Domain Names Instead of IPs



  • I'd like to set up a number of captive portal access points that centrally authenticate with a RADIUS server in my datacenter.

    Here is what I'm worried about.

    I'd eventually like to have a number of these out in the wild (hopefully, a large number). What if I change IPs of my RADIUS server? As it stands, since I have to use an IP address I'm going to be screwed. I'd have to log in to each box and update the IP addresses - BLAH…

    Isn't this one (of many) reason(s) why we have hostnames? If I used a hostname, I'd be fine (after DNS propagates, of course).

    So, I'd like to know what you all think of this "hack" I've tried in order to work around this issue:

    I've edited the following files:

    /etc/inc/captiveportal.inc
    /usr/local/www/services_captiveportal.php

    and

    /usr/local/www/services_captiveportal_ip_edit.php

    and I've made a few mods.

    In captiveportal.inc on line 227 I made this:

    $radiusip = $config['captiveportal']['radiusip'];

    look like this:

    $radiusip = gethostbyname($config['captiveportal']['radiusip']);

    I did the same thing with radiusip2 as well. Then I made line 719 go from this:

    fwrite($fd, $ipent['ip'] . "," . $ruleno ."\n");

    to this:

    fwrite($fd, gethostbyname($ipent['ip']) . "," . $ruleno ."\n");

    (So I could allow hostnames rather than just IP addresses).

    The neat thing about the gethostbyname() function is that if you pass it an IP, it just spits the IP right back (at least, from what I can tell) - so this shouldn't "break" anything already there, just allow you to add the ability to put in hostnames.

    Oh, and I commented out the checks that give you errors if you DON'T enter IP addresses (starting on line 122 in services_captiveportal.php and line 61 in services_captiveportal_ip_edit.php)

    So, here is what I'm curious about:

    1. Obviously, will this work as I expect?
    2. Will pfSense ever "update" values on its own (in other words, will pfSense have to be "reset" in some way for it to check for changes in the hostname's resolving IP addresses?)
    3. If the hostnames won't be looked up often, is there any way I can run a cronjob of some sort that will automate that?
    4. If this isn't the way I should be going, does anyone have any other ideas as to how I should prevent having to log in to each box and change the RADIUS server IP addresses for IP changes…?

    Thanks all!
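    Added example (not code from pfSense, m0n0wall, or the poster): a wrapper around the gethostbyname() substitution described above that handles the case the post leaves open, namely that PHP's gethostbyname() returns the unresolved hostname (not false) when lookup fails, and that records the last good address so a cron job can tell when the portal actually needs reloading. The cache path and the sample config values are assumptions; filter_var() needs PHP 5.2 or later.

```php
<?php
// Added example, not code from the pfSense or m0n0wall sources. It wraps the
// gethostbyname() substitution from the post so that two things the post
// leaves open are handled: (1) PHP's gethostbyname() returns the *unresolved
// hostname* on failure, not false, so the raw patch would write a hostname
// into the RADIUS setting or the allowed-IP file; (2) the address can change
// between lookups, so a periodic job needs to know when a reload is due.
// $cache_file is an assumed path, not one pfSense uses.

function resolve_cp_host($host, $cache_file)
{
    // IP literals pass straight through, as the post observes for gethostbyname().
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return array('ip' => $host, 'changed' => false, 'stale' => false);
    }
    $last_good = is_readable($cache_file)
        ? trim((string) file_get_contents($cache_file)) : '';

    $ip = gethostbyname($host);
    // Failure: the name comes back unchanged, or the result is not an IPv4
    // address. Keep the last address that worked instead of breaking auth.
    if ($ip === $host
        || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        syslog(LOG_WARNING, "captiveportal: lookup of $host failed, keeping '$last_good'");
        return array('ip' => ($last_good !== '' ? $last_good : null),
                     'changed' => false, 'stale' => true);
    }

    $changed = ($ip !== $last_good);
    if ($changed) {
        // Persist so the next cron run can tell whether rules must be regenerated.
        file_put_contents($cache_file, $ip . "\n", LOCK_EX);
        syslog(LOG_NOTICE, "captiveportal: $host now resolves to $ip (was '$last_good')");
    }
    return array('ip' => $ip, 'changed' => $changed, 'stale' => false);
}

// Cron-driven use: constructed config mirroring the $config['captiveportal']
// keys the post edits; a real job would load the live pfSense config instead.
$config = array('captiveportal' => array('radiusip' => 'radius.example.net'));
$r = resolve_cp_host($config['captiveportal']['radiusip'], '/var/db/cp_radius_ip.cache');
if ($r['ip'] === null) {
    // Never had a good answer: leave the running configuration untouched.
} elseif ($r['changed']) {
    // Regenerate the captive portal RADIUS setting / allowed-IP rules with $r['ip'] here.
}
```

    Running this from cron every few minutes answers questions 2 and 3 above: nothing is rewritten unless the resolved address differs from the cached one, and a failed lookup never replaces a working address.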



  • We currently try to stay in sync with m0n0's captive portal implementation. If you ever want to see these changes committed to the base system please bring up that discussion at the m0n0 mailing list or their forum (they now have one too). If we start adding/changing stuff we can't sync it over from m0n0 in case they introduce new features or fix bugs.



  • @hoba:

    We currently try to stay in sync with m0n0's captive portal implementation. If you ever want to see these changes committed to the base system please bring up that discussion at the m0n0 mailing list or their forum (they now have one too). If we start adding/changing stuff we can't sync it over from m0n0 in case they introduce new features or fix bugs.

    I fully understand that this might not be something you want to commit to the pfSense sources. I'm just curious if it works the way I hope it will :)

    If it does, I will probably bring it up on the m0n0 forum to see what the consensus is there as well.

    So, what do you think?



  • You really should discuss it over there. The guys who wrote this code can give comments on this much better than anybody here.



  • @hoba:

    You really should discuss it over there. The guys who wrote this code can give comments on this much better than anybody here.

    Okay, so I've had a posting on there [m0n0's forum] for two weeks now without any responses at all… I've even E-Mailed Manuel, also no response.

    Does anyone here have any idea if this would work the way I would expect and not break anything? I'm not trying to sound desperate, but I feel like I am... sigh



  • It was my understanding that the CP was [hopefully] a reciprocal sync between m0n0 and pfsense.  Is that not the case?

    nb



  • @buraglio:

    It was my understanding that the CP was [hopefully] a reciprocal sync between m0n0 and pfsense.  Is that not the case?

    That's correct. We do not do any innovation in this area.



  • And emailing Manuel is pointless, aside from the fact that emailing anybody when they all read the public forums and lists is impolite, he didn't write any of the CP code. I have not seen any of the CP developers on the m0n0wall forum, you should try the mailing list as that seems to be a much better resource still. For the most part, unless I answer your question on the forum, the list offers MUCH better knowledge level overall and reaches a much bigger audience.



  • You need to email Jonathan DeGruve or Lee Sharp (Sorry if the name is spelled incorrectly)
    Just use the mono-dev list
    I spoke to them before but they told me that DNS can be spoofed, hacked, etc., therefore it is not secure :-(

    I like DNS for radius though

