 
 From:  "Jimmy Bones (Mhottie)" <mhottie at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] last call - WRT54G and captive portal reported issues
 Date:  Fri, 30 Dec 2005 01:58:41 -0500
The network is set up....  ISP ---> m0n0wall 1.2 ---> Cisco 2924 ---> WRT54G
(3) in different areas

Cisco 2924 ---> MS 2003 DNS / 2003 native domain controller

Cisco 2924 ---> Apache on OSX

Cisco 2924 ---> OpenBSD 3.7 running SSH, MySQL, etc.

Cisco 2924 ---> Win 2000 Srv SP4 Replica DC and development system

etc. etc.

All 3 WRT54G's are using HyperWRT 2.1b Tofu11, and are set for WPA2
Enterprise (Radius) with a radius server and Windows 2003 CA server issuing
certs.

In the current setup, wireless clients are authenticated based on their
MAC's and not only the WRT54G's MAC. I will play around with this setup this
weekend a bit to test further.

>sounds like how it's supposed to work, assuming the first server is
>m0n0wall itself.  if there are other servers you want people to
>access, you'll have to exempt them.

Chris, the first DNS server is a LAN MS DNS server 192.168.x.x, the 2nd in
the list is BIND on the BSD machine, same subnet, and 3rd is the ISP WAN DNS
server in case of internal failure.

Only the 1st LAN DNS is used. How do I exempt the other two? This happens
even after the clients are authenticated.

-J



On 12/29/05, Chris Buechler <cbuechler at gmail dot com> wrote:
>
> On 12/29/05, Jimmy Bones (Mhottie) <mhottie at gmail dot com> wrote:
> > I'd be happy to test with my several WRT54G's if needed... they are all
> > running HyperWRT 2.1 b1 + tofu 11 also, but several different HW
> versions.
> > Just point me to where the bug is.
> >
>
> supposedly it authenticates the MAC address of the AP and not of the
> wireless clients, so if one wireless client successfully
> authenticates, any wireless client can get through.  you need two
> wireless machines to test, authenticate on the first, and then see if
> you can get through on the second without authenticating.
>
>
> > I am having other issues with captive portal though, I don't think it's
> > related to this. It seems when captive portal is on it only uses/allows
> to
> > be used the 1st DNS server in the list no matter how many others you
> add...
> > so if our internal DNS is down (1st in the list) all clients time-out
> and
> > cannot use 2nd/3rd, etc. DNS servers. I haven't posted yet because (as
> you
> > can see) I haven't had time to further investigate the issue yet. But as
> > soon as Cap Portal was turned off, all clients could get to 2nd/3rd DNS
> > server w/o problem.
> >
>
> sounds like how it's supposed to work, assuming the first server is
> m0n0wall itself.  if there are other servers you want people to
> access, you'll have to exempt them.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
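The two behaviours discussed in this thread (a MAC-authenticating portal behind an AP that rewrites client MACs, and a portal that only passes the first DNS server until the others are exempted) can be modelled in a few lines. The following is an added illustration, not m0n0wall's own code or anything posted by Chris or Jimmy: it is a toy packet filter with an authenticated-MAC set and a destination allow-list, plus two hypothetical AP classes (bridge mode preserving the client MAC, NAT mode stamping the AP's own MAC). All MAC and IP values are constructed; the two-machine check is the test Chris describes, written so an administrator can see why it distinguishes the two cases.

```python
"""Toy model of a MAC-based captive portal (added example, not m0n0wall code).

Assumptions, all constructed for the illustration:
  * the portal remembers authenticated source MACs,
  * destinations on an allow-list (e.g. the portal's DNS server) are reachable
    by anyone, authenticated or not,
  * everything else from an unauthenticated MAC is dropped,
  * a NAT-mode access point rewrites each client's source MAC to its own.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str
    dst_port: int


@dataclass
class CaptivePortal:
    # Destination IPs passed before authentication (constructed values).
    allowed_ips: set = field(default_factory=set)
    authenticated_macs: set = field(default_factory=set)

    def authenticate(self, mac: str) -> None:
        """Record a successful portal login for the MAC the portal saw."""
        self.authenticated_macs.add(mac)

    def allow(self, pkt: Packet) -> bool:
        """Pass exempted destinations unconditionally, else require an authenticated MAC."""
        if pkt.dst_ip in self.allowed_ips:
            return True
        return pkt.src_mac in self.authenticated_macs


class BridgedAP:
    """Hypothetical AP in bridge mode: the client's own MAC reaches the portal."""

    def forward(self, client_mac: str, dst_ip: str, dst_port: int) -> Packet:
        return Packet(client_mac, dst_ip, dst_port)


class NatAP:
    """Hypothetical AP in NAT/router mode: every client leaves with the AP's MAC."""

    def __init__(self, ap_mac: str) -> None:
        self.ap_mac = ap_mac

    def forward(self, client_mac: str, dst_ip: str, dst_port: int) -> Packet:
        return Packet(self.ap_mac, dst_ip, dst_port)


def bypass_possible(ap, portal: CaptivePortal, first_client: str,
                    second_client: str, dst: str = "203.0.113.10") -> bool:
    """The two-machine check from the thread: log in from the first client,
    then see whether a second, unauthenticated client reaches an arbitrary host."""
    portal.authenticate(ap.forward(first_client, dst, 80).src_mac)
    return portal.allow(ap.forward(second_client, dst, 80))


def dns_reachable(portal: CaptivePortal, client_mac: str, dns_servers: list) -> list:
    """Which configured DNS servers an unauthenticated client can query (UDP/53)."""
    return [ip for ip in dns_servers if portal.allow(Packet(client_mac, ip, 53))]


if __name__ == "__main__":
    # Constructed addresses; the first DNS entry is the only exempted one.
    dns = ["192.168.1.2", "192.168.1.3", "198.51.100.53"]

    print("bridge-mode AP, second client passes without login:",
          bypass_possible(BridgedAP(), CaptivePortal({dns[0]}),
                          "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"))
    print("NAT-mode AP, second client passes without login:",
          bypass_possible(NatAP("00:11:22:33:44:55"), CaptivePortal({dns[0]}),
                          "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"))

    portal = CaptivePortal({dns[0]})
    print("DNS reachable before exemptions:", dns_reachable(portal, "aa:aa:aa:aa:aa:03", dns))
    portal.allowed_ips.update(dns[1:])
    print("DNS reachable after exempting the others:", dns_reachable(portal, "aa:aa:aa:aa:aa:03", dns))
```

In the NAT case the portal never sees a client MAC at all, so the first login effectively opens the AP for everyone behind it; in bridge mode each client is tracked separately. The DNS part shows why a second or third resolver only becomes usable once it is added to the portal's exemption list.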