Yiannis Maglaras wrote:
> Hi there,
> I have the following setup:
> A soekris board running m0n0wall 1.2b9 (let's call it mono) is connected to the ethernet port of a
> The LAN interface of mono has been assigned the 192.168.1.1 and dhcp has been enabled. The LAN
> interface is connected with an ethernet cable to a Linksys wrt54gs router that is running as an
> Access Point to offer wireless connectivity.
> Linksys has been assigned the 192.168.1.2
> A laptop is wirelessly connected to the network, assigned for example the ip 192.168.1.193.
> Without captive portal enabled the laptop user can browse the internet
> Captive portal is enabled with radius authentication against an external radius server
> The laptop user is prompted for username and password.
> Once submitted, the mono requests authentication not for the laptop ip/mac(192.168.1.194) but for
> linksys Access Point (192.168.1.2).
> The radius server returns Access-Accept, and accounting starts
> Mon Jun 20 01:18:07 2005
> Service-Type = Login-User
> User-Name = "tester2"
> NAS-Identifier = "m0n0wall.local"
> NAS-Port = 0
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Acct-Session-Id = "24663e0bdc156fad"
> Framed-IP-Address = 192.168.1.2
> NAS-IP-Address = m.y.i.p
> Client-IP-Address = m.y.i.p
> Acct-Unique-Session-Id = "74621ed97a0dace5"
> Timestamp = 1119226687
> As a result mono opens the firewall for linksys IP/mac and not for the laptop one, and the laptop
> user is prompted for usr/pwd again.
> Reading the FAQ, I came across the following entry:
> 'Captive Portal relies on MAC addresses to function. In order for this to work, Captive Portal
> clients must be on the same layer 2 network as m0n0wall. In the case of a router behind m0n0wall,
> the only MAC address m0n0wall would see would be the router's MAC. The first machine authenticated
> behind the router would allow all machines behind that router access'
> that rings some bells, but how do you explain the fact that this setup used to work as desired
> with 1.2b7 version (opens the firewall for laptop ip/mac instead of linksys one)?
> I apologise for the lengthy email, and I would appreciate some feedback on this
Client authentication against M0n0wall behind access points should
function, of course.
I don't understand one thing:
If your Linksys acts as a router in addition to an access point, then
all your clients behind your Linksys should be authorized by M0n0's
If your Linksys isn't a router, then you should see your laptop wireless
ethernet address in the radius accountings...
That's what I get on Radius accounting:
Packet-Type = Access-Request
Tue Jun 21 08:59:14 2005
User-Name = "toto at univ dot fr"
Framed-MTU = 1400
Called-Station-Id = "0011.5cc6.f960" -> access point mac address
Calling-Station-Id = "000e.35f6.7768" -> laptop wireless card
Service-Type = Login-User
Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
NAS-Port-Type = Wireless-802.11
NAS-Port = 1471
NAS-IP-Address = 184.108.40.206 -> access point IP address
NAS-Identifier = "accesspoint-floor1"
Client-IP-Address = 220.127.116.11 -> access point IP address
Be sure that your Linksys acts ONLY as an access point and no
Denis Mirassou
Service Réseaux
Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
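As an added example (not from the thread and not m0n0wall's own code), a small Python checker that parses accounting dumps like the two quoted above and flags a Start record whose authorized endpoint (Framed-IP-Address or Calling-Station-Id) belongs to an infrastructure device rather than a client. The sample records and the infrastructure inventory are constructed for the example; the AP MAC in that inventory is the one Denis's record shows as Called-Station-Id.

```python
import re
# Constructed sample: the m0n0wall Start record quoted in the thread (Framed-IP-Address
# is the Linksys, not the laptop) and a bridged-AP record of the kind Denis shows.
SAMPLE_LOG = """\
Mon Jun 20 01:18:07 2005
    User-Name = "tester2"
    Acct-Status-Type = Start
    Framed-IP-Address = 192.168.1.2

Tue Jun 21 08:59:14 2005
    User-Name = "toto at univ dot fr"
    Called-Station-Id = "0011.5cc6.f960"
    Calling-Station-Id = "000e.35f6.7768"
    Acct-Status-Type = Start
"""

# Assumed inventory of infrastructure devices a session must never authorize.
INFRA_IPS = {"192.168.1.2"}          # Linksys LAN IP from the thread
INFRA_MACS = {"0011.5cc6.f960"}      # AP MAC from Denis's Called-Station-Id

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """One dict per record; a non-attribute line (the timestamp) starts a record."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
        else:
            cur = {"Timestamp": line.strip()}
            records.append(cur)
    return records

def flag_infra_sessions(records):
    """(user, reason) for each Start record whose authorized endpoint is an
    infrastructure device; one login would then open the firewall for every
    host behind it, which is the symptom described in the thread."""
    findings = []
    for r in records:
        if r.get("Acct-Status-Type") != "Start":
            continue
        user, ip, mac = r.get("User-Name", "?"), r.get("Framed-IP-Address"), r.get("Calling-Station-Id")
        if ip in INFRA_IPS:
            findings.append((user, f"Framed-IP-Address {ip} is an infrastructure device"))
        elif mac in INFRA_MACS:
            findings.append((user, f"Calling-Station-Id {mac} is an infrastructure device"))
    return findings
```

Run against a real radacct dump, the same check shows immediately whether the portal is authorizing a client or the router in front of it, which is what distinguishes a bridged AP from a routing one.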