Dual stack hotspot/captive portal
ben at bjencks.net
Wed Feb 23 20:18:51 CET 2011
On Feb 23, 2011, at 1:20 PM, Jima wrote:
> On 02/23/2011 11:39 AM, Ben Jencks wrote:
>> Does anyone have experience setting up dual stack captive portal systems, e.g. for wireless hotspots? The difficulty is in tying the user's identity (as they log into the portal) to *all* of their IP addresses. With v4 it's easy, they only have one address and it's the one they use to log into the captive portal. With dual stack they have at least two: v4 and v6, plus possibly v6 privacy addresses that change over time.
>> The only option seems to be identifying users by MAC address post-login, but that's still imperfect. With v4 you can use the DHCP lease table to tie MACs to IPs, but with v6 the best I can think of is monitoring the neighbor table. Has anyone come up with any better solutions?
> I can't say I've done it or encountered any packaged solutions, but if
> I were working on this, I'd take a serious look at shoehorning a bridge
> (even a single-device bridge) into the mix and doing MAC-based
> permissions via ebtables. (Under Linux, anyway; I'm not sure what
> approach I'd take under any other OS.)
> Not the most helpful, I realize, but it might be someplace to start.
MAC-based permissions will work fine (and I will probably do the authorization portion just like that), but that doesn't generate a log of IP addresses associated with that MAC. Not only do I have to make sure only authenticated users have access, I have to know which IP each user has, so we can tie any future abuse complaints back to the user.
We're probably going to be doing something almost entirely homegrown; it won't use RADIUS but will integrate with an existing in-house application, so we have lots of flexibility in implementation.
More information about the ipv6-ops