UAM authentication (Router mode)



Description

The device is configured to work as a network router. A client associates to the wireless interface. When the user starts a web browser and tries to browse the Internet, the request is redirected to the UAM login page. The user can browse the Internet only after successful authentication against the RADIUS server.

Network topology

Image:Router.gif


Configuration sample

############################################################
 # WILIBOX UAB configuration file
 # Hardware: x86 family (Wrap2c, Wistron RDAT-81, Compex WP54(A)G)
 # Authentication: internal UAM login page
 # Last updated: 2007-10-18
 # Comments are full-line "#" comments; keys are dotted names with
 # "=" and no surrounding spaces. Do not add trailing comments to
 # value lines.
 ############################################################
 
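 # Section: aaa
 # AAA instance 1 runs the UAM captive portal on the wireless
 # interface (ath0) and treats eth0 as the uplink. The profile
 # names are cross-references between groups:
 #   aaa.1.nas.1.profile        -> aaa.nas.1.name
 #   aaa.nas.1.auth.1.profile   -> aaa.uam.1.name
 #   aaa.nas.1.domain.1.profile -> aaa.domain.1.name
 #   aaa.domain.1.auth.1.profile -> aaa.auth.1.name
 aaa.status=enabled
 aaa.1.status=enabled
 aaa.1.devname=ath0
 aaa.1.name=UAM_ON_ath0
 aaa.1.nas.1.status=enabled
 aaa.1.nas.1.profile=NAS_UAM_PROFILE
 aaa.1.wan.1.status=enabled
 aaa.1.wan.1.devname=eth0

 # RADIUS authentication server profile.
 # PAP: the user's password travels to the RADIUS server protected
 # only by the shared secret, so keep the device-to-RADIUS path on a
 # trusted network.
 aaa.auth.1.status=enabled
 aaa.auth.1.authtype=PAP
 # USE YOUR RADIUS SERVER IP ADDRESS
 # RADIUS server should be accessible from device
 aaa.auth.1.host=192.168.2.182
 aaa.auth.1.name=AUTH_SERVER
 # USE YOUR RADIUS SERVER SECRET
 # testing123 is the widely published default of common RADIUS test
 # setups and must be replaced with a long, unique secret before the
 # device goes live.
 aaa.auth.1.secret=testing123
 # Keep the realm part of user names when sending them to RADIUS.
 aaa.auth.1.stripdomain=disabled

 # Domain profile: maps users to the authentication server above.
 aaa.domain.1.status=enabled
 aaa.domain.1.name=DOMAIN_PROFILE
 aaa.domain.1.auth.1.status=enabled
 aaa.domain.1.auth.1.profile=AUTH_SERVER

 # NAS profile: the captive-portal gate on ath0.
 # Accounting is enabled; firewall rules 7 and 8 (acct.in / acct.out)
 # appear to be the counters it relies on — confirm.
 aaa.nas.1.status=enabled
 aaa.nas.1.acct.status=enabled
 aaa.nas.1.auth.status=enabled
 aaa.nas.1.auth.1.status=enabled
 aaa.nas.1.auth.1.type=uam
 aaa.nas.1.auth.1.profile=LOCAL_PAGES_PROFILE
 aaa.nas.1.devname=ath0
 aaa.nas.1.domain.1.status=enabled
 aaa.nas.1.domain.1.profile=DOMAIN_PROFILE
 aaa.nas.1.domain.default=1
 # Authenticated-client limit. The wireless section allows 16
 # associations, so up to four associated clients could be unable to
 # authenticate — confirm this is intended.
 aaa.nas.1.maxclients=12
 aaa.nas.1.name=NAS_UAM_PROFILE
 # No additional NAS-level security; the captive portal is the only gate.
 aaa.nas.1.security.type=none
 # Verbose NAS logging; see the syslog section for where it ends up.
 aaa.nas.1.verbose=enabled

 # UAM profile: the login page is served by the local httpd over HTTPS
 # (httpd.port.https=443); firewall rule 5 admits that port from ath0.
 # %lanip looks like a placeholder the device substitutes with its LAN
 # address — confirm against the device documentation.
 aaa.uam.1.status=enabled
 aaa.uam.1.name=LOCAL_PAGES_PROFILE
 aaa.uam.1.loginurl=https://%lanip/uam/login.cgi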
 
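 # Section: netconf
 netconf.status=enabled

 # Device WAN interface settings (eth0, uplink side): 192.168.30.2/24.
 # The default-route gateway 192.168.30.100 in the route section lies
 # in this subnet, and firewall rule 9 SNATs hotspot traffic to this
 # address.
 netconf.1.status=enabled
 netconf.1.alias.status=disabled
 netconf.1.devname=eth0
 netconf.1.ip=192.168.30.2
 netconf.1.mode=wan
 netconf.1.netmask=255.255.255.0
 netconf.1.promisc=disabled
 netconf.1.type=ethernet
 netconf.1.up=enabled

 # Device WLAN interface settings (ath0, hotspot side): 192.168.199.1/24.
 # This is also the address the login page is reached at (firewall
 # rule 5 dst). No DHCP server settings appear in this sample, so how
 # clients obtain an address is configured elsewhere or statically —
 # confirm.
 netconf.2.status=enabled
 netconf.2.alias.status=disabled
 netconf.2.devname=ath0
 netconf.2.ip=192.168.199.1
 netconf.2.mode=lan
 netconf.2.netmask=255.255.255.0
 netconf.2.promisc=disabled
 netconf.2.type=wireless
 netconf.2.up=enabled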
 
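 # Section: radio
 radio.status=enabled

 # Radio is configured to work in B/G mode, channel 6, as an access
 # point (Master). Automatic channel selection is off, so the channel
 # below is fixed.
 radio.1.status=enabled
 radio.1.autochannel.status=disabled
 radio.1.channel=6
 radio.1.devname=ath0
 # fragmentation and RTS thresholds disabled
 radio.1.frag=off
 radio.1.ieee_mode=G
 radio.1.mode=Master
 # rate selection is automatic, capped at 54M
 radio.1.rate.auto=enabled
 radio.1.rate.max=54M
 radio.1.rts=off
 # transmit power; units are not stated in this sample — confirm
 # against the device documentation
 radio.1.txpower=5
 # regulatory domain; must match the country of deployment
 radio.countrycode=LT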
 
 
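 # Section: wireless
 wireless.status=enabled

 # Wireless settings
 # Open SSID: the captive portal, not the link layer, gates access.
 # Traffic between client and access point is therefore not encrypted
 # over the air; only the HTTPS login page protects the credentials
 # themselves.
 wireless.1.security=none
 wireless.1.ssid=2_tester
 wireless.1.ssid_broadcast=enabled
 wireless.1.status=enabled
 wireless.1.devname=ath0
 # With isolation disabled, associated clients can reach each other at
 # layer 2, including clients that have not authenticated yet. Enabling
 # it is the usual hardening for a public hotspot when clients do not
 # need to talk to each other.
 wireless.1.l2_isolation=disabled
 # Association limit; note aaa.nas.1.maxclients is 12, so up to four
 # associated clients could be unable to authenticate — confirm intended.
 wireless.1.max_clients=16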
 
 
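 # Section: route
 route.status=enabled
 # Default route (0.0.0.0/0) via the gateway on the uplink side.
 route.1.status=enabled
 # NOTE(review): the WAN interface in netconf is eth0 and the gateway
 # below lies in eth0's subnet, yet this route is bound to eth1 —
 # confirm whether eth1 is intended or this should read eth0.
 route.1.devname=eth1
 # USE YOUR GATEWAY IP ADDRESS
 route.1.gateway=192.168.30.100
 route.1.ip=0.0.0.0
 route.1.netmask=0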
 
 
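 # Section: httpd
 # Local web server: serves the UAM login page over HTTPS (443) and the
 # administration interface (444). "external" disabled appears to keep
 # the web interface off the WAN side — confirm. Firewall rule 5 admits
 # both ports from ath0, so the administration interface is reachable
 # from unauthenticated wireless clients; the admin password in the
 # users section is the only gate there.
 httpd.status=enabled
 httpd.backlog=100
 httpd.external.status=disabled
 httpd.max.connections=50
 # maximum request size; units not stated (presumably bytes) — confirm
 httpd.max.request=51200
 httpd.port.admin=444
 httpd.port.https=443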
 
 
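 # Section: resolv
 # DNS resolver used by the device itself. The address below lies
 # outside both configured subnets, so it is reached via the default
 # route. Firewall rules 1 and 2 separately let clients reach port 53
 # before authentication.
 resolv.status=enabled
 resolv.nameserver.1.status=enabled
 # USE YOUR DNS SERVER IP ADDRESS
 resolv.nameserver.1.ip=195.14.162.78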
 
 
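 # Section: sshd
 # SSH management access on the standard port. No firewall rule in this
 # sample restricts which interface it is reachable from — confirm the
 # device's default policy for the hotspot side, and keep the admin
 # password strong (see the users section).
 sshd.status=enabled
 sshd.port=22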
 
 
 # Section: syslog
 syslog.status=enabled

 # Local log file at debug level. The file is created with umask 077,
 # so only the owner can read it; debug-level logs from the NAS
 # (aaa.nas.1.verbose) may include client details, so keep it that way.
 syslog.file=/var/log/messages
 syslog.file.msg.level=debug
 syslog.file.umask=077

 # Forwarding to a remote syslog host is off; if enabled, messages at
 # info level and above would be sent.
 syslog.fwd.status=disabled
 syslog.fwd.msg.level=info

 # RCMS alarm reporting is off; level would be info if enabled.
 syslog.rcms.alarm.status=disabled
 syslog.rcms.alarm.level=info

 # Rotate the local file once it reaches 102400 (units not stated in
 # this sample, presumably bytes).
 syslog.rotate.status=enabled
 syslog.rotate.at.size=102400
 
 
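 # Section: users
 users.status=enabled
 # Administrative account for the web interface (and presumably SSH —
 # confirm).
 users.1.status=enabled
 users.1.name=admin
 # Stored in the 13-character form of traditional DES crypt(3). This
 # sample hash is public and the scheme is weak, so set a new admin
 # password on the device before deployment, and do not reuse the
 # RADIUS secret for it.
 users.1.password=oHSl3yqR.t1uQ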
 
 
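 # Section: firewall
 # Each firewall.rule.N.* group is one rule. Keys are written in the
 # same order for every rule (table, chain, match fields, target) so
 # the rule set is easy to diff. "auth=not-auth" matches traffic from
 # clients that have not passed UAM authentication; "acct.in" and
 # "acct.out" appear to feed the accounting enabled in aaa.nas.1.acct —
 # confirm.
 firewall.status=enabled

 # DNS: name resolution is allowed before authentication so the client
 # browser can resolve the site whose request triggers the redirect.
 firewall.rule.1.table=nat
 firewall.rule.1.chain=PREROUTING
 firewall.rule.1.protocol=TCP
 firewall.rule.1.dport=53
 firewall.rule.1.target=ACCEPT

 firewall.rule.2.table=nat
 firewall.rule.2.chain=PREROUTING
 firewall.rule.2.protocol=UDP
 firewall.rule.2.dport=53
 firewall.rule.2.target=ACCEPT

 # DHCP: allowed before authentication so clients can obtain an address.
 # DHCP itself runs over UDP (rule 4); the TCP rule is harmless but
 # redundant.
 firewall.rule.3.table=nat
 firewall.rule.3.chain=PREROUTING
 firewall.rule.3.protocol=TCP
 firewall.rule.3.dport=67:68
 firewall.rule.3.target=ACCEPT

 firewall.rule.4.table=nat
 firewall.rule.4.chain=PREROUTING
 firewall.rule.4.protocol=UDP
 firewall.rule.4.dport=67:68
 firewall.rule.4.target=ACCEPT

 # Allows wireless clients to reach the local login page (443) and the
 # administration interface (444) before authentication. If the
 # administration interface need not be reachable from the hotspot
 # side, narrowing dport to 443 reduces what unauthenticated clients
 # can reach — confirm what the login flow requires.
 firewall.rule.5.table=nat
 firewall.rule.5.chain=PREROUTING
 firewall.rule.5.protocol=TCP
 firewall.rule.5.in=ath0
 firewall.rule.5.dport=443:444
 # This sample uses a static LAN IP (netconf.2.ip), so the dst match
 # below is active. If the device obtains its address from a DHCP
 # client instead, comment this line out (see rule 10 below).
 firewall.rule.5.dst=192.168.199.1
 firewall.rule.5.target=ACCEPT

 # Not-authenticated clients' TCP traffic from ath0 is redirected to
 # local port 38080, presumably the UAM redirector that sends the
 # browser to the login page — confirm.
 firewall.rule.6.table=nat
 firewall.rule.6.chain=PREROUTING
 firewall.rule.6.protocol=TCP
 firewall.rule.6.in=ath0
 firewall.rule.6.auth=not-auth
 firewall.rule.6.auth.in=ath0
 firewall.rule.6.target=REDIRECT
 firewall.rule.6.t.redirect.port=38080

 # Accounting: count traffic entering (rule 7) and leaving (rule 8) the
 # hotspot interface.
 firewall.rule.7.table=mangle
 firewall.rule.7.chain=PREROUTING
 firewall.rule.7.acct.in=ath0

 firewall.rule.8.table=mangle
 firewall.rule.8.chain=POSTROUTING
 firewall.rule.8.acct.out=ath0

 # Source-NAT hotspot traffic leaving the WAN interface to the WAN
 # address (matches netconf.1.ip).
 firewall.rule.9.table=nat
 firewall.rule.9.chain=POSTROUTING
 firewall.rule.9.out=eth0
 firewall.rule.9.target=SNAT
 firewall.rule.9.t.snat.source=192.168.30.2

 # Rule 10 appears to be the counterpart of rule 5's dst match for the
 # DHCP-client case. It is kept commented out because this sample uses
 # a static IP; when the device gets its address from a DHCP client,
 # uncomment these lines and comment out rule 5's dst line.
 #firewall.rule.10.table=nat
 #firewall.rule.10.chain=POSTROUTING
 #firewall.rule.10.protocol=TCP
 #firewall.rule.10.out=ath0
 #firewall.rule.10.dport=443:444
 #firewall.rule.10.auth=not-auth
 #firewall.rule.10.auth.out=ath0
 #firewall.rule.10.target=DROP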

internal_uam_router_x86.cfg
