Sign in with
Sign up | Sign in
Your question

Captive Portal for Windows

Last response: in Wireless Networking
Share
Anonymous
November 6, 2004 5:39:04 PM

Archived from groups: alt.internet.wireless (More info?)

Hello,
Can anyone reccommend a decent captive portal / dynamic firewall
solution for windows? I've already seen firstspot (by patronsoft) but we
want to see if there are any other alternatives. Most of the solutions
(NoCatAuth, m0n0wall etc.) are Linux Based which is not what we want
(unless there is a specialised linux distro that ONLY has this, and
router fnctionallity built in - we are not interested in a full linux
distro to achieve this).

We do have a software development department who would be willing to
take some existing, opensource, firewall solution and modify it to our
ends - so that's an option.

So, we want, either:

Windows based CP solution, or
Dedicated Linux CP distro, or
Opensource firewall / CP soution under GPL that we can modify.


TIA

Peter Phillips

More about : captive portal windows

Anonymous
November 7, 2004 12:46:34 PM

Archived from groups: alt.internet.wireless (More info?)

On Sat, 6 Nov 2004 14:39:04 +0000 (UTC), Peter Phillips
<pphillips@_SPAMTRAP_kinetiqnetworks.com> wrote:

>Can anyone reccommend a decent captive portal / dynamic firewall
>solution for windows? I've already seen firstspot (by patronsoft) but we
>want to see if there are any other alternatives. Most of the solutions
>(NoCatAuth, m0n0wall etc.) are Linux Based which is not what we want
>(unless there is a specialised linux distro that ONLY has this, and
>router fnctionallity built in - we are not interested in a full linux
>distro to achieve this).
>
> We do have a software development department who would be willing to
>take some existing, opensource, firewall solution and modify it to our
>ends - so that's an option.
>
> So, we want, either:
>
> Windows based CP solution, or
> Dedicated Linux CP distro, or
> Opensource firewall / CP soution under GPL that we can modify.

It would be nice to know what you're building or trying to accomplish.

It would seem to me that any of the dedicated hotspot software would
do the job. I guess captive portal is almost the same thing as a
wi-fi hotspot. Many of these are made to run off compact flash cards
(simulated hard disk) or from a cdrom. Start at:
http://www.sourceforge.net
and use "hotspot" as a search key. Lots to choose from.

I'm not sure what you mean by "dynamic filewall". Google found a few
pages on the subject, but reading them implied that dynamic just means
easy to change.
http://www-106.ibm.com/developerworks/linux/library/l-f...
Unless you're running in a hostile environment that requires constant
security monitoring, I just don't see it. What type of environment is
this thing going to live?

I guess there are also some Windoze hotspot software packages. Google
found this:
http://www.yachtspot.net/22201.html
There are probably others but I didn't find any.

I'm not sure what to recommend. I use:
http://www.freesco.org
http://www.freescosoft.com
as a general purpose router, firewall, and access point manager. It
runs on CF (compact flash) cards, handles up to 10 ports, and is
fairly well supported. I used to run it on a floppy disk, but ran out
of space. There are no USB, wi-fi, hotspot, or captive portal
specific modules, so this may not be what you want. I've bludgeoned
it into something resembling a hotspot, but without all the
registration and billing stuff. I suppose it can be added if needed.

Good luck.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
November 7, 2004 1:54:11 PM

Archived from groups: alt.internet.wireless (More info?)

How about: www.dnsredirector.com


"Peter Phillips" <pphillips@_SPAMTRAP_kinetiqnetworks.com> wrote in message
news:cminm8$j40$1@titan.btinternet.com...
> Hello,
> Can anyone reccommend a decent captive portal / dynamic firewall
> solution for windows? I've already seen firstspot (by patronsoft) but we
> want to see if there are any other alternatives. Most of the solutions
> (NoCatAuth, m0n0wall etc.) are Linux Based which is not what we want
> (unless there is a specialised linux distro that ONLY has this, and router
> fnctionallity built in - we are not interested in a full linux distro to
> achieve this).
>
> We do have a software development department who would be willing to take
> some existing, opensource, firewall solution and modify it to our ends -
> so that's an option.
>
> So, we want, either:
>
> Windows based CP solution, or
> Dedicated Linux CP distro, or
> Opensource firewall / CP soution under GPL that we can modify.
>
>
> TIA
>
> Peter Phillips
Related resources
Anonymous
November 8, 2004 3:16:22 AM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann wrote:
> On Sat, 6 Nov 2004 14:39:04 +0000 (UTC), Peter Phillips
> <pphillips@_SPAMTRAP_kinetiqnetworks.com> wrote:
>
>
>>Can anyone reccommend a decent captive portal / dynamic firewall
>>solution for windows? I've already seen firstspot (by patronsoft) but we
>>want to see if there are any other alternatives. Most of the solutions
>>(NoCatAuth, m0n0wall etc.) are Linux Based which is not what we want
>>(unless there is a specialised linux distro that ONLY has this, and
>>router fnctionallity built in - we are not interested in a full linux
>>distro to achieve this).
>>
>> We do have a software development department who would be willing to
>>take some existing, opensource, firewall solution and modify it to our
>>ends - so that's an option.
>>
>> So, we want, either:
>>
>> Windows based CP solution, or
>> Dedicated Linux CP distro, or
>> Opensource firewall / CP soution under GPL that we can modify.
>
>
> It would be nice to know what you're building or trying to accomplish.

OK.. we are a WISP with a number of installations in the UK (South Wales).
Currently, we use RADIUS to authenticate the CPE MAC address at the
customer's premises. This was fine for a single dwellling, but now we
have the situation where one single bridge (the CPE) is serving 3
households, all with separate accounts with us. Now, if one of them
breaches our T&Cs we (at the moment) only have the option of disabling
the bridge, hence turning off access to the others. So, our thoughts of
overcoming this was to use a captive portal to capture each user (in the
same way as a hotspot), so each user will be presented with a login
screen before they get access. The users themselves could be
authenticated via radius in this way, and so gives us the option to turn
the bad user off whilst still keeping the good ones on. It also allows
us to manage bandwidth allocation at a user level rather than at the bridge.

The problem is, we cannot find one for Windows. As I mentioned though,
we would be willing to go for a Linux version, but only if it was a
dedicated distro to accomplish this task (we don't want one of the huge,
general purpose distros - the less there is to go wrong the better!).

As for 'dynamic firewall', this is just what a captive portal is.
1. a http request comes in from a user.
2. the firewall looks up the MAC address / IP address in it's table of
allowed users.
3. if it's not there, show the user a login screen, otherwise let the
request through.
4. capture this user login details and send it to our RADIUS server for
authentication (using a VPN).
5. on access-accept dynamically modify the firewall rules (i.e. add the
MAC / IP to the allowed users table) to let the user in.

We already have the RADIUS / billing system running fine, it's just this
bit that's missing.

Thanks in advance

Peter Phillips
Anonymous
November 9, 2004 12:44:04 PM

Archived from groups: alt.internet.wireless (More info?)

On Mon, 8 Nov 2004 00:16:22 +0000 (UTC), Sandy Baby
<bill@microsoft.com> wrote:

>OK.. we are a WISP with a number of installations in the UK (South Wales).
>Currently, we use RADIUS to authenticate the CPE MAC address at the
>customer's premises. This was fine for a single dwellling, but now we
>have the situation where one single bridge (the CPE) is serving 3
>households, all with separate accounts with us.

I'll assume the CPE is a simple wireless bridge that can only bridge
one MAC address and that you're distributing the traffic using a
fairly simple router. How do you keep the 3ea customers from seeing
each other?

>Now, if one of them
>breaches our T&Cs we (at the moment) only have the option of disabling
>the bridge, hence turning off access to the others.

Yeah, that would be nice. If each customer connected through a
different VPN tunnel, or was part of a VLAN, you could seperate the
traffic and control access. The VLAN would work, but traffic
management would be much easier at the IP level with VPN tunnels, than
at the MAC level with a VLAN.

>So, our thoughts of
>overcoming this was to use a captive portal to capture each user (in the
>same way as a hotspot), so each user will be presented with a login
>screen before they get access. The users themselves could be
>authenticated via radius in this way, and so gives us the option to turn
>the bad user off whilst still keeping the good ones on. It also allows
>us to manage bandwidth allocation at a user level rather than at the bridge.

Yeah, that would work, but methinks is a bit messy and limiting.
There would be no easy way to deliver a routeable IP address to any of
the users. The login ordeal is a web page which would need to be
automated. Client side traffic management is a must or you will have
the 3ea customers argueing with each other over who's hogging the
bandwidth. It might actually be easier and cheaper to use 3 wireless
bridges, one per customer, each on the 3ea non-overlapping channels.
Methinks your "captive portal" would work, but I question whether it
is worth the effort for only 3ea users.

>The problem is, we cannot find one for Windows.

For good reason. Windoze is not known for its simplicity, stability,
or low cost. If you were to do this legally, on perhaps a desktop,
you would owe Microsloth for a license. Embedded Windoze systems do
work, but I would hate to be the one doing the testing. Linux, but
contrast, is scaleable down to floppy disk size. There are also
multiple embedded Linux distributions sold with SBC boards designed
for wireless use:
http://www.soekris.com
http://www.pcengines.ch/wrap.htm
List and search for Linux distributions:
http://www.linux.org/dist/

>As I mentioned though,
>we would be willing to go for a Linux version, but only if it was a
>dedicated distro to accomplish this task (we don't want one of the huge,
>general purpose distros - the less there is to go wrong the better!).

Dedicated distributions are usually attached to specific hardware. If
you're willing to change your hardware, I'm sure something can be
found. What you're doing does NOT sound like something that can be
crammed into a WRT54GS or similar small box. Therefore, you would be
looking for either a stand alone PC driving an ethernet connected
wireless bridge radio, or an SBC (single board computah) with PCMCIA
card radios.

>As for 'dynamic firewall', this is just what a captive portal is.

I beg to differ on the terminology, but it's not important.

>1. a http request comes in from a user.
>2. the firewall looks up the MAC address / IP address in it's table of
>allowed users.
>3. if it's not there, show the user a login screen, otherwise let the
>request through.
>4. capture this user login details and send it to our RADIUS server for
>authentication (using a VPN).

Oh. So you're already using a VPN. I don't see the problem. You
have everything you need to manage the bandwidth and deal with the
authentication at the VPN level. If a user becomes infected with a
virus, all you need to do is change the VPN termination configuration
(at the ISP end) for that user, and they're off the air.

>5. on access-accept dynamically modify the firewall rules (i.e. add the
>MAC / IP to the allowed users table) to let the user in.

Oh, so that's where the term "dynamic" comes from. Thanks.

>We already have the RADIUS / billing system running fine, it's just this
> bit that's missing.

Well, RADIUS doesn't necessarily have to be hard wired to authenticate
by MAC address. The client can be setup to pass a digital
certificate, or shared key. If you transfer the authentication
responsibility to the client computah, you can setup 802.1x
authentication and let each computah do its own authentication instead
of just authenticating the CPE. Of course, with multiple VPN tunnels,
that redundant. Just use the VPN to do the login, authenticate, and
bandwidth manage part.

You might get a better answer in the ISP-Wireless mailing list:
http://isp-wireless.com

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
!