First I'd like to say thanks to everyone for chipping in on this thread. It's nice to see a community share ideas in a constructive way for a change. There've been a lot of great ideas thrown out, both on the list and off. Here's what I've learned so far:

Based on Dinesh's statement about the MAC address, I'm pretty sure this won't work with the captive portal on the Internet side. To be more precise, the first user will open the server to the world, since m0n0 would see the MAC of the first upstream router. Since all traffic comes from that router, everyone is authorized on the first user. When the first user logs off, everyone will be shut out until someone else authenticates. So after 15 minutes of documenting a case, someone will hit submit only to find "Auth Required" and their notes lost. The first time that happens I'd receive a pink slip by postcard.

Sylikc's idea would work if technically minded users were involved, but most of our users are not. Also, most of the facilities we access from will not allow us to "install" programs on their computers. That's why we wanted this kind of functionality in the first place.

What I have left in the maybe category is:

- squid (http://www.squid-cache.org): It can auth connections. I have yet to find out if their auth is MAC, IP, or connection (http, https) based.
- OpenVPN (http://openvpn.org): This is slick stuff, and when the port with key management is done for m0n0 I have some projects for this. I'm guessing I can get the client to run from CD without installation, and since everything is in userland rather than kernel code, it should run without administrator privileges.
- NetScreen-SA 1000 SSL VPN appliance: It looks like it would do the job, but at 9K for 25 users it is hard to sell. I sent my customer an e-mail last night and I _can_ wait to see his reaction. Of course, when I look at the cost of the intrusion, 9K is nothing. If anyone ever got his data, damages could easily be in the tens of millions.

If anyone cares to comment on these ideas I'd love to hear feedback and alternate suggestions. I know several people here are seeking a solution like this, so hopefully this will help someone.

Thanks again,
Mike
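The failure mode Mike describes (one upstream router hides every remote user behind a single MAC and IP, so a MAC-keyed captive portal authorizes or locks out all of them together) is easy to model. The following is an added example written for this page; it is not m0n0wall, squid or OpenVPN code and makes no claim about how any of those products implement authentication. It assumes a gateway that keys authorization on the source MAC it sees, contrasts it with a check that is keyed on credentials carried in each request (the kind of per-request check an HTTP proxy can do via the Proxy-Authorization header), and uses constructed addresses, user names and passwords throughout. The "user:password" string stands in for a real credential header.

```python
"""Why MAC/IP-keyed captive-portal authorization collapses behind NAT.

Constructed example (not m0n0wall code): two users on one remote LAN
reach the gateway through a single upstream NAT router, so the gateway
sees the same source MAC and source IP for both of them.  A credential
carried in each request (the kind of thing a proxy checks in a
Proxy-Authorization header) still tells them apart.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Request:
    user: str                         # real sender; ground truth for the demo only
    src_mac: str                      # source MAC as the gateway sees it
    src_ip: str                       # source IP as the gateway sees it
    proxy_auth: Optional[str] = None  # "user:password" carried in the request, if any


class NatRouter:
    """Upstream router: every forwarded packet carries the router's own MAC/IP."""

    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip = mac, ip

    def forward(self, req: Request) -> Request:
        return Request(req.user, self.mac, self.ip, req.proxy_auth)


class MacCaptivePortal:
    """Authorization keyed on source MAC, the behaviour the post describes."""

    def __init__(self) -> None:
        self.allowed: Set[str] = set()

    def login(self, req: Request) -> None:
        self.allowed.add(req.src_mac)

    def logout(self, req: Request) -> None:
        self.allowed.discard(req.src_mac)

    def permits(self, req: Request) -> bool:
        return req.src_mac in self.allowed


class PerRequestAuthProxy:
    """Authorization keyed on credentials presented with each request."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users  # username -> password (plaintext here; demo only)

    def permits(self, req: Request) -> bool:
        if not req.proxy_auth:
            return False
        user, _, password = req.proxy_auth.partition(":")
        expected = self.users.get(user)
        # constant-time compare so a wrong guess leaks nothing by timing
        return expected is not None and hmac.compare_digest(expected, password)


def mac_portal_scenario() -> Dict[str, tuple]:
    """Alice logs in and out; Bob never authenticates but shares her NAT."""
    nat = NatRouter("00:11:22:33:44:55", "203.0.113.7")  # constructed addresses
    portal = MacCaptivePortal()
    alice = nat.forward(Request("alice", "aa:aa:aa:aa:aa:01", "192.168.1.10"))
    bob = nat.forward(Request("bob", "aa:aa:aa:aa:aa:02", "192.168.1.11"))
    out = {"before_login": (portal.permits(alice), portal.permits(bob))}
    portal.login(alice)   # only Alice authenticates...
    out["after_alice_login"] = (portal.permits(alice), portal.permits(bob))
    portal.logout(alice)  # ...and only Alice logs out, yet Bob is cut off too
    out["after_alice_logout"] = (portal.permits(alice), portal.permits(bob))
    return out


def proxy_scenario() -> Dict[str, bool]:
    """Same NAT, but each request carries its own credential."""
    nat = NatRouter("00:11:22:33:44:55", "203.0.113.7")
    proxy = PerRequestAuthProxy({"alice": "correct horse", "bob": "battery staple"})
    mk = lambda user, mac, ip, auth=None: nat.forward(Request(user, mac, ip, auth))
    return {
        "alice": proxy.permits(mk("alice", "aa:aa:aa:aa:aa:01", "192.168.1.10", "alice:correct horse")),
        "bob_no_credentials": proxy.permits(mk("bob", "aa:aa:aa:aa:aa:02", "192.168.1.11")),
        "bob_wrong_password": proxy.permits(mk("bob", "aa:aa:aa:aa:aa:02", "192.168.1.11", "bob:wrong")),
        "bob_ok": proxy.permits(mk("bob", "aa:aa:aa:aa:aa:02", "192.168.1.11", "bob:battery staple")),
    }


if __name__ == "__main__":
    print("MAC-keyed portal:", mac_portal_scenario())
    print("per-request proxy auth:", proxy_scenario())
```

The first scenario reproduces the post's complaint exactly: before Alice logs in nobody passes, after she logs in Bob passes without ever authenticating, and after she logs out Bob is locked out mid-session. The second shows that a credential presented on every request is unaffected by the shared MAC and IP. The caveat a practitioner would add is that per-request credentials cross the wire on every request, so that design only holds up over TLS (HTTPS to the proxy, or inside a VPN tunnel), which is part of why the OpenVPN and SSL VPN options in the post are attractive.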