
Captive Portals

Most of the discussions on Wi-Fi security are focused on keeping the general public out of wireless networks. This kind of 'brick-wall' security sees a sharp division between private and public use of Wi-Fi connections, especially those leading out onto the Internet.

The issue is not always so cut-and-dried. Some individuals and groups feel that making Internet access ubiquitous by sharing Net connections wirelessly is the way to go, especially in places where cable and telco organizations are keeping prices high on broadband services. Sharing Net connections makes the issue not one of stopping access to Wi-Fi networks by the general public, but one of managing it. Technological means have been suggested for doing this, and a few have begun to appear. By far the most important of these technologies is the captive portal.

The notion of a captive portal is older than Wi-Fi, and has been used for years to manage Internet access through 'rented wires' in places like airports, hotels, and Internet cafes. (I've used Wayport's wired captive portal system in hotel rooms around the world. See Chapter 10 for more on Wayport.) In a Wi-Fi context, a captive portal is a feature-rich wireless access point, specifically designed to manage (and optionally charge for) connections to a wireless network by people not (entirely) trusted by the owner of the network. A captive portal's major tasks are as follows:

  • It establishes a strong firewall between the wireless access mechanism and the wired LAN to which the portal is attached. Most access points are simply hubs and do not contain firewalls at all, and are usually connected inside the network firewall. This is usually trouble, especially in corporate applications.

  • In those cases where the portal is part of a larger network of access points (often forming a community network or a fee-based network like Boingo) it identifies and authenticates members of the network community.

  • It manages network traffic priority according to some sort of plan. Generally, the node owner has the highest priority for all bandwidth. Network members have lower priority, and non-members have the lowest priority of all.

  • It sets limits on the bit rate that certain classes of users are allowed. As with traffic priority, the node owner generally gets the highest bit rate the node supports. Network members may be limited to a lower bit rate, and nonmembers to an even lower bit rate.

Some captive portals support additional features, but these are the major tasks that define a captive portal vis-a-vis a simple wireless access point.

Keep in mind that an 'access point' isn't always a dedicated little box you buy in a shrink-wrapped package at Best Buy. A computer with an Ethernet network interface controller (NIC) and a wireless client adapter can operate as an access point under the control of appropriate software. The software 'overrides' the software stored inside the client adapter (the client adapter's firmware) and makes the client adapter operate differently. If all the correct software functions are available, the computer will look like an access point to client adapters in the vicinity, and will coordinate associations with those client adapters just as an access point would. Most (but not all) captive portal implementations use a computer with a client adapter card installed in it.

What a User Sees

The captive portal implementations that I have used are all based on the Web protocol (http) and Web browsers. If you've ever used a fee-based wireless Net access system at a coffee shop or hotel (Boingo is typical), you have probably encountered a captive portal. Here's how it works:

  1. You crank up your wireless laptop. The portal's hotspot is usually 'wide open' and will associate with any wireless client adapter. However, the network connection isn't 'live' yet, even once you associate. You must first launch a Web browser.

  2. Your Web browser's requests for URLs are redirected to a particular Web address, which is the only address you can see at first. So no matter what URL you might try to request, you'll get the designated portal entry page. You are still a 'captive' of that portal entry page, hence the term 'captive portal.' The portal isn't the captive… you are the captive of the portal!

  3. This Web site may request a user name and password, or (for 'open' community networks) simply display a 'terms and conditions' page for legal reasons. If you don't have an account with that portal, the server may offer you the opportunity to create one. In one way or another, the portal authenticates you according to its established rules.

  4. After authentication, the portal closes the authentication page, opens your connection to the Internet, and allows your Web browser's URL requests to go to their true destinations. You're 'in.'
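The four tasks listed earlier and the four user-visible steps above, as an added example in Python (not code from the book, NoCatAuth or Sputnik): a toy portal that firewalls the wireless side, redirects unauthenticated browsers to the portal page while remembering the URL they asked for, classifies a client as owner, member or guest (the text's "non-member"), and returns each class's priority and bit-rate cap. The portal address, the account store, the class name `guest` and the policy numbers are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote

PORTAL_URL = "http://portal.example.invalid/login"  # assumed portal entry page

# Per-class (priority, bit-rate cap in kbit/s); constructed values that follow the
# owner > member > nonmember ordering in the text. None means uncapped.
POLICY = {"owner": (0, None), "member": (1, 1024), "guest": (2, 128)}

@dataclass
class CaptivePortal:
    members: dict  # username -> password, constructed account store
    owner_macs: set  # the node owner's own adapters
    sessions: dict = field(default_factory=dict)  # client MAC -> user class

    def associate(self, mac):  # wide open: anyone associates, but nothing is live yet
        self.sessions.pop(mac, None)

    def filter_packet(self, mac, dport):
        """Firewall between the wireless side and the wired LAN (task 1)."""
        if mac in self.sessions:
            return "accept"
        if dport == 53:  # DNS must resolve or the browser never issues a request
            return "accept"
        if dport == 80:  # plain HTTP is captured and answered by the portal itself
            return "intercept"
        return "drop"  # everything else from a captive client is discarded

    def handle_http(self, mac, url):
        """Unauthenticated browsers go to the portal page; the requested URL is kept."""
        if mac in self.sessions:
            return ("forward", url)
        return ("redirect", f"{PORTAL_URL}?next={quote(url, safe='')}")

    def login(self, mac, username=None, password=None, accepted_terms=False):
        """Classify the client by the portal's rules (task 2), or refuse it."""
        if mac in self.owner_macs:
            cls = "owner"
        elif username in self.members and secrets.compare_digest(self.members[username], password or ""):
            cls = "member"
        elif accepted_terms:  # open community network: a terms page is enough
            cls = "guest"
        else:
            return None
        self.sessions[mac] = cls
        return cls

    def shaping(self, mac):  # priority and cap for an authenticated client (tasks 3 and 4)
        return POLICY[self.sessions[mac]]
```

Binding a session to a client's MAC address, as portals of this kind do, is a weak identity, which is one more reason the portal belongs on the outside of the wired LAN's firewall rather than inside it.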

That's the road warrior's view of captive portals, which I feel will become the standard way to access the Internet wirelessly through both free and fee-based hotspots.

There are some variations on this theme. Boingo, for example, depends on a client application that you install on your laptop when you establish a Boingo account. When your laptop associates with a Boingo hotspot, the client application handles the conversation with the captive portal. Boingo is one of the slickest Net access systems I've ever used, and I think its client-application authentication model will eventually be adopted by others. See Chapter 10 for more on Boingo and other wireless hotspot networks catering to business travelers.

Creating Your Own Captive Portal

People at the heart of the community networks movement have led the way in creating open-source (that is, free and 'no-secrets' software) implementations of captive portals. The original free portal package is NoCatAuth, created by the people at NoCatNet in Sebastopol, California. My personal favorite is Sputnik (which draws on NoCatAuth), because it is probably the easiest to set up and use.

You can use a captive portal to share your broadband connection either as a lone wolf hotspot, or as part of a larger community or fee-based network. If you want to join a fee-based network like Boingo, the software will generally be handed to you as a turnkey solution, at a price. For use in a community network, the software is usually free, but you'll have to do a fair amount of pretty technical work yourself.

That's a serious issue and something to keep in mind: If you aren't fairly adept with the Unix command line and Unix networking, you're going to have trouble. All of the free portals I know of are based on some flavor of Unix, either Linux or BSD. Windows 9x is completely hopeless from a server-side networking standpoint, and Windows 2000 Server is neither cheap nor as reliable or easy to use as Microsoft insists. Linux, on the other hand, will run for months without requiring a reboot. (I once had my Linux box going for 96 days straight, between power outages here, and it never burped. Try that with Windows!) Needless to say, you had also better be keenly familiar with TCP/IP, firewalls, routing, DHCP, and all that other server-side machinery. Knowing Perl helps. (NoCatAuth is a Perl app.)

The free portal software runs on a dedicated PC; you can't run the portal on a computer and then use the computer for other things as well. The PC can be pretty minimal; Sputnik will run well on a 486 with as little as 32 MB RAM and doesn't even need a hard drive. Typically, a portal requires:

  • A working Intel motherboard, 486-33 or better, 32 MB RAM or better

  • A modest-sized hard drive (maybe; Sputnik boots from CD-ROM)

  • An Ethernet NIC

  • A wireless client card, ideally one incorporating the Prism chipset

Junker PCs in this class lurk almost everywhere in suburbia, hiding in basements and closets because people have this hangup about putting something out on the curb when it once cost them $2,000, even if its current value asymptotically approaches zero. Ask around; you'll get one, and maybe a spare, or if you're not careful, a garage full.

The very best way to learn about community network implementation is to join or form a group in your area, and work with other people who may have more experience than you do, or experience in different areas. These groups are appearing all over the country; ask around or search on the Web. Good, detailed books on the topic will appear over time (I intend to write one myself), but in these early stages there's nothing to beat face-to-face cooperation with other interested people.

As useful as they are in building community networks, there is a physical problem with captive portal systems running on old PCs: It's very difficult to put them close to an outside antenna, particularly one set high and in the clear to increase the size of your hotspot. Losses through runs of coaxial cable longer than ten or twelve feet can be crippling unless you use Andrew Heliax or Times Microwave LMR 600 or LMR 900, all of which are fairly stiff and extremely expensive. (Heliax N connectors alone cost $30 to $40 each!) You can sometimes scrounge odd lengths of Heliax at amateur radio hamfests (basically flea markets for technology junk; that's where I've gotten mine) but it's hard to be sure you'll find just what you want precisely when you want it.

There's lots of room for experimentation here. If you're good with PC hardware you can probably buy a small-footprint Intel motherboard and build a weatherproof PC to mount right up on the roof, and control it remotely. (The reigning champ in the tiny motherboard wars is the Mini-ITX; see http://www.mini-itx.com.) Surplus military steel ammunition cans are cheap and abundant and worth exploring for uses like that. People are building the Mini-ITX into toasters; surely you could build it into an ammo can!

Another thing to do is follow the OpenAP project, which actually replaces an ordinary access point's firmware with an implementation of Linux. When last I looked they didn't have captive portal software for OpenAP, but it's an obvious thing to do with a Linux-programmable access point, and I suspect it will happen eventually.

To help you learn more about the available captive portal programs and projects, I've included a set of reference links in Table 5.2.

Table 5.2: Captive Portal Software and Related Links.

  Program Name    Link
  NoCatAuth       http://nocat.net/download/NoCatAuth/
  OpenAP          http://opensource.instant802.com/
  Sputnik         http://www.sputnik.com/

The subject of captive portal installation, configuration, and use is an extremely technical topic, and tightly tied to the larger issue of community networks. I can't do that topic justice in less than an entire book. A lot is happening on this front so stay tuned.


Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
Year: 2005
Pages: 181