
Dual-stack IPv4/IPv6 captive portal

I'm wondering whether anyone has implemented a captive portal on a dual-stacked network, and whether they can provide any insight into the best way of going about it.


The problems:

- Networks are frequently routed with the proxy server on the border. This means the proxy doesn't get to see the client's MAC address, so captive portals have to work by associating the IP address with the user's credentials.

- In a dual-stacked environment, a client's requests come from both its IPv4 address and IPv6 address. Treating them independently of each other would lead to a bad user experience since the user would need to authenticate separately for each address.

- Where IPv6 privacy extensions are enabled, the client has multiple addresses at the same time, with the preferred address changing at regular intervals. The address rotation interval is typically quite long (e.g. 1 day) but the change-over between addresses will occur spontaneously with the captive portal not being informed in advance. Again, we don't want to auth each address individually.

- Captive portals often want to support WISPr to allow client devices to perform automated logins.


Possible solutions:

- The captive portal page could include embedded objects from the captive portal server's v4 and v6 addresses. This would allow the captive portal to temporarily link the addresses together and therefore link the authentication credentials to both. The portal would still have to work correctly when used from single-stacked devices. This also isn't going to work for WISPr clients since the client will never render the page when doing an automated login so we wouldn't expect any embedded objects to be requested.

- Using DHCPv6 instead of SLAAC to do the address assignment would disable IPv6 privacy extensions, which would be desirable in this case. However, many devices don't support DHCPv6.

- The DHCP and DHCPv6 servers know the MAC and IPv[46] address of each client and could cooperate with each other to link this data together. However, the proxy does not always have control of the DHCP/DHCPv6 servers.


--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
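
The embedded-object idea from the post, sketched as an added example (not code from the original message or from Squid): the portal page carries a short-lived random token in object URLs on its v4-only and v6-only hostnames, and each fetch binds the requesting source address to the session. The class and method names, the 30-second lifetime and the one-address-per-family limit are assumptions of this sketch; it does not cover WISPr logins or privacy-extension address rotation.

```python
import ipaddress
import secrets
import time

LINK_TTL = 30  # seconds a link token stays valid (assumed value)


class AddressLinker:
    """Links a client's IPv4 and IPv6 addresses to one portal session (hypothetical helper)."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._tokens = {}    # token -> (session_id, expiry, address families already linked)
        self._sessions = {}  # session_id -> set of address objects
        self._by_addr = {}   # address object -> session_id

    def issue_token(self, session_id):
        """Called when the portal page is rendered; the token is placed in the
        embedded object URLs on the portal's v4-only and v6-only hostnames."""
        token = secrets.token_urlsafe(16)  # unguessable, so it cannot be forged
        self._tokens[token] = (session_id, self._now() + LINK_TTL, set())
        self._sessions.setdefault(session_id, set())
        return token

    def object_fetched(self, token, src):
        """Called when an embedded object is requested from source address src."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        session_id, expiry, seen = entry
        addr = ipaddress.ip_address(src)
        # Reject expired tokens and a second address of the same family,
        # so a leaked token cannot attach additional hosts to the session.
        if self._now() > expiry or addr.version in seen:
            return False
        seen.add(addr.version)
        self._sessions[session_id].add(addr)
        self._by_addr[addr] = session_id
        return True

    def session_for(self, src):
        """Per-request lookup, e.g. from a proxy ACL helper keyed on client IP."""
        return self._by_addr.get(ipaddress.ip_address(src))
```

A single-stacked client fetches only one of the two objects and ends up with one linked address, so the same code path serves it.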
