Wireless User Authentication using Linux?

 
 
Jim Reynolds

 
      08-06-2003, 07:47 PM

Forgive me if this is a FAQ-- I'm sure this subject has come up many
times before-- but a good net search didn't get me any leads.

My network consists of a 802.11b wireless D-Link router connected to the
Internet, and through there between 10-20 wireless (Windows) clients use
DHCP to access the Internet. Everything works fine.

What I'd like to do is have each one of those clients login before gaining
access to the Internet. I have the u/p database on a linux box, which I'm
thinking could act as a proxy between the Internet and the Router. I don't
need high security, just something that's not easily circumvented by the
average PC'er.

I was thinking it could work like this:

The linux box sits as a proxy between the router and the Internet. A
wireless client enters the network and is assigned a DHCP address by the
router. Any request to the Internet would have its IP+MAC combination
validated by the "enhanced" proxy server. If it was an unknown combination
or one that hasn't recently been logged in, a "login" page would be
returned prompting the user for a u/p. Once validated, the proxy would
simply forward requests and it would be transparent to the user.

Obviously this would only work for HTTP/S connections, which is OK for
now. It would be nice if there were some session-like timeout capabilities
and light logging supported, but the authentication is the main feature.

Does anything like this currently exist? If not, how practical is the
approach described above?

Any comments appreciated. Thanks.
 
 
 
 
 
Timo Voipio

 
      08-06-2003, 08:43 PM
Jim Reynolds wrote:

> What I'd like to do is have each one of those clients login before gaining
> access to the Internet. I have the u/p database on a linux box, which I'm
> thinking could act as a proxy between the Internet and the Router. I don't
> need high security, just something that's not easily circumvented by the
> average PC'er.


I'd try PPTP. Because it's based on PPP, secure challenge-based
authentication can be implemented. There's a linux server for pptp called
PoPToP <http://poptop.sourceforge.net/>. It claims to work with M$ VPN
(which really is PPTP) included in at least 95 (and up) and NT4 (and up). In
case you want to include Linux clients, there's a Linux client daemon
pptp-client <http://pptpclient.sourceforge.net/>.

HTH, let me know if it works (I'm looking for a same kind of solution), regards,

Timo

--
Timo Voipio | Helsinki, Finland | ICBM at: 60 11.800 N 024 52.760 E
GeekCode ver 3: GU>CC d s-: a--- C++ UL(+)$>+++$ P+>+++ L++(+) E- W++ N++
o? K? w O M- V- PS PE Y+ PGP+ t 5++ X R tv- b++(++++) DI+ D G e- h! r !y
Remove +newsharvested to e-mail me | Poista +newsharvested jos meilaat

 
 
/dev/rob0

 
      08-07-2003, 04:37 AM
In article <bgrp91$rqfn7$(E-Mail Removed)>,
Timo Voipio wrote:
> I'd try PPTP. Because it's based on PPP, secure challenge-based


Why PPTP in particular? Just because it's supported in Windows? There
are IMO better VPN's even for Windows. The VPN I use, OpenVPN, is also
PPP-like, and can use numerous sophisticated authentication methods.
Windows support was just announced last month.

I think you're right about a VPN being a good solution especially for
wireless; encryption can be employed to inhibit sniffers. I'm just
doubtful that PPTP is the best solution. IPSec or CIPE, perhaps, if not
OpenVPN.

> HTH, let me know if it works (I'm looking for a same kind of solution), regards,


Did you catch the thread from 2-3 days ago? My post:
Message-Id: <(E-Mail Removed)>
It's an idea along the lines of what the OP was thinking.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 
 
Jim Reynolds

 
      08-07-2003, 07:01 PM

Thanks everyone for your replies.

One of the requirements I should have added is that no special software
should be required on the clients. Most of the people using this set-up
are not very computer savvy. I need a set-up that has the highest possible
ease-of-use and is very portable. I don't want to rely on software that
might be on the standard Windows install, or run the risk of people
breaking their existing configurations trying to use my network.

Correct me if I'm wrong, but I believe this would eliminate PPTP and VPN's.
Granted they may be more technically robust choices, but I'm concerned
that they'd be too complicated for my users.

The good news is that I was able to perform more targeted searches
and may have come across something: Horatio - Authenticated Network Access

http://www.cs.utexas.edu/users/mcgui...tware/horatio/

Snippet from the website:

|
| When a legitimate user connects his or her host, it is assigned an address
| by a DHCP server (such as dhcpd), but is unable to contact anything
| outside the untrusted network. The user must point a web browser at
| the horatio web server, which runs on the firewall machine, and provide a
| username and password. Once the username and password have been validated,
| the firewall rules are modified to allow the host access to the rest of
| the network.
|

Also check out the Authentication Gateway HOWTO.

http://www.itlab.musc.edu/~nathan/au...ation_gateway/

I've got a lot more reading to do, but it sounds like I'm onto something!

Thanks again.
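
The gateway logic discussed in this thread (the IP+MAC check with a login page and session timeout from the first post, and the Horatio approach of changing firewall rules after a successful login), sketched as an added example that is not part of the original posts and is not Horatio's code. The class and method names, the sample account and the use of the iptables FORWARD chain are assumptions; the rules are returned as argument lists and are not executed.

```python
import hashlib, hmac, ipaddress, re, time

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Gateway:  # hypothetical name; tracks logged-in (IP, MAC) pairs
    def __init__(self, users, idle_timeout=900, clock=time.time):
        self.users, self.idle_timeout, self.clock = users, idle_timeout, clock
        self.sessions = {}  # (ip, mac) -> [username, last_seen]
        self.log = []       # light audit trail: (time, ip, mac, user, event)

    def _rule(self, action, ip, mac):
        # iptables argv that opens (-I) or closes (-D) forwarding for one pair
        return ["iptables", action, "FORWARD", "-s", ip,
                "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]

    def login(self, ip, mac, username, password):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError("malformed MAC address")
        ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on bad input
        # Unknown users get a dummy record so the hash is still computed
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        self.log.append((self.clock(), ip, mac, username,
                         "login-ok" if ok else "login-fail"))
        if ok:
            self.sessions[(ip, mac)] = [username, self.clock()]
        return self._rule("-I", ip, mac) if ok else None

    def check(self, ip, mac):
        """Per-request decision for the proxy: 'forward' or 'login-page'."""
        entry = self.sessions.get((ip, mac.lower()))
        if entry and self.clock() - entry[1] <= self.idle_timeout:
            entry[1] = self.clock()  # activity refreshes the idle timer
            return "forward"
        return "login-page"

    def expire(self):
        """Drop idle sessions and return the iptables argv that revokes each."""
        now, revoke = self.clock(), []
        for key in [k for k, v in self.sessions.items()
                    if now - v[1] > self.idle_timeout]:
            user = self.sessions.pop(key)[0]
            self.log.append((now, *key, user, "timeout"))
            revoke.append(self._rule("-D", *key))
        return revoke

# Constructed sample account, not taken from the thread
USERS = {"alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt"))}
```

A real gateway would call `expire()` periodically and run the returned commands with root privileges, with a default rule that drops forwarded traffic from clients that have not logged in.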
 