Fwd: Re: Quasi-enterprise WiFi network
Victor Sudakov
vas at mpeks.tomsk.su
Mon Jan 8 07:20:44 UTC 2018
Freddie Cash wrote:
>
> > One trouble I expect here is: if the client goes to https destination, it
> > will complain about your local apache certificate, as the client expects
> > next packet (SSL negotiation) to come from host it was going originally
> > to. I've seen quite a few of similar things. "Home brew" words come to my
> > mind, no offense intended. Even older or two WiFi setups central IT folks
> > at big university I work for did this setup that brakes when client goes
> > to SSL-ed URL. Next, what if client does not use web browser at all, and
> > just attempts to ssh to external host...
>
>
>
> That was an issue with our original setup that only used firewall redirect
> rules, without the mod_rewrite stuff. It only worked if we walked people
> through visiting a non-encrypted website, in order to bring up our login
> page. As more and more sites started defaulting to HTTPS, it became
> cumbersome.
>
> All mobile devices, including Windows/MacOS devices, include captive portal
> detection these days, where they attempt to connect to a specific set of
> HTTP sites after connecting to a network. The mod_rewrite rules intercept
> only these requests, and redirect them to the login page.
Your mod_rewrite rules are becoming more and more interesting. Please
do post them.
There is one more drawback however I have just thought about. If I go
for a WiFi solution, I can deploy just an AP at some remote branch as
a RADIUS client of the central FreeRADIUS server.
If I go for a captive portal solution, I would need to install captive
portals at every branch, or tunnel Internet traffic via the central
hub.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
More information about the freebsd-net
mailing list