
I'm the admin of a wireless network, but as most people aren't experts there seems to be a general problem connecting to it. We are using WPA Enterprise, so on Windows platforms there are some common steps that have to be followed to get it to work. But users are stupid.

Many places have some kind of open net, where you are just able to connect, but when trying to access sites that are not in some kind of internal list you are redirected to a login page on a web server, so after you are authenticated there you can browse the internet.

How is this done? Any hints? Linux? Windows? Some special hardware/firewall?

Links, info ... all are welcome.

Syska
  • Related question, with a great solution .. http://serverfault.com/questions/15066/free-wifi-hotspot-management-software-for-school – tomjedrz Nov 19 '09 at 07:25

3 Answers


Here's how it's accomplished where I work (our networking guy could probably elaborate more):

When you connect to the open WLAN you are on the first, public VLAN, which redirects (via Squid) all traffic to our authentication page. Authenticating (via Kerberos) puts the user on the second VLAN, which has unrestricted access.

I'm a little gray on some of the details in there, but I'm sure someone else will fill in the missing spots.

scraft3613
    I'm getting the idea ... now I just need the easiest way to set it up, if I want to go that way, or maybe we will just stick with what we've got now ... since it's working, but giving some users a hard time :-) – Syska Nov 19 '09 at 17:12

In another life I wrote exactly such a mechanism. A little firewall here, a web server there, some stuff in between to turn on and off the firewall for a given IP address, and a default rule that redirects all port 80 traffic to a web server that has the login page. Easy as cake? Not really.

First, you can try looking at NoCat, an open source project to do just this sort of thing.

Don't try to do it (write up a mechanism that does wireless authentication through a captive portal) yourself. It's a short road to crazy-town.

The simplest way to do it yourself is to run 2 sets of APs (if they're cheapo non-VLAN, single-SSID consumer APs). One set of APs is on a private network with a web server, a DHCP server and a DNS server that answers with the IP of the web server for all DNS lookups. Someone looks up google.com? They get 192.168.66.6. They look up snoopy.com? 192.168.66.6. They look up bobsyeruncle.net? 192.168.66.6. And on that web server, you put a web page that says "Welcome to (insert company here). If you want to use the wireless network, change your SSID to 'securenet', set it to WPA2 and EAP-TTLS" (or whatever wireless auth protocol you're using might be).

The other APs will, of course, be connected to the "wireless" interface on your firewall and allow whatever access you deem proper for wireless network access at your site.

Oh -- wait -- you're not using a pre-shared key, are you? If you are, you really don't have any wireless security at all. Once I know the key, I can spy on everyone's traffic. Even junky consumer APs these days support WPA Enterprise and RADIUS, and you can use the RADIUS server on Windows and make wireless authentication work properly.

For that lesson, you'll need to put another quarter in the machine and ask another question...

chris
  • Well ... seems like this is too much work ... for something that's already working ... but this was also more of a ... how do people, companies do this. So thanks for that. – Syska Nov 19 '09 at 17:11
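The "little firewall here, a web server there, some stuff in between to turn the firewall on and off for a given IP" mechanism from the answer above, as an added example that is not code from the original post or from any particular captive-portal project. It assumes a Linux gateway whose wireless side is `wlan0`, with the portal web server and DNS running on the gateway itself at 192.168.66.6 (so their traffic hits INPUT, which is assumed to already accept DHCP, DNS and HTTP to that address), and it is written with a dry-run mode so the generated rules can be inspected without root. The chain names `PORTAL` and `PORTAL_FWD`, the interface and the addresses are all assumptions for the example. One point the answer leaves implicit: a rule keyed on IP alone is trivially hijacked by anyone who reuses an authenticated client's address after it leaves, so the rules here bind the IP to the client's MAC as well (still spoofable, but it raises the bar), and `revoke()` is meant to be driven by logout, DHCP lease expiry or an idle timer, never left to run forever.

```python
import subprocess
from dataclasses import dataclass, field


@dataclass
class CaptivePortal:
    """Minimal iptables-based captive portal controller (example only).

    Unauthenticated clients on wifi_if get their port-80 connections DNATed
    to the login page and everything else dropped in FORWARD. After the
    login page verifies credentials it calls allow(ip, mac), which inserts
    a RETURN (nat) and an ACCEPT (filter) rule ahead of those defaults.
    """
    wifi_if: str = "wlan0"              # assumed: interface the open APs hang off
    portal_ip: str = "192.168.66.6"     # assumed: login page, served by this gateway
    portal_port: int = 80
    dry_run: bool = True                # collect the commands instead of running them
    commands: list = field(default_factory=list)
    allowed: dict = field(default_factory=dict)   # client ip -> mac it was granted with

    def _ipt(self, *args):
        cmd = ["iptables", *args]
        line = " ".join(cmd)
        self.commands.append(line)
        if not self.dry_run:
            subprocess.run(cmd, check=True)     # needs root on a real gateway
        return line

    def install(self):
        """Default rules: redirect port 80 to the login page, drop the rest."""
        self._ipt("-t", "nat", "-N", "PORTAL")
        self._ipt("-t", "nat", "-A", "PREROUTING", "-i", self.wifi_if, "-j", "PORTAL")
        self._ipt("-t", "nat", "-A", "PORTAL", "-p", "tcp", "--dport", "80",
                  "-j", "DNAT", "--to-destination", f"{self.portal_ip}:{self.portal_port}")
        self._ipt("-N", "PORTAL_FWD")
        self._ipt("-A", "FORWARD", "-i", self.wifi_if, "-j", "PORTAL_FWD")
        self._ipt("-A", "PORTAL_FWD", "-j", "DROP")

    @staticmethod
    def _match(ip, mac):
        # Bind the grant to source IP *and* MAC; an IP-only rule is reused by
        # whoever gets that address next (or by anyone who sets it by hand).
        return ["-s", ip, "-m", "mac", "--mac-source", mac]

    def allow(self, ip, mac):
        """Called by the login page after a successful authentication."""
        if ip in self.allowed:
            return False
        # -I puts the rule at the top of the chain, ahead of the DNAT/DROP defaults.
        self._ipt("-t", "nat", "-I", "PORTAL", *self._match(ip, mac), "-j", "RETURN")
        self._ipt("-I", "PORTAL_FWD", *self._match(ip, mac), "-j", "ACCEPT")
        self.allowed[ip] = mac
        return True

    def revoke(self, ip):
        """Undo allow(): on logout, DHCP lease expiry or idle timeout."""
        mac = self.allowed.pop(ip, None)
        if mac is None:
            return False
        # -D deletes the rule that matches the spec exactly as it was inserted.
        self._ipt("-t", "nat", "-D", "PORTAL", *self._match(ip, mac), "-j", "RETURN")
        self._ipt("-D", "PORTAL_FWD", *self._match(ip, mac), "-j", "ACCEPT")
        return True


if __name__ == "__main__":
    portal = CaptivePortal()            # dry run: just print what would be executed
    portal.install()
    portal.allow("192.168.66.42", "00:11:22:33:44:55")   # constructed sample client
    portal.revoke("192.168.66.42")
    print("\n".join(portal.commands))
```

In a real deployment the MAC would come from the gateway's ARP table or the DHCP lease file for the client's IP at the moment it logs in, and `install()` would be run once at boot before the wireless interface comes up; the login page itself is whatever web application you already have, plus one call into `allow()` on success.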
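The other half of the answer above, the DNS server that "answers with the IP of the web server for all DNS lookups", as an added example that is not code from the original post. It is a wildcard responder written against the wire format directly (no resolver library), so it runs offline: every A/IN query gets the portal address, and every other query type gets an empty NOERROR answer so clients fall back to A instead of treating the name as missing. The portal address 192.168.66.6 is the one the answer uses; the short TTL is an assumption, chosen so clients stop hitting the portal soon after they move to the real network. `build_query()` and `answer_ips()` exist only to construct sample input and decode the result, the way a stub resolver would.

```python
import socket
import struct

PORTAL_IP = "192.168.66.6"      # every name resolves here (the answer's address)
QTYPE_A, QCLASS_IN = 1, 1
FLAGS_AUTH_RESPONSE = 0x8580    # QR=1, AA=1, RD=1, RA=1, RCODE=0


def _read_name(packet, pos):
    """Decode a DNS name at pos (labels or a compression pointer); return (name, next pos)."""
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if ptr >= pos:
                raise ValueError("forward pointer")     # refuse pointer loops
            suffix, _ = _read_name(packet, ptr)
            labels.append(suffix)
            return ".".join(l for l in labels if l), pos + 2
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


def parse_query(packet):
    """Return (transaction id, qname, qtype, qclass, offset just past the question)."""
    if len(packet) < 12:
        raise ValueError("short header")
    tid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, pos = _read_name(packet, 12)
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, qname, qtype, qclass, pos + 4


def build_response(query, portal_ip=PORTAL_IP, ttl=5):
    """Answer any A/IN question with portal_ip; anything else gets NOERROR, no answers."""
    tid, _qname, qtype, qclass, qend = parse_query(query)
    question = query[12:qend]                           # echoed back verbatim
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        header = struct.pack("!HHHHHH", tid, FLAGS_AUTH_RESPONSE, 1, 1, 0, 0)
        # Answer RR: pointer to the name at offset 12, type A, class IN, TTL, 4-byte rdata.
        rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(portal_ip)
        return header + question + rr
    return struct.pack("!HHHHHH", tid, FLAGS_AUTH_RESPONSE, 1, 0, 0, 0) + question


def build_query(name, qtype=QTYPE_A, tid=0x1234):
    """Encode a recursion-desired query (constructed sample input for the example)."""
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, QCLASS_IN)


def answer_ips(response):
    """Return the A-record addresses in a response, i.e. what a client would connect to."""
    _tid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(response, pos)
        pos += 4
    ips = []
    for _ in range(ancount):
        _, pos = _read_name(response, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            ips.append(socket.inet_ntoa(response[pos:pos + rdlen]))
        pos += rdlen
    return ips


def serve(bind_addr="0.0.0.0", port=53):
    """UDP loop: one datagram in, one answer out; malformed packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            continue


if __name__ == "__main__":
    serve()     # needs root (or CAP_NET_BIND_SERVICE) to bind port 53
```

Keep in mind that this only works for plain HTTP: an HTTPS client that lands on the portal's address sees a certificate for the wrong name and gets an error page rather than the login page, so the portal message has to be reachable by whatever the browser first tries in clear text.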

If you're open to commercial solutions, Cisco wireless products can do exactly this. You buy a number of lightweight Aironet access points (enough to cover the physical space), a Wireless LAN Controller to manage them, and configure Web Authentication on the controller.

Your expense is $500/AP plus $2K-$5K for the controller (depends on how many APs you need to manage).

However, I must say here that properly executed Enterprise auth doesn't require any steps on the client side. It just works. Take AD, RADIUS, same Wireless Controller to manage the network, push the correct GPO down to the clients, and - magic! - everyone is on the wireless, transparently authenticated with their AD credentials. And then you can use Web Auth for guest access, where it belongs.

Max Alginin
  • I'm pretty sure that any high-end(ish) wireless solution will have a captive portal authentication system. Certainly Trapeze and Chantry/Siemens/Enterasys, Aruba, and the 3 or 4 Cisco wireless solutions offer it. I assumed that they were using consumer APs, which don't offer multiple SSIDs and VLAN tagging and IP portability and similar fancy features. – chris Nov 19 '09 at 15:00
  • The APs are using auth through a FreeRADIUS server ... so there is no AD. It's a dorm/kollegium ... where students live, so money is limited. We are using Aironet 1500 or something like that from Cisco. Could just be nice if the auth were easier for the users ... not that I mind setting it up ... could just be easier. – Syska Nov 19 '09 at 17:10
  • It's best to have AD or any other single sign-on solution - otherwise you'll have the same problem over and over again when adding new services for the users. If you have no money or know Linux, use Samba; if you have some money and prefer Windows, grab a copy of SBS. – Max Alginin Nov 19 '09 at 20:40
  • The only use for FreeRADIUS is for auth to the wireless. Now I just need a smarter way to auth the users ... but this seems too complicated. – Syska Nov 21 '09 at 12:44