[isf-wifidog] Some new features

Philippe April isf_lists at philippeapril.com
Sat 24 Sep 10:45:32 EDT 2005


I added this feature just for people to be able to have some power on  
their node (ie. owner wants direct access with no authentication).

That's because owners could configure it by logging in via SSH (not  
super useful) or via web interface (useful!)

An auth server can easily do the same thing but centrally:

1. wifidog receives traffic on port 80, redirects to login page.
2. Login page is intelligent, it knows this user has access because
of its mac address, generates a token with access and pushes this
token back to the gateway
3. the user has access, trusted by his mac address (pushed from the  
server).

A cleaner implementation would be no redirects at all for the token:
1. wifidog receives traffic on port 80
2. asks the auth server if there are some special rules for this user
3. auth server says: "yes, he's allowed direct access"

For the "kicking a user by mac", this can already be done either
locally or on the auth server.

If you tag the connection "USED" on the auth server, next time the  
counters are updated (every 1 minute or so), the user will be kicked  
out. If you do that AND you tag his profile as "denied", he won't be  
able to re-log in.

Or, on the gateway:
./wdctl reset <insert mac or IP here>

Right now, I added a new chain for the trusted MACs, basically the  
traffic is tagged as "Known traffic" if it comes from defined MAC  
addresses from the config.

If you have feature requests and/or questions, feel free!

Philippe April
GnuPG http://key.philippeapril.com

On 24-Sep-05, at 4:22 AM, Ian White wrote:

> These changes look good. The major advantage of wifidog over nocat  
> is the two way communication.
>
> I'm not sure how the trusted mac is implemented, but it would be
> nice if it was an auth-server originated message rather than
> something on the wifi box in response to a heartbeat etc.
>
> Being able to communicate with a node to add macs, kick a user off
> by mac, reboot etc I think is the way to go.
>
> I'm looking at if wifidog can replace nocat on locustworld meshes,
> as their trusted macs are configured outside of nocat, and you can't
> talk to nocat.
>
> Rgds
>
> Ian
> ----- Original Message ----- From: "Philippe April"  
> <isf_lists at philippeapril.com>
> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> Sent: Saturday, September 24, 2005 7:03 AM
> Subject: [isf-wifidog] Some new features
>
>
>
>> Hi,
>>
>> I just committed some new/old features to CVS, we'll test more and
>> deploy them in the next version of WiFiDog (I hope!).
>>
>> *1. I added {Saul Albert,Jo Walsh,Schuyler}'s patch to send MAC
>> address as the node_id.
>>
>> Mina: I saw your comment regarding "if we want it to be the new
>> default or not", I personally think so. Some folks use the 'default'
>> node for a long while and it ruins some of our stats on the prod
>> server :)
>>
>> Not just that, I think a lot of people would actually pick to use the
>> MAC address as the node ID instead of creating IDs (which are random)
>> anyway.
>>
>> Everybody: let's see what you guys have to say. I personally don't
>> mind either way, but the default is now the mac address (if
>> nothing's specified in the config) and the config's node_id has been
>> commented. We can revert anytime, we'd just need to add a new flag in
>> the config, something like "UseMACAsNodeID".
>>
>> *2. I added new code and rules to allow people to specify trusted MAC
>> addresses.
>> It's an old request, which is handy. Of course it could be done by
>> the authentication server. I think it's nice to be able to do it on
>> the WiFiDog gateway since some people would actually run it with a
>> light auth server (or none!).
>>
>> *3. Some new features are coming, including Mina's cool:
>>     1. Update
>>     2. Restart
>>     3. "Look Ma! No downtime!"
>>     ... modifications.
>>
>> See changelog below.. Have a good night!
>>
>> ChangeLog:
>> 2005-09-24 Philippe April <philippe at ilesansfil.org>
>>     * (finally) Added {Saul Albert,Jo Walsh,Schuyler}'s patch (thank you!)
>>     to send the GW interface's mac address as the node_id if no node_id
>>     is specified. It allows the use of generic configuration files
>>     without the need to hardcode the node_id in.
>>     * Added TrustedMACList configuration variable which allows specifying
>>     MAC addresses which are allowed to go through without authentication.
>>     * Updated OpenWrt instructions.
>>
>>
>> Philippe April
>> GnuPG http://key.philippeapril.com
>>

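The TrustedMACList setting discussed in this thread ends up as firewall rules keyed on MAC addresses taken from a config file, so the value should be validated strictly before any rule text is built from it. The following is an added example, not WiFiDog's code and not part of the original messages; the comma-separated list format, the chain name `Example_Trusted` and the mark value `0x2` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TRUSTED_CHAIN "Example_Trusted" /* assumed chain name, not WiFiDog's */
#define MARK_KNOWN 0x2u                 /* assumed "Known traffic" mark value */
#define RULE_LEN 128

/* Accept only XX:XX:XX:XX:XX:XX and write an upper-case copy to out. */
static int parse_mac(const char *s, size_t len, char out[18])
{
    if (len != 17) return 0;
    for (size_t i = 0; i < 17; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i % 3 == 2 ? c != ':' : !isxdigit(c))
            return 0;
        out[i] = (char)toupper(c);
    }
    out[17] = '\0';
    return 1;
}

/* Build one mangle rule per MAC in a comma-separated list. Returns the count,
 * or -1 on any malformed entry or overflow, so no partial rule set is applied. */
int build_trusted_rules(const char *list, char rules[][RULE_LEN], int max)
{
    int n = 0;
    for (const char *p = list; *p; ) {
        p += strspn(p, " \t");                 /* skip leading blanks */
        if (!*p) break;
        size_t len = strcspn(p, ","), end = len;
        while (end > 0 && isspace((unsigned char)p[end - 1])) end--;
        char mac[18];
        if (n >= max || !parse_mac(p, end, mac))
            return -1;
        snprintf(rules[n++], RULE_LEN, "iptables -t mangle -A %s -m mac "
                 "--mac-source %s -j MARK --set-mark 0x%x",
                 TRUSTED_CHAIN, mac, MARK_KNOWN);
        p += len + (p[len] == ',');
    }
    return n;
}

int main(void)
{   /* constructed sample value for the list */
    char r[4][RULE_LEN];
    int n = build_trusted_rules("00:11:22:33:44:55, aa:bb:cc:dd:ee:ff", r, 4);
    for (int i = 0; i < n; i++) puts(r[i]);
    return n < 0;
}
```

Rejecting the whole list on the first bad entry keeps a typo or stray character in the config from ever reaching the command that installs the rules.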

