Date: Sun, 7 Jan 2018 12:40:30 -0600 (CST) From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu> To: "Victor Sudakov" <vas@mpeks.tomsk.su> Cc: "Freddie Cash" <fjwcash@gmail.com>, "freebsd-net" <freebsd-net@freebsd.org> Subject: Re: Fwd: Re: Quasi-enterprise WiFi network Message-ID: <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> In-Reply-To: <20180107180422.GA46756@admin.sibptus.transneft.ru> References: <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, January 7, 2018 12:04 pm, Victor Sudakov wrote: > Freddie Cash wrote: >> > >> > I'm trying to setup a quasi-enterprise WiFi network for mobile >> > devices. This will be a solution for a public library with the only >> > requirement that guest users should get personal credentials for WiFi >> > access from a librarian (not a shared PSK for everyone). > >> >> You don't *need* RADIUS for this, although it may make some things >> easier >> in some setups. >> >> All you need is a separate vlan for the "guest" wireless clients to >> connect >> to, at the default gateway for that vlan to the FreeBSD machine, and use >> firewall rules to redirect all "new" devices to a local Apache setup >> (new >> meaning you don't know the MAC address). >> >> In Apache, you use mod_rewrite rules to change the requested URL to a >> local >> webpage where you display your rules and whatnot, along with the login One trouble I expect here is: if the client goes to https destination, it will complain about your local apache certificate, as the client expects next packet (SSL negotiation) to come from host it was going originally to. I've seen quite a few of similar things. "Home brew" words come to my mind, no offense intended. Even older or two WiFi setups central IT folks at big university I work for did this setup that brakes when client goes to SSL-ed URL. Next, what if client does not use web browser at all, and just attempts to ssh to external host... Of course, your mod_rewrite rules, Freddie, may help. > > What you are suggesting is essentially a hand-made captive portal. I > would be grateful for your mod_rewrite rules, but this will be a last > resort. AFAIK there are implementations of a captive portal in > M0n0wall and pfSense. Thanks, Victor! Valeri > I've also seen howtos like > https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/ > > But if I can, I'd try a pure WiFi solution first, of course if it > exists. > > -- > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > AS43859 > _______________________________________________ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52165.108.68.171.12.1515350430.squirrel>