 From:  "Quark IT - Hilton Travis" <hilton at quarkit dot com dot au>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] DHCP Server request
 Date:  Sat, 12 Mar 2005 09:30:17 +1000
Hi Jesse,

> -----Original Message-----
> From: Jesse Guardiani [mailto:jesse at wingnet dot net] 
> Sent: Wednesday, 9 March 2005 00:01
> On Tuesday 08 March 2005 6:41 am, Quark IT - Hilton Travis wrote:
> > Hi Chris,
> > 
> > I clearly explained earlier that I know the difference 
> > between the Internet and an internal machine.  
> > Suggesting so is totally and utterly missing the whole 
> > point of my original question.
> > 
> > As this is a firewall/gateway device, there's NO WAY 
> > that it can stop a machine talking to another machine 
> > on the same physical segment.  A firewall/gateway, in 
> > case there's anyone out there still unclear on this
> > (and if there is, WHY are they on the dev list???) 
> > can only block traffic passing through it - not 
> > traffic on a local LAN, nor traffic on the local 
> > freeway or train line.
> > 
> > What I was asking was if there was a way to utilize 
> > Captive Portal without a RADIUS Server, instead 
> > authenticating to a file of user/pass or a local 
> > database or some other means of auth.
> To answer this question, in case someone comes across 
> it in the archives:
> No, it's not currently possible to do Captive Portal 
> username & password auth without a RADIUS server in 
> 1.11 or 1.2b6. However, it is possible to use MAC 
> pass-through or "Allowed IP addresses" without a 
> RADIUS server. Or at least that is my understanding. 
> This basically offers the same functionality as 
> username & password auth, but on a per-machine basis 
> (i.e. no roaming from computer to computer).

That would probably be preferable in this case to MAC Pass-through, as
with MAC pass-through, if the users are gaming when the timer expires,
the game freezes and they have to open and browse in a web browser
before they can return to the game, in which they have then more often
than not died - this is generally happening after hours, and is not
going down well.  :)  You know gamers...

> Personally, I use "Allowed IP addresses" on my local 
> WLAN. I was using MAC pass-through, but for some 
> reason that was buggy and from time to time it 
> wouldn't allow my clients through, even after they 
> opened a web browser and started to surf. "Allowed 
> IP Addresses", while slightly less secure, works 
> every time for me.

I'll look into this option.  I agree that the security is less with this
than with MACs, but with the ease of altering one's MAC address (though
this isn't likely to be THAT easy to those users on this LAN) it's not
that much less secure.

> Having said that, a patch was submitted just 
> yesterday by Pascal Suter for 1.2b6 that looks 
> capable of adding a local user authentication 
> database. Look for the subject "local usermanager" 
> in the archives. I haven't tried it yet. Maybe you 
> can give it a try and let us know what you think?

Excellent.  I know I'm not the only one asking for this functionality -
there have been others.

> For what it's worth, I think a local user auth 
> database would be useful for Captive Portal. It 
> would allow user based roaming instead of machine
> based roaming and without a RADIUS server, which 
> could be nice in certain situations.

Agreed.  Maybe if I changed the subject of this thread it would have
confused people less, however I thought that wouldn't be necessary as
people generally prefer the previous information to remain intact than
to have it all deleted by starting a new thread.  Looks like I was
making unfounded assumptions - at least you can see where I'm coming

> -- 
> Jesse Guardiani, Systems Administrator
> WingNET Internet Services,
> P.O. Box 2605 // Cleveland, TN 37320-2605
> 423-559-LINK (v)  423-559-5145 (f)
> http://www.wingnet.net



Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/ <-- it's now time to shame poor coders 
into writing code that is acceptable for use on today's networks

War doesn't determine who is right.  War determines who is left.

This document and any attachments are for the intended recipient 
  only.  It may contain confidential, privileged or copyright 
     material which must not be disclosed or distributed.