[ previous ] [ next ] [ threads ]
 From:  "Christian H Borrman" <chb at orange dot net>
 To:  "'Yiannis Maglaras'" <ym at untopic dot com>, <Mirassou at cict dot fr>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Captive portal problem authenticating users behind Access Point
 Date:  Tue, 21 Jun 2005 12:38:07 +0100
Hi Dennis, Yiannis,

We had the same issue here on an installation with a d-link 2110 access
point, and a Linksys router running as access point (using LAN ports and AP
mode), it works with 1.2b7 but not b8 and b9.

RE Dennis: For Yiannis´s setup to work and the linksys to issue IP addresses
from the m0n0wall DHCP server, the linksys must be running in Access point
mode, as our access points are. (yiannis I assume you are using the LAN
ports on the Linksys and AP mode?) Furrthermore, we have also tested
multiple Access points in WDS and mesh modes, all using the DHCP and Radius
correctly as Yiannis says on M0n0wall 1.2b7, but not on 1.2b8 or 1.2b9.

Basically, m0n0wall is issuing an IP address against a MAC from a client on
the access points, forwarding the the correct MAC and IP of the client to
the radius server, but then on 1.2b8 and 1.2b9, when radius replies,
m0n0wall opens up the firewall to the access point MAC and IP, not the
original client MAC and IP. On 1.2b7 this does not occur; same access
points, same settings and tried on two different sites (radius on site and
radius remote).

This is a quite a big issue as radius auth captive portal for multiple MACs
basically works on 1.2b7 but not on 1.2b8 and 1.2b9, which is ironic, as
1.2b8 and 1.2b9 need this access point set-up as the 4.11 OS Base only
supports two types of 802.11b cards only, that either have been pulled out
of a dell laptop and put on eBay (dell truemobile) or have been out of
production for a while (2511+) and are sporadic in supply. Both these cards
are now two generations old and not been manufactured for up to 18 months!.
The 1.2b7 5.3 base OS supports all the latest a/b/g Atheros cards on board
and so this is not an issue, however the radius accounting is broken on
1.2b7 but not on b8 and b9! It is a catch 22.

Does anyone know why this is happening? 

Is it a 4.11 OS issue? Is it the eth cards on soekris (yiannis you do not
say what platform you are using?) or is it something that the accounting
fixes on b8 and b9 have broken?



-----Original Message-----
From: Yiannis Maglaras [mailto:ym at untopic dot com] 
Sent: 21 June 2005 10:47
To: Mirassou at cict dot fr
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Captive portal problem authenticating users behind
Access Point

Hi Denis,

So you are saying that this shouldn't be happening unless the Linksys is
acting as a router instead of just an Access Point.
My linksys is set to act solely as Access Point. No router functionalities
are enabled.

I assume from your email that you have a similar setup.
Which version of m0n0wall are you running?
I didn't have any problem when using 1.2b7. Once I switched to 1.2b9, I
started experiencing this issue?

----- Original Message ----- 
From: "Denis Mirassou" <Mirassou at cict dot fr>
To: "Yiannis Maglaras" <ym at untopic dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, June 21, 2005 8:19 AM
Subject: Re: [m0n0wall] Captive portal problem authenticating users behind 
Access Point

> Yiannis Maglaras wrote:
>> Hi there,
>> I have the following setup:
>> A soekris board running m0n0wall 1.2b9 (let's call it mono) is connected 
>> to the ethernet port of a dsl router.
>> The LAN interface of mono has been assigned the and dhcp has 
>> been enabled. The LAN interface is connected with an ethernet cable to a 
>> Linksys wrt54gs router that is running as an Access Point to offer 
>> wireless connectivity. Linksys has been assigned the
>> A laptop is wirelessly connected to the the network, assigned for example

>> the ip Without captive portal enabled the laptop user can 
>> browse the internet
>> Captive portal is enabled with radius authentication against an external 
>> radius server (freeradius).
>> The laptop user is prompted for username and password. Once submitted, 
>> the mono  requests authentication not for the laptop 
>> ip/mac( but for linksys Access Point (
>> The radius server returns Access-Accept, and accounting starts Mon Jun 20

>> 01:18:07 2005
>>         Service-Type = Login-User
>>         User-Name = "tester2"
>>         NAS-Identifier = "m0n0wall.local"
>>         NAS-Port = 0
>>         NAS-Port-Type = Ethernet
>>         Acct-Status-Type = Start
>>         Acct-Authentic = RADIUS
>>         Acct-Session-Id = "24663e0bdc156fad"
>>         Framed-IP-Address =
>>         NAS-IP-Address = m.y.i.p
>>         Client-IP-Address = m.y.i.p
>>         Acct-Unique-Session-Id = "74621ed97a0dace5"
>>         Timestamp = 1119226687
>> As a result mono opens the firewall for linksys IP/mac and not for the 
>> laptop one, and the laptop user is prompted for usr/pwd again.
>> Reading the FAQ, I came across the following entry:
>> 'Captive Portal relies on MAC addresses to function. In order for this to

>> work, Captive Portal clients must be on the same layer 2 network as 
>> m0n0wall. In the case of a router behind m0n0wall, the only MAC address 
>> m0n0wall would see would be the router's MAC. The first machine 
>> authenticated behind the router would allow all machines behind that 
>> router access' that rings some bells, but how do you explain the fact 
>> that this setup used to work as desired with 1.2b7 version (opens the 
>> firewall for laptop ip/mac instead of linksys one)?
>> I apologise for the lengthy email, and I would appreciate some feedback 
>> on this
>> Thank's
>> Yiannis
> Hi,
> Client authentication against M0n0wall behind access points should 
> function of course.
> I don't understand one thing :
> If your Linksys acts as a router in addition of an access point, then all 
> your clients behind your Linksys should be authorized by M0n0 's captive 
> portal.
> If your Linksys isn't a router, then you should see your laptop wireless 
> ethernet address in the radius accountings...
> That's what I get on Radius accounting :
> Packet-Type = Access-Request
> Tue Jun 21 08:59:14 2005
>         User-Name = "toto at univ dot fr"
>         Framed-MTU = 1400
>         Called-Station-Id = "0011.5cc6.f960" -> access point mac address
>         Calling-Station-Id = "000e.35f6.7768" -> laptop wireless card 
> ethernet address
>         Service-Type = Login-User
>         Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
>         EAP-Message = 
> 0x0201001b01757465737475743140756e69762d746c7365312e6672
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 1471
>         NAS-IP-Address = -> access point IP address
>         NAS-Identifier = "accesspoint-floor1"
>         Client-IP-Address = -> access point IP address
> Be sure that your Linksys acts ONLY as an access point and no 
> router/NAT/firewall.
> Regards,
> -- 
>         /\
>      /\/  \
>  O  / / Denis Mirassou
> @|~|  Service Réseaux
> / \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch