Zeroshell Linux: Captive Portal, Internet Gateway and Router (Part 3)
Setting up the Captive Portal
May 18, 2009
Last month we discovered ZeroShell (part 1, part 2), a multi-purpose LAN server that you can run from an open source Live CD on an old PC. After doing the initial setup in Part 1, we configured the RADIUS server for 802.1X/PEAP authentication in Part 2. This way we could configure our wireless access points (APs) to run enterprise-level Wi-Fi encryption. We played around with the AP features of ZeroShell in the second part as well.
Now we're going to experiment with the captive portal functions, in case you want to offer public Internet access. Plus we'll figure out how to get ZeroShell to take over the routing and DHCP functions of your network, so you can get rid of your off-the-shelf router. Let's get started!
Setting up the Captive Portal
As briefly mentioned, you might want to use ZeroShell's captive portal feature if you want to offer managed Internet access to the public. We'll go through the steps of setting this up for a simple system. By simple, I mean you'd have to manually input the usernames and passwords of the hotspot users into ZeroShell, though you can give people the same details if desired. Additionally, you can't completely customize the portal or login page users will see, but you can customize portions of it. Figure 1 shows an example.
If you require a more complex system, such as full customization, self-registration, or fee-based access, you can look into doing remote authentication.
Here's how to start captivating your users:
- On the ZeroShell web-based GUI, click the Captive Portal link on the menu. Figure 2 shows an example of the Captive Portal page.
- For the Mode, select Bridged, and then for the Interface, select the adapter that the hotspot users are going to connect to, and click Save.
- For the Simultaneous Connections option, under the Gateway Parameters, select Not Allowed if you are giving users unique accounts, and click Save. This ensures only one connection per user at a time, preventing users from sharing their login details. However, if you need to allow simultaneous connections, such as when giving users the same username and password to log in, you should keep this option set to Allow.
- If you want to add additional Free Authorized Services to the list, so users can use additional ports/IP addresses before logging in, click the plus sign. This is useful if you have some sort of server or application you want you or your users to be able to access before logging in. For example, you could add ports 80 and 443 for ZeroShell's IP address, so you don't have to log in to access the web-based GUI. Additionally, you could add the IP address of a website (with port 80) to allow free access to it. But remember, the website must be configured with a static IP address. Plus, bigger sites, such as Google, use multiple IPs.
- If you want specific computers to bypass the captive portal, such as your PC, choose Clients on the Free Authorized section, click the plus sign, enter the MAC (physical) address of your computer's network adapter, and click OK.
- If you are only offering free access, you probably want to disable HTTPS (SSL encryption) for the captive portal page. Click the Authentication tab (see Figure 3) and, in the X.509 section, mark the Do not use HTTPS checkbox, and then click Save.
This prevents users from being "warned" by their browser that the captive portal page isn't using a trusted certificate. Though users can proceed to the portal page when they get this error, it will likely confuse them. If you want to use encryption on the portal page, it's best to replace the default self-signed certificate on the ZeroShell machine with one purchased from a third party that's supported by browsers.
- Finally, to start captivating, mark the checkbox next to GW (gateway) on the top of the page.
Now, if everything runs smoothly, users should be prompted to log in with a username and password you've created before they can use the Internet.
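
The static-IP caveat in the Free Authorized Services step can be checked before you add a website by IP address. The Python sketch below is an added example, not part of ZeroShell or the original article; the function names, hostnames and addresses are constructed for illustration. It resolves a hostname several times and reports whether one entry is enough, every address must be added, or the addresses rotate.

```python
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

def system_resolver(host: str) -> List[str]:
    """IPv4 addresses the local resolver returns for host (live lookup)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_free_service(host, ports, resolver=system_resolver, rounds=3) -> dict:
    """Resolve host several times and judge whether IP-based entries will hold."""
    answers = [frozenset(resolver(host)) for _ in range(rounds)]
    seen = sorted(set().union(*answers), key=socket.inet_aton)
    if not seen:
        verdict = "unresolved: nothing to add"
    elif len(set(answers)) > 1:
        verdict = "rotating: answers changed between lookups, entry will go stale"
    elif len(seen) > 1:
        verdict = "multiple: add every address"
    else:
        verdict = "ok: one static address"
    # One (IP, port) pair per row you would enter in the Free Authorized Services list.
    entries = [(ip, port) for ip in seen for port in ports]
    return {"host": host, "verdict": verdict, "entries": entries}

def constructed_resolver(table: Dict[str, List[List[str]]]) -> Resolver:
    """Fake resolver for offline use: cycles through constructed answers per host."""
    calls: Dict[str, int] = {}
    def resolve(host: str) -> List[str]:
        i = calls.get(host, 0)
        calls[host] = i + 1
        return table[host][i % len(table[host])]
    return resolve

# Constructed sample data (reserved .example names, documentation address ranges).
SAMPLE = {
    "intranet.example": [["192.0.2.10"]],
    "portal.example": [["198.51.100.7", "198.51.100.8"]],
    "cdn.example": [["203.0.113.5"], ["203.0.113.77"], ["203.0.113.5"]],
}

if __name__ == "__main__":
    fake = constructed_resolver(SAMPLE)
    for name in SAMPLE:
        print(check_free_service(name, [80], resolver=fake))
```

Drop the `resolver=` argument to query real DNS from a machine on the same network as the ZeroShell box.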