mirror of https://github.com/iiab/iiab.git synced 2025-02-12 11:12:06 +00:00
iiab/roles/captiveportal
2020-01-22 12:26:55 -06:00
defaults bring cp changes on top of current HEAD 2020-01-02 06:08:57 -08:00
files make the home_selected ajax call async:false 2020-01-02 06:09:00 -08:00
tasks move log directory 2020-01-22 12:26:55 -06:00
templates move log directory 2020-01-22 12:26:55 -06:00
README.md windows7 works 2020-01-02 06:15:58 -08:00

Theory of Operation

  • The captive portal function is a feature of most modern operating systems. With the increased use of HTTPS/SSL (Secure Sockets Layer), automatically diverting a client to a specific web page runs the risk of being detected as a "man in the middle" attack.
  • Each operating system (OS) provides a mechanism that IIAB can use to break into a conversation when SSL is not being used: an initial attempt by the OS to talk to one of its own web sites, to determine whether the host OS is connected to the Internet. This check is always performed without SSL.
  • The IIAB captive portal uses a list of these OS-supported web sites and diverts these requests to the IIAB server, which in turn forwards them to the IIAB home page.

Components of the IIAB Captive Portal

  • Files used
    1. checkurls -- the list of URLs used by at least one of the OSes.
    2. iiab-divert-to-nginx -- Bash script that writes a dnsmasq config file pointing to the IIAB server
    3. iiab-make-cp-servers.py -- Python script writes nginx configuration file to /etc/nginx/sites-enabled
    4. capture-wsgi.py -- the script which determines the client agent, records it in sqlite database, and responds with redirects as appropriate for each OS.
    5. uwsgi-captiveportal.service -- systemd unit file which runs uwsgi which makes capture-wsgi.py available on port 9090.

Extending and Debugging Captive Portal

  • The Python capture script can be run interactively in a terminal (use systemctl stop uwsgi-captiveportal to free up the port). This will expose any Python errors easily.
  • Run capture-wsgi.py with "-l" in a terminal to increase logging to /var/log/apache2/portal.log
  • To discover untrapped URLs, run "apt-get install tcpdump" and then "tcpdump -i br0 -w capture.tcp". I transfer this file to a machine with a GUI, and use Wireshark to interpret the conversations on the wire. The DNS packets are the ones to look for.
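
An added example (not part of the IIAB code) that automates the DNS step above: it takes the text output of `tcpdump -n -r capture.tcp port 53` and reports queried hostnames that the checkurls list does not cover. The checkurls format (one URL or bare hostname per line, `#` for comments) is an assumption, and the sample list and capture lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# A DNS question in tcpdump's text output looks like "4243+ A? www.example.org. (33)".
QUERY_RE = re.compile(r"\b(?:A|AAAA)\?\s+(\S+)")

def hosts_from_checkurls(lines):
    """Hostnames in a checkurls-style list (assumed: one URL or host per line)."""
    hosts = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()   # assumed comment syntax
        if not line:
            continue
        # urlsplit() only fills .hostname when the text contains "//"
        host = urlsplit(line if "//" in line else "//" + line).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def untrapped_hosts(tcpdump_lines, checkurls_lines):
    """Map each queried name missing from checkurls to its query count."""
    trapped = hosts_from_checkurls(checkurls_lines)
    seen = Counter()
    for line in tcpdump_lines:
        match = QUERY_RE.search(line)
        if match:   # default-verbosity responses carry no "A?" and are skipped
            seen[match.group(1).rstrip(".").lower()] += 1
    return {host: n for host, n in seen.items() if host not in trapped}

# Constructed sample data: not IIAB's real checkurls, not a real capture.
CHECKURLS = [
    "# probes already diverted",
    "http://captive.apple.com/hotspot-detect.html",
    "connectivitycheck.gstatic.com",
]
CAPTURE = [
    "12:00:01.10 IP 172.18.96.23.40112 > 172.18.96.1.53: 4242+ A? connectivitycheck.gstatic.com. (47)",
    "12:00:01.11 IP 172.18.96.1.53 > 172.18.96.23.40112: 4242 1/0/0 A 172.18.96.1 (63)",
    "12:00:02.40 IP 172.18.96.31.51520 > 172.18.96.1.53: 4243+ A? www.msftconnecttest.com. (41)",
    "12:00:02.41 IP 172.18.96.31.51520 > 172.18.96.1.53: 4244+ AAAA? www.msftconnecttest.com. (41)",
    "12:00:03.70 IP 172.18.96.40.38011 > 172.18.96.1.53: 4245+ A? Captive.Apple.com. (35)",
    "12:00:04.90 IP 172.18.96.52.60233 > 172.18.96.1.53: 4246+ A? detectportal.firefox.com. (42)",
]

if __name__ == "__main__":
    for host, count in sorted(untrapped_hosts(CAPTURE, CHECKURLS).items()):
        print(f"{count:3d}  {host}")
```

Hosts that appear in the result are candidates for adding to checkurls; names queried by many different clients shortly after association are the most likely OS connectivity probes.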

Known Problems

  1. On Android 5-7, the browser which is brought up, during the association process, is a 'walled garden' and I cannot find a way out. This browser is not very modern, and continuously displays the "sign in to Wi-Fi network" button -- with an annoying beep.