
Captive Proxy

‘lo all. Things have been quite busy around here…hence the lack of updates. Work has been insanely busy due mostly to post-merger integration stuff…trying to (gracefully) integrate two completely different networks isn’t easy, to say the least…

One of the things I need to do soon is implement some sort of captive proxy/authentication system for our wireless VLAN. I’ve never implemented something like this before, so it’s gonna take a bit of research and tinkering. If y’all have recommendations on how to accomplish this, I’m all ears. Extra points if it can authenticate against either OpenLDAP or Active Directory :-) I’ve researched the NoCatAuth project, which seems to be the most mature out there, but I’m not sure it’s exactly what I’m looking for. Another possibility is to use m0n0wall, which comes with a built-in captive proxy. That would be very easy to set up and maintain, but may not be as flexible as we want in the future. I dunno. Maybe if I just click my heels together it’ll just happen…

  1. June 22nd, 2005 at 21:44 | #1

    If you want quick and dirty (and don’t need to handle a ton of traffic), there’s the all-in-one things (http://www.dlink.com/products/category.asp?cid=81&sec=2 and there are other vendors I think too). That may be simple enough to let usage determine needs for a more permanent solution if necessary later.

    Perfigo (one of the big edu ones) basically does a DHCP based thing and passthrough. Everyone’s in one VLAN, and it hands out restricted IPs to unknowns, and then on registration of some sort it puts them into an OK pool. I think everything other than maybe the first version did some sanity checks that the IP was actually issued and it matches the MAC too. I’ve heard it works well.

    Our previous solution was based on the switch fabric’s ability to do MAC based VLANs. The default for the ports was registration, and then a simple web page grabbed the MAC from ARP when they authenticated and changed the VLAN for the MAC (which stuck anywhere on the switch fabric so roaming works). Our current solution is open (we don’t trust the wired network either, and usual time to identify the owner of a machine doing bad stuff is under a minute even without registration, so it’s not a big deal for us).

    Our future system is based off Enterasys’ UPN which is an expansion of 802.1q with 802.1x or local web auth (switch does auth, authenticates to radius), or default vlan with some other web system that updates radius. I don’t know much about that; my closest interaction is some SOAP calls I’ve been given to latch into my IDS system (I basically run my own that uses combinations of firewall log parsing and a feed from the email server scanners that yanks people off the network a few seconds after they start causing trouble for things we’ve gotten annoyed with in the past). I believe Cisco has this as well.

    It’s sorta dependent on either the APs supporting VLANs and/or layer 2-4 traffic policies per associated radio or the switches being able to separate back out the traffic per client. Hopefully that may help. You may find the EDUCAUSE WIRELESS-LAN group helpful too (http://www.educause.edu/WirelessLocalAreaNetworkingConstituentGroup/987).
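The DHCP-based registration scheme the comment above describes (unknown MACs get a restricted lease, registration moves them to the OK pool, and the portal checks that the registering IP was really issued and matches the MAC seen in ARP) is worth seeing as code, because the IP/MAC sanity check is exactly what stops one client from registering, or riding on, another client's address. The block below is an added example written for this page; it is not code from the post, from Perfigo, or from any other product named in the thread. The pool ranges, the lease table, the ARP snapshot, the user database and the `Portal` class are all constructed here for illustration; a real deployment would read leases from the DHCP server, the ARP table from the gateway, and authenticate against OpenLDAP or AD instead of the dict-backed stand-in.

```python
"""Captive-portal registration with the DHCP/ARP sanity check.

Added example, not code from the post or from any product it names.
Pool ranges, lease table, ARP snapshot and users are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumed pool layout: unknown MACs are leased out of RESTRICTED_POOL,
# registered MACs out of ALLOWED_POOL. The passthrough only forwards ALLOWED_POOL.
RESTRICTED_POOL = ipaddress.ip_network("10.99.0.0/24")
ALLOWED_POOL = ipaddress.ip_network("10.10.0.0/24")


@dataclass
class Portal:
    leases: Dict[str, str] = field(default_factory=dict)      # ip -> mac, as issued by DHCP
    registered: Dict[str, str] = field(default_factory=dict)  # mac -> username
    _next_restricted: int = 10
    _next_allowed: int = 10

    def issue_lease(self, mac: str) -> str:
        """DHCP side: restricted IP for unknown MACs, normal IP for registered ones."""
        mac = mac.lower()
        if mac in self.registered:
            ip = str(ALLOWED_POOL[self._next_allowed])
            self._next_allowed += 1
        else:
            ip = str(RESTRICTED_POOL[self._next_restricted])
            self._next_restricted += 1
        self.leases[ip] = mac
        return ip

    def register(self, src_ip: str, arp_table: Dict[str, str], username: str,
                 password: str, authenticate: Callable[[str, str], bool]) -> Tuple[bool, str]:
        """Web registration handler.

        src_ip is the address the HTTP request came from and arp_table is the
        gateway's current ip -> mac snapshot. The MAC is taken from ARP, never
        from anything the client sends, and must match what DHCP issued.
        """
        leased_mac = self.leases.get(src_ip)
        if leased_mac is None:
            return False, "ip-not-issued"        # static or spoofed IP, never handed out by DHCP
        seen_mac = arp_table.get(src_ip)
        if seen_mac is None:
            return False, "no-arp-entry"         # we have not actually seen this host
        if seen_mac.lower() != leased_mac:
            return False, "mac-mismatch"         # a different NIC is using someone else's lease
        if ipaddress.ip_address(src_ip) not in RESTRICTED_POOL:
            return False, "not-in-restricted-pool"
        if not authenticate(username, password):
            return False, "auth-failed"
        self.registered[leased_mac] = username   # next DHCP renewal lands in ALLOWED_POOL
        return True, "registered"

    def is_allowed(self, src_ip: str, src_mac: str) -> bool:
        """Passthrough decision: forward only if the IP/MAC pair is a lease in the
        allowed pool that belongs to a registered MAC."""
        mac = self.leases.get(src_ip)
        return (mac is not None and mac == src_mac.lower()
                and mac in self.registered
                and ipaddress.ip_address(src_ip) in ALLOWED_POOL)


def demo() -> Dict[str, object]:
    """Walk one client and one attacker through the flow; returns the decisions."""
    portal = Portal()
    users = {"alice": "correct horse"}           # constructed stand-in for an LDAP/AD bind
    auth = lambda u, p: users.get(u) == p
    alice, mallory = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"

    ip_a = portal.issue_lease(alice)             # restricted lease for an unknown MAC
    out = {"restricted_ip": ip_a}
    out["alice"] = portal.register(ip_a, {ip_a: alice}, "alice", "correct horse", auth)
    # Mallory picks a static address DHCP never issued.
    out["static_ip"] = portal.register("10.99.0.200", {"10.99.0.200": mallory},
                                       "alice", "correct horse", auth)
    # Mallory claims Alice's IP, but the gateway's ARP entry shows Mallory's NIC.
    out["hijack"] = portal.register(ip_a, {ip_a: mallory}, "alice", "correct horse", auth)
    ip_b = portal.issue_lease(alice)             # renewal now comes from the allowed pool
    out["allowed_ip"] = ip_b
    out["fwd_alice"] = portal.is_allowed(ip_b, alice)
    out["fwd_spoof"] = portal.is_allowed(ip_b, mallory)   # Mallory borrows Alice's new IP
    out["fwd_old"] = portal.is_allowed(ip_a, alice)       # old restricted lease stays blocked
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of the checks matters: the lease lookup and the ARP comparison run before the credential check, so a client on an unissued or hijacked address cannot even reach the point of presenting (possibly stolen) credentials. The same `is_allowed` pair check is what the comment's "sanity checks that the IP was actually issued and it matches the MAC" amounts to at forwarding time.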

  2. June 22nd, 2005 at 21:52 | #2

    The HP stuff looks interesting (http://www.hp.com/rnd/products/wireless/700wlseries/overview.htm) and according to a thread on that list from January, it authenticates against AD. Doesn’t look cheap, as it looks like it’s multiple parts that tie together.