The answer to that is an Untangle app for iPhone/Droid/Blackberry, not a manipulation of MAC addresses.
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com
UntangleAppliances.com
Phone: 866-794-8879
Where am I saying that one should manipulate MAC addresses?
Umm... post 3 on?
Okay, English isn't my native language so I'll try again.
The Untangle internal interface and the clients are on the same network. In other words, they use layer 2 (MAC addresses) to communicate. A MAC address is a unique 12 byte identifier (12 hex digits) where the first 6 are the OUI (Organizationally Unique Identifier), which is unique to one manufacturer (one manufacturer usually has more than one OUI).
The Linux OS holds an ARP table with MAC addresses and IP addresses, so there is a "database" to look up MAC vs IP. If I were to exclude hosts based on IP, I could (as far as I've read) say 10.0.0.* to exclude all IPs starting with 10.0.0. With MAC addresses I could exclude 00-00-00* and allow all Xerox MAC addresses starting with 00-00-00.
As I've hopefully tried to explain, I'm not trying to manipulate MAC addresses. I'm just trying to use them as a way to group similar equipment.
Right, and Untangle is a layer 7 device with minimal layer 3 features and almost no layer 2 features.
Translation: Untangle's layer 3 features are weak, and by extension its layer 2 features are all but non-existent.
When you add to that the fact that MAC-level control is usually a management nightmare... well, the drive to add those features isn't on the front burner.
This means you have to use IP addressing to control your devices. And in all likelihood will be forced to do so for the foreseeable future.
The best solution would be a login app that replaced the Windows script and integrated with the CP / Directory Connector. That is, once the Directory Connector is appropriately enhanced to automatically bypass users that are already logged in. An app that ran on the phones/desktops/laptops to do all that would be simple, but it isn't going to be built overnight.
With the features we have now, you have no choice but to do things via IP address. If you have an entire family of devices, I suggest you look into how to configure your DHCP server to pass out a special DHCP scope to a MAC range. It's possible using many DHCP services including the DNSMasq service built into Untangle. It's a technique commonly used by VoIP phone provisioning systems, to hand out boot server directives to specific devices.
Instead you're using that to hand out a subset of your DHCP scope to a list of specific hardware devices, then you're free to exempt that scope.
Or you add an interface to Untangle and configure a separate wireless network to be used by only the phones and move on. Personally I don't see your users really using the wireless much, my users all jump over to the cellular connection at the first block page.
It's a management nightmare if you control all MAC addresses and not OUIs.
I think you guys might run into a development nightmare if you're going to make one app for every cellphone OS with WLAN support. If you managed to do this it would probably kick ass and leave the others biting the dust.
Yes. I've kinda figured out that I'm stuck with IP exclusions. Handing out a scope of IPs based on OUIs is something I haven't even thought about or seen done before, but it's well worth looking into. Guessing the M$ guys at work will be pissed when their DHCP server probably just isn't doing the job anymore!
Yeah, I'm not even sure where to start on MS's DHCP. Untangle's DNSMasq service is just easier in these regards... but I assume it can be done. I know you can have multiple Scopes on a single segment with MS DHCP, and obviously it has to be MAC-level filtered or it won't know what address to give out where...
A scope per phone mfg doesn't sound too bad to deal with, it's just the learning curve of getting the service to do it.
Of course, we all know what happens when you assume.
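The "DHCP scope per OUI" approach discussed in this thread, as an added example that is not part of any post: a small generator for dnsmasq's `dhcp-mac` (wildcard MAC to tag) and tagged `dhcp-range` options, which also rejects pools that overlap, since an overlapping pool would make an IP-range exemption cover unintended hosts. The function names, tag name, pool addresses and lease time are constructed for illustration; only the 00-00-00 prefix and the 10.0.0.* network come from the thread.

```python
"""Added example: build dnsmasq lines that give each OUI group its own DHCP pool."""
import ipaddress
import re


def oui_to_pattern(oui: str) -> str:
    """'00-00-00', '00:00:00' or '000000' -> dnsmasq wildcard '00:00:00:*:*:*'."""
    digits = re.sub(r"[-:.\s]", "", oui).lower()
    if not re.fullmatch(r"[0-9a-f]{6}", digits):
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4)) + ":*:*:*"


def pool(first: str, last: str):
    """Parse and order-check one address pool."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"pool start {first} is above pool end {last}")
    return lo, hi


def build_config(general, groups, lease="12h"):
    """general: (first, last); groups: {tag: {"ouis": [...], "pool": (first, last)}}."""
    glo, ghi = pool(*general)
    used = [("general", (glo, ghi))]
    lines = []
    for tag, spec in groups.items():
        lo, hi = pool(*spec["pool"])
        for other, (olo, ohi) in used:
            if lo <= ohi and olo <= hi:  # overlap would exempt the wrong hosts
                raise ValueError(f"pool for {tag!r} overlaps pool {other!r}")
        used.append((tag, (lo, hi)))
        # One dhcp-mac line per OUI; all of them set the same tag.
        lines += [f"dhcp-mac=set:{tag},{oui_to_pattern(o)}" for o in spec["ouis"]]
        # Tagged range: offered only to clients carrying this tag.
        lines.append(f"dhcp-range=tag:{tag},{lo},{hi},{lease}")
    # Untagged range for every other client on the segment.
    lines.append(f"dhcp-range={glo},{ghi},{lease}")
    return lines


# Constructed sample: one device family, pool values chosen for illustration.
GROUPS = {"xerox": {"ouis": ["00-00-00"], "pool": ("10.0.0.200", "10.0.0.220")}}

if __name__ == "__main__":
    print("\n".join(build_config(("10.0.0.50", "10.0.0.150"), GROUPS)))
```

The tag is assigned from the MAC address the client reports, so an exemption on the tagged pool applies to any device presenting a matching OUI.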