[squid-users] Dual-stack IPv4/IPv6 captive portal

Steve Hill steve at opendium.com
Fri Feb 27 17:55:39 UTC 2015


On 27.02.15 17:00, Michele Bergonzoni wrote:

> This is true for v6 if the client uses its MAC as an identifier,
> which it's not supposed to do and last time I checked was not true
> for Windows, or if clients or DHCP relays support RFC6939, which is
> quite new. See for example:
>
> https://lists.isc.org/pipermail/kea-dev/2014-June/000043.html

Oh, interesting - I hadn't realised that.

> Have you thought about engineering your captive portal with a dual
> stack DNS name (having both A and AAAA), a v4 only and a v6 only, and
> having your HTML embed requests with appropriate identifiers to
> correlate addresses? Of course there are HTTP complications and it is
> not perfect, but I guess that as long as it's a captive portal,
> kludginess cannot decrease below some level.

That was one of my options.  However, it won't work in the case of WISPr 
auto-logons because the page wouldn't be rendered by the client, so you 
wouldn't expect it to fetch embedded bits either.

> I am really interested to hear what people are doing in the field of
> squid-powered captive portals, even more when interoperating with
> iptables/ip6tables.

At the moment, we've written a hybrid captive portal/http-auth system. 
Essentially, we use HTTP proxy auth where we can and a captive portal 
where we can't.  HTTP proxy auth is preferable because every request 
gets authenticated individually and we can use Kerberos.  Unfortunately 
a lot of software doesn't support it properly (I'm looking at you, apple 
and google, although everyone else is getting pretty bad at it too) and 
it also can't be used for transparent proxying (and again, a lot of 
software just doesn't bother to support proxies these days, and it's 
only getting worse).  So we use the user-agent string to try and 
identify the clients we can safely authenticate, and the rest rely on 
cached credentials or captive portal.

Yes, it's a horrible bodge, but unfortunately that's where modern 
software is driving us. :(  For iOS and Android you can pretty much 
forget using pure HTTP proxy authentication.  Luckily iOS can use WISPr 
to automatically log into a portal, sadly vanilla Android still doesn't 
include a WISPr client (I'd put money on this being down to patents!).


-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messenger: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com

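The dual-stack correlation Michele suggests above, as an added illustration that is not part of this thread or of any project mentioned in it: the portal issues a token, serves a page that embeds one beacon on a v4-only name and one on a v6-only name (the hostnames are placeholders), records the source address of each beacon request, and only then emits iptables/ip6tables rules for both addresses. As Steve points out, this depends on the client actually rendering the page, so a WISPr auto-logon never fires the beacons and the session stays incomplete.

```python
import secrets
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder hostnames: portal4 has only an A record, portal6 only an AAAA record.
V4_ONLY_HOST = "portal4.example"
V6_ONLY_HOST = "portal6.example"


@dataclass
class Session:
    token: str
    v4: Optional[str] = None
    v6: Optional[str] = None


class Correlator:
    """Binds a client's IPv4 and IPv6 addresses to one portal session via a token."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # Unguessable per-client token; it is the only link between the two beacons.
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(token)
        return token

    def page_html(self, token: str) -> str:
        # Served on the dual-stack name; each beacon is forced onto one address family.
        return (f'<img src="http://{V4_ONLY_HOST}/beacon?t={token}">'
                f'<img src="http://{V6_ONLY_HOST}/beacon?t={token}">')

    def beacon(self, token: str, remote_addr: str) -> bool:
        # Called for each beacon hit; records the source address by family.
        session = self.sessions.get(token)
        if session is None:
            return False  # unknown or expired token: ignore, never bind anything
        addr = ipaddress.ip_address(remote_addr)
        if addr.version == 4:
            session.v4 = str(addr)
        else:
            session.v6 = str(addr)
        return True

    def complete(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.v4 is not None and s.v6 is not None

    def firewall_rules(self, token: str) -> List[str]:
        # Emit rules only once both families are known, so neither is left unauthenticated.
        if not self.complete(token):
            return []
        s = self.sessions[token]
        return [f"iptables -I FORWARD -s {s.v4} -j ACCEPT",
                f"ip6tables -I FORWARD -s {s.v6} -j ACCEPT"]
```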
