Date:      Sun, 7 Jan 2018 08:58:41 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Fwd: Re: Quasi-enterprise WiFi network
Message-ID:  <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com>

Dammit, forgot to include the list again. Resending.
---------- Forwarded message ----------
From: fjwcash@gmail.com
Date: Jan 7, 2018 8:58 AM
Subject: Re: Quasi-enterprise WiFi network
To: Victor Sudakov <vas@mpeks.tomsk.su>
Cc:



On Jan 7, 2018 6:31 AM, "Victor Sudakov" <vas@mpeks.tomsk.su> wrote:

Colleagues,

I'm trying to set up a quasi-enterprise WiFi network for mobile
devices. This will be a solution for a public library with the only
requirement that guest users should get personal credentials for WiFi
access from a librarian (not a shared PSK for everyone).

The library has a FreeBSD router with FreeRADIUS3, and several
TP-Link APs which support "Enterprise WiFi" and can be RADIUS clients.

The point is I don't want to require customers to install X.509
certificates on their mobile devices, the network setup should be
simple and transparent for the customer. I don't care if some Evil
Hacker impersonates my quasi-enterprise network and collects all the
passwords, so I really need no certificates to authenticate the
network to customers.

The only condition is that each customer has a personal
login/password which expires daily (any RADIUS server can expire
accounts, I'm sure FreeRADIUS is no exception).

I would also consider a variant with FreeBSD+hostapd as AP (instead of
the TP-Link routers) if it's more feasible.

Could you please point me in the right direction. Maybe I'm totally
wrong and I should use a different approach altogether?


You don't *need* RADIUS for this, although it may make some things easier
in some setups.

All you need is a separate vlan for the "guest" wireless clients to connect
to, set the default gateway for that vlan to the FreeBSD machine, and use
firewall rules to redirect all "new" devices to a local Apache setup (new
meaning you don't know the MAC address).

In Apache, you use mod_rewrite rules to change the requested URL to a local
webpage where you display your rules and whatnot, along with the login
page. Write this in PHP or Ruby or Python or whatever your preferred web
scripting language is, connecting to whatever authentication database you
want to use.

Upon successful login, add the MAC address to the firewall rules (tables
work well for this) to allow internet traffic. At midnight, empty that
table.

That's the setup we use at work (although with Linux on the wireless
firewalls, using iptables and ipset) to provide wireless access to guests
in the schools.

With this, you can even create an encrypted wireless setup, and just
provide the PSK to the patrons on the same card as you provide their login
info.

The mod_rewrite rules are the magic that provide the captive portal
detection for mobile devices so that the login page appears automatically
as soon as they connect to the wireless network. I can provide those
tomorrow if you want, as I can't access them from home.

Cheers,
Freddie
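The procedure Freddie describes (guest vlan, firewall redirect of unknown clients to the portal, firewall table filled on login, flushed at midnight), written out as a pf(4) fragment plus the helper script the login page would call. This is an added example and not code from this thread or from Freddie's setup; the interface name vlan50, the subnet 10.50.0.0/24, the portal address 10.50.0.1 and the table name "authorized" are assumptions. One practical difference from the ipset version: pf tables hold addresses, not MACs, so the script opens the address the patron logged in from and records the MAC beside it for the day's log. Either way a device that takes over that address (or spoofs the MAC in a MAC-keyed list) inherits the session until the midnight flush, which is the trade-off Victor says he accepts. Because a web handler feeds the script, it validates the address before anything reaches pfctl and refuses addresses with no live ARP entry on the guest interface.

```shell
#!/bin/sh
# portal.sh: guest-vlan captive-portal helper for the FreeBSD router described above.
# Added example, not code from the thread. Hypothetical names: guest interface vlan50,
# guest subnet 10.50.0.0/24, router/portal address 10.50.0.1, pf table "authorized".
# pfctl is only executed when PORTAL_APPLY=1; otherwise the command is printed, so the
# script can be exercised on any machine.
set -f   # arp(8) lines contain '?', '(incomplete)' and '[ethernet]': never glob-expand them

GUEST_IF="${GUEST_IF:-vlan50}"
GUEST_NET="${GUEST_NET:-10.50.0.0/24}"
PORTAL_IP="${PORTAL_IP:-10.50.0.1}"
TABLE="${TABLE:-authorized}"

# pf.conf fragment (translation rule before filter rules, as pf requires): unknown guests
# get DHCP, DNS via the router, and their HTTP redirected to the portal, where mod_rewrite
# takes over; members of <authorized> get out; everything else from the guest net is dropped.
# Outbound NAT for the guest subnet is assumed to exist elsewhere in pf.conf.
pf_rules() {
cat <<EOF
table <${TABLE}> persist
rdr pass on ${GUEST_IF} inet proto tcp from ! <${TABLE}> to any port 80 -> ${PORTAL_IP} port 80
pass in quick on ${GUEST_IF} inet proto udp from any port 68 to any port 67
pass in quick on ${GUEST_IF} inet proto { tcp, udp } from ${GUEST_NET} to ${PORTAL_IP} port 53
pass in quick on ${GUEST_IF} inet from <${TABLE}> to any
block in quick on ${GUEST_IF} inet from ${GUEST_NET} to any
EOF
}

# Run pfctl only when PORTAL_APPLY=1; print the command otherwise (dry run, tests).
run() {
    if [ "${PORTAL_APPLY:-0}" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Normalise a MAC to lowercase zero-padded form ("0:1c:42:A:B:C" -> "00:1c:42:0a:0b:0c").
# Fails for anything that is not six hex octets, e.g. arp's "(incomplete)".
norm_mac() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    out=""
    for o in "$@"; do
        case "$o" in
            [0-9a-fA-F]|[0-9a-fA-F][0-9a-fA-F]) ;;
            *) return 1 ;;
        esac
        out="${out}${out:+:}$(printf '%02x' "0x$o")"
    done
    printf '%s\n' "$out"
}

# Find the MAC currently bound to a guest IP in `arp -an` output ($2, passed in so it can
# be tested offline; the real call is mac_for_ip "$ip" "$(arp -an)"). Only entries learned
# on the guest interface count, so a request from another network, or from an address
# with no live ARP entry, is refused.
mac_for_ip() {
    want=$1; arp_out=$2
    while read -r line; do
        # FreeBSD format: ? (10.50.0.23) at 3c:22:fb:12:34:56 on vlan50 expires in 1190 seconds [ethernet]
        set -- $line
        [ $# -ge 6 ] && [ "$3" = "at" ] && [ "$6" = "$GUEST_IF" ] || continue
        ip=${2#\(}; ip=${ip%\)}
        [ "$ip" = "$want" ] || continue
        norm_mac "$4" && return 0
        return 1
    done <<EOF
$arp_out
EOF
    return 1
}

# Portal login succeeded for the client at $1: open the firewall for that address and
# log which MAC held it, so the day's log can be tied to the card the librarian issued.
authorize() {
    client_ip=$1
    case "$client_ip" in
        ''|*[!0-9.]*) echo "refusing '$client_ip': not an IPv4 address" >&2; return 1 ;;
    esac
    mac=$(mac_for_ip "$client_ip" "${2:-$(arp -an)}") || {
        echo "refusing $client_ip: no live ARP entry on $GUEST_IF" >&2; return 1; }
    run pfctl -t "$TABLE" -T add "$client_ip" || return 1
    echo "login $(date '+%Y-%m-%dT%H:%M:%S') $client_ip $mac" >&2
}

# Midnight job (/etc/crontab: 0 0 * * * root /usr/local/bin/portal.sh expire):
# flushing the table makes every patron log in again with the next day's credentials.
expire_all() {
    run pfctl -t "$TABLE" -T flush
}

case "${1:-}" in
    rules)     pf_rules ;;
    authorize) authorize "$2" ;;
    expire)    expire_all ;;
esac
```

The login page (PHP, Python, whatever) checks the daily credential and then calls `sudo -n /usr/local/bin/portal.sh authorize "$REMOTE_ADDR"`, with a sudoers entry limited to exactly that command so the web process cannot reach pfctl any other way; `portal.sh rules` prints the fragment to paste into pf.conf. The mod_rewrite side that makes phones pop the login page is the part Freddie offers to send and is not reproduced here.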


