Date:      Sun, 7 Jan 2018 10:33:33 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        Victor Sudakov <vas@mpeks.tomsk.su>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID:  <CAOjFWZ4KFdTr17SxOx127vPsXC72csP%2BhMx5k_A=oZYiV%2BAsAw@mail.gmail.com>
In-Reply-To: <CAOjFWZ6vsjqCT0x9WDSPEN%2BZFcOmD6o8HY--S=Lw8m7ErEbOtw@mail.gmail.com>
References:  <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru> <CAOjFWZ4LCS2yP7-z-RtKvVrwQAE=t=JxZEanS91GShpkN%2BSgNg@mail.gmail.com> <CAOjFWZ6vsjqCT0x9WDSPEN%2BZFcOmD6o8HY--S=Lw8m7ErEbOtw@mail.gmail.com>

On Jan 7, 2018 10:04 AM, "Victor Sudakov" <vas@mpeks.tomsk.su> wrote:

Freddie Cash wrote:
> >
> > I'm trying to set up a quasi-enterprise WiFi network for mobile
> > devices. This will be a solution for a public library with the only
> > requirement that guest users should get personal credentials for WiFi
> > access from a librarian (not a shared PSK for everyone).

>
> You don't *need* RADIUS for this, although it may make some things easier
> in some setups.
>
> All you need is a separate vlan for the "guest" wireless clients to connect
> to, at the default gateway for that vlan to the FreeBSD machine, and use
> firewall rules to redirect all "new" devices to a local Apache setup (new
> meaning you don't know the MAC address).
>
> In Apache, you use mod_rewrite rules to change the requested URL to a local
> webpage where you display your rules and whatnot, along with the login

What you are suggesting is essentially a hand-made captive portal. I
would be grateful for your mod_rewrite rules, but this will be a last
resort. AFAIK there are implementations of a captive portal in
M0n0wall and pfSense. I've also seen howtos like
https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/

But if I can, I'd try a pure WiFi solution first, of course if it
exists.


Ah, ok, now I see what you mean by "quasi-enterprise WiFi". You are looking
for a way to create an encrypted wireless connection where a
username/password combo is used instead of a PSK, using something like (but
not as heavy as) 802.1x.

Can't help with that. We stayed down the 802.1x path, had a working RADIUS
setup, but balked at all the setup that would be required on the end-user
devices and abandoned it.

There may be a way to do it automatically nowadays, without requiring
client certs and 802.1x clients, but we haven't looked into it in over 5
years.

Good luck. Hopefully someone else has more insight. :D

Cheers,
Freddie


