From: Freddie Cash
Date: Sun, 7 Jan 2018 10:53:41 -0800
Subject: Re: Fwd: Re: Quasi-enterprise WiFi network
To: galtsev@kicp.uchicago.edu
Cc: Victor Sudakov, freebsd-net
List-Id: Networking and TCP/IP with FreeBSD

On Jan 7, 2018 10:40 AM, "Valeri Galtsev" wrote:

> On Sun, January 7, 2018 12:04 pm, Victor Sudakov wrote:
>> Freddie Cash wrote:
>>>> I'm trying to set up a quasi-enterprise WiFi network for mobile
>>>> devices. This will be a solution for a public library with the only
>>>> requirement that guest users should get personal credentials for WiFi
>>>> access from a librarian (not a shared PSK for everyone).
>>>
>>> You don't *need* RADIUS for this, although it may make some things
>>> easier in some setups.
>>>
>>> All you need is a separate vlan for the "guest" wireless clients to
>>> connect to, set the default gateway for that vlan to the FreeBSD
>>> machine, and use firewall rules to redirect all "new" devices to a
>>> local Apache setup ("new" meaning you don't know the MAC address).
>>>
>>> In Apache, you use mod_rewrite rules to change the requested URL to a
>>> local webpage where you display your rules and whatnot, along with the
>>> login
>
> One trouble I expect here is: if the client goes to an https destination,
> it will complain about your local Apache certificate, as the client
> expects the next packet (SSL negotiation) to come from the host it was
> originally going to. I've seen quite a few similar things. The words
> "home brew" come to my mind, no offense intended. Even in one or two
> older WiFi setups, central IT folks at the big university I work for did
> this setup, which breaks when the client goes to an SSL-ed URL.
>
> Next, what if the client does not use a web browser at all, and just
> attempts to ssh to an external host...
>
> Of course, your mod_rewrite rules, Freddie, may help.

That was an issue with our original setup that only used firewall redirect
rules, without the mod_rewrite stuff. It only worked if we walked people
through visiting a non-encrypted website, in order to bring up our login
page. As more and more sites started defaulting to HTTPS, it became
cumbersome.

All mobile devices, including Windows/MacOS devices, include captive portal
detection these days, where they attempt to connect to a specific set of
HTTP sites after connecting to a network. The mod_rewrite rules intercept
only these requests, and redirect them to the login page.

The original process was:

- connect to wireless network
- enter wireless key
- open browser and access website
- get redirected to login page
- login

With the mod_rewrite rules, the process is just:

- connect to wireless network
- enter wireless key
- login page appears automatically
- login

Cheers,
Freddie
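An added illustration of the mod_rewrite part of the setup described in this thread; it is a constructed example, not Freddie's configuration. It assumes the firewall on the guest vlan's gateway redirects only TCP port 80 from unknown MAC addresses to this vhost (port 443 is left alone, which is why the certificate problem Valeri describes does not apply to the probe requests), and that the portal's own pages live under /login and /portal/ on a host named portal.example.internal (both names are assumptions). The probe hostnames are the well-known captive-portal detection targets the OSes use.

```apache
# Constructed example: Apache vhost that turns captive-portal probes into a
# redirect to the local login page. Assumes pf/ipfw on the gateway rdr's port 80
# from unknown MACs here, and never port 443.
<VirtualHost *:80>
    ServerName portal.example.internal
    DocumentRoot /usr/local/www/portal

    RewriteEngine On

    # Never rewrite the portal's own pages, or the redirect below would loop.
    RewriteCond %{REQUEST_URI} ^/portal/ [OR]
    RewriteCond %{REQUEST_URI} ^/login
    RewriteRule ^ - [L]

    # Captive-portal probes an OS sends right after associating. The device
    # expects a fixed body (or a 204); any other answer, such as this 302,
    # makes it pop up its sign-in sheet with the login page automatically.
    RewriteCond %{HTTP_HOST} ^captive\.apple\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^connectivitycheck\.gstatic\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^(www\.)?msftconnecttest\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^(www\.)?msftncsi\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^detectportal\.firefox\.com$ [NC]
    RewriteRule ^ http://portal.example.internal/login [R=302,L]

    # Anything else that lands here (a plain-HTTP site typed into a browser)
    # still gets the login page, so the old "visit an unencrypted site" path
    # keeps working for devices without probe support.
    RewriteRule ^ http://portal.example.internal/login [R=302,L]
</VirtualHost>
```

Once a user authenticates, the login handler is expected to add the client's MAC to the firewall's known-devices table so the rdr rule stops matching; HTTPS destinations are never redirected, so they either work (known MAC) or time out (unknown MAC) rather than produce a certificate warning.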