Build a Secure Wireless Portal with Linux
March 17, 2006
You might be offering free wireless network access with the best of intentions, but not everyone connecting can say the same. With Linux and the right wireless portal software, you can rest easier.
Ever since wireless Ethernet was born, a sizable number of folks decided that it should be freely available to the masses at no cost. So we have official community wireless projects, coffee shops, hotels, and other businesses supplying free wireless Internet, and a lot of purposefully-unsecured private wireless networks.
Humans being what they are, admins of open wireless networks should be canny and careful. In these modern times you can be punished for what other people do, no matter how tangential your connection to them. Presumably most folks would prefer not to go to jail because someone downloaded child porn over their wireless link, or spewed forth spams, or published information displeasing to corporate types. It's a good idea anyway to have some controls in place to curb un-neighborly behavior, like bandwidth- and time-hogging.
Instant Wireless Communities
There are a number of specialized applications for building wireless portals. The grandmommy of them all is NoCatAuth. NoCatAuth was designed to simplify and control the administration of public wireless portals. NoCatAuth creates a "captive portal", which means users cannot enter your network until they follow a few steps on your NoCatAuth Web page. The lowest level of access is "Public." A login is not required; users who wish simply to connect without hassles can skip the login, and are then granted the fewest network resources. The "Co-op" and "Owner" classes of members are required to log in and authenticate, and are granted more network privileges.
NoCatAuth manages security most ingeniously. It wisely bypasses 802.1X security entirely, which is still in a state of flux and chaos, because lots of old network devices are still in use that support nothing stronger than WEP, which is about as secure as putting the key under the mat. Instead it creates an open access point, then hands off all access controls and authentication to your nice, strong Linux gateway. The only access controls on the NoCatAuth device itself are provided by a dynamic iptables firewall. By offloading the heavy-duty work to other servers, you have a lot of flexibility and power at your disposal, and much better security than you'll find in the world of wireless security protocols. You can use any authentication server, and use all the usual Linux tools for firewalling, monitoring, bandwidth shaping, and so forth. In fact NoCatAuth isn't limited to wireless access points; you can use it on wired networks too.
Neurally Implanted Phones
I digress briefly to make a prediction: in not too many years, wireless VoIP phones will be all the rage, or even implanted in people's heads, with the antenna fashionably masquerading as hairpins or stylish barrettes, yes, even on men, so your public access point will enable yet more pointless public phone yakking. If the people of the future even use telephones for talking.
An offshoot of NoCatAuth is NoCatSplash. This is a slimmed-down version for small-capacity embedded devices that doesn't do much more than display a splash screen that identifies your network, and redirects users to other Web pages.
Pebble Linux is a miniature wireless AP-ready Linux designed to run on embedded devices like Soekris boards and old feeble PC hardware. It's too big for OpenWRT-type devices, but that's OK because Pebble Linux is versatile and easy to use. If you don't want to buy a Soekris or mini-ITX board, Pebble runs great on ordinary old PC hardware, even a 486. It's Debian-based, so it is easily modified with the usual Debian utilities and software repositories.
While NoCatAuth is probably the most famous captive portal, it's not being actively developed anymore. It still works fine, and there is an active user community, but the devs seem to have stuck a fork in it and pronounced it done. My current favorite is WiFiDog. It's tiny, around 30K, and is completely self-contained with no dependencies.
Like NoCatAuth, WiFiDog acts as a doorkeeper, and delegates the heavy cryptography and authentication work to your regular authentication server and the user's Web browser. The WiFiDog portal never sees any passwords, but exchanges single-session tokens with the authentication server. The one weak point is that MAC address spoofing is possible, but this is common to all open wireless networks. Someday, in the far distant future when WPA is universally implemented, and all antique network devices are retired, MAC spoofing will be a thing of the past. Since you're operating an open network, and presumably not sharing this nice open network with your top-secret super-sensitive private network, this shouldn't be a critical problem anyway.
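The doorkeeper design described under NoCatAuth above, together with the IP/MAC binding caveat just mentioned, as an added example that is not NoCatAuth's or WiFiDog's own code: a minimal dynamic iptables firewall in which the gateway forwards nothing for a client until the authentication server has vouched for it. Interface names, addresses, the portal port and the chain names are assumptions.

```shell
#!/bin/sh
# Dynamic iptables "doorkeeper" for an open access point, in the style of the
# NoCatAuth/WiFiDog design (added example, not their code).
# Assumptions: WIFI_IF is the open wireless interface and PORTAL_IP:PORTAL_PORT
# is the login page on the gateway. IPT defaults to "echo iptables" so the rules
# can be reviewed as a dry run; set IPT=iptables and run as root to apply them.
IPT=${IPT:-echo iptables}
WIFI_IF=${WIFI_IF:-wlan0}
PORTAL_IP=${PORTAL_IP:-10.0.0.1}
PORTAL_PORT=${PORTAL_PORT:-8080}

portal_init() {
  # Per-client rules live in their own chains, so they can be inserted and
  # deleted one at a time without disturbing the static rules after them.
  $IPT -t nat -N PORTAL_AUTH
  $IPT -N PORTAL_FWD
  $IPT -t nat -A PREROUTING -i "$WIFI_IF" -j PORTAL_AUTH
  $IPT -A FORWARD -i "$WIFI_IF" -j PORTAL_FWD
  # Clients not accepted above get their web requests redirected to the login
  # page and nothing else forwarded: the "Public" class starts with no access.
  # (DHCP and DNS served by the gateway itself arrive on INPUT, not FORWARD.)
  $IPT -t nat -A PREROUTING -i "$WIFI_IF" -p tcp --dport 80 \
       -j DNAT --to-destination "$PORTAL_IP:$PORTAL_PORT"
  $IPT -A FORWARD -i "$WIFI_IF" -j DROP
}

# The portal learns IP and MAC from an untrusted client; check them before
# they reach an iptables command line. IPv4 only (assumption).
valid_client() {
  hx='[0-9a-fA-F][0-9a-fA-F]'
  case $1 in *[!0-9.]*|"") return 1;; esac
  case $2 in $hx:$hx:$hx:$hx:$hx:$hx) ;; *) return 1;; esac
}

portal_allow() {   # call only after the auth server has vouched for the client
  valid_client "$1" "$2" || return 1
  # Match IP and MAC together: the gateway holds no password, only the auth
  # server's verdict and this binding. As noted above, a forged MAC on an open
  # network can still get past it, so pair it with idle timeouts and revocation.
  $IPT -t nat -I PORTAL_AUTH 1 -s "$1" -m mac --mac-source "$2" -j ACCEPT
  $IPT -I PORTAL_FWD 1 -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

portal_revoke() {  # on logout, token expiry or idle timeout
  valid_client "$1" "$2" || return 1
  $IPT -t nat -D PORTAL_AUTH -s "$1" -m mac --mac-source "$2" -j ACCEPT
  $IPT -D PORTAL_FWD -s "$1" -m mac --mac-source "$2" -j ACCEPT
}
```

An ACCEPT inside the user-defined chains ends traversal of PREROUTING and FORWARD respectively, so an authorized client skips both the DNAT redirect and the final DROP; running `portal_init; portal_allow 10.0.0.42 00:11:22:33:44:55` prints the rules that would be applied.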
Building a Wireless Access Point
Your WAP needs to be a standalone device, connected via an Ethernet bridge to your network gateway/firewall, running no services except maybe DHCP. You'll need an Ethernet NIC and a wireless NIC, hopefully one that takes a decent-quality antenna. A good antenna makes all the difference for signal quality, though many users get acceptable performance by placing their WAP in a favorable location, like on a high shelf.
Finding a supported wireless NIC is probably the hardest part, since wireless vendors can't seem to understand that we Linux (and Unix and Mac OS X) customers (and no, I will not stop complaining until you wireless vendors change your misguided ways) want to buy their products, and in fact already do buy them, and go to heroic lengths to make the darned things work. 802.11b is easy; there are many Linux-supported 802.11b chipsets. Getting the higher-speed 802.11a/g is more difficult. Not only must the chipsets have Linux drivers, the drivers must also be able to run in Master mode. These chipsets will do the job:
Prism 2/2.5/3 802.11b, HostAP driver
Atheros 802.11a/b/g, Madwifi driver
Prism54 802.11b/g, Prism54 driver
There is a new wrinkle in wireless radio chipsets: "newmac" or "softmac" chips. Oh joy: these use software to do what used to be the job of the hardware, which naturally translates to "winchips." Beware the new generation of Prism radio chipsets; see the Prism54 website for details, and Build A Linux-Based Wireless Access Point, part 2 for more on finding supported wireless NICs.
In a nutshell, building a good strong secure public wireless portal is pretty easy, once you locate supported wireless hardware.