Date: Mon, 8 Jan 2018 14:20:35 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: Freddie Cash <fjwcash@gmail.com>
Cc: galtsev@kicp.uchicago.edu, freebsd-net <freebsd-net@freebsd.org>
Subject: Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID: <20180108072035.GB52442@admin.sibptus.transneft.ru>
In-Reply-To: <CAOjFWZ5j%2BixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com>
References: <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> <CAOjFWZ5j%2BixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com>

Freddie Cash wrote:
>
> > One trouble I expect here is: if the client goes to https destination, it
> > will complain about your local apache certificate, as the client expects
> > next packet (SSL negotiation) to come from host it was going originally
> > to. I've seen quite a few of similar things. "Home brew" words come to my
> > mind, no offense intended. Even older or two WiFi setups central IT folks
> > at big university I work for did this setup that breaks when client goes
> > to SSL-ed URL. Next, what if client does not use web browser at all, and
> > just attempts to ssh to external host...
> >
>
> That was an issue with our original setup that only used firewall redirect
> rules, without the mod_rewrite stuff. It only worked if we walked people
> through visiting a non-encrypted website, in order to bring up our login
> page. As more and more sites started defaulting to HTTPS, it became
> cumbersome.
>
> All mobile devices, including Windows/MacOS devices, include captive portal
> detection these days, where they attempt to connect to a specific set of
> HTTP sites after connecting to a network. The mod_rewrite rules intercept
> only these requests, and redirect them to the login page.

Your mod_rewrite rules are becoming more and more interesting. Please do
post them.

There is one more drawback however I have just thought about. If I go
for a WiFi solution, I can deploy just an AP at some remote branch as a
RADIUS client of the central FreeRADIUS server. If I go for a captive
portal solution, I would need to install captive portals at every
branch, or tunnel Internet traffic via the central hub.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
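
The following is an added illustration of the approach described in the quoted text (redirecting only the operating systems' plain-HTTP captive-portal probes). It is not part of this message and is not Freddie Cash's configuration. The probe host list, the `catchall.invalid` server name and the `portal.example.net` login URL are assumptions or placeholders.

```apache
# Added example, not from the thread. Assumed setup: the firewall redirects
# port 80 traffic from unauthenticated clients to this default vhost.
# Port 443 is NOT redirected here, so clients never see a certificate
# for the wrong host name.
<VirtualHost *:80>
    # Placeholder name; this vhost is only reached via the firewall redirect.
    ServerName catchall.invalid

    RewriteEngine On

    # Match only the connectivity probes that clients send over plain HTTP
    # right after joining a network. This host list is an assumption based
    # on commonly documented probe hosts; vendors change them over time,
    # so verify against current client behaviour before relying on it.
    RewriteCond %{HTTP_HOST} ^captive\.apple\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^connectivitycheck\.gstatic\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^clients3\.google\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^www\.msftconnecttest\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^www\.msftncsi\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^detectportal\.firefox\.com$ [NC]

    # A probe that receives a redirect instead of its expected answer makes
    # the client open its captive-portal login window. The login page lives
    # on its own host name (placeholder) with a certificate valid for that
    # name, so the HTTPS login itself raises no warning. QSD drops the
    # probe's query string.
    RewriteRule ^ https://portal.example.net/login [R=302,L,QSD]

    # Requests for any other Host header match none of the conditions above
    # and are served whatever this vhost normally serves.
</VirtualHost>
```

Traffic that is not HTTP at all, such as the ssh case raised in the quoted text, never reaches Apache and has to be handled by the firewall rules.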