guanxi and wireless authentication

Mon, Feb 21, 2005

The scenario

UHI user visits the eggheads at SMO, who have a wireless network. The user, after a long day having his brain cooked by the SMO boffins decides he wants to check his email using the Groupwise web client, as he doesn’t have the mail client on his laptop. So, he powers up the machine and connects to the SMO wireless network.

Here’s the logical flow: Wireless Guanxi

Now, the wireless network is serviced by a firewall running on a Linux machine. Upon initial connection, the laptop is assigned a DHCP address and all traffic from that laptop is NATted to port 80 on the firewall.

The only thing on port 80 is a web service, whose only function is to take the REMOTE_HOST of the connection, find out it’s MAC address, enable it in the iptables rules on the firewall and remove the NAT. Thus allowing traffic from that MAC address to flow freely.

The web services is protected by a standard Shibboleth target, which, when it detects access to the web service intitiates a shibboleth session and the user is redirected to the UHI institutional authentication page.

After successfully authenticated, the user is redirected by Shibboleth back to the web service on the firewall which uses their REMOTE_HOST to get their MAC address and let them through the firewall. The NAT is also removed so they can roam freely on the network.

The firewall can set a TTL on the entry based on attribute TTLs coming back from the attribute store when they authenticate

comments powered by Disqus