Hi Denis,

So you are saying that this shouldn't be happening unless the Linksys is acting as a router instead of just an Access Point. My linksys is set to act solely as Access Point. No router functionalities are enabled. I assume from your email that you have a similar setup.

Which version of m0n0wall are you running? I didn't have any problem when using 1.2b7. Once I switched to 1.2b9, I started experiencing this issue.

Yiannis

----- Original Message -----
From: "Denis Mirassou" <Mirassou at cict dot fr>
To: "Yiannis Maglaras" <ym at untopic dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, June 21, 2005 8:19 AM
Subject: Re: [m0n0wall] Captive portal problem authenticating users behind Access Point

> Yiannis Maglaras wrote:
>> Hi there,
>>
>> I have the following setup:
>> A soekris board running m0n0wall 1.2b9 (let's call it mono) is connected
>> to the ethernet port of a dsl router.
>> The LAN interface of mono has been assigned the 192.168.1.1 and dhcp has
>> been enabled. The LAN interface is connected with an ethernet cable to a
>> Linksys wrt54gs router that is running as an Access Point to offer
>> wireless connectivity. Linksys has been assigned the 192.168.1.2
>> A laptop is wirelessly connected to the network, assigned for example
>> the ip 192.168.1.193. Without captive portal enabled the laptop user can
>> browse the internet
>> Captive portal is enabled with radius authentication against an external
>> radius server (freeradius).
>> The laptop user is prompted for username and password. Once submitted,
>> the mono requests authentication not for the laptop
>> ip/mac(192.168.1.194) but for linksys Access Point (192.168.1.2).
>> The radius server returns Access-Accept, and accounting starts
>>
>> Mon Jun 20 01:18:07 2005
>>     Service-Type = Login-User
>>     User-Name = "tester2"
>>     NAS-Identifier = "m0n0wall.local"
>>     NAS-Port = 0
>>     NAS-Port-Type = Ethernet
>>     Acct-Status-Type = Start
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Id = "24663e0bdc156fad"
>>     Framed-IP-Address = 192.168.1.2
>>     NAS-IP-Address = m.y.i.p
>>     Client-IP-Address = m.y.i.p
>>     Acct-Unique-Session-Id = "74621ed97a0dace5"
>>     Timestamp = 1119226687
>>
>> As a result mono opens the firewall for linksys IP/mac and not for the
>> laptop one, and the laptop user is prompted for usr/pwd again.
>>
>> Reading the FAQ, I came across the following entry:
>>
>> 'Captive Portal relies on MAC addresses to function. In order for this to
>> work, Captive Portal clients must be on the same layer 2 network as
>> m0n0wall. In the case of a router behind m0n0wall, the only MAC address
>> m0n0wall would see would be the router's MAC. The first machine
>> authenticated behind the router would allow all machines behind that
>> router access'
>>
>> that rings some bells, but how do you explain the fact
>> that this setup used to work as desired with 1.2b7 version (opens the
>> firewall for laptop ip/mac instead of linksys one)?
>>
>> I apologise for the lengthy email, and I would appreciate some feedback
>> on this
>>
>> Thanks
>> Yiannis
>
> Hi,
>
> Client authentication against M0n0wall behind access points should
> function of course.
>
> I don't understand one thing:
>
> If your Linksys acts as a router in addition to an access point, then all
> your clients behind your Linksys should be authorized by M0n0's captive
> portal.
>
> If your Linksys isn't a router, then you should see your laptop wireless
> ethernet address in the radius accountings...
>
> That's what I get on Radius accounting:
>
> Packet-Type = Access-Request
> Tue Jun 21 08:59:14 2005
>     User-Name = "toto at univ dot fr"
>     Framed-MTU = 1400
>     Called-Station-Id = "0011.5cc6.f960" -> access point mac address
>     Calling-Station-Id = "000e.35f6.7768" -> laptop wireless card ethernet address
>     Service-Type = Login-User
>     Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
>     EAP-Message = 0x0201001b01757465737475743140756e69762d746c7365312e6672
>     NAS-Port-Type = Wireless-802.11
>     NAS-Port = 1471
>     NAS-IP-Address = 1.1.1.1 -> access point IP address
>     NAS-Identifier = "accesspoint-floor1"
>     Client-IP-Address = 1.1.1.1 -> access point IP address
>
> Be sure that your Linksys acts ONLY as an access point and no
> router/NAT/firewall.
>
> Regards,
>
> --
>    /\
> /\/  \
> O / /   Denis Mirassou
> @|~|    Service Réseaux
> / \|    Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
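
The symptom reported in this thread, an accounting Start record whose Framed-IP-Address is the access point (192.168.1.2) instead of the laptop, can be checked for in FreeRADIUS accounting logs. The script below is an added example, not part of the original thread and not m0n0wall or FreeRADIUS code; the INFRA_IPS set, the function names and the second sample record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS "detail" layout (timestamp line, indented
# "Attribute = value" pairs, blank line between records). Record 1 mirrors the
# one quoted in the thread; record 2 is invented.
SAMPLE_DETAIL = """\
Mon Jun 20 01:18:07 2005
\tUser-Name = "tester2"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "24663e0bdc156fad"
\tFramed-IP-Address = 192.168.1.2

Mon Jun 20 01:25:40 2005
\tUser-Name = "tester3"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.193
"""

# Assumption: addresses of APs/bridges/routers on the portal LAN (the Linksys here).
INFRA_IPS = {"192.168.1.2"}
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Yield one dict per accounting record, with surrounding quotes stripped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        record = {"_time": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                record[m.group(1)] = m.group(2).strip().strip('"')
        yield record


def suspicious_sessions(records, infra_ips=INFRA_IPS):
    """Flag Start records on an infrastructure IP or on an IP a different user also started on."""
    findings, users_by_ip = [], defaultdict(set)
    for rec in records:
        if rec.get("Acct-Status-Type") != "Start":
            continue
        ip, user = rec.get("Framed-IP-Address"), rec.get("User-Name")
        if ip in infra_ips:
            findings.append(("infrastructure-ip", rec))
        elif users_by_ip[ip] - {user}:
            findings.append(("shared-ip", rec))
        users_by_ip[ip].add(user)
    return findings
```

An "infrastructure-ip" finding means the portal opened the firewall for an intermediate device, which is the condition the quoted FAQ entry warns gives every machine behind that device access.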