en:dpi:dpi_bestpractice:dpi_bestpractice_wifi_login [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

en:dpi:dpi_bestpractice:dpi_bestpractice_wifi_login [2020/08/26 10:44] lexx26
en:dpi:dpi_bestpractice:dpi_bestpractice_wifi_login [2023/08/28 14:53] (current) – removed elena.krasnobryzh
Line 1: Line 1:
-====== 4 Subscriber athorization in WiFi network by a phone number ====== 
-{{indexmenu_n>4}} 
-===== Introduction ===== 
-Due to the tightening of the rules of access through public WiFi hotspots to the network operator, there is a need to identify the subscriber's one way of using the phone number. In this example, we analyze the WiFi access using the athorization by the phone number of subscriber. 
- 
-===== Scheme ===== 
-Sequencing: 
-  - The subscriber is connected to a WiFi network 
-  - Showing a welcome page with the information that the user must open a browser and identify yourself ((for mobile devices such as iphone automatically displays the welcome page opens in a special browser mode, where you can not save the session cookie and the browser you want to open separately)) 
-  - Subscriber opens the browser, it goes to any URL, subscriber is redirected to the athorization page 
-  - on athorization page user enters a phone number and requests the access code 
-  - Access code sent to the phone number via SMS 
-  - Obtained access code the subscriber enters in the form field 
-  - Session cookies stored on the user device to prevent next redirection for a day ((session cookies are used to re-identify the subscriber in the network that would not be needed again to identify the caller by sending SMS, shelf life can be regulated operator yourself)), then user's browser is redirected to the requested URL 
- 
-For the network settings needed: 
-  - DHCP server for the centralized issuance of subscribers addresses with a possibility when issuing a new IP address to call a shell script ((feel plugged in to DPI)) 
-  - The virtual machine with installed Apache WEB-server (httpd), [[en:dpi:dpi_components:nfsen:start| module to view statistics and reports (nfsen)]] 
-  - Access to the service for sending SMS messages ((in this example www.smsdirect.ru service)) 
-  - (Optional) the NAT to reduce usage of IPv4 addresses, and the NAT log record translations IP <-> IP, PORT ((will not be considered further, to simplify the scheme)) 
-  - (Optional) the Radius authentication to get network subscriber identifier ((will not be considered further, to simplify the scheme)) 
- 
-Network schema (inline): 
-  -> WiFi router, configure to get IP from external DHCP server and welcome page setted ((welcome page is at WEB server)) 
-  -> Network routers 
-  -> VAS Experts DPI 
-  -> Border router 
- 
-all traffik from subscribers pass trought the VAS Experts DPI. 
- 
-The sequence of operation: 
-  - Subscriber unit is connected to a WiFi router 
-  - WiFi router requests a new IP from the DHCP server 
-  - DHCP server runs a shell script when new IP issued and sends the data to WiFi router 
-  - Shell script sets on the VAS Experts DPI whitelist service for subscriber and rate plan with access restrictions 
-  - Welcome page is shown to subsriber, the subscriber activates the browser and enters any URL 
-  - The VAS Experts DPI redirects the subcriber to athoruzation page, WEB-server shows the athorizathion page ((as verified by the presence of a cookie, if the cookie is there, then there is an automatic check-in according to the subscriber's network stored in a cookie)), the user enters a phone number and press "get the access code" 
-  - WEB-server receives a request for an access code generates a random number and sends it to the subscriber's phone, the user enters the code into the form and click to confirm 
-  - WEB-server receives a request for confirmation of access code if the code is correct, is a shell script to remove the service whitelist and activate WiFi default rate plan, sets a cookie in the browser and redirects to the requested URL 
- 
-[[http://vasexperts.ru/upload/ident.rar|source code]] 
- 
-===== VAS Experts DPI Settings ===== 
-Using class description in protocols.txt 
-  http    cs0 
-  https   cs0 
-  dns     cs0 
-  default cs1 
- 
-Cnverting: 
-  cat protocols.txt|lst2dscp /etc/dpi/protocols.dscp 
- 
-From the source code copy the directory to DPI server: 
-  htdocs/wifi/.script в /home/fastdpi/ 
-   
-Create file with default rate plan default_policing.cfg WiFi internet access with 10 mbit limits: 
-  htb_inbound_root=rate 10mbit 
-  htb_inbound_class0=rate 1mbit ceil 10mbit 
-  htb_inbound_class1=rate 1mbit ceil 10mbit 
-  htb_inbound_class2=rate 8bit ceil 10mbit 
-  htb_inbound_class3=rate 8bit ceil 10mbit 
-  htb_inbound_class4=rate 8bit ceil 10mbit 
-  htb_inbound_class5=rate 8bit ceil 10mbit 
-  htb_inbound_class6=rate 8bit ceil 10mbit 
-  htb_inbound_class7=rate 8bit ceil 10mbit 
-  htb_root=rate 10mbit 
-  htb_class0=rate 1mbit ceil 10mbit 
-  htb_class1=rate 1mbit ceil 10mbit 
-  htb_class2=rate 8bit ceil 10mbit 
-  htb_class3=rate 8bit ceil 10mbit 
-  htb_class4=rate 8bit ceil 10mbit 
-  htb_class5=rate 8bit ceil 10mbit 
-  htb_class6=rate 8bit ceil 10mbit 
-  htb_class7=rate 8bit ceil 10mbit 
- 
-Create file with rate plan captive_portal_hard.cfg to restrict access to internet only several application protocols to use with white list: 
-  htb_inbound_root=rate 256kbit 
-  htb_inbound_class0=rate 8bit ceil 256kbit 
-  htb_inbound_class1=rate 8bit ceil 8bit 
-  htb_inbound_class2=rate 8bit ceil 8bit 
-  htb_inbound_class3=rate 8bit ceil 8bit 
-  htb_inbound_class4=rate 8bit ceil 8bit 
-  htb_inbound_class5=rate 8bit ceil 8bit 
-  htb_inbound_class6=rate 8bit ceil 8bit 
-  htb_inbound_class7=rate 8bit ceil 8bit 
-  htb_root=rate 256kbit 
-  htb_class0=rate 8bit ceil 256kbit 
-  htb_class1=rate 8bit ceil 8bit 
-  htb_class2=rate 8bit ceil 8bit 
-  htb_class3=rate 8bit ceil 8bit 
-  htb_class4=rate 8bit ceil 8bit 
-  htb_class5=rate 8bit ceil 8bit 
-  htb_class6=rate 8bit ceil 8bit 
-  htb_class7=rate 8bit ceil 8bit 
- 
-Configure white list service: 
-  cp_server=yoursite.ru/welcome.php 
- 
-===== DHCP Configuration ===== 
-  - configure [[en:dpi:dpi_components:platform:subscriber_management:subsman_remote:subsman_remote_ssh|remote SSH control]] to DPI server 
-  - set trigger for new IP issue: ssh dpi_user@dpi_host "/home/fastdpi/_add_captive_portal.sh <IP>" 
- 
-===== Web Server Configuration ===== 
-  - configure [[en:dpi:dpi_components:platform:subscriber_management:subsman_remote:subsman_remote_ssh|remote SSH control]] to DPI server 
-  - configure Apache, example in directory conf/ of source code: \\ в conf.d/php.ini move/add settings from sample conf/php.ini\\ include file main.conf\\ configure DocumentRooot on /var/www/html/htdocs/wifi/ 
-  - copy htdocs/ in /var/www/html 
-  - edit /var/www/html/htdocs/wifi/.script/remove_captive_portal.sh 
-  - edit /var/www/html/htdocs/wifi/request.php set USER и PASSWORD for SMS service access
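
Review bot: the revision deletes the entire page (every line from the title down to the Web Server Configuration list) and leaves no stub or pointer to a successor, so readers following a link to dpi_bestpractice_wifi_login get no indication of whether the SMS login scheme is retired or documented elsewhere; keep a one-line note naming the replacement or stating that the scheme is no longer supported. If the text is reused in a new page, three items should not be carried over as written. In Web Server Configuration, the SMS service USER and PASSWORD are set in request.php and the DPI control script sits at .script/remove_captive_portal.sh, both inside the DocumentRoot /var/www/html/htdocs/wifi/, so the credentials and the script belong outside the served tree. In DHCP Configuration, the trigger `ssh dpi_user@dpi_host "/home/fastdpi/_add_captive_portal.sh <IP>"` should state that <IP> is checked to be a well-formed address before it is placed in the remote command line. In the Scheme section, the source archive is linked over plain http with no checksum, and the access code step says only "generates a random number" without stating a lifetime or an attempt limit for the code.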