Captive Portal for Windows

Hello, Can anyone recommend a decent captive portal / dynamic firewall solution for Windows? I've already seen firstspot (by patronsoft) but we want to see if there are any other alternatives. Most of the solutions (NoCatAuth, m0n0wall etc.) are Linux based which is not what we want (unless there is a specialised Linux distro that ONLY has this, and router functionality built in - we are not interested in a full Linux distro to achieve this).

We do have a software development department who would be willing to take some existing, opensource, firewall solution and modify it to our ends - so that's an option.

So, we want, either:

Windows based CP solution, or Dedicated Linux CP distro, or Opensource firewall / CP solution under GPL that we can modify. TIA

Peter Phillips

Reply to
Peter Phillips

It would be nice to know what you're building or trying to accomplish.

It would seem to me that any of the dedicated hotspot software would do the job. I guess captive portal is almost the same thing as a wi-fi hotspot. Many of these are made to run off compact flash cards (simulated hard disk) or from a cdrom. Start at:

formatting link
use "hotspot" as a search key. Lots to choose from.

I'm not sure what you mean by "dynamic firewall". Google found a few pages on the subject, but reading them implied that dynamic just means easy to change.

formatting link
you're running in a hostile environment that requires constant security monitoring, I just don't see it. What type of environment is this thing going to live?

I guess there are also some Windoze hotspot software packages. Google found this:

formatting link
are probably others but I didn't find any.

I'm not sure what to recommend. I use:

formatting link
formatting link
a general purpose router, firewall, and access point manager. It runs on CF (compact flash) cards, handles up to 10 ports, and is fairly well supported. I used to run it on a floppy disk, but ran out of space. There are no USB, wi-fi, hotspot, or captive portal specific modules, so this may not be what you want. I've bludgeoned it into something resembling a hotspot, but without all the registration and billing stuff. I suppose it can be added if needed.

Good luck.

Reply to
Jeff Liebermann

How about:

formatting link

Reply to
JPElectron

OK.. we are a WISP with a number of installations in the UK (South Wales). Currently, we use RADIUS to authenticate the CPE MAC address at the customer's premises. This was fine for a single dwelling, but now we have the situation where one single bridge (the CPE) is serving 3 households, all with separate accounts with us. Now, if one of them breaches our T&Cs we (at the moment) only have the option of disabling the bridge, hence turning off access to the others. So, our thoughts of overcoming this was to use a captive portal to capture each user (in the same way as a hotspot), so each user will be presented with a login screen before they get access. The users themselves could be authenticated via RADIUS in this way, and so gives us the option to turn the bad user off whilst still keeping the good ones on. It also allows us to manage bandwidth allocation at a user level rather than at the bridge.

The problem is, we cannot find one for Windows. As I mentioned though, we would be willing to go for a Linux version, but only if it was a dedicated distro to accomplish this task (we don't want one of the huge, general purpose distros - the less there is to go wrong the better!).

As for 'dynamic firewall', this is just what a captive portal is.

  1. an HTTP request comes in from a user.
  2. the firewall looks up the MAC address / IP address in its table of allowed users.
  3. if it's not there, show the user a login screen, otherwise let the request through.
  4. capture this user's login details and send them to our RADIUS server for authentication (using a VPN).
  5. on access-accept dynamically modify the firewall rules (i.e. add the MAC / IP to the allowed users table) to let the user in.

We already have the RADIUS / billing system running fine, it's just this bit that's missing.

Thanks in advance

Peter Phillips

Reply to
Sandy Baby
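The five-step flow in the post above, modelled as an added Python example (it is not code from the thread or from any product named in it); the RADIUS server, usernames, passwords and rate caps are constructed stand-ins, and the "firewall" is just the allowed-users table the steps describe.

```python
"""Toy model of the captive-portal 'dynamic firewall' flow: an unknown MAC/IP
gets the login page, credentials go to RADIUS, and an Access-Accept adds a
per-user allow rule that can later be revoked on its own."""
from dataclasses import dataclass, field

# Constructed stand-in for the RADIUS server: username -> (password, kbps cap)
FAKE_RADIUS_USERS = {"alice": ("alice-pw", 512), "bob": ("bob-pw", 1024)}


def radius_authenticate(username, password):
    """Simulates Access-Request; returns reply attributes, or None on reject."""
    entry = FAKE_RADIUS_USERS.get(username)
    if entry is None or entry[0] != password:
        return None                        # Access-Reject
    return {"user": username, "kbps": entry[1]}


@dataclass
class CaptivePortal:
    # allowed-users table keyed by (mac, ip); value is the RADIUS attributes
    allowed: dict = field(default_factory=dict)

    def handle_http(self, mac, ip, url):
        """Steps 1-3: known client passes, unknown client gets the login page."""
        if (mac, ip) in self.allowed:
            return ("ALLOW", url)
        return ("LOGIN", "/login?next=" + url)

    def login(self, mac, ip, username, password):
        """Steps 4-5: forward credentials to RADIUS, add a rule on Access-Accept."""
        attrs = radius_authenticate(username, password)
        if attrs is None:
            return False
        self.allowed[(mac, ip)] = attrs    # the 'dynamic' firewall change
        return True

    def revoke_user(self, username):
        """Turn off one account behind a shared bridge; the others stay up."""
        matches = [k for k, v in self.allowed.items() if v["user"] == username]
        for key in matches:
            del self.allowed[key]
        return len(matches)

    def bandwidth_for(self, mac, ip):
        """Per-user cap from the RADIUS attributes, or None if not logged in."""
        attrs = self.allowed.get((mac, ip))
        return attrs["kbps"] if attrs else None
```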

I'll assume the CPE is a simple wireless bridge that can only bridge one MAC address and that you're distributing the traffic using a fairly simple router. How do you keep the 3ea customers from seeing each other?

Yeah, that would be nice. If each customer connected through a different VPN tunnel, or was part of a VLAN, you could separate the traffic and control access. The VLAN would work, but traffic management would be much easier at the IP level with VPN tunnels, than at the MAC level with a VLAN.

Yeah, that would work, but methinks is a bit messy and limiting. There would be no easy way to deliver a routeable IP address to any of the users. The login ordeal is a web page which would need to be automated. Client side traffic management is a must or you will have the 3ea customers arguing with each other over who's hogging the bandwidth. It might actually be easier and cheaper to use 3 wireless bridges, one per customer, each on the 3ea non-overlapping channels. Methinks your "captive portal" would work, but I question whether it is worth the effort for only 3ea users.

For good reason. Windoze is not known for its simplicity, stability, or low cost. If you were to do this legally, on perhaps a desktop, you would owe Microsloth for a license. Embedded Windoze systems do work, but I would hate to be the one doing the testing. Linux, by contrast, is scalable down to floppy disk size. There are also multiple embedded Linux distributions sold with SBC boards designed for wireless use:

formatting link
formatting link
and search for Linux distributions:
formatting link

Dedicated distributions are usually attached to specific hardware. If you're willing to change your hardware, I'm sure something can be found. What you're doing does NOT sound like something that can be crammed into a WRT54GS or similar small box. Therefore, you would be looking for either a stand alone PC driving an ethernet connected wireless bridge radio, or an SBC (single board computah) with PCMCIA card radios.

I beg to differ on the terminology, but it's not important.

Oh. So you're already using a VPN. I don't see the problem. You have everything you need to manage the bandwidth and deal with the authentication at the VPN level. If a user becomes infected with a virus, all you need to do is change the VPN termination configuration (at the ISP end) for that user, and they're off the air.

Oh, so that's where the term "dynamic" comes from. Thanks.

Well, RADIUS doesn't necessarily have to be hard wired to authenticate by MAC address. The client can be set up to pass a digital certificate, or shared key. If you transfer the authentication responsibility to the client computah, you can set up 802.1x authentication and let each computah do its own authentication instead of just authenticating the CPE. Of course, with multiple VPN tunnels, that's redundant. Just use the VPN to do the login, authenticate, and bandwidth manage part.

You might get a better answer in the ISP-Wireless mailing list:

formatting link

Reply to
Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.