Yiannis Maglaras wrote:
> Hi there,
>
> I have the following setup:
> A soekris board running m0n0wall 1.2b9 (let's call it mono) is connected to the ethernet port of a dsl router.
> The LAN interface of mono has been assigned the 192.168.1.1 and dhcp has been enabled. The LAN interface is connected with an ethernet cable to a Linksys wrt54gs router that is running as an Access Point to offer wireless connectivity.
> Linksys has been assigned the 192.168.1.2
> A laptop is wirelessly connected to the network, assigned for example the ip 192.168.1.193. Without captive portal enabled the laptop user can browse the internet
> Captive portal is enabled with radius authentication against an external radius server (freeradius).
> The laptop user is prompted for username and password.
> Once submitted, the mono requests authentication not for the laptop ip/mac (192.168.1.194) but for the linksys Access Point (192.168.1.2).
> The radius server returns Access-Accept, and accounting starts
>
> Mon Jun 20 01:18:07 2005
>         Service-Type = Login-User
>         User-Name = "tester2"
>         NAS-Identifier = "m0n0wall.local"
>         NAS-Port = 0
>         NAS-Port-Type = Ethernet
>         Acct-Status-Type = Start
>         Acct-Authentic = RADIUS
>         Acct-Session-Id = "24663e0bdc156fad"
>         Framed-IP-Address = 192.168.1.2
>         NAS-IP-Address = m.y.i.p
>         Client-IP-Address = m.y.i.p
>         Acct-Unique-Session-Id = "74621ed97a0dace5"
>         Timestamp = 1119226687
>
> As a result mono opens the firewall for the linksys IP/mac and not for the laptop one, and the laptop user is prompted for usr/pwd again.
>
> Reading the FAQ, I came across the following entry:
>
> 'Captive Portal relies on MAC addresses to function. In order for this to work, Captive Portal clients must be on the same layer 2 network as m0n0wall. In the case of a router behind m0n0wall, the only MAC address m0n0wall would see would be the router's MAC. The first machine authenticated behind the router would allow all machines behind that router access'
>
> That rings some bells, but how do you explain the fact that this setup used to work as desired with the 1.2b7 version (opens the firewall for the laptop ip/mac instead of the linksys one)?
>
> I apologise for the lengthy email, and I would appreciate some feedback on this
>
> Thanks
> Yiannis

Hi,

Client authentication against M0n0wall behind access points should function of course.

I don't understand one thing: if your Linksys acts as a router in addition to an access point, then all your clients behind your Linksys should be authorized by M0n0's captive portal. If your Linksys isn't a router, then you should see your laptop wireless ethernet address in the radius accounting...

That's what I get on Radius accounting:

        Packet-Type = Access-Request
Tue Jun 21 08:59:14 2005
        User-Name = "toto at univ dot fr"
        Framed-MTU = 1400
        Called-Station-Id = "0011.5cc6.f960"   -> access point mac address
        Calling-Station-Id = "000e.35f6.7768"  -> laptop wireless card ethernet address
        Service-Type = Login-User
        Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
        EAP-Message = 0x0201001b01757465737475743140756e69762d746c7365312e6672
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1471
        NAS-IP-Address = 1.1.1.1              -> access point IP address
        NAS-Identifier = "accesspoint-floor1"
        Client-IP-Address = 1.1.1.1           -> access point IP address

Be sure that your Linksys acts ONLY as an access point and not as a router/NAT/firewall.

Regards,

-- 
Denis Mirassou
Service Réseaux
Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
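As an added example that is not part of this thread and not m0n0wall or FreeRADIUS code, the following Python script parses FreeRADIUS detail-style accounting records like the ones quoted above and flags the symptom both posters describe: an accounting Start whose Framed-IP-Address is an infrastructure host (the access point at 192.168.1.2) rather than a client, and several users being accounted against one address, which is what the FAQ warns about when the portal only sees the router's MAC. The sample records, the 192.0.2.1 NAS address and the infrastructure-address set are constructed assumptions, not values from the thread.

```python
"""Flag captive-portal RADIUS accounting records that carry an infrastructure
address instead of a client address.

Added example, not m0n0wall or FreeRADIUS code. The log format is modelled on
the accounting lines quoted in the thread; the records below are constructed.
The set of infrastructure addresses (the access point at 192.168.1.2) is an
assumption you would replace with your own inventory.
"""
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS "detail" style: a timestamp line, then
# tab-indented "Attribute = Value" lines, records separated by blank lines.
SAMPLE_LOG = """\
Mon Jun 20 01:18:07 2005
\tService-Type = Login-User
\tUser-Name = "tester2"
\tNAS-Identifier = "m0n0wall.local"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "24663e0bdc156fad"
\tFramed-IP-Address = 192.168.1.2
\tNAS-IP-Address = 192.0.2.1

Mon Jun 20 01:25:40 2005
\tService-Type = Login-User
\tUser-Name = "tester3"
\tNAS-Identifier = "m0n0wall.local"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "1b2c3d4e5f607182"
\tFramed-IP-Address = 192.168.1.2
\tNAS-IP-Address = 192.0.2.1

Mon Jun 20 01:30:02 2005
\tService-Type = Login-User
\tUser-Name = "tester4"
\tNAS-Identifier = "m0n0wall.local"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "9f8e7d6c5b4a3928"
\tFramed-IP-Address = 192.168.1.193
\tNAS-IP-Address = 192.0.2.1
"""

# Addresses that must never appear as the authenticated client (assumption).
INFRASTRUCTURE_IPS = {"192.168.1.2"}

# Matches an indented 'Attribute = Value' line, with or without quotes.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text):
    """Split a detail-style log into a list of dicts, one per record."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        if not line[0].isspace():
            # An unindented line starts a new record: it is the timestamp.
            current = {"timestamp": line.strip()}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def find_misattributed_sessions(records, infra_ips=INFRASTRUCTURE_IPS):
    """Return Start records whose Framed-IP-Address is an infrastructure host."""
    return [
        r for r in records
        if r.get("Acct-Status-Type") == "Start"
        and r.get("Framed-IP-Address") in infra_ips
    ]


def users_sharing_address(records):
    """Map each Framed-IP-Address to the users accounted against it, keeping
    only addresses with more than one user: the FAQ's symptom of the portal
    seeing the router rather than the clients behind it."""
    by_ip = defaultdict(set)
    for r in records:
        if r.get("Acct-Status-Type") == "Start" and "Framed-IP-Address" in r:
            by_ip[r["Framed-IP-Address"]].add(r.get("User-Name", "?"))
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_LOG)
    for r in find_misattributed_sessions(recs):
        print(f"{r['timestamp']}: user {r['User-Name']} accounted against "
              f"infrastructure address {r['Framed-IP-Address']}")
    for ip, users in users_sharing_address(recs).items():
        print(f"{ip} is shared by {sorted(users)}")
```

Run against a real detail file by replacing SAMPLE_LOG with the file contents and INFRASTRUCTURE_IPS with the addresses of your access points and routers; any hit means the portal authorized a piece of infrastructure instead of a client, which is exactly the layer-2 visibility problem the FAQ entry describes.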