Date: Sun, 7 Jan 2018 08:58:41 -0800
From: Freddie Cash <fjwcash@gmail.com>
To: freebsd-net <freebsd-net@freebsd.org>
Subject: Fwd: Re: Quasi-enterprise WiFi network
Message-ID: <CAOjFWZ6kYSTKmPHpQqd%2BywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com>
Dammit, forgot to include the list again. Resending.

---------- Forwarded message ----------
From: fjwcash@gmail.com
Date: Jan 7, 2018 8:58 AM
Subject: Re: Quasi-enterprise WiFi network
To: Victor Sudakov <vas@mpeks.tomsk.su>
Cc:

On Jan 7, 2018 6:31 AM, "Victor Sudakov" <vas@mpeks.tomsk.su> wrote:

> Colleagues,
>
> I'm trying to set up a quasi-enterprise WiFi network for mobile devices.
> This will be a solution for a public library with the only requirement
> that guest users should get personal credentials for WiFi access from a
> librarian (not a shared PSK for everyone).
>
> The library has a FreeBSD router with FreeRADIUS3, and several TP-Link
> APs which support "Enterprise WiFi" and can be RADIUS clients.
>
> The point is I don't want to require customers to install X.509
> certificates on their mobile devices; the network setup should be simple
> and transparent for the customer. I don't care if some Evil Hacker
> impersonates my quasi-enterprise network and collects all the passwords,
> so I really need no certificates to authenticate the network to
> customers. The only condition is that each customer has a personal
> login/password which expires daily (any RADIUS server can expire
> accounts, I'm sure FreeRADIUS is no exception).
>
> I would also consider a variant with FreeBSD+hostapd as AP (instead of
> the TP-Link routers) if it's more feasible.
>
> Could you please point me in the right direction. Maybe I'm totally
> wrong and I should use a different approach altogether?

You don't *need* RADIUS for this, although it may make some things easier in some setups.

All you need is a separate VLAN for the "guest" wireless clients to connect to, set the default gateway for that VLAN to the FreeBSD machine, and use firewall rules to redirect all "new" devices to a local Apache setup ("new" meaning you don't know the MAC address). In Apache, you use mod_rewrite rules to change the requested URL to a local web page where you display your rules and whatnot, along with the login page.
Write this in PHP or Ruby or Python or whatever your preferred web scripting language is, connecting to whatever authentication database you want to use. Upon successful login, add the MAC address to the firewall rules (tables work well for this) to allow internet traffic. At midnight, empty that table.

That's the setup we use at work (although with Linux on the wireless firewalls, using iptables and ipset) to provide wireless access to guests in the schools. With this, you can even create an encrypted wireless setup, and just provide the PSK to the patrons on the same card as you provide their login info.

The mod_rewrite rules are the magic that provide the captive-portal detection for mobile devices so that the login page appears automatically as soon as they connect to the wireless network. I can provide those tomorrow if you want, as I can't access them from home.

Cheers,
Freddie
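The procedure Freddie sketches (redirect unknown clients to a login page, answer the OS connectivity probes so the portal pops up, validate a per-patron credential that expires at the end of the day, then allow-list the client in a firewall table and flush it at midnight) fits in a few dozen lines. The block below is an added example, not code from this thread or from any FreeBSD or Apache component. It assumes a pf table named `wifi_guests` declared `persist` in pf.conf and a portal at `http://10.10.0.1/login`; both names, the probe list and all sample users and addresses are constructed for the example. One caveat the original glosses over: pf tables hold IP addresses and networks, not MAC addresses, so on FreeBSD the allow-list below keys on the client IP (ipfw layer-2 rules would be the way to match on MAC). The `pfctl` call is injected as a callable so the logic can be exercised on any machine.

```python
"""Core of a guest-WiFi captive portal: probe detection, daily credentials,
and a pf-table allow-list. Added example, not code from the mailing-list thread."""
import datetime as dt
import hashlib
import hmac
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Connectivity probes mobile OSes issue on join: host -> (path, body expected once online).
PROBES = {
    "captive.apple.com": ("/hotspot-detect.html",
        "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "connectivitycheck.gstatic.com": ("/generate_204", ""),
    "www.msftconnecttest.com": ("/connecttest.txt", "Microsoft Connect Test"),
    "detectportal.firefox.com": ("/success.txt", "success"),
}
PORTAL_URL = "http://10.10.0.1/login"   # assumed address of the FreeBSD gateway
TABLE_NAME = "wifi_guests"              # assumed pf table: `table <wifi_guests> persist`


@dataclass
class Credential:
    username: str
    salt: bytes
    digest: bytes
    expires: dt.date        # valid through the end of this day


def _derive(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 digest; the librarian's card is the only clear copy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_credential(store: Dict[str, Credential], username: str,
                     password: str, today: str) -> Credential:
    """Librarian hands out a login that is only good for `today` (ISO date)."""
    salt = os.urandom(16)
    cred = Credential(username, salt, _derive(password, salt), dt.date.fromisoformat(today))
    store[username] = cred
    return cred


def check_login(store: Dict[str, Credential], username: str, password: str, today: str) -> bool:
    cred = store.get(username)
    if cred is None or dt.date.fromisoformat(today) > cred.expires:
        return False
    return hmac.compare_digest(_derive(password, cred.salt), cred.digest)


class PfTable:
    """Allow-list kept in a pf table via `pfctl -t <name> -T add|flush`."""
    def __init__(self, name: str, runner: Optional[Callable] = None):
        self.name = name
        self.runner = runner or (lambda argv: subprocess.run(argv, check=True))
        self.members = set()          # mirror of the table, keyed by client IP

    def add(self, ip: str) -> None:
        self.runner(["pfctl", "-t", self.name, "-T", "add", ip])
        self.members.add(ip)

    def flush(self) -> None:          # run from cron at 00:00
        self.runner(["pfctl", "-t", self.name, "-T", "flush"])
        self.members.clear()


def handle_request(table: PfTable, store: Dict[str, Credential], client_ip: str,
                   host: str, path: str, form: Optional[dict], today: str) -> Tuple[int, dict, str]:
    """What the portal's web layer returns: (status, headers, body)."""
    if client_ip in table.members:
        probe = PROBES.get(host)
        if probe and probe[0] == path:    # already online: answer as the real probe host would
            return (204 if probe[1] == "" else 200), {}, probe[1]
        return 200, {}, "already logged in"
    if path == "/login" and form:
        if check_login(store, form.get("user", ""), form.get("pass", ""), today):
            table.add(client_ip)
            return 200, {}, "welcome"
        return 403, {}, "bad or expired login"
    # Unknown client: every request, OS probes included, is bounced to the portal,
    # which is what makes the phone open the login page on its own.
    return 302, {"Location": PORTAL_URL}, ""


if __name__ == "__main__":
    # Dry run with constructed data; prints the pfctl commands instead of executing them.
    table, store, today = PfTable(TABLE_NAME, runner=print), {}, "2018-01-07"
    issue_credential(store, "guest42", "s3cret", today)
    print(handle_request(table, store, "10.10.0.55", "captive.apple.com", "/hotspot-detect.html", None, today))
    print(handle_request(table, store, "10.10.0.55", "10.10.0.1", "/login", {"user": "guest42", "pass": "s3cret"}, today))
    print(handle_request(table, store, "10.10.0.55", "captive.apple.com", "/hotspot-detect.html", None, today))
    table.flush()
```

The firewall side that this assumes is an rdr rule sending port-80 traffic from the guest VLAN to Apache for addresses not in `<wifi_guests>`, and a pass rule for addresses that are. Because the login form travels over plain HTTP, as the original poster accepts, the only thing the password hashing buys is that a compromised portal host does not yield the day's passwords in clear; it does not protect them on the air.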