CoovaRADIUS Server - Amazon Web Services
Coova Technologies, LLC
CoovaRADIUS Server
www.coova.com
February 4, 2011
Copyright (c) Coova Technologies, LLC

Contents

1 Installing CoovaRADIUS Server
  1.1 General Installation
    1.1.1 Server Setup Web Interface
    1.1.2 Install License
    1.1.3 Starting and Stopping
    1.1.4 Change Admin Password
  1.2 Installation on Ubuntu
  1.3 Installation on MacOS X
  1.4 Installation on Windows
  1.5 VMWare & LiveCD (openSUSE) Appliance Setup
  1.6 Using with MySQL
  1.7 Using with BIRT Reporting
  1.8 Virtual Private Network (VPN)
  1.9 Installation Notes
2 Administration Web Interfaces
  2.1 Setup Web Interface
  2.2 Main Web Interface
  2.3 JSON API Interface
3 Embedded Captive Portal
  3.1 Customizing the Captive Portal
  3.2 An Example
  3.3 Auto-Login Redirection Handler
  3.4 Adding static content
  3.5 Using with SSL
4 External Captive Portals
  4.1 Drupal Installation in openSUSE Appliance
  4.2 Installing Drupal Modules
  4.3 CoovaRADIUS Integration
  4.4 Example configuration: Members only
  4.5 Example configuration: Selling access
5 Data Model Overview
  5.1 Realms
    5.1.1 Realm Routes
  5.2 Users
    5.2.1 Administrative-User
  5.3 Client Devices
    5.3.1 Authorizing Client Devices
    5.3.2 Banning Client Devices
  5.4 Networks
  5.5 Access Points
  5.6 Access Policies
  5.7 Access Codes
  5.8 Network User Access
  5.9 Network Realm Access
  5.10 Access Controllers
  5.11 Attributes
  5.12 Named Values
  5.13 X509 Management
  5.14 Configuration
6 Testing with JRadiusSimulator
  6.1 Basic Configuration
  6.2 Adding RADIUS Attributes
  6.3 Running Simulations
  6.4 Testing against CoovaRADIUS
  6.5 Testing EAP-TLS and RadSec
  6.6 Example Session Log
7 Working with CoovaEWT, Firmware, and CoovaRADIUS
  7.1 Using CoovaEWT in CoovaFX
  7.2 Switching to CoovaRADIUS
8 Configuring Access Points
  8.1 CoovaChilli
  8.2 CoovaAP 1.x
  8.3 CoovaAP 2.x “Dashboard”
  8.4 Open-mesh
  8.5 Ubiquiti
  8.6 Colubris / HP Procurve
    8.6.1 PPTP VPN Tunnel (Optional)
    8.6.2 RADIUS Profile
    8.6.3 Virtual Service Communities
    8.6.4 Public Access Attributes
    8.6.5 CoovaRADIUS Configuration
  8.7 MikroTik Setup
    8.7.1 Basic Network Setup
    8.7.2 PPTP VPN Tunnel (Optional)
    8.7.3 DNS
    8.7.4 RADIUS
    8.7.5 Installing SSL Certificate
    8.7.6 Hotspot Server Profile
    8.7.7 Hotspot Walled Garden
9 API, GUI, & Web Services
  9.1 CoovaEWT
  9.2 EWT Tables
    9.2.1 Searching Records
    9.2.2 Adding Records
    9.2.3 Updating Records
    9.2.4 Deleting Records
  9.3 EWT Permissions
10 Data Services - API
  10.1 Naming
  10.2 EWT Table Services
  10.3 Other EWT Services
    10.3.1 coova-users
    10.3.2 coova-network
  10.4 EWT PHP Client
  10.5 Examples
11 Google Maps
  11.1 Configure API Key
  11.2 Geo Coordinate Administration
  11.3 Administration in Drupal
  11.4 Public Map in Drupal
  11.5 Map Info Window
12 Other Topics
  12.1 Working with iPass
    12.1.1 RADIUS VPN Tunnel
    12.1.2 CoovaRADIUS Realm & Route
13 About Coova Technologies
14 Licensing
  14.1 Coova Software License
  14.2 Third Party Licenses
  14.3 Third Party Notices

(c) 2010 Coova Technologies, LLC

1 Installing CoovaRADIUS Server

The CoovaRADIUS Server is pure Java and is able to run on any popular operating system. If your system is not listed yet, ask us and we will look into packaging a version for it. In general, we suggest Ubuntu/Debian or another popular Linux distribution, which makes installing Apache and Drupal a bit easier.

1.1 General Installation

The CoovaRADIUS Server has been packaged for easy installation onto several different operating systems. There are some system-dependent variations in where files are stored and how the server is started. In general, you will find the application has a directory containing the Java jar files, a data directory where configuration files and the embedded Derby database are stored, a launch script or program, and a directory containing licensing information.

From the License Server, download the distribution for your operating system. Then cut-and-paste the license key somewhere safe. You will need it during the installation process.
1.1.1 Server Setup Web Interface

After installing CoovaRADIUS following the operating-system-specific instructions for Ubuntu (section 1.2), Mac OS X (section 1.3), Windows (section 1.4), or VMWare/LiveCD (section 1.5), the setup is the same. An administrative web interface is available on “localhost” port 2080. Use the default administrator username admin and password admin.

    http://localhost:2080/

The first time you start CoovaRADIUS, it may take a few minutes longer as it creates the database. Click the Refresh button to update the screen.

1.1.2 Install License

Click on the License tab and enter the license you saved from the License Server. Click on Add License and your changes will be saved. Go back to the Database Setup tab to Stop and Start the server for the license to take effect.

1.1.3 Starting and Stopping

On the main tab in the setup interface, you have the options to Stop the running RADIUS services and to Shutdown the entire server. When installing a new license key, you want to Stop the RADIUS services. With the RADIUS service stopped, the database setup form is displayed. With the trial license, the only database option is the embedded Java Derby database. Click Start to have the RADIUS services start up.

When running, a login form is shown. Use this form to log in to the CoovaRADIUS administrative interface. The default username / password is admin / admin. After logging into the CoovaRADIUS interface, you can always return to this setup screen simply by reloading the current page in your browser. This will end the login session and return you to this screen.

Once logged in, if you are using a trial license, you will be prompted with a message linking to where you can update your license with a purchased license. Purchase a license, where you can either set your own RADIUS shared secret or have one generated for you, at:

    https://license.coova.net/

The license is valid for a single RADIUS shared secret and on a single production server.

1.1.4 Change Admin Password

Be sure to change the admin password. Do this under the Users tab. Select the admin user and click the Edit button. Edit the user, changing only the password (do not delete this user or give it a Realm). Click Save when done to commit your changes.

Note: You will have to reload your browser at this point, since the password used to access the site has changed.

1.2 Installation on Ubuntu

Download the Ubuntu version from the Licensing Server. Save the Debian package to your system and run the following command:

    sudo dpkg -i CoovaRADIUS_1.0.1.deb

The following directories and files are installed by the package:

    File or Directory               Description
    /etc/init.d/coova-radius        CoovaRADIUS init script
    /usr/bin/coova-radius           Script that launches CoovaRADIUS and opens the admin interface in a browser
    /usr/bin/radius-simulator       Script to launch the JRadius Simulator application
    /usr/share/java/com.coova/      Directory where all Java jar files are placed
    /var/lib/coova-radius/          Directory where CoovaRADIUS puts all data (including the Derby database)
    /usr/share/doc/coova-radius/    Directory where all documentation and licenses are placed

The /usr/bin/coova-radius script can be run from the command line. If the CoovaRADIUS server is not currently running, and the script is being run as the user root or coova, then the server is started.
When the server is already running, the coova-radius script will launch the administration program (which is a Firefox / XULRunner application).

1.3 Installation on MacOS X

Download the Apple download option from the Licensing Server. Unzip the distribution file and it will create a “Coova” directory containing two MacOS X applications. Keep the applications together in the same directory. To start the CoovaRADIUS service, launch the CoovaRADIUS.app program. This will also bring up the localhost administration interface in your browser.

To access the files in CoovaRADIUS.app, right-click on the application icon and select Show Package Contents. The Data/ directory is where CoovaRADIUS will store the embedded Derby database and other files, while the Contents directory contains the core application.

1.4 Installation on Windows

Download the Windows version from the Licensing Server. Unzip the distribution file to your Desktop. The archive will expand into a directory called “Coova” and will contain the following files and directories. Keep all the files in the same directory; however, you may move the entire parent directory. As shown, this directory contains two applications, a lib/ directory containing the core application, and a data/ directory for the embedded Derby database and other files.

1.5 VMWare & LiveCD (openSUSE) Appliance Setup

We offer a variety of pre-built systems based on the openSUSE Linux distribution, including a VMWare and a LiveCD version. The default users root and admin have the password changeme. Change the default passwords as soon as possible. If you are setting up Drupal, also see section 4.1.

Change System Passwords

The system is minimally configured, with default passwords in place to get things up and running quickly. Take a minute now to change the default passwords, for security reasons, as soon as possible.

    $ passwd                                    (change admin user password)
    $ su                                        (current root password)
    # passwd                                    (change root user password)
    # mysqladmin -u root password "my-new-pwd"

Change MySQL Passwords

Use the MySQL Administrator application on the desktop to access the running MySQL server using the password you just defined. Under User Administration (top left) you can select User Accounts (bottom left) to change their passwords. Once changed, click on Apply Changes (bottom right).

1.6 Using with MySQL

MySQL is supported when used with a commercial license. To use MySQL, you also need to download the MySQL Java JDBC driver and install the jar file. Due to its license, we are unable to supply this file with our distribution.

Download MySQL Connector/J JDBC Driver

Download the driver, place the jar file in the CoovaRADIUS “Lib” directory and completely restart the server. On Ubuntu there is also a package that installs the MySQL driver, which allows for the following:

    # sudo apt-get install libmysql-java
    # mkdir -p /var/lib/coova-radius/lib/
    # cd /var/lib/coova-radius/lib/
    # ln -s /usr/share/java/mysql-connector-java.jar .

After installing the MySQL JDBC driver, and with the RADIUS service stopped, you can change the database configuration to use a MySQL server instead of the embedded Derby database. Save your changes and then start up the RADIUS service after creating the database in your MySQL server. For the MySQL server setup, create the database and user you wish to use for CoovaRADIUS. The first time CoovaRADIUS starts up it will create the database tables for you.
1.7 Using with BIRT Reporting

Download BIRT 2.5.2 Runtime

On Ubuntu:

    cd /var/lib/coova-radius/
    unzip /tmp/birt-runtime-2_5_2.zip
    cp /usr/share/java/com.coova/mysql-connector*.jar \
       /usr/share/java/com.coova/derby*.jar \
       birt-runtime*/ReportEngine/plugins/org.eclipse.birt.report.data.oda.jdbc_*/drivers/
    mkdir birt-log
    chown -R coova birt-*
    cat <<EOF >> coova_radius.properties
    birt.runtime=/var/lib/coova-radius/birt-runtime-2_5_2/ReportEngine
    birt.logdir=/var/lib/coova-radius/birt-log
    EOF

1.8 Virtual Private Network (VPN)

Server side, with the pptpd package installed. On Ubuntu Linux:

    # apt-get install pptpd

On openSUSE Linux:

    # zypper install pptpd

In /etc/pptpd.conf you need the following:

    option /etc/ppp/options.pptp
    localip 10.0.0.1
    remoteip 10.0.0.100-200

and the following in /etc/ppp/options.pptp:

    lock
    noauth
    refuse-pap
    refuse-eap
    refuse-chap
    refuse-mschap
    nobsdcomp
    nodeflate

and the following in /etc/ppp/chap-secrets:

    # username      service   password          ip-address
    coova-ap        *         myPptpPassword    *
    mikrotik-1      *         myPptpPassword    *
    colubris        *         myPptpPassword    *
    myusername      *         myPptpPassword    *
    # ...

1.9 Installation Notes

Dependency problems on a Debian system

Sometimes the names of dependencies change and dpkg might complain about an unavailable dependency. You can get around this by editing the Debian package itself to remove the offending dependency. Here is how:

    # apt-get install binutils
    # ar xf CoovaRADIUS-1.0.2.deb
    # rm -rf control
    # mkdir control
    # cd control/
    # tar xzvf ../control.tar.gz
    # gedit control
    # tar czvf ../control.tar.gz .
    # cd ..
    # ar -r coovaradius.deb debian-binary control.tar.gz data.tar.gz
    # dpkg -i coovaradius.deb

2 Administration Web Interfaces

2.1 Setup Web Interface

The setup interface is ONLY available on the localhost of the server machine.
From this interface, you can Stop and Start the RADIUS server, Shutdown the entire server, and, when stopped, change the main database settings of the RADIUS server.

    http://localhost:2080/ewt/home.html

If you are installing CoovaRADIUS on a remote system, we recommend using SSH to tunnel a path to the setup interface. Do not worry, you typically do not need to use this interface very often. See the next section on how to access the administration interface remotely.

    ssh -L 2080:localhost:2080 remote-host-name

2.2 Main Web Interface

In addition to the server setup interface, the CoovaRADIUS administration interface is available at:

    http://hostname:1900/ewt/home.html

or securely at:

    https://hostname:1800/ewt/home.html

In both cases, you will be prompted for the admin user password.

2.3 JSON API Interface

The JSON API in CoovaRADIUS has these URLs:

    http://hostname:1900/ewt/json
    https://hostname:1800/ewt/json

3 Embedded Captive Portal

Note: This feature is still under development! If you are interested in using the embedded captive portal, let us know your requirements.

The embedded captive portal (in pure Java) provides an easy-to-use alternative to setting up Drupal. For many networks, this is all that might be required.

3.1 Customizing the Captive Portal

Customizing the embedded captive portal is done by defining Named Values under the System menu. Named Values are name/value pairs that can be defined based on network, access point, client device, or user. To define a captive portal website, the Named Values below should be defined for the network. Leave the access point, client device, and user all blank. Should you want to give a specific user, for example, a message, then override some values by duplicating them and setting both the network and user.

Named Values that control the embedded captive portal:

    portal.title                The page title
    portal.top                  The top portion of the page
    portal.bottom               The bottom portion of the page
    portal.box.box-name         A custom box of name box-name
    portal.css                  The CSS for the site
    portal.favicon              The path to the favicon
    portal.page.index           The index page is the default page
    portal.page.page-name       A custom portal page
    portal.login.after          Message after / below login
    portal.login.before         Message before / above login box
    portal.login.failure        Message displayed for login failure
    portal.login.password       Password field label
    portal.login.submit         Submit button label
    portal.login.success        Message displayed upon successful login
    portal.login.username       Username field label
    portal.login.welcome        Welcome message after login
    portal.login.usingCode      Replaces the login box when logged in using an access code
    portal.network.default      Default network (define without a Network)
    portal.free.realm           The realm name to place the access codes under
    portal.free.prefix          The username prefix before the client device MAC address
    portal.free.accessPolicy    The numeric ID of the access policy to use when allocating an access code
    portal.free.alwaysRenew     Set to true when the access voucher should always be reset on initial redirect
    portal.free.remoteURL       The URL to redirect to, with the login URL appended
    portal.free.usingCode       Replaces the login link when logged in using an access code
3.2 An Example

Named Values defined for the Global Network:

    Name                    Value
    portal.favicon          /com/coova/portal/static/favicon.ico
    portal.title            Coova Hotspot
    portal.top              <a href="/"><img border="0" src="/com/coova/portal/static/coova.png"/></a>
                            <ul class="links">
                            <li><a href="/?page=about">about us</a>
                            <li><a href="/?page=locations">locations</a>
                            <li><a href="/?page=support">support</a>
                            </ul>
    portal.bottom           <div style="font-size: small; color: #666;">
                            Copyright (c) 2010 Coova Technologies, LLC.
                            </div>
    portal.page.index       boxes:intro,login,free
    portal.page.support     boxes:support
    portal.page.locations   boxes:ewt-portal-map
    portal.page.account     boxes:ewt-menu-portal-menu
    portal.page.about       boxes:about
    portal.login.welcome    You are now logged in.
                            <ul>
                            <li><a href="?page=account">My account</a>
                            <li><a href="?page=logout">Logout</a>
                            </ul>
    portal.css              body { background-color: lightgrey; }
                            .box { width: 80%; border: 1px solid grey; -moz-border-radius: 10px;
                                   -webkit-border-radius: 10px; border-radius: 10px;
                                   padding: 10px; margin: auto; }
                            .portal-box-intro, .portal-box-login { width: 50%; float: left; }
                            .portal-box-free { clear: both; padding: 10px; }
                            ul.links { text-align: center; margin: 0; padding: 0; }
                            ul.links li { list-style: none; display: inline-block; padding: 0 10px; }

3.3 Auto-Login Redirection Handler

The embedded portal URI /redirect.jsp provides an easy way to auto-login users based on their Client Device MAC address. An access policy can optionally be set to limit access. The following Named Values are available to control this feature:

    portal.redirect.style         Only supports standard currently
    portal.redirect.realm         The realm name to place the access codes under
    portal.redirect.prefix        The username prefix before the client device MAC address
    portal.redirect.accessPolicy  The numeric ID of the access policy to use when allocating an access code
    portal.redirect.alwaysRenew   Set to true when the access voucher should always be reset on initial redirect
    portal.redirect.remoteURL     The URL to redirect to, with the login URL appended

3.4 Adding static content

In the CoovaRADIUS data directory, /var/lib/coova-radius/ on Linux, do the following:

    $ mkdir -p com/coova/portal/static/
    $ echo "it works" > com/coova/portal/static/test.html

which is then accessible in the embedded portal with the URI /com/coova/portal/static/test.html. This can be used for images, HTML, or any other resource file.

3.5 Using with SSL

The following OpenSSL and keytool commands are helpful in creating a JKS keystore for use with the embedded Jetty web server.

    $ openssl pkcs12 -export -in www.crt -inkey www.key -out www.p12 -name "hotspot.wisp.com"
    $ keytool -importkeystore -srckeystore www.p12 -srcstoretype PKCS12 -destkeystore www.keystore

4 External Captive Portals

CoovaRADIUS has an API based on the JSON format. This API can be used to integrate with a wide variety of external third-party portals. We have provided an integration module to make it easier to integrate with the Drupal content management system.

4.1 Drupal Installation in openSUSE Appliance

Always install the latest Drupal from drupal.org. At the time of this writing, the version was 6.19. To install Drupal, execute the following commands:

    $ su                                   (root password)
    # cd /srv/www/
    # rm -rf htdocs
    # wget http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz
    # tar xzf drupal-6.19.tar.gz
    # mv drupal-6.19 htdocs
    # cd htdocs/sites/default
    # mkdir files
    # chown wwwrun files
    # mv default.settings.php settings.php
    # gedit settings.php                   (edit settings.php)

Use the gedit program to edit the main Drupal settings, as shown in the previous example and also below.
    $ su                                                   (root password)
    # gedit /srv/www/htdocs/sites/default/settings.php    (edit settings.php)

Edit the file, near the middle, changing the $db_url variable to the correct information to access the database. Use the username drupal, the password used in section 1.5, and the database name drupal.

Now, use Firefox to finish the Drupal installation process:

    $ firefox http://localhost/install.php

4.2 Installing Drupal Modules

Modules of interest:

◦ The Coova integration modules that come with the distribution.
◦ Ubercart shopping cart.
◦ Token is required by Ubercart.
◦ Always install the latest versions!

Installing Coova Hotspot and EWT Modules

    # mkdir /srv/www/htdocs/sites/all/modules/
    # cd /srv/www/htdocs/sites/all/modules/
    # tar xzf /usr/lib/coova-radius/drupal/hotspot-6.x-1.x-dev.tar.gz
    # tar xzf /usr/lib/coova-radius/drupal/ewt-6.x-1.x-dev.tar.gz
    # cd ewt/
    # tar xzf /usr/lib/coova-radius/drupal/com.coova.ewt.Drupal.tar.gz

Installing Ubercart

    # cd /srv/www/htdocs/sites/all/modules/
    # wget http://ftp.drupal.org/files/projects/token-6.x-1.15.tar.gz
    # tar xzf token-6.x-1.15.tar.gz
    # rm token-6.x-1.15.tar.gz
    # wget http://ftp.drupal.org/files/projects/ubercart-6.x-2.4.tar.gz
    # tar xzf ubercart-6.x-2.4.tar.gz
    # rm ubercart-6.x-2.4.tar.gz

4.3 CoovaRADIUS Integration

Enable the Drupal modules CoovaEWT and CoovaRADIUS.

Edit CoovaEWT settings under Administer / Site configuration / CoovaEWT (q=admin/settings/ewt):

◦ Enable the API
◦ Change the API password for the admin user, see section 1.1.4
◦ Enable CoovaEWT GUI and Ajax Proxy as needed by ewt_div() inclusion

Edit CoovaRADIUS settings under Administer / Site configuration / CoovaRADIUS (q=admin/settings/coova_radius); this requires that the CoovaEWT settings are already configured:

◦ Select the main mode Auto provision standard users
◦ Enter a random Cookie Encryption Key
◦ Enable Create users able to Own client devices
◦ Select local for Realm ID
◦ Select Global Network for Network ID

Complete the integration by configuring the following in CoovaRADIUS:

◦ Create a User in CoovaRADIUS
  → Username should be the same as the Drupal admin user name
  → Realm should be local
  → Home Network should be Global Network
  → Foreign User ID should be 1 (Drupal user ID)
  → Foreign User Realm should be drupal-site (also used in the Drupal config)
◦ Edit the Network named Global Network
  → Select the newly created User as the Owner

4.4 Example configuration: Members only

Enable the Hotspot module. Edit Hotspot settings under Administer / Site configuration / Hotspot (q=admin/settings/coova_radius):

◦ Ensure the Hotspot is enabled
◦ Ensure the UAM Secret matches that for Global Network

To allow users to register at the Hotspot, we need to make it such that the user need not verify their e-mail address during sign-up. Do this under Administer / User management / User settings (q=admin/user/settings):

◦ Uncheck Require e-mail verification when a visitor creates an account

4.5 Example configuration: Selling access

5 Data Model Overview

The database consists of the following basic objects:

Realms are essentially the grouping of users.
You can have the same username in different realms, but you can never have duplicate usernames within a realm. Realms are also an important concept in the routing of authentication, whereby RADIUS for users of a foreign realm is proxied to a third-party RADIUS server using Realm Routes.

Users are people associated with a username and password. Users can own objects in the system such as Access Points and Client Devices.

Client Devices are devices that access the Network, be it a laptop, hand-held, or phone. The device is known uniquely by its MAC address and can be owned by a User.

Access Points are the Wi-Fi routers, network access servers (NAS), or any device acting as the access controller, known uniquely by MAC address.

Access Controllers define types of Access Points, or more specifically, the type of access controller being used.

Networks are used to group together Access Points. A Network can be owned by a User and can optionally be associated with a parent Network.

Access Policies define the limitations put upon an Access Voucher in the system.

Access Vouchers are the backing objects controlling the limitations set on an Access Code, Network User, or Network Realm.

Access Codes define a username and password for access provisioning based on an Access Policy.

Access Code Sets are a grouping of Access Codes that were likely generated by the system.

Network User entries define which Users can access which Networks, based on an Access Policy.

Network Realm entries define which Realm (and all users under it) can access which Networks, based on an Access Policy.

Attribute Sets define a collection of Attributes of various Attribute Types. They can be associated with Users, Client Devices, and Access Policies.

5.1 Realms

A Realm provides a username name-space similar to that of a domain name in an e-mail address.
Realms can represent groups of credentials (usernames and passwords) stored locally in the system or remotely in RADIUS servers elsewhere. Realms in RADIUS have significance as they provide a means of "routing" authentication through proxy servers to the appropriate "home" RADIUS server. There are two main ways to define a realm in a username: the Prefix format realm/username and the Postfix format username@realm. The username with one or more realms is then used as the username for login purposes.

→ Recommendation: If possible, organize your users in a specific realm and leave the default realm for Administrative-User (device login) purposes. With a captive portal, you can easily add a realm to a user's username if needed.

5.1.1 Realm Routes

A Realm Route defines a grouping of RADIUS Servers to which RADIUS for a Realm is forwarded.

5.2 Users

A User is an account that represents a real person and a unique Username within a Realm. The user can have an optional Email address and must have a Password.

→ Note: Passwords in the system are stored in plain text. This is because some RADIUS authentication protocols (CHAP, MS-CHAP, EAP-MD5 and similar challenge/response methods) require that the RADIUS server know the plain-text password (or, for MS-CHAP, its NT hash) in order to verify the response. Treat the database and its backups accordingly: anyone who can read them has every user's password.

→ Recommendation: When creating users via the API where you have your own user database, you don't have to set the RADIUS user's password to be that of the original user. When using a captive portal, you can always use an alternate password (unknown to the user) for RADIUS provisioning purposes. This further protects your user passwords.

User options include:
◦ Can own client devices - Whether the user is able to own client devices. If true, devices not otherwise owned will be automatically owned upon successful authentication.
◦ Can own access points - Whether the user is able to own access points. If true, access points not otherwise owned will be automatically owned upon successful authentication when not using a "public shared secret".
◦ Administrative User - If true, the user can only be used with "Administrative-User" Service-Type requests (device, not user, authentication).
◦ MAC Authentication - If true, then devices owned by the user can optionally be allowed to authenticate by MAC address.
◦ EAP Only - If true, only EAP authentication protocols are allowed for this user.
◦ EAP TLS Only - If true, only TLS-based EAP methods (EAP-TLS, EAP-TTLS, PEAP) are allowed for this user.
◦ Anonymous AP Ok - If true, then the account can be used at access points using a "public shared secret".
◦ Attribute Set - RADIUS attributes to send in an Access-Accept for this user.

5.2.1 Administrative-User

In RADIUS, the Service-Type attribute specifies the service requested. Whereas Login-User or Framed-User are typical for user logins, the value Administrative-User is often used for the router/access controller itself to authenticate and potentially retrieve configuration.

5.3 Client Devices

A Client Device is a device, such as a laptop computer, that accesses a Network. It is uniquely identified by its Station Id (RADIUS Calling-Station-Id), which is the Ethernet MAC address of the device's network interface. It can have a user Owner, which gets automatically assigned when a user logs in using the device and has the Can own client devices user option set. Note that a MAC address is asserted by the client and is trivially changed, so MAC-based identity and MAC authentication are convenience features, not strong authentication.

Client device options include:
◦ MAC Authentication - If true, and if the user owning this device has the MAC Authentication user option set to true, the device will be automatically authenticated (with supported access controllers and configurations).
◦ Attribute Set - RADIUS attributes to send in an Access-Accept for this device.
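The following Python model, added here as an example and not part of CoovaRADIUS or its API, ties together three points from sections 5.1 and 5.2 above: a username is unique only within its realm; the realm is taken from the prefix or postfix form of the login name, falling back to the Network's Default Realm; and the RADIUS table needs the plain-text password because a CHAP response can only be verified by recomputing MD5(CHAP-Id || password || challenge). It also shows the recommended mitigation: the site keeps only a salted hash of the person's real password, and the portal provisions a separate random RADIUS password that the person never sees. All class and function names, the PBKDF2 parameters and the single-realm parsing rule are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple


def split_realm(user_name: str, default_realm: str) -> Tuple[str, str]:
    """Extract the realm from a login name. Prefix form realm/username is checked
    first, then postfix form username@realm; a bare name gets the Network's Default
    Realm. Returns (realm, bare_username). Assumption for this example: one realm
    per name, so nested forms like realm1/user@realm2 are not handled."""
    if "/" in user_name:
        realm, _, bare = user_name.partition("/")
        return realm, bare
    if "@" in user_name:
        bare, _, realm = user_name.rpartition("@")
        return realm, bare
    return default_realm, user_name


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: Response = MD5(CHAP-Id || password || challenge).
    The server can only check this by recomputing it from the plain-text password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


class RadiusUserStore:
    """Models the CoovaRADIUS Users table: (realm, username) -> plain-text password."""

    def __init__(self) -> None:
        self._users: Dict[Tuple[str, str], bytes] = {}

    def add(self, realm: str, username: str, password: bytes) -> None:
        key = (realm, username)
        if key in self._users:
            # The same username may exist in another realm, never twice in one realm.
            raise ValueError("duplicate username %r in realm %r" % (username, realm))
        self._users[key] = password

    def check_pap(self, realm: str, username: str, candidate: bytes) -> bool:
        stored = self._users.get((realm, username))
        return stored is not None and hmac.compare_digest(stored, candidate)

    def check_chap(self, realm: str, username: str, chap_id: int,
                   challenge: bytes, response: bytes) -> bool:
        stored = self._users.get((realm, username))
        if stored is None:
            return False
        return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


class SiteUserStore:
    """Models the web site's own accounts (Drupal, for instance): only a salted
    PBKDF2 hash is kept, so a copy of this table does not yield passwords.
    The iteration count is this example's choice."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def _digest(self, password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)

    def register(self, username: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt))

    def login(self, username: str, password: bytes) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._digest(password, salt), digest)


def provision_radius_user(radius: RadiusUserStore, username: str,
                          realm: str = "local") -> bytes:
    """What the captive portal does after a successful site login: create the RADIUS
    user with a random password the person never sees. The portal hands this
    credential to the NAS, so the site password never enters the RADIUS table."""
    radius_password = secrets.token_urlsafe(24).encode()
    radius.add(realm, username, radius_password)
    return radius_password


def authenticate_pap(radius: RadiusUserStore, login_name: str,
                     default_realm: str, password: bytes) -> bool:
    """PAP check for a full login name as it arrives in User-Name."""
    realm, bare = split_realm(login_name, default_realm)
    return radius.check_pap(realm, bare, password)
```

With this split, a dump of the RADIUS table exposes only throwaway RADIUS passwords, and the person's real password stays behind the site's salted hash. The CHAP check is also why "store a hash instead" is not an option on the RADIUS side: the server must recompute the MD5 over the actual password bytes.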
5.3.1 Authorizing Client Devices

Individual Client Devices can be authorized (using MAC authentication) for Networks or Access Points by being added to the "whitelist" table.

5.3.2 Banning Client Devices

Individual Client Devices can be banned from Networks or Access Points by being added to the "blacklist" table. Since the ban keys on the client's MAC address, a banned device that changes its address is no longer matched.

5.4 Networks

A Network is a grouping of access points. It has a unique Name in the system and can have a user Owner. It may also have a Parent Network defined so that access permissions can be granted for multiple levels of networks.

Network options include:
◦ Default Realm - The Realm to use for authentication requests in the network where a specific realm is not otherwise specified.
◦ Attribute Set - RADIUS attributes to send in an Access-Accept for all sessions in the network.
◦ UAM Secret - The CoovaChilli uamsecret to use for a network (CoovaChilli only).

5.5 Access Points

An Access Point is uniquely identified by the Station Id (RADIUS Called-Station-Id), which is most often the MAC address. It can optionally have a Name, be grouped into a Network, and have a user Owner. The system will automatically assign a user as the owner when a user logs into the access point, configured with the user's specific RADIUS shared secret, and the user has the option Can own access points set to true. The system will also automatically attempt to determine the Controller Type.

Access point options include:
◦ Location - Informational purposes only.
◦ Description - Informational purposes only.
◦ MAC Address - MAC address, often the same as Station Id.
◦ NAS IP Address - IP address of the access point, automatically set from RADIUS.
◦ NAS Identifier - A RADIUS identifier, automatically set from RADIUS.
◦ Anonymous MAC Auth - When true, and used in conjunction with the MAC authentication feature of CoovaChilli, sessions at the access point are initially in "splash" mode, where most network resources are available (e-mail, etc.) but port 80, the standard HTTP port, is redirected to a splash page.
◦ Reversed Accounting - When true, the meaning of "Input" and "Output", and how they map to "Download" and "Upload", is reversed. See section ?? for more information on RADIUS Accounting.
◦ Bandwidth Graphing (RRD) - When true, the "Administrative-User" session statistics are used to produce an RRD graph of overall network throughput (requires Monitoring to be true).
◦ Monitoring - When true, the access point will be monitored by the system. Using the "Administrative-User" session of the device, on-line status information is maintained.
◦ Attribute Set - RADIUS attributes to send in an Access-Accept for all sessions from this access point.

5.6 Access Policies

An Access Policy defines the limitations being put on sessions for time, data, and/or bandwidth. A policy consists of:
◦ Access Time and Access Time Units - Together these define the amount of access time granted.
◦ Access Window and Access Window Units - Together these define the time frame in which the Access Time can be consumed.
◦ Expiry Time and Expiry Time Units - Together these define the validity duration, after which the voucher is unusable.
◦ Download Data and Download Data Units - Together these define the maximum data downloaded.
◦ Upload Data and Upload Data Units - Together these define the maximum data uploaded.
◦ Total Data and Total Data Units - Together these define the maximum data uploaded and downloaded combined.
◦ Max Download Rate - Maximum bandwidth down in bits per second.
◦ Max Upload Rate - Maximum bandwidth up in bits per second.
◦ Max Concurrency - Maximum number of simultaneous sessions.
◦ Max Logins - Maximum number of logins.
◦ Auto Renew - True if the voucher automatically renews after the access window time.

The Access Voucher provides the backing object for the Access Policy and can be associated with an Access Code, Network User, or Network Realm.

→ Note: When making changes to an Access Policy that has already been in use, some state information kept in the Access Voucher may be inconsistent with the new settings. Therefore, it is advised either to create a new Access Policy (keeping the old one in place) or to Reset all Access Vouchers associated with the policy.

Using the Auto Renew option, schemes like "1 hour of access, every day" can be implemented with an Access Time of one hour, an Access Window of one day, and Auto Renew set to true. With Auto Renew set to false, the same settings mean "1 hour of access in total, to be used within 24 hours".

5.7 Access Codes

An Access Code defines a username and password within a Realm. Access codes can have an associated Access Policy and a user Owner. Additionally, access codes can be limited to a Network.

5.8 Network User Access

An entry in the Network User table enables a User to have access to a Network based on an optional Access Policy.

5.9 Network Realm Access

An entry in the Network Realm table enables a Realm, and all users under it, to have access to a Network based on an optional Access Policy. (Not yet fully implemented.)

5.10 Access Controllers

An Access Controller defines the features an access point has. Generally, it identifies the access point make, but not necessarily, as CoovaChilli can run on a variety of hardware. The RADIUS platform potentially requires special support for access controllers not otherwise listed in this table.
◦ Default Reversed Accounting - When set to true, access points discovered to be of this controller type will be created with the Reversed Accounting option also set to true.
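The voucher arithmetic described in section 5.6 above, written out in Python as an added example (not CoovaRADIUS code): it shows why "Access Time 1 hour, Access Window 1 day" means one hour every day with Auto Renew on and one hour in total within 24 hours with it off, how Max Concurrency and Expiry Time are applied when a session starts, and what a voucher reset after a policy edit discards. The unit table, the field names and the rule that the expiry clock starts at first use are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Seconds per unit as chosen in the policy's "... Units" fields (assumed table).
UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


@dataclass(frozen=True)
class AccessPolicy:
    access_time: int                      # Access Time granted per window
    access_time_units: str
    access_window: int = 0                # 0 = no window, the Access Time is one budget
    access_window_units: str = "seconds"
    expiry_time: int = 0                  # 0 = never expires
    expiry_time_units: str = "seconds"
    auto_renew: bool = False
    max_concurrency: int = 1

    @property
    def access_seconds(self) -> int:
        return self.access_time * UNITS[self.access_time_units]

    @property
    def window_seconds(self) -> int:
        return self.access_window * UNITS[self.access_window_units]

    @property
    def expiry_seconds(self) -> int:
        return self.expiry_time * UNITS[self.expiry_time_units]


@dataclass
class AccessVoucher:
    """State kept per Access Code / Network User / Network Realm against a policy.
    Times are epoch seconds. Assumption: the expiry clock starts at first use."""
    policy: AccessPolicy
    first_use: Optional[int] = None
    window_start: Optional[int] = None
    used_seconds: int = 0
    active_sessions: int = 0

    def reset(self) -> None:
        """What 'Reset all Access Vouchers' does after a policy edit: drop state
        that may no longer agree with the policy."""
        self.first_use = self.window_start = None
        self.used_seconds = 0
        self.active_sessions = 0

    def remaining_seconds(self, now: int) -> int:
        p = self.policy
        if self.first_use is None:
            return p.access_seconds
        if p.expiry_seconds and now >= self.first_use + p.expiry_seconds:
            return 0
        if p.window_seconds and now >= self.window_start + p.window_seconds:
            if not p.auto_renew:
                return 0          # "1 hour total within 24 hours": the window closed
            # "1 hour every day": move to the window containing now, fresh budget.
            passed = (now - self.window_start) // p.window_seconds
            self.window_start += passed * p.window_seconds
            self.used_seconds = 0
        return max(0, p.access_seconds - self.used_seconds)

    def start_session(self, now: int) -> bool:
        """Access-Request: accept only with time left and below Max Concurrency."""
        if self.remaining_seconds(now) <= 0:
            return False
        if self.active_sessions >= self.policy.max_concurrency:
            return False
        if self.first_use is None:
            self.first_use = self.window_start = now
        self.active_sessions += 1
        return True

    def stop_session(self, acct_session_time: int) -> None:
        """Accounting Stop: charge Acct-Session-Time against the budget."""
        self.active_sessions = max(0, self.active_sessions - 1)
        self.used_seconds += acct_session_time
```

The time accounting relies on the NAS sending an honest Acct-Session-Time in its Stop (or interim) records; a policy is only as good as the accounting feed behind it, which is one reason to keep the RADIUS path to the access points on a private network or inside a tunnel.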
5.11 Attributes

Attributes define RADIUS Attributes that can be grouped together into Attribute Sets and used by the RADIUS server when authenticating Users, Access Codes, or Client Devices. With many RADIUS attributes possible, when adding Attributes to an Attribute Set, a select box lists the defined Attribute Types. Add more Attribute Types if the RADIUS attribute you wish to use is not currently available.

5.12 Named Values

Named Values provide a convenient way to manage a hierarchical structure of named values that can be defined on a Network, Access Point, User, or Client Device basis. When named values are derived, more specific values (i.e. ones matching more of the criteria of Network, Access Point and so on) override more general values. This table is used in the embedded captive portal and the dashboard features.

5.13 X509 Management

When CoovaRADIUS starts, it will always ensure it has a default Certificate Authority (CA); if it has none, it will create one. Using the CA certificate, X509 Certificates can be generated for users or for general (non-user) use. A few certificates are created by default and are used by the system. These include ewt-server, the certificate for the EWT interface (port 1800); dashboard-server, the certificate for the Dashboard interface (port 2444); radsec-server, the certificate for the RadSec interface (port 2083); and eap-server, the certificate for the EAP-TLS based authentication methods. Because this CA signs both the server certificates that clients are asked to trust and the client certificates that EAP-TLS and RadSec peers authenticate with, protect its private key as you would the RADIUS database.

5.14 Configuration

Name - Description
com.coova.dal.version - Used to track the database schema version, do not change.
com.coova.DefaultRealm - System default realm.
com.coova.default.AcctInterimInterval - Default system-wide accounting interim interval.
com.coova.default.IdleTimeout - Default system-wide idle timeout.
com.coova.default.ReportType
com.coova.feature.AdvancedPolicies
com.coova.feature.ApRoaming - Set to true to enable subscriber roaming between access points in the same network.
com.coova.feature.GenerateReports
com.coova.feature.Payments
com.coova.feature.FullAdministration
com.coova.feature.FullInformation
com.coova.feature.Reports
com.coova.menu.DisablePayments
com.coova.menu.NetworkSettings
com.coova.menu.NetworkPreferences
com.coova.menu.UserDevices
com.coova.menu.UserAccessCodeStatus

6 Testing with JRadiusSimulator

The JRadiusSimulator is an open-source RADIUS simulation and testing tool based on the JRadius framework. It is very flexible and easy to use for simple RADIUS AAA simulations. It allows you to hand-craft RADIUS requests and to see the responses. Select from one of several authentication protocols, UDP or RadSec transport methods, and simulate your NAS by adding standard and Vendor Specific RADIUS attributes.

To start the simulator, use the radius-simulator command on Unix or double-click the RadiusSimulator program icon that came with the Windows or Mac distributions.

6.1 Basic Configuration

Configure the RADIUS Server to be your CoovaRADIUS server hostname or IP address. Set the Shared Secret appropriately. Since we are using a trial license, it is shown set to testing123. A trial secret like this is widely known; treat the secret that comes with a production license as a credential, since anyone holding it can decode User-Password attributes and forge responses. Select Generate a Unique Acct-Session-Id so that each request looks unique, as in typical real-life usage. Click the Attributes tab to begin adding RADIUS attributes from the JRadius dictionary.

6.2 Adding RADIUS Attributes

Add RADIUS attributes to the various RADIUS request types and states. Begin by clicking Add Attribute to bring up a listing of all available RADIUS attributes in the JRadius dictionary.
Recommended attributes to add:

User-Name, User-Password - Username and password placeholder (the password is replaced depending on the authentication protocol). The username is in all packets while the password is only added to Access-Request and/or tunneled requests.
NAS-Identifier - The name of the NAS (access point).
NAS-Port-Type - NAS port type, select from a list.
Acct-Session-Id - A unique session ID generated by the simulator.
Service-Type - The service type, select from a list.
NAS-IP-Address - The IP address of the access point.
Called-Station-Id - The MAC address of the access point.
Calling-Station-Id - The MAC address of the client device.
Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets - Some simple accounting data to add to accounting Update/Interim and Stop.

Warning! Be sure to save your configuration by selecting Save in the File menu of the main window.

6.3 Running Simulations

To run a simulation, click the Start button on the RADIUS tab. Adjust the Simulation Type to test either only authentication or authentication followed by accounting. The attributes you have defined are added to packets depending on type (Access-Request or Accounting-Request) and accounting state (Acct-Status-Type) of either Start, Interim/Update, or Stop.

If you have selected Log RADIUS to Log tab, then you will find the output of your RADIUS simulation after clicking on the Log tab.

Use the simulator to also test your system under load by adjusting the Requester Threads and Requests per Thread parameters. It is recommended, however, that you turn off the logging as it will slow you down.

6.4 Testing against CoovaRADIUS

In order to use the simulator with your CoovaRADIUS server, there are a few configurations required in order to get an Access-Accept for your tests.
Access Point in a Network

If you have already tried a simulation and it has failed, the first thing to check is that the MAC address used in the Called-Station-Id is that of a valid access point in CoovaRADIUS and that the Access Point is part of a Network. Shown is the Access Point with MAC address 00-00-00-00-00-00, automatically added to the system by our first (failed) authentication attempt. The record has since been edited and placed into the Global Network.

Test User exists and has Access

The User defined in the User-Name attribute must exist in the system and must have access to the Network associated with the Access Point. Shown is the User with username test and password test, created to be used in our simulation. The user was created with Realm local, which is also the Default Realm of the Global Network. Access was also added for the test user in the Global Network. Remove this test user (and the placeholder access point) once testing is done; a guessable username and password that is granted network access is an obvious target.

6.5 Testing EAP-TLS and RadSec

Note: A non-trial license is required to use the EAP and RadSec features of CoovaRADIUS.

In order to use RadSec as your Transport or to use the EAP-TLS authentication protocol, you must have a Client Certificate to use for authentication. In JRadiusSimulator, you configure this on the Keys tab. Shown is the simulator configured with a client certificate and private key (both in PEM format) in the file /tmp/key.pem and the trusted root CA certificate in PEM format in the file /tmp/ca.pem. Click Trust All Server Certificates and leave the File fields blank to be able to use EAP-TTLS or PEAP without a client certificate configured. Trust All Server Certificates disables server verification, which is fine against a test server on the same host but means a run against a remote server would accept any impersonator.

To use this with CoovaRADIUS, go to the Access / X509 tab to manage X509 certificates. Shown is the certificate for the test User after clicking the New User Certificate button and generating the new certificate.
To use this certificate with our simulation, we cut-and-paste the Certificate in PEM format into the /tmp/key.pem file, which is what we used in JRadiusSimulator. Additionally, click on the Export tab in the middle of the page, after selecting the test user certificate in the table, and cut-and-paste the Exported Private Key into the same file. Then click on the Show Certificate Authorities button to see the certificate of the signing CA (as shown above). Cut-and-paste the Certificate in PEM format into the /tmp/ca.pem file, as used in our simulation. /tmp is world-readable by default, so delete the exported private key when the test is over, or keep it in a directory only your user can read.

Change the Authentication Protocol to run simulations with different authentication methods. Using EAP-TLS requires a client certificate that matches the user, while others, like EAP-TTLS and PEAP, tunnel an inner authentication and the client certificate is not required.

To run a RadSec simulation, select RadSec as the Transport method, configure the Shared Secret to be radsec (required for all RadSec tunnels), and set the ports to 2083, as shown. With RadSec the fixed secret radsec provides no security of its own; the TLS session and the client certificate are what authenticate and protect the exchange.
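As an added example (not JRadius or CoovaRADIUS code), the following Python builds the same kind of Access-Request the simulator sends in sections 6.1 to 6.4, with a hidden User-Password and a Message-Authenticator, and then performs the two checks each side must make: the server verifies the Message-Authenticator before trusting the request, and the NAS verifies the Response Authenticator before trusting an Access-Accept. The shared secret testing123, the test user and the two MAC addresses are the values from this chapter; the attribute type numbers are from RFC 2865 and RFC 2869; the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Sequence, Tuple

# RADIUS codes and the attribute types used in this chapter (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
ACCT_SESSION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 44, 61, 80

Attr = Tuple[int, bytes]


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Obfuscation keyed on the shared
    secret, not encryption: whoever holds the secret reverses it."""
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does before a PAP check."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _encode_attrs(attrs: Sequence[Attr]) -> bytes:
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long; split it as EAP-Message is")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return body


def build_access_request(secret: bytes, attrs: Sequence[Attr], identifier: int = 0,
                         req_auth: Optional[bytes] = None) -> bytes:
    """Serialise an Access-Request and fill in Message-Authenticator = HMAC-MD5(secret,
    whole packet with the attribute's 16 value bytes zeroed) (RFC 2869 5.14)."""
    req_auth = req_auth or os.urandom(16)
    hidden = [(t, hide_password(v, secret, req_auth) if t == USER_PASSWORD else v)
              for t, v in attrs]
    body = _encode_attrs(hidden) + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + req_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def parse_attributes(packet: bytes) -> List[Attr]:
    """Walk the TLVs after the 20-byte header, refusing lengths that run off the end."""
    attrs: List[Attr] = []
    i = 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        length = packet[i + 1]
        attrs.append((packet[i], packet[i + 2:i + length]))
        i += length
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check. Missing or wrong means reject: an Access-Request without a
    User-Password (as with EAP) has nothing else tying it to the shared secret."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    offset = 20
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += len(value) + 2
    return False


def build_response(code: int, request: bytes, secret: bytes,
                   attrs: Sequence[Attr] = ()) -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = _encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS-side check that a reply answers this request and was made with the secret.
    A NAS that skips it accepts any spoofed Access-Accept that reaches it."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

To exercise it, build a request with build_access_request(b"testing123", [(USER_NAME, b"test"), (USER_PASSWORD, b"test"), (CALLED_STATION_ID, b"00-00-00-00-00-00"), (CALLING_STATION_ID, b"11-11-11-11-11-11")]) and feed it to verify_message_authenticator; then build_response(ACCESS_ACCEPT, ...) and check it with verify_response. Both checks fail with the wrong secret or after any byte of the packet is altered, which is the whole point of the Message-Authenticator option that the Colubris configuration in section 8.6.2 turns on.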
6.6 Example Session Log

Access Request (PEAP)

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=6)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=72)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=22)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=105)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=236)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=65)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=59)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=80)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=59)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=144)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=43)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=96)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:
MS-MPPE-Recv-Key = [Binary Data (length=50)]
MS-MPPE-Send-Key = [Binary Data (length=50)]
EAP-Message = [Binary Data (length=4)]
Acct-Interim-Interval = 300
User-Name = test
Chargeable-User-Identity = test@local
Class = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Accounting

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccountingRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Status-Type := Start
Class = [Binary Data (length=46)]
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccountingResponse
Attributes:

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccountingRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Time := 120
Acct-Input-Packets := 10
Acct-Output-Packets := 20
Acct-Input-Octets := 100
Acct-Output-Octets := 200
Acct-Status-Type := Alive
Class = [Binary Data (length=46)]
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccountingResponse
Attributes:

Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccountingRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Time := 120
Acct-Input-Packets := 10
Acct-Output-Packets := 20
Acct-Input-Octets := 100
Acct-Output-Octets := 200
Acct-Status-Type := Stop
Class = [Binary Data (length=46)]
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccountingResponse
Attributes:

Two details of this log are worth noticing. Every Access-Request carries a Message-Authenticator, which is mandatory whenever EAP-Message is present, and the Access-Accept returns the MS-MPPE-Recv-Key and MS-MPPE-Send-Key that become the wireless session keys; those attributes are only hidden by the RADIUS shared secret, which is one reason to keep the NAS-to-server path private or inside RadSec.

7 Working with CoovaEWT, Firmware, and CoovaRADIUS

Coova uses a single Graphical User Interface (GUI) framework in both its back-end and firmware products. The "Coova Embedded Web Toolkit" (CoovaEWT) is the combination of an HTML/JavaScript application that runs in any browser and a JSON formatted API. CoovaEWT drives the core CoovaRADIUS administrative interfaces and the CoovaRADIUS GUI components embedded into Drupal. The CoovaEWT client application can run in any browser container, making it easy to include it in our Firefox plug-in CoovaFX.
When embedded into a firmware, only the scripts that drive the JSON API need to be embedded when used with one of our CoovaEWT clients. The example above shows Ubiquiti firmware that is Coova-enabled. To make it easy, a link is provided to a Java Web Start application, but any CoovaEWT client, including the one in CoovaFX, will do. When running, a window showing the Coova icon will appear. Close this window to stop the program.

After clicking on the WebStart link, your browser will download and start the CoovaEWT Desktop application. It will also automatically send your browser to the EWT Browser page with the URL for the Ubiquiti page you were at already filled in. Enter your Ubiquiti administrator username and password (both the default ubnt in our case; change these defaults on any router that others can reach), and then click "Go". When accessing the Ubiquiti configuration page using the "EWT Browser", the CoovaEWT interfaces are made available.

7.1 Using CoovaEWT in CoovaFX

Our CoovaFX Firefox add-on now also includes the same application available via Web Start. After installing CoovaFX version 1.5, right-click on the Coova icon found in the status bar. This will bring up a menu of options. Of interest are the options EWT Console and EWT Browser.

Selecting the EWT Browser option will bring up a browser window with the same EWT browsing application shown in the previous example. The EWT Console option will allow you to configure and use the interface with other EWT back-end systems.

After clicking on the edit configurations button, shown in the previous screen-shot, you are able to add and edit EWT sources. Shown below are two such configurations already created, one for our Ubiquiti Router and another for our instance of CoovaRADIUS.
Click on the add button to start a new configuration. Below is our configuration to access the CoovaEWT interface embedded in the Ubiquiti router. We named this entry Ubnt-38 and the URL is http://192.168.100.38/ewt.cgi, which points to the EWT CGI embedded in the Ubiquiti firmware. Complete the configuration by entering the Username and Password required to access your Ubiquiti web interface and enter the UI Resource hotspot. The EWT client sends these credentials to the router at this URL, so with plain http:// they are only safe on a network you control.

After adding EWT sources, you can then switch between them easily! Selecting the Ubnt-38 configuration, the GUI changes to the very same user interface that is embedded in the Ubiquiti administrative interface shown previously. From here, you can manage the hotspot features of the Ubiquiti using only the light-weight JSON formatted API between the CoovaEWT client and the Ubiquiti router.

7.2 Switching to CoovaRADIUS

Shown below is the EWT configuration for a CoovaRADIUS server running on the localhost. In this case, our URL is set to http://localhost:1900/ewt/json (or https://localhost:1800/ewt/json with SSL) and the UI Resource is coova. Of course, we also need to enter the Username and Password of the CoovaRADIUS administrator. Use the https:// URL on port 1800 whenever the server is not on the same host, since the administrator credentials are sent to it. After selecting to view CoovaRADIUS, the CoovaRADIUS user interface is loaded and ready to go.

8 Configuring Access Points

CoovaRADIUS can be used with a wide range of Access Points and Access Controllers. If it supports RADIUS, chances are very likely it will work with CoovaRADIUS. There are some RADIUS requirements, but generally vendors do things in similar ways. Contact us if your access point or access controller is not listed and you require assistance setting up.

8.1 CoovaChilli

Contact us for more information on CoovaChilli support options.
8.2 CoovaAP 1.x

http://www.coova.org/CoovaAP

CoovaAP provides an easy-to-use interface for configuring CoovaChilli on Broadcom based routers.

8.3 CoovaAP 2.x “Dashboard”

Currently configured directly in the Named Values table found under the System tab, the following attributes, resolved on a per access point or network basis (traversing the list of parent networks), are of interest:

cap.uci.hotspot.chilli.radsecret    RADIUS secret for CoovaChilli.
...

Contact us for more information on firmware support options with centralized “Dashboard” configuration.

8.4 Open-mesh

Contact us for more information on firmware support options.

8.5 Ubiquiti

Our latest firmware release for Ubiquiti routers, based on the Ubiquiti SDK, is now available. Coova has added CoovaChilli, our open-source access controller, and has made it configurable using CoovaEWT. See section 7 for more information on CoovaEWT.

After flashing your router with our firmware, under the Services tab you will see the above message. To access the CoovaEWT user interface, you need to use one of our CoovaEWT Client applications. To make it easy, a link is provided to a Java Web Start application. Clicking on the Web Start link will have your computer download the CoovaEWT client application on-line and start it up right away. See section 7 for more information on CoovaEWT.

Contact us for more information on firmware support options.

8.6 Colubris / HP Procurve

There are a number of possible configurations with the Colubris (now HP Procurve). CoovaRADIUS can be used to authenticate users using 802.1X, MAC authentication, or a captive portal; using the Colubris internal captive portal, the portal embedded in CoovaRADIUS, or any other external Colubris-compatible captive portal.
8.6.1 PPTP VPN Tunnel (Optional)

When possible, it is always recommended to run RADIUS on private networks, not over the Internet. When dealing with remote access points, one option is to use a PPTP Virtual Private Network (VPN) to tunnel RADIUS. A convenient solution is to have the same server running CoovaRADIUS also be the PPTP VPN server for your network. Here we show the Colubris configured to use a PPTP VPN. Connecting to the same server running CoovaRADIUS, with the VPN connection in place, we can switch to using the tunnel IP address, in our example 10.0.0.1, for our RADIUS server in the Colubris RADIUS Profiles.

8.6.2 RADIUS Profile

To begin, configure the Colubris to use your CoovaRADIUS server. On the Security / RADIUS profiles screen, Add New Profile or edit your existing profile. In our example, we gave the profile the name CoovaRADIUS, which is configured to point to our CoovaRADIUS server at IP address 192.168.100.1. We could also use our example PPTP tunnel IP 10.0.0.1 if we used the optional PPTP client. Use ports 1812 and 1812 as shown, and use the RADIUS shared secret for your CoovaRADIUS license. Check the option to Use message authenticator, then scroll down and click Save.

8.6.3 Virtual Service Communities

Using Virtual Service Communities (VSC), you can configure one or more wireless networks. For each, you have the option of using no authentication, a captive portal for authentication, MAC address authentication, or 802.1X authentication. In our example, we show both a secure wireless network using 802.1X authentication and another open network that is using a captive portal for authentication. Click Add New VSC Profile to add a new wireless network. For a secure network using 802.1X authentication, enable Wireless Protection: WPA and select to use the CoovaRADIUS RADIUS profile.
Once configured in CoovaRADIUS (see section 8.6.5), this secure network is ready for use.

For the captive portal network, enable HTML-based user logins and select to use RADIUS authentication, also selecting the CoovaRADIUS RADIUS profile. Enable RADIUS accounting as well.

8.6.4 Public Access Attributes

On the Public access / Attributes screen, you can define the various Colubris captive portal attributes. This configuration can also be centralized using RADIUS. Enable Retrieve attributes using RADIUS and configure a RADIUS username and password to use. In this example, we will use Username colubris, which is a User account we will create in CoovaRADIUS in the next section.

The next section will discuss how to configure portal settings in CoovaRADIUS. When all is set up, a green light will be shown.

8.6.5 CoovaRADIUS Configuration

The basic CoovaRADIUS configuration in this example consists of the following:

◦ A Realm named local configured to be a local realm,
◦ A Network named Global Network which we give the default realm local,
◦ An Attribute Set named Colubris Config which we will add attributes to,
◦ A User named colubris (not in any Realm) that has the Attribute Set Colubris Config assigned,
◦ A User named test in the Realm local that we will use to log in, and
◦ Give User test access to the Network Global Network.

Network and Realm

Use a realm to organize your users. There is a realm named local by default. To add more or change the name of this realm, go to the Routing / Realms tab. You should also already have the Network named Global Network. In our example, we gave this network the default Realm of local.
Colubris Attributes

Create an Attribute Set under the Attributes / Attribute Sets tab that will hold our Colubris attributes. We created the set named Colubris Config and then clicked on it in the table, as shown above. By clicking the Attributes tab next to Details, we are able to view, delete, and add new RADIUS attributes. Here we can add Colubris-AVPair attributes to the Attribute Set. These attributes are used by the Colubris to configure a wide range of settings (see your Colubris manual for details). These settings can also be set directly in your Colubris, but here we show how to centralize the configuration. At a minimum, the following Colubris-AVPair attributes are required to set up the Colubris with an external captive portal (in this case, the embedded captive portal in CoovaRADIUS running on port 1080):

Name               Value
login-url          http://hostname:1080/colubris.jsp?c=%c&m=%m&n=%n&l=%l&o=%o&i=%i&p=%p&C=%C&r=%r
transport-page     http://hostname:1080/colubris.jsp?page=transport
session-page       http://hostname:1080/colubris.jsp?page=session
fail-page          http://hostname:1080/colubris.jsp?page=fail
logo               http://hostname:1080/colubris.jsp?page=logo
access-list        coova,ACCEPT,tcp,hostname,80
use-access-list    coova

Where hostname should be replaced with your CoovaRADIUS server hostname. At a minimum, we also add the CoovaRADIUS hostname to the coova access list, which is what the Colubris uses to define the “walled garden” of allowed hosts. The coova name is special, as CoovaRADIUS will add any Walled Garden entries (see the Network / Walled Garden tab) to the access list.

When using the Colubris with the embedded captive portal in CoovaRADIUS, you can also use a shortcut method of defining the Public access attributes.
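Before turning to that shortcut, here is an added consistency check for the attribute-set method. It is example code written for this manual, not part of CoovaRADIUS: given the Colubris-AVPair values as name=value strings, it verifies that the minimum entries from the table above are present and that every portal URL points at a host allowed by the access list named in use-access-list, which the text above requires. The hostname radius.example.net and the sample set are constructed; the access-list field layout (list,ACCEPT,protocol,host,port) is taken from the table.

```python
"""Consistency check for a Colubris Config attribute set (added example)."""
from urllib.parse import urlsplit

# Minimum Colubris-AVPair names from the table above.
REQUIRED = ("login-url", "transport-page", "session-page", "fail-page",
            "logo", "access-list", "use-access-list")
# Attributes whose value is a portal URL on the CoovaRADIUS host.
URL_ATTRS = ("login-url", "transport-page", "session-page", "fail-page", "logo")


def parse_avpairs(avpairs):
    """Split 'name=value' strings into {name: [values]}; a name may repeat
    (several access-list entries are common)."""
    parsed = {}
    for item in avpairs:
        name, sep, value = item.partition("=")   # split on the first '=' only
        if not sep:
            raise ValueError(f"not a name=value pair: {item!r}")
        parsed.setdefault(name.strip(), []).append(value.strip())
    return parsed


def allowed_hosts(parsed, list_name):
    """Hosts with an ACCEPT entry in the named access list.
    Entry layout assumed from the table: list,ACCEPT,protocol,host,port."""
    hosts = set()
    for entry in parsed.get("access-list", []):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) >= 4 and fields[0] == list_name and fields[1].upper() == "ACCEPT":
            hosts.add(fields[3].lower())
    return hosts


def check_colubris_config(avpairs):
    """Return a list of problem strings; an empty list means the set passes."""
    parsed = parse_avpairs(avpairs)
    problems = [f"missing attribute {name}" for name in REQUIRED if name not in parsed]
    if "use-access-list" not in parsed:
        return problems
    list_name = parsed["use-access-list"][0]
    hosts = allowed_hosts(parsed, list_name)
    if not hosts:
        problems.append(f"access list {list_name!r} has no ACCEPT entries")
    for name in URL_ATTRS:
        for url in parsed.get(name, []):
            host = urlsplit(url).hostname
            if host is None:
                problems.append(f"{name} is not a URL: {url!r}")
            elif host not in hosts:
                problems.append(f"{name} host {host} is not in access list {list_name!r}")
    return problems


def colubris_avpairs(hostname, port=1080):
    """Render the minimum set from the table above for a given CoovaRADIUS host."""
    base = f"http://{hostname}:{port}/colubris.jsp"
    return [
        f"login-url={base}?c=%c&m=%m&n=%n&l=%l&o=%o&i=%i&p=%p&C=%C&r=%r",
        f"transport-page={base}?page=transport",
        f"session-page={base}?page=session",
        f"fail-page={base}?page=fail",
        f"logo={base}?page=logo",
        f"access-list=coova,ACCEPT,tcp,{hostname},80",
        "use-access-list=coova",
    ]


if __name__ == "__main__":
    # Constructed sample: the table's minimum set for radius.example.net.
    for problem in check_colubris_config(colubris_avpairs("radius.example.net")) or ["ok"]:
        print(problem)
```

The check deliberately compares hosts only, not ports: the table's access-list entry allows port 80 while the portal URLs use port 1080, and the manual presents that pairing as the working minimum.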
Instead of creating the Colubris Config Attribute Set and adding attributes individually, you can simply add a single Named Value configuration (under the System / Named Values tab in CoovaRADIUS) for the Global Network with the Name colubris.portalUrl. The Value should be the base URL of the CoovaRADIUS captive portal, as shown below for our example network.

The Administrative-User

Create a new User under the Users / Users tab for use as the “Administrative-User”, the RADIUS credentials that are used by the Colubris for configuration purposes. In this example, we use the Username colubris and, for demonstration purposes, a Password of the same. Check both Can own access points and Administrative-User, then select the Colubris Config Attribute Set that we just created.

While creating users, we additionally created the regular test user. In this case, the user is not an Administrative-User and we select local for the Realm. For this regular user to have access to the network for testing, we add an entry under Access / User Access. We grant the test user unlimited (no access policy) access to the Global Network.

Access Points

As RADIUS starts arriving at the CoovaRADIUS server, Access Points are automatically added to the system based on the Called-Station-Id RADIUS attribute, which is typically the MAC address of the wireless interface. With the Colubris, since it uses a different Called-Station-Id for its Administrative-User session versus regular sessions, you will currently see two Access Points per gateway. As Access Points appear, Edit them to set the Network to Global Network.

8.7 MikroTik Setup

In this short example, we configure the MikroTik to use the embedded (MikroTik) captive portal and CoovaRADIUS.
Note: At this time, the Drupal portal and the CoovaRADIUS embedded portal do not work with MikroTik’s access controller.

Objectives

◦ Basic MikroTik configuration,
◦ Use the hostname internal.coova.net for the embedded captive portal,
◦ Install an SSL certificate for the hostname and configure it to use SSL,
◦ Set up a PPTP VPN tunnel to protect RADIUS,
◦ Set up RADIUS to point to CoovaRADIUS over the VPN, and
◦ Set up the Hotspot module.

WinBox

Use WinBox to connect to your MikroTik router.

Resources

◦ http://wiki.mikrotik.com/wiki/Main_Page
◦ http://wiki.mikrotik.com/wiki/Manual:Winbox

8.7.1 Basic Network Setup

For a basic setup, here is what we want:

◦ WAN connection on ether1 and a DHCP Client to configure it,
◦ WLAN access point on wlan1 broadcasting a signal,
◦ A bridge interface containing wlan1, ether2, and ether3,
◦ The Hotspot module running on the bridge.

WAN Interface: From the DHCP Client window, click on the plus sign to add a new DHCP Client on the ether1 interface.

WLAN Interface: From the Wireless window, enable the wlan1 interface if disabled. Configure the interface with Mode ap bridge and rename the SSID.

Hotspot Bridge: Since we want to run a Hotspot on both the wireless and one or more of the Ethernet ports, we will create a Bridge interface. Add the wlan1, ether2, and ether3 interfaces.

From the Address List window, click on the red plus sign to add a new IP address. Assign an IP to the Hotspot bridge just created. In this example, we use 172.16.1.1.

From the Hotspot window (under the IP menu), start out by selecting Hotspot Setup. Select the hotspotBridge interface, then keep hitting Next, accepting the defaults. We will go back to edit the configuration afterwards.
8.7.2 PPTP VPN Tunnel (Optional)

From the Interfaces window, click on the red plus sign to show a menu of the possible interface types. Select to create a new PPTP Client interface.

Edit the interface to set the Dial Out properties. Enter the IP address, username, and password required for your PPTP server. The PPTP server in our example will configure the VPN such that the MikroTik will be assigned an IP address from the range 10.0.0.100 to 10.0.0.200, while the server side of the PPTP tunnel will have IP address 10.0.0.1. See section 1.8 for more information on setting up a PPTP server.

8.7.3 DNS

In the DNS window, create a record for the hostname used in your SSL certificate. Have this hostname point to the IP address of the internal captive portal address.

8.7.4 RADIUS

In the Radius window, create a record for the RADIUS server in your network. Enable the hotspot service and set the IP address and shared secret accordingly.

8.7.5 Installing SSL Certificate

Requirements:

◦ Your SSL private key in PEM format, with or without a password.
◦ Your CA-issued certificate in PEM format.
◦ Combine the key and certificate PEM files into a www.crt file.

Upload the www.crt file by dragging it into the Files window of WinBox. Note where the file is then located, most likely hotspot/www.crt.

From the Certificates window, select Import. Find the www.crt file, enter the password if there is one, and import the key. When imported, the certificate will be given a name, such as cert1. Be sure to delete the certificate file from the Files window.
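As an added example (not CoovaRADIUS or RouterOS code), the following Python builds the combined www.crt file from separate key and certificate PEM files and checks its structure before upload: exactly one private-key block, placed first, followed by at least one certificate block, and whether the key is password-protected, so you know to expect the password prompt at import. It assumes only what the steps above state about the file layout; the PEM blocks it ships with are constructed placeholders with valid base64 bodies, not real key material.

```python
"""Build and sanity-check the www.crt file for the MikroTik import (added example)."""
import base64
import re

# One PEM block: label, then base64 (possibly with header lines), then matching END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes, encrypted)] for each PEM block in text.
    Raises ValueError (from b64decode) if a body is not valid base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        # Legacy encrypted keys carry Proc-Type/DEK-Info header lines before the base64;
        # PKCS#8 encrypted keys are recognisable by their label alone.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines))
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        blocks.append((label, base64.b64decode(b64, validate=True), encrypted))
    return blocks


def build_www_crt(key_pem, cert_pem):
    """Concatenate key + certificate in the order the import expects, after
    checking each input holds the right kind of block. Returns the file text."""
    keys = [b for b in pem_blocks(key_pem) if b[0] in KEY_LABELS]
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block in certificate file")
    # Normalise line endings and make sure each block ends with a newline.
    key_text = key_pem.replace("\r\n", "\n").strip() + "\n"
    cert_text = cert_pem.replace("\r\n", "\n").strip() + "\n"
    return key_text + cert_text


def describe(www_crt):
    """(labels in file order, True if the key will need a password at import)."""
    blocks = pem_blocks(www_crt)
    return [b[0] for b in blocks], any(b[2] for b in blocks)


def _fake_pem(label, payload):
    # Constructed placeholder block: arbitrary bytes, not DER, wrapped at 64 columns.
    b64 = base64.b64encode(payload).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


SAMPLE_KEY = _fake_pem("PRIVATE KEY", b"constructed placeholder, not a real key " * 3)
SAMPLE_CERT = _fake_pem("CERTIFICATE", b"constructed placeholder, not a real certificate " * 3)
# Constructed legacy-format encrypted key (headers present, body is placeholder bytes).
SAMPLE_LEGACY_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                     + base64.b64encode(b"constructed placeholder ciphertext").decode()
                     + "\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    www_crt = build_www_crt(SAMPLE_KEY, SAMPLE_CERT)
    labels, needs_password = describe(www_crt)
    print("blocks:", labels, "password at import:", needs_password)
```

Run it against your real key.pem and cert.pem by reading the two files and passing their text to build_www_crt, then write the returned string to www.crt; after the import, remember the manual's instruction to delete www.crt from the Files window, since it holds the private key.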
8.7.6 Hotspot Server Profile

Create a Hotspot Server and give it a name. In this example, we give the hotspot a name that looks like a MAC address. We did this because CoovaRADIUS expects a MAC address in the Called-Station-Id RADIUS attribute. By default, the MikroTik uses the Name of the hotspot as the Called-Station-Id. Ideally, use the MAC address of your wireless interface as the profile name. When creating a new hotspot, use the Hotspot Setup feature to quickly get things started. Then go back and edit where necessary.

Under the Server Profiles menu, edit the profile and set the Hotspot Address and DNS Name to be the same settings configured in section 8.7.3. Under the Login tab in the Hotspot Server Profile window, enable only HTTPS for Login By. Also configure the SSL Certificate to be the one we imported.

Under the RADIUS tab, enable Use RADIUS and set the Location ID and Location Name settings (Note: these values are important for iPass, as they are used in the GIS XML code). Enable Accounting.

8.7.7 Hotspot Walled Garden

Add the hostname pb.ipass.com to the walled garden. Also add the CRL address for your SSL Certificate Authority. In our case, this is crl.thawte.com.

9 API, GUI, & Web Services

With CoovaRADIUS installed and running, access:

https://localhost:1800/ewt/home.html

9.1 CoovaEWT

The web based administrative interface is a static HTML and JavaScript application that uses Ajax calls back to the server, using the JSON data format. The Ajax/API calls are mostly done through a single URL, with query string parameters possibly added.
Here is the EWT API when running on the localhost:

https://localhost:1800/ewt/json

The web administrative interface uses the URL to retrieve the GUI screens as well as the data for tables and settings. As such, the GUI of the administrative interface is customizable by editing XML files in the server. Additionally, the data services exposed through the EWT URL serve as a pure API into the system.

Query string parameters for the EWT URL:

Parameter    Description
res          Main “resource” type; for API use it is most often service.
s            The service name to perform; set to table for EWT Table Services.
table        When s=table, this value defines which table service to perform.

9.2 EWT Tables

With s=table and table set, the following are valid:

Parameter    Description
start        Sets the offset into the result set, for paging.
max          Maximum number of results in the result set.
sort         Table field to sort on.
desc         Set to true or false for a descending or ascending sort order, respectively.
update       When set to true, the POST data record is updated in the database table.
new          When set to true, the POST data record is added to the database table.
delete       When set to true, the POST data record is deleted from the database table.

9.2.1 Searching Records

When searching, meaning that the new, update, and delete options are not being used, the following query string parameters can be used to set search criteria. The field name is the table field name in Java bean format.

Parameter                      SQL Query
fieldIsNull                    field is null
fieldIsNotNull                 field is not null
fieldLike                      field like value (string valued fields only)
fieldEqualTo                   field = value
fieldNotEqualTo                field <> value
fieldGreaterThan               field > value
fieldGreaterThanOrEqualTo      field >= value
fieldLessThan                  field < value
fieldLessThanOrEqualTo         field <= value
fieldIn                        field in ( value, value, ... )
fieldNotIn                     field not in ( value, value, ... )
fieldBetween                   field between value, value
fieldNotBetween                field not between value, value

Examples

Some example requests. The first shows a select on the Users table limiting results to 5. The following two queries place criteria on the realm field to search for users within certain Realms.

    GET /ewt/json?res=service&s=table&table=radUser&start=0&max=5&sort=id&desc=true
    GET /ewt/json?res=service&s=table&table=radUser&realmEqualTo=1
    GET /ewt/json?res=service&s=table&table=radUser&realmIn=1,2

In all cases, when returning a result set, the JSON format is as follows. The entire response is wrapped in a service object which contains the total number of rows selected by the query in count and the rows themselves (up to max of them) in a JSON array. The JSON array of table row objects is named based on the table. In this example, that is the radUser table. Note that a radUser row carries the password field, so responses from this table are credentials and should be handled as such.

    { "service": [ {
        "count": 100,
        "radUser": [ {
            "uid": 1,
            "userName": "test",
            "email": "[email protected]",
            "realmId": 1,
            "realmId_display": "coova.org (1)",
            "password": "test",
            "userDefault": false,
            "ownsClientDevices": true,
            "ownsAccessPoints": false,
            "timeZone": "",
            "administrativeUser": false,
            "macauthAllowed": false,
            "anonApOk": false,
            "eapOnly": false,
            "eapTlsOnly": false,
            "userNetworkOnly": false,
            "createdDate": "Thu Oct 16 18:03:07 CEST 2008",
            "disabled": false
        },
        ... ]
    } ] }

9.2.2 Adding Records

With the parameter new=true set, the POST data is taken to create a new record in the database table.

    POST /ewt/json?res=service&s=table&new=true&table=radRealm
    { "realm": "test", "ownerId": 1 }

9.2.3 Updating Records

With the parameter update=true set, the POST data is taken to update a record in the database table.

    POST /ewt/json?res=service&s=table&update=true&table=radRealm
    { "uid": 1, "realm": "test", "ownerId": 1, ... }

9.2.4 Deleting Records

With the parameter delete=true set, the POST data is taken to delete a record in the database table based on the unique id uid.
    POST /ewt/json?res=service&s=table&delete=true&table=radRealm
    { "uid": 1, ... }

9.3 EWT Permissions

10 Data Services - API

The platform can be accessed remotely and programmatically using the Application Programming Interface (API).

API URL: /ewt/json

10.1 Naming

Within the API, the names of tables and columns of tables are in standard Java bean format. Meaning, everywhere there is a “_” in a name, be it a table or column name, the underscore is removed and the following letter is capitalized. For example, the column name realm_id is known as realmId. For the table data services, the table names are similarly renamed, though in the singular form.

10.2 EWT Table Services

Service Name          Database Table            Notes
radAccessCodeSet      rad_access_code_sets      Access code sets, see section 5.7.
radAccessCode         rad_access_codes          Access codes, see section 5.7.
radAccessPoint        rad_access_points         Access points, see section 5.5.
radAccessPolicy       rad_access_policies       Access policies, see section 5.6.
radAccessVoucher      rad_access_vouchers       Access vouchers, see section 5.6.
radActiveSessions     rad_sessions              Selects only active sessions.
radAttributeSet       rad_attribute_sets        Attribute sets, see section 5.11.
radAttributeType      rad_attribute_types       Attribute types, see section 5.11.
radAttribute          rad_attributes            Attributes, see section 5.11.
radClientDevice       rad_client_devices        Client devices, see section 5.3.
radConfig             rad_configs               General server configurations, see section 5.14.
radControllerType     rad_controller_types      Access controller types.
radDeviceVendor       rad_device_vendors        IEEE registered device vendors.
radLog                rad_logs                  RADIUS logs, when enabled on a per Access Point basis.
radMacBlacklist       rad_mac_blacklist         Banned devices, see section 5.3.2.
radMacWhitelist       rad_mac_whitelist         Authorized devices, see section 5.3.1.
radNamedValue         rad_named_values          Named values, see section 5.12.
radNetRealm           rad_net_realms            Network realms, see section 5.9.
radNetUser            rad_net_users             Network users, see section 5.8.
radNetwork            rad_networks              Networks, see section 5.4.
radPaymentProfile     rad_payment_profiles      Payment profiles table.
radPayment            rad_payments              Payments table.
radRealmRoute         rad_realm_routes          Realm routes table.
radRealm              rad_realms                Realms, see section 5.1.
radReportType         rad_report_types          Report types.
radReport             rad_reports               Reports.
radSession            rad_sessions              RADIUS sessions, see section ??.
radUser               rad_users                 Users, see section 5.2.
radWalledGarden       rad_walled_garden         Walled garden, see section ??.
radX509Certificate    rad_x509_certs            X509 certificates and private keys.
radX509CA             rad_x509_certs            Selects Certificate Authorities only.

10.3 Other EWT Services

10.3.1 coova-users

10.3.2 coova-network

10.4 EWT PHP Client

PHP API

For PHP website integration, the same JSON formatted services used for the web interface are accessible through the CoovaRADIUSClient class, contained in the file CoovaRADIUSClient.php. The class is an extension of EWTClient, found in EWTClient.php. The EWTClient uses the PHP internal JSON parsing routines and curl (libcurl) for the HTTP(S) client. The EWTClient tries to abstract as much as possible of the underlying JSON formatting of the API. The CoovaRADIUSClient class provides the higher level functions.
For example, this function, which uses EWTClient to add a user:

    function createUser($data) {
        $ewt = $this->ewtClient();
        $res = $ewt->doAction('coova-users', 'create', $data);
        $ewt->close();
        return $res;
    }

Here is an example use:

    require_once 'EWTClient.php';
    require_once 'CoovaRADIUSClient.php';

    $url = 'https://localhost:1800/ewt/json';
    $ewt = new CoovaRADIUSClient($url, 'admin', 'admin');

    function customNewUser($ewt, $username, $password) {
        $data = array(
            'realmId'   => 1,          // pre-configured realm
            'networkId' => 1,          // pre-configured network
            'userName'  => $username,
            'password'  => $password,
            'netUser'   => array('networkId' => 1)
        );
        return $ewt->createUser($data);
    }

This will not only create the user in the Users table, but also create a Network User entry for the network with Id 1 (pre-defined in the database, in this case the "Global Network"). This will allow the user to actually access the network.

JSON data is converted into PHP arrays, as the output of this example demonstrates:

    // Access code example
    var_dump($ewt->provisionAccessCode(array('accessPolicyId' => 1)));

Which results in:

    array(4) {
      ["uid"] => int(14)
      ["username"] => string(8) "joLvRTET"
      ["accessPolicyId"] => int(1)
      ["password"] => string(8) "4njYg6uN"
    }

10.5 Examples

Note that -k (--insecure) tells curl to skip verification of the server certificate, so with it present the --cacert ca.pem option is not enforced; drop -k once ca.pem holds the CA that issued the server's certificate.

    $ curl --cacert ca.pem --key key.pem --cert cert.pem -k \
      "https://ewt-server:1800/ewt/json?res=service&s=table&table=radAccessPoint&macAddressLike=00-1
    {"service":[
      {"radAccessPoint": [{"uid":1,
        "location":"My_HotSpot",
        "ownerId":2,
        "calledStationId":"00-12-CF-80-68-71",
        "networkId":1,
        "vendorId_display":"Accton Technology Corp (3953)",
        "macAddress":"00-12-CF-80-68-71",
        "vendorId":3953,
        "attributeSetId_display":"",
        "networkId_display":"Global Network (1)",
        "reversedAccounting":true,
        "ownerId_display":"c9w (2)",
        "name":"nas01",
        "controllerTypeId_display":"CoovaChilli (2)",
        "nasIpAddress":"10.99.100.1",
        "wanIpAddress":"62.163.177.27",
        "nasIdentifier":"nas01",
        "createdDate":"2010-06-23 08:17:44 UTC",
        "controllerTypeId":2}],
      "count":1}]
    }

11 Google Maps

CoovaRADIUS supports the use of Google Maps to aid in the geo-positioning of networks and access points.

11.1 Configure API Key

For Google Maps to work, you need to sign up for a Google API Key, which has to match the URL of the website showing the maps. CoovaRADIUS user interfaces, maps included, can be embedded into a variety of sites. In order to have Google Maps work, CoovaRADIUS must know the API key to use. With no API key configured, Google Maps will not be available and the above will be shown.

To acquire a Google Maps API key, visit:

http://code.google.com/apis/maps/signup.html

Enter the hostname of the CoovaRADIUS interface to generate a key for it. In our example we are using https://localhost:1800/, and we generated a key for that URL. Once generated, enter the API key into the CoovaRADIUS configuration under the System menu and the Named Values sub-menu. Create a new Named Value Configuration entry, setting everything to none except the Name and Value fields. For the Name, enter:

com.google.api.key.siteKey

Where siteKey is either the HTTP Host the interface is being viewed at (e.g. com.google.api.key.localhost:1800) or the Drupal Realm if the maps are being injected into a Drupal site (e.g. com.google.api.key.drupal-site). If your CoovaRADIUS administration interface is available using multiple URLs, then repeat the API key generation and configuration process for each hostname that will be used.

11.2 Geo Coordinate Administration

For each network you wish to use maps with, start out by positioning the “center” of the network. CoovaRADIUS will use the network center as the default position when showing maps of access points.
To jump to a location, enter the address of the location in the search field and click find. Move the marker to the exact location and you will see the coordinates automatically filled in to the form. Once the position is correct, be sure to click Save.

Once the network center is set, go and adjust the location of each access point. In a similar fashion, move the marker to the exact location of the access point and click Save when done.

11.3 Administration in Drupal

Maps can also be used in the embedded Drupal user interfaces. Set the “center” of the network and the default zoom level, as shown above.

Adjust the position of each access point, clicking on Save when done.

11.4 Public Map in Drupal

Exposing a map to the public can be done easily by embedding the CoovaRADIUS interface directly into a Drupal web page. The above map is generated using the following Drupal page content, using PHP code as the Input format:

    <?php echo ewt_div('drupal-my-network-map', '', "{ }"); ?>

11.5 Map Info Window

The contents of the map info popup window can be changed on a network or access point basis. The default content shows the network name and access point name.

To change it, add an entry in the Named Values configuration with the key name com.coova.map.APInfo. If there is an entry with that key name associated with the specific network and access point, then the value is used for the popup window content.
Add an entry associated only with a network (leaving the access point on none) and the value will be used for all access points that otherwise don’t have a specific entry.

12 Other Topics

12.1 Working with iPass

You can use your CoovaRADIUS server to roam with iPass. Here is some important information on how to comply with the iPass requirements and how to set up and use CoovaRADIUS.

12.1.1 RADIUS VPN Tunnel

The RADIUS traffic from the access controllers must not go over the open Internet. Typically for Hotspots, this means you have to tunnel the RADIUS using a VPN or RadSec (RADIUS over TLS).

12.1.2 CoovaRADIUS Realm & Route

Configuring CoovaRADIUS for iPass requires adding the iPass NetServer as a RADIUS Server under Routing / Servers in the CoovaRADIUS administration.

Under Routing / Realms, add a Realm for ipass. Click the Routes tab and add a realm route to the iPass NetServer entry.

13 About Coova Technologies

Coova Technologies, LLC is a leading provider of commercial and open-source solutions for the wireless and WiFi Hotspot markets. The Coova platform allows companies to manage wireless networks through a comprehensive, flexible set of solutions that centralize and integrate RADIUS software, router firmware, and a web toolkit for client side interfaces. CoovaRADIUS and the open-source JRadius are Java based RADIUS solutions. CoovaChilli, found in commercial firmware worldwide, is an open-source access controller that brings captive portal features to a wide range of third-party routers. CoovaEWT is an extensive embedded web toolkit that provides the client-side interface to Coova components. CoovaEWT APIs are integral to all Coova products. More about Coova commercial solutions can be found at www.coova.com.
More about Coova open-source solutions can be found at www.coova.org.

14 Licensing

14.1 Coova Software License

Coova Technologies, LLC SOFTWARE LICENSE AGREEMENT

NOTE: THIS AGREEMENT WILL ONLY APPLY TO THE EXTENT THAT NO BINDING AGREEMENT, WRITTEN OR ELECTRONIC, (THE "OTHER AGREEMENT") IS ALREADY IN PLACE BETWEEN CUSTOMER (DEFINED BELOW) AND COOVA TECHNOLOGIES, LLC. PERTAINING TO THE SOFTWARE PRODUCT TO WHICH THIS AGREEMENT APPLIES. TO THE EXTENT THAT ANY OTHER AGREEMENT IS IN EFFECT, THEN SUCH OTHER AGREEMENT WILL GOVERN CUSTOMER'S DOWNLOAD AND USE OF THE SOLUTION AND RECEIPT OF PROFESSIONAL SERVICES AND THIS AGREEMENT WILL NOT APPLY EVEN IF YOU ARE REQUIRED TO CLICK THE BOX AFFIRMING YOUR CONSENT TO THE TERMS OF THIS AGREEMENT.

BY COMPLETING THE ONLINE REGISTRATION FORM AND CLICKING THE "I AGREE" BUTTON, YOU SUBMIT TO COOVA TECHNOLOGIES, LLC., A CALIFORNIA LIMITED LIABILITY COMPANY ("WE" OR "COOVA"), AN OFFER TO OBTAIN THE RIGHT TO USE THE SOLUTION AND RECEIVE PROFESSIONAL SERVICES (AS DEFINED BELOW) UNDER THE PROVISIONS OF THIS LICENSE AND PROFESSIONAL SERVICES AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "I AGREE" BUTTON, YOU HEREBY AGREE THAT YOU HAVE THE REQUISITE AUTHORITY, POWER AND RIGHT TO FULLY BIND THE PERSON AND/OR ENTITIE(S) (COLLECTIVELY, THE "CUSTOMER") WISHING TO USE THE SOLUTION LISTED ON THE ORDER CONFIRMATION PAGE, PRICING SCHEDULE, QUOTE AND/OR INVOICE (EACH A "PURCHASE ORDER") WHICH COOVA PROVIDES TO CUSTOMER IN CONNECTION WITH THE PURCHASE OF LICENSES TO THE SOLUTION AND RECEIPT OF PROFESSIONAL SERVICES DESCRIBED BELOW. THE TERMS OF EACH ORDERING DOCUMENT WILL SET FORTH THE SPECIFIC TERMS OF THE ORDER BUT ALL APPLICABLE TERMS AND CONDITIONS BELOW SHALL APPLY.
IF YOU DO NOT HAVE THE AUTHORITY TO BIND THE CUSTOMER OR YOU OR THE CUSTOMER DO NOT AGREE TO ANY OF THE TERMS BELOW, COOVA IS UNWILLING TO PROVIDE THE SOLUTION OR PROFESSIONAL SERVICES TO THE CUSTOMER, AND YOU SHOULD NOT CLICK TO ACCEPT THE TERMS OF THIS AGREEMENT AND YOU SHOULD DISCONTINUE THE ORDER, DOWNLOAD AND/OR INSTALLATION PROCESS AND NOT REQUEST ANY PROFESSIONAL SERVICES OR SUPPORT. 1.0 Ordering The Purchase Order will specify the Coova standard software product offering ("Base Software"), any Modules or Feature Upgrades (each as defined below) that Customer is licensing, the number of production c 2010 Coova Technologies, LLC Page 105 of 119 CoovaRADIUS Server server instances, the number of RADIUS shared secrets and the shared secrets themselves, any consulting, configuration, customization or other professional services ("Professional Services") and all other necessary information. The Base Software and any Modules and/or Feature Upgrades acquired by Customer pursuant to an Purchase Order are collectively referred to as the "Solution". All Purchase Orders are incorporated herein by reference. Following Coovas acceptance of each Order Document and Customers payment of any initial fees (as described in Section 12.0 below) due under such Purchase Order, Coova will make the Solution available to Customer for download using a password protected account on Coovas website or an pre-authorized URL to an Amazon S3 storage location. Coova may make available to Customer certain optional functionality or services which may be provided as either an update or upgrade to the Base Software ("Feature Upgrade") or a separate stand-alone module ("Module"). Certain Feature Upgrades and Modules may require that the Customer agree to certain restrictions provided by Coova in advance which are in addition to the terms and conditions of this Agreement. 
Any additional or separate pricing associated with Feature Upgrades or Modules will be as set forth on the Purchase Order or otherwise agreed to by the parties in writing. 2.0 Solution, License Grants and Restrictions 2.1 License Grants Subject to the terms of this Agreement and during the applicable license term, Coova grants to Customer a limited, worldwide, non-exclusive, non-transferable license, without sublicense rights, to (a) unless otherwise expressly set forth within the Purchase Order, to install a single instance of the Solution in one (1) production environment and permit in accordance with the authorized license implementation set forth on the Purchase Order (as further described in Section 2.3 below), (b) if permitted by Coova in its sole discretion, install and use the portions of the Solution made available in source code format for internal testing purposes and to create modifications ("Customer Modification") to the Solution solely for purposes of developing bug fixes, customizations, or additional features pertaining to the Solution (and no other product or service), and (c) use and make a reasonable number of copies of any descriptions, instructions, or other documentation made available in connection with the Solution, if any ("Documentation"). Certain Modules are provided on a hosted basis and, in such instances, Customer will not install the Module but rather will access the Module via the functionality of the Base Solution. Coova takes no responsibility for and neither makes nor gives any guarantees, conditions or c 2010 Coova Technologies, LLC Page 106 of 119 CoovaRADIUS Server warranties with respect to any Customer Modifications or the Solutions interoperability with such Customer Modifications. Customer grants to Coova and its licensees a perpetual, irrevocable, worldwide, royalty-free, sublicenseable license under Customers intellectual property rights to use and otherwise exploit all Customer Modifications. 
The term of each license to the Solution purchased by Customer will commence on the date that Customer first receives access to the Solution and will continue for the period set forth on the Purchase Order. Upon expiration, the license term will automatically renew for successive terms of one (1) year each at the then current fees unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then current term. The license term for subsequently purchased licenses will be pro-rated so that all pre-existing and newly acquired licenses are coterminous.

2.2 License Restrictions

Except as otherwise expressly permitted under this Agreement, Customer agrees not to: (a) reverse engineer or otherwise attempt to discover the source code of or trade secrets embodied in the Solution or any portion thereof; (b) distribute, transfer, grant sublicenses to, or otherwise make available the Solution or Customer Modifications (or any portion thereof) to third parties, including, but not limited to, making such Solution or Customer Modifications available (i) through resellers or other distributors, or (ii) as an application service provider, service bureau, or rental source; (c) embed or incorporate in any manner the Solution or Customer Modifications (or any element thereof) into other applications of Customer or third parties; (d) create modifications to or derivative works of the Solution; (e) reproduce the Solution except that Customer may make up to two archival copies of the Solution solely for backup purposes; (f) attempt or permit any third party to attempt to modify, alter, or circumvent the license control and protection mechanisms within the Solution; (g) use or transmit the Solution in violation of any applicable law, rule or regulation, including any export/import laws; (h) in any way access, use, or copy any portion of the Solution code (including the logic and/or architecture thereof and any trade secrets included therein) to directly or indirectly develop, promote, distribute, sell or support any product or service that is competitive with the Solution; or (i) remove, obscure or alter any copyright notices or any name, trademark, service mark, hyperlink or other designation of Coova displayed on any display screen within the Solution ("Coova Marks"). Customer shall not permit any third party to perform any of the foregoing actions and shall be responsible for all damages and liabilities incurred as a result of such actions.

The Solution is a "commercial item," as that term is defined at 48 C.F.R. 2.101 (OCT 1995), and more specifically is "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (SEPT 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (JUNE 1995), the Solution is provided to U.S. Government End Users (i) only as a commercial end item and (ii) with only those rights as are granted to all other end users pursuant to the terms and conditions herein.

2.3 License Implementation Types

Except with respect to the Modules, which shall be licensed pursuant to the specific terms related to such Module set forth on the relevant Purchase Order, such Purchase Order will designate which of the following Solution license implementation types the Customer will receive: (a) Single Network: Customer may use the Solution for a single network, using a single RADIUS shared secret, and on a single production server; and (b) Service Provider License: Under this licensing scheme, Customer may use the Solution with unlimited RADIUS shared secrets on the number of production servers specified in the Purchase Order.

2.4 Bankruptcy

All licenses granted pursuant to this Agreement are, for purposes of Section 365(n) of the U.S. Bankruptcy Code, deemed to be licenses of rights to "intellectual property" as defined under Section 101 of the U.S. Bankruptcy Code. In any bankruptcy or insolvency proceeding involving Coova, Customer, as licensee of such rights, will retain and fully exercise all of its rights and elections under the U.S. Bankruptcy Code, which will apply notwithstanding conflict of law principles.

3.0 Support and Maintenance

Solution support and maintenance services ("Support Services") may be ordered at the "Standard" or "Premium" level. Pricing for such Support Services will be set forth on the Purchase Order; provided, however, that Standard Support Services shall be provided in connection with each subscription license for no additional cost. The terms of Standard and Premium Support Services can be found on Coova's website along with additional support-related terms which are incorporated herein by reference.

4.0 Professional Services

If indicated in an Order Form, Coova will perform Professional Services. The particulars of each Professional Services engagement will be as set forth in one or more statements of work (each an "SOW") entered into by the parties. Customer will provide all assistance reasonably requested by Coova in connection with the Professional Services. Coova will retain all right, title and interest in and to all deliverables (including any and all intellectual property rights therein) provided under each SOW ("Deliverables") except to the extent that they contain any information that Customer can document is its proprietary and confidential information. Customer's rights to the Deliverables shall be the same as Customer's rights to the Solution.
5.0 Publicity

During the Term of this Agreement, Customer hereby agrees that Coova shall have the right, but not the obligation, to include Customer's name and logo as a customer who uses the Solution on the Coova website and in other materials promoting the Solution.

6.0 Proprietary Rights

As between the parties, Coova will retain all ownership rights in and to the Coova Marks, the Solution (including any optional functionality), the Documentation, Deliverables, all updates and upgrades provided as part of Support Services and other derivative works of the Solution and/or Documentation that are provided by Coova, and all intellectual property rights incorporated into or related to the foregoing. Customer acknowledges that the goodwill associated with the Coova Marks belongs exclusively to Coova and, upon request, Customer will modify or cease its use of any Coova Marks. All rights not expressly licensed by Coova under this Agreement are reserved.

7.0 Warranties and Disclaimer

7.1 Warranties

Each of the parties represents and warrants that it has all necessary corporate power and authority to enter into and perform its obligations under this Agreement. To Coova's knowledge, the use by Customer of the Solution (exclusive of any third party or open source materials included therein) when and as provided under this Agreement does not misappropriate or infringe any U.S. copyrights or U.S. trade secrets of any third party.

7.2 Disclaimer

The express warranties in Section 7.1 are the exclusive warranties offered by Coova and all other conditions and warranties, including, without limitation, any conditions or warranties of fitness for a particular purpose, non-infringement, accuracy, quiet enjoyment, title, merchantability and those that arise from any course of dealing or course of performance are hereby disclaimed. Coova does not warrant that Customer's use of the Solution will be uninterrupted or error-free, that errors will be corrected or that it will be free of viruses or other harmful components. The Solution (including all components thereof), the Support Services, the Professional Services and all Deliverables are provided "as is" and without warranty of any kind.

8.0 Indemnification

Each party will indemnify, defend, and hold the other harmless from and against any and all liabilities, damages, losses, claims, costs, and expenses (including attorneys' fees) arising out of or resulting from any violation of such party's representations and warranties set forth in Section 7.1 above. In the event of any third party action, suit, proceeding or investigation for which indemnification is sought (the "Proceeding"), the other party shall promptly notify the indemnifying party, provided that any failure to so notify the indemnifying party will not relieve the indemnifying party from any liability or obligation which it may have to any indemnified person except to the extent of any material prejudice to the indemnifying party resulting from such failure. If any such Proceeding is brought against an indemnified person, the indemnifying party will be entitled to assume and control the defense thereof. Each indemnified person will be obligated to cooperate reasonably with the indemnifying party, at the expense of the indemnifying party, in connection with such defense and the compromise or settlement of any such Proceeding. The foregoing indemnification shall not apply to the extent that any action by the indemnified party gives rise to or otherwise enhances any such claim.

9.0 Limitations on Liability

To the extent permitted by law, in no event shall Coova be liable to Customer, users or to any third party in connection with this Agreement, including the Solution, Support Services and intellectual property provided hereunder, whether under theory of contract, tort or otherwise, for (a) any indirect, incidental, punitive, consequential, or special damages (including any damage to business reputation, lost profits or lost data), whether foreseeable or not and whether Coova is advised of the possibility of such damages or (b) any amounts in excess of the total of the Fees actually paid and the fees payable to Coova by Customer under this Agreement during the one (1) year period prior to the date that such liability first arises.

10.0 Confidentiality

The Solution and all trade secret information incorporated therein or derived, directly or indirectly, therefrom are confidential information of Coova. Customer shall keep in confidence and trust and not disclose or disseminate, or permit any employee, agent or other party working under Customer's direction to disclose or disseminate, the substance of any such confidential information of Coova. The commitments in this Agreement will not impose any obligations on Customer with respect to any portion of the received information which, as evidenced by independent documentation: (a) is now generally known or available or which hereafter, through no act or failure to act on Customer's part, becomes generally known or available; or (b) is rightfully known to Customer at the time of receiving such information. Customer acknowledges that monetary damages may not be a sufficient remedy for unauthorized disclosure or use of Coova's confidential information and that Coova may seek, without waiving any other rights or remedies, such injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction.
11.0 Term, Termination and Effect

This Agreement shall continue in effect until terminated as set forth herein. The applicable license term for each license purchased will be as set forth in the applicable Purchase Order. This Agreement may be terminated by either party if the other party materially breaches this Agreement and does not cure the breach within thirty (30) days after receiving written notice thereof from the non-breaching party (except that such cure period shall be five (5) days for breaches of Sections 2 or 12). Additionally, a particular Purchase Order may be terminated by Coova in the event that Customer fails to pay applicable fees when due. Upon any termination of this Agreement, without prejudice to any other rights or remedies which the parties may have, (a) all rights licensed and obligations required hereunder shall immediately cease; provided that Sections 2.2, 6.0, 8.0 through 11.0 and 14.0 shall survive termination, (b) Customer will promptly delete and destroy all instances of the Solution in its possession or control (if any), and (c) Customer shall pay to Coova any outstanding fees that have accrued prior to the date of termination.

12.0 Fees and Payment

Subject to the terms and conditions below, all fees for the Solution licenses, Professional Services and/or Support Services will be set forth on the applicable Purchase Order. Unless otherwise agreed to in writing by the parties, Customer will pay all undisputed fees owed within thirty (30) days after Coova's issuance of an invoice pertaining thereto. Payments will be sent to the address included on the invoice. All amounts payable shall be in the currency of the United States and specifically exclude (and Customer is responsible for) any and all applicable sales, use and other taxes (other than taxes based on Coova's income). Each party is responsible for its own expenses under this Agreement.

13.0 Audit

Not more than once each year, Coova will have the right to perform an audit to verify that Customer is using the Solution in compliance with this Agreement. That audit will be performed during normal business hours upon not less than fifteen (15) days prior written notice to Customer. That audit will be conducted at Coova's sole cost and expense and will be subject to reasonable security and access restrictions. Customer will be permitted to have Customer personnel present during the audit. If an audit conducted under this Section discloses that Customer has underpaid by more than five percent (5%) any license Fees payable under this Agreement during the period covered by the audit, Customer will pay Coova the amount of that underpayment and, in addition, will reimburse Coova's reasonable and actual costs for that audit.

14.0 Miscellaneous

The parties are independent contractors with respect to each other, and nothing in this Agreement shall be construed as creating an employer-employee relationship, a partnership, agency relationship or a joint venture between the parties. Each party will be excused from any delay or failure in performance hereunder, other than the payment of money, caused by reason of any occurrence or contingency beyond its reasonable control, including but not limited to acts of God, earthquake, labor disputes and strikes, riots, war and governmental requirements. The obligations and rights of the party so excused will be extended on a day-to-day basis for the period of time equal to that of the underlying cause of the delay. This Agreement controls the actions of all party representatives, officers, agents, employees and associated individuals. The terms of this Agreement shall be binding on the parties, and all successors to the foregoing. Customer will not assign, transfer or delegate its rights or obligations under this Agreement (in whole or in part) without Coova's prior written consent. Any attempted assignment, transfer or delegation in violation of the foregoing shall be null and void. All modifications to or waivers of any terms of this Agreement must be in a writing that is signed by the parties hereto and expressly references this Agreement. This Agreement shall be governed by the laws of the State of Oregon, without regard to Oregon conflict of laws rules. The exclusive venue and jurisdiction for any and all disputes, claims and controversies arising from or relating to this Agreement shall be the state or federal courts located in Multnomah County, Oregon. Each party waives any objection (on the grounds of lack of jurisdiction, forum non conveniens or otherwise) to the exercise of such jurisdiction over it by any such courts. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the interpretation or enforcement of this Agreement. In the event that any provision of this Agreement conflicts with governing law or if any provision is held to be null, void or otherwise ineffective or invalid by a court of competent jurisdiction, (a) such provision shall be deemed to be restated to reflect as nearly as possible the original intentions of the parties in accordance with applicable law, and (b) the remaining terms, provisions, covenants and restrictions of this Agreement shall remain in full force and effect. No waiver of any breach of any provision of this Agreement shall constitute a waiver of any prior, concurrent or subsequent breach of the same or any other provisions hereof, and no waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party. This Agreement includes any applicable Purchase Orders. Collectively the foregoing constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements or communications, including, without limitation, any quotations or proposals submitted by Coova. The terms on any purchase order or similar document submitted by Customer to Coova will have no effect and are hereby rejected. All notices, consents and approvals under this Agreement must be delivered in writing by courier, by facsimile, or by certified or registered mail (postage prepaid and return receipt requested) to the other party at its main corporate headquarters and sent to the attention of such party's Chief Executive Officer.

14.2 Third Party Licenses

Apache License 2.0

Apache License, Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution.

You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions.

Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks.

This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty.

Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability.

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability.

While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

BSD License

The BSD License

The following is a BSD license template. To generate your own license, change the values of OWNER, ORGANIZATION and YEAR from their original values as given here, and substitute your own. Also, you may optionally omit clause 3 and still be OSD conformant.

Note: On January 9th, 2008 the OSI Board approved the "Simplified BSD License" variant used by FreeBSD and others, which omits the final "no-endorsement" clause and is thus roughly equivalent to the MIT License.

Historical Note: The original license used on BSD Unix had four clauses. The advertising clause (the third of four clauses) required you to acknowledge use of U.C. Berkeley code in your advertising of any product using that code. It was officially rescinded by the Director of the Office of Technology Licensing of the University of California on July 22nd, 1999. He states that clause 3 is "hereby deleted in its entirety." The four clause license has not been approved by OSI. The license below does not contain the advertising clause. This prelude is not part of the license.

<OWNER> = Regents of the University of California
<ORGANIZATION> = University of California, Berkeley
<YEAR> = 1998

In the original BSD license, both occurrences of the phrase "COPYRIGHT HOLDERS AND CONTRIBUTORS" in the disclaimer read "REGENTS AND CONTRIBUTORS".

Here is the license template:

Copyright (c) <YEAR>, <OWNER>
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
MIT License

The MIT License

Copyright (c) <year> <copyright holders>

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

HSQLDB License

COPYRIGHTS AND LICENSES (based on BSD License)

For work developed by the HSQL Development Group:

Copyright (c) 2001-2010, The HSQL Development Group
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the HSQL Development Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HSQL DEVELOPMENT GROUP, HSQLDB.ORG, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

For work originally developed by the Hypersonic SQL Group:

Copyright (c) 1995-2000 by the Hypersonic SQL Group.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the Hypersonic SQL Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group.

SLF4J License

Copyright (c) 2004-2008 QOS.ch
All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

14.3 Third Party Notices