Hi
I've managed to set up a captive portal that lets users sign in with their Facebook social login. This wouldn't have been possible without the help of many users of this forum who helped me at various points.
I've decided to write this mini how-to in return and as a resource for anyone who wants to do something similar.
I'm not going to get into detail because for most of the actions required, there's plenty of documentation about it.
But I will describe the parts I found by trial and error (the wifidog and authpuppy documentation is not quite clear).
For this I've used a TP-Link TL-WA701ND V2.
1. Flash the router
This is very straightforward: you access the web administration interface of the router and flash it using the image in this link https://yadi.sk/d/n-Y5sXuXJLGLE
I didn't have any trouble at this point.
After flashing you have to re-enable the wireless interface.
2. Configure as Routed AP
Configure the device to work as a routed AP. I followed this tutorial: http://wiki.openwrt.org/doc/recipes/routedap
But I've changed this:
* Delete the bridge interface
* Create an Ethernet interface and a wireless interface
* For the Ethernet interface, I used DHCP to get the IP
* For wireless, fix the IP of the interface to 192.168.2.1 and configure DHCP to provide IPs in that range to the stations.
Once you have the AP working and stations are able to connect and browse the internet, we can continue.
3. Install wifidog
You can follow this tutorial
http://wiki.openwrt.org/doc/howto/wirel … .wifidog?s[]=wifidog
4. Install authpuppy on your server
This is a little bit tricky. First of all, you need a server to run authpuppy; I used a Rackspace server with 1 CPU and 1 GB RAM, running CentOS and LAMP (15 dollars a month).
Download the authpuppy sources and upload the files to your server. Put the Symfony config files outside your www folder and the authpuppy files inside it; otherwise authpuppy could throw some errors. Make sure you have a MySQL database ready, with a user that has all privileges.
5. Configure authpuppy.
Once you have installed authpuppy, create a new node.
Install the CMS and Webservices plugins: https://code.launchpad.net/~alliancecsf … vicePlugin
6. Configure your wifidog.conf
On your router, configure wifidog.conf to point to the address of your authpuppy server; you can easily find where to set the URL or IP.
You should also configure the name of the wifi interface, in my case wlan0.
Reboot your router and test it.
Once you are connected to the wireless network, you should see the authpuppy login screen. Create an account, and after that you should be able to browse freely.
With this you have the base; now we need to do some tweaks to use Facebook as the authenticator.
7. Allow the FB set of IPs in wifidog.conf
As we need to connect to Facebook for the social login, we need to whitelist Facebook's IPs.
You should include this in the global firewall rules of wifidog.conf.
FirewallRule allow to 31.13.24.0/21
FirewallRule allow to 31.13.64.0/18
FirewallRule allow to 66.220.144.0/20
FirewallRule allow to 69.63.176.0/20
FirewallRule allow to 69.171.224.0/19
FirewallRule allow to 74.119.76.0/22
FirewallRule allow to 103.4.96.0/22
FirewallRule allow to 173.252.64.0/18
FirewallRule allow to 204.15.20.0/22
You should also add the URL of the server where you are going to host the splash page (if different from the IP of the authpuppy server).
You also have to open the IPs used by Facebook to host its static content, but these IPs change from location to location because they are hosted with Akamai. To get around this, I've used rc.local to execute these iptables commands:
iptables -t nat -A WiFiDog_wlan0_Global -d fbstatic-a.akamaihd.net -j ACCEPT
iptables -t filter -A WiFiDog_wlan0_Global -d fbstatic-a.akamaihd.net -j ACCEPT
iptables -t nat -A WiFiDog_wlan0_Global -d s-static.ak.facebook.com -j ACCEPT
iptables -t filter -A WiFiDog_wlan0_Global -d s-static.ak.facebook.com -j ACCEPT
iptables -t nat -A WiFiDog_wlan0_Global -d connect.facebook.net -j ACCEPT
iptables -t filter -A WiFiDog_wlan0_Global -d connect.facebook.net -j ACCEPT
Then I've used cron jobs to execute these commands every 20 min, because in some cases Akamai switches IPs during the day depending on traffic and load; running those commands makes iptables resolve and update the IP of the hostname indicated in the command.
8. Configure the cms plugin in authpuppy
Log in to your authpuppy and, in the configuration of the CMS plugin, indicate the URL of your welcome page and, if applicable, the URL users see after validation. It's important that you pass %getparameters%?%originurl% in the URL; otherwise you won't be able to develop an authentication script customized for your purposes.
9. Develop the welcome page and the validation page.
In the welcome page I've used the Facebook PHP SDK to create the login URL for the social login.
Once the user has authorized my app and I am able to get their info, I manually create the user in the ap_users table used by authpuppy. For the password I've used a fixed value of 6Afx/PgtEy+bsBjKZzihnw== (encryption of 1234567890), and for the username the email of the user. The validation token can be any string with a random hex value of 40 chars.
Once you have created the user in the table, you need to create an access token for wifidog so the users can browse the internet; for that you use the web service plugin of authpuppy.
You need to invoke this URL:
http://YOURURL/ws/?action=auth&authenticator=apAuthLocalUser&submit[apAuthLocalUserconnect]=Connect&apAuthLocalUser[username]=$correo&apAuthLocalUser[password]=1234567890&gw_id=$gw_id&gw_address=$gw_address&gw_port=$gw_port
The gw_id, gw_address and gw_port are the values you get from the GET parameters wifidog sends to your welcome page.
This URL will return JSON with the token and a URL; use this URL to redirect the user (it is an internal URL of the router with some parameters to authenticate the user inside the router and open up browsing).
After this, wifidog will redirect the user to the validation page you configured in the CMS plugin.
I'm not an expert, so I possibly couldn't answer any specific problem you could find depending on your hardware, but for sure by following these steps you can have a captive portal up and running.
I'll try chillispot in the following days; maybe it's easier. I'll let you know.
Thanks
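
Added example, not part of the original post: iptables resolves the hostnames in step 7 once, when each rule is inserted, so re-running the -A commands from cron keeps appending copies and never drops addresses that are no longer returned, which slowly widens what unauthenticated clients can reach. The script below refreshes a separate chain instead; the chain name FB_Static and the nslookup parsing are assumptions, the other names come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent refresh of the
# hostname-based whitelist from step 7, meant to be run from cron.
CHAIN_PARENT="WiFiDog_wlan0_Global"  # chain name used in the post
CHAIN_FB="FB_Static"                 # hypothetical helper chain (assumption)
HOSTS="fbstatic-a.akamaihd.net s-static.ak.facebook.com connect.facebook.net"

# Print the IPv4 addresses of one hostname, one per line.
# Assumption: busybox-style nslookup output, where the answer follows "Name:".
resolve_host() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { seen = 1; next }
        seen && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }'
}

# Print the iptables commands for one refresh. Prints nothing and returns 1
# when DNS gave no answer, so a failed lookup never empties the whitelist.
build_rules() {
    ips=$(for h in $HOSTS; do resolve_host "$h"; done | sort -u)
    [ -n "$ips" ] || return 1
    for table in nat filter; do
        # Create the helper chain once, empty it, and hook it in only if
        # the jump is missing (wifidog rebuilds its own chains on restart).
        echo "iptables -t $table -N $CHAIN_FB 2>/dev/null || true"
        echo "iptables -t $table -F $CHAIN_FB"
        echo "iptables -t $table -C $CHAIN_PARENT -j $CHAIN_FB 2>/dev/null || iptables -t $table -A $CHAIN_PARENT -j $CHAIN_FB"
    done
    echo "$ips" | while read -r ip; do
        for table in nat filter; do
            echo "iptables -t $table -A $CHAIN_FB -d $ip -j ACCEPT"
        done
    done
}

# Without --apply nothing is changed; with it the generated commands are run.
if [ "${1:-}" = "--apply" ]; then
    build_rules | sh
fi
```

Each run leaves exactly one ACCEPT rule per currently resolved address in each table, however often cron calls it.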