Craynerd
Posts: 37
Joined: Mon Nov 25, 2013 9:09 pm

School auto-login to Internet session

Mon Jan 19, 2015 6:37 am

Morning, I'm a teacher at a school in manchester and near 9 months ago we built a Pi weather station which automatically tweets the weather conditions and a picture. The Internet rules changed a month ago and has caused a huge issue with the project. Any non-windows machine must login with their normal network credentials to authenticate at the beginning of an Internet session.
We do have a proxy and I have a file 10proxy that is handling that but apparently, this is not an authentication with the proxy but a session authentication to monitor web browsing.

On the pi, if I login, boot up Midori and login when I hit the GUI that asks me to, then boot up my weather station Python script, everything works fine. Of course, since I run the weather station headless and 24/7 outside, it is not possible to login. Especially since the session authentication runs out every 8 hours.

Is there a script I can use to auto login to the session? The login page opens as the first screen what ever website you try and go to when you first start the session.

Any help appreciated as without this, the weather station is useless!

Chris

Craynerd
Posts: 37
Joined: Mon Nov 25, 2013 9:09 pm

Re: School auto-login to Internet session

Mon Jan 19, 2015 6:39 am

Just to clarify, as this is apparently not a proxy authentication but registering with the UTM for a browser session, doing this in 10proxy does NOT work: http://username:password@ipaddress:port

Heater
Posts: 16832
Joined: Tue Jul 17, 2012 3:02 pm

Re: School auto-login to Internet session

Mon Jan 19, 2015 10:19 am

I'm only a beginner at this authentication business having only just managed to write my first server side code for handling basic and local auth, handling cookies, csrf tokens and so on.

But it seems to be that if you are faced with a login page prior to getting any internet access then there must be some form collecting usernames and passwords and then passing those to the server in a POST request on submit. Ergo it's possible to do all that programatically from a headless client.

I have no idea how this works in Python but in node.js it is very simple to create HTTP client code that can generate all manner of requests, read and write any headers, take care of cookies etc etc etc For example like this https://github.com/request/request

So this is now an exercise in finding out what that login page looks like when it gets to a client and what POST request is required in response. Taking care of cookies and csrf tokens etc if need be. I's start by with "view source". You might need to do some packet sniffing of a log in with wireshark or whatever. Of course if the thing uses HTTPS that's a bit of a problem.

If this ever worked I might be worried about keeping credentials on a machine that is out in the open. Does this thing have it's own account?

On the other hand, perhaps it's time to install a 3G dongle into the weather station, or some other means of by passing the school network.

One way we have tackled this in the past is to get the administrators to open a VPN port for our embedded systems that are inside their network. We used OpenSwan. Then our units had no connectivity to the internal network but could get out to the internet via the VPN. That does of course require you have some server on the net running the other end of the VPN connection, but hey a google cloud instance is very cheap.
Memory in C++ is a leaky abstraction .

User avatar
DougieLawson
Posts: 40162
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: School auto-login to Internet session

Mon Jan 19, 2015 10:30 am

Craynerd wrote:Is there a script I can use to auto login to the session? The login page opens as the first screen what ever website you try and go to when you first start the session.
Does a login use https: or http:

If it's http: then you could trace the flow with tcpdump.

If it's https: you'll need to workout exactly what data comes down to request a login and how your credentials are sent back which is going to be a much harder task.

Your Raspberry Pi has a unique MAC address (whether it's wired or wireless), so why can't your network admin update their rules with a special case that allows that MAC address to be permanently authenticated.
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Heater
Posts: 16832
Joined: Tue Jul 17, 2012 3:02 pm

Re: School auto-login to Internet session

Mon Jan 19, 2015 10:48 am

Presumable a paranoid admin, which they all should be, would know that a MAC address can be spoofed by anyone to gain access.
Memory in C++ is a leaky abstraction .

User avatar
DougieLawson
Posts: 40162
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: School auto-login to Internet session

Mon Jan 19, 2015 11:13 am

Heater wrote:Presumable a paranoid admin, which they all should be, would know that a MAC address can be spoofed by anyone to gain access.
That's not going to work if the Raspberry Pi is connected 24*365.25
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Heater
Posts: 16832
Joined: Tue Jul 17, 2012 3:02 pm

Re: School auto-login to Internet session

Mon Jan 19, 2015 11:53 am

True. I guess the kids in school can arrange for less than 24/7 operation of the Pi :)
Memory in C++ is a leaky abstraction .

User avatar
DougieLawson
Posts: 40162
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: School auto-login to Internet session

Mon Jan 19, 2015 1:30 pm

The problem with trying to program a way round the security system is that's probably a violation of the network admin policy and that could be a grounds for dismissal. They probably have a special policy for network printers and connected scanners (and suchlike), so just get the Raspberry Pi included in that group.
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Craynerd
Posts: 37
Joined: Mon Nov 25, 2013 9:09 pm

Re: School auto-login to Internet session

Mon Jan 19, 2015 2:38 pm

Many thanks for all your replies. I half expected to come to back to an empty thread!

Firstly, the policy was brought in place to track student mac users internet browsing as apparently mac did not naturally authenticate with the login. I work with the IT manager and line manage the IT team with the head so there is no issue in terms of violating any policy - he is trying to help as best he can!
I don`t believe any other device has to authenticate directly to the net as DougieLawson suggested so there is not a group that have a free pass through. Although we own and manage all our equipment, the UTM is configured and partly managed by an outside company and so admittedly we have asked them for help.

I`d love to write a script if possible!

Return to “General discussion”