Disclaimer:
Any information on this page can be incomplete, outdated, written in bad English, useless, hazardous to your health or just plain wrong in many ways.
Copyright:
Tino is a rewrite of an unnamed project by me (Hannu Teulahti) and Kari Hänninen of Vaasa Polytechnic. The visual layout of the CGI interface has been designed by Erkki Mellin of Vaasa Polytechnic.
What:
Tino is the authentication and access component of Palosaari Campus Wireless Network.
Why:
We experimented with our original access controller Oasis (part of StockholmOpen.net), and it kept crashing. After many bugfixes by many people it still crashed several times a day, so I decided to rewrite the whole thing.
How:
Tino is written in Perl for portability, easy maintenance and customization. Authentication is done through the Authen::Radius Perl module. Tino has been developed on Debian Woody. It should work with minimal modifications on any modern Unix-like operating system which has a decent firewall and can run the Internet Systems Consortium DHCP server.
Theory of operation:
CGI:
- A new user is redirected to the Tino login page.
- The user's MAC address is looked up in the DHCP server's leases file.
- The login page asks the user to log in.
- After a successful login, the user's IP, MAC, login time and name are written to a separate file in the spool directory.
- Tino calls an external firewall script to open the connection for the user's IP and MAC addresses.
Shell program:
- cron runs the shell part of Tino periodically.
- Tino compares the logged-in users from the spool files against the DHCP server's leases file.
- If a user's DHCP lease has expired, Tino clears the firewall entry and deletes the file from the spool directory.
Download:
Tino is distributed under the GNU General Public License. Download the latest version here.
Installation (for Debian):
- Untar the archive to /usr/local/tino
- Add a ScriptAlias directive to Apache's configuration:
ScriptAlias /tino.cgi /usr/local/tino/tino.cgi
- Create the spool directory and the initial logfile:
mkdir /var/spool/tino
touch /var/log/tino
chown www-data:www-data /var/spool/tino /var/log/tino
- Create directories for temporary users:
mkdir -p /var/spool/tino-users/<realm>
where <realm> is the domain part of the temporary user name (wlan0123@realm)
chown www-data:www-data /var/spool/tino-users/<realm>
- Create a crontab file /etc/cron.d/tino:
* * * * * www-data /usr/local/tino/tino check
0 0 * * * root /usr/bin/savelog -p /var/log/tino &>/dev/null
- Configure sudo to allow the www-data user to run the firewall script without a password
- Make '/usr/local/tino/tino reset' run at startup
- Limit the DHCP server's lease time to a short value (~5 min)
Firewall script:
The Tino distribution does not contain a firewall script. The script must support the following command line options:
To open a rule: open <IP> <MAC> <USERNAME>
To close a rule: close <IP> <MAC> <USERNAME>
To reset the firewall: reset
<IP> is in dotted decimal form (xxx.xxx.xxx.xxx)
<MAC> is in the form xx:xx:xx:xx:xx:xx
<USERNAME> is in the form user@domain.dom
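The interface above, as a constructed example script that is not part of the Tino distribution: it validates each argument strictly before anything reaches the firewall, because the values come from the DHCP leases file and the login form and sudo runs the script as root. The iptables FORWARD-chain rule shape and the logger tag are assumptions.

```shell
#!/bin/sh
# Constructed example firewall script for Tino's open/close/reset interface;
# it is not part of the Tino distribution. Assumes a Linux host with iptables
# and a FORWARD chain that drops by default (the rule shape is an assumption).
# Every argument is validated before anything is executed: the values come from
# the DHCP leases file and the login form, and sudo runs this script as root.
valid_ip() {
    # Dotted decimal with four octets, each 0-255.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

valid_mac() {
    # Six colon-separated hex pairs, as written in dhcpd.leases.
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_user() {
    # user@domain.dom; the restricted character set keeps it safe in a log line.
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'
}

# Translate one Tino invocation into the iptables command to run. Prints the
# command rather than executing it, so it can be checked; returns 1 on bad input.
fw_cmd() {
    case "$1" in
        reset)
            [ $# -eq 1 ] || return 1
            echo "iptables -F FORWARD" ;;
        open|close)
            [ $# -eq 4 ] || return 1
            valid_ip "$2" && valid_mac "$3" && valid_user "$4" || return 1
            if [ "$1" = open ]; then flag=-A; else flag=-D; fi
            echo "iptables $flag FORWARD -s $2 -m mac --mac-source $3 -j ACCEPT" ;;
        *)
            return 1 ;;
    esac
}

main() {
    cmd=$(fw_cmd "$@") || { echo "tino-fw: rejected arguments: $*" >&2; exit 1; }
    logger -t tino-fw "$*"   # audit trail of every firewall change
    $cmd
}

# Dispatch only when invoked with arguments, as Tino always does.
if [ $# -gt 0 ]; then main "$@"; fi
```

Installed at the path named in the sudoers entry, Tino's "open", "close" and "reset" calls map onto one validated iptables command each, and anything malformed is refused and logged instead of run.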
Configuration:
Configuration is done in the tino.pm Perl module. The variable names should be easy to understand.
Temporary users:
For every temporary user you must create a separate file in /var/spool/tino-users/<realm>. The name of the file is the username (without the realm part).
Contents of the file:
pass= MD5-hashed password (in the same format as in the Linux shadow password file)
expire= Unix time at which the user expires (even if never used)
first=0 (first login; must initially be 0, used internally by Tino)
length= how long the user is valid after the first login (in seconds)
Known bugs:
Links:
Patches to Tino by Arch Red
Changelog:
1.1 -> 1.2
- The user list shows all logins from a user; previously the list showed every user only once
- If a DHCP lease expired less than 5 minutes ago, the lease is assumed to be active
- Support for temporary users
- HTML code fixups
Hannu Teulahti