A "captive portal" style network authorization system.
Copyright 2009 The University of Wisconsin Board of Regents
written by: Dale W. Carder
email: "dwcarder on a server called doit.wisc.edu" http://net.doit.wisc.edu/~dwcarder
Network Services Group of the Division of Information Technology at the University of Wisconsin at Madison
Feel free to try it out, let me know how things go for you. Please
email me if you have any questions/comments, etc.
We are currently running 1.01 on our production fleet of
14 captivator firewalls serving thousands of unique wireless users.
As always, bug fixes, contributed code, etc. are accepted. All bugs written by me.
Changes from version 1.0 to 1.01 include a sysv style init script, better database schema,
radius accounting, and web page templates. 1.01 also includes hooks to include a more granular approach
to authentication and authorization.
Changes from version 0.99rc3 to 1.0 include setting syslog facility name, and including
a basic admin cgi script to query sql data as part of the distribution.
Changes from version 0.99rc2 include running in Perl taint mode and better input validation.
Changes from 0.99rc1 include distribution cleanup, better config file and init system. No change in main logic.
Changes from 0.98 include two bugfixes: detecting users who are logged in twice, and the addition of expiring all users off the system.
Installation instructions for captivator
License
Browse the release
More Documentation
Even More Documentation
Download captivator-1.01.tar.gz
System overview diagram
Original design document
Example of setting up Linux trunking and bridging
Example of setting up Linux layer 2 firewalling.
Example of setting up Linux firewall rules for Captivator-gw management and redirection.
Example of setting up Apache for Captivator-gw.
My design requirements for our campus-wide wireless service.
We looked at vendor solutions. They were not innovative, didn't support features we needed, had shoddy implementations (this is 2005, folks; we're not going to run DVMRP, nor do we allow our packets to flow through anything without SNMP), needed work for integration into our systems through their strange APIs, and they all cost way too much for what you get (especially for stupid head-end boxes, which are just yet another thing the NOC has to deal with).
We were looking at deploying this service on about 180 networks (each one is a VLAN), basically one per building. Based on geographical and fiber plant constraints we would need to deploy at 13 sites. Take the vendor pricing, multiply by 13, and see for yourself if the vendor solutions are worth it for you. We were happy to save taxpayers the money.
We needed a layer-2 solution so we can continue to support complex protocols like multicast without dealing with routing on Linux. We wanted some decent reporting tools that we can develop and integrate into our systems. We wanted a system that can support IPv6 in the near future, as well as whatever else we'll cook up (see the futures list). Thus, Captivator-gw was born.