Yiannis Maglaras wrote:

> Hi Denis,
>
> So you are saying that this shouldn't be happening unless the Linksys is
> acting as a router instead of just an Access Point.
> My linksys is set to act solely as Access Point. No router functionalities
> are enabled.
>
> I assume from your email that you have a similar setup.
> Which version of m0n0wall are you running?
> I didn't have any problem when using 1.2b7. Once I switched to 1.2b9, I
> started experiencing this issue?
>
> Yiannis
> ----- Original Message -----
> From: "Denis Mirassou" <Mirassou at cict dot fr>
> To: "Yiannis Maglaras" <ym at untopic dot com>
> Cc: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, June 21, 2005 8:19 AM
> Subject: Re: [m0n0wall] Captive portal problem authenticating users
> behind Access Point
>
>
>> Yiannis Maglaras wrote:
>>
>>> Hi there,
>>>
>>> I have the following setup:
>>> A soekris board running m0n0wall 1.2b9 (let's call it mono) is
>>> connected to the ethernet port of a dsl router.
>>> The LAN interface of mono has been assigned the 192.168.1.1 and dhcp
>>> has been enabled. The LAN interface is connected with an ethernet
>>> cable to a Linksys wrt54gs router that is running as an Access Point
>>> to offer wireless connectivity. Linksys has been assigned the
>>> 192.168.1.2
>>> A laptop is wirelessly connected to the network, assigned for
>>> example the ip 192.168.1.193. Without captive portal enabled the
>>> laptop user can browse the internet
>>> Captive portal is enabled with radius authentication against an
>>> external radius server (freeradius).
>>> The laptop user is prompted for username and password. Once
>>> submitted, the mono requests authentication not for the laptop
>>> ip/mac(192.168.1.194) but for linksys Access Point (192.168.1.2).
>>> The radius server returns Access-Accept, and accounting starts
>>>
>>> Mon Jun 20 01:18:07 2005
>>>     Service-Type = Login-User
>>>     User-Name = "tester2"
>>>     NAS-Identifier = "m0n0wall.local"
>>>     NAS-Port = 0
>>>     NAS-Port-Type = Ethernet
>>>     Acct-Status-Type = Start
>>>     Acct-Authentic = RADIUS
>>>     Acct-Session-Id = "24663e0bdc156fad"
>>>     Framed-IP-Address = 192.168.1.2
>>>     NAS-IP-Address = m.y.i.p
>>>     Client-IP-Address = m.y.i.p
>>>     Acct-Unique-Session-Id = "74621ed97a0dace5"
>>>     Timestamp = 1119226687
>>>
>>> As a result mono opens the firewall for linksys IP/mac and not for
>>> the laptop one, and the laptop user is prompted for usr/pwd again.
>>>
>>> Reading the FAQ, I came across the following entry:
>>>
>>> 'Captive Portal relies on MAC addresses to function. In order for
>>> this to work, Captive Portal clients must be on the same layer 2
>>> network as m0n0wall. In the case of a router behind m0n0wall, the
>>> only MAC address m0n0wall would see would be the router's MAC. The
>>> first machine authenticated behind the router would allow all
>>> machines behind that router access' that rings some bells, but how do
>>> you explain the fact that this setup used to work as desired with
>>> 1.2b7 version (opens the firewall for laptop ip/mac instead of
>>> linksys one)?
>>>
>>> I apologise for the lengthy email, and I would appreciate some
>>> feedback on this
>>>
>>> Thanks
>>> Yiannis
>>
>>
>> Hi,
>>
>> Client authentication against M0n0wall behind access points should
>> function of course.
>>
>> I don't understand one thing:
>>
>> If your Linksys acts as a router in addition to an access point, then
>> all your clients behind your Linksys should be authorized by M0n0's
>> captive portal.
>>
>> If your Linksys isn't a router, then you should see your laptop
>> wireless ethernet address in the radius accountings...
>>
>> That's what I get on Radius accounting:
>>
>> Packet-Type = Access-Request
>> Tue Jun 21 08:59:14 2005
>>     User-Name = "toto at univ dot fr"
>>     Framed-MTU = 1400
>>     Called-Station-Id = "0011.5cc6.f960" -> access point mac address
>>     Calling-Station-Id = "000e.35f6.7768" -> laptop wireless card ethernet address
>>     Service-Type = Login-User
>>     Message-Authenticator = 0x1deaf7d6482bc2f4384176701e5ede06
>>     EAP-Message = 0x0201001b01757465737475743140756e69762d746c7365312e6672
>>     NAS-Port-Type = Wireless-802.11
>>     NAS-Port = 1471
>>     NAS-IP-Address = 1.1.1.1 -> access point IP address
>>     NAS-Identifier = "accesspoint-floor1"
>>     Client-IP-Address = 1.1.1.1 -> access point IP address
>>
>> Be sure that your Linksys acts ONLY as an access point and no
>> router/NAT/firewall.
>>
>> Regards,
>>
>>
>> --
>> /\
>> /\/ \
>> O / / Denis Mirassou
>> @|~| Service Réseaux
>> / \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>

Hi,

I use 1.2b2 with STOCKTON patch (Radius authentication logging) on a PC and Cisco's AP.
So, I am far from 1.2b8 or 1.2b9, sorry. That's why I didn't experience the problem.
I am afraid m0n0's developers are concerned by this issue.

Regards,

--
/\
/\/ \
O / / Denis Mirassou
@|~| Service Réseaux
/ \| Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
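
The symptom discussed in this thread shows up in the accounting log itself: the Start record carries the access point's address (192.168.1.2) as Framed-IP-Address instead of the laptop's. The following Python is an added example, not part of the original messages or of m0n0wall: it parses FreeRADIUS detail-style records and reports Start records opened for an infrastructure address, plus addresses shared by several users. The second and third sample records and the `infrastructure_ips` set are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS "detail" layout. The first record mirrors the
# values quoted in the thread; the other two (tester3, tester4) are invented.
SAMPLE_DETAIL = """\
Mon Jun 20 01:18:07 2005
\tUser-Name = "tester2"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.2

Mon Jun 20 01:25:40 2005
\tUser-Name = "tester3"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.2

Mon Jun 20 01:30:02 2005
\tUser-Name = "tester4"
\tAcct-Status-Type = Start
\tFramed-IP-Address = 192.168.1.193
"""
ATTR = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Split detail text into records: a timestamp line, then indented 'Attr = value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"When": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip()
        records.append(rec)
    return records

def audit(records, infrastructure_ips):
    """Return (Start records opened for an infrastructure IP, IPs shared by several users)."""
    on_infra, users_by_ip = [], defaultdict(set)
    for rec in records:
        if rec.get("Acct-Status-Type") != "Start":
            continue
        ip = rec.get("Framed-IP-Address")
        users_by_ip[ip].add(rec.get("User-Name"))
        if ip in infrastructure_ips:  # assumption: operator supplies AP/router addresses
            on_infra.append((rec["When"], rec.get("User-Name"), ip))
    shared = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
    return on_infra, shared
```

Calling `audit(parse_detail(SAMPLE_DETAIL), {"192.168.1.2"})` flags both sessions opened against the access point's address and lists that address as shared by two users, which is the condition the FAQ entry quoted in the thread warns about.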