Authenticated NAT and DHCP

 
 
Brian Andrus

 
      08-03-2003, 08:48 PM
I want to be able to have clients connect their computer to a network,
get an IP via DHCP and then when they open their web browser have it
go to a predefined site where they can log in before being allowed to
browse the net.

I want this authentication to apply to their NAT abilities, not just
http or such, so a proxy will not work. Also, I don't want them to
have to do any configuring of their system. Assuming dhcp enabled and
no proxies set for each client connecting.

Is there a package out there that does this? Can it be done?

Thanks in advance!

Brian Andrus
 
Ida Young

 
      08-04-2003, 01:12 AM
You can try ITShield Firewall (http://www.itshield.com). ITShield Firewall
is a transparent application firewall. Although its documents do not
mention anything about DHCP, actually it can run as a DHCP server. Intel
version of ITShield Firewall is compatible with Red Hat 7.1.

Every user can use HTTPS, SSH, HTTP and TELNET to get authenticated.

Ida Young

"Brian Andrus" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I want to be able to have clients connect their computer to a network,
> get an IP via DHCP and then when they open their web browser have it
> go to a predefined site where they can log in before being allowed to
> browse the net.
>
> I want this authentication to apply to their NAT abilities, not just
> http or such, so a proxy will not work. Also, I don't want them to
> have to do any configuring of their system. Assuming dhcp enabled and
> no proxies set for each client connecting.
>
> Is there a package out there that does this? Can it be done?
>
> Thanks in advance!
>
> Brian Andrus



 
/dev/rob0

 
      08-04-2003, 12:35 PM
In article <(E-Mail Removed) >,
Brian Andrus wrote:
> I want to be able to have clients connect their computer to a network,
> get an IP via DHCP and then when they open their web browser have it
> go to a predefined site where they can log in before being allowed to
> browse the net.
>
> I want this authentication to apply to their NAT abilities, not just
> http or such, so a proxy will not work. Also, I don't want them to


Generally this sort of control IS best done with a proxy. I don't know
much about SOCKS except that it can handle multiple protocols. What
protocols do you expect to be used?

> Is there a package out there that does this? Can it be done?


I don't know, yes. I do think you should look deeper into proxies. But
you could use a CGI script for your authentication, and when a user logs
in, an iptables command to SNAT his/her IP would run. Simple in concept.
You'd probably want to set a means of purging stale sessions, or of
verifying that a session is still active.

If you just set a fixed timeout period, it would be easy. The user could
reauthenticate before the expiration to avoid connection interruption.
The authentication script would set an "at" job to delete the rule from
the chain. (You should test to be sure that iptables doesn't care about
duplicate rules before you rely on this. Mine seems to be able to delete
one and leave the other for each -D command.)

NB: for this to work there must not be a blanket SNAT or MASQUERADE rule
in your tables! You would only add each IP individually, which is a
rather inefficient use of iptables. I still think a proxy is best.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
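
The fixed-timeout scheme /dev/rob0 describes above, as an added example (not code from any poster in this thread): one SNAT rule per authenticated client, with an `at` job queued to delete it. The interface name, public address, lease length and the `DRY_RUN` switch are assumptions, and the script is assumed to run with the privileges `iptables` and `at` require.

```shell
#!/bin/sh
# Added illustration: per-client SNAT grant with a fixed lifetime.
# WAN_IF, WAN_IP and LEASE_MIN are assumed values, not from the thread.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.1}"   # constructed documentation address
LEASE_MIN="${LEASE_MIN:-60}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, change nothing

# The address ends up on a root command line, so accept only a strict
# dotted quad: four fields, 0-255, digits only, no leading zeros.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    rest="$1." n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        case "$o" in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Rule body shared by -A and -D so the delete matches the add exactly.
rule_spec() {
    printf '%s' "POSTROUTING -s $1 -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Append one rule and queue one matching delete. A re-login before expiry
# appends a duplicate; each queued -D then removes one copy, so access ends
# when the newest grant expires.
grant() {
    valid_ipv4 "$1" || { echo "rejected client address: $1" >&2; return 1; }
    add="iptables -t nat -A $(rule_spec "$1")"
    del="iptables -t nat -D $(rule_spec "$1")"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$add" "echo '$del' | at now + $LEASE_MIN minutes"
    else
        $add && echo "$del" | at now + "$LEASE_MIN" minutes
    fi
}

# Called from the login CGI after the password check succeeds; REMOTE_ADDR
# is the standard CGI variable holding the client address.
if [ -n "${REMOTE_ADDR:-}" ]; then grant "$REMOTE_ADDR"; fi
```

With `DRY_RUN=1` (the default here) the script only prints the two commands, which is a safe way to check the rule text against `iptables -t nat -S POSTROUTING` before letting it modify the table.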
 
 
Lee Meyrick

 
      08-04-2003, 02:37 PM
Brian Andrus wrote:
> I want to be able to have clients connect their computer to a network,
> get an IP via DHCP and then when they open their web browser have it
> go to a predefined site where they can log in before being allowed to
> browse the net.
>
> I want this authentication to apply to their NAT abilities, not just
> http or such, so a proxy will not work. Also, I don't want them to
> have to do any configuring of their system. Assuming dhcp enabled and
> no proxies set for each client connecting.
>
> Is there a package out there that does this? Can it be done?


You may want to try
http://www.tldp.org/HOWTO/Samba-Auth...y-HOWTO-3.html

HTH

Lee


 