From ken at jots.org Mon Dec 18 00:29:36 2006
From: ken at jots.org (ken at jots.org)
Date: Mon, 18 Dec 2006 03:29:36 -0500 (EST)
Subject: [NoCat] "Dumb," static authentication?
Message-ID: <47321.75.67.222.237.1166430576.squirrel@webmail.jots.org>

Hi, all. (First and foremost, I hope this is the right list; I usually
hesitate to e-mail "developers'" lists with usage questions, but that
seemed to be how it's done here, so...)

I'm about to set up a captive portal for my company -- specifically, for
visitors/contractors. We don't want anything over-the-top; all we need is
for ONE static password to be implemented, which we'll change on a (say)
weekly basis. Basically, we're just looking to discourage the casual
peruser. Since the WAP in question is outside our firewall, it's not like
we're worried about security -- we just don't want to be an open access
point. However, the docs that I've found all seem to imply RADIUS or an
SQL database, etc. Is there any way to just do a query against a local
text file, or PAM, or something?

Thanks!

-Ken D'Ambrosio


From alain at ait.ac.th Mon Dec 18 01:03:26 2006
From: alain at ait.ac.th (Alain Fauconnet)
Date: Mon, 18 Dec 2006 10:03:26 +0100
Subject: [NoCat] "Dumb," static authentication?
In-Reply-To: <47321.75.67.222.237.1166430576.squirrel@webmail.jots.org>
References: <47321.75.67.222.237.1166430576.squirrel@webmail.jots.org>
Message-ID: <4586595E.7030305@ait.ac.th>

Hello Ken,

ken at jots.org wrote:
> Hi, all. (First and foremost, I hope this is the right list; I usually
> hesitate to e-mail "developers'" lists with usage questions, but that
> seemed to be how it's done here, so...)

Honestly I'm not sure there is much development going on or any
developer on this list (or any at all). This list is almost dead anyway.

> I'm about to set up a captive portal for my company -- specifically, for
> visitors/contractors. We don't want anything over-the-top; all we need is
> for ONE static password to be implemented, which we'll change on a (say)
> weekly basis. Basically, we're just looking to discourage the casual
> peruser. Since the WAP in question is outside our firewall, it's not like
> we're worried about security -- we just don't want to be an open access
> point. However, the docs that I've found all seem to imply RADIUS or an
> SQL database, etc. Is there any way to just do a query against a local
> text file, or PAM, or something?

Are you talking about the original, Perl-based version? Or the new one
written in C(++?), which I'm not familiar with? The old Perl-based version
had authentication based on flat files (see passwd, group, groupadm in
./etc and the 'admintool' program) and should be good enough for your
needs. I'd go for the 'Actares' fork of the Perl version, which has quite a
few serious bug fixes merged in
(http://www.actares.com/nocat-0.82-actares.tar.gz).

Greets,
_Alain_


From ken at jots.org Mon Dec 18 01:42:00 2006
From: ken at jots.org (ken at jots.org)
Date: Mon, 18 Dec 2006 04:42:00 -0500 (EST)
Subject: [NoCat] 'Dumb,' static authentication?
In-Reply-To: <4586595E.7030305@ait.ac.th>
References: <47321.75.67.222.237.1166430576.squirrel@webmail.jots.org>
	<4586595E.7030305@ait.ac.th>
Message-ID: <41202.75.67.222.237.1166434920.squirrel@webmail.jots.org>

On Mon, December 18, 2006 4:03 am, Alain Fauconnet wrote:
> Hello Ken,
>
> ken at jots.org wrote:
>> Hi, all. (First and foremost, I hope this is the right list; I usually
>> hesitate to e-mail "developers'" lists with usage questions, but that
>> seemed to be how it's done here, so...)
>
> Honestly I'm not sure there is much development going on or any
> developer on this list (or any at all). This list is almost dead anyway.

Ah, well. In that case, I guess I won't be intruding too much. ;-)

> Are you talking about the original, Perl-based version? or the new one
> written in C(++?) I'm not familiar with. The old Perl-based version had
> authentication based on flat files (see passwd, group, groupadm in ./etc
> and the 'admintool' program) and should be good enough for your needs. I'd
> go for the 'Actares' fork of the Perl version which has quite a few
> serious bug fixes merged in
> (http://www.actares.com/nocat-0.82-actares.tar.gz)

Looks like I'm looking at nocatsplash -- the C-based one. The reason being,
I'm looking to run it on my WAP via OpenWRT. I know there are other captive
portal solutions for OpenWRT, but NoCat(splash) seemed to be the closest to
my needs.

Thanks for the reply!

-Ken


From tjaqua at efn.org Tue Dec 19 04:47:48 2006
From: tjaqua at efn.org (Troy M Jaqua)
Date: Tue, 19 Dec 2006 04:47:48 -0800 (PST)
Subject: [NoCat] 'Dumb,' static authentication?
Message-ID: <46984.67.40.252.74.1166532468.squirrel@67.40.252.74>

Hi Ken,

ken at jots.org said:
> On Mon, December 18, 2006 4:03 am, Alain Fauconnet wrote:
>> Hello Ken,
>>
>> ken at jots.org wrote:
>>> Hi, all. (First and foremost, I hope this is the right list; I usually
>>> hesitate to e-mail "developers'" lists with usage questions, but that
>>> seemed to be how it's done here, so...)
>>
>> Honestly I'm not sure there is much development going on or any
>> developer on this list (or any at all). This list is almost dead anyway.
>
> Ah, well. In that case, I guess I won't be intruding too much. ;-)
>

Please see below for info about another dev-list where we are currently
welcoming discussion of splashd (yes, the C implementation) design, usage
and/or development. Our company has contemplated fully adopting splashd's
development (and hosting) for some time. Does anyone on nocat-dev have any
comments or feelings on this? Does anyone wish to volunteer to help with
testing or coding implementation?

>> Are you talking about the original, Perl-based version? or the new one
>> written in C(++?) I'm not familiar with. The old Perl-based version had
>> authentication based on flat files (see passwd, group, groupadm in ./etc
>> and the 'admintool' program) and should be good enough for your needs. I'd
>> go for the 'Actares' fork of the Perl version which has quite a few
>> serious bug fixes merged in
>> (http://www.actares.com/nocat-0.82-actares.tar.gz)
>
> Looks like I'm looking at nocatsplash -- the C-based one. The reason being,
> I'm looking to run it on my WAP via OpenWRT. I know there are other captive
> portal solutions for OpenWRT, but NoCat(splash) seemed to be the closest to
> my needs.
>

Our open-source WAP firmware, called EWRT, contains a much improved version
of NoCat splashd. We have spent a great deal of time stabilizing it and
optimizing it to be run and administered from the Linksys WRT routers. We
have added many user-requested features, and now support 4 modes of
authentication: Open (splash/redirect without login), password (user and/or
password based auth), passive (a request is redirected to an external
server with a dynamic token added; it returns the token if the client
completes auth), and RADIUS-mode (Auth and Acct proxy). We also have
packages for WifiDog and Chillispot, but we too feel that splashd is the
easiest to use as a standalone hotspot, so it gets the most integration on
our base system (it's even configurable from the web admin interface).

I just recently finished the implementation of the password-mode feature
you are looking for. Password mode typically maps a set of usernames to
(currently plain-text) passwords in a flat file, and keeps local accounts
(e.g. of elapsed login time) on each user; when they reach a quota they are
locked out until the account is reactivated. It can also be used as you
suggest: by disabling the quota, and using a login page containing a POST
with a type="hidden" username field -- thus giving everyone who knows the
password a default timeout, without ever expiring the account. The password
file (and all Splash/Login/Logout-pages' content) is stored on the
rewritable flash partition built into our firmware. A package update is
currently pending which adds an invalid-login page, and fixes the manual
logout method. Idle auto-logout is also working.

If you own any version of Linksys WRT, you can try our firmware out right
now, by downloading a binary from:

  http://www.portless.net/menu/ewrt/

Ewrt-0.4.4 is the latest stable version, and is recommended. To get set up
with the password-mode splashd (open-mode splashd is installed in the
default ewrt base system), you will need to install and configure the
nocat-pwd ipkg from our website:

  0. Install the base EWRT firmware binary image from the Upgrade tab of
     the Linksys web interface, or via the boot_wait+tftp method
     (instructions are in the HOWTOs on our website).

  1. Wait for the upgrade to finish before touching anything on the router.

  1.5 It's usually best (but not always necessary) to reset to nvram
     defaults (by holding the reset button on the back for 5 seconds) after
     upgrading (especially if you are getting rid of another nasty third
     party firmware ;)

  2. Log in to the EWRT web-admin interface, and configure your WAN and LAN
     settings to get the router connected to the Internet, and resolving
     DNS properly. It is probably also a good idea to set a new password
     and enable boot_wait right now in the Administration tab.

  3. Log in via ssh (defaults: root@, password: admin; sometimes takes a
     couple of minutes to negotiate session keys) and run the following
     commands:

       # nvram set lan_gateway_enable="0"
       # nvram set lan_gateway=""
       # nvram set lan_dns_enable="0"
       # nvram set lan_dns=""
       # nvram set lan_wan_proxy_arp="0"
       # nvram set lan_wan_bridge="0"
       # nvram commit
       # reboot

     (the above are defaults that didn't get set automatically in 0.4.4,
     which may cause your default route or DNS on the WAN not to work)

  4. Ssh in again, and run:

       # ipkg update
       # ipkg install nocat-pwd
       # nvram set NC_DocumentRoot="/opt/etc/nocat/htdocs/"
       # nvram set NC_binary_path="/opt/usr/sbin/"
       # nvram set NC_binary_name="splashd-pw"
       # nvram set NC_LeaseFile="/opt/etc/nocat/nocat.leases"
       # nvram commit

  5. Edit the /opt/etc/nocat/nocat-pw.txt file to change the user/pass
     mappings (accounts with 3rd field 0 get default LoginTimeout && never
     expire).

  6. Edit the /opt/etc/nocat/htdocs/splash.html to customize the login page
     (and/or add the "hidden" username field).

Our next base system release is coming very soon, and will support many of
the other WAP devices based upon the Broadcom mipsel platform, and maybe
even some on other architectures! It will also contain a few bugfixes, new
features, and some new packages and modules.

Subscribe to our dev-list to ask questions and stay informed, at:

  http://www.portless.net/mailman/listinfo/ewrt-devel/

> Thanks for the reply!
>
> -Ken

Troy Jaqua
Primary Developer of the EWRT Project
Portless Networks
http://www.portless.net
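Added example (not EWRT or splashd code): a small Python model of the password-mode accounting Troy describes, covering both the per-user quota with lock-out and reactivation, and the quota-0 "hidden username" case that gives everyone the default LoginTimeout without expiring. The file layout of nocat-pw.txt (whitespace-separated user, password, quota in seconds), the default timeout value and the sample accounts are all assumptions.

```python
import hmac
from dataclasses import dataclass
DEFAULT_LOGIN_TIMEOUT = 1800  # assumed default LoginTimeout, in seconds
# Constructed nocat-pw.txt sample; field layout is assumed: user, password,
# quota in seconds (0 = default timeout, never expires). "visitor" is the
# shared account a hidden username field on splash.html would submit.
SAMPLE_PW_FILE = """\
visitor  weekly-pass  0
alice    s3cret       3600
bob      hunter2      600
"""

@dataclass
class Account:
    password: str     # plain text, as the post says
    quota: int        # 0 = no quota
    elapsed: int = 0  # seconds of login time consumed so far
    def locked(self):
        return self.quota != 0 and self.elapsed >= self.quota

def parse_pw_file(text):
    """Parse the flat user/pass/quota file into a dict of Account objects."""
    accounts = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed line: {line!r}")
        accounts[parts[0]] = Account(parts[1], int(parts[2]))
    return accounts

def login(accounts, user, password):
    """Return the session length in seconds to grant, or None to refuse."""
    acct = accounts.get(user)
    # Constant-time compare, run even for unknown users, so timing leaks nothing.
    expected = acct.password if acct else ""
    ok = hmac.compare_digest(expected.encode(), password.encode())
    if acct is None or not ok or acct.locked():
        return None
    if acct.quota == 0:
        return DEFAULT_LOGIN_TIMEOUT
    return min(DEFAULT_LOGIN_TIMEOUT, acct.quota - acct.elapsed)

def logout(accounts, user, seconds_used):
    # Charge a finished session against the quota (no-op for quota 0).
    if accounts[user].quota:
        accounts[user].elapsed += seconds_used

def reactivate(accounts, user):
    # Operator resets a locked-out account so it can log in again.
    accounts[user].elapsed = 0
```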