From: Freddie Cash
Date: Sun, 7 Jan 2018 10:33:33 -0800
Subject: Re: Fwd: Re: Quasi-enterprise WiFi network
To: Victor Sudakov
Cc: freebsd-net
List-Id: Networking and TCP/IP with FreeBSD
References: <20180107180422.GA46756@admin.sibptus.transneft.ru>

On Jan 7, 2018 10:04 AM, "Victor Sudakov" wrote:

> Freddie Cash wrote:
> > >
> > > I'm trying to set up a quasi-enterprise WiFi network for mobile
> > > devices. This will be a solution for a public library with the only
> > > requirement that guest users should get personal credentials for WiFi
> > > access from a librarian (not a shared PSK for everyone).
> >
> > You don't *need* RADIUS for this, although it may make some things easier
> > in some setups.
> >
> > All you need is a separate vlan for the "guest" wireless clients to connect
> > to, set the default gateway for that vlan to the FreeBSD machine, and use
> > firewall rules to redirect all "new" devices to a local Apache setup (new
> > meaning you don't know the MAC address).
> >
> > In Apache, you use mod_rewrite rules to change the requested URL to a local
> > webpage where you display your rules and whatnot, along with the login
>
> What you are suggesting is essentially a hand-made captive portal. I would
> be grateful for your mod_rewrite rules, but this will be a last resort.
>
> AFAIK there are implementations of a captive portal in M0n0wall and pfSense.
> I've also seen howtos like
> https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/
>
> But if I can, I'd try a pure WiFi solution first, of course if it exists.

Ah, ok, now I see what you mean by "quasi-enterprise WiFi". You are looking
for a way to create an encrypted wireless connection where a username/password
combo is used instead of a PSK, using something like (but not as heavy as)
802.1x.

Can't help with that. We started down the 802.1x path, had a working RADIUS
setup, but balked at all the setup that would be required on the end-user
devices and abandoned it.

There may be a way to do it automatically nowadays, without requiring client
certs and 802.1x clients, but we haven't looked into it in over 5 years.

Good luck. Hopefully someone else has more insight. :D

Cheers,
Freddie
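The vlan-plus-firewall-redirect captive portal that Freddie describes in the quoted reply, carried through to the part Victor asks about (who gets admitted, and how the firewall learns it), as an added example that is not code from either poster. It assumes ipfw on the FreeBSD gateway, a guest interface named vlan10, a portal address of 10.10.0.1, and rule numbers of my choosing; the `arp -an` lines are constructed, and the credential format (salted PBKDF2, hard expiry, bound to the first device that logs in) is my suggestion, not anything from the thread.

```python
"""Authorization core of a hand-made captive portal for the setup in the quoted
reply: a guest vlan, the FreeBSD box as its gateway, unknown MACs hijacked to a
local Apache.  Added example, not code from the thread; interface name, portal
address, ipfw rule numbers and the credential format are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass
from typing import Callable, Optional

GUEST_IF = "vlan10"      # assumed: the guest vlan interface on the FreeBSD gateway
PORTAL_IP = "10.10.0.1"  # assumed: gateway address that Apache listens on
PBKDF2_ROUNDS = 200_000

# Constructed `arp -an` output in the shape the gateway prints it; not captured data.
SAMPLE_ARP = (
    "? (10.10.0.23) at 00:11:22:33:44:55 on vlan10 expires in 1195 seconds [ethernet]\n"
    "? (10.10.0.24) at (incomplete) on vlan10 expired [ethernet]\n"
    "? (10.10.0.25) at 66:77:88:99:aa:bb on vlan10 expires in 900 seconds [ethernet]\n"
    "? (192.168.1.9) at aa:bb:cc:dd:ee:ff on em0 expires in 600 seconds [ethernet]\n"
)
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifn>\S+)")


def mac_for_ip(arp_output: str, ip: str, ifname: str) -> Optional[str]:
    """MAC of the client at `ip`, read from the gateway's own ARP cache (never from
    anything the client sends); incomplete entries and other interfaces are ignored."""
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("ip") == ip and m.group("ifn") == ifname:
            return m.group("mac")
    return None


def base_ruleset() -> list[str]:
    """One-time ipfw rules for the guest vlan (assumed numbering).  MAC matching
    needs sysctl net.link.ether.ipfw=1 and fwd needs IPFIREWALL_FORWARD; check the
    rule ordering on the target kernel before trusting it."""
    return [
        f"ipfw add 1000 allow udp from any to any 67,68 via {GUEST_IF}",           # DHCP
        f"ipfw add 1010 allow udp from any to {PORTAL_IP} 53 in via {GUEST_IF}",  # DNS
        f"ipfw add 1020 allow tcp from any to {PORTAL_IP} 80,443 in via {GUEST_IF}",
        # 2000-2999: one allow rule per admitted device, see allow_mac_commands()
        f"ipfw add 3000 fwd {PORTAL_IP},80 tcp from any to any 80 in via {GUEST_IF}",
        f"ipfw add 3010 deny ip from any to any in via {GUEST_IF}",
    ]


def allow_mac_commands(rule_no: int, mac: str) -> list[str]:
    """Open the vlan for one device.  ipfw's 'MAC dst src': inbound frames from
    the client carry its address as source.  Only 'in' is filtered, so replies pass."""
    return [f"ipfw add {rule_no} allow ip from any to any MAC any {mac} in via {GUEST_IF}"]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    user: str
    salt: bytes
    pw_hash: bytes
    expires: float              # unix time; librarian-issued logins are short-lived
    rule_no: int                # ipfw rule number reserved for this login's device
    mac: Optional[str] = None   # bound to the first device that logs in with it


class Portal:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.creds: dict[str, Credential] = {}
        self._next_rule = 2000
        self._dummy = _hash("no-such-user", b"\0" * 16)  # same work for unknown users

    def issue(self, user: str, password: str, ttl_seconds: int) -> Credential:
        """The librarian's desk: create one personal, expiring login."""
        salt = os.urandom(16)
        cred = Credential(user, salt, _hash(password, salt),
                          self.now() + ttl_seconds, self._next_rule)
        self._next_rule += 1
        self.creds[user] = cred
        return cred

    def authorize(self, user: str, password: str, client_ip: str, arp_output: str) -> list[str]:
        """Handle a login-form post from client_ip.  Returns the ipfw commands that
        admit the posting device, or raises PermissionError with the reason."""
        cred = self.creds.get(user)
        salt = cred.salt if cred else b"\0" * 16
        expected = cred.pw_hash if cred else self._dummy
        ok = hmac.compare_digest(_hash(password, salt), expected)
        if cred is None or not ok:
            raise PermissionError("bad username or password")
        if self.now() > cred.expires:
            raise PermissionError("credential expired")
        mac = mac_for_ip(arp_output, client_ip, GUEST_IF)
        if mac is None:
            raise PermissionError("client has no ARP entry on the guest vlan")
        if cred.mac is not None and cred.mac != mac:
            raise PermissionError("credential already bound to another device")
        cred.mac = mac
        return allow_mac_commands(cred.rule_no, mac)

    def expire_commands(self) -> list[str]:
        """For cron: ipfw commands that close the vlan for every expired login."""
        return [f"ipfw delete {c.rule_no}" for c in self.creds.values()
                if c.mac is not None and self.now() > c.expires]


if __name__ == "__main__":
    portal = Portal()
    portal.issue("guest42", "correct horse", ttl_seconds=3600)
    for cmd in base_ruleset() + portal.authorize("guest42", "correct horse", "10.10.0.23", SAMPLE_ARP):
        print(cmd)
```

On the Apache side, the part Victor asked for is small: in the portal vhost, `RewriteEngine On`, `RewriteCond %{REQUEST_URI} !^/portal/` and `RewriteRule ^ http://10.10.0.1/portal/?orig=%{HTTP_HOST}%{REQUEST_URI} [R=302,L]` send every hijacked request (the `fwd` rule delivers them to port 80) to the login page, which posts to `authorize()`. Two caveats a practitioner would want here: only plain HTTP can be hijacked this way (HTTPS would fail with certificate errors, which is fine in practice because phones' captive-portal probes are plain HTTP, but serve the login form itself over HTTPS), and admitting by MAC is spoofable by anyone on the same vlan who clones an admitted address, which is exactly the gap 802.1x closes and why the logins above are short-lived and device-bound rather than permanent.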