CaptivePortal

From SOWNWiki

Because SOWN offers access to the University Network, we require a mechanism for authenticating our users.

Several solutions to this were investigated including NoCat Splash and WiFi Dog captive portal suite.

After reviewing the options, it was decided to build our own portal in-house.

Hosted on auth.sown.org.uk. access and security is handled using iptables.

• Each node needs to run the latest version of dhcp3-server which has support for event calls when users obtain a lease.

Contents 1 How it works 1.1 On the Node 1.2 auth.sown.org.uk 2 Alternatives 2.1 BlueSocket 2.2 NoCat 2.2.1 NoCat Splash 2.2.2 NoCat Auth 2.3 Chillispot 2.4 WiFi Dog

How it works

On connect, the following things happen:

On the Node

• Any rules which exist to do with that ip/mac address are removed (in case they didn't expire or somehow still exist)
• The node then looks for details of that mac address in it's local clients.list file, this contains the mac address and group memberships.
• If nothing is matched then the only thing the clients can access are the 3 main sown servers directly + the captive portal page which they are redirected to.
• If the clients mac address matches then the node will update iptables to allow that client access to the things that it has access to (internet access, SOWN access et al).

• Each node has a set of rules associated with it, which can be changed at auth.sown.org.uk

• Each [SOWN]-home node is able to authenticate users without the need to redirect them to login in the event that the node becomes disconnected from auth.sown.org.uk. To add a new home user however requires connection to auth.sown.org.uk

auth.sown.org.uk

auth.sown.org.uk manages every node, but each node can operate from a cache if it is unreachable. The nodes will not run http at this point.

The design is as follows:

• Once authorised the clients mac and group membership is added to the nodes clients.list file
• auth.sown.org.uk will then tell the node to run the authorizing script

Alternatives

There are a few alternatives for open source/free captive portal software. A list of alternatives is available at http://wiki.personaltelco.net/index.cgi/PortalSoftware

Another list of Open Source Captive Portal Firmware, most if not all based on Open-WRT.

BlueSocket

This is used by ISS to provide access control for the ISS wireless network. The access point is open for anyone to connect to, but nothing is available until you have logged in through the BlueSocket HTML login page that you are redirected to. Another alternative name for this technology is Universal Access Method (UAM).

NoCat

http://www.nocat.net

Two varieties: NoCat Splash and NoCat Auth

NoCat Splash

Just displays a splash screen which the user clicks through to access the internet. Written in C. No authentication available, therefore unsuitable for this project.

Has been trialled on Zepler node for testing, and does work although seems to be unstable.

NoCat Auth

Can authenticate users properly. Written in Perl.

Chillispot

http://www.chillispot.org

Authenticates with a RADIUS server. Written in C.

WiFi Dog

http://dev.wifidog.org

A complete solution in one product written in C. Pretty cool, but not really what is required in this situation.