From: Freddie Cash <fjwcash@gmail.com>
Date: Sun, 7 Jan 2018 08:58:41 -0800
Subject: Fwd: Re: Quasi-enterprise WiFi network
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Dammit, forgot to include the list again. Resending.

---------- Forwarded message ----------
From: fjwcash@gmail.com
Date: Jan 7, 2018 8:58 AM
Subject: Re: Quasi-enterprise WiFi network
To: Victor Sudakov

On Jan 7, 2018 6:31 AM, "Victor Sudakov" wrote:

> Colleagues,
>
> I'm trying to set up a quasi-enterprise WiFi network for mobile devices. This will be a solution for a public library with the only requirement that guest users should get personal credentials for WiFi access from a librarian (not a shared PSK for everyone).
>
> The library has a FreeBSD router with FreeRADIUS3, and several TP-Link APs which support "Enterprise WiFi" and can be RADIUS clients.
>
> The point is I don't want to require customers to install X.509 certificates on their mobile devices; the network setup should be simple and transparent for the customer. I don't care if some Evil Hacker impersonates my quasi-enterprise network and collects all the passwords, so I really need no certificates to authenticate the network to customers.
>
> The only condition is that each customer has a personal login/password which expires daily (any RADIUS server can expire accounts, I'm sure FreeRADIUS is no exception).
>
> I would also consider a variant with FreeBSD+hostapd as AP (instead of the TP-Link routers) if it's more feasible.
>
> Could you please point me in the right direction? Maybe I'm totally wrong and I should use a different approach altogether?

You don't *need* RADIUS for this, although it may make some things easier in some setups.

All you need is a separate VLAN for the "guest" wireless clients to connect to, set the default gateway for that VLAN to the FreeBSD machine, and use firewall rules to redirect all "new" devices to a local Apache setup (new meaning you don't know the MAC address).

In Apache, you use mod_rewrite rules to change the requested URL to a local webpage where you display your rules and whatnot, along with the login page. Write this in PHP or Ruby or Python or whatever your preferred web scripting language is, connecting to whatever authentication database you want to use.

Upon successful login, add the MAC address to the firewall rules (tables work well for this) to allow internet traffic. At midnight, empty that table.

That's the setup we use at work (although with Linux on the wireless firewalls, using iptables and ipset) to provide wireless access to guests in the schools.

With this, you can even create an encrypted wireless setup, and just provide the PSK to the patrons on the same card as you provide their login info.

The mod_rewrite rules are the magic that provide the captive portal detection for mobile devices so that the login page appears automatically as soon as they connect to the wireless network. I can provide those tomorrow if you want, as I can't access them from home.

Cheers,
Freddie
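The captive-portal flow described in the reply above, as an added worked example that is not part of the original thread and is not Freddie's or the FreeBSD project's code. It covers the three pieces the mail leaves to the reader: credentials that expire at local midnight, an "authorized clients" firewall table that gets emptied at midnight, and request handling that turns a phone's connectivity probe into the login page. Everything named here is an assumption for illustration: the pf table name `<authorized>`, the portal hostname `portal.library.lan`, the pf.conf lines in the docstring, and the list of probe hosts. One caveat worth knowing before copying the mail's design to FreeBSD: pf tables hold IP addresses, not MAC addresses, so on a pf gateway the table is keyed on the client IP (bound to the device's MAC by its DHCP lease); the MAC-keyed ipset approach in the mail is Linux-specific.

```python
"""Core of a captive portal for a guest VLAN behind a FreeBSD/pf gateway.

Added example, not mailing-list or FreeBSD code. Assumes a pf table named
<authorized> (hypothetical) used in pf.conf along these lines:

    table <authorized> persist
    pass in quick on $guest_if from <authorized> to any
    rdr pass on $guest_if proto tcp from ! <authorized> to any port 80 -> 127.0.0.1 port 8080

Unauthorised clients' HTTP traffic is redirected to this portal; once their IP
is in the table, pf passes them straight through.
"""
import datetime as dt
import hashlib
import hmac
import secrets
import subprocess
from urllib.parse import quote, urlsplit

PORTAL_HOST = "portal.library.lan"  # hypothetical portal vhost
LOGIN_URL = f"http://{PORTAL_HOST}/login"
WELCOME_URL = f"http://{PORTAL_HOST}/welcome"
# Hosts that iOS, Android, Windows and Firefox fetch to detect a captive portal
# (well-known probe hosts, listed here as an assumption; extend as needed).
PROBE_HOSTS = {"captive.apple.com", "connectivitycheck.gstatic.com",
               "www.msftconnecttest.com", "detectportal.firefox.com"}


def next_midnight(now):
    return dt.datetime.combine(now.date() + dt.timedelta(days=1), dt.time.min)


class Credentials:
    """Login/password pairs handed out by the librarian, valid until midnight."""

    def __init__(self):
        self._store = {}  # user -> (salt, pbkdf2 digest, expiry)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, user, now):
        # Random password to print on the patron's card; only a salted hash is kept.
        password = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        self._store[user] = (salt, self._digest(password, salt), next_midnight(now))
        return password

    def check(self, user, password, now):
        rec = self._store.get(user)
        if rec is None:
            return False
        salt, digest, expiry = rec
        if now >= expiry:
            return False
        return hmac.compare_digest(self._digest(password, salt), digest)

    def purge_expired(self, now):  # run from cron at 00:00 with AuthorizedTable.flush()
        self._store = {u: r for u, r in self._store.items() if r[2] > now}


class AuthorizedTable:
    """Mirror of the pf table; dry_run=True returns the pfctl argv instead of running it."""

    def __init__(self, name="authorized", dry_run=False):
        self.name, self.dry_run, self.members = name, dry_run, set()

    def _pfctl(self, *args):
        argv = ["pfctl", "-t", self.name, "-T", *args]
        if not self.dry_run:
            subprocess.run(argv, check=True)
        return argv

    def add(self, ip):
        self.members.add(ip)
        return self._pfctl("add", ip)

    def flush(self):
        self.members.clear()
        return self._pfctl("flush")


def safe_next(url):
    # 'next' comes back from the browser: allow only plain http(s) URLs so the
    # portal cannot be used for javascript:/data: or open-redirect tricks.
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else WELCOME_URL


def handle_request(host, path):
    """Response (status, headers, body) for a request pf redirected to the portal."""
    if host == PORTAL_HOST:
        return 200, {}, "login page"
    # Any other Host is an unauthorised client. Answering an OS probe with a
    # redirect instead of its expected body is what makes the device show the
    # login sheet; after login, send probe-originated sessions to the welcome
    # page rather than back to the probe URL, which is not worth viewing.
    target = WELCOME_URL if host in PROBE_HOSTS else f"http://{host}{path}"
    return 302, {"Location": f"{LOGIN_URL}?next={quote(target, safe='')}"}, ""


def login(table, creds, client_ip, user, password, next_url, now):
    """Form handler: on success, open the firewall for client_ip and redirect."""
    if not creds.check(user, password, now):
        return 403, {}, "bad or expired credentials"
    table.add(client_ip)
    return 302, {"Location": safe_next(next_url)}, ""


def demo():
    """One day in the life: issue a card, fail a login, succeed, expire, flush."""
    now = dt.datetime(2018, 1, 7, 14, 0)
    creds, table = Credentials(), AuthorizedTable(dry_run=True)
    pw = creds.issue("patron42", now)
    probe = handle_request("captive.apple.com", "/hotspot-detect.html")
    bad = login(table, creds, "10.20.0.55", "patron42", "wrong", WELCOME_URL, now)
    good = login(table, creds, "10.20.0.55", "patron42", pw, "javascript:alert(1)", now)
    authorized = "10.20.0.55" in table.members
    after_midnight = creds.check("patron42", pw, now + dt.timedelta(hours=10))
    return probe[0], bad[0], good, authorized, after_midnight, table.flush()


if __name__ == "__main__":
    print(demo())
```

Run it on the gateway with `dry_run=False` and the table name from your pf.conf, hook `login()` behind the portal's form handler, and schedule `AuthorizedTable.flush()` plus `Credentials.purge_expired()` from cron at 00:00. The credentials are printed on the card in the clear anyway, but they are still stored only as salted PBKDF2 digests and compared in constant time, so a leaked portal database does not hand out the day's passwords.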