Re: [SLE] MAC address authentication

From: Danny Sauer (suse-linux-e.suselists_at_danny.teleologic.net)
Date: 08/11/04

    Date: Wed, 11 Aug 2004 13:54:21 -0500
    To: SuSE List <suse-linux-e@suse.com>
    
    

    nhaas wrote regarding 'RE: [SLE] MAC address authentication' on Wed, Aug 11 at 13:04:
    > Thank you for the reply we really don't have anything in place yet. It is
    > just a wish to get this in place by the 30th before the students get back to
    > school. This would save a lot of time by not having the students use a
    > signup form...
    >
    > -----Original Message-----
    > From: Danny Sauer [mailto:suse-linux-e.suselists@danny.teleologic.net]
    >
    > nhaas wrote regarding '[SLE] MAC address authentication' on Tue, Aug 10 at
    > 17:48:
    > > Hi All;
    > >
    > > I am trying to make an authentication server. We are a campus that
    > requires
    > > a MAC address in a database to use the web.
    [...]
    > Is the proxy already in place, or is that something else that "will be"
    > set up as part of this? If it's not already in place, you could do some
    > more access control using iptables rules built from a database, and use
    [...]

    If there's nothing in place, then here's how I'd do it.

    Set up a DHCP server. Have it set the default route for all machines to
    be a linux box with iptables set up, and run a web server capable of PHP
    support on that machine. We'll call that machine 10.1.1.1 and the
    network 10.1.1.0/24.

    The router machine directs all traffic from the DHCP-assigned block to
    a new chain - oncampus - whose last (default) rule is directing to
    another chain - unregistered.
            # create the two chains (-N), then send outbound traffic from the
            # campus block through them from the FORWARD chain
            iptables -N oncampus
            iptables -N unregistered
            iptables -A FORWARD -s 10.1.1.0/24 ! -d 10.1.1.0/24 -j oncampus
            iptables -A oncampus -j unregistered
            # DNAT only works in the nat table, so the same split lives there:
            # registered hosts get ACCEPT (= no NAT), the rest get rewritten
            iptables -t nat -N oncampus
            iptables -t nat -N unregistered
            iptables -t nat -A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.0/24 -j oncampus
            iptables -t nat -A oncampus -j unregistered
            iptables -t nat -A unregistered -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:8080
            iptables -A unregistered -p udp --dport 53 -j ACCEPT
            iptables -A unregistered -p tcp --dport 53 -j ACCEPT
            iptables -A unregistered -j REJECT

    So, now any outgoing DNS requests get allowed through, and any http web
    requests go to the web server running on port 8080. Everything else
    gets rejected (which responds immediately, in contrast to DROP which
    causes things to time out).

    You could set up a DNS server with a wildcard entry resolving all
    requests to the registration web server, too, but this is easier,
    IMHO.

    Now, you set up a web server, let's say an out of the box Apache setup
    on SuSE. Set it up to listen on port 8080 and to redirect all requests
    to your registration page (let's call that page register.php). In
    /etc/apache2/conf.d/registration.conf:
            # mod_rewrite must be loaded (on SuSE: add rewrite to APACHE_MODULES in /etc/sysconfig/apache2)
            Listen 8080
            RewriteEngine On
            RewriteCond %{REQUEST_URI} !^/register\.php$
            RewriteRule .* /register.php [NS,L]

    Alright, now anyone who connects gets redirected to register.php when they
    go to any web page "on the internet".

    So, in register.php, just grab the connecting IP and stick that in
    a database with their room number, etc. If you must have a MAC address,
            $ip  = $_SERVER['REMOTE_ADDR'];
            $arp = shell_exec('/sbin/arp -n ' . escapeshellarg($ip));  // whole output, not just the last line
            if (preg_match('/(([0-9a-f]{2}:){5}[0-9a-f]{2})/i', $arp, $m)) {
                    $MAC = $m[1];   // arp only knows hosts on the router's own segment
            }
    or something like that - the exact php syntax eludes me for now, and I'm
    hungry (lunch supersedes looking up the order of args in PHP functions).
    Since it's just as easy to forge a MAC as is to forge an IP, though, I'd
    just go with IP restrictions since they're easier to deal with anyway.

    Anyway, now you're generating a database with all of the registered IPs,
    and possibly a date of registration (so they can be restricted by time, etc).
    All that's left is to write another shell script that, say, gets run from
    cron every 5-10 minutes and either totally regenerates the iptables ruleset
    or adds any new entries. I like the regenerate route - it's easier. :)

            #!/bin/sh
            # first, flush the chain (the filter copy and the nat copy used for DNAT)
            iptables -F oncampus
            iptables -t nat -N oncampus 2>/dev/null
            iptables -t nat -F oncampus
            # then, create the default rule
            iptables -A oncampus -j unregistered
            iptables -t nat -A oncampus -j unregistered
            # finally, insert the allowed IPs (-N skips the column header so the
            # word "ip" is never handed to iptables; add -D dbname and credentials)
            for IP in `mysql -N -e 'SELECT ip FROM registered_student_ips'`; do
                    iptables -I oncampus -s "$IP" -j ACCEPT
                    iptables -t nat -I oncampus -s "$IP" -j ACCEPT
            done

    Run that from cron periodically, or run it whenever someone registers a new
    machine, etc. Then, machines that are registered get to go on to the internet
    and machines that are not slip past onto the "unregistered" chain where they
    are redirected to the registration script.

    It's entirely possible that I messed up somewhere with syntax, etc., but
    this should get you a good idea of how it could be done. Storing the IPs
    in a database rather than just creating the iptables rules is a good idea,
    since the iptables rules can be regenerated after a power loss. You could
    certainly use another machine for the registration page, as long as both
    the web server and router can access the DB.

    This, BTW, is a nice scheme for a coffee shop wireless access point that
    gives customers a limited amount of time to connect, etc. Stick a payment
    method on that registration page and you're all set. ;)

    --Danny

    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com
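As an added example (mine, not Danny's script): a Python version of the "regenerate the whole ruleset" step that validates the rows pulled from the database before they become iptables arguments, expires registrations older than an assumed window, and renders one iptables-restore fragment so the filter-table oncampus chain is swapped in a single commit, with no moment where the chain is empty and registered hosts fall into unregistered. The network is the one from the post; the 120-day lifetime, the registered_at column and the sample rows are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

CAMPUS_NET = ipaddress.ip_network("10.1.1.0/24")  # the network from the post
MAX_AGE = timedelta(days=120)                      # assumed registration lifetime
NOW = datetime(2004, 8, 11, 13, 54)                # "now" fixed for the sample run

# Constructed sample rows standing in for
#   SELECT ip, registered_at FROM registered_student_ips
SAMPLE_ROWS = [
    ("10.1.1.23", "2004-08-01 09:15:00"),
    ("10.1.1.200", "2004-06-20 07:30:00"),
    ("10.1.1.77", "2004-03-02 17:40:00"),           # older than MAX_AGE: expired
    ("10.1.1.23", "2004-08-10 12:00:00"),           # same host registered twice
    ("192.168.5.9", "2004-08-05 08:00:00"),         # outside the campus block
    ("10.1.1.5 -j ACCEPT", "2004-08-05 08:00:00"),  # junk that must never reach iptables
]

def active_ips(rows, now):
    """Return the de-duplicated, sorted IPs that are well-formed, on campus and unexpired."""
    keep = set()
    for ip_text, when_text in rows:
        try:
            ip = ipaddress.ip_address(ip_text.strip())   # rejects anything but a bare address
        except ValueError:
            continue
        if ip not in CAMPUS_NET:
            continue
        registered = datetime.strptime(when_text, "%Y-%m-%d %H:%M:%S")
        if now - registered > MAX_AGE:
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]

def build_ruleset(ips):
    """Render an iptables-restore fragment: the ':oncampus' line makes iptables-restore
    flush and refill that one user chain inside a single COMMIT, even with --noflush."""
    lines = ["*filter", ":oncampus - [0:0]"]
    lines += [f"-A oncampus -s {ip}/32 -j ACCEPT" for ip in ips]
    lines += ["-A oncampus -j unregistered", "COMMIT"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # pipe this into: iptables-restore --noflush
    # (the unregistered chain and the FORWARD jump are assumed to exist already)
    print(build_ruleset(active_ips(SAMPLE_ROWS, NOW)), end="")
```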
    
