Yiannis Maglaras wrote:
> Hi Denis,
> So you are saying that this shouldn't be happening unless the Linksys is
> acting as a router instead of just an Access Point.
> My linksys is set to act solely as Access Point. No router functionalities
> are enabled.
> I assume from your email that you have a similar setup.
> Which version of m0n0wall are you running?
> I didn't have any problem when using 1.2b7. Once I switched to 1.2b9, I
> started experiencing this issue?
> ----- Original Message ----- From: "Denis Mirassou" <Mirassou at cict dot fr>
> To: "Yiannis Maglaras" <ym at untopic dot com>
> Cc: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, June 21, 2005 8:19 AM
> Subject: Re: [m0n0wall] Captive portal problem authenticating users
> behind Access Point
>> Yiannis Maglaras wrote:
>>> Hi there,
>>> I have the following setup:
>>> A soekris board running m0n0wall 1.2b9 (let's call it mono) is
>>> connected to the ethernet port of a dsl router.
>>> The LAN interface of mono has been assigned the 192.168.1.1 and dhcp
>>> has been enabled. The LAN interface is connected with an ethernet
>>> cable to a Linksys wrt54gs router that is running as an Access Point
>>> to offer wireless connectivity. Linksys has been assigned the
>>> A laptop is wirelessly connected to the the network, assigned for
>>> example the ip 192.168.1.193. Without captive portal enabled the
>>> laptop user can browse the internet
>>> Captive portal is enabled with radius authentication against an
>>> external radius server (freeradius).
>>> The laptop user is prompted for username and password. Once
>>> submitted, the mono requests authentication not for the laptop
>>> ip/mac(192.168.1.194) but for linksys Access Point (192.168.1.2).
>>> The radius server returns Access-Accept, and accounting starts Mon
>>> Jun 20 01:18:07 2005
>>> Service-Type = Login-User
>>> User-Name = "tester2"
>>> NAS-Identifier = "m0n0wall.local"
>>> NAS-Port = 0
>>> NAS-Port-Type = Ethernet
>>> Acct-Status-Type = Start
>>> Acct-Authentic = RADIUS
>>> Acct-Session-Id = "24663e0bdc156fad"
>>> Framed-IP-Address = 192.168.1.2
>>> NAS-IP-Address = m.y.i.p
>>> Client-IP-Address = m.y.i.p
>>> Acct-Unique-Session-Id = "74621ed97a0dace5"
>>> Timestamp = 1119226687
>>> As a result mono opens the firewall for linksys IP/mac and not for
>>> the laptop one, and the laptop user is prompted for usr/pwd again.
>>> Reading the FAQ, I came across the following entry:
>>> 'Captive Portal relies on MAC addresses to function. In order for
>>> this to work, Captive Portal clients must be on the same layer 2
>>> network as m0n0wall. In the case of a router behind m0n0wall, the
>>> only MAC address m0n0wall would see would be the router's MAC. The
>>> first machine authenticated behind the router would allow all
>>> machines behind that router access' that rings some bells, but how do
>>> you explain the fact that this setup used to work as desired with
>>> 1.2b7 version (opens the firewall for laptop ip/mac instead of
>>> linksys one)?
>>> I apologise for the lengthy email, and I would appreciate some
>>> feedback on this
>> Client authentication against M0n0wall behind access points should
>> function of course.
>> I don't understand one thing :
>> If your Linksys acts as a router in addition of an access point, then
>> all your clients behind your Linksys should be authorized by M0n0 's
>> captive portal.
>> If your Linksys isn't a router, then you should see your laptop
>> wireless ethernet address in the radius accountings...
>> That's what I get on Radius accounting :
>> Packet-Type = Access-Request
>> Tue Jun 21 08:59:14 2005
>> User-Name = "toto at univ dot fr"
>> Framed-MTU = 1400
>> Called-Station-Id = "0011.5cc6.f960" -> access point mac address
>> Calling-Station-Id = "000e.35f6.7768" -> laptop wireless card
>> ethernet address
>> Service-Type = Login-User
>> Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
>> EAP-Message =
>> NAS-Port-Type = Wireless-802.11
>> NAS-Port = 1471
>> NAS-IP-Address = 184.108.40.206 -> access point IP address
>> NAS-Identifier = "accesspoint-floor1"
>> Client-IP-Address = 220.127.116.11 -> access point IP address
>> Be sure that your Linksys acts ONLY as an access point and no
>> /\/ \
>> O / / Denis Mirassou
>> @|~| Service Réseaux
>> / \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
I use 1.2b2 with STOCKTON patch (Radius authentication logging) on a PC
and Cisco's AP.
So, I am far from 1.2b8 or 1.2b9, sorry.
That's why I didn't experience the problem.
I am afraid m0n0's developpers are concerned by this issue.
O / / Denis Mirassou
@|~| Service Réseaux
/ \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)