Because SOWN offers access to the University Network, we require a mechanism for authenticating our users.
After reviewing the options, it was decided to build our own portal in-house.
- Each node needs to run the latest version of dhcp3-server, which supports event statements that call an external script when a client obtains a lease.
How it works
On connect, the following things happen:
On the Node
- Any existing firewall rules for that IP/MAC address are removed, in case they did not expire or were otherwise left behind.
- The node then looks up that MAC address in its local clients.list file, which holds each known client's MAC address and group memberships.
- If there is no match, the client can only reach the three main SOWN servers directly, plus the captive portal page to which it is redirected.
- If the client's MAC address matches, the node updates iptables to allow that client whatever its groups grant (internet access, SOWN access, and so on).
- Each node has a set of rules associated with it, which can be changed at auth.sown.org.uk
- Each SOWN-home node can authenticate known users without redirecting them to log in if the node loses its connection to auth.sown.org.uk. Adding a new home user, however, requires a connection to auth.sown.org.uk.
auth.sown.org.uk manages every node, but each node can operate from its cached clients.list if auth.sown.org.uk is unreachable. At present the nodes do not run an HTTP server of their own.
The design is as follows:
- Once a client is authorised, its MAC address and group membership are added to the node's clients.list file.
- auth.sown.org.uk then tells the node to run the authorising script.
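The node-side steps above (remove stale rules, look the MAC up in clients.list, then either restrict the client to the SOWN servers and the portal redirect or grant its groups' access) as one authorising script. This is an added example, not SOWN's own script: the chain name SOWN_CLIENTS, the path /etc/sown/clients.list and its "<mac> <group,group>" line format, the group names "internet" and "sown", and the 192.0.2.x server and portal addresses are all placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not SOWN's own code): node-side authorising script for the steps above.
# Called with the client's IP and MAC, e.g. from a dhcpd lease hook or by auth.sown.org.uk.
# Every configurable value below is an assumption; set IPTABLES=echo to dry-run.
#
# One-time setup assumed on the node (the chain exists in both the filter and nat tables):
#   iptables -N SOWN_CLIENTS;        iptables -A FORWARD    -j SOWN_CLIENTS
#   iptables -t nat -N SOWN_CLIENTS; iptables -t nat -A PREROUTING -j SOWN_CLIENTS

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-SOWN_CLIENTS}"
CLIENTS_LIST="${CLIENTS_LIST:-/etc/sown/clients.list}"       # assumed path
SOWN_SERVERS="${SOWN_SERVERS:-192.0.2.1 192.0.2.2 192.0.2.3}" # placeholders for the 3 SOWN servers
SOWN_NET="${SOWN_NET:-192.0.2.0/24}"                          # placeholder SOWN address range
# Portal host (placeholder). It must be one of SOWN_SERVERS or the node itself,
# otherwise the redirected HTTP traffic is dropped by the unknown-client DROP rule.
PORTAL="${PORTAL:-192.0.2.1}"

# clients.list format assumed here: "<mac> <group>[,<group>...]" per line, '#' comments.
# Prints the client's group list, or nothing if the MAC is unknown (case-insensitive).
lookup_groups() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ -r "$CLIENTS_LIST" ] || return 0
    awk -v mac="$mac" '/^#/ || NF < 2 { next } tolower($1) == mac { print $2; exit }' "$CLIENTS_LIST"
}

# Step 1: delete every rule in our chains that mentions this IP or MAC, whether or
# not a lease expiry already did. `iptables -S` prints rules as "-A CHAIN ..."; the
# same rule spec with -D deletes it. -w stops 10.0.0.5 from matching 10.0.0.50.
flush_client() {
    ip="$1"; mac="$2"
    for table in filter nat; do
        $IPTABLES -t "$table" -S "$CHAIN" 2>/dev/null \
          | grep -iw -e "$ip" -e "$mac" \
          | sed 's/^-A /-D /' \
          | while read -r rule; do
                eval "$IPTABLES -t $table $rule" || true
            done
    done
}

# Steps 2-4: every client may reach the SOWN servers directly; an unknown MAC has
# its HTTP redirected to the portal and everything else dropped; a known MAC gets
# what its groups grant. Rules match on both source IP and MAC, so a host that
# spoofs only one of the two does not inherit another client's access.
apply_client() {
    ip="$1"; mac="$2"
    m="-s $ip -m mac --mac-source $mac"   # expanded unquoted on purpose: several args
    for srv in $SOWN_SERVERS; do
        $IPTABLES -A "$CHAIN" $m -d "$srv" -j ACCEPT
    done
    grps=$(lookup_groups "$mac")
    if [ -z "$grps" ]; then
        $IPTABLES -t nat -A "$CHAIN" $m -p tcp --dport 80 -j DNAT --to-destination "$PORTAL:80"
        $IPTABLES -A "$CHAIN" $m -j DROP
        return 0
    fi
    case ",$grps," in *,sown,*)
        $IPTABLES -A "$CHAIN" $m -d "$SOWN_NET" -j ACCEPT ;;
    esac
    case ",$grps," in *,internet,*)
        $IPTABLES -A "$CHAIN" $m -j ACCEPT ;;
    esac
    $IPTABLES -A "$CHAIN" $m -j DROP   # anything no group granted
}

authorise() {
    flush_client "$1" "$2"
    apply_client "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    authorise "$1" "$2"
fi
```

Two things the script leaves to the node's other configuration: unauthenticated clients still need DNS (and the DHCP exchange itself) to reach the node, which is an INPUT-chain matter rather than a FORWARD one, or they never get as far as the redirect; and because the lookup keys on the MAC address alone, anyone who learns an authorised MAC can clone it, which is the usual weakness of MAC-based captive portals and is why the node removes a client's rules again when its lease ends.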
There are a few alternatives for open source/free captive portal software. A list of alternatives is available at http://wiki.personaltelco.net/index.cgi/PortalSoftware
Another list covers open source captive portal firmware, most if not all of it based on OpenWrt.
This is used by ISS to provide access control for the ISS wireless network. The access point is open for anyone to connect to, but nothing is reachable until you have logged in through the BlueSocket HTML login page to which you are redirected. Another name for this technology is Universal Access Method (UAM).
Two varieties: NoCat Splash and NoCat Auth
Just displays a splash screen which the user clicks through to access the internet. Written in C. No authentication is available, so it is unsuitable for this project.
Has been trialled on the Zepler node for testing; it does work, although it seems to be unstable.
Can authenticate users properly. Written in Perl.
Authenticates with a RADIUS server. Written in C.
A complete solution in one product written in C. Pretty cool, but not really what is required in this situation.