
Re: Software for WLAN Hotspot




Kay-Michael Voit wrote:
|
|
|>> If we work with iptables, we have to authenticate the client in some
|>> way. Though I think it is possible to extend iptables, this would
|>> exceed my abilities a lot.
|>>
|>
|>
|> But maybe it would be the cleanest / best solution :-) Okay then ...
|>
|>
| I fully agree, but as I said, it exceeds my skill, I think....
|
|>> So, I would use existing possibilities, of which MAC address
|>> filtering is the safest for my purpose.
|>>
|>> Now there are two possibilities:
|>> 1. Writing a web-based interface, for example with PHP, to log in.
|>> Then a C/C++ based daemon adds some iptables rules, which allow the
|>> client to go online. +: platform independent -: one has to enter his
|>> MAC address, for I don't know any possibility to determine one's IP
|>> through PHP (and I don't think this is possible?)
|>>
|>
|>
|> It's possible to read his IP with PHP. It's in the environment
|> variables when he executes your PHP script to log in. But I don't
|> know of actually translating it to the MAC for inserting into your
|> iptables rules.
|>
| Yes, I know, I'm just too stupid, reading my message again you will
| notice, that I wanted to write MAC address.
| IP is $_SERVER[REMOTE_ADDR] but I don't think this is useful here.
| Any solution how to determine the MAC automatically?

arp | grep MAC:ADDR:ESS:0

Sorry, can't resist.
|
|>> 2. Daemon as above, but with client software which sends password and
|>> MAC address to server. (because they are one-time, they can be
|>> transmitted plaintext) +: See above -: Client software...
|>>
|>
|>
|> Bad because client-software.
|>
|> All the "big" firms do it via webbrowser so I think that's the way to go.
|>
|>
| That's what I said.... but it is the easiest solution. Perhaps one could
| do both client and web interface, like some ISPs provide a dial-up
| software though it's possible to dial up "normally"
|

IMHO client software isn't necessary after all

Use DHCP to hand out IP addresses
write IP address, hostname, and state file into DNS
set up an iptables REDIRECT rule for that IP to the authentication website
(https).

You can use SecureID, plaintext or x509 certs here. Depending on what
you need.
You can give out one-time tickets at the webserver and write records into
billing DBs or to RADIUS or whatever if needed.

set state to authenticated after successful login
and write time left into state too. Write a scope limitation into state,
if needed.

remove redirection rule or rewrite to point to proxy.

Use a cron script to check and count down the state record in DNS.

Set the ARP cache to 1 minute and if a system wasn't seen for two
minutes the user is logged out. So remove DHCP lease, DNS records etc.

You can hold a table with MAC address and time-left information
and check it as soon as a new WLAN client connects.

|> Well all okay. But how do you want a user to log off automatically?
|> E.g. if there is no traffic from his IP for the last 15 minutes you
|> want to automatically log him off, right? One way would be to use a
|> browser-window that remains open (small one) and is reloaded every
|> minute. This way you can timeout a user easily.
|>
| Or you can let the daemon watch logs. Just log every new connection
| (SYN bit set) with iptables and filter the address.

As I said, the box is the default gateway, so just use the ARP cache.

|> Btw: Using this solution you can add a rule when the user is "logged
|> off" like: requests for http (port 80) to any ip rewrite to local
|> apache (for logging in). If somebody is logged out and tries to access
|> any webpage in the "open world" he's redirected to your apache.
|>
| nice idea
|
|> Hmm ... the more I think about it, the simpler this solution looks :-)
|>
| There must be a snag, if it is easy enough for me to code :)
|
|> Give it a try. And please keep me posted on your findings.
|>
| I'll try


greets Uwe
- --
As far back as I recall (nearly 20 years I guess, though rather vaguely
at times) there's only ever been one scene more bitchy than goths, and
that's the gay scene. - /mel/  in uk.people.gothic
http://www.lifeishell.de/
http://www.darkregensburg.de/wardance/
http://www.highspeed-firewall.de/adamantix/


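An added example, not code from the thread or from Uwe, of the design sketched above: a per-IP REDIRECT of port 80 to the local HTTPS login page, removed on login and re-added on logout, plus the cron-driven countdown that logs a client out when its ticket runs out or its MAC is no longer in the neighbour table. The state-line format, the login port 443, the one-minute interval and the sample neighbour table are assumptions of this example.

```shell
#!/bin/sh
# Captive-portal countdown (added example). State lines are "IP MAC SECONDS_LEFT".
# IPTABLES defaults to "echo iptables" so the script only prints the rules it
# would apply and can be dry-run without root; set IPTABLES=iptables on a gateway.
IPTABLES="${IPTABLES:-echo iptables}"
LOGIN_PORT=443   # assumption: the login site listens on 443 on the gateway
INTERVAL=60      # assumption: cron runs the countdown once a minute

# Constructed sample of `ip -4 neigh show` output (not captured from a real box).
SAMPLE_NEIGH='10.0.0.11 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.12 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
10.0.0.13 dev wlan0  FAILED'
# Constructed state file: IP MAC SECONDS_LEFT.
SAMPLE_STATE='10.0.0.11 00:11:22:33:44:55 600
10.0.0.12 66:77:88:99:aa:bb 30
10.0.0.13 cc:dd:ee:ff:00:11 900'

# True when the MAC still has an entry in the neighbour table. FAILED and
# INCOMPLETE entries carry no lladdr, so a client that dropped off does not match.
mac_seen() { printf '%s\n' "$2" | grep -q -- "lladdr $1 "; }

# Rule that sends all of one client's port-80 traffic to the login page;
# $1 is the iptables action (-A to add, -D to delete), $2 the client IP.
redirect_rule() {
  echo "-t nat $1 PREROUTING -s $2 -p tcp --dport 80 -j REDIRECT --to-ports $LOGIN_PORT"
}
# Successful web login: drop the redirect (rule output goes to stderr) and
# emit the new state line "IP MAC SECONDS_LEFT" on stdout.
portal_login()  { $IPTABLES $(redirect_rule -D "$1") >&2; echo "$1 $2 $3"; }
# Logout (expired ticket or client vanished): put the redirect back.
portal_logout() { $IPTABLES $(redirect_rule -A "$1") >&2; }

# Cron job body: old state on stdin, neighbour table as $1, surviving state
# on stdout. A client missing from the table is logged out at this tick.
tick() {
  while read -r ip mac left; do
    [ -n "$ip" ] || continue
    if ! mac_seen "$mac" "$1"; then portal_logout "$ip"; continue; fi   # not seen
    left=$((left - INTERVAL))
    if [ "$left" -le 0 ]; then portal_logout "$ip"; continue; fi        # time used up
    echo "$ip $mac $left"
  done
}
```

Run as `printf '%s\n' "$SAMPLE_STATE" | tick "$SAMPLE_NEIGH"` to see 10.0.0.11 survive with 540 seconds left while 10.0.0.12 (expired) and 10.0.0.13 (gone from the neighbour table) get their REDIRECT rule back.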
