[ previous ] [ next ] [ threads ]
 
 From:  Amaury Amblard-Ladurantie <darcache at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  [Captive portal] Questions/feat reqs (radius, HTTPS, customization)
 Date:  Tue, 25 Oct 2005 16:11:40 +0200
Hello

Let me start by saying that I have been greatly impressed by the
m0n0wal project. So many functionnalities so easily accessible is
something many commercial vendors would like to acheive.

I have been using m0n0wall as a router/firewall on some old hardware
for a few years now and have been very happy about it. I would like to
use the "captive portal" feature in order to provide internet access
to friends (I am planning on adding a third interface and plugging in
a "dumb" wifi AP). I have read the documentation and searched the
mailing-lists, and most of my questions have been answered. I have
however a few questions/requests for features (hence the post on the
-devel ML) left regarding the captive portal.

1/ Non radius/ local authentication
I know most (if not all) captive portals use a separate authentication
servers, most often based on radius. I don't see any security
requirement for that, and I wonder if it would be possible to use a
*local* authentication base (using radius or just passwd type flat
files), which would allow m0n0wall not to be dependent on another
server?
I find it a bit to inapropriate to install a radius server just to
check a couple of login/passwords, where a standard Unix type
authentication system would be perfectly suited IMHO.
Or would it be possible to include a radius server in m0n0wall for the
same benefit?

2/ HTTPS portal page
The portal page is accessible via HTTP on port 8000, and via HTTPS on port 8001.
Is it possible to force users to authenticate using the encrypted web
page and to prevent them using the clear text web page?

3/ Portal page customization
If I read the documentation correctly, the only way to customize the
"captive portal" web page is to upload a file, and, if any image, CSS
of Javascript file is loaded by the web page, to add the relevant IP
address in the "authorized IP addresses" list.
I see many drawbacks with this approach:
- the pf rule applied for the "autorized IP addresses" list is the
same before and after authentication. However, only HTTP/HTTPS is
needed before authentication, and since I don't trust the client
before the authentication, I don't want them to connect to anything
else rather than 80 for example. Once they have successfully
authentified I have no problem changing the filtering rules to allow
them to access other services on that IP address.
- many websites use "Virtual hosting". I don't want non authenticated
users to be able to access the other websites hosted on that server.
This could be solved by DNS restriction but since I guess we are
dealing with IP filtering, it is out of question.
- the captive portal web page elements which cannot be hosted on the
m0n0wall (images, CSS etc) have to be hosted on a public website on
the Internet (hosting them on an internal secured website is not
acceptable to me as I have no internal server running 24/7). It means
unless I configure some filtering solution to reject any IP address
but my m0n0wall IP address (what to do then when the public IP address
is dynamic), anyone will be able to download the components of the
captive portal web page, which should remain private IMHO.

Is it possible to upload all the captive portal web page components
onto the m0n0wall computer itself rather than having to rely on
another server ?
If yes, is there a *simple* way of doing so (other than mounting &
hacking the m0n0wall disk image) ?
if not, are you planning no developping such a feature ?

And, finally, is it possible to upload PHP code as the captive portal
web page which would be interpreted at run time or is it limited to
HTML ?

Thank you for your help, and congratulations to all the contributors
of the project for this amazing achievement.
Best regards,
Amaury