On 27.02.15 17:00, Michele Bergonzoni wrote:
> This is true for v6 if the client uses its MAC as an identifier,
> which it's not supposed to do and last time I checked was not true
> for Windows, or if clients or DHCP relays support RFC6939, which is
> quite new. See for example:
> https://lists.isc.org/pipermail/kea-dev/2014-June/000043.html

Oh, interesting - I hadn't realised that.

> Have you thought about engineering your captive portal with a dual
> stack DNS name (having both A and AAAA), a v4 only and a v6 only, and
> having your HTML embed requests with appropriate identifiers to
> correlate addresses? Of course there are HTTP complications and it is
> not perfect, but I guess that as long as it's a captive portal,
> kludginess cannot decrease below some level.

That was one of my options. However, it won't work in the case of WISPr
auto-logons because the page wouldn't be rendered by the client, so you
wouldn't expect it to fetch embedded bits either.

> I am really interested to hear what people are doing in the field of
> squid-powered captive portals, even more when interoperating with
> iptables/ip6tables.

At the moment, we've written a hybrid captive portal/http-auth system.
Essentially, we use HTTP proxy auth where we can and a captive portal
where we can't. HTTP proxy auth is preferable because every request
gets authenticated individually and we can use Kerberos. Unfortunately
a lot of software doesn't support it properly (I'm looking at you, Apple
and Google, although everyone else is getting pretty bad at it too) and
it also can't be used for transparent proxying (and again, a lot of
software just doesn't bother to support proxies these days, and it's
only getting worse). So we use the user-agent string to try and
identify the clients we can safely authenticate, and the rest rely on
cached credentials or captive portal.
Yes, it's a horrible bodge, but unfortunately that's where modern
software is driving us. :( For iOS and Android you can pretty much
forget using pure HTTP proxy authentication. Luckily iOS can use WISPr
to automatically log into a portal; sadly, vanilla Android still doesn't
include a WISPr client (I'd put money on this being down to patents!).
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
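
An added example, not part of the original thread, illustrating the identifier problem raised in the quoted text: a DHCPv6 DUID only sometimes embeds a MAC address, while the RFC 6939 client link-layer address option carries the address a relay actually saw. The function names and sample bytes are constructed for illustration; the option and DUID layouts follow RFC 8415 and RFC 6939.

```python
import struct

DUID_LLT, DUID_LL = 1, 3          # RFC 8415: the only DUID types that embed a link-layer address
HW_ETHERNET = 1
OPT_CLIENT_LINKLAYER_ADDR = 79    # RFC 6939, added by the first-hop relay

def mac_from_duid(duid):
    """Ethernet address embedded in a DUID, or None (DUID-EN, DUID-UUID).
    It may belong to another interface of the host, so it is only a hint."""
    if len(duid) < 4:
        return None
    dtype, hwtype = struct.unpack("!HH", duid[:4])
    if dtype == DUID_LLT:
        addr = duid[8:]               # skip type, hw type, 4-byte timestamp
    elif dtype == DUID_LL:
        addr = duid[4:]               # skip type, hw type
    else:
        return None
    return addr.hex(":") if hwtype == HW_ETHERNET and len(addr) == 6 else None

def mac_from_relay_options(options):
    """Walk Relay-forward options (code, length, value); return the RFC 6939 address or None."""
    pos = 0
    while pos + 4 <= len(options):
        code, length = struct.unpack("!HH", options[pos:pos + 4])
        value = options[pos + 4:pos + 4 + length]
        if len(value) < length:
            return None               # truncated option: do not guess
        if code == OPT_CLIENT_LINKLAYER_ADDR and length == 8:
            if struct.unpack("!H", value[:2])[0] == HW_ETHERNET:
                return value[2:].hex(":")
        pos += 4 + length
    return None

def client_mac(duid, relay_options=b""):
    """Prefer the address the relay observed on the wire; fall back to the DUID hint."""
    mac = mac_from_relay_options(relay_options)
    if mac:
        return mac, "rfc6939"
    mac = mac_from_duid(duid)
    return (mac, "duid") if mac else (None, "none")

# Constructed sample bytes (not captured traffic).
MAC = bytes.fromhex("02005e105566")
DUID_LLT_SAMPLE = struct.pack("!HHI", DUID_LLT, HW_ETHERNET, 0x1C39CF88) + MAC
DUID_UUID_SAMPLE = struct.pack("!H", 4) + bytes(range(16))
# Interface-Id option (code 18) followed by the RFC 6939 option.
RELAY_OPTS = (struct.pack("!HH", 18, 4) + b"eth0"
              + struct.pack("!HHH", OPT_CLIENT_LINKLAYER_ADDR, 8, HW_ETHERNET) + MAC)
```

A portal that keys sessions on MAC should record which source the address came from, since the "duid" result is not guaranteed to match the interface in use.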