So you are saying that this shouldn't be happening unless the Linksys is
acting as a router instead of just an Access Point.
My Linksys is set to act solely as Access Point. No router functionalities.
I assume from your email that you have a similar setup.
Which version of m0n0wall are you running?
I didn't have any problem when using 1.2b7. Once I switched to 1.2b9, I
started experiencing this issue.
----- Original Message -----
From: "Denis Mirassou" <Mirassou at cict dot fr>
To: "Yiannis Maglaras" <ym at untopic dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, June 21, 2005 8:19 AM
Subject: Re: [m0n0wall] Captive portal problem authenticating users behind
> Yiannis Maglaras wrote:
>> Hi there,
>> I have the following setup:
>> A soekris board running m0n0wall 1.2b9 (let's call it mono) is connected
>> to the ethernet port of a dsl router.
>> The LAN interface of mono has been assigned the 192.168.1.1 and dhcp has
>> been enabled. The LAN interface is connected with an ethernet cable to a
>> Linksys wrt54gs router that is running as an Access Point to offer
>> wireless connectivity. Linksys has been assigned the 192.168.1.2
>> A laptop is wirelessly connected to the network, assigned for example
>> the ip 192.168.1.193. Without captive portal enabled the laptop user can
>> browse the internet.
>> Captive portal is enabled with radius authentication against an external
>> radius server (freeradius).
>> The laptop user is prompted for username and password. Once submitted,
>> the mono requests authentication not for the laptop
>> ip/mac(192.168.1.194) but for linksys Access Point (192.168.1.2).
>> The radius server returns Access-Accept, and accounting starts
>> Mon Jun 20 01:18:07 2005
>> Service-Type = Login-User
>> User-Name = "tester2"
>> NAS-Identifier = "m0n0wall.local"
>> NAS-Port = 0
>> NAS-Port-Type = Ethernet
>> Acct-Status-Type = Start
>> Acct-Authentic = RADIUS
>> Acct-Session-Id = "24663e0bdc156fad"
>> Framed-IP-Address = 192.168.1.2
>> NAS-IP-Address = m.y.i.p
>> Client-IP-Address = m.y.i.p
>> Acct-Unique-Session-Id = "74621ed97a0dace5"
>> Timestamp = 1119226687
>> As a result mono opens the firewall for linksys IP/mac and not for the
>> laptop one, and the laptop user is prompted for usr/pwd again.
>> Reading the FAQ, I came across the following entry:
>> 'Captive Portal relies on MAC addresses to function. In order for this to
>> work, Captive Portal clients must be on the same layer 2 network as
>> m0n0wall. In the case of a router behind m0n0wall, the only MAC address
>> m0n0wall would see would be the router's MAC. The first machine
>> authenticated behind the router would allow all machines behind that
>> router access'. That rings some bells, but how do you explain the fact
>> that this setup used to work as desired with 1.2b7 version (opens the
>> firewall for laptop ip/mac instead of linksys one)?
>> I apologise for the lengthy email, and I would appreciate some feedback
>> on this
> Client authentication against M0n0wall behind access points should
> function of course.
> I don't understand one thing :
> If your Linksys acts as a router in addition to an access point, then all
> your clients behind your Linksys should be authorized by M0n0 's captive
> If your Linksys isn't a router, then you should see your laptop wireless
> ethernet address in the radius accountings...
> That's what I get on Radius accounting :
> Packet-Type = Access-Request
> Tue Jun 21 08:59:14 2005
> User-Name = "toto at univ dot fr"
> Framed-MTU = 1400
> Called-Station-Id = "0011.5cc6.f960" -> access point mac address
> Calling-Station-Id = "000e.35f6.7768" -> laptop wireless card ethernet address
> Service-Type = Login-User
> Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
> EAP-Message =
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 1471
> NAS-IP-Address = 220.127.116.11 -> access point IP address
> NAS-Identifier = "accesspoint-floor1"
> Client-IP-Address = 18.104.22.168 -> access point IP address
> Be sure that your Linksys acts ONLY as an access point and no
> /\/ \
> O / / Denis Mirassou
> @|~| Service Réseaux
> / \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
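Added example, not part of the original thread or of m0n0wall: a small Python check over FreeRADIUS-style accounting records that flags the symptom described above, a Start record whose Framed-IP-Address is an infrastructure device rather than a client, and also a second user starting a session on an address that already has one. The detail-file layout, the `tester3`/`tester4` records, the role labels and the function names are assumptions of this example.

```python
import re

# Addresses come from the thread; the role labels are this example's own.
INFRA_IPS = {"192.168.1.1": "m0n0wall LAN", "192.168.1.2": "Linksys AP"}

# Constructed sample (assumed detail-file layout). The first record is modelled
# on the one quoted in the thread; the tester3/tester4 records are invented.
SAMPLE = """\
Mon Jun 20 01:18:07 2005
\tUser-Name = "tester2"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.2

Mon Jun 20 01:25:40 2005
\tUser-Name = "tester3"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.193

Mon Jun 20 01:31:02 2005
\tUser-Name = "tester4"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.193
"""
ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    """Split blank-line separated records: a timestamp line, then 'Name = value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *attrs = block.splitlines()
        rec = {"_time": head.strip()}
        rec.update(m.groups() for m in map(ATTR.match, attrs) if m)
        records.append(rec)
    return records

def suspicious_starts(records, infra_ips=INFRA_IPS):
    """Return (time, user, ip, reason) for Start records worth a look."""
    active, findings = {}, []  # active: Framed-IP-Address -> users with open sessions
    for rec in records:
        ip, user = rec.get("Framed-IP-Address"), rec.get("User-Name")
        users = active.setdefault(ip, set())
        if rec.get("Acct-Status-Type") == "Stop":
            users.discard(user)
        elif rec.get("Acct-Status-Type") == "Start":
            if ip in infra_ips:
                findings.append((rec["_time"], user, ip, "infrastructure: " + infra_ips[ip]))
            elif users - {user}:
                findings.append((rec["_time"], user, ip, "address shared with another session"))
            users.add(user)
    return findings
```

Running `suspicious_starts(parse_detail(SAMPLE))` reports the `tester2` session opened for the access point's address and the `tester4` session that shares 192.168.1.193 with `tester3`.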