 From:  "Yiannis Maglaras" <ym at untopic dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Captive portal problem authenticating users behind Access Point
 Date:  Mon, 20 Jun 2005 23:56:08 +0100
Hi there,

I have the following setup:
A Soekris board running m0n0wall 1.2b9 (let's call it mono) is connected to the ethernet port of a
DSL router.
The LAN interface of mono has been assigned 192.168.1.1 and DHCP has been enabled. The LAN
interface is connected with an ethernet cable to a Linksys WRT54GS router that is running as an
Access Point to offer wireless connectivity.
The Linksys has been assigned 192.168.1.2.
A laptop is wirelessly connected to the network, assigned for example the IP 192.168.1.193.
Without captive portal enabled the laptop user can browse the internet.
Captive portal is enabled with RADIUS authentication against an external RADIUS server (FreeRADIUS).
The laptop user is prompted for username and password.
Once submitted, mono requests authentication not for the laptop IP/MAC (192.168.1.194) but for
the Linksys Access Point (192.168.1.2).
The RADIUS server returns Access-Accept, and accounting starts:

Mon Jun 20 01:18:07 2005
        Service-Type = Login-User
        User-Name = "tester2"
        NAS-Identifier = "m0n0wall.local"
        NAS-Port = 0
        NAS-Port-Type = Ethernet
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Session-Id = "24663e0bdc156fad"
        Framed-IP-Address = 192.168.1.2
        NAS-IP-Address = m.y.i.p
        Client-IP-Address = m.y.i.p
        Acct-Unique-Session-Id = "74621ed97a0dace5"
        Timestamp = 1119226687

As a result mono opens the firewall for the Linksys IP/MAC and not for the laptop one, and the laptop
user is prompted for usr/pwd again.

Reading the FAQ, I came across the following entry:

'Captive Portal relies on MAC addresses to function. In order for this to work, Captive Portal
clients must be on the same layer 2 network as m0n0wall. In the case of a router behind m0n0wall,
the only MAC address m0n0wall would see would be the router's MAC. The first machine authenticated
behind the router would allow all machines behind that router access' 

That rings some bells, but how do you explain the fact that this setup used to work as desired with
version 1.2b7 (it opened the firewall for the laptop IP/MAC instead of the Linksys one)?

I apologise for the lengthy email, and I would appreciate some feedback on this.

Thanks
Yiannis
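The following is an added example and is not part of the original e-mail or of m0n0wall's own code. It parses FreeRADIUS detail-style accounting records of the shape quoted above and flags Acct-Start records whose Framed-IP-Address is an infrastructure address (the access point) rather than an end client, which is the symptom described in the post. A second helper models the FAQ's point about MAC-keyed captive portals: once the router's MAC is authenticated, every host resolving to that MAC is admitted. The sample log, the 192.0.2.10 NAS address and the MAC addresses are constructed for the example.

```python
"""
Added example (not from the original e-mail or from m0n0wall itself):
parse FreeRADIUS detail-style accounting records and flag sessions that
were opened for an infrastructure device instead of the user's host, then
model why a MAC-keyed captive portal admits every host behind a router.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample log in the same shape as the record quoted in the post.
# The NAS/Client IP 192.0.2.10 is a documentation address, not a real host.
SAMPLE_DETAIL_LOG = """\
Mon Jun 20 01:18:07 2005
        Service-Type = Login-User
        User-Name = "tester2"
        NAS-Identifier = "m0n0wall.local"
        NAS-Port = 0
        NAS-Port-Type = Ethernet
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Session-Id = "24663e0bdc156fad"
        Framed-IP-Address = 192.168.1.2
        NAS-IP-Address = 192.0.2.10
        Client-IP-Address = 192.0.2.10
        Acct-Unique-Session-Id = "74621ed97a0dace5"
        Timestamp = 1119226687

Mon Jun 20 01:20:00 2005
        User-Name = "tester3"
        Acct-Status-Type = Start
        Framed-IP-Address = 192.168.1.193
        Acct-Session-Id = "0000000000000001"

"""

# One indented "Attribute = value" line of a detail record.
_ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_detail_records(text: str) -> List[Dict[str, str]]:
    """Split a detail log into records: an unindented timestamp line, then
    indented 'Attribute = value' lines, terminated by a blank line.
    Quoted string values have their surrounding quotes removed."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line closes the record
            if current:
                records.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if m and current:
            current[m.group(1)] = m.group(2).strip().strip('"')
        elif not line[0].isspace():   # unindented line starts a record
            current = {"_timestamp": line.strip()}
    if current:
        records.append(current)
    return records


def find_infrastructure_sessions(records: Iterable[Dict[str, str]],
                                 infra_ips: Set[str]) -> List[Dict[str, str]]:
    """Acct-Start records whose Framed-IP-Address is a router/AP address:
    the NAS authenticated the intermediate device, not the user's host."""
    return [r for r in records
            if r.get("Acct-Status-Type") == "Start"
            and r.get("Framed-IP-Address") in infra_ips]


def portal_allows(authenticated_macs: Set[str],
                  arp_table: Dict[str, str], client_ip: str) -> bool:
    """MAC-keyed captive-portal decision. arp_table maps IP -> MAC as the
    portal sees it; behind a router every client resolves to the router's
    MAC, so one authenticated session covers all of them."""
    mac = arp_table.get(client_ip)
    return mac is not None and mac in authenticated_macs


if __name__ == "__main__":
    recs = parse_detail_records(SAMPLE_DETAIL_LOG)
    for r in find_infrastructure_sessions(recs, {"192.168.1.2"}):
        print("session opened for infrastructure address:",
              r["User-Name"], r["Framed-IP-Address"])
    # Constructed ARP view: two laptops behind the AP share its MAC.
    arp = {"192.168.1.193": "00:00:5e:00:53:02",
           "192.168.1.194": "00:00:5e:00:53:02"}
    print("second host admitted without logging in:",
          portal_allows({"00:00:5e:00:53:02"}, arp, "192.168.1.194"))
```

Run over a real detail file, `find_infrastructure_sessions` gives a quick check for the misattribution the post describes; the `portal_allows` model shows why a single authenticated router MAC is a problem, which is the reason the FAQ requires captive-portal clients to be on the same layer 2 network as m0n0wall.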