[Steinbäcker, Markus] Captive portal supporting multiple Subnets, Vlans


Russell Senior

Feb 2, 2010, 5:21:47 PM
to ptp-g...@googlegroups.com

Any thoughts on this?

Subject: Captive portal supporting multiple Subnets, Vlans
Date: Sat, 30 Jan 2010 13:26:29 +0100
Message-ID: <9A839A27DC208D4C821A...@asgrz12.bit.local>
From: "Steinbäcker, Markus" <Markus.St...@bitonline.cc>
To: <in...@personaltelco.net>

Hi,

I found your website to be one of the most informative on the web in the
field of captive portals, so I kindly ask you for some conceptual
information about the scenario described below.

I ran into a scenario where an existing network infrastructure
(L3 switches, access points, routers) should provide guest access
using a captive portal.

I am familiar with captive portals running on geographically
distributed access points (e.g. restaurant chains), using a central
login page and RADIUS. In all those cases the captive portal runs on the
local subnet, serving as router and DHCP server. Is this a requirement, or
can a captive gateway also be placed behind one or more routers?


In my scenario I would need a "central" captive portal (gateway) to
which I can route all the Internet traffic from one site. Ideally the
gateway can restrict users based on VLAN IDs, subnet IDs or SSIDs,
e.g. users belonging to a RADIUS group called "guests" are only granted
access if they are connected to specific SSIDs, VLAN IDs or subnets.
It would be even nicer if there could be multiple login pages based
on these IDs.

Is there anything on the market which would serve my needs?

P.S.: My basic idea was to run multiple instances of a captive portal
(in my case coova-chilli) on a single server, then use iptables (or
something like that) to forward the client connections based on IP,
VLAN or SSID to the appropriate instance. Could this work?

Thank you for answering.

Markus Steinbäcker


bit schulungscenter Nfg GmbH & Co KG | Kaerntner Strasse 311, 8054
Graz | FN 264297 y | ATU61831566 | Place of jurisdiction: Graz

bit management Beratung GesmbH | Kaerntner Strasse 311, 8054 Graz | FN
147857m | ATU58011225 | Place of jurisdiction: Graz

bit media e-learning solution GmbH & Co KG | Kaerntner Strasse 311,
8054 Graz | FN 195426d | ATU49978207 | Place of jurisdiction: Vienna

Unternehmensberatung bit consulting GmbH | Kaerntner Strasse 311, 8054
Graz | FN 196369d | ATU49853109 | Place of jurisdiction: Graz

--
Russell Senior, President
rus...@personaltelco.net

Irving Popovetsky

Feb 3, 2010, 3:13:39 PM
to ptp-g...@googlegroups.com, Markus.St...@bitonline.cc
Markus,

A traditional captive portal could work, but would not be completely
effective in this scenario. This is because most captive portals (that
I've used) expect to act as the L3 gateway to a flat L2 network. I
think that most tools will want to use a combination of source IP
address and MAC address, and might get confused by an intermediary router.

If I wanted to get this 100% right I would use something like
Smoothwall, configured as a transparent proxy with a redirected SSL
login page. You can then allow unauthenticated access exceptions on a
per-VLAN-interface or subnet basis.

Smoothwall is Linux-based. I know from experience that the commercial
variant (http://www.smoothwall.net/ , not very expensive) will handle
this with flying colors. Pretty sure the free OSS variant will as well
(http://www.smoothwall.org/ ).

Also, because I can't resist asking: if you are putting guests on your
(assuming) corporate network, why is controlling Internet access your
primary concern?

-Irving


Steinbäcker, Markus

Feb 4, 2010, 7:00:12 AM
to Irving Popovetsky, ptp-g...@googlegroups.com
Hi Irving,

Thanks for your answer. I did some testing, which looks quite good.

We use ChilliSpot, since we are familiar with it from DD-WRT access points.

First I tried ChilliSpot behind a chain of L3 devices; it seems to have no need of L2.
(Client -> VLAN -> Core L3 switch -> Router -> Router with ChilliSpot) and it worked.

Then I routed all the WLAN traffic to one gateway and configured it to use source-based routing with iptables and iproute2.
Then I started multiple instances of ChilliSpot as captive gateways with different configurations.
Depending on the source subnets, clients are routed to one of these instances.
In RADIUS every instance has its own NAS-ID, so that users can be limited to this instance and, as a consequence, to the appropriate subnets and SSIDs.
I can also define different login pages, bandwidth, time restrictions... for each instance.

What we have to do now is to write a web interface which allows us to create a new "WLAN", list the associated subnets and create users.
A script will change the routing table and policies, create a chilli config file, add a NAS and a user group to RADIUS and start a new instance of ChilliSpot.
After the first tests, I am quite optimistic that this could work.

In this case we would be able to limit specific guests to specific SSIDs without changing the existing network infrastructure.

I work in a training center, and our customers need Internet access. Of course they are completely separated from our company network.
But they need access from different locations and course rooms, and sometimes companies need specific ports opened which are normally closed by a firewall.
Until now we had an open WLAN for customers, but:

Why are we concerned about our visitors' Internet access?
Look at that:

Markus






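The setup Markus describes in his reply (one routing table per guest subnet selected by source address, one ChilliSpot instance per WLAN with its own NAS-ID, and a provisioning script that adds the routing policy, writes the chilli config, adds the RADIUS entry and starts the instance), written out as an added example in POSIX shell. This is not code from the thread, from ChilliSpot or from FreeRADIUS: interface names, addresses, VLAN and table numbers, secrets and paths are constructed, and the next hop of each per-subnet table is assumed to be the address at which that WLAN's chilli instance is reached. With DRY_RUN=1 (the default) the privileged `ip` and `chilli` commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not code from the thread, ChilliSpot or FreeRADIUS):
# provision one guest "WLAN" the way Markus's script is described. All
# interface names, addresses, table numbers, secrets and paths are
# constructed assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"                      # 1: print privileged commands
CONF_DIR="${CONF_DIR:-/tmp/chilli-example}"  # where generated files go

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# plan_routing SUBNET TABLE NEXTHOP
# Source-based routing with iproute2: packets *from* the guest subnet are
# looked up in their own table, whose only default route points at the
# address where this WLAN's chilli instance is reached (assumption).
plan_routing() {
    subnet=$1; table=$2; nexthop=$3
    run ip rule add from "$subnet" lookup "$table" priority "$((1000 + $table))"
    run ip route add default via "$nexthop" table "$table"
    run ip route flush cache
}

# write_chilli_conf NAME SUBNET VLAN NASID  -> prints the config path
# One ChilliSpot config per instance: its own network, VLAN sub-interface,
# NAS-Identifier and login page, so RADIUS can tell the instances apart.
write_chilli_conf() {
    name=$1; subnet=$2; vlan=$3; nasid=$4
    conf="$CONF_DIR/chilli-$name.conf"
    mkdir -p "$CONF_DIR"
    cat > "$conf" <<EOF
# generated for WLAN "$name" (constructed values)
net $subnet
dhcpif eth1.$vlan
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret CHANGEME-radius-secret
radiusnasid $nasid
uamserver https://portal.example.invalid/$name/login
uamsecret CHANGEME-uam-secret
pidfile /var/run/chilli-$name.pid
EOF
    printf '%s\n' "$conf"
}

# write_radius_users NAME NASID  -> prints the fragment path
# FreeRADIUS "users" fragment. The first matching entry wins, so the
# NAS-Identifier check item makes the account valid only on its own portal
# instance; the second entry rejects it on every other instance.
write_radius_users() {
    name=$1; nasid=$2
    frag="$CONF_DIR/users-$name"
    mkdir -p "$CONF_DIR"
    cat > "$frag" <<EOF
# constructed sample account for WLAN "$name"
guest-$name    Cleartext-Password := "CHANGEME", NAS-Identifier == "$nasid"
        Session-Timeout = 3600,
        WISPr-Bandwidth-Max-Down = 2000000
guest-$name    Auth-Type := Reject
        Reply-Message = "account not valid on this portal"
EOF
    printf '%s\n' "$frag"
}

# add_wlan NAME SUBNET VLAN TABLE NEXTHOP
# The whole procedure for one WLAN: routing policy, chilli config,
# RADIUS entry, then start the instance.
add_wlan() {
    name=$1; subnet=$2; vlan=$3; table=$4; nexthop=$5
    plan_routing "$subnet" "$table" "$nexthop"
    conf=$(write_chilli_conf "$name" "$subnet" "$vlan" "portal-$name")
    write_radius_users "$name" "portal-$name" >/dev/null
    run chilli --conf "$conf"
}

if [ "${1:-}" = demo ]; then
    add_wlan room-a 10.10.1.0/24 101 101 192.168.100.11
fi
```

Run it as `sh provision-wlan.sh demo` to see the plan for one WLAN; with `DRY_RUN=0` it applies the rule and route and starts the instance, which needs root. The RADIUS fragment is what gives the per-instance restriction Markus mentions: because the first matching entry in the users file wins, an account whose NAS-Identifier check item names one portal instance matches only there, and the second entry rejects it on every other instance.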
