MacAuth over Splash Page via external Webserver
2020-08-26 14:10:17 - last edited 2020-09-16 20:03:32
Model: EAP245  
Hardware Version: V7
Firmware Version: Latest

Is there any option available wherein the captive portal hosted on an external web server can reference a MAC address file, or rather a RADIUS database, and allow a device in, else serve a splash page? The typical use case is IoT-type devices, for which we can have MAC addresses added in FreeRADIUS ahead of time.

I looked at RADIUS MAC authentication, but it only allows an open SSID to be bound to this type of authentication profile.

And for devices authenticated via splash page, if their credential exists in the RADIUS, then the MAC address is saved and from next time onward used to authenticate.

Thanks

#1
Re:MacAuth over Splash Page via external Webserver-Solution
2020-09-16 15:37:55 - last edited 2020-09-16 20:03:32
dpsguard wrote

However, I find that when I enable Guest mode, then the splash page from the Mikrotik will also not work, as Guest mode on the APs simply disables forwarding to any private address space and there is no option for me to whitelist an address (unless you know a place in the controller to do it).

Do you mean the »Guest Network« setting in Omada Controller? Yes, it enables both »Client Isolation« for isolating WLAN clients against each other (formerly wrongly called »SSID Isolation« in Omada Controller v2) as well as blocking private IPs (RFC1918). Unfortunately, I could not convince R&D (yet) to re-introduce a »Client Isolation« setting alone, which still could co-exist with the »Guest Network« setting.

To unblock the router from the ACL set implicitly by »Guest Network«, you can use the following »Block« ACL to exclude the IP of the Mikrotik from being blocked, using »Exclude Subnets«. The following ACL in Omada Controller unblocks the IP address 192.168.11.1, which is the router's IP running the Captive Portal:
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#13
Re:MacAuth over Splash Page via external Webserver
2020-08-26 15:52:59

@dpsguard, see authentication type »External Portal Server« (not to be confused with »External Web Portal« when using »External RADIUS Server« auth type).
With »External Portal Server« auth type you can implement any authentication scheme such as the one you have sketched.

#2
Re:MacAuth over Splash Page via external Webserver
2020-08-26 15:55:42

@R1D2

Really, so they have an external web server and external portal server options?? I need to look into this.

Much appreciate your help and sharing your knowledge.

#3
Re:MacAuth over Splash Page via external Webserver
2020-08-26 16:16:44 - last edited 2020-08-26 16:17:59

My issue is that to send the MAC address of the device trying to connect, I need to use NAS functionality to interact with the FreeRADIUS server. For that I need to use a MAC-based authentication profile. And that profile can only bind a None security SSID.

If I use external portal server, there is no NAS to send the MAC address to the FreeRADIUS as an attribute in the Access-Request as Calling-Station-Id. Unless the HTTP exchange between the client device and server, or controller and server, can get this MAC address and flip it over to the FreeRADIUS, and then if this MAC address exists, no portal page is sent to the client device and it is simply marked as authenticated and allowed to go to the Internet.

#4
Re:MacAuth over Splash Page via external Webserver
2020-08-26 16:21:28
#5
Re:MacAuth over Splash Page via external Webserver
2020-08-26 16:28:20 - last edited 2020-08-26 16:38:28
dpsguard wrote

If I use external portal server, there is no NAS to send the MAC address to the FreeRADIUS as an attribute in the Access-Request as Calling-Station-Id. Unless the HTTP exchange between the client device and server, or controller and server, can get this MAC address and flip it over to the FreeRADIUS, and then if this MAC address exists, no portal page is sent to the client device and it is simply marked as authenticated and allowed to go to the Internet.

I don't get why you would need a NAS.

See the FAQ I posted in reply to your previous post. You get all important information about the client trying to log in from the controller on the external portal server. Of course, any authentication (with FreeRADIUS or whatever) needs to be done by the external portal.

The only information Omada Controller expects back as a reply is whether to allow or reject the client trying to authenticate. If you want Omada Controller to communicate with the RADIUS server directly, you cannot use an external portal server.

#6
Re:MacAuth over Splash Page via external Webserver
2020-08-26 16:33:09

@R1D2

Sorry, I missed reading the link. As long as MAC addresses of devices are shared by the controller over to the portal server, the server can be set up so as to capture the MAC address. I guess I will need some logic in the portal server (which will also be the FreeRADIUS) where FreeRADIUS has to first tell the portal server to send a portal page or not, depending upon whether this MAC address is available in a SQL table or not.

Thanks again

#7
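The decision logic sketched in the last two posts (controller hands the client's MAC to the external portal; a pre-approved MAC is allowed without a portal page, anyone else gets the splash page) and the first post's wish to remember a MAC after a successful credential login, as an added example in Python. This is not TP-Link's FAQ sample code and not from anyone in this thread. Everything controller-specific is an assumption: the query parameter name `clientMac` on the controller's redirect is hypothetical, local SQLite tables stand in for the FreeRADIUS/SQL store, and the call back to the controller is represented only by the returned decision string.

```python
"""Decision logic for an external portal server: pre-approved MACs are allowed
without a splash page, everyone else gets the login page, and a successful
login records the MAC for next time. Added example, not TP-Link's FAQ sample
or code from this thread.
Assumptions (hypothetical, not from the thread): the controller's redirect
carries the client's MAC in a query parameter named `clientMac`; SQLite tables
stand in for the FreeRADIUS/SQL store; the call that reports "allow" back to
the controller is represented only by the returned decision string."""
import hashlib
import hmac
import os
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'
    to 'aa:bb:cc:dd:ee:ff'. Return None for anything that is not 12 hex digits,
    so a malformed or missing value can never match a stored row."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").lower()
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def open_store():
    """In-memory store with constructed sample data: one IoT MAC approved ahead
    of time and one user who may log in through the splash page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE approved_macs (mac TEXT PRIMARY KEY, owner TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    db.execute("INSERT INTO approved_macs VALUES ('00:11:22:33:44:55', 'sensor-01')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db


def is_approved(db, mac):
    return db.execute("SELECT 1 FROM approved_macs WHERE mac = ?", (mac,)).fetchone() is not None


def check_credentials(db, username, password):
    row = db.execute("SELECT salt, pwhash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def remember_mac(db, mac, owner):
    db.execute("INSERT OR REPLACE INTO approved_macs VALUES (?, ?)", (mac, owner))


def handle_redirect(db, url):
    """Entry point hit when the controller redirects a client to the portal.
    Returns ('allow', mac) for a pre-approved MAC (no splash page shown),
    ('splash', mac) when the login page should be served, or ('reject', None)
    when the request carries no usable MAC."""
    params = parse_qs(urlparse(url).query)
    mac = normalize_mac(params.get("clientMac", [""])[0])
    if mac is None:
        return ("reject", None)
    if is_approved(db, mac):
        return ("allow", mac)
    return ("splash", mac)


def handle_login(db, mac, username, password):
    """Splash-page form submission. Valid credentials allow the client and
    record its MAC, so the next redirect is allowed without a portal page."""
    mac = normalize_mac(mac)
    if mac is None or not check_credentials(db, username, password):
        return "reject"
    remember_mac(db, mac, username)
    return "allow"


if __name__ == "__main__":
    store = open_store()
    print(handle_redirect(store, "http://portal.example/?clientMac=00-11-22-33-44-55&ssidName=iot"))
    print(handle_redirect(store, "http://portal.example/?clientMac=66:77:88:99:aa:bb"))
    print(handle_login(store, "66:77:88:99:aa:bb", "alice", "correct horse"))
    print(handle_redirect(store, "http://portal.example/?clientMac=66:77:88:99:aa:bb"))
```

The MAC is normalized before every lookup because controllers, RADIUS clients and SQL rows rarely agree on separators or case, and a mismatch there silently turns an approved device into one that gets the splash page. Note that a MAC allow-list admits whatever device presents that address, so for IoT it is a convenience on top of the Guest Network client isolation discussed in the accepted answer, not an identity check.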
Re:MacAuth over Splash Page via external Webserver
2020-09-14 19:04:04

Hello @R1D2

Looks like I need some further help. With no web development background and my colleagues not really able to understand the requirements, do you have some sample code that establishes the back and forth between the external portal server (I will do it on Ubuntu, but any Linux distribution will work) and the SDN controller (located on the same server)? I don't believe there is any direct interaction needed between the portal server and the RADIUS server (FreeRADIUS, which also lives on the same server), as the portal page will collect the login information and then pass it back on to the controller for the controller to then interact with RADIUS.

Thanks and very best

#8
Re:MacAuth over Splash Page via external Webserver
2020-09-15 05:59:37

@dpsguard,

unfortunately I don't have any sample code for an External Server portal except the sample code in the TP-Link FAQ. We don't use the Omada portal at all; our own proprietary Captive Portal runs directly on the router since we need to authenticate wired clients, which Omada SDN Controller introduces with software-managed Omada switches and gateways coming soon.

According to this post the sample code in the TP-Link FAQ has some issues with wrong pathnames, so I would ask TP-Link to provide working sample code. Or maybe the author of the linked post is willing to share or sell his software.

Regarding RADIUS: if External Server portal is enabled, you cannot send the client back to Omada Controller for authentication. Your external portal needs to do the authentication itself and send back an allow or deny status to Omada Controller.

#9
Re:MacAuth over Splash Page via external Webserver
2020-09-15 14:36:25

Thanks @R1D2.

So you do run your own code directly on the TP-Link or other router? I have also tried Mikrotik and that will largely work. But in this case, with multiple sites with an AP at each site, the portal server needs to be in the cloud.

#10
Re:MacAuth over Splash Page via external Webserver
2020-09-16 06:22:32

@dpsguard, yes, it runs on the router. I'm not familiar with Mikrotik, but I know that OpenWrt has various Captive Portal packages. However, customization also requires writing software and this can become a very time-consuming job.

I suggest asking TP-Link for a working template for External Server portals.

#11