
Re: Dual-stack IPv4/IPv6 captive portal


 



On 27.02.15 17:00, Michele Bergonzoni wrote:

This is true for v6 if the client uses its MAC as an identifier,
which it's not supposed to do and last time I checked was not true
for Windows, or if clients or DHCP relays support RFC6939, which is
quite new. See for example:

https://lists.isc.org/pipermail/kea-dev/2014-June/000043.html

Oh, interesting - I hadn't realised that.

Have you thought about engineering your captive portal with a dual
stack DNS name (having both A and AAAA), a v4 only and a v6 only, and
having your HTML embed requests with appropriate identifiers to
correlate addresses? Of course there are HTTP complications and it is
not perfect, but I guess that as long as it's a captive portal,
kludginess cannot decrease below some level.

That was one of my options. However, it won't work in the case of WISPr auto-logons because the page wouldn't be rendered by the client, so you wouldn't expect it to fetch embedded bits either.

I am really interested to hear what people are doing in the field of
squid-powered captive portals, even more when interoperating with
iptables/ip6tables.

At the moment, we've written a hybrid captive portal/http-auth system. Essentially, we use HTTP proxy auth where we can and a captive portal where we can't. HTTP proxy auth is preferable because every request gets authenticated individually and we can use Kerberos. Unfortunately a lot of software doesn't support it properly (I'm looking at you, Apple and Google, although everyone else is getting pretty bad at it too) and it also can't be used for transparent proxying (and again, a lot of software just doesn't bother to support proxies these days, and it's only getting worse). So we use the user-agent string to try and identify the clients we can safely authenticate, and the rest rely on cached credentials or captive portal.

Yes, it's a horrible bodge, but unfortunately that's where modern software is driving us. :( For iOS and Android you can pretty much forget using pure HTTP proxy authentication. Luckily iOS can use WISPr to automatically log into a portal; sadly, vanilla Android still doesn't include a WISPr client (I'd put money on this being down to patents!).


--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx
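
The dual-stack correlation idea quoted in this message (a portal page that embeds requests to a v4-only and a v6-only name, each carrying an identifier) can be illustrated as follows. This is an added example, not code from the thread or from either poster; the HMAC-signed token format, the TTL, the dot-free session ids and the names `issue_token`, `verify_token` and `Correlator` are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-portal signing key (assumption)
TOKEN_TTL = 120                    # seconds a beacon token stays valid (assumption)

def _mac(session_id, ts):
    return hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, now=None):
    """Token the portal page embeds in its v4-only and v6-only beacon URLs."""
    ts = str(int(time.time() if now is None else now))
    return f"{session_id}.{ts}.{_mac(session_id, ts)}"

def verify_token(token, now=None):
    """Return the session id if the token is authentic and fresh, else None."""
    try:
        session_id, ts, mac = token.split(".")
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode()):
        return None   # forged or altered: a client cannot name another session
    if not 0 <= age <= TOKEN_TTL:
        return None   # stale: limits replay of a captured beacon URL
    return session_id

class Correlator:
    def __init__(self):
        self.sessions = {}   # session id -> {4: addr, 6: addr}

    def beacon(self, vhost_family, src, token, now=None):
        """Record a beacon hit; return the (v4, v6) pair once both are known."""
        session_id = verify_token(token, now)
        if session_id is None:
            return None
        addr = ipaddress.ip_address(src)
        # Only count a hit whose source family matches the single-stack name.
        if addr.version != vhost_family:
            return None
        seen = self.sessions.setdefault(session_id, {})
        seen.setdefault(addr.version, str(addr))   # first hit wins, no rebinding
        if 4 in seen and 6 in seen:
            return seen[4], seen[6]
        return None
```

As the reply points out, a WISPr auto-logon client never renders the page, so neither beacon arrives and the session stays single-family.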