Date: Sun, 7 Jan 2018 10:53:41 -0800 From: Freddie Cash <fjwcash@gmail.com> To: galtsev@kicp.uchicago.edu Cc: Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-net <freebsd-net@freebsd.org> Subject: Re: Fwd: Re: Quasi-enterprise WiFi network Message-ID: <CAOjFWZ5j%2BixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com> In-Reply-To: <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> References: <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Jan 7, 2018 10:40 AM, "Valeri Galtsev" <galtsev@kicp.uchicago.edu> wrote: On Sun, January 7, 2018 12:04 pm, Victor Sudakov wrote: > Freddie Cash wrote: >> > >> > I'm trying to setup a quasi-enterprise WiFi network for mobile >> > devices. This will be a solution for a public library with the only >> > requirement that guest users should get personal credentials for WiFi >> > access from a librarian (not a shared PSK for everyone). > >> >> You don't *need* RADIUS for this, although it may make some things >> easier >> in some setups. >> >> All you need is a separate vlan for the "guest" wireless clients to >> connect >> to, at the default gateway for that vlan to the FreeBSD machine, and use >> firewall rules to redirect all "new" devices to a local Apache setup >> (new >> meaning you don't know the MAC address). >> >> In Apache, you use mod_rewrite rules to change the requested URL to a >> local >> webpage where you display your rules and whatnot, along with the login One trouble I expect here is: if the client goes to https destination, it will complain about your local apache certificate, as the client expects next packet (SSL negotiation) to come from host it was going originally to. I've seen quite a few of similar things. "Home brew" words come to my mind, no offense intended. Even older or two WiFi setups central IT folks at big university I work for did this setup that brakes when client goes to SSL-ed URL. Next, what if client does not use web browser at all, and just attempts to ssh to external host... Of course, your mod_rewrite rules, Freddie, may help. That was an issue with our original setup that only used firewall redirect rules, without the mod_rewrite stuff. It only worked if we walked people through visiting a non-encrypted website, in order to bring up our login page. As more and more sites started defaulting to HTTPS, it became cumbersome. All mobile devices, including Windows/MacOS devices, include captive portal detection these days, where they attempt to connect to a specific set of HTTP sites after connecting to a network. The mod_rewrite rules intercept only these requests, and redirect them to the login page. The original process was: - connect to wireless network - enter wireless key - open browser and access website - get redirected to login page - login With the mod_rewrite rules, the process is just: - connect to wireless network - enter wireless key - login page appears automatically - login Cheers, Freddie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOjFWZ5j%2BixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg>