Captive portal user fixed to MAC



  • Is it possible to create user account to access internet
    that is fixed to one MAC or IP address?

    for example

    user: jerry
    jerrys MAC: xx:xx:xx:xx:xx:xx / IP: xxx.xxx.xxx.xxx

    so jerry can log in only from devince with that MAc/IP



  • This is possible with a RADIUS server and Captive Portal.



  • @filip_pag:

    Is it possible to create user account to access internet
    that is fixed to one MAC or IP address?

    for example

    user: jerry
    jerrys MAC: xx:xx:xx:xx:xx:xx / IP: xxx.xxx.xxx.xxx

    so jerry can log in only from devince with that MAc/IP

    Do you mean that the access should only be allow if:
    Username + mac + IP are correct !?

    This cannot be done in just one step. I do not know any possibility to solve this in just one check.

    MAC <-> IP matching:
    enable DHCP and static MAC entry
    create a firewall rule for this IP which allows traffic and disallows other traffic from other IPs
    Enable Static ARP entries on DHCP

    for username/password check you can use different things:
    CaptivePortal
    Squid in non-transparent mode with user access

    Perhaps it will be possible with squid or CP and freeradius2 package as user backend.
    Setup a username/password entry in freeradius and add a custom "Check-Item" attribute for the client IP address. This will look like that:

    Framed-IP-Address == 192.168.10.125
    

    So if the NAS (CaptivePortal or Squid) send the "Framed-IP-Address of the host to the RADIUS than you can do a check against this attribute (Framed-IP-Address) and if the IP is wrong then the user will be rejected. You can do this with the MAC-Address, too if CaptivePortal or Squid is sending this:

    Calling-Station-ID == 00:11:22:aa:bb:cc
    

    But be careful, both attributes need to be CHECK-ITEMS and must not be REPLY-ITEMS to work !!!
    You can use both checks together, too.

    Hmm - if I read this again, then it could be possibly feasible to realize that in just one step  ;)


Log in to reply