Slashdot Mirror


Controlling Access to Wireless APs?

pvera asks: "A friend-of-a-friend-of-a-friend is thinking of offering wireless internet access at the medical conferences that he organizes. He already has people that can help him set up the access point itself and the connection to the internet, but he does not know how to control access. I am a T-mobile hot-spot subscriber, and my service uses some sort of proxy that does not allow me to surf thru their network unless I authenticate on a page that comes up regardless of what my home page is set to. Once I am authenticated, the proxy is transparent to me. Here in Arlington, VA there is a company called iSurf networks that has the exact same setup as T-mobile, only they sell their service thru pre-paid cards. The cards are just like phone cards: you scratch a strip on the back to get the account id and the password. While you use the connection it shows a pop-up with a count-down display so you know how much time is left on your card. Does anyone know of a commercial or open source product that allows this functionality? Or of a company that provides an outsourced solution to do this?"

7 of 30 comments

  1. might try... by Hubert_Shrump · · Score: 3, Informative
    --
    Keep your packets off my GNU/Girlfriend!
  2. NoCatAuth by Omega+Hacker · · Score: 4, Informative
    --
    GStreamer - The only way to stream!
  3. IPTables rules + Apache by Brian+Hatch · · Score: 3, Informative
    Obviously you need to have a firewall that is available from the wireless network. Configure this machine to give out DHCP addresses so the wireless network is effectively in bridge mode.

    When a machine joins the network, gets an IP address and attempts to hit a website, it will attempt to go through your firewall. You'll want to have this machine redirect the connection to a webserver on that machine that shows an "authenticate in some way, shape or form" page. Using whatever logic you want, it decides to allow this machine to go out the firewall unstopped. You could probably have this program write the IP address to a file or database or something.

    Some other process picks up that there's a new machine that should be granted access, and it creates a new iptables rule to allow it unrestricted outbound access, thus bypassing the "redirect everyone to our 'authenticate' page".

    Now the next issue is how to keep a new person from using this same IP address. You could watch for MAC address changes and remove the iptables rules if the MAC changes.

    This is a bit of a hasty response - heading out the door.

  4. DIY by Permission+Denied · · Score: 5, Informative
    Here's how these products work (and a way to build one yourself):

    The AP is hooked up to a FreeBSD box. The FreeBSD box runs NAT and DHCP. When the box sees a DHCP lease request from an unknown MAC, it gives the client an IP and puts the client in a "sandbox" network. This "sandbox" network redirects all IP packets to port 80 on the authentication server (two different ways to do this - either with dynamic ipfw rules, or directly through divert(4)). The authentication server asks for a username/password. Since you write this stuff yourself, you can integrate it with LDAP/Kerberos/flat files, etc. You can even get creative and set the password to something you print out on a receipt so the clients have to "buy" time from you, with the POS computers hooked up to the auth server, etc.

    Once the client authenticates, you modify the ipfw rules that redirected packets to the local machine so that packets run through the normal NAT stuff. You can also set up a cron job to delete stale entries so people have to re-authenticate every now and then.

    If you do this with ipfw, it's just a couple of rules. I ran into some problems doing it this way, so I wrote a little C program that directly inspected packets and passed them along using FreeBSD's divert(4) interface. (I get paid to do these sorts of things for people, so the code ain't mine to give away, and it would be pretty useless anyway since there's a lot of coding and admin work involved in integrating it.)

    For real security, you'll need to pass all packets through such a custom program anyway, so you can inspect whether or not that particular IP (given from a DHCP lease) has authenticated recently. You'll also need an AP that passes along MAC addresses unmodified. I know Cisco Aironets allow you to do this, and I know Linksys APs don't (Linksys APs are based on a Lucent chip that's used in lots of other APs like the Apple Airport).

    Note that someone with enough expertise can sniff the network, get a valid IP, DOS the real client, and then impersonate the already-authenticated MAC and IP. All systems which work in the way you described are vulnerable to this type of attack.

    Not a whole lot you can do to fight this; however, a while back, some guy submitted a paper to Slashdot about how you can tell if someone is spoofing a MAC based on some peculiarities with how most 802.11b cards handle a sequence number in the 802.11 protocol. I'm guessing his paper is new enough that none of the people who sell these pre-built systems implemented his idea, but if you do your own, you're free to implement whatever you want. Note that using this is still not foolproof (search my posting history for an example of an attack against a system which would use this idea and for the link to the original article).

    Basic conclusion: there is no bulletproof system which does what you need. If you implement it correctly (with an AP that passes along MACs unmolested in bridge mode), it makes it more difficult, and if you implement the anti-spoofing thing I mentioned, it just ups the bar even more, past the level of the script kiddies. Judge your security needs: such a wireless access system can be good enough if you ensure your confidential data is behind a real authentication system and is never sent over the wire clear-text. If you're worried about someone (someone capable) stealing 'net access from you, you should probably stay away from wireless.

    You seem to be looking for a pre-built system that does this sort of thing. Although I'm sure someone is selling this sort of thing, it's probably not popular because there are so many variables involved with integrating it into your existing infrastructure (cabling, routing, authentication systems, etc). Generally, you would get a competent consultant to build something like this for you if you don't have the requisite programmers and networking gurus. If you want to avoid the consulting fees, pick up some Richard Stevens books to learn networking and programming, and start running -CURRENT to learn proper system administration :)

    Have fun.
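    The firewall-side design sketched in comment 3 (redirect unauthenticated HTTP to a local page, then open the firewall per client) and the IP/MAC binding and stale-entry cleanup from comment 4 can be illustrated together with iptables on Linux. The script below is an added example, not code from any commenter; interface names, the portal port and the state-file path are assumptions, and by default it only echoes the iptables commands so it can be read and tested without root. Set `IPT=iptables` to apply the rules for real.

```shell
#!/bin/sh
# Captive-portal helper (added example). Assumed names: wlan0 faces the access
# point, eth0 faces the Internet, the portal web server listens on port 80.
WLAN="${WLAN:-wlan0}"
WAN="${WAN:-eth0}"
PORTAL_PORT="${PORTAL_PORT:-80}"
IPT="${IPT:-echo iptables}"            # IPT=iptables applies rules (root needed)
STATE="${STATE:-/tmp/captive-portal-state.$$}"   # "ip mac" per granted client

valid_ip()  { printf '%s\n' "$1" | grep -Eq  '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac() { printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# Base policy: everything from the wireless side is sandboxed until granted.
portal_init() {
  # Unauthenticated web requests are redirected to the portal on this box.
  $IPT -t nat -N CAPTIVE
  $IPT -t nat -A PREROUTING -i "$WLAN" -p tcp --dport 80 -j CAPTIVE
  $IPT -t nat -A CAPTIVE -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
  # DNS must work before login, or the browser never issues the HTTP request
  # that gets redirected.
  $IPT -A FORWARD -i "$WLAN" -o "$WAN" -p udp --dport 53 -j ACCEPT
  # Only clients listed in AUTHED may forward to the Internet; the rest is dropped.
  $IPT -N AUTHED
  $IPT -A FORWARD -i "$WLAN" -o "$WAN" -j AUTHED
  $IPT -A FORWARD -i "$WLAN" -o "$WAN" -j DROP
  $IPT -A FORWARD -i "$WAN" -o "$WLAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Called by the portal after a successful login: open the firewall for this
# client. The rule matches the lease IP *and* the MAC, so a later host that
# receives the same IP with a different card stays in the sandbox.
grant() {
  ip="$1"; mac="$2"
  valid_ip "$ip" && valid_mac "$mac" || return 1
  $IPT -I AUTHED 1 -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
  $IPT -t nat -I CAPTIVE 1 -s "$ip" -m mac --mac-source "$mac" -j RETURN
  printf '%s %s\n' "$ip" "$mac" >> "$STATE"
}

# Remove a client's grant (logout, lease expiry, or the periodic stale-entry sweep).
revoke() {
  ip="$1"; mac="$2"
  $IPT -D AUTHED -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
  $IPT -t nat -D CAPTIVE -s "$ip" -m mac --mac-source "$mac" -j RETURN
  grep -vFx "$ip $mac" "$STATE" > "$STATE.tmp" 2>/dev/null || true
  mv "$STATE.tmp" "$STATE"
}

# Comment 3's "watch for MAC address changes": given the MAC currently seen
# using an IP (e.g. read from the ARP/neighbour table), revoke the grant if it
# differs from the one recorded at login. Returns 2 when a grant was revoked.
check_mac() {
  ip="$1"; seen="$2"
  recorded=$(grep "^$ip " "$STATE" 2>/dev/null | head -n 1 | cut -d' ' -f2)
  [ -n "$recorded" ] || return 0         # nothing granted for this IP
  if [ "$recorded" != "$seen" ]; then
    revoke "$ip" "$recorded"
    return 2
  fi
  return 0
}
```

    A cron job can feed `check_mac` from the neighbour table and call `revoke` for entries older than the session length, which is comment 4's "delete stale entries" step. As comment 4 also notes, the IP+MAC binding only raises the bar: a client that spoofs both values of an authenticated session still passes these rules.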

  5. one way, or the other... by TheSHAD0W · · Score: 2, Informative

    If you want to restrict access, the best way (IMHO) is to set up a dedicated routing machine running some Unix variant, acting as a firewall between the APs and the net at large. Users can then log onto that machine using PPPOE or PPTP (depending on whether you want to encrypt the links as well).

  6. new topic/icon by DiSKiLLeR · · Score: 2, Informative

    Oooohhh, it's a new topic/icon. First story ever posted under 'software'.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  7. Look at what Stockholmopen.net did by snowtigger · · Score: 2, Informative

    In Stockholm (Sweden), there is actually a project which is exactly what you are looking for. They have access points in different places and common software for authentication. You get an ip-number automatically and must then authenticate on a webpage before connecting to the internet. It supports kerberos authentication too.

    Basically, it's a system designed to offer a wide coverage by little means and cooperation.

    Everything is at www.stockholmopen.net. You can download the software there too.