 From:  Adeoye Oke <dexteroo at yahoo dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Captive Portal MAC-pass-through issues
 Date:  Mon, 3 Jul 2006 02:02:01 -0700 (PDT)

I have a m0n0 box set up to use captive portal, and all works great except certain aspects of the
pass-through MAC feature. Here is the actual scenario.

I have my clients using wired NICs behind wireless bridges, connected to my AP that goes directly
into my m0n0 box. I also wish to give each client a specific IP, so I set up static DHCP mappings for
each client, using their WIRED NIC MAC. Then I set up captive portal with these same MACs to allow
pass-through for those which I want to go through without authentication, and leave the rest to
authenticate against my RADIUS server.

When the client's wireless bridge associates with my AP, and his system then asks for an IP, DHCP
logs the client's MAC and allocates the desired IP - FINE. Now when the client (who should be let
through captive portal) tries to browse, he gets the captive portal page and is unable to proceed,
since he doesn't have a login ID. However, if I place his wireless-bridge MAC into the MAC
pass-through, he is able to bypass the portal page.

I initially thought the bridge wasn't letting the client MAC through, but I guess if DHCP in m0n0
sees it, then it does pass through the AP, so my concern is: why doesn't the captive portal see the
MAC also, and only sees the radio MAC? I tried using IP pass-through and that works fine, but it
is rather insecure for my deployment, because a lot of users try putting static IPs into their PCs
and may bypass the portal page altogether.

I searched the list archives and found some related posts, but nothing of this exact nature. The
suggestions I see are not likely to help me out much here, as I don't have the "disable MAC
filtering" option checked. Most clients also have only 1 PC behind their bridge, but in some cases
they may have more, and those are the cases where I cannot afford to place the bridge MAC into m0n0,
as they would use more PCs than I want them to.

Is there a quick fix or suggestion for this problem, or is there a bug in the m0n0 code? By the way, I
am using either Senao or Nexus APs, and most clients connect using Linksys wireless bridges or
Linux-hacked WRT54G routers.

Any/all suggestions welcome.
