[isf-wifidog] some recent posts on wifidog captive portal

Michael Lenczner mlenczner at gmail.com
Mon Apr 3 20:55:39 EDT 2006

1) http://ken.ipl31.net/2006/04/02/nocat-auth-is-dead-long-live-wifidog/

"Nocat Auth is dead, long live WifiDog" (from a vol from seattle wireless)

WifiDog really shines in aggregating content and making it available in
splash pages. It can take dynamic data feeds, such as geo-coded or
location based information feeds and display it to people on the
splash page. It has google maps integration and sports a monitoring
map that shows you the status of all your nodes running wifidog and will
alert you if a node goes down.
In addition, the fact that it is designed to aggregate information feeds
means that you could feed stuff such as Itunes sharing bonjour
advertisements and display that on the portal page.
I saw it demonstrated at a session this weekend and am extremely
impressed. I encourage anyone looking for a captive portal based
solution to check it out.

2) http://ablogofherown.postopolis.com/2006/04/01/wifidog-ile-sans-fil-and-hacking-your-city/

"You know, this is a really interesting product and it really needs to
be looked at more closely."

3) and wow - check out this one!  someone (else) should add it to the
wifidog wiki (there should be a press page if there isn't already)


"While NoCatAuth is probably the most famous captive portal, it's not
being actively developed anymore. It still works fine, and there is an
active user community, but the devs seem to have stuck a fork in it
and pronounced it done. My current favorite is WiFiDog. It's tiny,
around 30K, and is completely self-contained with no dependencies."

Build a Secure Wireless Portal with Linux
March 17, 2006
By Carla Schroder

Ever since wireless Ethernet was born, a sizable number of folks
decided that it should be freely available to the masses at no cost.
So we have official community wireless projects, coffee shops, hotels,
and other businesses supplying free wireless Internet, and a lot of
purposefully-unsecured private wireless networks.

Humans being what they are, admins of open wireless networks should be
canny and careful. In these modern times you can be punished for what
other people do, no matter how tangential your connection to them.
Presumably most folks would prefer not to go to jail because someone
downloaded child porn over their wireless link, or spewed forth spams,
or published information displeasing to corporate types. It's a good
idea anyway to have some controls in place to control un-neighborly
behavior, like bandwidth- and time-hogging.

Instant Wireless Communities
There are a number of specialized applications for building wireless
portals. The grandmommy of them all is NoCatAuth. NoCatAuth was
designed to simplify and control the administration of public wireless
portals. NoCatAuth creates a "captive portal", which means users
cannot enter your network until they follow a few steps on your
NoCatAuth Web page. The lowest level of access is "Public." A login is
not required; users who wish simply to connect without hassles can
skip the login, and are then granted the fewest network resources. The
"Co-op" and "Owner" classes of members are required to login and
authenticate, and are granted more network privileges.

NoCatAuth manages security most ingeniously. It wisely bypasses 802.1x
security entirely, which is still in a state of flux and chaos,
because lots of old network devices are still in use that support
nothing stronger than WEP, which is about as secure as putting the key
under the mat. Instead it creates an open access point, then hands off
all access controls and authentication to your nice, strong Linux
gateway. The only access controls on the NoCatAuth device itself are
provided by a dynamic iptables firewall. By offloading the heavy-duty
work to other servers, you have a lot of flexibility and power at your
disposal, and much better security than you'll find in the world of
wireless security protocols. You can use any authentication server,
and use all the usual Linux tools for firewalling, monitoring,
bandwidth shaping, and so forth. In fact NoCatAuth isn't limited to
wireless access points, you can use it on wired networks too.

NoCatAuth has some downsides. It won't fit on small embedded devices
because it depends on Perl, OpenSSL, and GnuPG. It keeps connections
alive by opening a second browser window with Javascript and pinging
the gateway every five minutes, so single-window devices like PDAs,
and browsers without Javascript enabled cannot be served.

Neurally Implanted Phones
I digress briefly to make a prediction: in not too many years,
wireless VoIP phones will be all the rage, or even implanted in
people's heads, with the antenna fashionably masquerading as hairpins
or stylish barrettes, yes, even on men, so your public access point
will enable yet more pointless public phone yakking. If the people of
the future even use telephones for talking.

An offshoot of NoCatAuth is NoCatSplash. This is a slimmed-down
version for small-capacity embedded devices that doesn't do much more
than display a splash screen that identifies your network, and
re-directs users to other Web pages.

Pebble Linux
Pebble Linux is a miniature wireless AP-ready Linux designed to run on
embedded devices like Soekris boards and old feeble PC hardware. It's
too big for OpenWRT-type devices, but that's OK because Pebble Linux
is versatile and easy to use. If you don't want to buy a Soekris or
mini-ITX board, Pebble runs great on ordinary old PC hardware, even a
486. It's Debian-based, so it is easily modified with the usual Debian
utilities and software repositories.

While NoCatAuth is probably the most famous captive portal, it's not
being actively developed anymore. It still works fine, and there is an
active user community, but the devs seem to have stuck a fork in it
and pronounced it done. My current favorite is WiFiDog. It's tiny,
around 30K, and is completely self-contained with no dependencies.

Like NoCatAuth, WiFiDog acts as a doorkeeper, and delegates the heavy
cryptography and authentication work to your regular authentication
server and the user's Web browser. The WiFiDog portal never sees any
passwords, but exchanges single-session tokens with the authentication
server. The one weak point is that MAC address spoofing is possible, but
this is common to all open wireless networks. Someday, in the far
distant future when WPA is universally implemented, and all
antique network devices are retired, MAC spoofing will be a thing of
the past. Since you're operating an open network, and presumably not
sharing this nice open network with your top-secret super-sensitive
private network, this shouldn't be a critical problem anyway.

Building a Wireless Access Point
Your WAP needs to be a standalone device, connected via an Ethernet
bridge to your network gateway/firewall, running no services except
maybe DHCP. You'll need an Ethernet NIC and a wireless NIC, hopefully
one that takes a decent-quality antenna. A good antenna makes all the
difference for signal quality, though many users get acceptable
performance by placing their WAP in a favorable location, like on a
high shelf.

Finding a supported wireless NIC is probably the hardest part, since
wireless vendors can't seem to understand that us Linux (and Unix and
Mac OSX) (and no, I will not stop complaining until you wireless vendors
change your misguided ways) customers want to buy their products, and
in fact already do buy them, and go to heroic lengths to make the
darned things work. 802.11b is easy; there are many Linux-supported
802.11b chipsets. Getting the higher-speed 802.11a/g is more
difficult. Not only must they have Linux drivers, they must be able to run
in Master mode. These chipsets will do the job:

Prism 2/2.5/3 802.11b, HostAP driver
Atheros 802.11a/b/g, Madwifi driver
Prism54 802.11b/g, Prism54 driver

There is a new wrinkle in wireless radio chipsets: "newmac" or
"softmac" chips. Oh joy, for these use software to do what used to be
the job of the hardware, which naturally translates to "winchips."
Beware the new generation of Prism radio chipsets; see the Prism54
website for more information, and Build A Linux-Based Wireless Access
Point, part 2 for more information on finding supported wireless NICs.

In a nutshell, building a good strong secure public wireless portal is
pretty easy, once you locate supported wireless hardware.


    * NoCat.Net. Visit here to find out why it is called NoCat.
    * NoCatSplash
    * WiFiDog
    * Pebble Linux
    * FreeRADIUS and Linux for Your WLAN
    * Build A Linux-Based Wireless Access Point, part 1
    * Build A Linux-Based Wireless Access Point, part 2
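
A minimal model of the token hand-off the article describes for WiFiDog, added here as an illustration; it is not WiFiDog's code or wire protocol. The class and method names (AuthServer, Gateway, admit, sweep) and the sample user and MAC addresses are assumptions. It shows the gateway admitting a client without ever handling a password, and a periodic re-check that bounds how long a MAC-keyed allow entry can outlive its token.

```python
import hmac
import secrets
import time

class AuthServer:
    """Holds the credentials; the gateway never sees them."""
    def __init__(self, users):
        self._users = users      # username -> password (constructed sample data)
        self._tokens = {}        # token -> expiry timestamp

    def login(self, username, password, ttl=3600, now=None):
        now = time.time() if now is None else now
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)   # unguessable per-session token
        self._tokens[token] = now + ttl
        return token

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        expiry = self._tokens.get(token)
        if expiry is None or expiry < now:
            self._tokens.pop(token, None)   # forget expired tokens
            return False
        return True

class Gateway:
    """Doorkeeper: its only state is MAC -> token (stand-in for firewall rules)."""
    def __init__(self, auth):
        self.auth = auth
        self.allowed = {}

    def admit(self, mac, token, now=None):
        # A token belongs to one session: refuse it from a second MAC.
        if any(t == token and m != mac for m, t in self.allowed.items()):
            return False
        if not self.auth.validate(token, now):
            return False
        self.allowed[mac] = token
        return True

    def forward(self, mac):
        # Traffic is matched on MAC alone, which is the weak point the article notes.
        return mac in self.allowed

    def sweep(self, now=None):
        # Periodic re-validation removes entries whose token has expired.
        for mac, token in list(self.allowed.items()):
            if not self.auth.validate(token, now):
                del self.allowed[mac]
```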
