[Server-devel] Captive portal updates

Anish Mangal anishmg at umich.edu
Sun Sep 25 04:07:53 EDT 2016


Hi,

I wanted to ask whether a captive portal + radius server + radius server
gui would be a useful feature and wanted to discuss possible implementation
routes as this affects other services on the XSCE.

A radius server allows one to have controlled access to server resources,
internet connectivity, and allows one to create users, groups, and set
aside network bandwidth, i.e. it is quite useful in a medium to large
setup. A captive portal alongside it allows for good UX with notifications
in phones, tablets and users not having to type http://school.lan.

The existing captive portal PR (#771) is a very good step in that
direction, but I believe we will eventually need to use some kind of
standard implementations - radius + captive portal setups.

Now that 6.1 is out of the door, I would like to propose a captive portal
feature for 6.2.

In the current setup I am testing, I am using freeradius[1] as the radius
server, and CoovaChilli [2] as the captive portal. Coova does its own dhcp
so it will have to replace dhcpd if it is used. Also, starting/stopping the
coova services affects iptables, so initially, having it run in conjunction
with dansguardian and squid might be a little tricky (though it is
certainly possible, just needs more time to test/develop). Also, while
freeradius is available as an rpm package, coova and a dependency need to
be compiled from source. I can create the packages for it though - it did
not seem complicated.

So, the current approach I am proposing is:
1. If captive + radius is enabled, dhcpd is disabled, squid and
dansguardian are disabled. Later, we can just have dhcpd disabled and the
other two enabled if need be
2. If captive + radius is enabled, either we include a few knobs and levers
to manage radius in our admin console (more difficult), or include a radius
admin console (easier)

At the same time I have a question, since my understanding of xsce
networking is limited. When set up in LANcontroller mode with both the
internal wifi + LAN being controlled by XSCE, does all the LAN side traffic
flow through br0? Is it always the case?  (in gateway mode too). If that is
so, then I will configure coova to work on br0.

[1] http://freeradius.org/
[2] http://coova.github.io/CoovaChilli/

Best,
Anish


On Tue, Sep 20, 2016 at 7:36 AM, Anish Mangal <anishmg at umich.edu> wrote:

> I believe I am able to get the captive portal working as intended
>
> http://people.sugarlabs.org/anish/captive.webm
>
> Now will need to work in a branch on a playbook.
>
> Another idea would be to have a web ui for radius to show all kinds of user
> stats, control per user/group bandwidth, and accounting.
>
> On Mon, Sep 19, 2016 at 8:54 PM, Anish Mangal <anishmg at umich.edu> wrote:
>
>>
>>
>> On Mon, Sep 19, 2016 at 8:54 PM, Anish Mangal <anishmg at umich.edu> wrote:
>>
>>> Hi,
>>>
>>> So I was able to set up freeradius and coovachilli on a centos x86
>>> machine to set up a captive portal using the method below:
>>> https://www.howtoforge.com/tutorial/how-to-install-a-wireless-hotspot-with-captive-page-in-linux-using-coovachilli/
>>>
>>> Now, this is progress since the user experience is exactly how you would
>>> see in a coffee shop. Upon connecting, you will see a notification in your
>>> phone, and be prompted by a login prompt (where we can redirect the user to
>>> school.lan) or whatever afterwards.
>>>
>>> However, there are some notes:
>>> 1. Coovachilli does its own dhcp, so probably we might have to use that,
>>> if the captive portal is being enabled.
>>> 2. By default it does dhcp on a different subnet, and _maybe_ because of
>>> that, a bunch of iptables rules don't work. Name resolution doesn't work.
>>> Will change the default subnet to what we currently use and disable dhcpd
>>> and see what happens
>>>
>>> To setup coova and freeradius, they have to be compiled from source. The
>>> compiling was pretty straightforward on centos, so either the same can be
>>> done for ARM, but long term I think packages would be wonderful :-)
>>>
>>> All in all, this definitely looks like an approach worth pursuing :)
>>>
>>> Cheers,
>>> Anish
>>>
>>>
>>
>>
>> --
>> Anish
>>
>>
>>
>
>
> --
> Anish
>
>
>