Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_options:use_cases:dpi_bestpractice_wifi_login [2023/08/29 12:52] – elena.krasnobryzh
+++ en:dpi:dpi_options:use_cases:dpi_bestpractice_wifi_login [2024/10/14 12:15] (current) – [Subscriber athorization in WiFi network by a phone number] elena.krasnobryzh
@@ Line 1: / Line 1: @@
-====== dpi_bestpractice_wifi_login ======
+====== Subscriber athorization in WiFi network by a phone number ======
+{{indexmenu_n>4}}
+<note important> We recommend that you explore the [[en:dpi:dpi_components:module_wi-fi_hotspot|Wi-Fi HotSpot module]] feature, the control is carried out via [[en:dpi:dpi_components:dpiui| DPIUI2 graphical interface]]. \\
+There is an option for self-implementation of this module below.\\
+[[en:dpi:dpi_options:use_cases:wifi_hotspot_session_management|Detailed instructions on how to deploy Wi-Fi Hot Spot.]]</note>
+===== Introduction =====
+Due to the tightening of the rules for access through public WiFi hotspots to the operator's network, it became necessary to identify the subscriber in one of the ways by the phone number, by passport data or through the portal of state services. In this example, we will analyze the organization of access using subscriber identification by phone number.
+===== Workflow =====
+Sequencing:
+  - the subscriber connects to the WiFi network
+  - a welcome page appears with information, that the subscriber must open a browser and identify themselves ((for mobile devices, for example iphone, the automatically displayed welcome page opens in a special browser mode, in which session cookies cannot be saved and you need to open the browser separately.))
+  - the subscriber opens the browser, when going to any URL, the subscriber is redirected to the identification page
+  - the subscriber enters a phone number, requests an access code
+  - the access code is sent to the phone number via SMS
+  - the subscriber enters the received access code
+  - session cookies are written to the subscriber device with storage for 24 hours ((session cookies are used to re-identify the subscriber in the network so that it is not required to re-identify the subscriber by sending SMS, the storage period can be regulated by the operator independently.)) and the transition to the requested one occurs. user URL.
+For the network settings you will need:
+  - DHCP server for the centralized issuance of subscribers addresses with a possibility when issuing a new IP address to call a shell script ((feel plugged in to DPI))
+  - The virtual machine with installed Apache WEB-server (httpd), [[en:dpi:dpi_components:utilities:oldutility:nfsen| module for viewing statistics and reports (nfsen)]]
+  - Access to the service for sending SMS messages ((in this example www.smsdirect.ru service))
+  - (Optional) the NAT to reduce usage of IPv4 addresses, and the NAT log record translations IP <-> IP, PORT ((will not be considered further, to simplify the scheme))
+  - (Optional) the Radius authentication to get network subscriber identifier ((will not be considered further, to simplify the scheme))
+Network diagram (inline):
+  - WiFi router, configured to recieve IP from external DHCP server, and a welcome page setted ((welcome page is on the WEB server))
+  - Network routers
+  - Stingray Service Gateway
+  - Border router
+Thus, all subscriber traffic passes through the SSG.
+The sequence of operation:
+  - Subscriber unit is connected to a WiFi router
+  - WiFi router requests a new IP from the DHCP server
+  - DHCP server runs a shell script when new IP issued and sends the data to WiFi router
+  - Shell script sets on the SSG Allow list service for subscriber and rate plan with access restrictions
+  - Welcome page is shown to subsriber, the subscriber activates the browser and enters any URL
+  - The SSG redirects the subcriber to athoruzation page, WEB-server shows the athorizathion page ((as verified by the presence of a cookie, if the cookie is there, then there is an automatic check-in according to the subscriber's network stored in a cookie)), the user enters a phone number and press "get the access code"
+  - WEB-server receives a request for an access code generates a random number and sends it to the subscriber's phone, the user enters the code into the form and click to confirm
+  - WEB-server receives a request for confirmation of access code if the code is correct, is a shell script to remove the service Allow list and activate WiFi default rate plan, sets a cookie in the browser and redirects to the requested URL.
+[[http://vasexperts.ru/upload/ident.rar|Source code]]
+===== Stingray Service Gateway Settings =====
+Using class description in protocols.txt
+  http    cs0
+  https   cs0
+  dns     cs0
+  default cs1
+Converting:
+  cat protocols.txt|lst2dscp /etc/dpi/protocols.dscp
+From the source code copy the directory to DPI server:
+  htdocs/wifi/.script в /home/fastdpi/
+Create a tariff file default_policing.cfg for Internet access via WiFi - 10 mbit:
+  htb_inbound_root=rate 10mbit
+  htb_inbound_class0=rate 1mbit ceil 10mbit
+  htb_inbound_class1=rate 1mbit ceil 10mbit
+  htb_inbound_class2=rate 8bit ceil 10mbit
+  htb_inbound_class3=rate 8bit ceil 10mbit
+  htb_inbound_class4=rate 8bit ceil 10mbit
+  htb_inbound_class5=rate 8bit ceil 10mbit
+  htb_inbound_class6=rate 8bit ceil 10mbit
+  htb_inbound_class7=rate 8bit ceil 10mbit
+  htb_root=rate 10mbit
+  htb_class0=rate 1mbit ceil 10mbit
+  htb_class1=rate 1mbit ceil 10mbit
+  htb_class2=rate 8bit ceil 10mbit
+  htb_class3=rate 8bit ceil 10mbit
+  htb_class4=rate 8bit ceil 10mbit
+  htb_class5=rate 8bit ceil 10mbit
+  htb_class6=rate 8bit ceil 10mbit
+  htb_class7=rate 8bit ceil 10mbit
+Create a tariff file captive_portal_hard.cfg to block access to the Internet together with an Allow list:
+  htb_inbound_root=rate 256kbit
+  htb_inbound_class0=rate 8bit ceil 256kbit
+  htb_inbound_class1=rate 8bit ceil 8bit
+  htb_inbound_class2=rate 8bit ceil 8bit
+  htb_inbound_class3=rate 8bit ceil 8bit
+  htb_inbound_class4=rate 8bit ceil 8bit
+  htb_inbound_class5=rate 8bit ceil 8bit
+  htb_inbound_class6=rate 8bit ceil 8bit
+  htb_inbound_class7=rate 8bit ceil 8bit
+  htb_root=rate 256kbit
+  htb_class0=rate 8bit ceil 256kbit
+  htb_class1=rate 8bit ceil 8bit
+  htb_class2=rate 8bit ceil 8bit
+  htb_class3=rate 8bit ceil 8bit
+  htb_class4=rate 8bit ceil 8bit
+  htb_class5=rate 8bit ceil 8bit
+  htb_class6=rate 8bit ceil 8bit
+  htb_class7=rate 8bit ceil 8bit
+Configure an Allow list service:
+  cp_server=yoursite.ru/welcome.php
+===== DHCP Configuration =====
+  - configure [[en:dpi:dpi_components:platform:subscriber_management:subsman_remote#remote_execution_of_ssh_commands|remote command execution via SSH]] to DPI server
+  - set to trigger to issue a new IP: ssh dpi_user@dpi_host "/home/fastdpi/_add_captive_portal.sh <IP>"
+===== Web Server Configuration =====
+  - configure [[en:dpi:dpi_components:platform:subscriber_management:subsman_remote#remote_execution_of_ssh_commands|remote SSH control]] to DPI server
+  - configure Apache, example in directory conf/ of source code: \\ в conf.d/php.ini move/add settings from sample conf/php.ini\\ include file main.conf\\ configure DocumentRooot on /var/www/html/htdocs/wifi/
+  - copy htdocs/ in /var/www/html
+  - edit /var/www/html/htdocs/wifi/.script/remove_captive_portal.sh
+  - edit /var/www/html/htdocs/wifi/request.php set USER и PASSWORD for SMS service access