Using Captive Portal AND the Active Directory Logon Script

[appleoddity]

As we well know, using these two items together is not supported. The captive portal ALWAYS blocks the website and forces authentication even if the user has already been authenticated through the ADLS.

So, I set out tonight to find out how to bypass that. And I think I have come up with a clever way to do it. I'd like to run it by you guys and see if any people with more knowledge of untangle can point out where there might be problems with this. SO far it appears to work properly.

I created two new .php files in the /usr/shared/untangle/web/cpd folder.

One called opencpd.php :

Code:

<?php
$ip = $_SERVER['REMOTE_ADDR'];
system("/usr/bin/sudo ipset -A cpd-ipv4-authenticated $ip");
system("/usr/bin/sudo ipset -D cpd-ipv4-expired $ip");
?>

A second called closecpd.php :

Code:

<?php
$ip = $_SERVER['REMOTE_ADDR'];
system("/usr/bin/sudo ipset -D cpd-ipv4-authenticated $ip");
?>

I then added the following lines to the /etc/sudoers file with visudo:

Code:

www-data  ALL=NOPASSWD: /usr/sbin/ipset

I then added the following lines to the AD login script:

Code:

  command2 = "http://" + ServerName + "/cpd/opencpd.php"
  AJAX.Open "GET", command2
  AJAX.Send ""

And I created a AD logoff script:

Code:

'Handle or Ignore all errors
On Error Resume Next

If WScript.Arguments.Count = 1 Then
	ServerName = WScript.Arguments.Item(0)
Else
	ServerName = "10.0.5.250"
End If

'WScript.Echo "ServerName is:"
'WScript.Echo ServerName


  Set AJAX = CreateObject("MSXML2.ServerXMLHTTP")
  command2 = "http://" + ServerName + "/cpd/closecpd.php"
  'WScript.Echo command
  AJAX.Open "GET", command2
  AJAX.Send ""

I discovered that the Captive Portal places an entry in iptables using ipset that causes an IP address to bypass the captive portal login. It will remove the entry when the session times out or the user logs out.

So, I granted apache and my PHP scripts the ability to run the ipset command as root using the sudoers file.

Then, I created those two scripts to add an entry using ipset, and to remove an entry using ipset. When the script is called it identifies the IP address of the client and adds an entry for that client to the ipset table associated with captive portal so that it can bypass the portal login.

I then modified the login script to call the opencpd.php script and bypass the portal, and I created the logoff script to call closecpd.php to activate the portal again.

By using this method I am able to get my users authenticated with the AD login script and they never see a captive portal login. However, users who are not on the domain and do not run the AD login script see the captive portal to authenticate.

An extra rack can than be added in policy manager to route all unauthenticated users through a web filter that blocks all access. Forcing everyone to authenticate, either automatically with the login script for computers on the domain, or manually with the captive portal for those that like to come and go with their laptops and other devices.

Reporting is handled normally, and users are correctly identified.

Anybody see any problems with this?

[Mathiau]

Good to know, i wasn't aware you couldn't use both.

[tsull360]

How is this solution working for you? I've been looking to do exactly this, but don't have the neccesary skill

Untangle team, any chance of seeing this (or something similar) folded into the product?

Thanks,
Tim

[jcoehoorn]

I'm looking into a different strategy - use the login script my admin and lab subnet, and captive portal for my student and wireless subnets. There will be no capture rule in captive portal for most users that log in to the domain, and those few that do via wireless will just have to deal with the capture page.

[BOFH]

I am also curious to know if this has been incorporated into the default distribution. Also, does it continue to work well for those that have implemented it?

[dmorris]

It has been.
I dont remember the URL, but you can logout by hitting it.

[BOFH]

So Just to be clear. I can just install the rack item for captive portal on my UT box and without any further effort on my part, those people that aren't connected through the AD script will be required to log in through the captive portal, and those that ARE connected through the AD script will never see a difference? If so you guys are awesome! If not you're still awesome but I'm wearing a sad face.

Thanks for your help,

BOFH

[dmorris]

Sorry, I was talking about the logoff script.
There is still no logon script to my knowledge.

btw, just glancing at the code above I can tell you it wont work. It will appear to work but the ipset data will be inconsistent with the database.
I guess that isn't the end of the world, but I wouldn't be surprised if you get weird side effects.

[hlarsen]

So Just to be clear. I can just install the rack item for captive portal on my UT box and without any further effort on my part, those people that aren't connected through the AD script will be required to log in through the captive portal, and those that ARE connected through the AD script will never see a difference?

you'll need to set Captive Portal to only capture those who you need to (eg NOT the people running the ADLS) and set it up to authenticate against AD, that should be it.

[frust]

I don't understand the script; this will allow, that anybody could call this opencpd.php directly, without logging in and would then prevent captive page?