Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 8 Jan 2018 14:20:35 +0700
From:      Victor Sudakov <vas@mpeks.tomsk.su>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        galtsev@kicp.uchicago.edu, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID:  <20180108072035.GB52442@admin.sibptus.transneft.ru>
In-Reply-To: <CAOjFWZ5j+ixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com>
References:  <CAOjFWZ6kYSTKmPHpQqd+ywrUNVLcG6JNzwFJYPyt5z1H4HeRUw@mail.gmail.com> <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> <CAOjFWZ5j+ixKVc0cy6ik=BuU0nmpdUgFyePAVDouKmS=MM9vOg@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Freddie Cash wrote:
> 
> > One trouble I expect here is: if the client goes to https destination, it
> > will complain about your local apache certificate, as the client expects
> > next packet (SSL negotiation) to come from host it was going originally
> > to. I've seen quite a few of similar things. "Home brew" words come to my
> > mind, no offense intended. Even older or two WiFi setups central IT folks
> > at big university I work for did this setup that brakes when client goes
> > to SSL-ed URL. Next, what if client does not use web browser at all, and
> > just attempts to ssh to external host...
> 
> 
> 
> That was an issue with our original setup that only used firewall redirect
> rules, without the mod_rewrite stuff. It only worked if we walked people
> through visiting a non-encrypted website, in order to bring up our login
> page. As more and more sites started defaulting to HTTPS, it became
> cumbersome.
> 
> All mobile devices, including Windows/MacOS devices, include captive portal
> detection these days, where they attempt to connect to a specific set of
> HTTP sites after connecting to a network. The mod_rewrite rules intercept
> only these requests, and redirect them to the login page.

Your mod_rewrite rules are becoming more and more interesting. Please
do post them.

There is one more drawback however I have just thought about. If I go
for a WiFi solution, I can deploy just an AP at some remote branch as
a RADIUS client of the central FreeRADIUS server.

If I go for a captive portal solution, I would need to install captive
portals at every branch, or tunnel Internet traffic via the central
hub.



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20180108072035.GB52442>