Quasi-enterprise WiFi network
Colleagues,

I'm trying to set up a quasi-enterprise WiFi network for mobile devices. This will be a solution for a public library with the only requirement that guest users should get personal credentials for WiFi access from a librarian (not a shared PSK for everyone).

The library has a FreeBSD router with FreeRADIUS3, and several TP-Link APs which support "Enterprise WiFi" and can be RADIUS clients.

The point is I don't want to require customers to install X.509 certificates on their mobile devices; the network setup should be simple and transparent for the customer. I don't care if some Evil Hacker impersonates my quasi-enterprise network and collects all the passwords, so I really need no certificates to authenticate the network to customers.

The only condition is that each customer has a personal login/password which expires daily (any RADIUS server can expire accounts, I'm sure FreeRADIUS is no exception).

I would also consider a variant with FreeBSD+hostapd as AP (instead of the TP-Link routers) if it's more feasible.

Could you please point me in the right direction? Maybe I'm totally wrong and I should use a different approach altogether?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Fwd: Re: Quasi-enterprise WiFi network
Dammit, forgot to include the list again. Resending.

-- Forwarded message --
From: fjwc...@gmail.com
Date: Jan 7, 2018 8:58 AM
Subject: Re: Quasi-enterprise WiFi network
To: Victor Sudakov
Cc:

On Jan 7, 2018 6:31 AM, "Victor Sudakov" wrote:

> Colleagues,
>
> I'm trying to setup a quasi-enterprise WiFi network for mobile devices.
> This will be a solution for a public library with the only requirement
> that guest users should get personal credentials for WiFi access from a
> librarian (not a shared PSK for everyone).
>
> The library has a FreeBSD router with FreeRADIUS3, and several TP-Link APs
> which support "Enterprise WiFi" and can be RADIUS clients.
>
> The point is I don't want to require customers to install X.509
> certificates on their mobile devices, the network setup should be simple
> and transparent for the customer. I don't care if some Evil Hacker
> impersonates my quasi-enterprise network and collects all the passwords,
> so I really need no certificates to authenticate the network to customers.
>
> The only condition is that each customer has a personal login/password
> which expires daily (any RADIUS server can expire accounts, I'm sure
> FreeRADIUS is no exception).
>
> I would also consider a variant with FreeBSD+hostapd as AP (instead of the
> TP-Link routers) if it's more feasible.
>
> Could you please point me in the right direction. Maybe I'm totally wrong
> and I should use a different approach altogether?

You don't *need* RADIUS for this, although it may make some things easier in some setups.

All you need is a separate vlan for the "guest" wireless clients to connect to, at the default gateway for that vlan to the FreeBSD machine, and use firewall rules to redirect all "new" devices to a local Apache setup (new meaning you don't know the MAC address).

In Apache, you use mod_rewrite rules to change the requested URL to a local webpage where you display your rules and whatnot, along with the login page.

Write this in PHP or Ruby or Python or whatever your preferred web scripting language is, connecting to whatever authentication database you want to use. Upon successful login, add the MAC address to the firewall rules (tables work well for this) to allow internet traffic. At midnight, empty that table.

That's the setup we use at work (although with Linux on the wireless firewalls, using iptables and ipset) to provide wireless access to guests in the schools.

With this, you can even create an encrypted wireless setup, and just provide the PSK to the patrons on the same card as you provide their login info.

The mod_rewrite rules are the magic that provide the captive portal detection for mobile devices so that the login page appears automatically as soon as they connect to the wireless network. I can provide those tomorrow if you want, as I can't access them from home.

Cheers,
Freddie
Re: Fwd: Re: Quasi-enterprise WiFi network
Freddie Cash wrote:
>
> > I'm trying to setup a quasi-enterprise WiFi network for mobile
> > devices. This will be a solution for a public library with the only
> > requirement that guest users should get personal credentials for WiFi
> > access from a librarian (not a shared PSK for everyone).
>
> You don't *need* RADIUS for this, although it may make some things easier
> in some setups.
>
> All you need is a separate vlan for the "guest" wireless clients to connect
> to, at the default gateway for that vlan to the FreeBSD machine, and use
> firewall rules to redirect all "new" devices to a local Apache setup (new
> meaning you don't know the MAC address).
>
> In Apache, you use mod_rewrite rules to change the requested URL to a local
> webpage where you display your rules and whatnot, along with the login

What you are suggesting is essentially a hand-made captive portal. I would be grateful for your mod_rewrite rules, but this will be a last resort. AFAIK there are implementations of a captive portal in M0n0wall and pfSense.

I've also seen howtos like
https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/

But if I can, I'd try a pure WiFi solution first, of course if it exists.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
Re: Fwd: Re: Quasi-enterprise WiFi network
On Jan 7, 2018 10:04 AM, "Victor Sudakov" wrote:

> Freddie Cash wrote:
> >
> > > I'm trying to setup a quasi-enterprise WiFi network for mobile
> > > devices. This will be a solution for a public library with the only
> > > requirement that guest users should get personal credentials for WiFi
> > > access from a librarian (not a shared PSK for everyone).
> >
> > You don't *need* RADIUS for this, although it may make some things easier
> > in some setups.
> >
> > All you need is a separate vlan for the "guest" wireless clients to connect
> > to, at the default gateway for that vlan to the FreeBSD machine, and use
> > firewall rules to redirect all "new" devices to a local Apache setup (new
> > meaning you don't know the MAC address).
> >
> > In Apache, you use mod_rewrite rules to change the requested URL to a local
> > webpage where you display your rules and whatnot, along with the login
>
> What you are suggesting is essentially a hand-made captive portal. I
> would be grateful for your mod_rewrite rules, but this will be a last
> resort. AFAIK there are implementations of a captive portal in
> M0n0wall and pfSense.
>
> I've also seen howtos like
> https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/
>
> But if I can, I'd try a pure WiFi solution first, of course if it
> exists.

Ah, ok, now I see what you mean by "quasi-enterprise WiFi". You are looking for a way to create an encrypted wireless connection where a username/password combo is used instead of a PSK, using something like (but not as heavy as) 802.1x.

Can't help with that. We stayed down the 802.1x path, had a working RADIUS setup, but balked at all the setup that would be required on the end-user devices and abandoned it.

There may be a way to do it automatically nowadays, without requiring client certs and 802.1x clients, but we haven't looked into it in over 5 years.

Good luck. Hopefully someone else has more insight. :D

Cheers,
Freddie
Re: Fwd: Re: Quasi-enterprise WiFi network
On Jan 7, 2018 10:40 AM, "Valeri Galtsev" wrote:

> On Sun, January 7, 2018 12:04 pm, Victor Sudakov wrote:
> > Freddie Cash wrote:
> >> >
> >> > I'm trying to setup a quasi-enterprise WiFi network for mobile
> >> > devices. This will be a solution for a public library with the only
> >> > requirement that guest users should get personal credentials for WiFi
> >> > access from a librarian (not a shared PSK for everyone).
> >
> >> You don't *need* RADIUS for this, although it may make some things
> >> easier in some setups.
> >>
> >> All you need is a separate vlan for the "guest" wireless clients to
> >> connect to, at the default gateway for that vlan to the FreeBSD machine,
> >> and use firewall rules to redirect all "new" devices to a local Apache
> >> setup (new meaning you don't know the MAC address).
> >>
> >> In Apache, you use mod_rewrite rules to change the requested URL to a
> >> local webpage where you display your rules and whatnot, along with the
> >> login
>
> One trouble I expect here is: if the client goes to https destination, it
> will complain about your local apache certificate, as the client expects
> next packet (SSL negotiation) to come from host it was going originally
> to. I've seen quite a few of similar things. "Home brew" words come to my
> mind, no offense intended. Even older or two WiFi setups central IT folks
> at big university I work for did this setup that breaks when client goes
> to SSL-ed URL. Next, what if client does not use web browser at all, and
> just attempts to ssh to external host... Of course, your mod_rewrite
> rules, Freddie, may help.

That was an issue with our original setup that only used firewall redirect rules, without the mod_rewrite stuff. It only worked if we walked people through visiting a non-encrypted website, in order to bring up our login page. As more and more sites started defaulting to HTTPS, it became cumbersome.

All mobile devices, including Windows/MacOS devices, include captive portal detection these days, where they attempt to connect to a specific set of HTTP sites after connecting to a network. The mod_rewrite rules intercept only these requests, and redirect them to the login page.

The original process was:
- connect to wireless network
- enter wireless key
- open browser and access website
- get redirected to login page
- login

With the mod_rewrite rules, the process is just:
- connect to wireless network
- enter wireless key
- login page appears automatically
- login

Cheers,
Freddie
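The two mechanisms Freddie describes, a firewall table of authenticated MAC addresses that is emptied at midnight and interception of the connectivity-check probes that devices send right after associating, are shown below as an added Python example. It is not Freddie's mod_rewrite configuration (which was never posted in this thread) nor any project's code; it models the decision logic a portal front-end would implement in front of Apache. The probe hosts, paths and expected answers are the public endpoints the respective OS vendors use; the portal URL, MAC addresses and credentials are constructed sample values.

```python
"""Captive-portal decision logic (added example, not from the thread).

Two parts of the design from the thread are modelled:
  * AllowedTable: the firewall table of authenticated client MACs (a pf table
    on FreeBSD, ipset on Linux) that is emptied at midnight;
  * handle_request: for an unknown client every HTTP request goes to the
    login page, including the OS connectivity probes, which is what makes the
    login page pop up by itself; for a known client the probes get exactly the
    answer the OS expects, so it stops showing the "sign in to network" prompt.
"""
import hmac
from datetime import datetime, timedelta

PORTAL_URL = "http://10.1.1.1/login"   # constructed: the local Apache login page

# (host, path) -> (status, body) each vendor's client expects when the network
# is open. Anything else is a sign of a captive portal to the client.
PROBES = {
    ("captive.apple.com", "/hotspot-detect.html"):
        (200, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ("connectivitycheck.gstatic.com", "/generate_204"): (204, ""),
    ("www.msftconnecttest.com", "/connecttest.txt"): (200, "Microsoft Connect Test"),
    ("detectportal.firefox.com", "/success.txt"): (200, "success"),
}


class AllowedTable:
    """Stand-in for the firewall table of authenticated MAC addresses."""

    def __init__(self, now):
        self.macs = set()
        self.day = now.date()

    def flush_if_new_day(self, now):
        """'At midnight, empty that table': drop every entry once the date changes."""
        if now.date() != self.day:
            self.macs.clear()
            self.day = now.date()

    def add(self, mac, now):
        self.flush_if_new_day(now)
        self.macs.add(mac.lower())

    def contains(self, mac, now):
        self.flush_if_new_day(now)
        return mac.lower() in self.macs


def handle_request(table, mac, host, path, now):
    """Return (status, headers, body) for an HTTP request from the guest vlan."""
    if not table.contains(mac, now):
        # Unknown device: whatever it asked for, send it to the login page.
        return 302, {"Location": PORTAL_URL}, ""
    if (host, path) in PROBES:
        # Known device: answer the probe the way the vendor's server would.
        status, body = PROBES[(host, path)]
        return status, {}, body
    # Ordinary traffic from a known device; the firewall would not redirect it.
    return 200, {}, "PASS-THROUGH"


def login(table, mac, username, password, credentials, now):
    """Portal login handler: on success the MAC is allowed until midnight."""
    expected = credentials.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return False
    table.add(mac, now)
    return True


def demo():
    """Walk one patron through a day; returns the statuses observed."""
    t0 = datetime(2018, 1, 7, 10, 0)
    table = AllowedTable(t0)
    mac = "aa:bb:cc:dd:ee:01"                 # constructed
    creds = {"patron42": "s3cret-for-today"}  # constructed, handed out by the librarian
    before = handle_request(table, mac, "captive.apple.com", "/hotspot-detect.html", t0)[0]
    ok = login(table, mac, "patron42", "s3cret-for-today", creds, t0)
    after = handle_request(table, mac, "connectivitycheck.gstatic.com", "/generate_204", t0)[0]
    next_day = handle_request(table, mac, "connectivitycheck.gstatic.com", "/generate_204",
                              t0 + timedelta(days=1))[0]
    return before, ok, after, next_day


if __name__ == "__main__":
    print(demo())
```

The probe list is the part that needs maintenance: vendors add or rename endpoints, and a probe that is not on the list still reaches the portal (the firewall redirects everything from an unknown MAC), it just will not trigger the automatic pop-up. Valeri's HTTPS objection also shows up here: the redirect only works for plain HTTP, which is why intercepting the HTTP probes rather than arbitrary traffic matters.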
Re: Fwd: Re: Quasi-enterprise WiFi network
On Sun, January 7, 2018 12:04 pm, Victor Sudakov wrote:
> Freddie Cash wrote:
>> >
>> > I'm trying to setup a quasi-enterprise WiFi network for mobile
>> > devices. This will be a solution for a public library with the only
>> > requirement that guest users should get personal credentials for WiFi
>> > access from a librarian (not a shared PSK for everyone).
>
>> You don't *need* RADIUS for this, although it may make some things
>> easier in some setups.
>>
>> All you need is a separate vlan for the "guest" wireless clients to
>> connect to, at the default gateway for that vlan to the FreeBSD machine,
>> and use firewall rules to redirect all "new" devices to a local Apache
>> setup (new meaning you don't know the MAC address).
>>
>> In Apache, you use mod_rewrite rules to change the requested URL to a
>> local webpage where you display your rules and whatnot, along with the
>> login

One trouble I expect here is: if the client goes to https destination, it will complain about your local apache certificate, as the client expects next packet (SSL negotiation) to come from host it was going originally to. I've seen quite a few of similar things. "Home brew" words come to my mind, no offense intended. Even older or two WiFi setups central IT folks at big university I work for did this setup that breaks when client goes to SSL-ed URL. Next, what if client does not use web browser at all, and just attempts to ssh to external host... Of course, your mod_rewrite rules, Freddie, may help.

>
> What you are suggesting is essentially a hand-made captive portal. I
> would be grateful for your mod_rewrite rules, but this will be a last
> resort. AFAIK there are implementations of a captive portal in
> M0n0wall and pfSense.

Thanks, Victor!

Valeri

> I've also seen howtos like
> https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/
>
> But if I can, I'd try a pure WiFi solution first, of course if it
> exists.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> AS43859

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: Fwd: Re: Quasi-enterprise WiFi network
Freddie Cash wrote:
>
> Ah, ok, now I see what you mean by "quasi-enterprise WiFi". You are looking
> for a way to create an encrypted wireless connection where a
> username/password combo is used instead of a PSK, using something like (but
> not as heavy as) 802.1x.

I don't even need an *encrypted* wireless connection, these username/login pairs are not precious, and the traffic is just Internet.

Yet another problem with captive portals is that not all client applications are web browsers. I personally get very annoyed when my mobile RSS reader or some other app does not work until I visit some stupid web page.

> Can't help with that. We stayed down the 802.1x path, had a working RADIUS
> setup, but balked at all the setup that would be required on the end-user
> devices and abandoned it.
>
> There may be a way to do it automatically nowadays, without requiring
> client certs and 802.1x clients, but we haven't looked into it in over 5
> years.

Yes, that's what I'm looking for, without requiring client certs and 802.1x clients.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
Re: Fwd: Re: Quasi-enterprise WiFi network
Freddie Cash wrote:
> > One trouble I expect here is: if the client goes to https destination, it
> > will complain about your local apache certificate, as the client expects
> > next packet (SSL negotiation) to come from host it was going originally
> > to. I've seen quite a few of similar things. "Home brew" words come to my
> > mind, no offense intended. Even older or two WiFi setups central IT folks
> > at big university I work for did this setup that breaks when client goes
> > to SSL-ed URL. Next, what if client does not use web browser at all, and
> > just attempts to ssh to external host...
>
> That was an issue with our original setup that only used firewall redirect
> rules, without the mod_rewrite stuff. It only worked if we walked people
> through visiting a non-encrypted website, in order to bring up our login
> page. As more and more sites started defaulting to HTTPS, it became
> cumbersome.
>
> All mobile devices, including Windows/MacOS devices, include captive portal
> detection these days, where they attempt to connect to a specific set of
> HTTP sites after connecting to a network. The mod_rewrite rules intercept
> only these requests, and redirect them to the login page.

Your mod_rewrite rules are becoming more and more interesting. Please do post them.

There is one more drawback however I have just thought about. If I go for a WiFi solution, I can deploy just an AP at some remote branch as a RADIUS client of the central FreeRADIUS server. If I go for a captive portal solution, I would need to install captive portals at every branch, or tunnel Internet traffic via the central hub.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
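Whichever way the thread's question is settled, the RADIUS side that Victor describes (a central FreeRADIUS server, branch APs as its RADIUS clients, personal credentials that expire daily) needs someone at the desk to mint accounts. The following is an added Python example, not part of the thread and not FreeRADIUS code: a small tool a librarian could run that generates a one-day credential and emits the matching entry for the FreeRADIUS `users` file (files module). It assumes the `Expiration` check item handled by rlm_expiration with the date format "Mon DD YYYY HH:MM" as documented for it (check the syntax against the installed FreeRADIUS version); the user-name convention and the run date are constructed samples. `Cleartext-Password` is used so the same entry serves both a PAP login from a portal and password-based EAP methods on the AP.

```python
"""Issue one-day guest credentials as FreeRADIUS `users` file entries
(added example; the file syntax is FreeRADIUS's, the tool is not).

Setting Expiration to the end of the current day means the account simply
stops authenticating after midnight, with no cleanup job or table flush.
"""
import re
import secrets
import string
from datetime import datetime

ALPHABET = string.ascii_letters + string.digits   # no quotes, commas or spaces
USERNAME_PREFIX = "guest"                          # constructed convention
SAMPLE_DAY = datetime(2018, 1, 7)                  # constructed: the day the thread was written
USERNAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def random_password(length=10):
    """Password short enough to print on a card; secrets is CSPRNG-backed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def expiration_for(day):
    """End-of-day timestamp in the format rlm_expiration parses, e.g. 'Jan 07 2018 23:59'."""
    return day.strftime("%b %d %Y 23:59")


def users_entry(username, password, day):
    """One `users` line: the name, then comma-separated check items."""
    # Both values end up inside double quotes in the file, so reject anything
    # that could break out of the quoting or start a new entry.
    if not USERNAME_RE.match(username):
        raise ValueError("user name must be letters, digits or '-'")
    if any(ch not in ALPHABET for ch in password):
        raise ValueError("password must be letters and digits only")
    return (f'{username}\tCleartext-Password := "{password}", '
            f'Expiration := "{expiration_for(day)}"')


def issue(seq, day, password=None):
    """Credential number `seq` for `day`; returns (username, password, users_line)."""
    username = f"{USERNAME_PREFIX}{day:%Y%m%d}-{seq:03d}"
    password = password or random_password()
    return username, password, users_entry(username, password, day)


if __name__ == "__main__":
    # Print what the librarian hands out and what gets appended to `users`.
    today = datetime.now()
    user, pw, line = issue(1, today)
    print(f"card: login {user} / password {pw} (valid until midnight)")
    print(f"users file: {line}")
```

Appending the emitted line to the `users` file and restarting or HUPing radiusd makes the account live; a sequence counter per day keeps the names unique, and because every entry carries its own expiry date, yesterday's lines can be pruned at leisure rather than exactly at midnight.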