CoovaRADIUS Server - Amazon Web Services
Transcription
CoovaRADIUS Server - Amazon Web Services
Coova Technologies, LLC CoovaRADIUS Server www.coova.com February 4, 2011 c Coova Technologies, LLC Copyright CoovaRADIUS Server Contents 1 Installing CoovaRAIUS Server 1.1 2 General Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.1 Server Setup Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1.2 Install License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1.3 Starting and Stopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1.4 Change Admin Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2 Installation on Ubuntu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.3 Installation on MacOS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.4 Installation on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.5 VMWare & LiveCD (openSUSE) Appliance Setup . . . . . . . . . . . . . . . . . . . . . . . . 13 1.6 Using with MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 1.7 Using with BIRT Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 1.8 Virtual Private Network (VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 1.9 Installation Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2 Administration Web Interfaces 18 2.1 Setup Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.2 Main Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3 JSON API Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3 Embedded Captive Portal 19 3.1 Customizing the Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.2 An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 3.3 Auto-Login Redirection Handler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.4 Adding static content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.5 Using with SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4 External Captive Portals 4.1 22 Drupal Installation in openSUSE Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . c 2010 Coova Technologies, LLC 22 Page 1 of 119 CoovaRADIUS Server 4.2 Installing Drupal Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.3 CoovaRADIUS Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 4.4 Example configuration: Members only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 4.5 Example configuration: Selling access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 5 Data Model Overview 5.1 28 Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.1.1 Realm Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 5.2.1 Administrative-User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Client Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.3.1 Authorizing Client Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.3.2 Banning Client Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.4 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.5 Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 5.6 Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5.7 Access Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.8 Network User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.9 Network Realm Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.10 Access Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.11 Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.12 Named Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.13 X509 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.14 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.2 5.3 6 Testing with JRadiusSimulator 34 6.1 Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.2 Adding RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 6.3 Running Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.4 Testing against CoovaRADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 c 2010 Coova Technologies, LLC Page 2 of 119 CoovaRADIUS Server 6.5 Testing EAP-TLS and RadSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 6.6 Example Session Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 7 Working with CoovaEWT, Firmware, and CoovaRADIUS 47 7.1 Using CoovaEWT in CoovaFX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 7.2 Switching to CoovaRADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 8 Configuring Access Points 54 8.1 CoovaChilli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 8.2 CoovaAP 1.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 8.3 CoovaAP 2.x “Dashboard” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 8.4 Open-mesh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 8.5 Ubiquiti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 8.6 Colubris / HP Procurve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 8.6.1 PPTP VPN Tunnel (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 8.6.2 RADIUS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 8.6.3 Virtual Service Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 8.6.4 Public Access Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 8.6.5 CoovaRADIUS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 MikroTik Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 8.7.1 Basic Network Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 8.7.2 PPTP VPN Tunnel (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 8.7.3 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 8.7.4 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 8.7.5 Installing SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 8.7.6 Hotspot Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 8.7.7 Hotspot Walled Garden . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 8.7 9 API, GUI, & Web Services 82 9.1 CoovaEWT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 9.2 EWT Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 c 2010 Coova Technologies, LLC Page 3 of 119 CoovaRADIUS Server 9.3 9.2.1 Searching Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 9.2.2 Adding Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 9.2.3 Updating Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 9.2.4 Deleting Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 EWT Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 10 Data Services - API 85 10.1 Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 10.2 EWT Table Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 10.3 Other EWT Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 10.3.1 coova-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 10.3.2 coova-network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 10.4 EWT PHP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 10.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 11 Google Maps 89 11.1 Configure API Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 11.2 Geo Coordinate Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 11.3 Administration in Drupal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 11.4 Public Map in Drupal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 11.5 Map Info Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 12 Other Topics 98 12.1 Working with iPass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 12.1.1 RADIUS VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 12.1.2 CoovaRADIUS Realm & Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 13 About Coova Technologies 100 14 Licensing 101 14.1 Coova Software License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 14.2 Third Party Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 c 2010 Coova Technologies, LLC Page 4 of 119 CoovaRADIUS Server 14.3 Third Party Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 c 2010 Coova Technologies, LLC Page 5 of 119 CoovaRADIUS Server 1 Installing CoovaRAIUS Server The CoovaRADIUS Server is pure Java and is able to run on any popular operating system. If not listed now, ask us and we will look into packaging a version for your system. In general, we suggest Ubuntu/Debian or another popular Linux distribution, which will make installing Apache and Drupal a bit easier. 1.1 General Installation The CoovaRADIUS Server has been packaged for easy installation onto several different operating systems. There are some system dependent variations to where files are stored and how the server is started. In general, you will find the application has a directory containing the Java jar files, a data directory where configuration files and the embedded Derby database are stored, a launch script or program, and a directory containing licensing information. From the License Server, download the distribution for your operating system. Then cut-and-paste the license key somewhere safe. You will need it during the installation process. c 2010 Coova Technologies, LLC Page 6 of 119 CoovaRADIUS Server 1.1.1 Server Setup Web Interface After installing CoovaRADIUS based on the operating specific instructions for Ubuntu (section 1.2), Mac OS X (section 1.3), Windows (section 1.4), or VMWare/LiveCD (section 1.5), the setup is the same. An administrative web interface is available on the “localhost” port 2080. Use the default administrator username admin and password admin. http://localhost:2080/ The first time you start CoovaRADIUS, it may take a few minutes longer as it creates the database. Click the Refresh button to update the screen. c 2010 Coova Technologies, LLC Page 7 of 119 CoovaRADIUS Server 1.1.2 Install License Click on the License tab and enter in the license you saved from the License Server. Click on Add License and your changes will be saved. Go back to the Database Setup tab to Stop and Start the server for the license to take effect. c 2010 Coova Technologies, LLC Page 8 of 119 CoovaRADIUS Server 1.1.3 Starting and Stopping On the main tab in the setup interface, you have the options to Stop the running RADIUS services and to Shutdown the entire server. When installing a new license key, you want to Stop the RADIUS services. With the RADIUS service stopped, the database setup form is displayed. With the trial license, the only database option is the embedded Java Derby database. Click Start to have the RADIUS services start up. When running, a login form is shown. Use this form to login to the CoovaRADIUS administrative interface. The default username / password is admin / admin. After logging into the CoovaRADIUS interface, you can always return to this setup screen simply by reloading the current page in your browser. This will end the login session and return you to this screen. c 2010 Coova Technologies, LLC Page 9 of 119 CoovaRADIUS Server Once logged in, if you are using a trial license, you will be promoted with a message with a link to where you can update your license with a purchased license. To purchased a license, where you can either set your own RADIUS shared secret or have one generated for you, at: https://license.coova.net/ The license is valid for the single RADIUS shared secret and on a single production server. c 2010 Coova Technologies, LLC Page 10 of 119 CoovaRADIUS Server 1.1.4 Change Admin Password Be sure to change the admin password. Do this under the Users tab. Select the admin user and click the Edit button. Edit the user, only changing the password (do not delete this user or give it a Realm). Click Save when done to commit your changes. Note: You will have to reload your browser at this point since the password used to access the site has changed. c 2010 Coova Technologies, LLC Page 11 of 119 CoovaRADIUS Server 1.2 Installation on Ubuntu Download the Ubuntu version from the Licensing Server. Save the Debian package to your system and run the following command: sudo dpkg -i CoovaRADIUS_1.0.1.deb The following directories and files are installed by the package: File or Directory Description /etc/init.d/coova-radius /usr/bin/coova-radius /usr/bin/radius-simulator /usr/share/java/com.coova/ /var/lib/coova-radius/ /usr/share/doc/coova-radius/ CoovaRADIUS init script Script launches CoovaRADIUS and opens admin interface in browser Script to launch the JRadius Simulator application Directory where all Java jar files are placed Directory where CoovaRADIUS puts all data (including Derby database) Directory where all documentation and licenses The /usr/bin/coova-radius script can be run from the command line. If the CoovaRADIUS server is not currently running, and the script is being ran as the user root or coova, then the server is started. When the server is already running, the coova-radius script will launch the administration program (which is a Firefox / XULRunner application). c 2010 Coova Technologies, LLC Page 12 of 119 CoovaRADIUS Server 1.3 Installation on MacOS X Download the Apple download option from the Licensing Server. Unzip the distribution file and it will create a “Coova” directory containing two MacOS X applications. Keep the application together in the same directory. To start the CoovaRADIUS service, launch the CoovaRADIUS.app program. This will also bring up the localhost administration interface in your browser. c 2010 Coova Technologies, LLC Page 13 of 119 CoovaRADIUS Server To access the files on CoovaRADIUS.app, right click on the application icon and select Show Package Contents. The Data/ directory is where CoovaRADIUS will store the embedded Derby database and other files while the Content directory contains the core applicaiton. c 2010 Coova Technologies, LLC Page 14 of 119 CoovaRADIUS Server 1.4 Installation on Windows Download the Windows version from the Licensing Server. Unzip the distribution file to your Desktop. The archive will expand into a directory called “Coova” and will contain the following files and directories: Keep all the files in the same directory, however you may move the entire parent directory. As show, this directory contains two applications, a lib/ directory containing the core application, and a data/ directory for the embedded Derby database and other files. c 2010 Coova Technologies, LLC Page 15 of 119 CoovaRADIUS Server c 2010 Coova Technologies, LLC Page 16 of 119 CoovaRADIUS Server 1.5 VMWare & LiveCD (openSUSE) Appliance Setup We offer a variety of pre-built systems based on the openSUSE Linux distribution, which includes a VMWare and LiveCD version. The default users root and admin have password changeme. Change the default passwords as soon as possible. If you are using setting up Drupal, also see section 4.1. Change System Passwords The system is minimally configured and with default passwords in place to get things up and running quickly. Take a minute now to change some of the default password for security reasons as soon as possible. $ passwd (change admin user password) $ su (current root password) # passwd (change root user password) # mysqladmin -u root password "my-new-pwd" c 2010 Coova Technologies, LLC Page 17 of 119 CoovaRADIUS Server Change MySQL Passwords Use the MySQL Administrator application on the desktop to access the running MySQL server using the password you just defined. Shown below, under User Administration (top left) you can select User Accounts (botton left) to change their passwords. Once changed, click on Apply Changes (bottom right). c 2010 Coova Technologies, LLC Page 18 of 119 CoovaRADIUS Server 1.6 Using with MySQL MySQL is supported when used with a commercial license. To use MySQL, you also need to download the MySQL Java JDBC driver and install the Jar file. Due to the license, we are unable to supply this file with our distribution. Download MySQL Connector/J JDBC Driver Download the driver, place the jar file in the CoovaRADIUS “Lib” directory and completely restart the server. On Ubuntu there is also a package that installs the MySQL driver, which allows for the following: # # # # sudo apt-get install libmysql-java mkdir -p /var/lib/coova-radius/lib/ cd /var/lib/coova-radius/lib/ ln -s /usr/share/java/mysql-connector-java.jar . After installing the MySQL JDBC Driver, and with the RADIUS service stopped, you can change the database configuration to use a MySQL server instead of the embedded Derby database. Save your changes and then start up the RADIUS service after creating the database in your MySQL server. For the MySQL server setup, create the database and user you wish to use for CoovaRADIUS. The first time CoovaRADIUS starts up it will create the database tables for you. c 2010 Coova Technologies, LLC Page 19 of 119 CoovaRADIUS Server 1.7 Using with BIRT Reporting Download BIRT 2.5.2 Runtime On Ubuntu: cd /var/lib/coova-radius/ unzip /tmp/birt-runtime-2_5_2.zip cp /usr/share/java/com.coova/mysql-connector*.jar \ /usr/share/java/com.coova/derby*.jar \ birt-runtime*/ReportEngine/plugins/org.eclipse.birt.report.data.oda.jdbc_*/drivers/ mkdir birt-log chown -R coova birt-* cat<<EOF >> coova_radius.properties birt.runtime=/var/lib/coova-radius/birt-runtime-2_5_2/ReportEngine birt.logdir=/var/lib/coova-radius/birt-log EOF c 2010 Coova Technologies, LLC Page 20 of 119 CoovaRADIUS Server 1.8 Virtual Private Network (VPN) Server side, with the pptpd package installed. On Ubuntu Linux: # apt-get install pptpd On openSUSE Linux: # zypper install pptpd In /etc/pptpd.conf you need the following: option /etc/ppp/options.pptp localip 10.0.0.1 remoteip 10.0.0.100-200 and the following in /etc/ppp/options.pptp: lock noauth refuse-pap refuse-eap refuse-chap refuse-mschap nobsdcomp nodeflate and the following in /etc/ppp/chap-secrets: # username coova-ap mikrotik-1 colubris myusername # ... 1.9 service password * myPptpPassword * myPptpPassword * myPptpPassword * myPptpPassword ip-address * * * * Installation Notes Dependency problems on a Debian system Sometimes the names of dependencies change and dpkg might complain about an unavailable dependency. You can get around this by editing the debian package itself to remove the offending dependency. Here is how: # # # # # # # # # # # apt-get install binutils ar xf CoovaRADIUS-1.0.2.deb rm -rf control mkdir control cd control/ tar xzvf ../control.tar.gz gedit control tar czvf ../control.tar.gz . cd .. ar -r coovaradius.deb debian-binary control.tar.gz data.tar.gz dpkg -i coovaradius.deb c 2010 Coova Technologies, LLC Page 21 of 119 CoovaRADIUS Server 2 2.1 Administration Web Interfaces Setup Web Interface The setup interface is ONLY available on the localhost of the server machine. From this interface, you can Stop and Start the RADIUS server, Shutdown the entire server, and when Stopped, you can change the main database settings of the RADIUS server. http://localhost:2080/ewt/home.html If you are installing CoovaRADIUS on a remote system, we recommend using SSH to tunnel a path to the setup interface. Do not worry, you typically do not need to use this interface very often. See the next section on how to access the administration interface remotely. ssh -L 2080:localhost:2080 remote-host-name 2.2 Main Web Interface In addition to the server setup interface, the CoovaRADIUS administrativion interface is available at: http://hostname:1900/ewt/home.html or securely at: https://hostname :1800/ewt/home.html In both cases, you will promoted for the admin user password. 2.3 JSON API Interface The JSON API in CoovaRADIUS has these URLs: http://hostname :1900/ewt/json https://hostname :1800/ewt/json c 2010 Coova Technologies, LLC Page 22 of 119 CoovaRADIUS Server 3 Embedded Captive Portal Note: This feature is still under development! If you are interested in using the embedded captive portal, let us know your requirements. The embedded captive portal (in pure Java) provides an easy to use alternative to setting up Drupal. For many networks, this is all that might be required. 3.1 Customizing the Captive Portal Customizing the embedded captive portal is done through defining Named Values under the System menu. Named values are name/value pairs that can be defined based on network, access point, client device, or user. To define a captive portal website, the named values below should be defined for the network. Leave the access point, client device, and user all blank. Should you want to give a specific user, for example, a message, then override some values by duplicating them and setting both the network and user. Named Values that control the embedded captive portal: portal.title portal.top portal.bottom portal.box.box-name portal.css portal.favicon portal.page.index portal.page.page-name portal.login.after portal.login.before portal.login.failure portal.login.password portal.login.submit portal.login.success portal.login.username portal.login.welcome portal.login.usingCode portal.network.default portal.free.realm portal.free.prefix portal.free.accessPolicy portal.free.alwaysRenew portal.free.remoteURL portal.free.usingCode c 2010 Coova Technologies, LLC The page title The top portion of the page The bottom portion of the page A custom box of name box-name The CSS for the site The path to the favicon The index page is the default page A custom portal page Message after / below login Message before / above login box Message displayed for login failure Password field label Submit button label Message displayed upon successful login Username field label Welcome message after login Replaces the login box when logged in using access code. Default network (define without a Network) The realm name to place the access codes under. The username prefix before the client device MAC address. The numeric ID of the access policy to use when allocating an access code. Set to true when the access voucher should always be reset on initial redirect. The URL to redirect to, with the login URL appended. Replaces the login link when logged in using access code. Page 23 of 119 CoovaRADIUS Server 3.2 An Example Named Values defined for the Global Network: Name portal.favicon portal.title portal.top portal.bottom portal.page.index portal.page.support portal.page.locations portal.page.account portal.page.about portal.login.welcome portal.css c 2010 Coova Technologies, LLC Value /com/coova/portal/static/favicon.ico Coova Hotspot <a href="/"><img border="0" src="/com/coova/portal/static/coova.png"/></a> <ul class="links"> <li><a href="/?page=about">about us</a> <li><a href="/?page=locations">locations</a> <li><a href="/?page=support">support</a> </ul> <div style="font-size: small; color: #666;"> Copyright (c) 2010 Coova Technologies, LLC. </div> boxes:intro,login,free boxes:support boxes:ewt-portal-map boxes:ewt-menu-portal-menu boxes:about You are now logged in. <ul> <li><a href="?page=account">My account</a> <li><a href="?page=logout">Logout</a> </ul> body { background-color: lightgrey; } .box { width: 80%; border: 1px solid grey; -moz-border-radius: 10px; -webkit-border-radius: 10px; border-radius: 10px; padding: 10px; margin: auto; } .portal-box-intro, .portal-box-login { width: 50%; float:left; } .portal-box-free { clear: both; padding: 10px; } ul.links { text-align: center; margin: 0; padding: 0; } ul.links li { list-style: none; display: inline-block; padding: 0 10px; } Page 24 of 119 CoovaRADIUS Server 3.3 Auto-Login Redirection Handler The embedded portal URI /redirect.jsp provides an easy way to auto-login users based on their Client Device MAC address. An access policy can optionally be set to limit access. The following Named Values are avaialble to control this feature: portal.redirect.style portal.redirect.realm portal.redirect.prefix portal.redirect.accessPolicy portal.redirect.alwaysRenew portal.redirect.remoteURL 3.4 Only supports standard currently. The realm name to place the access codes under. The username prefix before the client device MAC address. The numeric ID of the access policy to use when allocating an access code. Set to true when the access voucher should always be reset on initial redirect. The URL to redirect to, with the login URL appended. Adding static content In the CoovaRADIUS data directory, /var/lib/coova-radius/ on Linux, do the following: $ mkdir -p com/coova/portal/static/ $ echo "it works" > com/coova/portal/static/test.html which is then accessible in the embedded portal with the URI /com/coova/portal/static/test.html. This can be used for images, HTML, or any other resource file. 3.5 Using with SSL The following openSSL command is helpful in creating a JKS keystore for use with the embedded Jetty web server. $ openssl pkcs12 -export -in www.crt -inkey www.key -out www.p12 -name "hotspot.wisp.com" $ keytool -importkeystore -srckeystore www.p12 -srcstoretype PKCS12 -destkeystore www.keystore c 2010 Coova Technologies, LLC Page 25 of 119 CoovaRADIUS Server 4 External Captive Portals CoovaRADIUS has an API based on the JSON format. This API can be used to integrate with a wide variety of external third party portals. We have provided an integration module to make it easier to integrate with the Drupal content management system. 4.1 Drupal Installation in openSUSE Appliance Always install the latest Drupal from drupal.org. At the time of this writing, the version was 6.19. To install Drupal, execute the following commands: $ su (root password) # cd /srv/www/ # rm -rf htdocs # wget http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz # tar xzf drupal-6.19.tar.gz # mv drupal-6.19 htdocs # cd htdocs/sites/default # mkdir files # chown wwwrun files # mv default.settings.php settings.php # gedit settings.php (edit settings.php) c 2010 Coova Technologies, LLC Page 26 of 119 CoovaRADIUS Server Use the gedit program to edit the main Drupal settings, as shown in the previous example and also below. $ su (root password) # gedit /srv/www/htdocs/sites/default/settings.php (edit settings.php) Edit the file, near the middle, changing db url variable with the correct information to access the database. Use the username drupal, the password used in section 1.5, and the database name drupal. c 2010 Coova Technologies, LLC Page 27 of 119 CoovaRADIUS Server Now, use Firefox to finish the Drupal installation process: $ firefox http://localhost/install.php 4.2 Installing Drupal Modules Modules of interest: ◦ ◦ ◦ ◦ The Coova integration modules that come with the distribution. Ubercart shopping cart. Token is required by Ubercart. Always install the latest versions! Installing Coova Hotspot and EWT Modules # # # # # # mkdir /srv/www/htdocs/sites/all/modules/ cd /srv/www/htdocs/sites/all/modules/ tar xzf /usr/lib/coova-radius/drupal/hotspot-6.x-1.x-dev.tar.gz tar xzf /usr/lib/coova-radius/drupal/ewt-6.x-1.x-dev.tar.gz cd ewt/ tar xzf /usr/lib/coova-radius/drupal/com.coova.ewt.Drupal.tar.gz c 2010 Coova Technologies, LLC Page 28 of 119 CoovaRADIUS Server Installing Ubercart # # # # # # # cd /srv/www/htdocs/sites/all/modules/ wget http://ftp.drupal.org/files/projects/token-6.x-1.15.tar.gz tar xzf token-6.x-1.15.tar.gz rm token-6.x-1.15.tar.gz wget http://ftp.drupal.org/files/projects/ubercart-6.x-2.4.tar.gz tar xzf ubercart-6.x-2.4.tar.gz rm ubercart-6.x-2.4.tar.gz 4.3 CoovaRADIUS Integration Enable Drupal modules CoovaEWT and CoovaRADIUS. Edit CoovaEWT settings under Administer / Site configuration / CoovaEWT (q=admin/settings/ewt): ◦ Enable the API ◦ Change the API password for the admin user, see section 1.1.4 ◦ Enabled CoovaEWT GUI and Ajax Proxy as needed by ewt div() inclusion Edit CoovaRADIUS settings under Administer / Site configuration / CoovaRADIUS (q=admin/settings/coova radius); requires CoovaEWT settings are already configured: ◦ Select the main mode Auto provision standard users ◦ Enter a random Cookie Encryption Key ◦ Enable Create users able to Own client devices ◦ Select local for Realm ID ◦ Select Global Network for Network ID Complete the integration by configuring the following in CoovaRADIUS: ◦ Create a User in CoovaRADIUS → Username should be the same as the Drupal admin user name → Realm should be local → Home Network should be Global Network → Foreign User ID should be 1 (Drupal user ID) → Foreign User Realm should be drupal-site (Also used in Drupal config) ◦ Edit the Network named Global Network → Select the newly created User as the Owner c 2010 Coova Technologies, LLC Page 29 of 119 CoovaRADIUS Server c 2010 Coova Technologies, LLC Page 30 of 119 CoovaRADIUS Server 4.4 Example configuration: Members only Enable the Hotspot module. Edit Hotspot settings under Administer / Site configuration / Hotspot (q=admin/settings/coova radius): ◦ Ensure the Hotspot is enabled ◦ Ensure the UAM Secret matches that for Global Network To allow for users to register at the Hotspot, we need to make it such that the user need not verify their e-mail address during sign-up. Do this under Administer / User management / User settings (q=admin/user/settings): ◦ Uncheck Require e-mail verification when a visitor creates an account 4.5 Example configuration: Selling access c 2010 Coova Technologies, LLC Page 31 of 119 CoovaRADIUS Server 5 Data Model Overview The database consists of the following basic objects: Realms are essentially the grouping of users. You can have the same username in different realms, but you can never have duplicates usernames within a realm. Realms are also an important concept in terms of routing of authentication, whereby RADIUS for users of a foreign realm is proxied to a third party RADIUS server using Realm Routes. Users are people associated with a username and password. Users can own objects in the system such as Access Points and Client Devices. Client Devices are devices that access the Network, be it a laptop, hand-held, or phone. The device is known uniquely by it’s MAC address and can be owned by a User. Access Points are the Wi-Fi routers, network access server (NAS), or any device acting as the access controller, as known uniquely by MAC address. Access Controllers define types of Access Points, or more specifically, the type of access controller being used. Networks are used to group together Access Points. A Network is able to be owned by a User and can optionally be associated with a parent Network. Access Policies define the limitations put upon an Access Voucher in the system. Access Vouchers are the backing objects controlling the limitations set on an Access Code, Network User, or Network Realm. Access Codes define a username and password for access provisioning based on an access policy. Access Code Sets are a grouping of Access Codes that were likely generated by the system. Network User entries define what Users can access what Networks, based on what an Access Policies. Network Realm entries define what Realm (and all users under it) can access what Networks, based on an Access Policies. Attribute Sets define a collection of Attributes of various Attribute Types. They can be associated with Users, Client Devices, and Access Policies. 5.1 Realms A Realm provides a username name-space similar to that of a domain name in an e-mail address. Realms can represent groups of credentials (usernames and passwords) stored locally in the system or remotely in RADIUS servers elsewhere. Realms in RADIUS have significance as they provides a means of “routing” authentication through proxy servers to the appropriate “home” RADIUS server. There are two main ways to define a realm in a username. There is the Prefix format realm/username and the Postfix format username@realm. The username with one or more realms is then used as the username for login purposes. c 2010 Coova Technologies, LLC Page 32 of 119 CoovaRADIUS Server → Recommendation: If possible, organize your users in a specific realm and leave the default realm for Administrative-User (device login) purposes. With a captive portal, you can easily add a realm to a user’s username if needed. 5.1.1 Realm Routes A Realm Route defines a grouping of RADIUS Servers to forward RADIUS for a Realm to. 5.2 Users A User is an account that represents a real person and a unique Username within a Realm. The user can have an optional Email address and must have a Password. → Note: Passwords in the system are stored in plain-text. This is because some RADIUS authentication protocols require that the RADIUS server know the plain text password. → Recommendation: When creating users via the API where you have your own user database, you don’t have to set the RADIUS user’s password to be that of the original users. When using a captive portal, you can always user an alternate password (unknown to the user) for RADIUS provisioning purposes. This will further help protect your user passwords. User options include: ◦ Can own client devices - If the user is able to own client devices. If true, devices not otherwise owned will be automatically owned upon successful authentication. ◦ Can own access points - If the user is able to own access points. If true, access points not otherwise owned will be automatically owned upon successful authentication when not using a “public shared secret”. ◦ Administrative User - If true, the user can only be used with “Administrative-User” Service-Type request (device, not user, authentication). ◦ MAC Authentication - If true, then devices owned by the user can optionally be allowed to authenticate by MAC address. ◦ EAP Only - If true, only EAP authentication protocols are allowed for this user. ◦ EAP TLS Only - If true, only EAP-TLS (TLS, TTLS, PEAP) authentication protocols are allowed for this user. ◦ Anonymous AP Ok - If true, then the account can be used at access points using a “public shared secret”. ◦ Attribute Set - RADIUS attributes to send in an Access-Accept for this user. 5.2.1 Administrative-User In RADIUS, the Service-Type attribute specifies the service request. Whereas Login-User or Framed-User are typical for user logins, The value of Administrative-User is often used for the router/access controller itself to authenticate and potentially retrieve configurations. c 2010 Coova Technologies, LLC Page 33 of 119 CoovaRADIUS Server 5.3 Client Devices A Client Device is a device, such as a laptop computer, that accesses a Network. It is uniquely identified by it’s Station Id (RADIUS Calling-Station-Id), which is the Ethernet MAC address of the device’s network interface. It can have a user Owner, which gets automatically assigned when a user logs in using the device and has the Can own client devices user option set. Client device options include: ◦ MAC Authentication - If true, and if the user owning this device has the MAC Authentication user option set to true, the device will be automatically authenticated (with supported access controllers and configurations). ◦ Attribute Set - RADIUS attributes to send in an Access-Accept for this device. 5.3.1 Authorizing Client Devices Individual Client Devices can be authorized (using MAC authentication) for Networks or Access Points by being added to the “whitelist” table. 5.3.2 Banning Client Devices Individual Client Devices can be banned from Networks or Access Points by being added to the “backlist” table. 5.4 Networks A Network is a grouping of access points. It has a unique Name in the system and can have a user Owner. It may also have a Parent Network defined so that access permissions can be granted for multiple levels of networks. Network options include: ◦ Default Realm - The Realm to use for authentications requests in the network where a specific realm is otherwise not specified. ◦ Attribute Set - RADIUS attributes to send in an Access-Accept for all session in the network. ◦ UAM Secret - The CoovaChilli uamsecret to use for a network (CoovaChilli only). 5.5 Access Points An Access Point is uniquely identified by the Station Id (RADIUS Called-Station-Id), which is most often the MAC address. It can optionally have a Name, be grouped into a Network, and have a user Owner. The system will automatically assign a user as the owner when a user logs into the access point, configured with the user’s specific RADIUS shared secret, and the user has option Can own access points set to true. The system will also automatically attempt to figure out the Controller Type. Access point options include: ◦ Location - Informational purposes only. c 2010 Coova Technologies, LLC Page 34 of 119 CoovaRADIUS Server ◦ Description - Informational purposes only. ◦ MAC Address - MAC address, often the same as Station Id. ◦ NAS IP Address - IP address of the access point, automatically set from RADIUS. ◦ NAS Identifier - A RADIUS identifier, automatically set from RADIUS. ◦ Anonymous MAC Auth - When true, and used in conjunction with the MAC authentication feature of CoovaChilli, session at the access point are initially in “splash” mode where most network resources are available (E-mail, etc), but port 80, the standard HTTP port, is redirected to a splash page. ◦ Reversed Accounting - When true, the meaning of “Input” and “Output” and how they are associated with “Download” and “Upload” are reversed. See section ?? for more information on RADIUS Accounting. ◦ Bandwidth Graphing (RRD) - When true, the “Administrative-User” session statistics are used to produce an RRD graph of overall network throughput (requires Monitoring to be true). ◦ Monitoring - When set to true, the access point will be monitored by the system. User the “Administrative-User” session of the device, on-line status information is maintained. ◦ Attribute Set - RADIUS attributes to send in an Access-Accept for all session from this access point. 5.6 Access Policies An Access Policy defines the limitations being put on sessions for time, data, and/or bandwidth. A policy consists of: ◦ Access Time and Access Time Units - Together these define the amount of access time granted. ◦ Access Window and Access Window Units - Together these define the time frame in which the Access Time can be consumed. ◦ Expiry Time and Expiry Time Units - Together these define the validity duration, after which the voucher is unusable. ◦ Download Data and Download Data Units - Together these define the max data downloaded. ◦ Upload Data and Upload Data Units - Together these define the max data uploaded. ◦ Total Data and Total Data Units - Together these define the max data uploaded and downloaded combined. ◦ Max Download Rate - Max bandwidth down in bits per second. ◦ Max Upload Rate - Max bandwidth up in bits per second. ◦ Max Concurrency - Max number of simultaneous sessions. ◦ Max Logins - Maximum number of logins. ◦ Auto Renew - True if the voucher automatically renews after the access window time. The Access Voucher provides the backing object for the Access Policy and can be associated with an Access Code, Network User, or Network Realm. c 2010 Coova Technologies, LLC Page 35 of 119 CoovaRADIUS Server → Note: When making changes to an Access Policy that has already been in use, some state information kept in the Access Voucher may be inconsistant with the new settings. Therefore, it is adviced to either create a new Access Policy (keep the old one in place) or to Reset all Access Vouchers associated with the policy. Using the Auto Renew option, schemes like “1 hour access, every day” can be implemented with an Access Time of one hour, Access Window of one day, and Auto Renew set to true. With Auto Renew set to false, then you have “1 hour of access total to be used within 24 hours”. 5.7 Access Codes An Access Code defines a username and password within a Realm. Access codes can have an associated Access Policy and a user Owner. Additionally, access codes can be limited to a Network. 5.8 Network User Access An entry in the Network User table enables a User to have access to a Network based on an optional Access Policy. 5.9 Network Realm Access An entry in the Network Realm table enables a Realm, and all user under it, to have access to a Network based on an optional Access Policy. (not yet fully implemented). 5.10 Access Controllers An Access Controller defines that features an access point has. Generally, it defines the access point make, but not necessarily as CoovaChilli can run on a variety of hardware. The RADIUS platform potentially requires special support for access controller not otherwise listed in this table. ◦ Default Reversed Accounting - When set to true, access points discovers to be of this controller type will be created with the Reversed Accounting option also set to true. 5.11 Attributes Attributes define RADIUS Attributes that can be grouped together into Attributes Sets and used by the RADIUS server when authenticating Users, Access Codes, or Client Devices. With many possible RADIUS attributes possible, when adding Attributes to an Attribute Set, a select box lists the defined Attributes Types. Add more Attributes Types if the RADIUS attribute you wish to use is not currently available. 5.12 Named Values Named Values provide a convenient way to manage a hierarchical structure of named values that can be defined on a Network, Access Point, User, or Client Device basis. When named values are derived, more specific values (i.e. ones matching more of the criteria of Network, Access Point and so on) override more general values. c 2010 Coova Technologies, LLC Page 36 of 119 CoovaRADIUS Server This table is used in the embedded captive portal and the dashbaord features. 5.13 X509 Management When CoovaRADIUS starts, it will always ensure it has a default Certificate Authority (CA), if not it will create one. Using the CA certificate, X509 Certificates can be generated for users or for general (non-user) use. There are a few certificates create per default and are used by the system. These include ewt-server, the certificate running the EWT interface (port 1800); dashboard-server, the certificate running the Dashboard interface (port 2444); radsec-server, the certificate running the RadSec interface (port 2083); and eap-server, the certificate for the EAP-TLS based authentication methods. 5.14 Configuration Name Description com.coova.dal.version Used to track the database schema version, do not change. com.coova.DefaultRealm System default realm. com.coova.default.AcctInterimInterval Default system wide accounting interim interval. com.coova.default.IdleTimeout Default system wide idle timeout. com.coova.default.ReportType com.coova.feature.AdvancedPolicies com.coova.feature.ApRoaming Set to true to enable subscriber roaming between access points in same network. com.coova.feature.GenerateReports com.coova.feature.Payments com.coova.feature.FullAdministration com.coova.feature.FullInformation com.coova.feature.Reports com.coova.menu.DisablePayments com.coova.menu.NetworkSettings com.coova.menu.NetworkPreferences com.coova.menu.UserDevices com.coova.menu.UserAccessCodeStatus c 2010 Coova Technologies, LLC Page 37 of 119 CoovaRADIUS Server 6 Testing with JRadiusSimulator The JRadiusSimulator is an open-source RADIUS simulation and testing tool based on the JRadius framework. It is very flexible, and easy to use for simple RADIUS AAA simulations. It allows you to hand craft RADIUS requests and to see the responses. Select from one of several authentication protocols, UDP or RadSec transport methods, and simulate your NAS by adding standard and Vendor Specific RADIUS attributes. To start the simulator, use the radius-simulator command on Unix or double click on the RadiusSimulator program icon that came with the Windows or Mac distributions. 6.1 Basic Configuration Configure the RADIUS Server to be your CoovaRADIUS server hostname or IP address. Set the Shared Secret appropriately. Since we are using a trial license, it is shown set to testing123. Select Generate a Unique Acct-Session-Id so that each request looks unique, as in typical real-life usage. Click the Attributes tab to begin adding RADIUS attributes from the JRadius dictionary. c 2010 Coova Technologies, LLC Page 38 of 119 CoovaRADIUS Server 6.2 Adding RADIUS Attributes Add RADIUS attributes to the various RADIUS request types and states. Begin by clicking Add Attribute to bring up a listing of all available RADIUS attributes in the JRadius dictionary. Recommended attributes to add: User-Name User-Password NAS-Identifier NAS-Port-Type Acct-Session-Id Service-Type NAS-IP-Address Called-Station-Id Calling-Station-Id Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Input-Octets Acct-Output-Octets Username and password placeholder (password replaced depending on authentication protocol). The username is in all packets while the password is only added to Access Request and/or Tunneled Requests. The name of the NAS (access point). NAS port type, select from a list. A unique session ID generated by simulator. The service type, select from a list. The IP address of the access point. The MAC address of the access point. The MAC address of the client device. Some simple accounting data to add to accounting Update/Interim and Stop. Warning! Be sure to save your configuration by selecting Save in the File menu of the main window. c 2010 Coova Technologies, LLC Page 39 of 119 CoovaRADIUS Server 6.3 Running Simulations To run a simulation, click the Start button on the RADIUS tab. Adjust the Simulation Type to test either only authentication or authentication followed by accounting. The attributes you have defined are added to packets depending on type (Access-Request or Accounting-Request) and accounting state (Acct-Status-Type) of either Start, Interim/Update, or Stop. If you have selected to Log RADIUS to Log tab, then you will find the output of your RADIUS simulation after clicking on the Log tab. Use the simulator to also test your system under load by adjusting the Requester Threads and Requests per Thread parameters. It’s recommended, however, that you turn off the logging as it will slow you down. c 2010 Coova Technologies, LLC Page 40 of 119 CoovaRADIUS Server 6.4 Testing against CoovaRADIUS In order to use the simulator with your CoovaRADIUS server, there are a few configurations required in order to get an Access-Accept for your tests. Access Point in a Network If you have already tried a simulation and it has failed, the first thing to check is that the MAC address used in the Called-Station-Id is that of a valid access point in CoovaRADIUS and that the Access Point is part of a Network. Shown is the Access Point with MAC address 00-00-00-00-00-00 automatically added to the system by our first (failed) authentication attempt. The record has since been edited and placed into the Global Network. c 2010 Coova Technologies, LLC Page 41 of 119 CoovaRADIUS Server Test User exists and has Access The User defined in the User-Name attribute must exist in the system and must have access to the Network associated with Access Point. Shown is the User with username test and password test created to be used in our simulation. The user was created with Realm local, which is also the Default Realm of the Global Network. Access was also added for the test user in the Global Network. c 2010 Coova Technologies, LLC Page 42 of 119 CoovaRADIUS Server 6.5 Testing EAP-TLS and RadSec Note: A non-trial license is required to use the EAP and RadSec features of CoovaRADIUS. In order to use RadSec as your Transport or to use the EAP-TLS authentication protocol, you must have a Client Certificate to use for authentication. In JRadiusSimulator, you configure this on the Keys tab. Shown we have the simulator configured with a client certificate and private key (both in PEM format) in file /tmp/key.pem and the trusted root CA certificate in PEM format in file /tmp/ca.pem. Click Trust All Server Certificates and leave the File fields blank to be able to use EAP-TTLS or PEAP without the client certificate configured. c 2010 Coova Technologies, LLC Page 43 of 119 CoovaRADIUS Server To use with CoovaRADIUS, go to the Access / X509 tab to manage X509 certificates. Shown is the certificate the test User after clicking New User Certificate button and generating the new certificate. To use this certificate with our simulation, we cut-and-paste the Certificate in PEM format to the /tmp/key.pem file, which is what we used in JRadiusSimulator. Additionally, click on the Export tab in the middle of the page, after selecting the test user certificate in the table, and cut-and-paste the Exported Private Key into the same file. Then click on the Show Certificate Authorities button to see the certificate of the signing CA (as shown above). Cut-and-paste the Certificate in PEM format to the /tmp/ca.pem file, as used in our simulation. c 2010 Coova Technologies, LLC Page 44 of 119 CoovaRADIUS Server Change the Authentication Protocol to run simulations with different authentication methods. Using EAP-TLS requires a client certificate that matches the user, while others, like EAP-TTLS and PEAP, tunnel an inner authentication and the client certificate is not required. To run a RadSec simulation, select RadSec as the Transport method, configure the Shared Secret to be radsec (required for all RadSec tunnels), and set the ports to 2083, as shown. c 2010 Coova Technologies, LLC Page 45 of 119 CoovaRADIUS Server 6.6 Example Session Log Access Request (PEAP) Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=6)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=6)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=72)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=253)] EAP-Message = [Binary Data (length=253)] EAP-Message = [Binary Data (length=253)] EAP-Message = [Binary Data (length=253)] EAP-Message = [Binary Data (length=22)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] c 2010 Coova Technologies, LLC Page 46 of 119 CoovaRADIUS Server Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=6)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=253)] EAP-Message = [Binary Data (length=105)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=236)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=65)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User c 2010 Coova Technologies, LLC Page 47 of 119 CoovaRADIUS Server NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=6)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=59)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=80)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=59)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=144)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: c 2010 Coova Technologies, LLC Page 48 of 119 CoovaRADIUS Server ---------------------------------------------------------Class: class net.jradius.packet.AccessChallenge Attributes: EAP-Message = [Binary Data (length=43)] State = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f State = [Binary Data (length=46)] EAP-Message += [Binary Data (length=96)] Message-Authenticator := [Binary Data (length=16)] Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccessAccept Attributes: MS-MPPE-Recv-Key = [Binary Data (length=50)] MS-MPPE-Send-Key = [Binary Data (length=50)] EAP-Message = [Binary Data (length=4)] Acct-Interim-Interval = 300 User-Name = test Chargeable-User-Identity = test@local Class = [Binary Data (length=46)] Message-Authenticator = [Binary Data (length=16)] Accounting Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccountingRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Status-Type := Start Class = [Binary Data (length=46)] Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccountingResponse c 2010 Coova Technologies, LLC Page 49 of 119 CoovaRADIUS Server Attributes: Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccountingRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Time := 120 Acct-Input-Packets := 10 Acct-Output-Packets := 20 Acct-Input-Octets := 100 Acct-Output-Octets := 200 Acct-Status-Type := Alive Class = [Binary Data (length=46)] Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccountingResponse Attributes: Sending RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccountingRequest Attributes: NAS-Identifier := simulator NAS-Port-Type := Wireless-802.11 User-Name := test Service-Type := Login-User NAS-IP-Address := 127.0.0.1 Called-Station-Id := 00-00-00-00-00-00 Calling-Station-Id := 11-11-11-11-11-11 Acct-Session-Time := 120 Acct-Input-Packets := 10 Acct-Output-Packets := 20 Acct-Input-Octets := 100 Acct-Output-Octets := 200 Acct-Status-Type := Stop Class = [Binary Data (length=46)] Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f Received RADIUS Packet: ---------------------------------------------------------Class: class net.jradius.packet.AccountingResponse Attributes: c 2010 Coova Technologies, LLC Page 50 of 119 CoovaRADIUS Server 7 Working with CoovaEWT, Firmware, and CoovaRADIUS Coova uses a single Graphical User Interface (GUI) framework in both it’s back-end and firmware products. The “Coova Embedded Web Toolkit” (CoovaEWT) is the combination of a HTML/JavaScript application that runs in any browser and a JSON formatted API. CoovaEWT drives the core CoovaRADIUS administrative interfaces and CoovaRADIUS GUI components embedded into Drupal. The CoovaEWT client application can run in any browser comtainer, making it easy to include it in our Firefox plug-in CoovaFX. When embedded into a firmware, only the scripts that drive the JSON API are required to be embedded when used with one of our CoovaEWT clients. This example above shows Ubiquiti firmware with that is Coova Enabled. To make it easy, a link is provided to a Java Web Start application, but any CoovaEWT client, including the one in CoovaFX, will do. When running, a window showing the Coova icon will appear. Kill this window to stop the program. c 2010 Coova Technologies, LLC Page 51 of 119 CoovaRADIUS Server After clicking on the WebStart link, your browser will download and start the CoovaEWT Desktop application. It will also automatically send your browser to the EWT Browser page with the URL for the Ubiquiti page you were at already filled in. Enter in your Ubiquiti administrator username and password (both the default ubnt in our case), and then click “Go”. When accessing the Ubiquiti configuration page using the “EWT Browser”, the CoovaEWT interfaces are made available. c 2010 Coova Technologies, LLC Page 52 of 119 CoovaRADIUS Server 7.1 Using CoovaEWT in CoovaFX Our CoovaFX firefox add-on now also includes the same application available via Web Start. After installing CoovaFX version 1.5, right click on the Coova icon found in the status bar. This will bring up a menu of options. Of interest are the options EWT Console and EWT Browser. c 2010 Coova Technologies, LLC Page 53 of 119 CoovaRADIUS Server Selecting the EWT Browser option will being up a browser window with the same EWT browsing application shown in the previous example. The EWT Console option will allow you to configure and use the interface with other EWT back-end systems. c 2010 Coova Technologies, LLC Page 54 of 119 CoovaRADIUS Server After clicking on the edit configurations button, shown in the previous screen-shot, you are able to add and edit EWT sources. Shown below are two such configurations already created, one for our Ubiquiti Router and another for our instance of CoovaRADIUS. Click on the add button to start a new configuration. Below is our configuration to access the CoovaEWT interface embedded in the Ubiquiti router. We named this entry Ubnt-38 and the URL is http://192.168.100.38/ewt.cgi, which points to the EWT CGI embedded in the Ubiquiti firmware. Complete the configuration by entering the required Username and Password required to access your Ubiquiti web interface and enter the UI Resource of hotspot. c 2010 Coova Technologies, LLC Page 55 of 119 CoovaRADIUS Server After adding EWT sources, you can then switch between the them easily! Selecting to access the Ubnt-38 configuration, the GUI changes to the very same user interface that is embedded in the Ubiquiti administrative interface shown previously. From here, you can manage the hotspot features of the Ubiquiti using only the light-weight JSON formatted API between the CoovaEWT client and the Ubiquiti router. c 2010 Coova Technologies, LLC Page 56 of 119 CoovaRADIUS Server 7.2 Switching to CoovaRADIUS Shown below is the EWT configuration for a CoovaRADIUS server running on the localhost. In this case, our URL is set to http://localhost:1900/ewt/json (or https://localhost:1800/ewt/json with SSL) and the UI Resource is coova. Of course, we also need to enter the Username and Password of the CoovaRADIUS administrator. After selecting to view CoovaRADIUS, the CoovaRADIUS user interface is loaded and ready to go. c 2010 Coova Technologies, LLC Page 57 of 119 CoovaRADIUS Server 8 Configuring Access Points CoovaRADIUS can be used with a wide range of Access Points and Access Controllers. If it supports RADIUS, chances are very likely it’ll work with CoovaRADIUS. There are some RADIUS requirements, but generally vendors do things in similar ways. Contact us if your access point or access controller is not listed and you require assistance setting up. 8.1 CoovaChilli Contact us for more information on CoovaChilli support options. 8.2 CoovaAP 1.x http://www.coova.org/CoovaAP CoovaAP provides a easy to use interface for configuring CoovaChilli on broadcom based routers. 8.3 CoovaAP 2.x “Dashboard” Currently configured directly in the Named Values table found in under the System tab, the following attributes, resolved on a per access point or network basis (traversing the list of parent networks) are of interest: cap.uci.hotspot.chilli.radsecret RADIUS secret for CoovaChilli. ... Contact us for more information on firmware support options with centralized “Dashboard” configuration. 8.4 Open-mesh Contact us for more information on firmware support options. c 2010 Coova Technologies, LLC Page 58 of 119 CoovaRADIUS Server 8.5 Ubiquiti Our latest firmware release for Ubiquiti Routers, based on the Ubiquiti SDK, is now available. Coova has added CoovaChilli, our open-source access controller, and has made it configurable using CoovaEWT. See section 7 for more information on CoovaEWT. After flashing your router with our firmware, under the Services tab you will see the above message. To access the CoovaEWT user interface, you need to use one of our CoovaEWT Client applications. To make it easy, a link is provided to a Java Web Start application. Clicking on the Web Start link will have your computer download the CoovaEWT client application on-line and start it up right away. See section 7 for more information on CoovaEWT. Contact us for more information on firmware support options. c 2010 Coova Technologies, LLC Page 59 of 119 CoovaRADIUS Server 8.6 Colubris / HP Procurve There are a number of possible configurations with the Colubris (now HP Procurve). CoovaRADIUS can be used to authenticate users using 802.1X, MAC Authentication, or captive portal; using the Colubris internal captive portal, the portal embedded in CoovaRADIUS, or with any other external Colubris compatible captive portal. 8.6.1 PPTP VPN Tunnel (Optional) When possible, it is always recommended to use RADIUS on private networks, not over the Internet. When dealing with remote access points, one option is to use a PPTP Virtual Private Network (VPN) to tunnel RADIUS. A convenient solution is to use the same server running CoovaRADIUS to also be the PPTP VPN server for your network. Here we show the Colubris configured to use a PPTP VPN. Connecting to the same server running CoovaRADIUS, with the VPN connection in place, we can switch to using the tunnel IP address, in our example 10.0.0.1, for our RADIUS server in the Colubris RADIUS Profiles. c 2010 Coova Technologies, LLC Page 60 of 119 CoovaRADIUS Server 8.6.2 RADIUS Profile To begin, configure the Colubris to use your CoovaRADIUS server. On the Security / RADIUS profiles screen, Add New Profile or edit your existing profile. In our example, we gave the profile the name CoovaRADIUS, which is configured to point to our CoovaRADIUS server at IP address 192.168.100.1. We could also use our example PPTP tunnel IP 10.0.0.1 if we used the optional PPTP client. Use ports 1812 and 1812 as shown, and use the RADIUS shared secret for your CoovaRADIUS license. Check the option to Use message authenticator then scroll down and click Save. c 2010 Coova Technologies, LLC Page 61 of 119 CoovaRADIUS Server 8.6.3 Virtual Service Communities Using Virtual Service Communities (VSC), you can configure one or more wireless networks. For each, you have the option of using no authentication, a captive portal for authentication, MAC address authentication, or 802.1X authentication. In our example, we show both a secure wireless network using 802.1X authentication and another open network that is using a captive portal for authentication. Click Add New VSC Profile to add a new wireless network. For a secure network using 802.1X authentication, enable Wireless Protection: WPA and select to use the CoovaRADIUS RADIUS profile. Once configured in CoovaRADIUS (see section 8.6.5), this secure network is ready for use. c 2010 Coova Technologies, LLC Page 62 of 119 CoovaRADIUS Server For the captive portal network, enable HTML-based user logins and select to use RADIUS authentication, also selecting the CoovaRADIUS RADIUS profile. Enable RADIUS accounting as well. c 2010 Coova Technologies, LLC Page 63 of 119 CoovaRADIUS Server 8.6.4 Public Access Attributes On the Public access / Attrbutes screen, you can define the various Colubris captive portal attributes. This configuration can also be centralized using RADIUS. Enable Retrieve attributes using RADIUS and configure a RADIUS username and password to use. In this example, we will use Username colubris, which is a User account we will create in CoovaRADIUS in the next section. c 2010 Coova Technologies, LLC Page 64 of 119 CoovaRADIUS Server The next section will discuss how to configure portal settings in CoovaRADIUS. When all setup, a green light will be shown. c 2010 Coova Technologies, LLC Page 65 of 119 CoovaRADIUS Server 8.6.5 CoovaRADIUS Configuration The basic CoovaRADIUS configuration in this example consists of the following: ◦ A Realm named local configured to be a local realm, ◦ A Network named Global Network which we give default realm local, ◦ An Attribute Set named Colubris Config which we will add attributes to, ◦ A User named colubris (not in any Realm) that has Attribute Set Colubris Config assigned, ◦ A User named test in the Realm local that we will use to login, and ◦ Give User test access to the Network Global Network. Network and Realm Use a realm to organize your users. There is a realm named local per default. To add more or change the name of this realm, go to the Routing / Realms tab. You should also already have the Network named Global Network. In our example, we gave this network the default Realm of local. c 2010 Coova Technologies, LLC Page 66 of 119 CoovaRADIUS Server Colubris Attributes Create an Attribute Set under the Attributes / Attribute Sets tab that will hold our Colubris attributes. We created the set named Colubris Config and then clicked on it in the table, as shown above. By clicking the Attributes tab next to Details, we are able to view, delete, and add new RADIUS attributes. Here we can add Colubris-AVPair attributes to the Attribute Set. These attributes are used by the Colubris to configure a wide range of settings (see your Colubris manual for details). These settings are also possible to set directly in your Colubris, but here we show how to centralize the configuration. At a minimum, the following Colubris-AVPair attributes are required to setup the Colubris with an external captive portal (in this case, the embedded captive portal in CoovaRADIUS running on port 1080): Name login-url transport-page session-page fail-page logo access-list use-access-list Value http://hostname :1080/colubris.jsp?c=%c&m=%m&n=%n&l=%l&o=%o&i=%i&p=%p&C=%C&r=%r http://hostname :1080/colubris.jsp?page=transport http://hostname :1080/colubris.jsp?page=session http://hostname :1080/colubris.jsp?page=fail http://hostname :1080/colubris.jsp?page=logo coova,ACCEPT,tcp,hostname,80 coova Where hostname should be replaced with your CoovaRADIUS server hostname. At a minimum, we add the CoovaRADIUS hostname also to the coova access list, which is what the Colubris uses to define the “walled garden” of allowed hosts. The coova name is special as CoovaRADIUS will add any Walled Garden entries c 2010 Coova Technologies, LLC Page 67 of 119 CoovaRADIUS Server (see the Network / Walled Garden tab) to the access list. When using the Colubris with the embedded captive portal in CoovaRADIUS, you can also use a short cut method of defining the Public access attributes. Instead of Creating the Colubris Config Attribute Set and adding atttributes individually, you can simply add a single Named Value configuration (under the System / Named Values tab in CoovaRADIUS) for the Global Network and with Name colubris.portalUrl. The Value should be the base URL of the CoovaRADIUS captive portal, as shown below for our example network. c 2010 Coova Technologies, LLC Page 68 of 119 CoovaRADIUS Server The Administrative-User Create a new User under the Users / Users tab for use as the “Administrative-User”, RADIUS credentials that are used by the Colubris for configuration purposes. In this example, we use the Username of colubris and, for demonstration purposes, a Password of the same. Check both Can own access points and Administrative-User, then select the Colubris Config Attribute Set that we just created. While creating users, we additionally created the regular test user. In this case, the user is not an Administrative-User and we select local for the Realm. For this regular user to have access to the network for testing, we add a entry under the Access / User Access. We grant the test user unlimited (no access policy) access to the Global Network. c 2010 Coova Technologies, LLC Page 69 of 119 CoovaRADIUS Server Access Points As RADIUS starts arriving at the CoovaRADIUS server, Access Points are automatically added to the system based on the Called-Station-Id RADIUS attribute, which is typically the MAC address of the wireless interface. With the Colubris, since it uses a different Called-Station-Id for it’s Administrative-User session versus regular sessions, you will currently see two Access Points per gateway. As Access Points appear, Edit them to set the Network to Global Network. c 2010 Coova Technologies, LLC Page 70 of 119 CoovaRADIUS Server 8.7 MikroTik Setup In this short example, we configure the MikroTik to use the embedded (MikroTik) captive portal and CoovaRADIUS. Note: At this time, the Drupal portal and the CoovaRADIUS embedded portal do not work with MikroTik’s access controller. Objectives ◦ Basic MikroTik configuration, ◦ Use the hostname internal.coova.net for the embedded captive portal, ◦ Install a SSL certificate for the hostname and configure to use SSL, ◦ Setup a PPTP VPN Tunnel to protect RADIUS, ◦ Setup RADIUS to point to CoovaRADIUS over VPN, and ◦ Setup the Hotspot module. WinBox Use WinBox to connect to your MikroTik router. Resources ◦ http://wiki.mikrotik.com/wiki/Main Page ◦ http://wiki.mikrotik.com/wiki/Manual:Winbox c 2010 Coova Technologies, LLC Page 71 of 119 CoovaRADIUS Server 8.7.1 Basic Network Setup For a basic setup, here is what we want: ◦ WAN connection on ether1 and a DHCP Client to configure it, ◦ WLAN access point on wlan1 broadcasting a signal, ◦ A bridge interface containing wlan1, ether2, and ether3, ◦ The Hotspot module running on the bridge. WAN Interface: From the DHCP Client window, click on the plus sign to add a new DHCP Client on the ether1 interface. c 2010 Coova Technologies, LLC Page 72 of 119 CoovaRADIUS Server WLAN Interface: From the Wireless window, enable the wlan1 interface if disabled. Configure the interface with Mode ap bridge and rename the SSID. c 2010 Coova Technologies, LLC Page 73 of 119 CoovaRADIUS Server Hotspot Bridge: Since we want to run a Hotspot on both the wireless and one or more of the Ethernet ports, we will create a Bridge interface. Add the wlan1, ether2, and ether3 interfaces. c 2010 Coova Technologies, LLC Page 74 of 119 CoovaRADIUS Server From the Address List window, click on the red plus sign to add a new IP address. Assign an IP to the Hotspot bridge just created. In this example, we use 172.16.1.1. From the Hotspot window (under IP menu), start out by selecting Hotspot Setup. Select the hotspotBridge interface, then keep hitting Next accepting the defaults. We will go back to edit the configuration after. c 2010 Coova Technologies, LLC Page 75 of 119 CoovaRADIUS Server 8.7.2 PPTP VPN Tunnel (Optional) From the Interfaces window, click on the red plus sign to show a menu of the possible interface types. Select to create a new PPTP Client interface. c 2010 Coova Technologies, LLC Page 76 of 119 CoovaRADIUS Server Edit the interface to set the Dial Out properties. Enter the IP address, username, and password required for your PPTP server. The PPTP server in our example will configure the VPN such that the MikroTik will be assigned IP address from the range 10.0.0.100 to 10.0.0.200 while the server-side of the PPTP tunnel will have IP address 10.0.0.1. See section 1.8 for more information on setting up a PPTP server. c 2010 Coova Technologies, LLC Page 77 of 119 CoovaRADIUS Server 8.7.3 DNS In the DNS window, create a record for the hostname used in your SSL certificate. Have this hostname point to the IP address of the internal captive portal address. c 2010 Coova Technologies, LLC Page 78 of 119 CoovaRADIUS Server 8.7.4 RADIUS In the Radius window, create a record the RADIUS server in your network. Enable the hotspot service and set the IP address and shared secret accordingly. c 2010 Coova Technologies, LLC Page 79 of 119 CoovaRADIUS Server 8.7.5 Installing SSL Certificate Requirements: ◦ Your SSL private key in PEM format, with or without a password. ◦ Your CA issued certificate in PEM format. ◦ Combine the key and certificate PEM files into www.crt file. Upload the www.crt file by dragging it into the Files window of WinBox. Note where the file is then located, most likely hotspot/www.crt. c 2010 Coova Technologies, LLC Page 80 of 119 CoovaRADIUS Server From the Certificates window, select to Import. Find the www.crt file, enter the password if there is one, and import the key. When imported, the certificate will be given a name, such as cert1. Be sure to delete the certificate file from the Files window. c 2010 Coova Technologies, LLC Page 81 of 119 CoovaRADIUS Server 8.7.6 Hotspot Server Profile Create a Hotspot Server and give it a name. In this example, we give the hotspot a name that looks like a MAC address. We did this because CoovaRADIUS expects a MAC address in the Called-Station-Id RADIUS attribute. Per default, the MikroTik uses the Name of the hotspot as the Called-Station-Id. Ideally, use the MAC address of your Wireless interface as the profile name. When creating a new hotspot, use the Hotspot Setup feature to quickly get things started. Then go back and edit where necessary. c 2010 Coova Technologies, LLC Page 82 of 119 CoovaRADIUS Server Under the Server Profiles menu, edit the profile and set the Hotspot Address and DNS Name to be the same settings configured in section 8.7.3. Under the Login tab in the Hotspot Server Profile window, enable only HTTPS for Login By. Also configure the SSL Certificate to be the one we imported. c 2010 Coova Technologies, LLC Page 83 of 119 CoovaRADIUS Server Under the RADIUS tab, enable Use RADIUS and set the Location ID and Location Name settings (Note: these values are important for iPass as they are used in the GIS XML code). Enable Accounting. c 2010 Coova Technologies, LLC Page 84 of 119 CoovaRADIUS Server 8.7.7 Hotspot Walled Garden Add the hostname pb.ipass.com to the walled garden. Also add the CRL address for your SSL Certificate Authority. In our case, this is crl.thawte.com. c 2010 Coova Technologies, LLC Page 85 of 119 CoovaRADIUS Server 9 API, GUI, & Web Services With CoovaRADIUS installed and running, access: https://localhost:1800/ewt/home.html 9.1 CoovaEWT The web based administrative interface is a static HTML and Javascript application that uses Ajax calls back to the server, using the JSON data format. The Ajax/API calls are mostly done through a single URL, with query string parameters possibly added. Here is the EWT API when running on the localhost: https://localhost:1800/ewt/json The web administrative interface uses the URL to retrieve the GUI screens as well as the data for tables and settings. As such, the GUI of the administrative interface is customizable by editing XML files in the server. Additionally, the data services exposed through the EWT URL serve as a pure API into the system. Query string parameters for the EWT URL: Parameter res s table 9.2 Description Main “resource” type, for API use it is most often service. The service name to perform, set to table for EWT Tables Services. When s=table, this value defines what table service to perform. EWT Tables With s=table and table set, the following are valid: Parameter start max sort desc update new delete Description Sets the offset into result set, for paging. Maximum number of results in the result set. Table field to sort on. Set to true or false for a descending or ascending, respectively, sort order. When set to true, the POST data record is updated in the database table. When set to true, the POST data record is added to the database table. When set to true, the POST data record is deleted from the database table. c 2010 Coova Technologies, LLC Page 86 of 119 CoovaRADIUS Server 9.2.1 Searching Records When searching, meaning that the new, update, and delete options are not being used, the following query string parameters can be used to set search criteria. The field name is the table field name in Java bean format. Parameter fieldIsNull fieldIsNotNull fieldLike fieldEqualTo fieldNotEqualTo fieldGreaterThan fieldGreaterThanOrEqualTo fieldLessThan fieldLessThanOrEqualTo fieldIn fieldNotIn fieldBetween fieldNotBetween SQL Query field is null field is not null field like value (string valued fields only) field = value field <> value field > value field >= value field < value field <= value field in ( value, value, ... ) field not in ( value, value, ... ) field between value, value field not between value, value Examples Some example requests. The first showing a select on the Users table limiting results to 5. The following two queries are placing criteria on the realm field to search for users within certain Realms. GET /ewt/json?res=service&s=table&table=radUser&start=0&max=5&sort=id&desc=true GET /ewt/json?res=service&s=table&table=radUser&realmEqualTo=1 GET /ewt/json?res=service&s=table&table=radUser&realmIn=1,2 In all cases, when returning a return set, the JSON format is as follows. The entire response is wrapped in a service object which contains the total number of rows selected by the query in count and the rows themselves (up to max of them) in a JSON array. The JSON array of table row objects is named based on the table. In this example, that is the radUser table. { "service": [ { "count": 100, "radUser" : [ { "uid": 1, "userName": "test", "email": "test@domain.com", "realmId": 1, c 2010 Coova Technologies, LLC Page 87 of 119 CoovaRADIUS Server "realmId_display": "coova.org (1)", "password": "test", "userDefault": false, "ownsClientDevices": true, "ownsAccessPoints": false, "timeZone": "", "administrativeUser" : false, "macauthAllowed": false, "anonApOk": false, "eapOnly": false, "eapTlsOnly": false, "userNetworkOnly": false, "createdDate": "Thu Oct 16 18:03:07 CEST 2008", "disabled": false }, ... ] } ]} 9.2.2 Adding Records With the parameter new=true set, the POST data is taken to create a new record in the database table. POST /ewt/json?res=service&s=table&new=true&table=radRealm { "realm": "test", "ownerId": 1 } 9.2.3 Updating Records With the parameter update=true set, the POST data is taken to update a record in the database table. POST /ewt/json?res=service&s=table&update=true&table=radRealm { "uid": 1, "realm": "test", "ownerId": 1, ... } 9.2.4 Deleting Records With the parameter delete=true set, the POST data is taken to delete a record in the database table based on the unique id uid. POST /ewt/json?res=service&s=table&delete=true&table=radRealm { "uid": 1, ... } c 2010 Coova Technologies, LLC Page 88 of 119 CoovaRADIUS Server 9.3 EWT Permissions 10 Data Services - API The platform can be accessed remotely programmatically using the Application Programming Interface (API). API URL: /ewt/json 10.1 Naming Within the API, the names of tables and columns of tables are in standard Java been format. Meaning, everywhere there is a “ ” in a name, be it a table or column name, the underscore is removed and the following letter is capitalized. For example, the column name realm id is known as realmId. For the table data services, the table names are similarly renamed, though in the singular tense. 10.2 EWT Table Services Service Name radAccessCodeSet radAccessCode radAccessPoint radAccessPolicy radAccessVoucher radActiveSessions radAttributeSet radAttributeType radAttribute radClientDevice radConfig Database Table rad access code sets rad access codes rad access points rad access policies rad access vouchers rad sessions rad attribute sets rad attribute types rad attributes rad client devices rad configs radControllerType radDeviceVendor radLog rad controller types rad device vendors rad logs radMacBlacklist radMacWhitelist radNamedValue radNetRealm radNetUser radNetwork radPaymentProfile radPayment radRealmRoute radRealm radReportType rad rad rad rad rad rad rad rad rad rad rad c 2010 Coova Technologies, LLC mac blacklist mac whitelist named values net realms net users networks payment profiles payments realm routes realms report types Notes Access code sets, see section 5.7. Access codes, see section 5.7. Access points, see section 5.5. Access policies, see section 5.6. Access vouchers, see section 5.6. Select for only active session. Attribute sets, see section 5.11. Attribute types, see section 5.11. Attributes, see section 5.11. Client devices, see section 5.3. General server configurations, see section 5.14. Access controller types. IEEE registered device vendors. RADIUS logs, when enabled on per Access Point basis. Banned devices, see section 5.3.2. Authorized devices, see section 5.3.1. Named values, see section 5.12. Network realms, see section 5.9. Network users, see section 5.8. Networks, see section 5.4. Payment profiles table. Payments table. Realm routes table. Realms, see section 5.1. Report types. Page 89 of 119 CoovaRADIUS Server radReport radSession radUser radWalledGarden radX509Certificate radX509CA 10.3 reports sessions users walled garden x509 certs x509 certs Reports. RADIUS sessions, see section ??. Users, see section 5.2. Walled garden, see section ??. X509 certificates and private keys. Selects for Certificate Authorities only. Other EWT Services 10.3.1 coova-users 10.3.2 coova-network 10.4 rad rad rad rad rad rad EWT PHP Client PHP API For PHP website integration, the same JSON formatted services used for the web interface are accessible through the CoovaRADIUSClient class, contained in file CoovaRADIUSClient.php. The class is an extension of EWTClient, found in EWTClient.php. The EWTClient uses the PHP internal JSON parsing routings and curl (libcurl) for the HTTP(S) client. The EWTClient tries to abstract as much of the underlying JSON formatting for the API. The CoovaRADIUSClient class is to do higher level functions. For example, this function which uses EWTClient to add a user: function createUser($data) { $ewt = $this->ewtClient(); $res = $ewt->doAction(’coova-users’, ’create’, $data); $ewt->close(); return $res; } Here is an example use: require_once ’EWTClient.php’; require_once ’CoovaRADIUSClient.php’; $url = ’https://localhost:1800/ewt/json’; $ewt = new CoovaRADIUSClient($url, ’admin’, ’admin’); function customNewUser($ewt, $username, $password) { $data = array( ’realmId’ => 1, // pre-configured realm ’networkId’ => 1, // pre-configured network c 2010 Coova Technologies, LLC Page 90 of 119 CoovaRADIUS Server ’userName’ ’password’ ’netUser’ => $username, => $password, => array( ’networkId’ => 1 ) ); return $ewt->createUser($data); } Which will not only create the user in the Users table, but create a Network User entry for the network with Id 1 (pre-defined in the database, in this case the ”Global Network”). This will allow the user to actually access the network. JSON data is converted into PHP arrays, as the output of this example demonstrates: // Access code example var_dump($ewt->provisionAccessCode(array( ’accessPolicyId’ => 1))); Which results in: array(4) { ["uid"] => int(14) ["username"] => string(8) "joLvRTET" ["accessPolicyId"]=> int(1) ["password"]=> string(8) "4njYg6uN" } 10.5 Examples $ curl --cacert ca.pem --key key.pem --cert cert.pem -k \ "https://ewt-server:1800/ewt/json?res=service&s=table&table=radAccessPoint&macAddressLike=00-1 {"service":[ {"radAccessPoint": [{"uid":1, "location":"My_HotSpot", "ownerId":2, "calledStationId":"00-12-CF-80-68-71", "networkId":1, "vendorId_display":"Accton Technology Corp (3953)", "macAddress":"00-12-CF-80-68-71", "vendorId":3953, "attributeSetId_display":"", "networkId_display":"Global Network (1)", "reversedAccounting":true, c 2010 Coova Technologies, LLC Page 91 of 119 CoovaRADIUS Server "ownerId_display":"c9w (2)", "name":"nas01", "controllerTypeId_display":"CoovaChilli (2)", "nasIpAddress":"10.99.100.1", "wanIpAddress":"62.163.177.27", "nasIdentifier":"nas01", "createdDate":"2010-06-23 08:17:44 UTC", "controllerTypeId":2}], "count":1}] } c 2010 Coova Technologies, LLC Page 92 of 119 CoovaRADIUS Server 11 Google Maps CoovaRADIUS supports the use of Google Maps to aid in the geo positioning of networks and access points. 11.1 Configure API Key For Google Maps to work, you need to sign-up for a Google API Key which has to match the URL of the website showing the maps. CoovaRADIUS user interfaces, maps included, can be embedded into a variety of sites. In order to have Google Maps work, CoovaRADIUS must know the API key to use. With no API key configured, Google Maps will not be available and the above will be shown. c 2010 Coova Technologies, LLC Page 93 of 119 CoovaRADIUS Server To acquire a Google Maps API key, visit: http://code.google.com/apis/maps/signup.html Enter the hostname of the CoovaRADIUS interface to generate a key for it. In our example we are using https://localhost:1800/, and we generated a key for that URL. Once generated, enter the API key into the CoovaRADIUS configuration under the System menu and the Named Values sub-menu. Create a new Named Value Configuration entry, setting everything to none except the Name and Value fields. For the Name, enter: com.google.api.key.siteKey Where siteKey is either: the HTTP Host the interface is being viewed at (e.g. com.google.api.key.localhost:1800 or the Drupal Realm if the maps are being injected into a Drupal site (e.g. com.google.api.key.drupal-site). If your CoovaRADIUS administration interface is available using multiple URLs, then repeat the API key generation and configuration process for each hostname that will be used. 11.2 Geo Coordinate Administration For each network you wish to use maps with, start out by positioning the “center” of the network. CoovaRADIUS will use the network center as the default position when showing maps of access points. c 2010 Coova Technologies, LLC Page 94 of 119 CoovaRADIUS Server To jump to a location, enter in the address of the location in the search field and click find. Move the marker to the exact location and you will see the coordinates get automatically filled in to the form. Once the position is correct, be sure to click Save. c 2010 Coova Technologies, LLC Page 95 of 119 CoovaRADIUS Server Once the network center is set, go and adjust the location of each access point. In a similar fashion, move the marker to the exact location of the access point, click Save when done. c 2010 Coova Technologies, LLC Page 96 of 119 CoovaRADIUS Server 11.3 Administration in Drupal Maps can also be used in the embedded Drupal user interfaces. Set the “center” of the network and default zoom level, as shown above. c 2010 Coova Technologies, LLC Page 97 of 119 CoovaRADIUS Server Adjust the position of each access point, click on Save when done. c 2010 Coova Technologies, LLC Page 98 of 119 CoovaRADIUS Server 11.4 Public Map in Drupal Exposing a public map to the public can be done easily by embedding the CoovaRADIUS interface directly into a Drupal web page. The above map is generated using the folloing Drupal page content, using PHP code as the Input format: <?php echo ewt_div(’drupal-my-network-map’, ’’, "{ }"); ?> 11.5 Map Info Window The contents of the map info popup window can be changed on a network or access point basis. The default content shows the network name and access point name. c 2010 Coova Technologies, LLC Page 99 of 119 CoovaRADIUS Server To change it, add an entry in the Named Values configuration with the key name com.coova.map.APInfo. If there is an entry with that key name associated with the specific network and access point, then the value is c 2010 Coova Technologies, LLC Page 100 of 119 CoovaRADIUS Server used for the popup window content. Add an entry just associated with a network (leaving the access point on none) and the value will be used for all access points that otherwise don’t have a specific entry. c 2010 Coova Technologies, LLC Page 101 of 119 CoovaRADIUS Server 12 Other Topics 12.1 Working with iPass You can use your CoovaRADIUS server to roam with iPass. Here is some important information on how to comply with the iPass requirements and how to setup and use CoovaRADIUS. 12.1.1 RADIUS VPN Tunnel The RADIUS from the access controllers must not go over the open Internet. Typically for Hotspots, this means you have to tunnel the RADIUS using a VPN or RadSec (RADIUS over TLS). 12.1.2 CoovaRADIUS Realm & Route Configuring CoovaRADIUS for iPass requires the adding of the iPass NetServer as a RADIUS Server under Routing / Servers in the CoovaRADIUS administration. c 2010 Coova Technologies, LLC Page 102 of 119 CoovaRADIUS Server Under Routing / Realms add a Realm for ipass Click the Routes tab and add realm route to the iPass NetServer entry. c 2010 Coova Technologies, LLC Page 103 of 119 CoovaRADIUS Server 13 About Coova Technologies Coova Technologies, LLC is a leading provider of commercial and open-source solutions for the wireless and WiFi Hotspot markets. The Coova platform allows for companies to manage wireless networks through a comprehensive, flexible set of solutions that centralize and integrate RADIUS software, router firmware, and a web toolkit for client side interfaces. CoovaRADIUS and the open-source JRadius are Java based RADIUS solutions. CoovaChilli, found in commercial firmware worldwide, is an open-source access controller that brings captive portal features to a wide range of third-party routers. CoovaEWT is an extensive embedded web toolkit that provides the client-side interface to Coova components. CoovaEWT APIs are integral to all Coova products. More about Coova commercial solutions can be found at www.coova.com. More about Coova open-source solutions can be found at www.coova.org. c 2010 Coova Technologies, LLC Page 104 of 119 CoovaRADIUS Server 14 14.1 Licensing Coova Software License Coova Technologies, LLC SOFTWARE LICENSE AGREEMENT NOTE: THIS AGREEMENT WILL ONLY APPLY TO THE EXTENT THAT NO BINDING AGREEMENT, WRITTEN OR ELECTRONIC, (THE "OTHER AGREEMENT") IS ALREADY IN PLACE BETWEEN CUSTOMER (DEFINED BELOW) AND COOVA TECHNOLOGIES, LLC. PERTAINING TO THE SOFTWARE PRODUCT TO WHICH THIS AGREEMENT APPLIES. TO THE EXTENT THAT ANY OTHER AGREEMENT IS IN EFFECT, THEN SUCH OTHER AGREEMENT WILL GOVERN CUSTOMERS DOWNLOAD AND USE OF THE SOLUTION AND RECEIPT OF PROFESSIONAL SERVICES AND THIS AGREEMENT WILL NOT APPLY EVEN IF YOU ARE REQUIRED TO CLICK THE BOX AFFIRMING YOUR CONSENT TO THE TERMS OF THIS AGREEMENT. BY COMPLETING THE ONLINE REGISTRATION FORM AND CLICKING THE "I AGREE" BUTTON, YOU SUBMIT TO COOVA TECHNOLOGIES, LLC., A CALIFORNIA LIMITED LIABILITY COMPANY ("WE" OR "COOVA"), AN OFFER TO OBTAIN THE RIGHT TO USE THE SOLUTION AND RECEIVE ROFESSIONAL SERVICES (AS DEFINED BELOW) UNDER THE PROVISIONS OF THIS LICENSE AND PROFESSIONAL SERVICES AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "I AGREE" BUTTON, YOU HEREBY AGREE THAT YOU HAVE THE REQUISITE AUTHORITY, POWER AND RIGHT TO FULLY BIND THE PERSON AND/OR ENTITIE(S) (COLLECTIVELY, THE "CUSTOMER") WISHING TO USE THE SOLUTION LISTED ON THE ORDER CONFIRMATION PAGE, PRICING SCHEDULE, QUOTE AND/OR INVOICE (EACH AN "PURCHASE ORDER") WHICH COOVA PROVIDES TO CUSTOMER IN CONNECTION WITH THE PURCHASE OF LICENSES TO THE SOLUTION AND RECEIPT OF PROFESSIONAL SERVICES DESCRIBED BELOW. THE TERMS OF EACH ORDERING DOCUMENT WILL SET FORTH THE SPECIFIC TERMS OF THE ORDER BUT ALL APPLICABLE TERMS AND CONDITIONS BELOW SHALL APPLY. IF YOU DO NOT HAVE THE AUTHORITY TO BIND THE CUSTOMER OR YOU OR THE CUSTOMER DO NOT AGREE TO ANY OF THE TERMS BELOW, COOVA IS UNWILLING TO PROVIDE THE SOLUTION OR PROFESSIONAL SERVICES TO THE CUSTOMER, AND YOU SHOULD NOT CLICK TO ACCEPT THE TERMS OF THIS AGREEMENT AND YOU SHOULD DISCONTINUE THE ORDER, DOWNLOAD AND/OR INSTALLATION PROCESS AND NOT REQUEST ANY PROFESSIONAL SERVICES OR SUPPORT. 1.0 Ordering The Purchase Order will specify the Coova standard software product offering ("Base Software"), any Modules or Feature Upgrades (each as defined below) that Customer is licensing, the number of production c 2010 Coova Technologies, LLC Page 105 of 119 CoovaRADIUS Server server instances, the number of RADIUS shared secrets and the shared secrets themselves, any consulting, configuration, customization or other professional services ("Professional Services") and all other necessary information. The Base Software and any Modules and/or Feature Upgrades acquired by Customer pursuant to an Purchase Order are collectively referred to as the "Solution". All Purchase Orders are incorporated herein by reference. Following Coovas acceptance of each Order Document and Customers payment of any initial fees (as described in Section 12.0 below) due under such Purchase Order, Coova will make the Solution available to Customer for download using a password protected account on Coovas website or an pre-authorized URL to an Amazon S3 storage location. Coova may make available to Customer certain optional functionality or services which may be provided as either an update or upgrade to the Base Software ("Feature Upgrade") or a separate stand-alone module ("Module"). Certain Feature Upgrades and Modules may require that the Customer agree to certain restrictions provided by Coova in advance which are in addition to the terms and conditions of this Agreement. Any additional or separate pricing associated with Feature Upgrades or Modules will be as set forth on the Purchase Order or otherwise agreed to by the parties in writing. 2.0 Solution, License Grants and Restrictions 2.1 License Grants Subject to the terms of this Agreement and during the applicable license term, Coova grants to Customer a limited, worldwide, non-exclusive, non-transferable license, without sublicense rights, to (a) unless otherwise expressly set forth within the Purchase Order, to install a single instance of the Solution in one (1) production environment and permit in accordance with the authorized license implementation set forth on the Purchase Order (as further described in Section 2.3 below), (b) if permitted by Coova in its sole discretion, install and use the portions of the Solution made available in source code format for internal testing purposes and to create modifications ("Customer Modification") to the Solution solely for purposes of developing bug fixes, customizations, or additional features pertaining to the Solution (and no other product or service), and (c) use and make a reasonable number of copies of any descriptions, instructions, or other documentation made available in connection with the Solution, if any ("Documentation"). Certain Modules are provided on a hosted basis and, in such instances, Customer will not install the Module but rather will access the Module via the functionality of the Base Solution. Coova takes no responsibility for and neither makes nor gives any guarantees, conditions or c 2010 Coova Technologies, LLC Page 106 of 119 CoovaRADIUS Server warranties with respect to any Customer Modifications or the Solutions interoperability with such Customer Modifications. Customer grants to Coova and its licensees a perpetual, irrevocable, worldwide, royalty-free, sublicenseable license under Customers intellectual property rights to use and otherwise exploit all Customer Modifications. The term of each license to the Solution purchased by Customer will commence on the date that Customer first receives access to the Solution and will continue for the period set forth on the Purchase Order. Upon expiration, the license term will automatically renew for successive terms of one (1) year each at the then current fees unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then current term. The license term for subsequently purchased licenses will be pro-rated so that all pre-existing and newly acquired licenses are coterminous. 2.2 License Restrictions Except as otherwise expressly permitted under this Agreement, Customer agrees not to: (a) reverse engineer or otherwise attempt to discover the source code of or trade secrets embodied in the Solution or any portion thereof; (b) distribute, transfer, grant sublicenses to, or otherwise make available the Solution or Customer Modifications (or any portion thereof) to third parties, including, but not limited to, making such Solution or Customer Modifications available (i) through resellers or other distributors, or (ii) as an application service provider, service bureau, or rental source; (c) embed or incorporate in any manner the Solution or Customer Modifications (or any element thereof) into other applications of Customer or third parties; (d) create modifications to or derivative works of the Solution; (e) reproduce the Solution except that Customer may make up to two archival copies of the Solution solely for backup purposes; (f) attempt or permit any third party to attempt to modify, alter, or circumvent the license control and protection mechanisms within the Solution; (g) use or transmit the Solution in violation of any applicable law, rule or regulation, including any export/import laws, (h) in any way access, use, or copy any portion of the Solution code (including the logic and/or architecture thereof and any trade secrets included therein) to directly or indirectly develop, promote, distribute, sell or support any product or service that is competitive with the Solution or (i) remove, obscure or alter any copyright notices or any name, trademark, service mark, hyperlink or other designation of Coova displayed on any display screen within the Solution (Coova Marks). Customer shall not permit any third party to perform any of the foregoing actions and shall be responsible for all damages and c 2010 Coova Technologies, LLC Page 107 of 119 CoovaRADIUS Server liabilities incurred as a result of such actions. The Solution is a "commercial item," as that term is defined at 48 C.F.R. 2.101 (OCT 1995), and more specifically is "commercial computer software" and "commercial computer software documentation,d" as such terms are used in 48 C.F.R. 12.212 (SEPT 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (JUNE 1995), the Solution is provided to U.S. Government End Users (i) only as a commercial end item and (ii) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. 2.3 License Implementation Types Except with respect to the Modules, which shall be licensed pursuant to the specific terms related to such Module set forth on the relevant Purchase Order, such Purchase Order will designate which of the following Solution license implementation types the Customer will receive: (a) Single Network: Customer may use the solution for a single network, using a single RADIUS shared secret, and on a single production server; and (b) Service Provider License: Under this licensing scheme, Customer may use solution with unlimited RADIUS shared secrets on the number of production servers as specified in the Purchase Order. 2.4 Bankruptcy All licenses granted pursuant to this Agreement are, for purposes of Section 365(n) of the U.S. Bankruptcy Code, deemed to be licenses of rights to "intellectual property" as defined under Section 101 of the U.S. Bankruptcy Code. In any bankruptcy or insolvency proceeding involving Coova, Customer, as licensee of such rights, will retain and fully exercise all of its rights and elections under the U.S. Bankruptcy Code, which will apply notwithstanding conflict of law principles. 3.0 Support and Maintenance Solution support and maintenance services ("Support Services") may be ordered at the "Standard" or "Premium" level. Pricing for such Support Services will be set forth on the Purchase Order; provided, however, that Standard Support Services shall be provided in connection with each subscription license for no additional cost. The terms of Standard and Premium Support Services can be found on Coovas website along with additional support-related terms which are incorporated herein by reference. 4.0 Professional Services c 2010 Coova Technologies, LLC Page 108 of 119 CoovaRADIUS Server If indicated in an Order Form, Coova will perform Professional Services. The particulars of each Professional Services engagement will be as set forth in one or more statements of work (each an "SOW") entered into by the parties. Customer will provide all assistance reasonably requested by Coova in connection with the Professional Services. Coova will retain all right, title and interest in and to all deliverables (including any and all intellectual, property rights therein) provided under each SOW ("Deliverables") except to the extent that they contain any information that Customer can document is its proprietary and confidential information. Customers rights to the Deliverables shall be the same as Customers rights to the Solution. 5.0 Publicity During the Term of this Agreement, Customer hereby agrees that Coova shall have the right, but not the obligation, to include Customers name and logo as a customer who uses the Solution on the Coova website and in other materials promoting the Solution. 6.0 Proprietary Rights As between the parties, Coova will retain all ownership rights in and to the Coova Marks, the Solution (including any optional functionality), the Documentation, Deliverables, all updates and upgrades provided as part of Support Services and other derivative works of the Solution and/or Documentation that are provided by Coova, and all intellectual property rights incorporated into or related to the foregoing. Customer acknowledges that the goodwill associated with the Coova Marks belongs exclusively to Coova and, upon request, Customer will modify or cease its use of any Coova Marks. All rights not expressly licensed by Coova under this Agreement are reserved. 7.0 Warranties and Disclaimer 7.1 Warranties Each of the parties represents and warrants that it has all necessary corporate power and authority to enter into and perform its obligations under this Agreement. To Coovas knowledge, the use by Customer of the Solution (exclusive of any third party or open source materials included therein) when and as provided under this Agreement does not misappropriate or infringe any U.S. copyrights or U.S. trade secrets of any third party. c 2010 Coova Technologies, LLC Page 109 of 119 CoovaRADIUS Server 7.2 Disclaimer The express warranties in Section 7.1 are the exclusive warranties offered by Coova and all other conditions and warranties, including, without limitation, any conditions or warranties of fitness for a particular purpose, non-infringement, accuracy, quiet enjoyment, title, merchantability and those that arise from any course of dealing or course of performance are hereby disclaimed. Coova does not warrant that Customers use the Solution will be uninterrupted or error-free, that errors will be corrected or that it will be free of viruses or other harmful components. The Solution (including all components thereof), the Support Services, the Professional Services and all Deliverables are provided "as is" and without warranty of any kind. 8.0 Indemnification Each party will indemnify, defend, and hold the other harmless from and against any and all liabilities, damages, losses, claims, costs, and expenses (including attorneys fees) arising out of or resulting from any violation of such parties representations and warranties set forth in Section 7.1 above. In the event of any third party action, suit, proceeding or investigation for which indemnification is sought (the "Proceeding"), the other party shall promptly notify the indemnifying party, provided that any failure to so notify the indemnifying party will not relieve the indemnifying party from any liability or obligation which it may have to any indemnified person except to the extent of any material prejudice to the indemnifying party resulting from such failure. If any such Proceeding is brought against an indemnified person, the indemnifying party will be entitled to assume and control the defense thereof. Each indemnified person will be obligated to cooperate reasonably with the indemnifying party, at the expense of the indemnifying party, in connection with such defense and the compromise or settlement of any such Proceeding. The foregoing indemnification shall not apply to the extent that any action by the indemnified party gives rise to or otherwise enhances any such claim. 9.0 Limitations on Liability To the extent permitted by law, in no event shall Coova be liable to Customer, users or to any third party in connection with this Agreement, including the Solution, Support Services and intellectual property provided hereunder, whether under theory of contract, tort or otherwise, for (A) any indirect, incidental, punitive, consequential, or special damages (including any damage to business reputation, lost profits or lost data), whether foreseeable or not c 2010 Coova Technologies, LLC Page 110 of 119 CoovaRADIUS Server and whether Coova is advised of the possibility of such damages or (b) any amounts in excess of the total of the Fees actually paid and the fees payable to Coova by Customer under this Agreement during the one (1) year period prior to the date that such liability first arises.</p> 10.0 Confidentiality The Solution and all trade secret information incorporated therein or derived, directly or indirectly, therefrom are confidential information of Coova. Customer shall keep in confidence and trust and not disclose or disseminate, or permit any employee, agent or other party working under Customers direction to disclose or disseminate, the substance of any such confidential information of Coova. The commitments in this Agreement will not impose any obligations on Customer with respect to any portion of the received information which, as evidenced by independent documentation: (a) is now generally known or available or which hereafter, through no act or failure to act on Customers part, becomes generally known or available; or (b) is rightfully known to Customer at the time of receiving such information. Customer acknowledges that monetary damages may not be a sufficient remedy for unauthorized disclosure or use of Coovas confidential information and that Coova may seek, without waiving any other rights or remedies, such injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction. 11.0 Term, Termination and Effect This Agreement shall continue in effect until terminated as set forth herein. The applicable license term for each license purchased will be as set forth in the applicable Purchase Order.<i> </i>This Agreement may be terminated by either party if the other party materially breaches this Agreement and does not cure the breach within thirty (30) days after receiving written notice thereof from the non-breaching party (except that such cure period shall be five (5) days for breaches of Sections 2 or 12). Additionally, a particular Purchase Order may be terminated by Coova in the event that Customer fails to pay applicable fees when due. Upon any termination of this Agreement, without prejudice to any other rights or remedies which the parties may have, (a) all rights licensed and obligations required hereunder shall immediately cease; provided that Sections 2.2, 6.0, 8.0 though 11.0 and 14.0 shall survive termination, (b) Customer will promptly delete and destroy all instances of the Solution in its possession or control (if any), and (c) Customer shall pay to Coova any outstanding fees that have accrued prior to the date of termination. c 2010 Coova Technologies, LLC Page 111 of 119 CoovaRADIUS Server 12.0 Fees and Payment Subject to the terms and conditions below, all fees for the Solution licenses, Professional Services and/or Support Services will be set forth on the applicable Purchase Order. Unless otherwise agreed to in writing by the parties, Customer will pay all undisputed fees owed within thirty (30) days after Coovas issuance of an invoice pertaining thereto. Payments will be sent to the address included on the invoice. All amounts payable shall be in the currency of the United States and specifically exclude (and Customer is responsible for) any and all applicable sales, use and other taxes, (other than taxes based on Coovas income). Each party is responsible for its own expenses under this Agreement. 13.0 Audit Not more than once each year, Coova will have the right to perform an audit to verify that Customer is using the Solution in compliance with this Agreement. That audit will be performed during normal business hours upon not less than fifteen (15) days prior written notice to Customer. That audit will be conducted at Coovas sole cost and expense and will be subject to reasonable security and access restrictions. Customer will be permitted to have Customer personnel present during the audit. If an audit conducted under this Section discloses that Customer has underpaid by more than five percent (5%) any license Fees payable under this Agreement during the period covered by the audit, Customer will pay Coova the amount of that underpayment and, in addition, will reimburse Coovas reasonable and actual costs for that audit. 14.0 Miscellaneous The parties are independent contractors with respect to each other, and nothing in this Agreement shall be construed as creating an employer-employee relationship, a partnership, agency relationship or a joint venture between the parties. Each party will be excused from any delay or failure in performance hereunder, other than the payment of money, caused by reason of any occurrence or contingency beyond its reasonable control, including but not limited to acts of God, earthquake, labor disputes and strikes, riots, war and governmental requirements. The obligations and rights of the party so excused will be extended on a day-to-day basis for the period of time equal to that of the underlying cause of the delay. This Agreement controls the actions of all party representatives, officers, agents, employees and associated individuals. The terms of this Agreement shall be binding on the parties, and all c 2010 Coova Technologies, LLC Page 112 of 119 CoovaRADIUS Server successors to the foregoing. Customer will not assign, transfer or delegate its rights or obligations under this Agreement (in whole or in part) without Coovas prior written consent. Any attempted assignment, transfer or delegation in violation of the foregoing shall be null and void. All modifications to or waivers of any terms of this Agreement must be in a writing that is signed by the parties hereto and expressly references this Agreement. This Agreement shall be governed by the laws of the State of Oregon, without regard to Oregon conflict of laws rules. The exclusive venue and jurisdiction for any and all disputes, claims and controversies arising from or relating to this Agreement shall be the state or federal courts located in Multnomah County, Oregon. Each party waives any objection (on the grounds of lack of jurisdiction, forum non conveniens or otherwise) to the exercise of such jurisdiction over it by any such courts. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the interpretation or enforcement of this Agreement. In the event that any provision of this Agreement conflicts with governing law or if any provision is held to be null, void or otherwise ineffective or invalid by a court of competent jurisdiction, (a) such provision shall be deemed to be restated to reflect as nearly as possible the original intentions of the parties in accordance with applicable law, and (b) the remaining terms, provisions, covenants and restrictions of this Agreement shall remain in full force and effect. No waiver of any breach of any provision of this Agreement shall constitute a waiver of any prior, concurrent or subsequent breach of the same or any other provisions hereof, and no waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party. This Agreement includes any applicable Purchase Orders. Collectively the foregoing constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements or communications, including, without limitation, any quotations or proposals submitted by Coova. The terms on any purchase order or similar document submitted by Customer to Coova will have no effect and are hereby rejected.All notices, consents and approvals under this Agreement must be delivered in writing by courier, by facsimile, or by certified or registered mail, (postage prepaid and return receipt requested) to the other party at its main corporate headquarters and sent to the attention of such partys Chief Executive Officer. c 2010 Coova Technologies, LLC Page 113 of 119 CoovaRADIUS Server 14.2 Third Party Licenses Apache License 2.0 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications c 2010 Coova Technologies, LLC Page 114 of 119 CoovaRADIUS Server represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the c 2010 Coova Technologies, LLC Page 115 of 119 CoovaRADIUS Server Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form that You distribute, all copyright, attribution notices from the Source excluding those notices that do not the Derivative Works; and of any Derivative Works patent, trademark, and form of the Work, pertain to any part of (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. c 2010 Coova Technologies, LLC Page 116 of 119 CoovaRADIUS Server 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don’t include the brackets!) The text should be enclosed in the appropriate c 2010 Coova Technologies, LLC Page 117 of 119 CoovaRADIUS Server comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. BSD License The BSD License The following is a BSD license template. To generate your own license, change the values of OWNER, ORGANIZATION and YEAR from their original values as given here, and substitute your own. Also, you may optionally omit clause 3 and still be OSD conformant. Note: On January 9th, 2008 the OSI Board approved the "Simplified BSD License" variant used by FreeBSD and others, which omits the final "no-endorsement" clause and is thus roughly equivalent to the MIT License. Historical Note: The original license used on BSD Unix had four clauses. The advertising clause (the third of four clauses) required you to acknowledge use of U.C. Berkeley code in your advertising of any product using that code. It was officially rescinded by the Director of the Office of Technology Licensing of the University of California on July 22nd, 1999. He states that clause 3 is "hereby deleted in its entirety." The four clause license has not been approved by OSI. The license below does not contain the advertising clause. This prelude is not part of the license. <OWNER> = Regents of the University of California c 2010 Coova Technologies, LLC Page 118 of 119 CoovaRADIUS Server <ORGANIZATION> = University of California, Berkeley <YEAR> = 1998 In the original BSD license, both occurrences of the phrase "COPYRIGHT HOLDERS AND CONTRIBUTORS" in the disclaimer read "REGENTS AND CONTRIBUTORS". Here is the license template: Copyright (c) <YEAR>, <OWNER> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. MIT License The MIT License Copyright (c) <year> <copyright holders> c 2010 Coova Technologies, LLC Page 119 of 119 CoovaRADIUS Server Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. HSQLDB License COPYRIGHTS AND LICENSES (based on BSD License) For work developed by the HSQL Development Group: Copyright (c) 2001-2010, The HSQL Development Group All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the HSQL Development Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HSQL DEVELOPMENT GROUP, HSQLDB.ORG, OR CONTRIBUTORS BE LIABLE FOR ANY c 2010 Coova Technologies, LLC Page 120 of 119 CoovaRADIUS Server DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. For work originally developed by the Hypersonic SQL Group: Copyright (c) 1995-2000 by the Hypersonic SQL Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the Hypersonic SQL Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group. c 2010 Coova Technologies, LLC Page 121 of 119 CoovaRADIUS Server SLF4J License Copyright (c) 2004-2008 QOS.ch All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. c 2010 Coova Technologies, LLC Page 122 of 119 CoovaRADIUS Server 14.3 Third Party Notices c 2010 Coova Technologies, LLC Page 123 of 119