UAM authentication (Bridge mode)
Description
The device is configured to work as a network bridge. A client associates to the wireless interface. When the user starts a web browser and tries to surf the internet, they are redirected to the UAM login page. The user can browse the internet only after successful authentication with the RADIUS server.
Network topology
Configuration sample
######################################################
# Configuration file created by WILIBOX UAB
# HW: XScale family (Lanready AP1000, Gateworks AVILA)
# Authentication: Internal UAM login page
# Updated: 2007-10-18
######################################################
# NOTE(review): this is a published sample. Every credential and address in it
# (RADIUS secret, admin password hash, IPs) is a placeholder and must be
# replaced before the file is loaded on a real device.
# Section: aaa
aaa.status=enabled
aaa.1.status=enabled
# The AAA instance is bound to the bridge, so every bridge port (ath0, ixp0, ixp1) is covered.
aaa.1.devname=br0
aaa.1.name=UAM_ON_BR0
aaa.1.nas.1.status=enabled
aaa.1.nas.1.profile=NAS_UAM_PROFILE
aaa.1.wan.1.status=enabled
aaa.1.wan.1.devname=ixp1
aaa.auth.1.status=enabled
# NOTE(review): with PAP the user's password is forwarded to the RADIUS server and is
# protected on the wire only by the RADIUS shared secret; keep the path to the RADIUS
# server on a trusted segment (or tunnel it) rather than across an open network.
aaa.auth.1.authtype=PAP
# USE YOUR RADIUS SERVER IP ADDRESS
aaa.auth.1.host=192.168.2.182
aaa.auth.1.name=AUTH_SERVER
# USE YOUR RADIUS SERVER SECRET
# NOTE(review): "testing123" is a well-known default; use a long, random secret that is
# unique to this NAS, so a compromise of one device does not expose the others.
aaa.auth.1.secret=testing123
aaa.auth.1.stripdomain=disabled
aaa.domain.1.status=enabled
aaa.domain.1.name=DOMAIN_PROFILE
aaa.domain.1.auth.1.status=enabled
aaa.domain.1.auth.1.profile=AUTH_SERVER
aaa.nas.1.status=enabled
aaa.nas.1.acct.status=enabled
aaa.nas.1.auth.status=enabled
aaa.nas.1.auth.1.status=enabled
aaa.nas.1.auth.1.type=uam
aaa.nas.1.auth.1.profile=LOCAL_PAGES_PROFILE
aaa.nas.1.devname=ath0
aaa.nas.1.domain.1.status=enabled
aaa.nas.1.domain.1.profile=DOMAIN_PROFILE
aaa.nas.1.domain.default=1
# Upper bound on simultaneously authenticated clients on this NAS (wireless.1.max_clients
# below is 16, so the radio admits more stations than the NAS will authenticate).
aaa.nas.1.maxclients=12
aaa.nas.1.name=NAS_UAM_PROFILE
# NOTE(review): "none" means no link-layer security on the NAS side; UAM only authenticates,
# it does not encrypt client traffic. Pair it with link-layer encryption where the firmware
# and the deployment allow it.
aaa.nas.1.security.type=none
# Presumably enables verbose NAS logging — confirm; combined with syslog level "debug"
# below this can write client details to the log file.
aaa.nas.1.verbose=enabled
aaa.uam.1.status=enabled
aaa.uam.1.name=LOCAL_PAGES_PROFILE
# Login page is served over HTTPS from the device itself; %lanip presumably expands to
# the br0 address (confirm). Clients will validate the device certificate, so install
# one they trust or expect a browser warning at login.
aaa.uam.1.loginurl=https://%lanip/uam/login.cgi
# Section: netconf
netconf.status=enabled
netconf.1.status=enabled
netconf.1.alias.status=disabled
# Physical interfaces carry no IP of their own; the address lives on br0 (netconf.4).
netconf.1.devname=ixp1
netconf.1.ip=0.0.0.0
netconf.1.mode=wan
netconf.1.netmask=255.255.255.0
netconf.1.promisc=disabled
netconf.1.type=ethernet
netconf.1.up=enabled
netconf.2.status=enabled
netconf.2.alias.status=disabled
netconf.2.devname=ixp0
netconf.2.ip=0.0.0.0
netconf.2.mode=lan
netconf.2.netmask=255.255.255.0
netconf.2.promisc=disabled
netconf.2.type=ethernet
netconf.2.up=enabled
netconf.3.status=enabled
netconf.3.alias.status=disabled
netconf.3.devname=ath0
netconf.3.ip=0.0.0.0
netconf.3.mode=lan
netconf.3.netmask=255.255.255.0
netconf.3.promisc=disabled
netconf.3.type=wireless
netconf.3.up=enabled
netconf.4.status=enabled
netconf.4.alias.status=disabled
netconf.4.devname=br0
# USE YOUR STATIC IP ADDRESS
# This is the management address; firewall.rule.5.dst below must match it.
netconf.4.ip=192.168.30.50
netconf.4.netmask=255.255.255.0
netconf.4.promisc=disabled
netconf.4.up=enabled
# Section: radio
radio.status=enabled
radio.1.status=enabled
radio.1.autochannel.status=disabled
radio.1.channel=6
radio.1.devname=ath0
radio.1.frag=off
radio.1.ieee_mode=G
# Master = access-point mode.
radio.1.mode=Master
radio.1.rate.auto=enabled
radio.1.rate.max=54M
radio.1.rts=off
radio.1.txpower=5
# Regulatory domain of the sample (Lithuania); set the code for your jurisdiction.
radio.countrycode=LT
# Section: wireless
wireless.status=enabled
# NOTE(review): open SSID — over-the-air traffic, including everything sent after UAM
# login, is unencrypted. See the note on aaa.nas.1.security.type.
wireless.1.security=none
wireless.1.ssid=2_slimtest
wireless.1.ssid_broadcast=enabled
wireless.1.status=enabled
wireless.1.devname=ath0
# With L2 isolation disabled, associated stations can talk to each other directly;
# enabling it is a cheap hardening step on a public hotspot if the firmware allows.
wireless.1.l2_isolation=disabled
wireless.1.max_clients=16
# Section: route
route.status=enabled
route.1.status=enabled
route.1.devname=br0
# USE YOUR GATEWAY IP ADDRESS
route.1.gateway=192.168.30.100
# 0.0.0.0/0 — default route.
route.1.ip=0.0.0.0
route.1.netmask=0
# Section: httpd
httpd.status=enabled
httpd.backlog=100
# Presumably keeps the admin web UI off the WAN-facing side — confirm the semantics.
httpd.external.status=disabled
httpd.max.connections=50
httpd.max.request=51200
# Admin UI on 444, UAM login pages on 443; both are opened pre-authentication by
# firewall.rule.5 (dport=443:444) below.
httpd.port.admin=444
httpd.port.https=443
# Section: bridge
bridge.status=enabled
bridge.1.status=enabled
bridge.1.devname=br0
bridge.1.fd=1
bridge.1.port.1.status=enabled
bridge.1.port.1.devname=ath0
bridge.1.port.2.status=enabled
bridge.1.port.2.devname=ixp0
bridge.1.port.3.status=enabled
bridge.1.port.3.devname=ixp1
bridge.1.stp.status=disabled
# Section: dhcpc
# CHANGE TO DISABLED IF NO DHCP CLIENT IS USED
# The sample uses a static address (netconf.4.ip), so the client is disabled;
# the firewall comments on rule 5 and rule 9 assume this same choice.
dhcpc.status=disabled
dhcpc.1.status=enabled
dhcpc.1.devname=br0
# Section: resolv
resolv.status=enabled
resolv.nameserver.1.status=enabled
# USE YOUR DNS SERVER IP ADDRESS
resolv.nameserver.1.ip=193.189.87.121
# Section: sshd
# NOTE(review): no INPUT-chain rules appear in this sample, so whether SSH is reachable
# from unauthenticated clients depends on the firmware's defaults — confirm, and restrict
# management access to a trusted network if it is not.
sshd.status=enabled
sshd.port=22
# Section: syslog
syslog.status=enabled
syslog.file=/var/log/messages
# NOTE(review): debug-level logging may record client and credential details; lower it
# for production and keep the restrictive umask below.
syslog.file.msg.level=debug
syslog.file.umask=077
syslog.fwd.status=disabled
syslog.fwd.msg.level=info
syslog.rcms.alarm.status=disabled
syslog.rcms.alarm.level=info
syslog.rotate.status=enabled
syslog.rotate.at.size=102400
# Section: users
users.status=enabled
users.1.status=enabled
users.1.name=admin
# NOTE(review): this hash is published with the sample and must be treated as known;
# set a new admin password on every device built from this file.
users.1.password=oHSl3yqR.t1uQ
# Section: firewall
firewall.status=enabled
# Default-deny for bridged traffic; only the explicit FORWARD rules below let packets through.
firewall.filter.FORWARD.policy=DROP
# Rules 1-4: DNS (53) and DHCP (67:68) bypass the captive-portal redirect so that clients
# can obtain an address and resolve names before logging in.
firewall.rule.1.table=nat
firewall.rule.1.chain=PREROUTING
firewall.rule.1.protocol=TCP
firewall.rule.1.dport=53
firewall.rule.1.target=ACCEPT
firewall.rule.2.table=nat
firewall.rule.2.chain=PREROUTING
firewall.rule.2.protocol=UDP
firewall.rule.2.dport=53
firewall.rule.2.target=ACCEPT
firewall.rule.3.table=nat
firewall.rule.3.chain=PREROUTING
firewall.rule.3.protocol=TCP
firewall.rule.3.dport=67:68
firewall.rule.3.target=ACCEPT
firewall.rule.4.table=nat
firewall.rule.4.chain=PREROUTING
firewall.rule.4.protocol=UDP
firewall.rule.4.dport=67:68
firewall.rule.4.target=ACCEPT
# Rule 5: let unauthenticated clients reach the device's own HTTPS ports so the login
# page (443) can be served.
# NOTE(review): the range also includes the admin UI port (444), so the admin login is
# reachable before authentication; narrow the range to 443 unless pre-auth admin
# access is intended.
firewall.rule.5.table=nat
firewall.rule.5.chain=PREROUTING
firewall.rule.5.protocol=TCP
firewall.rule.5.in=br0
firewall.rule.5.dport=443:444
#If static IP is used and no DHCP client enabled then uncomment this line
firewall.rule.5.dst=192.168.30.50
firewall.rule.5.target=ACCEPT
# Rule 6: all other TCP from not-yet-authenticated clients is redirected to local port
# 38080 — presumably the listener that sends the browser to aaa.uam.1.loginurl (confirm).
firewall.rule.6.table=nat
firewall.rule.6.chain=PREROUTING
firewall.rule.6.protocol=TCP
firewall.rule.6.in=br0
firewall.rule.6.auth=not-auth
firewall.rule.6.auth.in=br0
firewall.rule.6.target=REDIRECT
firewall.rule.6.t.redirect.port=38080
# Rules 7-8: presumably per-client accounting hooks on the bridge (acct.in / acct.out) — confirm.
firewall.rule.7.table=mangle
firewall.rule.7.chain=PREROUTING
firewall.rule.7.acct.in=br0
firewall.rule.8.table=mangle
firewall.rule.8.chain=POSTROUTING
firewall.rule.8.acct.out=br0
#If static IP is used and no DHCP client enabled then comment these lines
#firewall.rule.9.table=nat
#firewall.rule.9.chain=POSTROUTING
#firewall.rule.9.protocol=TCP
#firewall.rule.9.out=br0
#firewall.rule.9.dport=443:444
#firewall.rule.9.auth=not-auth
#firewall.rule.9.auth.out=br0
#firewall.rule.9.target=DROP
## FORWARD chain allows packets between bridge interfaces IFF sta
## was authenticated. Otherwise does 'DROP' as per default FORWARD
## chain policy.
##
firewall.rule.10.table=filter
firewall.rule.10.chain=FORWARD
firewall.rule.10.auth.in=br0
firewall.rule.10.target=ACCEPT
firewall.rule.11.table=filter
firewall.rule.11.chain=FORWARD
firewall.rule.11.auth.out=br0
firewall.rule.11.target=ACCEPT
# Rules 12-17: DHCP and DNS are forwarded regardless of authentication state.
# NOTE(review): because port-53 traffic to any destination is forwarded pre-auth,
# the walled garden can be bypassed over DNS; limiting rules 14-17 to the configured
# resolver (a dst restriction, as rule 5 does with dst=) closes most of that gap —
# confirm the key is honoured in the filter table.
firewall.rule.12.table=filter
firewall.rule.12.chain=FORWARD
firewall.rule.12.protocol=UDP
firewall.rule.12.dport=67:68
firewall.rule.12.target=ACCEPT
firewall.rule.13.table=filter
firewall.rule.13.chain=FORWARD
firewall.rule.13.protocol=TCP
firewall.rule.13.dport=67:68
firewall.rule.13.target=ACCEPT
firewall.rule.14.table=filter
firewall.rule.14.chain=FORWARD
firewall.rule.14.protocol=UDP
firewall.rule.14.dport=53
firewall.rule.14.target=ACCEPT
firewall.rule.15.table=filter
firewall.rule.15.chain=FORWARD
firewall.rule.15.protocol=UDP
firewall.rule.15.sport=53
firewall.rule.15.target=ACCEPT
firewall.rule.16.table=filter
firewall.rule.16.chain=FORWARD
firewall.rule.16.protocol=TCP
firewall.rule.16.dport=53
firewall.rule.16.target=ACCEPT
firewall.rule.17.table=filter
firewall.rule.17.chain=FORWARD
firewall.rule.17.protocol=TCP
firewall.rule.17.sport=53
firewall.rule.17.target=ACCEPT

