Topic: Captive Portal with WPA2  (Read 6245 times)
« on: April 30, 2009, 21:18:49 »
MajorWoody *
Posts: 6

Quick question:

Is it possible to use m0n0wall to allow users to connect to an AP with the WPA2 protocol after entering credentials using the captive portal piece?

I see that it can be done easily enough with no encryption but my company would like the traffic to be secured.

Also, I would be using MS RADIUS for authentication.


Thanks in advance,
Major
« Reply #1 on: May 01, 2009, 18:42:14 »
knightmb ****
Posts: 341

Quick question:

Is it possible to use m0n0wall to allow users to connect to an AP with the WPA2 protocol after entering credentials using the captive portal piece?

I see that it can be done easily enough with no encryption but my company would like the traffic to be secured.

Also, I would be using MS RADIUS for authentication.


Thanks in advance,
Major
Chicken and Egg, which came first (well it was figured out something that wasn't quite a chicken laid the egg that became a chicken, but you get what I mean)

Basically, you want your clients to authenticate with m0n0wall Captive Portal before they get the WPA2 key? That would be as simple as using the URL redirect after authentication to send them to a page with the key on it, then setting up a virtual SSID with the WPA2 encryption enabled (probably would have to be a different SSID though).

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: May 01, 2009, 21:05:52 »
MajorWoody *
Posts: 6

Chicken and Egg, which came first (well it was figured out something that wasn't quite a chicken laid the egg that became a chicken, but you get what I mean)

Basically, you want your clients to authenticate with m0n0wall Captive Portal before they get the WPA2 key? That would be as simple as using the URL redirect after authentication to send them to a page with the key on it, then setting up a virtual SSID with the WPA2 encryption enabled (probably would have to be a different SSID though).

Thanks, but I think you lost me just a little bit...

Premise is correct, just not sure what you mean by virtual SSID. (Wouldn't I need an AP that has that capability?)


However, in determining exactly what is mandated by my chain of command, I think I may have made this a little more complicated than needed.

Using Active Directory Group Policy and WPA-Enterprise, I believe it can take care of the authentication piece.

They still would like to use captive portal to force users to accept the UAP.

Would m0n0wall still be my best option or should I look elsewhere?

Also, trying to set this up on our test network I seem to be having a little trouble figuring out the setup and layout of the network.

Here is what I am looking at:

Internal LAN (w/RADIUS) <--> m0n0wall <--> AP <--> Wireless Clients

I am trying to set it up so the WAN side of the m0n0wall is our Internal LAN.  When I do that I cannot access the m0n0wall's web interface using the 'WAN' side.

Is that how m0n0wall is inherently designed, or am I just missing a setting?


Thanks again for all of your help,
Major
« Reply #3 on: May 02, 2009, 00:15:13 »
knightmb ****
Posts: 341

To start with, you have an unencrypted access point. They connect, get an IP. Try to hit a website, Captive Portal grabs them, they enter username/password and then agree to the terms. From that point though, you want to move them to a WPA2 access point.

You aren't going to find anything (software or hardware) that will do that because clients won't allow it, that will require a human to manually do that.

Basically, you can't trick a wireless client into connecting to another access point via software. If that were possible, oh the hacking nightmares that would be, I shudder to think.

But, you can after authentication, present a page that says "hey, you need to connect to our encrypted access point now, and here's the key for it". That would work.

Basically, you just have two access points (or one if you go with DD-WRT or other firmware replacement for wireless routers) in which the first one is unencrypted, chained to m0n0wall LAN, the second is encrypted and chained to the m0n0wall LAN as well.

Since m0n0wall tracks sessions by IP+MAC, switching between the two will preserve your Captive Portal session, they won't have to authenticate again.

So you can do everything that you want to do, minus one step of the clients being auto-joined from an unencrypted network to an encrypted network. That step is currently not possible to automate via hardware/software.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #4 on: May 04, 2009, 17:50:22 »
MajorWoody *
Posts: 6

To start with, you have an unencrypted access point. They connect, get an IP. Try to hit a website, Captive Portal grabs them, they enter username/password and then agree to the terms. From that point though, you want to move them to a WPA2 access point.

You aren't going to find anything (software or hardware) that will do that because clients won't allow it, that will require a human to manually do that.

Basically, you can't trick a wireless client into connecting to another access point via software. If that were possible, oh the hacking nightmares that would be, I shudder to think.

Roger that and I agree, that would be bad.

But, you can after authentication, present a page that says "hey, you need to connect to our encrypted access point now, and here's the key for it". That would work.

Basically, you just have two access points (or one if you go with DD-WRT or other firmware replacement for wireless routers) in which the first one is unencrypted, chained to m0n0wall LAN, the second is encrypted and chained to the m0n0wall LAN as well.

Since m0n0wall tracks sessions by IP+MAC, switching between the two will preserve your Captive Portal session, they won't have to authenticate again.

So you can do everything that you want to do, minus one step of the clients being auto-joined from an unencrypted network to an encrypted network. That step is currently not possible to automate via hardware/software.

That sounds like it would work but we already have our APs purchased (EnGenius) and don't think management will like having to have 'dual' APs at each location, i.e. buy more APs. (I know, sometimes you have to just bite the bullet)

Can I just use m0n0wall to provide the UAP page?  I could still do authentication through WPA-Enterprise but make the users agree to our policy?


Major
« Reply #5 on: May 06, 2009, 20:29:28 »
knightmb ****
Posts: 341

You can, though the AP would need to sit on the same LAN segment. Since the AP is going to use its own RADIUS auth, make sure the captive portal for m0n0wall is set to allow its IP "outbound" access (or use MAC pass-through if that will work better) through it to where the RADIUS server lives, otherwise it gets stopped at the login screen when trying to do RADIUS auth for the wireless clients.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
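The two rules discussed above (Reply #3: sessions are tracked by IP+MAC, so a client keeps its session when it moves between the open and the WPA2 AP; Reply #5: the AP's own RADIUS traffic must be let through by an allowed-IP or MAC pass-through entry or it lands on the login page) modelled as a small policy check. This is an added illustration, not m0n0wall code; every address and MAC in it is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the thread names no real hosts.
AP_IP = "192.168.1.253"          # assumed AP address on OPT1
AP_MAC = "00:11:22:33:44:55"     # constructed AP MAC

@dataclass
class Portal:
    # Session key is (ip, mac), so roaming between APs keeps the session
    # and a different MAC claiming the same IP does not inherit it.
    sessions: set = field(default_factory=set)
    allowed_ips: set = field(default_factory=set)   # "allowed IP" entries
    passthrough_macs: set = field(default_factory=set)

    def login(self, ip, mac):
        """Record a client that authenticated and accepted the UAP."""
        self.sessions.add((ipaddress.ip_address(ip), mac.lower()))

    def decide(self, src_ip, src_mac):
        """Return 'pass', 'allow' or 'redirect' for one outbound packet."""
        src_ip = ipaddress.ip_address(src_ip)
        mac = src_mac.lower()
        if mac in self.passthrough_macs or src_ip in self.allowed_ips:
            return "pass"        # infrastructure traffic, e.g. AP -> RADIUS
        if (src_ip, mac) in self.sessions:
            return "allow"       # authenticated client
        return "redirect"        # send to the portal login / UAP page

def demo():
    p = Portal()
    # Without an allowed-IP or pass-through entry the AP's RADIUS request
    # is redirected to the login page (the failure Reply #5 warns about).
    before = p.decide(AP_IP, AP_MAC)
    p.allowed_ips.add(ipaddress.ip_address(AP_IP))
    after = p.decide(AP_IP, AP_MAC)
    # A client that accepted the UAP keeps its session after switching APs.
    p.login("192.168.1.50", "AA:BB:CC:DD:EE:01")
    roamed = p.decide("192.168.1.50", "aa:bb:cc:dd:ee:01")
    # Same IP from another MAC is treated as a new, unauthenticated client.
    spoof = p.decide("192.168.1.50", "aa:bb:cc:dd:ee:02")
    return before, after, roamed, spoof

if __name__ == "__main__":
    print(demo())
```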
« Reply #6 on: May 07, 2009, 18:38:16 »
MajorWoody *
Posts: 6

You can, though the AP would need to sit on the same LAN segment. Since the AP is going to use its own RADIUS auth, make sure the captive portal for m0n0wall is set to allow its IP "outbound" access (or use MAC pass-through if that will work better) through it to where the RADIUS server lives, otherwise it gets stopped at the login screen when trying to do RADIUS auth for the wireless clients.

Alright, that is what I am trying to set up.

However I am having a few issues.

I can't seem to set up the 'OPT1' interface correctly.  I have three interfaces for my m0n0wall: one the LAN, one the WAN, and one that I am going to use for my APs.  I don't plan on having anything plugged into the WAN.

Right now I have the OPT1 interface and a laptop connected with a crossover cable.  The m0n0wall will tell me if the em1 link goes up or down if I unplug the cable. (I have tried a small switch there too)

If I try to use DHCP on OPT1 interface I never receive an IP on my laptop and if I set a static IP I cannot ping the IP of the OPT1 on m0n0wall. (I have made sure I have DHCP on for the OPT1 interface)

I have added a rule for the OPT1 interface that basically allows everything.

Is there something else I need to configure?


Thanks,
Major

« Reply #7 on: May 08, 2009, 22:07:39 »
knightmb ****
Posts: 341

Is OPT1 using a different IP range than the LAN, like 192.168.2.X /24 ?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #8 on: May 09, 2009, 02:11:58 »
MajorWoody *
Posts: 6

Is OPT1 using a different IP range than the LAN, like 192.168.2.X /24 ?

No, they are both on the same /16 subnet. (Yes, /16.  No, there is not a good reason for that size of a subnet)



Major
« Reply #9 on: May 10, 2009, 23:38:17 »
knightmb ****
Posts: 341

If OPT1 is not bridged, you need a separate IP range for each Interface.

Like LAN = 192.168.0.0/24
OPT1 = 192.168.1.0/24

Then you will need to make sure the DHCP for OPT1 is set up for the proper range when doing IP assignment.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
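A check for the layout rule in the reply above (each non-bridged interface needs its own, non-overlapping IP range, and the DHCP pool must lie inside the interface's range), as an added example that is not part of the thread or of m0n0wall. The addresses are constructed; the "broken" layout reproduces the poster's situation of both interfaces sitting inside one /16.

```python
import ipaddress

def check_interfaces(interfaces):
    """interfaces: {name: (cidr, (dhcp_start, dhcp_end) or None)}.
    Returns a list of problem strings; an empty list means the layout is valid."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, (cidr, _) in interfaces.items()}
    names = list(nets)
    # Every pair of interfaces must use disjoint ranges.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # A DHCP pool must sit inside its own interface's range.
    for name, (cidr, dhcp) in interfaces.items():
        if dhcp is None:
            continue
        lo, hi = (ipaddress.ip_address(x) for x in dhcp)
        if not (lo in nets[name] and hi in nets[name] and lo <= hi):
            problems.append(f"{name} DHCP range {dhcp} is outside {nets[name]}")
    return problems

# Constructed layouts; the thread itself only gives the /24 examples and "/16".
BROKEN = {  # LAN and OPT1 both inside one /16, as the poster had
    "LAN":  ("10.10.1.1/16", None),
    "OPT1": ("10.10.2.1/16", ("10.10.2.100", "10.10.2.200")),
}
FIXED = {   # separate range per interface, as advised
    "LAN":  ("192.168.0.1/24", None),
    "OPT1": ("192.168.1.1/24", ("192.168.1.100", "192.168.1.200")),
}

if __name__ == "__main__":
    print(check_interfaces(BROKEN))
    print(check_interfaces(FIXED))
```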
« Reply #10 on: May 11, 2009, 17:32:02 »
MajorWoody *
Posts: 6

If OPT1 is not bridged, you need a separate IP range for each Interface.

Like LAN = 192.168.0.0/24
OPT1 = 192.168.1.0/24

Then you will need to make sure the DHCP for OPT1 is set up for the proper range when doing IP assignment.

Right, you threw me off when you mentioned they need to be on the same subnet for RADIUS to work.

I tried running OPT1 in bridged but it won't let me have captive portal on that interface.

I'll try using two different subnets and let you know if I can get it to work.


Thanks for your help,
Major
« Reply #11 on: May 13, 2009, 09:50:33 »
knightmb ****
Posts: 341

If OPT1 is not bridged, you need a separate IP range for each Interface.

Like LAN = 192.168.0.0/24
OPT1 = 192.168.1.0/24

Then you will need to make sure the DHCP for OPT1 is set up for the proper range when doing IP assignment.

Right, you threw me off when you mentioned they need to be on the same subnet for RADIUS to work.

I tried running OPT1 in bridged but it won't let me have captive portal on that interface.

I'll try using two different subnets and let you know if I can get it to work.


Thanks for your help,
Major
Yeah, Captive Portal only works on *one* interface, so when you bridge them, it's like the one interface became two and it won't let you then, that's why you have to keep them separate.

Sorry about the confusion, yeah, same subnet; what I meant was that the two access points would be on the same network segment, like one is 192.168.0.253 and the other is 192.168.0.254.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com