Coova Technologies, llc CoovaRADIUS Server www.coova.com October 27, 2010 Copyright © Coova Technologies, LLC All rights reserved.

Coova Technologies, llc

CoovaRADIUS Server

www.coova.com

October 27, 2010

Copyright © Coova Technologies, LLC

All rights reserved.

Contents

1 Installing CoovaRADIUS Server
1.1 General Installation
1.1.1 Server Setup Web Interface
1.1.2 Install License
1.1.3 Starting and Stopping
1.1.4 Change Admin Password
1.2 Installation on Ubuntu
1.3 Installation on MacOS X
1.4 Installation on Windows
1.5 VMWare & LiveCD (openSUSE) Appliance Setup
1.6 Using with MySQL
1.7 Using with BIRT Reporting

2 Administration Web Interfaces
2.1 Setup Web Interface
2.2 Main Web Interface
2.3 JSON API Interface

3 Embedded Captive Portal
3.1 Customizing the Captive Portal
3.2 An Example
3.3 Auto-Login Redirection Handler
3.4 Adding static content

4 External Captive Portals
4.1 Drupal Installation in openSUSE Appliance
4.2 Installing Drupal Modules
4.3 CoovaRADIUS Integration
4.4 Example configuration: Members only
4.5 Example configuration: Selling access

5 Data Model Overview
5.1 Realms
5.2 Users
5.3 Client Devices
5.3.1 Authorizing Client Devices
5.3.2 Banning Client Devices
5.4 Networks
5.5 Access Points
5.6 Access Policies
5.7 Access Codes
5.8 Network User Access
5.9 Network Realm Access
5.10 Access Controllers
5.11 Attributes
5.12 Named Values
5.13 X509 Management
5.14 Configuration

6 Testing with JRadiusSimulator
6.1 Basic Configuration
6.2 Adding RADIUS Attributes
6.3 Running Simulations
6.4 Testing against CoovaRADIUS
6.5 Testing EAP-TLS and RadSec
6.6 Example Session Log

7 Configuring Access Points
7.1 CoovaAP 1.x
7.2 CoovaAP 2.x “Dashboard”
7.3 Colubris / HP Procurve
7.4 Ubiquiti
7.5 Open-mesh
7.6 CoovaChilli

8 API, GUI, & Web Services
8.1 CoovaEWT
8.2 EWT Tables
8.2.1 Searching Records
8.2.2 Adding Records
8.2.3 Updating Records
8.2.4 Deleting Records
8.3 EWT Permissions

9 Data Services - API
9.1 Naming
9.2 EWT Table Services
9.3 Other EWT Services
9.3.1 coova-users
9.3.2 coova-network
9.4 EWT PHP Client
9.5 Examples

10 Google Maps
10.1 Configure API Key
10.2 Geo Coordinate Administration
10.3 Administration in Drupal
10.4 Public Map in Drupal
10.5 Map Info Window

11 Licensing
11.1 Coova Software License
11.2 Third Party Licenses
11.3 Third Party Notices

1 Installing CoovaRADIUS Server

The CoovaRADIUS Server is pure Java and is able to run on any popular operating system. If yours is not listed now, ask us and we will look into packaging a version for your system. In general, we suggest Ubuntu/Debian or another popular Linux distribution, which will make installing Apache and Drupal a bit easier.

1.1 General Installation

The CoovaRADIUS Server has been packaged for easy installation onto several different operating systems. There are some system dependent variations to where files are stored and how the server is started. In general, you will find the application has a directory containing the Java jar files, a data directory where configuration files and the embedded Derby database are stored, a launch script or program, and a directory containing licensing information.

From the License Server, download the distribution for your operating system. Then cut-and-paste the license key somewhere safe. You will need it during the installation process.

1.1.1 Server Setup Web Interface

After installing CoovaRADIUS based on the operating-system-specific instructions for Ubuntu (section 1.2), Mac OS X (section 1.3), Windows (section 1.4), or VMWare/LiveCD (section 1.5), the setup is the same.

An administrative web interface is available on the “localhost” port 2080. Use the default administrator username admin and password admin.

http://localhost:2080/

The first time you start CoovaRADIUS, it may take a few minutes longer as it creates the database. Click the Refresh button to update the screen.

1.1.2 Install License

Click on the License tab and enter in the license you saved from the License Server.

Click on Add License and your changes will be saved. Go back to the Database Setup tab to Stop and Start the server for the license to take effect.

1.1.3 Starting and Stopping

On the main tab in the setup interface, you have the options to Stop the running RADIUS services and to Shutdown the entire server. When installing a new license key, you want to Stop the RADIUS services. With the RADIUS service stopped, the database setup form is displayed. With the trial license, the only database option is the embedded Java Derby database.

Click Start to have the RADIUS services start up. When running, a login form is shown. Use this form to login to the CoovaRADIUS administrative interface. The default username / password is admin / admin.

After logging into the CoovaRADIUS interface, you can always return to this setup screen simply by reloading the current page in your browser. This will end the login session and return you to this screen.

Once logged in, if you are using a trial license, you will be prompted with a message containing a link to where you can update your license with a purchased license.

To purchase a license, for which you can either set your own RADIUS shared secret or have one generated for you, go to:

https://license.coova.net/

The license is valid for the single RADIUS shared secret and on a single production server.

1.1.4 Change Admin Password

Be sure to change the admin password. Do this under the Users tab. Select the admin user and click the Edit button. Edit the user, only changing the password (do not delete this user or give it a Realm).

Click Save when done to commit your changes. Note: You will have to reload your browser at this point since the password used to access the site has changed.

1.2 Installation on Ubuntu

Download the Ubuntu version from the Licensing Server. Save the Debian package to your system and run the following command:

sudo dpkg -i CoovaRADIUS_1.0.1.deb

The following directories and files are installed by the package:

File or Directory               Description
/etc/init.d/coova-radius        CoovaRADIUS init script
/usr/bin/coova-radius           Script launches CoovaRADIUS and opens admin interface in browser
/usr/bin/radius-simulator       Script to launch the JRadius Simulator application
/usr/share/java/com.coova/      Directory where all Java jar files are placed
/var/lib/coova-radius/          Directory where CoovaRADIUS puts all data (including Derby database)
/usr/share/doc/coova-radius/    Directory where all documentation and licenses

The /usr/bin/coova-radius script can be run from the command line. If the CoovaRADIUS server is not currently running, and the script is being run as the user root or coova, then the server is started. When the server is already running, the coova-radius script will launch the administration program (which is a Firefox / XULRunner application).

1.3 Installation on MacOS X

Download the Apple download option from the Licensing Server. Unzip the distribution file and it will create a “Coova” directory containing two MacOS X applications.

Keep the applications together in the same directory. To start the CoovaRADIUS service, launch the CoovaRADIUS.app program. This will also bring up the localhost administration interface in your browser.

To access the files in CoovaRADIUS.app, right click on the application icon and select Show Package Contents.

The Data/ directory is where CoovaRADIUS will store the embedded Derby database and other files, while the Content directory contains the core application.

1.4 Installation on Windows

Download the Windows version from the Licensing Server. Unzip the distribution file to your Desktop. The archive will expand into a directory called “Coova” and will contain the following files and directories:

Keep all the files in the same directory; however, you may move the entire parent directory. As shown, this directory contains two applications, a lib/ directory containing the core application, and a data/ directory for the embedded Derby database and other files.

1.5 VMWare & LiveCD (openSUSE) Appliance Setup

We offer a variety of pre-built systems based on the openSUSE Linux distribution, which include a VMWare and a LiveCD version.

The default users root and admin have password changeme. Change the default passwords as soon as possible.

If you are setting up Drupal, also see section 4.1.

Change System Passwords

The system is minimally configured, with default passwords in place to get things up and running quickly. For security reasons, take a minute now to change the default passwords.

$ passwd

(change admin user password)

$ su

(current root password)

# passwd

(change root user password)

# mysqladmin -u root password "my-new-pwd"

Change MySQL Passwords

Use the MySQL Administrator application on the desktop to access the running MySQL server using the password you just defined.

Shown below, under User Administration (top left) you can select User Accounts (bottom left) to change their passwords. Once changed, click on Apply Changes (bottom right).

1.6 Using with MySQL

MySQL is supported when used with a commercial license. To use MySQL, you also need to download the MySQL Java JDBC driver and install the Jar file. Due to the license, we are unable to supply this file with our distribution.

Download MySQL Connector/J JDBC Driver

Download the driver, place the jar file in the CoovaRADIUS “Lib” directory and completely restart the server.

On Ubuntu there is also a package that installs the MySQL driver, which allows for the following:

# sudo apt-get install libmysql-java

# mkdir -p /var/lib/coova-radius/lib/

# cd /var/lib/coova-radius/lib/

# ln -s /usr/share/java/mysql-connector-java.jar .

After installing the MySQL JDBC Driver, and with the RADIUS service stopped, you can change the database configuration to use a MySQL server instead of the embedded Derby database. Save your changes and then start up the RADIUS service after creating the database in your MySQL server.

For the MySQL server setup, create the database and user you wish to use for CoovaRADIUS. The first time CoovaRADIUS starts up it will create the database tables for you.

1.7 Using with BIRT Reporting

Download BIRT 2.5.2 Runtime

On Ubuntu:

cd /var/lib/coova-radius/
unzip /tmp/birt-runtime-2_5_2.zip
cp /usr/share/java/com.coova/mysql-connector*.jar \
   /usr/share/java/com.coova/derby*.jar \
   birt-runtime*/ReportEngine/plugins/org.eclipse.birt.report.data.oda.jdbc_*/drivers/
mkdir birt-log
chown -R coova birt-*
cat <<EOF >> coova_radius.properties
birt.runtime=/var/lib/coova-radius/birt-runtime-2_5_2/ReportEngine
birt.logdir=/var/lib/coova-radius/birt-log
EOF

2 Administration Web Interfaces

2.1 Setup Web Interface

The setup interface is ONLY available on the localhost of the server machine. From this interface, you can Stop and Start the RADIUS server, Shutdown the entire server, and when Stopped, you can change the main database settings of the RADIUS server.

http://localhost:2080/ewt/home.html

If you are installing CoovaRADIUS on a remote system, we recommend using SSH to tunnel a path to the setup interface. Do not worry, you typically do not need to use this interface very often. See the next section on how to access the administration interface remotely.

ssh -L 2080:localhost:2080 remote-host-name

2.2 Main Web Interface

In addition to the server setup interface, the CoovaRADIUS administration interface is available at:

http://hostname:1900/ewt/home.html

or securely at:

https://hostname:1800/ewt/home.html

In both cases, you will be prompted for the admin user password.

2.3 JSON API Interface

The JSON API in CoovaRADIUS has these URLs:

http://hostname:1900/ewt/json

https://hostname:1800/ewt/json
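
A quick way to confirm that a host matches the port layout in sections 2.1 to 2.3, as an added example that is not part of the Coova manual: it parses `ss -ltn` output and flags the setup port 2080 on a non-loopback address and the plain-HTTP port 1900 exposed off-host. The sample `ss` output and all function names are constructed for illustration.

```python
# Added example (not from the Coova manual): audit `ss -ltn` output against
# the port layout described in sections 2.1-2.3.
import ipaddress

SETUP_PORT = 2080   # setup interface: documented as localhost-only
HTTP_PORT = 1900    # admin GUI and JSON API over plain HTTP
HTTPS_PORT = 1800   # admin GUI and JSON API over HTTPS

# Constructed sample of `ss -ltn` output, for illustration only.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port        Peer Address:Port
LISTEN 0      50     [::ffff:127.0.0.1]:2080   *:*
LISTEN 0      50     *:1900                    *:*
LISTEN 0      50     *:1800                    *:*
LISTEN 0      128    0.0.0.0:22                0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return [(host, port)] for every LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop an interface suffix ("%eth0") and IPv6 brackets.
        host = host.split("%")[0].strip("[]")
        listeners.append((host, int(port)))
    return listeners


def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" (all interfaces) or anything unparseable
    mapped = getattr(addr, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def audit(ss_output):
    """Return a list of (severity, port, host, message) findings."""
    listeners = parse_listeners(ss_output)
    https_up = any(port == HTTPS_PORT for _, port in listeners)
    findings = []
    for host, port in listeners:
        if is_loopback(host):
            continue
        if port == SETUP_PORT:
            findings.append(("HIGH", port, host,
                             "setup interface is reachable off-host; bind it to "
                             "localhost and use the SSH tunnel from section 2.1"))
        elif port == HTTP_PORT:
            hint = ("use https on port 1800 instead" if https_up
                    else "port 1800 is not listening, so there is no HTTPS alternative")
            findings.append(("WARN", port, host,
                             "admin login and JSON API exposed over plain HTTP; " + hint))
    return findings


if __name__ == "__main__":
    for severity, port, host, message in audit(SAMPLE_SS):
        print(f"{severity} {host}:{port} {message}")
```

On a live server, feed it the real listing, for example by passing the captured output of `ss -ltn` to audit().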

3 Embedded Captive Portal

Note: This feature is still under development! If you are interested in using the embedded captive portal, let us know your requirements.

The embedded captive portal (in pure Java) provides an easy to use alternative to setting up Drupal. For many networks, this is all that might be required.

3.1 Customizing the Captive Portal

Customizing the embedded captive portal is done through defining Named Values under the System menu. Named values are name/value pairs that can be defined based on network, access point, client device, or user.

To define a captive portal website, the named values below should be defined for the network. Leave the access point, client device, and user all blank. Should you want to give a specific user, for example, a message, then override some values by duplicating them and setting both the network and user.

Named Values that control the embedded captive portal:

portal.title The page title

portal.top The top portion of the page

portal.bottom The bottom portion of the page

portal.box.box-name A custom box of name box-name

portal.css The CSS for the site

portal.favicon The path to the favicon

portal.page.index The index page is the default page

portal.page.page-name A custom portal page

portal.login.after Message after / below login

portal.login.before Message before / above login box

portal.login.failure Message displayed for login failure

portal.login.password Password field label

portal.login.submit Submit button label

portal.login.success Message displayed upon successful login

portal.login.username Username field label

portal.login.welcome Welcome message after login

portal.login.usingCode Replaces the login box when logged in using access code.

portal.network.default Default network (define without a Network)

portal.free.realm The realm name to place the access codes under.

portal.free.prefix The username prefix before the client device MAC address.

portal.free.accessPolicy The numeric ID of the access policy to use when allocating an access code.

portal.free.alwaysRenew Set to true when the access voucher should always be reset on initial redirect.

portal.free.remoteURL The URL to redirect to, with the login URL appended.

portal.free.usingCode Replaces the login link when logged in using access code.

3.2 An Example

Named Values defined for the Global Network:

Name                     Value
portal.favicon           /com/coova/portal/static/favicon.ico
portal.title             Coova Hotspot
portal.top               <a href="/"><img border="0"
                         src="/com/coova/portal/static/coova.png"/></a>
portal.bottom            <ul class="links">
                         <li><a href="/?page=about">about us</a>
                         <li><a href="/?page=locations">locations</a>
                         <li><a href="/?page=support">support</a>
                         </ul>
                         <div style="font-size: small; color: #666;">
                         Copyright (c) 2010 Coova Technologies, LLC.
                         </div>
portal.page.index        boxes:intro,login,free
portal.page.support      boxes:support
portal.page.locations    boxes:ewt-portal-map
portal.page.account      boxes:ewt-menu-portal-menu
portal.page.about        boxes:about
portal.login.welcome     You are now logged in.
                         <ul>
                         <li><a href="?page=account">My account</a>
                         <li><a href="?page=logout">Logout</a>
                         </ul>
portal.css               body { background-color: lightgrey; }
                         .box { width: 80%; border: 1px solid grey; -moz-border-radius: 10px; -webkit-border-radius: 10px; border-radius: 10px; padding: 10px; margin: auto; }
                         .portal-box-intro, .portal-box-login { width: 50%; float:left; }
                         .portal-box-free { clear: both; padding: 10px; }
                         ul.links { text-align: center; margin: 0; padding: 0; }
                         ul.links li { list-style: none; display: inline-block; padding: 0 10px; }

3.3 Auto-Login Redirection Handler

The embedded portal URI /redirect.jsp provides an easy way to auto-login users based on their Client Device MAC address. An access policy can optionally be set to limit access.

The following Named Values are available to control this feature:

portal.redirect.style Only supports standard currently.

portal.redirect.realm The realm name to place the access codes under.

portal.redirect.prefix The username prefix before the client device MAC address.

portal.redirect.accessPolicy The numeric ID of the access policy to use when allocating an access code.

portal.redirect.alwaysRenew Set to true when the access voucher should always be reset on initial redirect.

portal.redirect.remoteURL The URL to redirect to, with the login URL appended.

3.4 Adding static content

In the CoovaRADIUS data directory, /var/lib/coova-radius/ on Linux, do the following:

$ mkdir -p com/coova/portal/static/

$ echo "it works" > com/coova/portal/static/test.html

which is then accessible in the embedded portal with the URI /com/coova/portal/static/test.html. This can be used for images, HTML, or any other resource file.

4 External Captive Portals

CoovaRADIUS has an API based on the JSON format. This API can be used to integrate with a wide variety of external third party portals. We have provided an integration module to make it easier to integrate with the Drupal content management system.

4.1 Drupal Installation in openSUSE Appliance

Always install the latest Drupal from drupal.org. At the time of this writing, the version was 6.19.

To install Drupal, execute the following commands:

$ su

(root password)

# cd /srv/www/

# rm -rf htdocs

# wget http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz

# tar xzf drupal-6.19.tar.gz

# mv drupal-6.19 htdocs

# cd htdocs/sites/default

# mkdir files

# chown wwwrun files

# mv default.settings.php settings.php

# gedit settings.php

(edit settings.php)

Use the gedit program to edit the main Drupal settings, as shown in the previous example and also below.

$ su

(root password)

# gedit /srv/www/htdocs/sites/default/settings.php

(edit settings.php)

Edit the file, near the middle, changing the db_url variable with the correct information to access the database. Use the username drupal, the password used in section 1.5, and the database name drupal.

Now, use Firefox to finish the Drupal installation process:

$ firefox http://localhost/install.php

4.2 Installing Drupal Modules

Modules of interest:

◦ The Coova integration modules that come with the distribution.

◦ Ubercart shopping cart.

◦ Token is required by Ubercart.

◦ Always install the latest versions!

Installing Coova Hotspot and EWT Modules

# mkdir /srv/www/htdocs/sites/all/modules/

# cd /srv/www/htdocs/sites/all/modules/

# tar xzf /usr/lib/coova-radius/drupal/hotspot-6.x-1.x-dev.tar.gz

# tar xzf /usr/lib/coova-radius/drupal/ewt-6.x-1.x-dev.tar.gz

# cd ewt/

# tar xzf /usr/lib/coova-radius/drupal/com.coova.ewt.Drupal.tar.gz

Installing Ubercart

# cd /srv/www/htdocs/sites/all/modules/

# wget http://ftp.drupal.org/files/projects/token-6.x-1.15.tar.gz

# tar xzf token-6.x-1.15.tar.gz

# rm token-6.x-1.15.tar.gz

# wget http://ftp.drupal.org/files/projects/ubercart-6.x-2.4.tar.gz

# tar xzf ubercart-6.x-2.4.tar.gz

# rm ubercart-6.x-2.4.tar.gz

4.3 CoovaRADIUS Integration

Enable Drupal modules CoovaEWT and CoovaRADIUS.

Edit CoovaEWT settings under Administer / Site configuration / CoovaEWT (q=admin/settings/ewt):

◦ Enable the API

◦ Change the API password for the admin user, see section 1.1.4

◦ Enable CoovaEWT GUI and Ajax Proxy as needed by ewt_div() inclusion

Edit CoovaRADIUS settings under Administer / Site configuration / CoovaRADIUS (q=admin/settings/coova_radius); this requires that the CoovaEWT settings are already configured:

◦ Select the main mode Auto provision standard users

◦ Enter a random Cookie Encryption Key

◦ Enable Create users able to Own client devices

◦ Select local for Realm ID

◦ Select Global Network for Network ID

Complete the integration by configuring the following in CoovaRADIUS:

◦ Create a User in CoovaRADIUS

→ Username should be the same as the Drupal admin user name

→ Realm should be local

→ Home Network should be Global Network

→ Foreign User ID should be 1 (Drupal user ID)

→ Foreign User Realm should be drupal-site (Also used in Drupal config)

◦ Edit the Network named Global Network

→ Select the newly created User as the Owner

4.4 Example configuration: Members only

Enable the Hotspot module.

Edit Hotspot settings under Administer / Site configuration / Hotspot (q=admin/settings/coova_radius):

◦ Ensure the Hotspot is enabled

◦ Ensure the UAM Secret matches that for Global Network

To allow users to register at the Hotspot, we need to make it such that the user need not verify their e-mail address during sign-up. Do this under Administer / User management / User settings (q=admin/user/settings):

◦ Uncheck Require e-mail verification when a visitor creates an account

4.5 Example configuration: Selling access

5 Data Model Overview

The database consists of the following basic objects:

Realms are essentially the grouping of users. You can have the same username in different realms, but you can never have duplicate usernames within a realm. Realms are also an important concept in terms of “routing” of authentication, whereby RADIUS for users of a foreign realm is proxied to a third party RADIUS server.

Users are people associated with a username and password. Users can “own” objects in the system such as Access Points and Client Devices.

Client Devices are devices that access the Network, be it a laptop, hand-held, or phone. The device is known uniquely by its MAC address and can be “owned” by a User.

Access Points are the Wi-Fi routers, network access server (NAS), or any device acting as the access controller, as known uniquely by MAC address.

Access Controllers define types of Access Points, or more specifically, the type of access controller being used.

Networks are used to group together Access Points. A Network is able to be owned by a User and can optionally be associated with a parent Network.

Access Policies define the limitations put upon an Access Voucher in the system.

Access Vouchers are the backing objects controlling the limitations set on an Access Code, Network User, or Network Realm.

Access Codes define a username and password for access provisioning based on an access policy.

Access Code Sets are a grouping of Access Codes that were likely generated by the system.

Network User entries define which Users can access which Networks, based on an Access Policy.

Network Realm entries define which Realm (and all users under it) can access which Networks, based on an Access Policy.

Attribute Sets define a collection of Attributes of various Attribute Types. They can be associated with Users, Client Devices, and Access Policies.

5.1 Realms

A Realm provides a username “name-space” similar to that of a domain name in an e-mail address. Realms can represent groups of credentials (usernames and passwords) stored locally in the system or remotely in RADIUS servers elsewhere. See section ?? for more information on RADIUS Realm based routing.

Realms in RADIUS have significance as they provide a means of “routing” authentication through proxy servers to the appropriate “home” RADIUS server. There are two main ways to define a realm in a username. There is the Prefix format realm/username and the Postfix format username@realm. The username with one or more realms is then used as the username for login purposes.

→ Recommendation: If possible, organize your users in a specific realm and leave the default realm for Administrative-User (device login) purposes. With a captive portal, you can easily add a realm to a user’s username if needed.
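
The two realm formats above, and the portal-side step of adding a realm to a username, worked through as an added example that is not code from the Coova manual or product. It assumes that a postfix realm is examined before a prefix realm when both are present, and that the portal refuses names that already carry a realm so a guest cannot steer authentication to a foreign realm by typing one; the realm names other than local are constructed.

```python
# Added example (not from the Coova manual): parse and build realm-qualified
# usernames in the Prefix (realm/username) and Postfix (username@realm) formats.
PREFIX_SEP = "/"
POSTFIX_SEP = "@"


def split_realms(login):
    """Return (username, realms), realms listed outermost first.

    Assumption of this example: a postfix realm is peeled off before a
    prefix realm, so "corp/alice@isp.example" is routed to isp.example first.
    """
    realms = []
    rest = login
    while True:
        if POSTFIX_SEP in rest:
            rest, _, realm = rest.rpartition(POSTFIX_SEP)
        elif PREFIX_SEP in rest:
            realm, _, rest = rest.partition(PREFIX_SEP)
        else:
            break
        if not realm:
            raise ValueError("empty realm in %r" % login)
        realms.append(realm)
    if not rest:
        raise ValueError("empty username in %r" % login)
    return rest, realms


def route(login, local_realms, default_realm):
    """Decide whether a login is authenticated locally or proxied.

    Returns (action, realm, username) where action is "local" or "proxy".
    A login without any realm falls into default_realm.
    """
    username, realms = split_realms(login)
    realm = realms[0] if realms else default_realm
    action = "local" if realm in local_realms else "proxy"
    return action, realm, username


def add_realm(username, realm, style="postfix"):
    """Portal-side helper: attach a realm to a bare username.

    Rejects input that already contains a realm separator, so the realm
    chosen by the portal is the only one that can affect routing.
    """
    for value in (username, realm):
        if not value or PREFIX_SEP in value or POSTFIX_SEP in value:
            raise ValueError("separator or empty value in %r" % value)
    if style == "postfix":
        return username + POSTFIX_SEP + realm
    if style == "prefix":
        return realm + PREFIX_SEP + username
    raise ValueError("style must be 'prefix' or 'postfix'")


if __name__ == "__main__":
    local = {"local", "members"}  # constructed realm names
    for login in ("admin", "alice@members", "partner.example/bob",
                  "corp/alice@isp.example"):
        print(login, "->", route(login, local, default_realm="local"))
    print(add_realm("alice", "members"))
```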

5.2 Users

A User is an account that represents a real person and a unique Username within a Realm. The user can have an optional Email address and must have a Password.

→ Note: Passwords in the system are stored in plain-text. This is because some RADIUS authentication protocols require that the RADIUS server know the plain text password.

→ Recommendation: When creating users via the API where you have your own user database, you don’t have to set the RADIUS user’s password to be that of the original users. When using a captive portal, you can always use an alternate password (unknown to the user) for RADIUS provisioning purposes. This will further help protect your user passwords.
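
One way to follow this recommendation, as an added example that is not code from the Coova manual or product: the portal keeps only a salted hash of the user's real password and derives the RADIUS provisioning password with HMAC-SHA256 from a portal-held key, so the plain-text value stored in CoovaRADIUS is never the user's own password. The key handling, the function names and the choice of HMAC derivation are assumptions of this example; the call that writes the derived password to CoovaRADIUS through its API is not shown.

```python
# Added example (not from the Coova manual): separate the user's real password
# (hashed, portal side) from the RADIUS password (derived, stored in RADIUS).
import base64
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000


def enroll(password):
    """Portal-side record for the user's real password (salted PBKDF2 hash)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record, password):
    """Constant-time comparison of a typed password against the record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def radius_password(portal_key, realm, user_id, length=24):
    """Derive the RADIUS provisioning password for (realm, user_id).

    The same inputs always give the same password, so the portal can
    recompute it at login time instead of storing it anywhere.
    """
    if len(portal_key) < 32:
        raise ValueError("portal_key must be at least 32 random bytes")
    if not 16 <= length <= 52:
        raise ValueError("length must be between 16 and 52 characters")
    msg = b"radius-provisioning-v1"
    for field in (realm, str(user_id)):
        raw = field.encode("utf-8")
        # Length prefix keeps ("ab", "c") distinct from ("a", "bc").
        msg += len(raw).to_bytes(2, "big") + raw
    digest = hmac.new(portal_key, msg, hashlib.sha256).digest()
    text = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return text[:length]


def portal_login(record, typed_password, portal_key, realm, user_id):
    """Return the RADIUS password to submit, or None if the login fails."""
    if not check_password(record, typed_password):
        return None
    return radius_password(portal_key, realm, user_id)


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # generate once, keep outside the database
    record = enroll("correct horse")     # constructed sample password
    print(portal_login(record, "correct horse", key, "local", 1))
    print(portal_login(record, "wrong guess", key, "local", 1))
```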

User options include:

◦ Can own client devices - If the user is able to own client devices. If true, devices not otherwise owned will be automatically owned upon successful authentication.

◦ Can own access points - If the user is able to own access points. If true, access points not otherwise owned will be automatically owned upon successful authentication when not using a “public shared secret”.

◦ Administrative User - If true, the user can only be used with “Administrative-User” Service-Type request (device, not user, authentication).

◦ MAC Authentication - If true, then devices owned by the user can optionally be allowed to authenticate by MAC address.

◦ EAP Only - If true, only EAP authentication protocols are allowed for this user.

◦ EAP TLS Only - If true, only EAP-TLS (TLS, TTLS, PEAP) authentication protocols are allowed for this user.

◦ Anonymous AP Ok - If true, then the account can be used at access points using a “public shared secret”.

◦ Attribute Set - RADIUS attributes to send in an Access-Accept for this user.

5.3 Client Devices

A Client Device is a device, such as a laptop computer, that accesses a Network. It is uniquely identified by its Station Id (RADIUS Calling-Station-Id), which is the Ethernet MAC address of the device’s network interface. It can have a user Owner, which gets automatically assigned when a user logs in using the device and has the Can own client devices user option set.

Client device options include:

◦ MAC Authentication - If true, and if the user owning this device has the MAC Authentication user option set to true, the device will be automatically authenticated (with supported access controllers and configurations).

◦ Attribute Set - RADIUS attributes to send in an Access-Accept for this device.

5.3.1 Authorizing Client Devices

Individual Client Devices can be authorized (using MAC authentication) for Networks or Access Points by being added to the “whitelist” table.

5.3.2 Banning Client Devices

Individual Client Devices can be banned from Networks or Access Points by being added to the “blacklist” table.

5.4 Networks

A Network is a grouping of access points. It has a unique Name in the system and can have a user Owner. It may also have a Parent Network defined so that access permissions can be granted for multiple levels of networks.

Network options include:

◦ Default Realm - The Realm to use for authentication requests in the network where a specific realm is otherwise not specified.

◦ Attribute Set - RADIUS attributes to send in an Access-Accept for all sessions in the network.

◦ UAM Secret - The CoovaChilli uamsecret to use for a network (CoovaChilli only).

5.5 Access Points

An Access Point is uniquely identified by the Station Id (RADIUS Called-Station-Id), which is most often the MAC address. It can optionally have a Name, be grouped into a Network, and have a user Owner.

The system will automatically assign a user as the owner when a user logs into the access point, configured with the user’s specific RADIUS shared secret, and the user has option Can own access points set to true. The system will also automatically attempt to figure out the Controller Type.

Access point options include:

◦ Location - Informational purposes only.

◦ Description - Informational purposes only.

◦ MAC Address - MAC address, often the same as Station Id.

◦ NAS IP Address - IP address of the access point, automatically set from RADIUS.

◦ NAS Identifier - A RADIUS identifier, automatically set from RADIUS.

◦ Anonymous MAC Auth - When true, and used in conjunction with the MAC authentication feature of CoovaChilli, sessions at the access point are initially in “splash” mode where most network resources are available (E-mail, etc), but port 80, the standard HTTP port, is redirected to a splash page.

◦ Reversed Accounting - When true, the meaning of “Input” and “Output” and how they are associated with “Download” and “Upload” are reversed. See section ?? for more information on RADIUS Accounting.

◦ Bandwidth Graphing (RRD) - When true, the “Administrative-User” session statistics are used to produce an RRD graph of overall network throughput (requires Monitoring to be true).

◦ Monitoring - When set to true, the access point will be monitored by the system. Using the “Administrative-User” session of the device, on-line status information is maintained.

◦ Attribute Set - RADIUS attributes to send in an Access-Accept for all sessions from this access point.

5.6 Access Policies

An Access Policy defines the limitations being put on sessions for time, data, and/or bandwidth.

A policy consists of:

◦ Access Time and Access Time Units - Together these define the amount of access time granted.

◦ Access Window and Access Window Units - Together these define the time frame in which the Access Time can be consumed.

◦ Expiry Time and Expiry Time Units - Together these define the validity duration, after which the voucher is unusable.

◦ Download Data and Download Data Units - Together these define the max data downloaded.

◦ Upload Data and Upload Data Units - Together these define the max data uploaded.

◦ Total Data and Total Data Units - Together these define the max data uploaded and downloaded combined.

◦ Max Download Rate - Max bandwidth down in bits per second.

◦ Max Upload Rate - Max bandwidth up in bits per second.

◦ Max Concurrency - Max number of simultaneous sessions.

◦ Max Logins - Maximum number of logins.

◦ Auto Renew - True if the voucher automatically renews after the access window time.

The Access Voucher provides the backing object for the Access Policy and can be associated with an Access Code, Network User, or Network Realm.

→ Note: When making changes to an Access Policy that has already been in use, some state information kept in the Access Voucher may be inconsistent with the new settings. Therefore, it is advised to either create a new Access Policy (keeping the old one in place) or to Reset all Access Vouchers associated with the policy.

Using the Auto Renew option, schemes like “1 hour access, every day” can be implemented with an Access Time of one hour, an Access Window of one day, and Auto Renew set to true. With Auto Renew set to false, you instead have “1 hour of access total to be used within 24 hours”.

5.7 Access Codes

An Access Code defines a username and password within a Realm. Access codes can have an associated Access Policy and a user Owner. Additionally, access codes can be limited to a Network.

5.8 Network User Access

An entry in the Network User table enables a User to have access to a Network based on an optional Access Policy.

5.9 Network Realm Access

An entry in the Network Realm table enables a Realm, and all users under it, to have access to a Network based on an optional Access Policy. (Not yet fully implemented.)

5.10 Access Controllers

An Access Controller defines what features an access point has. Generally, it defines the access point make, but not necessarily, as CoovaChilli can run on a variety of hardware. The RADIUS platform potentially requires special support for access controllers not otherwise listed in this table.

◦ Default Reversed Accounting - When set to true, access points discovered to be of this controller type will be created with the Reversed Accounting option also set to true.

5.11 Attributes

Attributes define RADIUS Attributes that can be grouped together into Attribute Sets and used by the RADIUS server when authenticating Users, Access Codes, or Client Devices.

Because many RADIUS attributes are possible, a select box lists the defined Attribute Types when adding Attributes to an Attribute Set. Add more Attribute Types if the RADIUS attribute you wish to use is not currently available.

5.12 Named Values

Named Values provide a convenient way to manage a hierarchical structure of named values that can be defined on a Network, Access Point, User, or Client Device basis.

When named values are derived, more specific values (i.e. ones matching more of the criteria of Network, Access Point and so on) override more general values.

This table is used in the embedded captive portal and the dashboard features.

5.13 X509 Management

When CoovaRADIUS starts, it always ensures that it has a default Certificate Authority (CA); if not, it creates one. Using the CA certificate, X509 Certificates can be generated for users or for general (non-user) use.

A few certificates are created by default and used by the system. These include ewt-server, the certificate running the EWT interface (port 1800); dashboard-server, the certificate running the Dashboard interface (port 2444); radsec-server, the certificate running the RadSec interface (port 2083); and eap-server, the certificate for the EAP-TLS based authentication methods.

For details on X509 management features, see section ??.

5.14 Configuration

Name Description

com.coova.dal.version Used to track the database schema version, do not change.

com.coova.DefaultRealm System default realm.

com.coova.default.AcctInterimInterval Default system wide accounting interim interval.

com.coova.default.IdleTimeout Default system wide idle timeout.

com.coova.default.ReportType

com.coova.feature.AdvancedPolicies

com.coova.feature.ApRoaming Set to true to enable subscriber roaming between access points in the same network.

com.coova.feature.GenerateReports

com.coova.feature.Payments

com.coova.feature.FullAdministration

com.coova.feature.FullInformation

com.coova.feature.Reports

com.coova.menu.DisablePayments

com.coova.menu.NetworkSettings

com.coova.menu.NetworkPreferences

com.coova.menu.UserDevices

com.coova.menu.UserAccessCodeStatus

6 Testing with JRadiusSimulator

The JRadiusSimulator is an open-source RADIUS simulation and testing tool based on the JRadius framework. It is very flexible and easy to use for simple RADIUS AAA simulations. It allows you to hand craft RADIUS requests and to see the responses. Select from one of several authentication protocols, UDP or RadSec transport methods, and simulate your NAS by adding standard and Vendor Specific RADIUS attributes.

To start the simulator, use the radius-simulator command on Unix or double click on the RadiusSimulator program icon that came with the Windows or Mac distributions.

6.1 Basic Configuration

Configure the RADIUS Server to be your CoovaRADIUS server hostname or IP address. Set the Shared Secret appropriately. Since we are using a trial license, it is shown set to testing123. Select Generate a Unique Acct-Session-Id so that each request looks unique, as in typical real-life usage.

Click the Attributes tab to begin adding RADIUS attributes from the JRadius dictionary.

6.2 Adding RADIUS Attributes

Add RADIUS attributes to the various RADIUS request types and states. Begin by clicking Add Attribute to bring up a listing of all available RADIUS attributes in the JRadius dictionary.

Recommended attributes to add:

User-Name, User-Password - Username and password placeholder (password replaced depending on authentication protocol). The username is in all packets while the password is only added to Access Request and/or Tunneled Requests.

NAS-Identifier - The name of the NAS (access point).

NAS-Port-Type - NAS port type, select from a list.

Acct-Session-Id - A unique session ID generated by simulator.

Service-Type - The service type, select from a list.

NAS-IP-Address - The IP address of the access point.

Called-Station-Id - The MAC address of the access point.

Calling-Station-Id - The MAC address of the client device.

Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets - Some simple accounting data to add to accounting Update/Interim and Stop.

Warning! Be sure to save your configuration by selecting Save in the File menu of the main window.

6.3 Running Simulations

To run a simulation, click the Start button on the RADIUS tab.

Adjust the Simulation Type to test either only authentication or authentication followed by accounting. The attributes you have defined are added to packets depending on type (Access-Request or Accounting-Request) and accounting state (Acct-Status-Type) of either Start, Interim/Update, or Stop.

If you have selected to Log RADIUS to Log tab, then you will find the output of your RADIUS simulation after clicking on the Log tab.

Use the simulator to also test your system under load by adjusting the Requester Threads and Requests per Thread parameters. It’s recommended, however, that you turn off the logging as it will slow you down.

6.4 Testing against CoovaRADIUS

In order to use the simulator with your CoovaRADIUS server, there are a few configurations required in order to get an Access-Accept for your tests.

Access Point in a Network

If you have already tried a simulation and it has failed, the first thing to check is that the MAC address used in the Called-Station-Id is that of a valid access point in CoovaRADIUS and that the Access Point is part of a Network.

Shown is the Access Point with MAC address 00-00-00-00-00-00 automatically added to the system by our first (failed) authentication attempt. The record has since been edited and placed into the Global Network.

Test User exists and has Access

The User defined in the User-Name attribute must exist in the system and must have access to the Network associated with the Access Point.

Shown is the User with username test and password test created to be used in our simulation. The user was created with Realm local, which is also the Default Realm of the Global Network. Access was also added for the test user in the Global Network.

6.5 Testing EAP-TLS and RadSec

Note: A non-trial license is required to use the EAP and RadSec features of CoovaRADIUS.

In order to use RadSec as your Transport or to use the EAP-TLS authentication protocol, you must have a Client Certificate to use for authentication. In JRadiusSimulator, you configure this on the Keys tab.

Shown here is the simulator configured with a client certificate and private key (both in PEM format) in file /tmp/key.pem and the trusted root CA certificate in PEM format in file /tmp/ca.pem.

Click Trust All Server Certificates and leave the File fields blank to be able to use EAP-TTLS or PEAP without the client certificate configured.

To use with CoovaRADIUS, go to the Access / X509 tab to manage X509 certificates.

Shown is the certificate of the test User after clicking the New User Certificate button and generating the new certificate.

To use this certificate with our simulation, we cut-and-paste the Certificate in PEM format to the /tmp/key.pem file, which is what we used in JRadiusSimulator. Additionally, click on the Export tab in the middle of the page, after selecting the test user certificate in the table, and cut-and-paste the Exported Private Key into the same file.

Then click on the Show Certificate Authorities button to see the certificate of the signing CA (as shown above). Cut-and-paste the Certificate in PEM format to the /tmp/ca.pem file, as used in our simulation.

Change the Authentication Protocol to run simulations with different authentication methods. Using EAP-TLS requires a client certificate that matches the user, while others, like EAP-TTLS and PEAP, tunnel an inner authentication and the client certificate is not required.

To run a RadSec simulation, select RadSec as the Transport method, configure the Shared Secret to be radsec (required for all RadSec tunnels), and set the ports to 2083, as shown.

6.6 Example Session Log

Access Request (PEAP)

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=6)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=6)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=72)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=253)]

EAP-Message = [Binary Data (length=253)]

EAP-Message = [Binary Data (length=253)]

EAP-Message = [Binary Data (length=253)]

EAP-Message = [Binary Data (length=22)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=6)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=253)]

EAP-Message = [Binary Data (length=105)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=236)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=65)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=6)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=59)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=80)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=59)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=144)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessChallenge

Attributes:

EAP-Message = [Binary Data (length=43)]

State = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

State = [Binary Data (length=46)]

EAP-Message += [Binary Data (length=96)]

Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccessAccept

Attributes:

MS-MPPE-Recv-Key = [Binary Data (length=50)]

MS-MPPE-Send-Key = [Binary Data (length=50)]

EAP-Message = [Binary Data (length=4)]

Acct-Interim-Interval = 300

User-Name = test

Chargeable-User-Identity = test@local

Class = [Binary Data (length=46)]

Message-Authenticator = [Binary Data (length=16)]

Accounting

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccountingRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Status-Type := Start

Class = [Binary Data (length=46)]

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccountingResponse

Attributes:

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccountingRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Time := 120

Acct-Input-Packets := 10

Acct-Output-Packets := 20

Acct-Input-Octets := 100

Acct-Output-Octets := 200

Acct-Status-Type := Alive

Class = [Binary Data (length=46)]

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccountingResponse

Attributes:

Sending RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccountingRequest

Attributes:

NAS-Identifier := simulator

NAS-Port-Type := Wireless-802.11

User-Name := test

Service-Type := Login-User

NAS-IP-Address := 127.0.0.1

Called-Station-Id := 00-00-00-00-00-00

Calling-Station-Id := 11-11-11-11-11-11

Acct-Session-Time := 120

Acct-Input-Packets := 10

Acct-Output-Packets := 20

Acct-Input-Octets := 100

Acct-Output-Octets := 200

Acct-Status-Type := Stop

Class = [Binary Data (length=46)]

Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:

----------------------------------------------------------

Class: class net.jradius.packet.AccountingResponse

Attributes:
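One way to check a saved session log such as the one above, as an added Python example that is not part of JRadiusSimulator or CoovaRADIUS: it parses the log format, totals the EAP-Message fragments (a RADIUS attribute value holds at most 253 bytes, hence the runs of 253 in the log), and flags any packet that carries EAP-Message without Message-Authenticator, which RFC 3579 requires. The function names and the embedded log excerpt are constructed for the example.

```python
import re

HEADER = re.compile(r"^(Sending|Received) RADIUS Packet:$")
CLASS = re.compile(r"^Class: class [\w.]+\.(\w+)$")
ATTR = re.compile(r"^([\w-]+) (:=|\+=|=) (.*)$")
BINARY = re.compile(r"^\[Binary Data \(length=(\d+)\)\]$")

# Constructed excerpt in the simulator's log format (not a real capture).
SAMPLE_LOG = """\
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := test
Called-Station-Id := 00-00-00-00-00-00
EAP-Message += [Binary Data (length=9)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=22)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := test
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:
EAP-Message = [Binary Data (length=4)]
User-Name = test
Message-Authenticator = [Binary Data (length=16)]
"""


def parse_log(text):
    """Split a simulator log into packets with (name, value, binary_length) attributes."""
    packets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"direction": m.group(1), "cls": None, "attrs": []}
            packets.append(current)
            continue
        # Skip blank lines, the dashed rule, and anything before the first packet.
        if current is None or not line or line == "Attributes:" or set(line) == {"-"}:
            continue
        m = CLASS.match(line)
        if m:
            current["cls"] = m.group(1)
            continue
        m = ATTR.match(line)
        if m:
            name, _op, value = m.groups()
            b = BINARY.match(value)
            current["attrs"].append((name, value, int(b.group(1)) if b else None))
    return packets


def eap_len(packet):
    """Total EAP payload bytes carried by one packet (sum of its fragments)."""
    return sum(n for name, _v, n in packet["attrs"] if name == "EAP-Message" and n)


def audit(packets):
    """Summarise the exchange and list protocol-hygiene findings."""
    findings, last_received = [], None
    for i, p in enumerate(packets, 1):
        names = [a[0] for a in p["attrs"]]
        if "EAP-Message" in names and "Message-Authenticator" not in names:
            findings.append(f"packet {i} ({p['cls']}): EAP-Message without Message-Authenticator")
        if (p["direction"] == "Sending" and last_received == "AccessChallenge"
                and "State" not in names):
            findings.append(f"packet {i} ({p['cls']}): no State echoed after Access-Challenge")
        if p["direction"] == "Received":
            last_received = p["cls"]
    received = [p for p in packets if p["direction"] == "Received"]
    return {
        "challenges": sum(p["cls"] == "AccessChallenge" for p in received),
        "outcome": received[-1]["cls"] if received else None,
        "eap_bytes_from_server": sum(eap_len(p) for p in received),
        "findings": findings,
    }
```

The log prints only attribute lengths, so the State check confirms presence, not that the value matches the preceding challenge.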

7 Configuring Access Points

CoovaRADIUS can be used with a wide range of Access Points and Access Controllers. If it supports RADIUS, chances are very likely it’ll work with CoovaRADIUS. There are some RADIUS requirements, but generally vendors do things in similar ways.

Contact us if your access point or access controller is not listed and you require assistance setting up.

7.1 CoovaAP 1.x

http://www.coova.org/CoovaAP

CoovaAP provides an easy to use interface for configuring CoovaChilli on Broadcom-based routers.

7.2 CoovaAP 2.x “Dashboard”

Currently configured directly in the Named Values table found under the System tab, the following attributes, resolved on a per access point or network basis (traversing the list of parent networks), are of interest:

cap.uci.hotspot.chilli.radsecret RADIUS secret for CoovaChilli....

Contact us for more information on firmware support options with centralized “Dashboard” configuration.

7.3 Colubris / HP Procurve

7.4 Ubiquiti

Contact us for more information on firmware support options.

7.5 Open-mesh

Contact us for more information on firmware support options.

7.6 CoovaChilli

Contact us for more information on CoovaChilli support options.

8 API, GUI, & Web Services

With CoovaRADIUS installed and running, access:

https://localhost:1800/ewt/home.html

8.1 CoovaEWT

The web-based administrative interface is a static HTML and JavaScript application that uses Ajax calls back to the server, using the JSON data format.

The Ajax/API calls are mostly done through a single URL, with query string parameters possibly added. Here is the EWT API when running on the localhost:

https://localhost:1800/ewt/json

The web administrative interface uses the URL to retrieve the GUI screens as well as the data for tables and settings. As such, the GUI of the administrative interface is customizable by editing XML files in the server.

Additionally, the data services exposed through the EWT URL serve as a pure API into the system.

Query string parameters for the EWT URL:

Parameter Description

res Main “resource” type, for API use it is most often service.

s The service name to perform, set to table for EWT Tables Services.

table When s=table, this value defines what table service to perform.

8.2 EWT Tables

With s=table and table set, the following are valid:

Parameter Description

start Sets the offset into result set, for paging.

max Maximum number of results in the result set.

sort Table field to sort on.

desc Set to true or false for a descending or ascending, respectively, sort order.

update When set to true, the POST data record is updated in the database table.

new When set to true, the POST data record is added to the database table.

delete When set to true, the POST data record is deleted from the database table.

8.2.1 Searching Records

When searching, meaning that the new, update, and delete options are not being used, the following query string parameters can be used to set search criteria. The field name is the table field name in Java bean format.

Parameter SQL Query

fieldIsNull field is null

fieldIsNotNull field is not null

fieldLike field like value (string valued fields only)

fieldEqualTo field = value

fieldNotEqualTo field <> value

fieldGreaterThan field > value

fieldGreaterThanOrEqualTo field >= value

fieldLessThan field < value

fieldLessThanOrEqualTo field <= value

fieldIn field in ( value, value, ... )

fieldNotIn field not in ( value, value, ... )

fieldBetween field between value, value

fieldNotBetween field not between value, value

Examples

Some example requests follow. The first shows a select on the Users table limiting results to 5. The following two queries place criteria on the realm field to search for users within certain Realms.

GET /ewt/json?res=service&s=table&table=radUser&start=0&max=5&sort=id&desc=true

GET /ewt/json?res=service&s=table&table=radUser&realmEqualTo=1

GET /ewt/json?res=service&s=table&table=radUser&realmIn=1,2

In all cases, when returning a result set, the JSON format is as follows. The entire response is wrapped in a service object which contains the total number of rows selected by the query in count and the rows themselves (up to max of them) in a JSON array. The JSON array of table row objects is named based on the table. In this example, that is the radUser table.

{ "service": [
    { "count": 100,
      "radUser" : [
        { "uid": 1,
          "userName": "test",
          "email": "[email protected]",
          "realmId": 1,
          "realmId_display": "coova.org (1)",
          "password": "test",
          "userDefault": false,
          "ownsClientDevices": true,
          "ownsAccessPoints": false,
          "timeZone": "",
          "administrativeUser" : false,
          "macauthAllowed": false,
          "anonApOk": false,
          "eapOnly": false,
          "eapTlsOnly": false,
          "userNetworkOnly": false,
          "createdDate": "Thu Oct 16 18:03:07 CEST 2008",
          "disabled": false
        },
        ...
      ]
    }
]}
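The search requests and the response envelope above, as an added Python example (not part of the CoovaRADIUS documentation or code): it builds table-service query strings only from a fixed operator list, so a caller-supplied name can never smuggle in new, update or delete, and it redacts the plain-text password field before rows are logged. The helper names, the comma-joined form for Between and the sample response are assumptions; the IsNull operators are left out because the page does not say what value they take.

```python
import json
import re
from urllib.parse import urlencode

EWT_PATH = "/ewt/json"
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")   # Java-bean style names only

# Criteria suffixes from the "Searching Records" table and how many values
# each takes (None = one or more, sent comma-separated as in realmIn=1,2).
ARITY = {
    "Like": 1, "EqualTo": 1, "NotEqualTo": 1,
    "GreaterThan": 1, "GreaterThanOrEqualTo": 1,
    "LessThan": 1, "LessThanOrEqualTo": 1,
    "In": None, "NotIn": None,
    "Between": 2, "NotBetween": 2,   # comma-joined form is an assumption
}

# Constructed response in the envelope shape shown on the page.
SAMPLE_RESPONSE = json.dumps({"service": [{"count": 100, "radUser": [
    {"uid": 1, "userName": "test", "realmId": 1,
     "password": "test", "disabled": False},
]}]})


def build_search_url(table, criteria=(), start=None, max_rows=None,
                     sort=None, desc=None):
    """Return the GET path for an EWT table search."""
    for name in (table, sort):
        if name is not None and not IDENT.match(name):
            raise ValueError(f"not a bean-style name: {name!r}")
    params = [("res", "service"), ("s", "table"), ("table", table)]
    for key, value in (("start", start), ("max", max_rows), ("sort", sort)):
        if value is not None:
            params.append((key, str(value)))
    if desc is not None:
        params.append(("desc", "true" if desc else "false"))
    for field, op, values in criteria:
        # Parameter names are field + operator, so both parts are checked
        # before they are concatenated.
        if not IDENT.match(field) or op not in ARITY:
            raise ValueError(f"rejected criterion {field!r} {op!r}")
        if not isinstance(values, (list, tuple)):
            values = [values]
        texts = [str(v) for v in values]
        want = ARITY[op]
        if not texts or (want is not None and len(texts) != want):
            raise ValueError(f"{op} takes {want or 'one or more'} value(s)")
        if want != 1 and any("," in t for t in texts):
            raise ValueError("comma inside a list value would split it")
        params.append((field + op, ",".join(texts)))
    # safe="," keeps list separators literal, matching the page's realmIn=1,2
    return EWT_PATH + "?" + urlencode(params, safe=",")


def parse_response(body, table):
    """Unwrap the service envelope and return (count, rows)."""
    doc = json.loads(body)
    service = doc.get("service") if isinstance(doc, dict) else None
    if (not isinstance(service, list) or not service
            or not isinstance(service[0], dict)
            or not isinstance(service[0].get(table), list)):
        raise ValueError("unexpected EWT response envelope")
    return int(service[0]["count"]), service[0][table]


def redact(rows, secret_fields=("password",)):
    """Copy rows with secret fields masked, for logs and debug output."""
    return [{k: ("<redacted>" if k in secret_fields else v)
             for k, v in row.items()} for row in rows]
```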

8.2.2 Adding Records

With the parameter new=true set, the POST data is taken to create a new record in the database table.

POST /ewt/json?res=service&s=table&new=true&table=radRealm

{ "realm": "test", "ownerId": 1 }
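The recommendation in section 5.2 (a RADIUS-only password unknown to the user) combined with the new=true request above, as an added Python example that is not CoovaRADIUS code: the portal keeps its own salted hash of the real password and sends the server only a value derived with HMAC-SHA256 from a portal-held key. The radUser field names are taken from the sample response in section 8.2.1 and are assumed to be accepted on insert; the function names, the demo key and the HMAC derivation are choices made for this example.

```python
import base64
import hashlib
import hmac
import json
import os

# Same query string as the radRealm request above, with table=radUser.
EWT_ADD_USER = "/ewt/json?res=service&s=table&new=true&table=radUser"
PBKDF2_ROUNDS = 200_000


def radius_password(portal_key, realm, username):
    """Derive the RADIUS-only password; recomputed at login, never stored."""
    msg = realm.encode() + b"\x00" + username.encode()
    digest = hmac.new(portal_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:24]).decode("ascii")  # 32 chars


def _hash(password, salt):
    """Salted hash of the user's real password, kept only by the portal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision(portal_db, portal_key, realm, realm_id, username, real_password):
    """Register the user in the portal and build the EWT insert request.

    The request body carries the derived password only, so the plain-text
    value held by the RADIUS server is not the user's real password.
    """
    salt = os.urandom(16)
    portal_db[(realm, username)] = (salt, _hash(real_password, salt))
    record = {
        "userName": username,          # field names assumed from the sample response
        "realmId": realm_id,
        "password": radius_password(portal_key, realm, username),
    }
    return "POST", EWT_ADD_USER, json.dumps(record)


def portal_login(portal_db, portal_key, realm, username, offered_password):
    """Return the (User-Name, User-Password) pair to send to RADIUS, or None."""
    # Unknown users still go through one hash so both paths cost the same.
    salt, stored = portal_db.get((realm, username), (b"\x00" * 16, b""))
    if not hmac.compare_digest(stored, _hash(offered_password, salt)):
        return None
    # Postfix realm format (username@realm) from section 5.1.
    return f"{username}@{realm}", radius_password(portal_key, realm, username)
```

The portal key now protects every derived password, so it belongs in the portal's secret store and not in the RADIUS database or the Named Values table.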

8.2.3 Updating Records

With the parameter update=true set, the POST data is taken to update a record in the database table.

POST /ewt/json?res=service&s=table&update=true&table=radRealm

{ "uid": 1, "realm": "test", "ownerId": 1, ... }

8.2.4 Deleting Records

With the parameter delete=true set, the POST data is taken to delete a record in the database table based on the unique id uid.

POST /ewt/json?res=service&s=table&delete=true&table=radRealm

{ "uid": 1, ... }

8.3 EWT Permissions

9 Data Services - API

The platform can be accessed remotely programmatically using the Application Programming Interface (API).

API URL: /ewt/json

9.1 Naming

Within the API, the names of tables and columns of tables are in standard Java bean format. That is, wherever there is a “_” in a name, be it a table or column name, the underscore is removed and the following letter is capitalized. For example, the column name realm_id is known as realmId. For the table data services, the table names are similarly renamed, though in the singular.

9.2 EWT Table Services

    Service Name         Database Table         Notes
    radAccessCodeSet     rad_access_code_sets   Access code sets, see section 5.7.
    radAccessCode        rad_access_codes       Access codes, see section 5.7.
    radAccessPoint       rad_access_points      Access points, see section 5.5.
    radAccessPolicy      rad_access_policies    Access policies, see section 5.6.
    radAccessVoucher     rad_access_vouchers    Access vouchers, see section 5.6.
    radActiveSessions    rad_sessions           Selects only active sessions.
    radAttributeSet      rad_attribute_sets     Attribute sets, see section 5.11.
    radAttributeType     rad_attribute_types    Attribute types, see section 5.11.
    radAttribute         rad_attributes         Attributes, see section 5.11.
    radClientDevice      rad_client_devices     Client devices, see section 5.3.
    radConfig            rad_configs            General server configurations, see section 5.14.
    radControllerType    rad_controller_types   Access controller types.
    radDeviceVendor      rad_device_vendors     IEEE registered device vendors.
    radLog               rad_logs               RADIUS logs, when enabled on a per Access Point basis.
    radMacBlacklist      rad_mac_blacklist      Banned devices, see section 5.3.2.
    radMacWhitelist      rad_mac_whitelist      Authorized devices, see section 5.3.1.
    radNamedValue        rad_named_values       Named values, see section 5.12.
    radNetRealm          rad_net_realms         Network realms, see section 5.9.
    radNetUser           rad_net_users          Network users, see section 5.8.
    radNetwork           rad_networks           Networks, see section 5.4.
    radPaymentProfile    rad_payment_profiles   Payment profiles table.
    radPayment           rad_payments           Payments table.
    radRealmRoute        rad_realm_routes       Realm routes table.
    radRealm             rad_realms             Realms, see section 5.1.
    radReportType        rad_report_types       Report types.
    radReport            rad_reports            Reports.
    radSession           rad_sessions           RADIUS sessions, see section ??.
    radUser              rad_users              Users, see section 5.2.
    radWalledGarden      rad_walled_garden      Walled garden, see section ??.
    radX509Certificate   rad_x509_certs         X509 certificates and private keys.
    radX509CA            rad_x509_certs         Selects for Certificate Authorities only.
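The naming rule of section 9.1 checked against the table above, as an added Python example that is not part of the CoovaRADIUS distribution. The function names and the use of the table as an allowlist for the table parameter are assumptions; database table names are written with the underscores the rule refers to, and the three exceptions are the rows that do not follow the plain rule.

```python
def column_to_bean(name):
    """realm_id -> realmId: drop each underscore, capitalize the next letter."""
    head, *rest = name.split("_")
    return head + "".join(part[:1].upper() + part[1:] for part in rest if part)


def singular(word):
    """Singular of the last word of a table name (policies -> policy)."""
    if word.endswith("ies"):
        return word[:-3] + "y"
    if word.endswith("s") and not word.endswith("ss"):
        return word[:-1]
    return word  # already singular, e.g. blacklist, garden


def service_for_table(table):
    """rad_access_code_sets -> radAccessCodeSet."""
    parts = table.split("_")
    parts[-1] = singular(parts[-1])
    return column_to_bean("_".join(parts))


# Database tables from the 9.2 table whose service name follows the rule.
RULE_TABLES = """
rad_access_code_sets rad_access_codes rad_access_points rad_access_policies
rad_access_vouchers rad_attribute_sets rad_attribute_types rad_attributes
rad_client_devices rad_configs rad_controller_types rad_device_vendors
rad_logs rad_mac_blacklist rad_mac_whitelist rad_named_values rad_net_realms
rad_net_users rad_networks rad_payment_profiles rad_payments rad_realm_routes
rad_realms rad_report_types rad_reports rad_sessions rad_users rad_walled_garden
""".split()

# Rows that are filtered views or use a longer name than the table.
EXCEPTIONS = {
    "radActiveSessions": "rad_sessions",
    "radX509Certificate": "rad_x509_certs",
    "radX509CA": "rad_x509_certs",
}

KNOWN_SERVICES = {service_for_table(t) for t in RULE_TABLES} | set(EXCEPTIONS)


def checked_table_param(name):
    """Return name only if it is a documented service, before it goes into a URL."""
    if name not in KNOWN_SERVICES:
        raise ValueError(f"not a documented table service: {name!r}")
    return name


if __name__ == "__main__":
    for table in ("rad_access_policies", "rad_mac_blacklist", "rad_x509_certs"):
        print(table, "->", service_for_table(table))
    print(len(KNOWN_SERVICES), "documented services")
```
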

9.3 Other EWT Services

9.3.1 coova-users

9.3.2 coova-network

9.4 EWT PHP Client

PHP API

For PHP website integration, the same JSON formatted services used for the web interface are accessible through the CoovaRADIUSClient class, contained in the file CoovaRADIUSClient.php. The class is an extension of EWTClient, found in EWTClient.php. EWTClient uses PHP's internal JSON parsing routines and curl (libcurl) for the HTTP(S) client.

EWTClient tries to abstract away as much of the underlying JSON formatting of the API as possible. The CoovaRADIUSClient class provides the higher-level functions.

For example, this function uses EWTClient to add a user:

    function createUser($data) {
        $ewt = $this->ewtClient();
        // Invoke the 'create' action of the coova-users service
        $res = $ewt->doAction('coova-users', 'create', $data);
        $ewt->close();
        return $res;
    }

Here is an example use:

    require_once 'EWTClient.php';
    require_once 'CoovaRADIUSClient.php';

    $url = 'https://localhost:1800/ewt/json';
    $ewt = new CoovaRADIUSClient($url, 'admin', 'admin');

    function customNewUser($ewt, $username, $password) {
        $data = array(
            'realmId' => 1, // pre-configured realm
            'networkId' => 1, // pre-configured network
            'userName' => $username,
            'password' => $password,
            'netUser' => array( 'networkId' => 1 )
        );
        return $ewt->createUser($data);
    }

This not only creates the user in the Users table, but also creates a Network User entry for the network with Id 1 (pre-defined in the database, in this case the "Global Network"). This allows the user to actually access the network.

JSON data is converted into PHP arrays, as the output of this example demonstrates:

    // Access code example
    var_dump($ewt->provisionAccessCode(array(
        'accessPolicyId' => 1)));

Which results in:

    array(4) {
      ["uid"] => int(14)
      ["username"] => string(8) "joLvRTET"
      ["accessPolicyId"]=> int(1)
      ["password"]=> string(8) "4njYg6uN"
    }

9.5 Examples

    $ curl --cacert ca.pem --key key.pem --cert cert.pem -k \
      "https://ewt-server:1800/ewt/json?res=service&s=table&table=radAccessPoint&macAddressLike=00-12-CF-80-68-71&start=0&max=1"
    {"service":[
      {"radAccessPoint":
        [{"uid":1,
          "location":"My_HotSpot",
          "ownerId":2,
          "calledStationId":"00-12-CF-80-68-71",
          "networkId":1,
          "vendorId_display":"Accton Technology Corp (3953)",
          "macAddress":"00-12-CF-80-68-71",
          "vendorId":3953,
          "attributeSetId_display":"",
          "networkId_display":"Global Network (1)",
          "reversedAccounting":true,
          "ownerId_display":"c9w (2)",
          "name":"nas01",
          "controllerTypeId_display":"CoovaChilli (2)",
          "nasIpAddress":"10.99.100.1",
          "wanIpAddress":"62.163.177.27",
          "nasIdentifier":"nas01",
          "createdDate":"2010-06-23 08:17:44 UTC",
          "controllerTypeId":2}],
       "count":1}]
    }
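The curl call above passes -k, which switches off server certificate verification even though --cacert is supplied. The following added Python example (not from the manual; the function names are assumptions, the file names follow the curl command) issues the same query with verification left on and refuses to run over an unverified context.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def make_context(cafile=None, certfile=None, keyfile=None):
    """TLS client context that authenticates the server; there is no -k here."""
    # create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # client certificate, as --cert/--key
    return ctx


def curl_k_equivalent():
    """What -k amounts to: any certificate for any host is accepted (contrast only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_is_authenticated(ctx):
    """True when the context checks both the certificate chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def select_url(base, table, start=0, max_rows=1, **filters):
    """URL of a table select such as the macAddressLike query above."""
    query = {"res": "service", "s": "table", "table": table,
             **filters, "start": start, "max": max_rows}
    return f"{base}/ewt/json?{urlencode(query)}"


def fetch_rows(base, table, ctx, **filters):
    """Run the select and return the row array named after the table."""
    if not server_is_authenticated(ctx):
        raise ValueError("server certificate verification is disabled")
    url = select_url(base, table, **filters)
    # The certificate must list the host name used in `base` (here ewt-server).
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        doc = json.load(resp)
    return next(e[table] for e in doc["service"] if table in e)


if __name__ == "__main__":
    print(select_url("https://ewt-server:1800", "radAccessPoint",
                     macAddressLike="00-12-CF-80-68-71"))
    print("default context verifies server:", server_is_authenticated(make_context()))
    print("-k equivalent verifies server:", server_is_authenticated(curl_k_equivalent()))
    # With the files from the curl command present:
    # ctx = make_context("ca.pem", "cert.pem", "key.pem")
    # rows = fetch_rows("https://ewt-server:1800", "radAccessPoint", ctx,
    #                   macAddressLike="00-12-CF-80-68-71")
```
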

10 Google Maps

CoovaRADIUS supports the use of Google Maps to aid in the geo positioning of networks and access points.

10.1 Configure API Key

For Google Maps to work, you need to sign up for a Google API Key, which has to match the URL of the website showing the maps. CoovaRADIUS user interfaces, maps included, can be embedded into a variety of sites. In order to have Google Maps work, CoovaRADIUS must know the API key to use.

With no API key configured, Google Maps will not be available and the above will be shown.

To acquire a Google Maps API key, visit:

http://code.google.com/apis/maps/signup.html

Enter the hostname of the CoovaRADIUS interface to generate a key for it. In our example we are using https://localhost:1800/, and we generated a key for that URL. Once generated, enter the API key into the CoovaRADIUS configuration under the System menu and the Named Values sub-menu.

Create a new Named Value Configuration entry, setting everything to none except the Name and Value fields. For the Name, enter:

com.google.api.key.siteKey

Where siteKey is either the HTTP Host the interface is being viewed at (e.g. com.google.api.key.localhost:1800) or the Drupal Realm if the maps are being injected into a Drupal site (e.g. com.google.api.key.drupal-site).

If your CoovaRADIUS administration interface is available using multiple URLs, then repeat the API key generation and configuration process for each hostname that will be used.

10.2 Geo Coordinate Administration

For each network you wish to use maps with, start out by positioning the “center” of the network. CoovaRADIUS will use the network center as the default position when showing maps of access points.

To jump to a location, enter the address of the location in the search field and click find. Move the marker to the exact location and you will see the coordinates filled in to the form automatically. Once the position is correct, be sure to click Save.

Once the network center is set, go and adjust the location of each access point. In a similar fashion, move the marker to the exact location of the access point and click Save when done.

10.3 Administration in Drupal

Maps can also be used in the embedded Drupal user interfaces.

Set the “center” of the network and default zoom level, as shown above.

Adjust the position of each access point and click Save when done.

10.4 Public Map in Drupal

A public map can be exposed easily by embedding the CoovaRADIUS interface directly into a Drupal web page.

The above map is generated using the following Drupal page content, using PHP code as the Input format:

    <?php
    echo ewt_div('drupal-my-network-map', '', "{ }");
    ?>

10.5 Map Info Window

The contents of the map info popup window can be changed on a network or access point basis. The default content shows the network name and access point name.

To change it, add an entry in the Named Values configuration with the key name com.coova.map.APInfo. If there is an entry with that key name associated with the specific network and access point, then the value is used for the popup window content. Add an entry associated only with a network (leaving the access point on none) and the value will be used for all access points that otherwise don’t have a specific entry.

11 Licensing

11.1 Coova Software License

Coova Technologies, LLC

SOFTWARE LICENSE AGREEMENT

NOTE: THIS AGREEMENT WILL ONLY APPLY TO THE EXTENT THAT NO

BINDING AGREEMENT, WRITTEN OR ELECTRONIC, (THE "OTHER AGREEMENT") IS

ALREADY IN PLACE BETWEEN CUSTOMER (DEFINED BELOW) AND COOVA

TECHNOLOGIES, LLC. PERTAINING TO THE SOFTWARE PRODUCT TO WHICH THIS

AGREEMENT APPLIES. TO THE EXTENT THAT ANY OTHER AGREEMENT IS IN

EFFECT, THEN SUCH OTHER AGREEMENT WILL GOVERN CUSTOMER'S DOWNLOAD AND

USE OF THE SOLUTION AND RECEIPT OF PROFESSIONAL SERVICES AND THIS

AGREEMENT WILL NOT APPLY EVEN IF YOU ARE REQUIRED TO CLICK THE BOX

AFFIRMING YOUR CONSENT TO THE TERMS OF THIS AGREEMENT.

BY COMPLETING THE ONLINE REGISTRATION FORM AND CLICKING THE "I

AGREE" BUTTON, YOU SUBMIT TO COOVA TECHNOLOGIES, LLC., A CALIFORNIA

LIMITED LIABILITY COMPANY ("WE" OR "COOVA"), AN OFFER TO OBTAIN THE

RIGHT TO USE THE SOLUTION AND RECEIVE PROFESSIONAL SERVICES (AS DEFINED

BELOW) UNDER THE PROVISIONS OF THIS LICENSE AND PROFESSIONAL SERVICES

AGREEMENT (THE "AGREEMENT").

BY CLICKING THE "I AGREE" BUTTON, YOU HEREBY AGREE THAT YOU HAVE

THE REQUISITE AUTHORITY, POWER AND RIGHT TO FULLY BIND THE PERSON

AND/OR ENTITY(IES) (COLLECTIVELY, THE "CUSTOMER") WISHING TO USE THE

SOLUTION LISTED ON THE ORDER CONFIRMATION PAGE, PRICING SCHEDULE,

QUOTE AND/OR INVOICE (EACH A "PURCHASE ORDER") WHICH COOVA PROVIDES

TO CUSTOMER IN CONNECTION WITH THE PURCHASE OF LICENSES TO THE

SOLUTION AND RECEIPT OF PROFESSIONAL SERVICES DESCRIBED BELOW. THE

TERMS OF EACH ORDERING DOCUMENT WILL SET FORTH THE SPECIFIC TERMS OF

THE ORDER BUT ALL APPLICABLE TERMS AND CONDITIONS BELOW SHALL

APPLY.

IF YOU DO NOT HAVE THE AUTHORITY TO BIND THE CUSTOMER OR YOU OR THE

CUSTOMER DO NOT AGREE TO ANY OF THE TERMS BELOW, COOVA IS UNWILLING TO

PROVIDE THE SOLUTION OR PROFESSIONAL SERVICES TO THE CUSTOMER, AND YOU

SHOULD NOT CLICK TO ACCEPT THE TERMS OF THIS AGREEMENT AND YOU SHOULD

DISCONTINUE THE ORDER, DOWNLOAD AND/OR INSTALLATION PROCESS AND NOT

REQUEST ANY PROFESSIONAL SERVICES OR SUPPORT.

1.0 Ordering

The Purchase Order will specify the Coova standard software product

offering ("Base Software"), any Modules or Feature Upgrades (each as

defined below) that Customer is licensing, the number of production

server instances, the number of RADIUS shared secrets and the shared

secrets themselves, any consulting, configuration, customization or

other professional services ("Professional Services") and all other

necessary information. The Base Software and any Modules and/or

Feature Upgrades acquired by Customer pursuant to a Purchase Order

are collectively referred to as the "Solution". All Purchase Orders

are incorporated herein by reference. Following Coova's acceptance

of each Order Document and Customer's payment of any initial fees

(as described in Section 12.0 below) due under such Purchase Order,

Coova will make the Solution available to Customer for download

using a password protected account on Coova's website or a

pre-authorized URL to an Amazon S3 storage location. Coova may make

available to Customer certain optional functionality or services

which may be provided as either an update or upgrade to the Base

Software ("Feature Upgrade") or a separate stand-alone module

("Module"). Certain Feature Upgrades and Modules may require that

the Customer agree to certain restrictions provided by Coova in

advance which are in addition to the terms and conditions of this

Agreement. Any additional or separate pricing associated with

Feature Upgrades or Modules will be as set forth on the Purchase

Order or otherwise agreed to by the parties in writing.

2.0 Solution, License Grants and Restrictions

2.1 License Grants

Subject to the terms of this Agreement and during the applicable

license term, Coova grants to Customer a limited, worldwide,

non-exclusive, non-transferable license, without sublicense

rights, to (a) unless otherwise expressly set forth within the

Purchase Order, to install a single instance of the Solution in

one (1) production environment and permit in accordance with the

authorized license implementation set forth on the Purchase Order

(as further described in Section 2.3 below), (b) if permitted by

Coova in its sole discretion, install and use the portions of the

Solution made available in source code format for internal testing

purposes and to create modifications ("Customer Modification") to

the Solution solely for purposes of developing bug fixes,

customizations, or additional features pertaining to the Solution

(and no other product or service), and (c) use and make a

reasonable number of copies of any descriptions, instructions, or

other documentation made available in connection with the

Solution, if any ("Documentation"). Certain Modules are provided

on a hosted basis and, in such instances, Customer will not

install the Module but rather will access the Module via the

functionality of the Base Solution. Coova takes no responsibility

for and neither makes nor gives any guarantees, conditions or

warranties with respect to any Customer Modifications or the

Solution's interoperability with such Customer Modifications.

Customer grants to Coova and its licensees a perpetual,

irrevocable, worldwide, royalty-free, sublicenseable license under

Customer's intellectual property rights to use and otherwise

exploit all Customer Modifications. The term of each license to

the Solution purchased by Customer will commence on the date that

Customer first receives access to the Solution and will continue

for the period set forth on the Purchase Order. Upon expiration,

the license term will automatically renew for successive terms of

one (1) year each at the then current fees unless either party

provides written notice of non-renewal at least thirty (30) days

prior to the end of the then current term. The license term for

subsequently purchased licenses will be pro-rated so that all

pre-existing and newly acquired licenses are coterminous.

2.2 License Restrictions

Except as otherwise expressly permitted under this Agreement,

Customer agrees not to: (a) reverse engineer or otherwise attempt

to discover the source code of or trade secrets embodied in the

Solution or any portion thereof; (b) distribute, transfer, grant

sublicenses to, or otherwise make available the Solution or

Customer Modifications (or any portion thereof) to third parties,

including, but not limited to, making such Solution or Customer

Modifications available (i) through resellers or other

distributors, or (ii) as an application service provider, service

bureau, or rental source; (c) embed or incorporate in any manner

the Solution or Customer Modifications (or any element thereof)

into other applications of Customer or third parties; (d) create

modifications to or derivative works of the Solution; (e)

reproduce the Solution except that Customer may make up to two

archival copies of the Solution solely for backup purposes; (f)

attempt or permit any third party to attempt to modify, alter, or

circumvent the license control and protection mechanisms within

the Solution; (g) use or transmit the Solution in violation of any

applicable law, rule or regulation, including any export/import

laws, (h) in any way access, use, or copy any portion of the

Solution code (including the logic and/or architecture thereof and

any trade secrets included therein) to directly or indirectly

develop, promote, distribute, sell or support any product or

service that is competitive with the Solution or (i) remove,

obscure or alter any copyright notices or any name, trademark,

service mark, hyperlink or other designation of Coova displayed on

any display screen within the Solution ("Coova Marks").

Customer shall not permit any third party to perform any of the

foregoing actions and shall be responsible for all damages and

liabilities incurred as a result of such actions. The Solution is

a "commercial item," as that term is defined at 48 C.F.R. 2.101

(OCT 1995), and more specifically is "commercial computer

software" and "commercial computer software documentation," as

such terms are used in 48 C.F.R. 12.212 (SEPT 1995). Consistent

with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4

(JUNE 1995), the Solution is provided to U.S. Government End Users

(i) only as a commercial end item and (ii) with only those rights

as are granted to all other end users pursuant to the terms and

conditions herein.

2.3 License Implementation Types

Except with respect to the Modules, which shall be licensed

pursuant to the specific terms related to such Module set forth on

the relevant Purchase Order, such Purchase Order will designate

which of the following Solution license implementation types the

Customer will receive: (a) Single Network: Customer may use the

solution for a single network, using a single RADIUS shared

secret, and on a single production server; and (b) Service

Provider License: Under this licensing scheme, Customer may use

solution with unlimited RADIUS shared secrets on the number of

production servers as specified in the Purchase Order.

2.4 Bankruptcy

All licenses granted pursuant to this Agreement are, for purposes

of Section 365(n) of the U.S. Bankruptcy Code, deemed to be

licenses of rights to "intellectual property" as defined under

Section 101 of the U.S. Bankruptcy Code. In any bankruptcy or

insolvency proceeding involving Coova, Customer, as licensee of

such rights, will retain and fully exercise all of its rights and

elections under the U.S. Bankruptcy Code, which will apply

notwithstanding conflict of law principles.

3.0 Support and Maintenance

Solution support and maintenance services ("Support Services") may

be ordered at the "Standard" or "Premium" level. Pricing for such

Support Services will be set forth on the Purchase Order; provided,

however, that Standard Support Services shall be provided in

connection with each subscription license for no additional cost.

The terms of Standard and Premium Support Services can be found on

Coova's website along with additional support-related terms which

are incorporated herein by reference.

4.0 Professional Services

If indicated in an Order Form, Coova will perform Professional

Services. The particulars of each Professional Services engagement

will be as set forth in one or more statements of work (each an

"SOW") entered into by the parties. Customer will provide all

assistance reasonably requested by Coova in connection with the

Professional Services. Coova will retain all right, title and

interest in and to all deliverables (including any and all

intellectual property rights therein) provided under each SOW

("Deliverables") except to the extent that they contain any

information that Customer can document is its proprietary and

confidential information. Customer's rights to the Deliverables

shall be the same as Customer's rights to the Solution.

5.0 Publicity

During the Term of this Agreement, Customer hereby agrees that Coova

shall have the right, but not the obligation, to include Customer's

name and logo as a customer who uses the Solution on the Coova

website and in other materials promoting the Solution.

6.0 Proprietary Rights

As between the parties, Coova will retain all ownership rights in

and to the Coova Marks, the Solution (including any optional

functionality), the Documentation, Deliverables, all updates and

upgrades provided as part of Support Services and other derivative

works of the Solution and/or Documentation that are provided by

Coova, and all intellectual property rights incorporated into or

related to the foregoing. Customer acknowledges that the goodwill

associated with the Coova Marks belongs exclusively to Coova and,

upon request, Customer will modify or cease its use of any Coova

Marks. All rights not expressly licensed by Coova under this

Agreement are reserved.

7.0 Warranties and Disclaimer

7.1 Warranties

Each of the parties represents and warrants that it has all

necessary corporate power and authority to enter into and perform

its obligations under this Agreement. To Coova's knowledge, the

use by Customer of the Solution (exclusive of any third party or

open source materials included therein) when and as provided under

this Agreement does not misappropriate or infringe any

U.S. copyrights or U.S. trade secrets of any third party.

7.2 Disclaimer

The express warranties in Section 7.1 are the exclusive warranties

offered by Coova and all other conditions and warranties,

including, without limitation, any conditions or warranties of

fitness for a particular purpose, non-infringement, accuracy,

quiet enjoyment, title, merchantability and those that arise from

any course of dealing or course of performance are hereby

disclaimed. Coova does not warrant that Customer's use of the

Solution will be uninterrupted or error-free, that errors will be

corrected or that it will be free of viruses or other harmful

components. The Solution (including all components thereof), the

Support Services, the Professional Services and all Deliverables

are provided "as is" and without warranty of any kind.

8.0 Indemnification

Each party will indemnify, defend, and hold the other harmless from

and against any and all liabilities, damages, losses, claims, costs,

and expenses (including attorneys' fees) arising out of or resulting

from any violation of such party's representations and warranties

set forth in Section 7.1 above. In the event of any third party

action, suit, proceeding or investigation for which indemnification

is sought (the "Proceeding"), the other party shall promptly notify

the indemnifying party, provided that any failure to so notify the

indemnifying party will not relieve the indemnifying party from any

liability or obligation which it may have to any indemnified person

except to the extent of any material prejudice to the indemnifying

party resulting from such failure. If any such Proceeding is

brought against an indemnified person, the indemnifying party will

be entitled to assume and control the defense thereof. Each

indemnified person will be obligated to cooperate reasonably with

the indemnifying party, at the expense of the indemnifying party, in

connection with such defense and the compromise or settlement of any

such Proceeding. The foregoing indemnification shall not apply to

the extent that any action by the indemnified party gives rise to or

otherwise enhances any such claim.

9.0 Limitations on Liability

To the extent permitted by law, in no event shall Coova be liable to

Customer, users or to any third party in connection with this

Agreement, including the Solution, Support Services and intellectual

property provided hereunder, whether under theory of contract, tort

or otherwise, for (a) any indirect, incidental, punitive,

consequential, or special damages (including any damage to business

reputation, lost profits or lost data), whether foreseeable or not

and whether Coova is advised of the possibility of such damages or

(b) any amounts in excess of the total of the Fees actually paid and

the fees payable to Coova by Customer under this Agreement during

the one (1) year period prior to the date that such liability first

arises.

10.0 Confidentiality

The Solution and all trade secret information incorporated therein

or derived, directly or indirectly, therefrom are confidential

information of Coova. Customer shall keep in confidence and trust

and not disclose or disseminate, or permit any employee, agent or

other party working under Customer's direction to disclose or

disseminate, the substance of any such confidential information of

Coova. The commitments in this Agreement will not impose any

obligations on Customer with respect to any portion of the received

information which, as evidenced by independent documentation: (a) is

now generally known or available or which hereafter, through no act

or failure to act on Customer's part, becomes generally known or

available; or (b) is rightfully known to Customer at the time of

receiving such information. Customer acknowledges that monetary

damages may not be a sufficient remedy for unauthorized disclosure

or use of Coova's confidential information and that Coova may seek,

without waiving any other rights or remedies, such injunctive or

equitable relief as may be deemed proper by a court of competent

jurisdiction.

11.0 Term, Termination and Effect

This Agreement shall continue in effect until terminated as set

forth herein. The applicable license term for each license

purchased will be as set forth in the applicable Purchase Order.

This Agreement may be terminated by either party if the other

party materially breaches this Agreement and does not cure the

breach within thirty (30) days after receiving written notice

thereof from the non-breaching party (except that such cure period

shall be five (5) days for breaches of Sections 2 or 12).

Additionally, a particular Purchase Order may be terminated by Coova

in the event that Customer fails to pay applicable fees when due.

Upon any termination of this Agreement, without prejudice to any

other rights or remedies which the parties may have, (a) all rights

licensed and obligations required hereunder shall immediately cease;

provided that Sections 2.2, 6.0, 8.0 through 11.0 and 14.0 shall

survive termination, (b) Customer will promptly delete and destroy

all instances of the Solution in its possession or control (if any),

and (c) Customer shall pay to Coova any outstanding fees that have

accrued prior to the date of termination.

12.0 Fees and Payment

Subject to the terms and conditions below, all fees for the Solution

licenses, Professional Services and/or Support Services will be set

forth on the applicable Purchase Order. Unless otherwise agreed to

in writing by the parties, Customer will pay all undisputed fees

owed within thirty (30) days after Coova's issuance of an invoice

pertaining thereto. Payments will be sent to the address included

on the invoice. All amounts payable shall be in the currency of the

United States and specifically exclude (and Customer is responsible

for) any and all applicable sales, use and other taxes, (other than

taxes based on Coova's income). Each party is responsible for its

own expenses under this Agreement.

13.0 Audit

Not more than once each year, Coova will have the right to perform

an audit to verify that Customer is using the Solution in compliance

with this Agreement. That audit will be performed during normal

business hours upon not less than fifteen (15) days prior written

notice to Customer. That audit will be conducted at Coova's sole

cost and expense and will be subject to reasonable security and

access restrictions. Customer will be permitted to have Customer

personnel present during the audit. If an audit conducted under

this Section discloses that Customer has underpaid by more than five

percent (5%) any license Fees payable under this Agreement during

the period covered by the audit, Customer will pay Coova the amount

of that underpayment and, in addition, will reimburse Coova's

reasonable and actual costs for that audit.

14.0 Miscellaneous

The parties are independent contractors with respect to each other,

and nothing in this Agreement shall be construed as creating an

employer-employee relationship, a partnership, agency relationship

or a joint venture between the parties. Each party will be

excused from any delay or failure in performance hereunder, other

than the payment of money, caused by reason of any occurrence or

contingency beyond its reasonable control, including but not limited

to acts of God, earthquake, labor disputes and strikes, riots, war

and governmental requirements. The obligations and rights of the

party so excused will be extended on a day-to-day basis for the

period of time equal to that of the underlying cause of the delay.

This Agreement controls the actions of all party representatives,

officers, agents, employees and associated individuals. The

terms of this Agreement shall be binding on the parties, and all

successors to the foregoing. Customer will not assign, transfer or

delegate its rights or obligations under this Agreement (in whole or

in part) without Coova's prior written consent. Any attempted

assignment, transfer or delegation in violation of the foregoing

shall be null and void. All modifications to or waivers of any

terms of this Agreement must be in a writing that is signed by the

parties hereto and expressly references this Agreement. This

Agreement shall be governed by the laws of the State of Oregon,

without regard to Oregon conflict of laws rules. The exclusive

venue and jurisdiction for any and all disputes, claims and

controversies arising from or relating to this Agreement shall be

the state or federal courts located in Multnomah County, Oregon.

Each party waives any objection (on the grounds of lack of

jurisdiction, forum non conveniens or otherwise) to the exercise of

such jurisdiction over it by any such courts. The United Nations

Convention on Contracts for the International Sale of Goods will not

apply to the interpretation or enforcement of this Agreement. In

the event that any provision of this Agreement conflicts with

governing law or if any provision is held to be null, void or

otherwise ineffective or invalid by a court of competent

jurisdiction, (a) such provision shall be deemed to be restated to

reflect as nearly as possible the original intentions of the parties

in accordance with applicable law, and (b) the remaining terms,

provisions, covenants and restrictions of this Agreement shall

remain in full force and effect. No waiver of any breach of any

provision of this Agreement shall constitute a waiver of any prior,

concurrent or subsequent breach of the same or any other provisions

hereof, and no waiver shall be effective unless made in writing and

signed by an authorized representative of the waiving party. This

Agreement includes any applicable Purchase Orders. Collectively the

foregoing constitutes the entire agreement between the parties with

respect to the subject matter hereof and supersedes all prior and

contemporaneous agreements or communications, including, without

limitation, any quotations or proposals submitted by Coova. The

terms on any purchase order or similar document submitted by

Customer to Coova will have no effect and are hereby rejected. All

notices, consents and approvals under this Agreement must be

delivered in writing by courier, by facsimile, or by certified or

registered mail, (postage prepaid and return receipt requested) to

the other party at its main corporate headquarters and sent to the

attention of such party's Chief Executive Officer.

11.2 Third Party Licenses

Apache License 2.0

Apache License

Version 2.0, January 2004

http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction,

and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by

the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all

other entities that control, are controlled by, or are under common

control with that entity. For the purposes of this definition,

"control" means (i) the power, direct or indirect, to cause the

direction or management of such entity, whether by contract or

otherwise, or (ii) ownership of fifty percent (50%) or more of the

outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity

exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications,

including but not limited to software source code, documentation

source, and configuration files.

"Object" form shall mean any form resulting from mechanical

transformation or translation of a Source form, including but

not limited to compiled object code, generated documentation,

and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or

Object form, made available under the License, as indicated by a

copyright notice that is included in or attached to the work

(an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object

form, that is based on (or derived from) the Work and for which the

editorial revisions, annotations, elaborations, or other modifications

represent, as a whole, an original work of authorship. For the purposes

of this License, Derivative Works shall not include works that remain

separable from, or merely link (or bind by name) to the interfaces of,

the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including

the original version of the Work and any modifications or additions

to that Work or Derivative Works thereof, that is intentionally

submitted to Licensor for inclusion in the Work by the copyright owner

or by an individual or Legal Entity authorized to submit on behalf of

the copyright owner. For the purposes of this definition, "submitted"

means any form of electronic, verbal, or written communication sent

to the Licensor or its representatives, including but not limited to

communication on electronic mailing lists, source code control systems,

and issue tracking systems that are managed by, or on behalf of, the

Licensor for the purpose of discussing and improving the Work, but

excluding communication that is conspicuously marked or otherwise

designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity

on behalf of whom a Contribution has been received by Licensor and

subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of

this License, each Contributor hereby grants to You a perpetual,

worldwide, non-exclusive, no-charge, royalty-free, irrevocable

copyright license to reproduce, prepare Derivative Works of,

publicly display, publicly perform, sublicense, and distribute the

Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of

this License, each Contributor hereby grants to You a perpetual,

worldwide, non-exclusive, no-charge, royalty-free, irrevocable

(except as stated in this section) patent license to make, have made,

use, offer to sell, sell, import, and otherwise transfer the Work,

where such license applies only to those patent claims licensable

by such Contributor that are necessarily infringed by their

Contribution(s) alone or by combination of their Contribution(s)

with the Work to which such Contribution(s) was submitted. If You

institute patent litigation against any entity (including a

cross-claim or counterclaim in a lawsuit) alleging that the Work

or a Contribution incorporated within the Work constitutes direct

or contributory patent infringement, then any patent licenses

granted to You under this License for that Work shall terminate

as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the

Work or Derivative Works thereof in any medium, with or without

modifications, and in Source or Object form, provided that You

meet the following conditions:

(a) You must give any other recipients of the Work or

Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices

stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works

that You distribute, all copyright, patent, trademark, and

attribution notices from the Source form of the Work,

excluding those notices that do not pertain to any part of

the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its

distribution, then any Derivative Works that You distribute must

include a readable copy of the attribution notices contained

within such NOTICE file, excluding those notices that do not

pertain to any part of the Derivative Works, in at least one

of the following places: within a NOTICE text file distributed

as part of the Derivative Works; within the Source form or

documentation, if provided along with the Derivative Works; or,

within a display generated by the Derivative Works, if and

wherever such third-party notices normally appear. The contents

of the NOTICE file are for informational purposes only and

do not modify the License. You may add Your own attribution

notices within Derivative Works that You distribute, alongside

or as an addendum to the NOTICE text from the Work, provided

that such additional attribution notices cannot be construed

as modifying the License.

You may add Your own copyright statement to Your modifications and

may provide additional or different license terms and conditions

for use, reproduction, or distribution of Your modifications, or

for any such Derivative Works as a whole, provided Your use,

reproduction, and distribution of the Work otherwise complies with

the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,

any Contribution intentionally submitted for inclusion in the Work

by You to the Licensor shall be under the terms and conditions of

this License, without any additional terms or conditions.

Notwithstanding the above, nothing herein shall supersede or modify

the terms of any separate license agreement you may have executed

with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade

names, trademarks, service marks, or product names of the Licensor,

except as required for reasonable and customary use in describing the

origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or

agreed to in writing, Licensor provides the Work (and each

Contributor provides its Contributions) on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or

implied, including, without limitation, any warranties or conditions

of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A

PARTICULAR PURPOSE. You are solely responsible for determining the

appropriateness of using or redistributing the Work and assume any

risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,

whether in tort (including negligence), contract, or otherwise,

unless required by applicable law (such as deliberate and grossly

negligent acts) or agreed to in writing, shall any Contributor be

liable to You for damages, including any direct, indirect, special,

incidental, or consequential damages of any character arising as a

result of this License or out of the use or inability to use the

Work (including but not limited to damages for loss of goodwill,

work stoppage, computer failure or malfunction, or any and all

other commercial damages or losses), even if such Contributor

has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing

the Work or Derivative Works thereof, You may choose to offer,

and charge a fee for, acceptance of support, warranty, indemnity,

or other liability obligations and/or rights consistent with this

License. However, in accepting such obligations, You may act only

on Your own behalf and on Your sole responsibility, not on behalf

of any other Contributor, and only if You agree to indemnify,

defend, and hold each Contributor harmless for any liability

incurred by, or claims asserted against, such Contributor by reason

of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following

boilerplate notice, with the fields enclosed by brackets "[]"

replaced with your own identifying information. (Don’t include

the brackets!) The text should be enclosed in the appropriate

comment syntax for the file format. We also recommend that a

file or class name and description of purpose be included on the

same "printed page" as the copyright notice for easier

identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

BSD License

The BSD License

The following is a BSD license template. To generate your own

license, change the values of OWNER, ORGANIZATION and YEAR from

their original values as given here, and substitute your

own. Also, you may optionally omit clause 3 and still be OSD

conformant.

Note: On January 9th, 2008 the OSI Board approved the "Simplified

BSD License" variant used by FreeBSD and others, which omits the

final "no-endorsement" clause and is thus roughly equivalent to

the MIT License.

Historical Note: The original license used on BSD Unix had four

clauses. The advertising clause (the third of four clauses)

required you to acknowledge use of U.C. Berkeley code in your

advertising of any product using that code. It was officially

rescinded by the Director of the Office of Technology Licensing of

the University of California on July 22nd, 1999. He states that

clause 3 is "hereby deleted in its entirety." The four clause

license has not been approved by OSI. The license below does not

contain the advertising clause.

This prelude is not part of the license.

<OWNER> = Regents of the University of California

<ORGANIZATION> = University of California, Berkeley

<YEAR> = 1998

In the original BSD license, both occurrences of the phrase "COPYRIGHT

HOLDERS AND CONTRIBUTORS" in the disclaimer read "REGENTS AND

CONTRIBUTORS".

Here is the license template:

Copyright (c) <YEAR>, <OWNER>

All rights reserved.

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following

disclaimer in the documentation and/or other materials provided

with the distribution.

* Neither the name of the <ORGANIZATION> nor the names of its

contributors may be used to endorse or promote products derived

from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

MIT License

The MIT License

Copyright (c) <year> <copyright holders>

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in

all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

THE SOFTWARE.

HSQLDB License

COPYRIGHTS AND LICENSES (based on BSD License)

For work developed by the HSQL Development Group:

Copyright (c) 2001-2010, The HSQL Development Group All rights

reserved.

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

Redistributions of source code must retain the above copyright notice,

this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright

notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

Neither the name of the HSQL Development Group nor the names of its

contributors may be used to endorse or promote products derived from

this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HSQL

DEVELOPMENT GROUP, HSQLDB.ORG, OR CONTRIBUTORS BE LIABLE FOR ANY

DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE

GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER

IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR

OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF

ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

For work originally developed by the Hypersonic SQL Group:

Copyright (c) 1995-2000 by the Hypersonic SQL Group.

All rights reserved.

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

Redistributions of source code must retain the above copyright notice,

this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright

notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

Neither the name of the Hypersonic SQL Group nor the names of its

contributors may be used to endorse or promote products derived from

this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC

SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,

INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,

BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS

OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR

TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

This software consists of voluntary contributions made by many

individuals on behalf of the Hypersonic SQL Group.

SLF4J License

Copyright (c) 2004-2008 QOS.ch All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining

a copy of this software and associated documentation files (the

"Software"), to deal in the Software without restriction, including

without limitation the rights to use, copy, modify, merge, publish,

distribute, sublicense, and/or sell copies of the Software, and to

permit persons to whom the Software is furnished to do so, subject to

the following conditions: The above copyright notice and this

permission notice shall be included in all copies or substantial

portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE

LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION

OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION

WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

11.3 Third Party Notices
