[squid-users] Dual-stack IPv4/IPv6 captive portal
Steve Hill
steve at opendium.com
Fri Feb 27 17:55:39 UTC 2015
On 27.02.15 17:00, Michele Bergonzoni wrote:
> This is true for v6 if the client uses its MAC as an identifier,
> which it's not supposed to do and last time I checked was not true
> for Windows, or if clients or DHCP relays support RFC6939, which is
> quite new. See for example:
>
> https://lists.isc.org/pipermail/kea-dev/2014-June/000043.html
Oh, interesting - I hadn't realised that.
> Have you thought about engineering your captive portal with a dual
> stack DNS name (having both A and AAAA), a v4 only and a v6 only, and
> having your HTML embed requests with appropriate identifiers to
> correlate addresses? Of course there are HTTP complications and it is
> not perfect, but I guess that as long as it's a captive portal,
> kludginess cannot decrease below some level.
That was one of my options. However, it won't work in the case of WISPr
auto-logons because the page wouldn't be rendered by the client, so you
wouldn't expect it to fetch embedded bits either.
> I am really interested to hear what people are doing in the field of
> squid-powered captive portals, even more when interoperating with
> iptables/ip6tables.
At the moment, we've written a hybrid captive portal/http-auth system.
Essentially, we use HTTP proxy auth where we can and a captive portal
where we can't. HTTP proxy auth is preferable because every request
gets authenticated individually and we can use Kerberos. Unfortunately
a lot of software doesn't support it properly (I'm looking at you, Apple
and Google, although everyone else is getting pretty bad at it too) and
it also can't be used for transparent proxying (and again, a lot of
software just doesn't bother to support proxies these days, and it's
only getting worse). So we use the user-agent string to try and
identify the clients we can safely authenticate, and the rest rely on
cached credentials or captive portal.
Yes, it's a horrible bodge, but unfortunately that's where modern
software is driving us. :( For iOS and Android you can pretty much
forget using pure HTTP proxy authentication. Luckily iOS can use WISPr
to automatically log into a portal, sadly vanilla Android still doesn't
include a WISPr client (I'd put money on this being down to patents!).
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
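The dual-stack correlation idea from the quoted message (a portal page on a dual-stack name that embeds two beacon requests, one to a v4-only name and one to a v6-only name, both carrying the same per-session identifier, so the server can link the two source addresses) worked through as an added Python example. This is not code from this thread, from Squid or from Opendium; the hostnames are hypothetical, the beacon endpoints' web-server routing is assumed to call `record_hit()` with the request's source address, and the token TTL is a made-up value. It also handles the case a dual-stack listener produces in practice, an IPv4 client arriving as an IPv4-mapped IPv6 address.

```python
"""Correlate a client's IPv4 and IPv6 addresses via a dual-stack captive portal.

Added example, not code from the squid-users thread, Squid or Opendium.
Assumed flow: the portal page is served from a dual-stack name, embeds two
beacon URLs (v4-only and v6-only hostnames, hypothetical below) tagged with a
per-session token, and the beacon handler calls record_hit() with the token
and the request's source address. correlate() returns the linked pair once
both families have checked in.
"""
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

V4_ONLY_HOST = "portal-v4.example.net"  # hypothetical: A record only
V6_ONLY_HOST = "portal-v6.example.net"  # hypothetical: AAAA record only
TOKEN_TTL = 120  # seconds a half-completed correlation is kept (assumed value)


@dataclass
class Session:
    created: float
    v4: Optional[str] = None
    v6: Optional[str] = None


class PortalCorrelator:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested offline
        self._sessions: Dict[str, Session] = {}

    def new_token(self) -> str:
        """Mint an unguessable token when the portal page is first served."""
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(created=self._now())
        return token

    def beacon_html(self, token: str) -> str:
        """HTML fragment the portal page embeds; each request reveals one family."""
        return (
            f'<img src="http://{V4_ONLY_HOST}/beacon?t={token}" alt="">\n'
            f'<img src="http://{V6_ONLY_HOST}/beacon?t={token}" alt="">'
        )

    def record_hit(self, token: str, remote_addr: str) -> bool:
        """Attach the source address of a beacon request to its session.

        Returns False for unknown/expired tokens, unparsable addresses, or a
        repeat hit on a family already recorded (only the first hit counts).
        """
        self._expire()
        sess = self._sessions.get(token)
        if sess is None:
            return False
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        # A dual-stack socket may report an IPv4 client as ::ffff:a.b.c.d;
        # unwrap it so it is stored as the IPv4 address it really is.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if addr.version == 4 and sess.v4 is None:
            sess.v4 = str(addr)
        elif addr.version == 6 and sess.v6 is None:
            sess.v6 = str(addr)
        else:
            return False
        return True

    def correlate(self, token: str) -> Optional[Tuple[str, str]]:
        """(ipv4, ipv6) once both beacons have been seen, else None."""
        sess = self._sessions.get(token)
        if sess is not None and sess.v4 is not None and sess.v6 is not None:
            return sess.v4, sess.v6
        return None

    def _expire(self) -> None:
        """Drop sessions older than TOKEN_TTL, including half-finished ones."""
        cutoff = self._now() - TOKEN_TTL
        stale = [t for t, s in self._sessions.items() if s.created < cutoff]
        for t in stale:
            del self._sessions[t]
```

The expiry path is the practical caveat Steve raises: a WISPr auto-logon client never renders the page, so neither beacon is fetched and the session ages out with at most the address from the initial request. Any firewall rule derived from `correlate()` should therefore only ever cover the two addresses actually observed, never an inferred one.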