[CoovaChilli] Understanding how Login works

Nkansah Rexford seanmavley at gmail.com
Fri Jan 13 19:37:15 GMT 2017


Hello all, My name is rexford, just joined.

I'm working on RadiusNES, a revamp of DaloRADIUS using Nodejs, Express and
Angular 2.1

I'm struggling to understand some of the mechanism behind how login of
chillispot works. Here's what I know:

   - When user isn't logged in and redirects happen, a challenge is part of
   the query params.
   - This challenge query parameter is used to create, yet another password
   on the fly as per the function here:
   https://github.com/lirantal/daloradius/blob/master/contrib/chilli/portal-bluechipwireless/hotspotlogin/hotspotlogin.php#L159
   - Then eventually, something like this is what is sent to the chillispot
   logon url residing at uamip:uamport/logon (in my case
   192.168.182.1:3990/logon?username=username&password=newpassword)

A wild guess I have (since I have no idea how the logon works), is that the
challenge is created for security reasons basically, so no one intercepts
the plaintext passwords, right?

Now quick questions:

   - Is there a way to disable this challenge feature (Yes I know all the
   security risks)? I'm using Chillispot in DD-WRT e1200v2 Linksys Router.
   - If that's not possible (or at least not recommended), any tip on how to
   replicate the pack, unpack, md5 and implode2 functions in vanilla
   javascript?

thanks for help

I hope this is a right platform to ask the above questions.

rexford

1. https://github.com/seanmavley/RadiusNES-angular
https://github.com/seanmavley/RadiusNES-Server
2. I have leads on doing those functions, but just curious if it's already
been written somewhere else.
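
The pack, unpack and md5 steps asked about above, as an added Node.js example (not part of the original post and not code from daloRADIUS or CoovaChilli). It assumes the linked PHP follows the stock ChilliSpot hotspotlogin logic: pack("H32") on the challenge, an optional MD5 with the uamsecret, then XOR with the NUL-padded password. The function names and sample values are constructed for illustration.

```javascript
// Added example: Node.js port of the ChilliSpot UAM password transforms.
const crypto = require('node:crypto');

// Raw (binary) MD5 over the concatenation of the given buffers.
const md5 = (...parts) =>
  crypto.createHash('md5').update(Buffer.concat(parts)).digest();

// PHP: $hexchal = pack("H32", $challenge);
//      $newchal = pack("H*", md5($hexchal . $uamsecret));  // only if a secret is set
function effectiveChallenge(challengeHex, uamSecret = '') {
  if (!/^[0-9a-fA-F]{32}$/.test(challengeHex)) {
    throw new Error('challenge must be exactly 32 hex characters');
  }
  const raw = Buffer.from(challengeHex, 'hex'); // 16 bytes
  return uamSecret ? md5(raw, Buffer.from(uamSecret, 'utf8')) : raw;
}

// PHP: implode("", unpack("H32", pack("a32", $password) ^ $newchal))
// PHP's string XOR stops at the shorter operand (the 16-byte challenge),
// so only the first 16 bytes of the password are carried in this field.
function papPassword(password, challengeHex, uamSecret = '') {
  const chal = effectiveChallenge(challengeHex, uamSecret);
  const out = Buffer.alloc(chal.length);     // NUL padding, like pack("a32")
  Buffer.from(password, 'utf8').copy(out);   // copy() truncates to 16 bytes
  for (let i = 0; i < chal.length; i++) out[i] ^= chal[i];
  return out.toString('hex');                // value for ?password=
}

// PHP: $response = md5("\0" . $password . $newchal);
function chapResponse(password, challengeHex, uamSecret = '') {
  const chal = effectiveChallenge(challengeHex, uamSecret);
  return md5(Buffer.from([0]), Buffer.from(password, 'utf8'), chal)
    .toString('hex');                        // value for ?response=
}

// Constructed sample values, not taken from a real session.
const sample = {
  challenge: '0123456789abcdef0123456789abcdef',
  password: 'test',
  uamSecret: 'example-secret',
};
console.log('password=' +
  papPassword(sample.password, sample.challenge, sample.uamSecret));
console.log('response=' +
  chapResponse(sample.password, sample.challenge, sample.uamSecret));
```

Run this on the Express backend rather than in the browser: when a uamsecret is configured it has to stay server-side, and the XOR form is reversible by anyone who knows the challenge and that secret.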
