I have the following setup:
A soekris board running m0n0wall 1.2b9 (let's call it mono) is connected to the ethernet port of a
The LAN interface of mono has been assigned the 192.168.1.1 and dhcp has been enabled. The LAN
interface is connected with an ethernet cable to a Linksys wrt54gs router that is running as an
Access Point to offer wireless connectivity.
Linksys has been assigned the 192.168.1.2.
A laptop is wirelessly connected to the network, assigned for example the IP 192.168.1.193.
Without captive portal enabled the laptop user can browse the internet.
Captive portal is enabled with radius authentication against an external radius server (freeradius).
The laptop user is prompted for username and password.
Once submitted, the mono requests authentication not for the laptop IP/MAC (192.168.1.194) but for
the Linksys Access Point (192.168.1.2).
The radius server returns Access-Accept, and accounting starts:
Mon Jun 20 01:18:07 2005
Service-Type = Login-User
User-Name = "tester2"
NAS-Identifier = "m0n0wall.local"
NAS-Port = 0
NAS-Port-Type = Ethernet
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Acct-Session-Id = "24663e0bdc156fad"
Framed-IP-Address = 192.168.1.2
NAS-IP-Address = m.y.i.p
Client-IP-Address = m.y.i.p
Acct-Unique-Session-Id = "74621ed97a0dace5"
Timestamp = 1119226687
As a result mono opens the firewall for linksys IP/mac and not for the laptop one, and the laptop
user is prompted for usr/pwd again.
Reading the FAQ, I came across the following entry:
'Captive Portal relies on MAC addresses to function. In order for this to work, Captive Portal
clients must be on the same layer 2 network as m0n0wall. In the case of a router behind m0n0wall,
the only MAC address m0n0wall would see would be the router's MAC. The first machine authenticated
behind the router would allow all machines behind that router access'
That rings some bells, but how do you explain the fact that this setup used to work as desired with
the 1.2b7 version (opens the firewall for laptop IP/MAC instead of the Linksys one)?
I apologise for the lengthy email, and I would appreciate some feedback on this.
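
Added example, not part of the original email: a check over FreeRADIUS accounting detail records that flags Start records whose Framed-IP-Address belongs to an infrastructure device instead of a client, which is the symptom in the record quoted above. The sample records (including the second session and its session id) and the INFRA_IPS map are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the accounting record in the email.
SAMPLE_DETAIL = """\
Mon Jun 20 01:18:07 2005
User-Name = "tester2"
NAS-Identifier = "m0n0wall.local"
Acct-Status-Type = Start
Acct-Session-Id = "24663e0bdc156fad"
Framed-IP-Address = 192.168.1.2

Mon Jun 20 01:25:40 2005
User-Name = "tester3"
NAS-Identifier = "m0n0wall.local"
Acct-Status-Type = Start
Acct-Session-Id = "constructed-0002"
Framed-IP-Address = 192.168.1.193
"""

# Assumption: addresses that must never appear as a portal client.
INFRA_IPS = {"192.168.1.1": "m0n0wall LAN", "192.168.1.2": "Linksys AP"}

def parse_detail(text):
    """Split detail text into records: a header line, then 'Attr = value' lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None              # a blank line ends the record
            continue
        name, sep, value = line.partition(" = ")
        if not sep:                     # no 'Attr = value' form: timestamp header
            current = {"_header": line}
            records.append(current)
        elif current is not None:
            current[name.strip()] = value.strip().strip('"')
    return records

def misattributed_sessions(records, infra_ips=INFRA_IPS):
    """Return (user, session id, ip, device) for sessions opened for an infra IP."""
    findings = []
    for rec in records:
        if rec.get("Acct-Status-Type") != "Start":
            continue
        try:
            ip = str(ipaddress.ip_address(rec.get("Framed-IP-Address", "")))
        except ValueError:
            continue                    # attribute missing or masked (e.g. m.y.i.p)
        if ip in infra_ips:
            findings.append((rec.get("User-Name"), rec.get("Acct-Session-Id"), ip, infra_ips[ip]))
    return findings
```

A hit means the portal opened the firewall for the access point's address, so per the FAQ entry every host behind that device would be let through on one login.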