Mailinglist Archive: opensuse (4237 mails)
Re: [SLE] MAC address authentication
- From: Danny Sauer <suse-linux-e.suselists@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 11 Aug 2004 13:54:21 -0500
- Message-id: <20040811135421.K18863@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
nhaas wrote regarding 'RE: [SLE] MAC address authentication' on Wed, Aug 11 at 13:04:
> Thank you for the reply we really don't have anything in place yet. It is
> just a wish to get this in place by the 30th before the students get back to
> school. This would save a lot of time by not having the students use a
> signup form...
>
> -----Original Message-----
> From: Danny Sauer [mailto:suse-linux-e.suselists@xxxxxxxxxxxxxxxxxxxx]
>
> nhaas wrote regarding '[SLE] MAC address authentication' on Tue, Aug 10 at
> 17:48:
> > Hi All;
> >
> > I am trying to make an authentication server. We are a campus that requires
> > a MAC address in a database to use the web.
[...]
> Is the proxy already in place, or is that something else that "will be"
> set up as part of this? If it's not already in place, you could do some
> more access control using iptables rules built from a database, and use
[...]
If there's nothing in place, then here's how I'd do it.
Set up a DHCP server. Have it set the default route for all machines to
be a linux box with iptables set up, and run a web server capable of PHP
support on that machine. We'll call that machine 10.1.1.1 and the
network 10.1.1.0/24.
The router machine directs all traffic from the DHCP-assigned block to
a new chain - oncampus - whose last (default) rule is directing to
another chain - unregistered.
iptables -N oncampus
iptables -N unregistered
iptables -A FORWARD -s 10.1.1.0/24 ! -d 10.1.1.0/24 -j oncampus
iptables -A oncampus -j unregistered
iptables -A unregistered -p udp --dport 53 -j ACCEPT
iptables -A unregistered -p tcp --dport 53 -j ACCEPT
iptables -A unregistered -j REJECT
# DNAT is only valid in the nat table, so the port-80 redirect gets a matching
# "oncampus" chain there: IPs ACCEPTed in it keep their real destination and
# the rest fall through to the rewrite. (The regenerate script has to insert
# each registered IP into both copies of the chain.)
iptables -t nat -N oncampus
iptables -t nat -A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.0/24 -j oncampus
iptables -t nat -A oncampus -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:8080
So, now any outgoing DNS requests get allowed through, and any http web
requests go to the web server running on port 8080. Everything else
gets rejected (which responds immediately, in contrast to DROP which
causes things to time out).
You could set up a DNS server with a wildcard entry resolving all
requests to the registration web server, too, but this is easier,
IMHO.
Now, you set up a web server, let's say an out of the box Apache setup
on SuSE. Set it up to listen on port 8080 and to redirect all requests
to your registration page (let's call that page register.php). In
/etc/apache2/conf.d/registration.conf:
RewriteEngine On
RewriteRule .* /register.php [NS,L]
Listen 8080
Alright, now anyone who connects gets redirected to register.php when they
go to any web page "on the internet".
So, in register.php, just grab the connecting IP and stick that in
a database with their room number, etc. If you must have a MAC address,
$ip  = $_SERVER['REMOTE_ADDR'];
// arp -n skips reverse lookups; escapeshellarg keeps the address out of shell syntax
$arp = shell_exec('/sbin/arp -n ' . escapeshellarg($ip));
if (preg_match('/^' . preg_quote($ip, '/') . '\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s/mi', $arp, $m)) {
    $mac = $m[1];
}
or something like that - the exact php syntax eludes me for now, and I'm
hungry (lunch supersedes looking up the order of args in PHP functions).
Since it's just as easy to forge a MAC as it is to forge an IP, though, I'd
just go with IP restrictions since they're easier to deal with anyway.
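The lookup the PHP fragment above is reaching for, as an added example that is not part of the original post: a shell function that reads `arp -n` output and returns the hardware address for exactly one client IP, failing when the entry is missing or still "(incomplete)". The table is taken from stdin so the function runs against the constructed sample below instead of a live router; the function name `mac_for_ip`, the sample addresses and the net-tools column layout are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find the hardware address that
# the router's ARP table holds for one client IP. The table is read from
# stdin so the function can be exercised on the constructed sample below
# instead of a live `arp -n`; the column layout assumed is net-tools' arp.

# mac_for_ip IP < arp-table: print the MAC (lower case) for exactly IP and
# return 0; return 1 if there is no entry or the entry is "(incomplete)".
mac_for_ip() {
    awk -v ip="$1" '
        # exact match on the address column, so 10.1.1.5 never matches 10.1.1.50
        $1 == ip && length($3) == 17 &&
        $3 ~ /^[0-9a-fA-F][0-9a-fA-F](:[0-9a-fA-F][0-9a-fA-F])+$/ {
            print tolower($3); found = 1; exit
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample of `arp -n` output: one resolved host, one that has not
# answered an ARP request (no usable hardware address), and a host whose
# address is a prefix of the first one.
ARP_SAMPLE="$(printf '%s\n' \
    'Address                  HWtype  HWaddress           Flags Mask            Iface' \
    '10.1.1.50                ether   00:11:22:33:44:5A   C                     eth0' \
    '10.1.1.51                        (incomplete)                              eth0' \
    '10.1.1.5                 ether   00:11:22:33:44:5B   C                     eth0')"

# Sample run (uncomment to try): prints 00:11:22:33:44:5a
# printf '%s\n' "$ARP_SAMPLE" | mac_for_ip 10.1.1.50
```

Two things the function does that the regex sketch above does not: it matches the whole address column, so a short address cannot pick up a longer neighbour's entry, and it checks that the hardware column actually is a six-octet address before returning it. Note also that the ARP table only ever holds hosts on the router's own segment; a client behind another router appears with that router's hardware address, which is one more reason to prefer the IP-based restriction the post settles on.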
Anyway, now you're generating a database with all of the registered IPs,
and possibly a date of registration (so they can be restricted by time, etc).
All that's left is to write another shell script that, say, gets run from
cron every 5-10 minutes and either totally regenerates the iptables ruleset
or adds any new entries. I like the regenerate route - it's easier. :)
#!/bin/sh
# first, flush the chain (both the filter copy and the nat copy that
# carries the port-80 redirect for unregistered hosts)
iptables -F oncampus
iptables -t nat -F oncampus
# then, create the default rules
iptables -A oncampus -j unregistered
iptables -t nat -A oncampus -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:8080
# finally, insert the allowed IPs. -N -s drops the column header and table
# formatting so only the addresses come back; the database is assumed to be
# selected in ~/.my.cnf
for IP in $(mysql -N -s -e 'SELECT ip FROM registered_student_ips'); do
    iptables -I oncampus -s "$IP" -j ACCEPT
    iptables -t nat -I oncampus -s "$IP" -j ACCEPT
done
Run that from cron periodically, or run it whenever someone registers a new
machine, etc. Then, machines who are registered get to go on to the internet
and machines who are not slip past onto the "unregistered" chain where they
are redirected to the registration script.
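A dry-run variant of that regenerate step, added here as an example and not part of the original post. It goes a little beyond the script above: it honours the date-of-registration idea by expiring old rows, and it validates each address before it is handed to iptables, since a row that is not a plain IPv4 address should never be interpolated into a command line. The row shape (`ip<TAB>registered_epoch`, as a `mysql -N -s -e 'SELECT ip, UNIX_TIMESTAMP(registered) ...'` query would print it), the `registered` column, the function names `is_ipv4` and `gen_rules`, the sample rows and the assumption that the port-80 redirect lives in a nat-table chain also called `oncampus` are all mine.

```shell
#!/bin/sh
# Added example (not from the original post): a dry-run version of the
# regenerate script. It reads rows of "ip<TAB>registered_epoch" (the shape a
# `mysql -N -s -e 'SELECT ip, UNIX_TIMESTAMP(registered) ...'` query would
# print; here a constructed sample), skips registrations older than MAX_AGE
# seconds, refuses anything that is not a dotted-quad IPv4 address so a
# malformed or hostile row never reaches the iptables command line, and prints
# the commands instead of running them. Pipe the output to sh to apply it.
# Assumed: the port-80 redirect lives in a nat-table chain also named
# "oncampus", so every registered IP is inserted into both copies.

# is_ipv4 ADDR: return 0 if ADDR is four decimal octets in 0..255, else 1
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules NOW MAX_AGE < rows: one pair of iptables inserts per valid,
# unexpired row; rejected rows are reported on stderr and otherwise ignored
gen_rules() {
    now=$1
    max_age=$2
    while IFS="$(printf '\t')" read -r ip registered; do
        [ -n "$ip" ] || continue
        case "$registered" in
            ''|*[!0-9]*) echo "skip '$ip': bad timestamp" >&2; continue ;;
        esac
        if [ $((now - registered)) -gt "$max_age" ]; then
            echo "skip '$ip': registration expired" >&2; continue
        fi
        if ! is_ipv4 "$ip"; then
            echo "skip '$ip': not an IPv4 address" >&2; continue
        fi
        printf 'iptables -I oncampus -s %s -j ACCEPT\n' "$ip"
        printf 'iptables -t nat -I oncampus -s %s -j ACCEPT\n' "$ip"
    done
}

# Constructed sample rows: a fresh registration, an expired one, an octet out
# of range, and a row carrying shell metacharacters.
SAMPLE_ROWS="$(printf '10.1.1.50\t1092250000\n10.1.1.51\t1089000000\n10.1.1.999\t1092250000\n10.1.1.52; reboot\t1092250000')"

# Sample run: "now" is 1092254061 (11 Aug 2004), registrations last 30 days.
# printf '%s\n' "$SAMPLE_ROWS" | gen_rules 1092254061 2592000
```

Printing the commands rather than executing them makes the cron job easy to review and test: run the generator, read the output, then pipe it to sh. Since the original script flushes the chain before refilling it, a single bad row that aborts the loop would otherwise leave every registered host locked out until the next run; rejecting the row and carrying on avoids that.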
It's entirely possible that I messed up somewhere with syntax, etc, but
this should get you a good idea of how it could be done. Storing the IPs
in a database rather than just creating the iptables rules is a good idea,
since the iptables rules can be regenerated after a power loss. You could
certainly use another machine for the registration page, as long as both
the web server and router can access the DB.
This, BTW, is a nice scheme for a coffee shop wireless access point that
gives customers a limited amount of time to connect, etc. Stick a payment
method on that registration page and you're all set. ;)
--Danny