 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  Janåke Rönnblom <j dot ronnblom at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] captive portal and radius
 Date:  Tue, 16 May 2006 09:55:07 +0200
> -----Original message-----
> From: Janåke Rönnblom [mailto:j dot ronnblom at gmail dot com]
> Sent: Tuesday 16 May 2006 9:07
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] captive portal and radius
> Hi!

Hi yourself
> I'm currently testing m0n0wall as a captive portal for our wireless
> network.
> However I need to allow traffic to a few
> networks through the m0n0wall but I can't find any way to add it except to
> add every IP address on the "Allow IP Addresses"
> tab. Is there any way to add a whole network?

Currently not (sorry); this behaviour may be changed in a future version.

> I have limited knowledge of m0n0wall and RADIUS so please forgive me if
> the
> answers to the following questions are obvious.
> On this network the students can be authenticated to two different Active
> Directories, would it be possible to let the user choose which
> domain (REALM in kerberos?) they should be authenticated against without
> the
> user having to type userid@domain?  I was thinking of
> presenting the different domains/realms in a drop-down box on the login
> page
> of the m0n0wall, is this possible and how do I send the REALM
> attribute to the RADIUS server?

The only way to do this is with javascript doing everything. Otherwise it's not possible. The user will
have to authenticate with userid@domain (untested situation for m0n0wall)

> I am using MS Windows 2003 IAS and RADIUS to test m0n0wall and have it
> running in the lab. I have enabled both Radius Authentication and
> Accounting. I probably will move this to freeradius to be able to support
> Radius Accounting before deploying in our production environment.

RADIUS accounting should work on IAS too.

> If I use the Session-Timeout attribute to disconnect users who can connect
> for only 1 hour per day would it be possible to show the user how much
> time
> they have left when they login?
This isn't possible. You can develop an 'ISP' web application where the user can login to see its
current status (download/upload traffic remaining session time). We currently use such an

> I suppose I need to use the Redirection-
> Url
> but how do I "forward" the Session-Timeout that is sent to m0n0wall to the
> Redirection-Url server?
Currently this isn't possible. But I already tried to add a javascript box into the logout popup
window which tells the user how much time there's left but I'm not a javascript geek. If somebody
could help me with the script I certainly can add it to the m0n0wall.

> When a user is logged out from the captive portal due to a DISCONNECT or a
> TIMEOUT is there a LOGOUT or an Accounting STOP message
> sent to the RADIUS? 
Yes there is.

> I can only find login messages from m0n0wall on my
> Windows 2003 IAS and in its eventlog.

M0n0wall radius development is tested against a Freeradius system. If nobody complains we assume
that everything is working fine on other radius systems too. So far I had only 1 non-confirmed issue
where the message was only "it doesn't work"

If you want to get it working on windows too you will need to spend time for debugging the issue with
me. You can't expect somebody will mysteriously solve it for you without knowing your situation.


Jonathan De Graeve
Network/System Engineer
Imelda vzw
Informatica Dienst
+32 15/50.52.98
jonathan dot de dot graeve at imelda dot be

Always read the manual for the correct way to do things because the number of incorrect ways to do
things is almost infinite
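
The realm drop-down "with javascript" approach discussed in this message, sketched as an added example (not part of the original e-mail and not m0n0wall code). The realm names are constructed placeholders, and the form field names `userid`, `realm` and `auth_user` are assumptions about the custom portal page.

```javascript
// Added example: build the RADIUS User-Name (userid@realm) from a realm
// drop-down on a custom captive portal login page.
// Realm names below are constructed placeholders.
const ALLOWED_REALMS = ["students.example.edu", "staff.example.edu"];

// Characters commonly interpreted as realm delimiters by RADIUS servers
// and proxies; a user id containing one could select a realm other than
// the one chosen in the drop-down.
const REALM_DELIMITERS = /[@\\\/%]/;

function buildRadiusUserName(userId, realm, allowed = ALLOWED_REALMS) {
  const id = String(userId).trim();
  if (id === "") throw new Error("User id is empty");
  if (REALM_DELIMITERS.test(id)) {
    throw new Error("Enter the user id only, without a domain");
  }
  if (/[\x00-\x1f\x7f\s]/.test(id)) {
    throw new Error("User id contains whitespace or control characters");
  }
  const r = String(realm).trim().toLowerCase();
  if (!allowed.includes(r)) throw new Error("Unknown realm");
  return id + "@" + r;
}

// Browser wiring (assumed form layout): a visible "userid" text input, a
// "realm" <select>, and a hidden "auth_user" input that the portal reads.
// Writing into a separate hidden field avoids appending the realm twice
// when a failed login is resubmitted.
function attachRealmSelector(form) {
  form.addEventListener("submit", (ev) => {
    try {
      form.elements["auth_user"].value = buildRadiusUserName(
        form.elements["userid"].value,
        form.elements["realm"].value
      );
    } catch (e) {
      ev.preventDefault();
      alert(e.message);
    }
  });
}
// The check above is a convenience for the user only: the POST can be
// crafted by hand, so the RADIUS server must still decide which realms
// it accepts and where each one is forwarded.
```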