(Note: The following was written before NoCatAuth existed)

Captive portals allow you to leverage a common browser as a secure authentication device. They also have the potential to let you do everything securely via SSL and IPSec and set up per-user quality of service rules, while still maintaining an open network. If you are curious about why you might want to install a captive portal, please see WhyCaptivePortal. You can also see the beginning of our software requirements process at CaptivePortalDefinition.
Captive portals are becoming a popular way for SMS/BSN vendors to provide user authentication and IP flow management (basically traffic shaping and bandwidth control) without requiring a client application. They work by forcing unauthenticated users to a web page; once you have "captured" them this way, letting that web page interact with the router/firewall gives you complete control over their access.
- I'm in the preliminary stages of writing code and seeing how I want it to work. Currently I'm using Perl, and though I'd love to use this as an excuse to learn Python, it would slow me way down right now.
- I reference Linux because that's what I know, not because it's better/worse than your 1337 OS.
All software will be released under the [http://www.fsf.org/copyleft/gpl.html GNU General Public License].
- A new user gets physical connectivity to the wireless network (e.g. they plug in their wireless card within range of one of our antennas).
- They issue a DHCP request and are assigned an IP address (all unauthenticated IPs are firewalled so they can only talk on the local segment).
- As soon as they open their browser they are forced to a local web page (the CaptivePortal). Here they are given the chance to log in as a community user, sign up for a new account or request guest access.
- The portal authenticates them against some form of user database (LDAP, RADIUS etc.).
- On a successful authentication the portal then does the following things:
  - Updates the user database to say that they have authenticated and are good for X amount of time.
  - Grants their IP access through the firewall.
  - Sets QoS routing rules so that they are provisioned a certain amount of bandwidth (e.g. local users might get more than roaming registered users, who in turn might get more than unknown guest users).
- Once every X hours/days the portal goes through its list of all the IPs allowed through the firewall (i.e. authenticated users) and checks to make sure that they are still allowed access:
  - If they are, great, carry on.
  - If they aren't, remove their access. The next time that user wants access they will hit the portal again and have to log in.
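The authorization table and periodic sweep from the steps above, as an added example that is not code from this wiki or from NoCatAuth/WiCap. The user database, bandwidth figures and lease lengths are constructed, and the iptables/tc lines are rendered as strings the portal would run rather than executed, so the logic runs offline.

```python
import hmac

# Constructed user database: the user's class decides bandwidth and lease length.
USER_DB = {
    "alice": {"password": "s3cret", "class": "local", "enabled": True},
    "bob":   {"password": "hunter2", "class": "guest", "enabled": True},
}
# Assumed QoS provisioning: (tc class id, rate in kbit/s) per user class.
# The htb classes themselves would be created once at portal start-up.
QOS = {"local": ("1:10", 1024), "roaming": ("1:20", 512), "guest": ("1:30", 128)}
# Assumed lease lengths in seconds ("good for X amount of time").
LEASE_SECONDS = {"local": 86400, "roaming": 28800, "guest": 3600}


class Portal:
    def __init__(self, user_db):
        self.user_db = user_db
        self.grants = {}    # ip -> {"user", "class", "expires" (epoch seconds)}
        self.commands = []  # illustrative firewall/QoS commands the portal would run

    def authenticate(self, ip, user, password, now):
        """Check credentials; on success record the lease, open the firewall, set QoS."""
        rec = self.user_db.get(user)
        if rec is None or not rec["enabled"]:
            return False
        if not hmac.compare_digest(rec["password"], password):  # constant-time compare
            return False
        cls = rec["class"]
        classid, _rate = QOS[cls]
        self.grants[ip] = {"user": user, "class": cls, "expires": now + LEASE_SECONDS[cls]}
        self.commands.append(f"iptables -I FORWARD -s {ip} -j ACCEPT")
        self.commands.append(
            f"tc filter add dev eth0 protocol ip parent 1: prio 1 u32 "
            f"match ip src {ip}/32 flowid {classid}")
        return True

    def sweep(self, now):
        """Periodic pass over authenticated IPs: revoke expired leases and disabled users."""
        revoked = []
        for ip, g in list(self.grants.items()):
            rec = self.user_db.get(g["user"])
            if g["expires"] <= now or rec is None or not rec["enabled"]:
                del self.grants[ip]
                self.commands.append(f"iptables -D FORWARD -s {ip} -j ACCEPT")
                revoked.append(ip)
        return revoked
```

Because the sweep re-reads the user database as well as the lease clock, disabling an account in the central database takes effect at the next sweep without waiting for the lease to run out.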
Comments and Thoughts:
I think that this is all relatively straightforward to implement. It'll basically just be a matter of setting up the user database, and some web scripting to interact with the server to change system settings. The reason for a central user database (instead of sticking with the autonomous system model we use elsewhere) is that it makes authenticated roaming possible and also moves the user database (really the only important data that the portals will store) to a more reliable distributed model. We'll see if it's really as easy as all that ...
Why bother with this? Because I want to avoid the tragedy of the commons. If we just open up our networks, sooner or later people will start to abuse them because they didn't work to set them up and they don't know the people that did. I want this to be an open network by choice rather than because we don't have the ability to control it. The time will come when we're going to be forced to control it or the network will die from abuse.
Why do something like this instead of PPPoE, IPSec or Authenticated DHCP?
- All of those require a client app, which means it's harder for inexperienced users to get started and thus will require more support from the community. All the portal requires is a web browser.
- All of those but IPSec require clear-text logins. The portal can do everything over SSL/TLS. IPSec is a good solution, and has the additional benefit of encrypting traffic after authentication. However, I'm not sure how it will scale, and there is a shortage of good clients for Windows and Mac. Also, it is my belief that general transport security should be the client's responsibility, not the server's. The server's responsibility is to allow you to authenticate and get on with your business in a convenient and secure manner.
For examples and downloads of various Captive/Forced/Active Portal software please see the PortalSoftware page.
Additional note on potential hardware: FreeGeek has lots of old 486 boxes; I bet they would be happy to give them away by the dozen to act as routers or hubs. (Would need to be router-on-a-floppy or other tiny Linux, I suppose, as they use most of the large, working hard drives they have.) -JonGracie
Are you planning on using Radius?
I just found WiCap, a free self-described "captive portal that doesn't suck"
I haven't messed with NoCatAuth, but the authors of WiCap are describing their system as being like NoCat except easier to configure. It supports OpenBSD, and from looking at it quickly, it appears it might be the only OS it supports. That's fine with me. I love OpenBSD.
Hi, I'm trying to set up NoCatAuth on an OpenBSD PC and I have to say that it's a mess to configure! Took a look at WiCap but the manual is absolutely non-existent. I'm beginning to despair. Has anyone succeeded in setting up and running the 2 modules of NoCat on OpenBSD 3.4? [CategoryDocumentation]
bruno, if you check this: a better place to ask this question would be the General Mailing list. See http://lists.personaltelco.net/
For those looking for a Captive Portal for OpenBSD ~3.5...I got fed up and wrote one, I am calling it WiCap-PHP because it is like WiCap but is actually supported and documented...Search the list for more information. You can also email me and I will tell you all about it. [http://wiki.personaltelco.net/index.cgi/WiCap_2dPHP WiCap-PHP] has a page on this WIKI and is where all updates will be posted.