+--------+
[/pre]
My Group Reply (big fat warning: unless it's been changed, hotspotlogin.php's reply feature is broken)
[pre]
+----+-----------+--------------------------+----+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+
| id | GroupName | Attribute                | op | Value                                                                                                                                                                                                          | prio |
+----+-----------+--------------------------+----+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+
|  1 | guest     | WISPr-Bandwidth-Max-Down | := | 512000                                                                                                                                                                                                         |    0 |
|  2 | guest     | WISPr-Bandwidth-Max-Up   | := | 128000                                                                                                                                                                                                         |    0 |
|  3 | guest     | Session-Timeout          | := | 1800                                                                                                                                                                                                           |    0 |
|  4 | user      | WISPr-Bandwidth-Max-Down | := | 512000                                                                                                                                                                                                         |    0 |
|  5 | user      | WISPr-Bandwidth-Max-Up   | := | 128000                                                                                                                                                                                                         |    0 |
|  6 | user      | Session-Timeout          | := | 7200                                                                                                                                                                                                           |    0 |
|  7 | guest     | Reply-Message            | := | This is a GUEST login - you have 20 minutes to register! before this is permantly disabled. WE ARE NOT KIDDING! It will stop working VERY SOON!                                                                |    0 |
| 12 | punish    | Reply-Message            | := | You've over used one of our our quotas. either by downloading or uploading to much or staying online too long. Wait a while and your access will be restored. The PierToPier.net Team.                         |    0 |
| 11 | expGuest  | Reply-Message            | := | Your Guest Access has expired. You need to register. Since you're going to need to confim your email, your going to have to get some internet somewhere else! Register Now, reply to the confirm email latter! |    0 |
+----+-----------+--------------------------+----+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+
9 rows in set (0.00 sec)
[/pre]
Bit difficult to read, but they set the bandwidth for the various groups and the reply messages for guests and expired guests and punished people.
Anyway, here's the code:
[pre]
#!/usr/bin/php -q
<?php
$hostname = "localhost";
$database = "radius"; // your radius database name
$username = "MySQLUserWithAccessToRadius"; // MySQL username
$password = "PasswordForAbove"; // MySQL password

// LIMITS of acceptability, totalled over the last 24 hours
$timeOn = 21600; // seconds, 6 hours = 21600
$inData = 1000000000; // bytes
$outData = 500000000; // bytes
// Punishment adjusters.
$timePen = 7200; // don't re-enable till there's 2 hours in hand
$inPen = 100000000; // make a 10 percent leeway
$outPen = 50000000; // make a 10 percent leeway

$p2pdb = mysqli_connect($hostname, $username, $password, $database) or die(mysqli_connect_error());
// One prepared statement does every group move; user names are bound, never pasted into the SQL.
$moveGroup = mysqli_prepare($p2pdb, "UPDATE usergroup SET GroupName=? WHERE UserName=?") or die(mysqli_error($p2pdb));
$newGroup = '';
$userName = '';
mysqli_stmt_bind_param($moveGroup, "ss", $newGroup, $userName);

$query_day = "SELECT radacct.UserName, SUM(AcctSessionTime) AS timeOn, SUM(AcctInputOctets) AS inData, SUM(AcctOutputOctets) AS outData
FROM radacct LEFT JOIN usergroup ON radacct.UserName=usergroup.UserName
WHERE AcctStopTime >= DATE_SUB(NOW(),INTERVAL 1 DAY) AND GroupName='user'
GROUP BY radacct.UserName";
$day = mysqli_query($p2pdb, $query_day) or die(mysqli_error($p2pdb));
echo "Normal users on in the last 24 hours, looking for evildoers\n";
while ($row_day = mysqli_fetch_assoc($day)) {
        $flag = 0; // reset per user, otherwise everyone listed after the first offender is punished too
        echo $row_day['UserName']."\tTime: ".round($row_day['timeOn']/3600,3)."\tIn: ".round($row_day['inData']/1000000)."Meg\tOut: ".round($row_day['outData']/1000000)."Meg\n";
        if($row_day['timeOn']>=$timeOn) {$flag=1; echo "Time On Flagged\n";}
        if($row_day['inData']>=$inData) {$flag=1; echo "data In  Flagged\n";}
        if($row_day['outData']>=$outData) {$flag=1; echo "data Out Flagged\n";}
        if($flag==1) { // got ourselves a scumbag
                $newGroup = 'punish';
                $userName = $row_day['UserName'];
                if (mysqli_stmt_execute($moveGroup)) {
                        echo "Moved ".$userName." to punishment cell\n";
                } else {
                        echo "Oops, something nasty happened updating the Radius Server Group membership\n";
                }
        }
}

// Put them back if they've dropped below the levels
$query_ret = "SELECT radacct.UserName, SUM(AcctSessionTime) AS timeOn, SUM(AcctInputOctets) AS inData, SUM(AcctOutputOctets) AS outData
FROM radacct LEFT JOIN usergroup ON radacct.UserName=usergroup.UserName
WHERE AcctStopTime >= DATE_SUB(NOW(),INTERVAL 1 DAY) AND GroupName='punish'
GROUP BY radacct.UserName";
$ret = mysqli_query($p2pdb, $query_ret) or die(mysqli_error($p2pdb));
// Recalculate the thresholds for re-enabling
$timeOn=$timeOn-$timePen;
$inData=$inData-$inPen;
$outData=$outData-$outPen;
echo "\n";
echo "      Looking for people to move back\n";
while ($row_ret = mysqli_fetch_assoc($ret)) {
        echo "Time: ".round($row_ret['timeOn']/3600,3)."\tIn: ".round($row_ret['inData']/1000000)."Meg\tOut: ".round($row_ret['outData']/1000000)."Meg";
        if($row_ret['timeOn']<=$timeOn && $row_ret['inData']<=$inData && $row_ret['outData']<=$outData) {
                $newGroup = 'user';
                $userName = $row_ret['UserName'];
                if (mysqli_stmt_execute($moveGroup)) {
                        echo "\tMoving ".$userName." back to the General Population\n";
                } else {
                        echo "\tOops, something nasty happened updating the Radius Server Group membership\n";
                }
        } else { echo "\tLeaving ".$row_ret['UserName']." in punish\n"; }
}

?>

[/pre]
You will need command-line PHP to run this one.

Have fun Tom http://www.oceanhippie.net/cat.php?Cat=1
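
The splash-screen lookup described in the first post (MAC as username, guest account created on first sight, move to expGuest once the trial time is used), as an added example that is not the poster's code. It uses PDO with an in-memory SQLite database and constructed rows so it runs offline; the radcheck columns, the Cleartext-Password item with the MAC as its value, and the 1200-second limit (taken from the 20 minutes in the guest Reply-Message) are assumptions.

```php
<?php
// Added example: table and group names follow the thread; TRIAL_SECONDS and
// the Cleartext-Password check item are assumptions.
const TRIAL_SECONDS = 1200; // the 20 minutes quoted in the guest Reply-Message
// mac= arrives in the query string, so it is client-controlled input:
// accept exactly six hex octets and store one canonical spelling.
function normaliseMac(string $raw): ?string {
    $ok = preg_match('/^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$/', $raw);
    return $ok ? strtoupper(str_replace(':', '-', $raw)) : null;
}

// Returns the group the MAC ends up in, or null when the input is rejected.
function guestGroupFor(PDO $db, string $rawMac): ?string {
    if (($mac = normaliseMac($rawMac)) === null) return null;
    $q = $db->prepare('SELECT GroupName FROM usergroup WHERE UserName = ?');
    $q->execute([$mac]);
    $group = $q->fetchColumn();
    if ($group === false) { // first sighting: create the per-device guest
        $db->beginTransaction();
        $db->prepare("INSERT INTO radcheck (UserName, Attribute, op, Value)
                      VALUES (?, 'Cleartext-Password', ':=', ?)")->execute([$mac, $mac]);
        $db->prepare("INSERT INTO usergroup (UserName, GroupName)
                      VALUES (?, 'guest')")->execute([$mac]);
        $db->commit();
        return 'guest';
    }
    if ($group === 'guest') { // known guest: has the trial time been used up?
        $q = $db->prepare('SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?');
        $q->execute([$mac]);
        if ((int)$q->fetchColumn() >= TRIAL_SECONDS) {
            $db->prepare("UPDATE usergroup SET GroupName = 'expGuest'
                          WHERE UserName = ?")->execute([$mac]);
            return 'expGuest';
        }
    }
    return $group; // registered, punished or expired accounts are left alone
}

// Constructed demo: in-memory SQLite stands in for the MySQL radius database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
           CREATE TABLE usergroup (UserName TEXT UNIQUE, GroupName TEXT);
           CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)');
var_dump(guestGroupFor($db, '00:1a:2b:3c:4d:5e'));  // new device
$db->exec("INSERT INTO radacct VALUES ('00-1A-2B-3C-4D-5E', 1500)"); // 25 minutes used
var_dump(guestGroupFor($db, '00-1A-2B-3C-4D-5E'));  // same device, later
var_dump(guestGroupFor($db, 'not-a-mac'));          // malformed input
```

Only closed sessions count here if radacct rows are written at Accounting-Stop, so the Session-Timeout in the group reply is what bounds a single long guest session.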

2 (edited by oceanhippie 2009-05-23 11:17:18)

Re: Guest Signup Period followed by login only.

I've cleaned up the above and included the code to be added to hotspotlogin.php and put it on my site.

It's here: http://www.oceanhippie.net/content.php? … p;Res=1190

The above could be adapted to provide a trial period.

Re: Guest Signup Period followed by login only.

Could you help me?

I have a lot of questions here:

1) How did you set which user to which group? I don't see any SQL table that could connect radcheck?

2) How did you force the user to disconnect?

Re: Guest Signup Period followed by login only.

Need more help on this. Can't seem to use the radusergroup table still. Am I doing something wrong? Or is there a special configuration?

Re: Guest Signup Period followed by login only.

Err, not sure; enable groups as the guy above says and create the table. Then restart Radius.

As to the logging off - I didn't disconnect them, I merely set a login time in radgroupreply; guests get logged off after half an hour anyway. Users after an hour, I think. Stops the little B****ers leaving filesharing apps on all night.

For the observant of you who spotted I'd ballsed up the full version of this post on my website, I've fixed it.....

http://www.oceanhippie.net/content.php?Cat=1&Res=1190

Tom