NoCatAuth Gateway Server Configuration
By Matt Gunter
November 19, 2003
Installation and Testing
The gateway server is the first step in creating your own NoCatAuth system.
Remember that you can have just one remotely located authentication server, but
your access points in the field will need to connect through a gateway server.
Hardware Requirements
Any PC or Server with a 486 processor or better
Two network interface cards (NICs); one for connecting to the AP, the other
to connect to your outside network.
A hard disk with at least 10GB
At least 256K of RAM
Software Requirements
RedHat 9.x Linux distribution with kernel version 2.4.x with iptables running.
You need iptables running so that your two NICs can communicate with each
other.
A copy of the nightly build
of NoCatAuth. Be aware that some nightly builds are flaky due to the project's open-source
nature. You may have to hunt around for a good copy. If you have trouble with
your version, add yourself to one or both of the NoCat mailing lists and ask the
helpful folks a question. You can also find the version we used via FTP.
You need to have a DHCP (Dynamic Host Configuration Protocol) server daemon running
on your machine. Sometimes DHCP can be served from your access point or another
server.
If you plan on setting bandwidth limits on a per-user basis, you will need
to have 'tc' installed on your server. This should come with RedHat 9.x. If
you do not have it or chose not to install it, get
a copy.
Optionally, you can install a local caching DNS (domain name service) server.
There are instructions on how
to install this online. You should have the option to install it when
you install RedHat 9.x from scratch.
Installation and Configuration of the Gateway
Throughout these instructions, you will need to be the root user so that you
have the correct permissions.
Download the nightly build from the NoCat Website referenced above. Place
it in a temporary directory on your gateway server (/tmp for example).
Go to the directory where you downloaded the file and uncompress the tarball.
For example, type: gunzip NoCatAuth-0.82.tar.gz
Then unpack the tarball by typing: tar xvf NoCatAuth-0.82.tar
Upon unpacking the tarball, a subdirectory in /tmp is created named 'NoCatAuth-nightly'
that contains all of the files you need for installing the gateway portion
of NoCatAuth.
Go to the 'NoCatAuth-nightly' subdirectory and type: make gateway.
This uses the temporary install files to install the full gateway server program
files in their respective locations. If you want to specify your own paths
for installation of program files, you will need to edit the file named 'Makefile'
found in the 'NoCatAuth-nightly' directory. This should only be done if you
are a high level Linux user because many problems can result. Please refer
to NoCat's own installation instructions in the file named 'install' found
in the 'NoCatAuth-nightly' directory for more detail.
With the gateway software now in its respective directories, you can now
customize the configuration file for your specific system and needs. To do
this go to the recently created /usr/local/nocat/ directory and edit the 'nocat.conf'
file. Inside the 'nocat.conf' file you will find helpful comments on how each
of the parameters affects the gateway server operation. The following parameters
need to be individually configured per your system:
InternalDevice: This is your NIC that will be communicating with your access point. In RedHat 9.x this will probably be set to 'eth0'.
ExternalDevice: This is your NIC that will be communicating with an external network (i.e. your DSL, cable, satellite, bridge, whatever). In RedHat 9.x this will probably be set to 'eth1'.
LocalNetwork: This will be the network address that your InternalDevice connects to. It can take the form of 192.168.0.0/255.255.255.0 or 192.168.0.0/24.
DNSAddr: If you do as we suggest and have a local caching DNS server on your gateway, then leave this option commented out. If you are not using a local DNS server, then make sure to specify the IP address of your external DNS server.
GatewayMode: This option allows you to toggle between an Open or a Captive type gateway. An Open gateway will display an HTML message specified in the SplashForm, while a Captive gateway requires the user to log in and implements the Auth system, which includes the exchange of encrypted keys to verify the user's identification. We suggest that you set it to Captive so that you have the benefit of a more secure system.
AuthServiceAddr, AuthServiceURL: These really depend on the way you structure your authentication server. They allow you to specify the remote auth server's address (yours or someone else's) or a local auth server of your own.
IncludePorts and ExcludePorts: These are set to restrict the use of certain ports that public users can access. If you specify IncludePorts, then only the ports listed will be allowed. You need to set one or the other, because if you set both, then NoCat will default to ExcludePorts.
GatewayName: This is the name that you want your users to see on the splash and status pages as being the name of your gateway.
LimitAverage: This is part of the downstream bandwidth control applicable to clients in the Public Class. This setting sets the average number of packets per second. Remember, to use this you must have 'tc' available on your server for the script to call upon.
Owners: This is a list of all local 'owner' users. List the users separated by spaces. Owners will receive unrestricted bandwidth on the network. You will want to put your login ID here.
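The parameter notes above imply a few checks that can be run against 'nocat.conf' before the gateway is started. The script below is an added example, not part of NoCatAuth or of the original article; it assumes each directive is written as a name, whitespace, then its value, that '#' starts a comment, and its function names and sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of NoCatAuth. Assumption: nocat.conf lines look like
# "Directive<whitespace>value" and a leading "#" marks a comment.
# conf_get FILE NAME: print the value of the last uncommented NAME line.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# check_nocat_conf FILE: print one finding per line; return 1 if any were found.
check_nocat_conf() {
    f=$1; bad=0
    mode=$(conf_get "$f" GatewayMode)
    int=$(conf_get "$f" InternalDevice); ext=$(conf_get "$f" ExternalDevice)
    inc=$(conf_get "$f" IncludePorts);   exc=$(conf_get "$f" ExcludePorts)
    if [ "$mode" != "Captive" ]; then
        echo "GatewayMode is '${mode:-unset}': users are not required to log in"; bad=1
    else
        for k in AuthServiceAddr AuthServiceURL; do
            if [ -z "$(conf_get "$f" "$k")" ]; then
                echo "$k is not set but GatewayMode is Captive"; bad=1
            fi
        done
    fi
    if [ -z "$int" ] || [ -z "$ext" ] || [ "$int" = "$ext" ]; then
        echo "InternalDevice and ExternalDevice must name two different NICs"; bad=1
    fi
    if [ -n "$inc" ] && [ -n "$exc" ]; then
        echo "IncludePorts and ExcludePorts are both set: NoCat defaults to ExcludePorts"; bad=1
    fi
    return $bad
}

# Constructed sample with three deliberate problems (not a real deployment).
write_sample_conf() {
    cat > "$1" <<'EOF'
# GatewayMode   Captive
GatewayMode     Open
InternalDevice  eth0
ExternalDevice  eth0
LocalNetwork    192.168.0.0/24
IncludePorts    22 80 443
ExcludePorts    25
EOF
}

sample=$(mktemp) && write_sample_conf "$sample"
check_nocat_conf "$sample" || echo "fix nocat.conf before starting the gateway"
rm -f "$sample"
```

Against your own file, call check_nocat_conf with the path to 'nocat.conf'; no output and a zero exit status mean none of these conditions were found.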
The Gateway installation and configuration are now complete. You are ready
to test the gateway server by itself. Please read further to verify the operation
of the Gateway.
Testing the Gateway
As long as you have followed the instructions above, you should have a working
gateway server. You will not really know it is working correctly until the authentication
server is also in place. Then you will have the ability to verify the interaction
of the two and see the whole process in motion.
To test the gateway:
Go to the '/usr/local/nocat/bin/' directory and type in: gateway
Upon running the gateway, verify that you see a message displayed similar
to the one below:
[%]# Resetting firewall
[%]# Binding listener socket 0.0.0.0
If you do see the above message or a similar message, you are ready to set
up an authentication server to complete the NoCatAuth system. If you are not
creating your own auth server, then make sure the AuthServiceAddr and AuthServiceURL
parameters in your 'nocat.conf' file correctly reference the external auth
server you are borrowing from someone else. If they are set, then you have
a complete system. Please refer to the Authentication Server installation
and configuration tutorial on how to test the system in its entirety.
If you do not see the above message, please review our instructions and
then refer to the 'install' document file under the 'NoCatAuth-nightly' directory.
Your gateway may not be working for a number of reasons (different operating
system, wrong paths, etc). If you are not running RedHat 9.x then you may
not have the proper supporting programs in place or in the needed directories.
The 'install' file covers procedures if you are using an operating system
other than RedHat 9.x or if you have custom configured your paths in some
way. If there is enough demand for NoCatAuth installation instructions for
other Linux distributions we can go to the lab, do some testing, and write
the instructions specifically for those.
To automate the operation of your NoCatAuth gateway server, you may want
to place it in your bootup script. To do this, look at the '/usr/local/nocat/etc/nocat.rc'
script. Copy it into '/etc/rc.d/init.d'. After that you can either add
a call in your 'rc.local' or symbolically link (symlink) it to your runlevel
3, whichever you are comfortable with. You can perform a symlink by typing
in something like: ln -s /etc/rc.d/init.d/nocat.rc /etc/rc.d/rc3.d/S99nocat
Congratulations. You have your NoCatAuth Gateway Server running.
Stay tuned for how to install and configure your NoCatAuth Authentication Server.
References and Credits
1) No Cat Net
2) All of the kind folks on the two NoCat mailing lists
3) The open source community
4) John-David Henderson, Goose Creek Communications, Inc.
5) Flickenger, Rob. Building Wireless Community Networks. Sebastopol: O'Reilly & Associates, Inc, 2002.
6) NoCatNet Digest
7) Nate Davis from Salt Lake City, Utah
8) Atanu from India (chatted over the net)