Re: [squid-users] SQUID Transparent Captive Portal w/ Authentication

From: Joshua Goodall <joshua@dont-contact.us>
Date: Tue, 19 Jul 2005 18:50:48 +1000

On Tue, Jul 19, 2005 at 09:16:01AM +0200, Matus UHLAR - fantomas wrote:
> On 18.07 13:45, Lucia Di Occhi wrote:
> > Has anyone implemented a captive portal registration/authentication system
> > with squid in transparent mode?
>
> No. read the FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ.html
> especially: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16

You are too quick to dismiss the request. I have seen such systems
implemented. He isn't talking about combining transparent proxying
with 407 auth.

If I were going to make another such system I'd probably just use a
redirector. Squid already sends the client IP, and the redirector
can just look up a database to check session validity, redirecting
to a local web server otherwise.

Don't hotels do this routinely?

At its simplest this can all be on the one box.

Note that such systems are susceptible to IP address spoofing. A
fully secured implementation would link DHCP-assigned IP address
to switch port somehow, with the switch/router filtering appropriately.

Doing this with 802.1Q VLANs would also ensure a single broadcast
domain per client, avoiding some security pitfalls of mutually
distrusting systems on a single network.

Alternatively, noting that the Cisco DHCP Relay Agent is documented
to add per-lease static routes, you might then also use Cisco's Unicast
RPF (reverse path forwarding), assuming the right hardware, network
architecture, and IOS level.

Depending on architecture and business requirements, you could just
do an 802.1X deployment instead.

Joshua.

-- 
Joshua Goodall                           "as modern as tomorrow afternoon"
joshua@roughtrade.net                                       - FW109
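The redirector approach Joshua sketches above, written out as an added example (this is not code from the thread or from the Squid project). It speaks the classic line-oriented Squid redirector protocol ("URL client-ip/fqdn ident method" in, a rewritten URL or a blank line out; the "302:" prefix, honoured by Squid 2.5 and later, turns the rewrite into a real HTTP redirect so the browser's address bar changes). The session store is a constructed in-memory dict standing in for the database, and the portal name "portal.example.internal" and path "/login" are assumptions. One caveat the prose leaves implicit is handled explicitly: requests for the portal host itself must pass through unredirected, otherwise an unauthenticated client loops forever and can never reach the login page.

```python
#!/usr/bin/env python3
"""Captive-portal redirector for Squid (redirect_program / url_rewrite_program).

Added example, not code from the squid-users thread or from Squid itself.
Squid starts this helper once per redirect child and feeds it one request
per line; the helper answers one line per request, in order.
"""
import sys
import time
from urllib.parse import quote, urlsplit

# Assumed names for the local login web server (run it on the same box).
PORTAL_HOST = "portal.example.internal"
PORTAL_URL = "http://portal.example.internal/login"

# Constructed stand-in for the session database: client IP -> expiry (epoch seconds).
# In a real deployment the login page inserts rows here after a successful sign-on.
SESSIONS = {
    "10.0.0.5": 2_000_000_000,  # registered, session still valid
    "10.0.0.9": 1_000_000_000,  # registered once, session expired
}


def session_valid(client_ip, now=None, sessions=SESSIONS):
    """True if the client IP has an unexpired session.

    Note this trusts the IP as Squid saw it; as the mail says, the scheme
    is only as strong as the network's protection against IP spoofing.
    """
    now = time.time() if now is None else now
    expiry = sessions.get(client_ip)
    return expiry is not None and expiry > now


def parse_request(line):
    """Parse the classic redirector input line.

    Format: URL client-ip/fqdn ident method [optional key=value pairs]
    Returns (url, client_ip, ident, method) or None if malformed.
    """
    parts = line.strip().split()
    if len(parts) < 4:
        return None
    url, client, ident, method = parts[:4]
    client_ip = client.split("/", 1)[0]  # drop the "/fqdn" or "/-" suffix
    return url, client_ip, ident, method


def decide(line, now=None, sessions=SESSIONS):
    """Return the answer line for one request (without the trailing newline).

    "" means leave the request untouched; "302:<url>" tells Squid to send
    the browser an HTTP redirect to <url>.
    """
    parsed = parse_request(line)
    if parsed is None:
        # Never stall Squid on garbage input: pass the request through.
        return ""
    url, client_ip, _ident, _method = parsed

    # The login server itself must always be reachable, or the client loops.
    if urlsplit(url).hostname == PORTAL_HOST:
        return ""

    if session_valid(client_ip, now, sessions):
        return ""

    # No valid session: bounce to the portal, carrying the original URL so the
    # login page can send the client back where it was going afterwards.
    return "302:%s?url=%s" % (PORTAL_URL, quote(url, safe=""))


def main():
    # Squid keeps the helper running; answer line by line and flush every time,
    # otherwise block buffering leaves Squid waiting on the first request.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `redirect_program /usr/local/bin/portal-redirect.py` (Squid 2.x; `url_rewrite_program` in later releases) and enough `redirect_children` for the expected request rate, since each child handles one request at a time. Whatever the portal login page does to populate the session store, the redirector by itself cannot tell a spoofed source address from a real one, which is exactly why the mail goes on to discuss binding leases to switch ports, VLANs, uRPF and 802.1X.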
Received on Tue Jul 19 2005 - 02:51:36 MDT
