A "captive portal" style network authorization system.
Copyright 2009 The University of Wisconsin Board of Regents
written by: Dale W. Carder
email: "dwcarder on a server called doit.wisc.edu" http://net.doit.wisc.edu/~dwcarder
Network Services Group of the Division of Information Technology at the University of Wisconsin at Madison
Feel free to try it out, let me know how things go for you. Please
email me if you have any questions/comments, etc.
We are currently running 1.01 on our production fleet of
14 captivator firewalls serving thousands of unique wireless users.
As always, bug fixes, contributed code, etc are accepted. All bugs written by me.
Changes from version 1.0 to 1.01 include a sysv style init script, better database schema,
radius accounting, and web page templates. 1.01 also includes hooks to include a more granular approach
to authentication and authorization.
Changes from version 0.99rc3 to 1.0 include setting syslog facility name, and including a basic admin cgi script to query sql data as part of the distribution.
Changes from version 0.99rc2 include, runs in perl taint mode and does better input validation.
Changes from 0.99rc1 include distribution cleanup, better config file and init system. No change in main logic.
Changes from 0.98 include two bugfixes: detecting users who are logged in twice, and the addition of expiring all users off the system.
Installation instructions for captivator
Browse the release
Even More Documentation
System overview diagram
Origional design document
Example of setting up Linux trunking and bridging
Example of setting up Linux layer 2 firewaling.
Example of setting up Linux firewall rules for Captivator-gw management and redirection.
Example of setting up Apache for Captivator-gw.
My design requirements for our campus-wide wireless service.
We looked at vendor solutions. They were not innovative, didn't support features we needed, had shoddy implementations (this is 2005 folks, we're not going to run DVMRP, nor do we allow our packets to flow through anything without SNMP) , needed work for integration into our systems though their strange API's, and they all cost way too much for what you get (espeicially for stupid head-end boxes which is just yet another thing the NOC has to deal with).
We were looking at deploying this service on about 180 networks (each one is a vlan), basicly one per building. Based on geographical and fiber plant constraints we would need to deploy at 13 sites. Take the vendor pricing, multiply by 13, and see for yourself if the vendor solutions are worth it for you. We were happy to save taxpayers the money.
We needed a layer-2 solution so we can continue to support complex protocols like multicast without dealing with routing on linux. We wanted some decent reporting tools that we can develop and integrate into our systems. We wanted a system that can support ipv6 in the near future, as well as whatever else we'll cook up (see the futures list). Thus, Captivator-gw was born.