Dual stack hotspot/captive portal
dwhite at olp.net
Wed Feb 23 20:12:18 CET 2011
On 23/02/11 12:20 -0600, Jima wrote:
>On 02/23/2011 11:39 AM, Ben Jencks wrote:
>> Does anyone have experience setting up dual stack captive portal
>> systems, e.g. for wireless hotspots? The difficulty is in tying the
>> user's identity (as they log into the portal) to *all* of their IP
>> addresses. With v4 it's easy, they only have one address and it's the
>> one they use to log into the captive portal. With dual stack they have
>> at least two: v4 and v6, plus possibly v6 privacy addresses that change
>> over time.
>> The only option seems to be identifying users by MAC address post-login,
>> but that's still imperfect. With v4 you can use the DHCP lease table to
>> tie MACs to IPs, but with v6 the best I can think of is monitoring the
>> neighbor table. Has anyone come up with any better solutions?
> I can't say I've done it or encountered any packaged solutions, but if
>I were working on this, I'd take a serious look at shoehorning a bridge
>(even a single-device bridge) into the mix and doing MAC-based permissions
>via ebtables. (Under Linux, anyway; I'm not sure what approach I'd take
>under any other OS.) Not the most helpful, I realize, but it might be
>someplace to start.
This is a pretty timely thread for us. I was just asking our captive portal
vendor yesterday (Lokbox, no response yet) what software release they might
have available for IPv6 support.
Another approach I've been thinking about is enabling dynamic VLAN
assignment on our Cisco controller, via RADIUS or some other method,
putting clients into their own individual /64 space and then see if our
captive portal can do its magic based on subnet rather than IP address.
More information about the ipv6-ops