  1. #1 Untangler (Join Date: Apr 2009, Posts: 60)

    Using Captive Portal AND the Active Directory Logon Script

    As we well know, using these two items together is not supported. The captive portal ALWAYS blocks the website and forces authentication even if the user has already been authenticated through the ADLS.

    So, I set out tonight to find out how to bypass that. And I think I have come up with a clever way to do it. I'd like to run it by you guys and see if any people with more knowledge of Untangle can point out where there might be problems with this. So far it appears to work properly.

    I created two new .php files in the /usr/shared/untangle/web/cpd folder.

    One called opencpd.php:
    Code:
    <?php
    // Address of the client that requested this page, as seen by Apache.
    // Quoted so the value reaches ipset as a single argument.
    $ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
    // Mark the client as authenticated to the captive portal ...
    system("/usr/bin/sudo ipset -A cpd-ipv4-authenticated $ip");
    // ... and drop any stale "expired" entry for the same address.
    system("/usr/bin/sudo ipset -D cpd-ipv4-expired $ip");
    ?>
    A second called closecpd.php:
    Code:
    <?php
    // Remove the client's authenticated entry so the portal applies again.
    $ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
    system("/usr/bin/sudo ipset -D cpd-ipv4-authenticated $ip");
    ?>
    I then added the following lines to the /etc/sudoers file with visudo:
    Code:
    www-data  ALL=NOPASSWD: /usr/sbin/ipset
    I then added the following lines to the AD login script:
    Code:
      'ServerName is the Untangle box, set earlier in the login script (see the logoff script for an example)
      'Create the HTTP client object if the login script does not already have one
      Set AJAX = CreateObject("MSXML2.ServerXMLHTTP")
      command2 = "http://" + ServerName + "/cpd/opencpd.php"
      AJAX.Open "GET", command2
      AJAX.Send ""
    And I created an AD logoff script:
    Code:
    'Handle or Ignore all errors
    On Error Resume Next
    
    'The Untangle server can be passed as the first argument; otherwise use the default
    If WScript.Arguments.Count = 1 Then
    	ServerName = WScript.Arguments.Item(0)
    Else
    	ServerName = "10.0.5.250"
    End If
    
    'WScript.Echo "ServerName is:"
    'WScript.Echo ServerName
    
    'Call closecpd.php so the client's ipset entry is removed and the portal applies again
      Set AJAX = CreateObject("MSXML2.ServerXMLHTTP")
      command2 = "http://" + ServerName + "/cpd/closecpd.php"
      'WScript.Echo command2
      AJAX.Open "GET", command2
      AJAX.Send ""

    I discovered that the Captive Portal places an entry in iptables using ipset that causes an IP address to bypass the captive portal login. It will remove the entry when the session times out or the user logs out.

    So, I granted apache and my PHP scripts the ability to run the ipset command as root using the sudoers file.

    Then, I created those two scripts to add an entry using ipset, and to remove an entry using ipset. When the script is called it identifies the IP address of the client and adds an entry for that client to the ipset table associated with captive portal so that it can bypass the portal login.

    I then modified the login script to call the opencpd.php script and bypass the portal, and I created the logoff script to call closecpd.php to activate the portal again.

    By using this method I am able to get my users authenticated with the AD login script and they never see a captive portal login. However, users who are not on the domain and do not run the AD login script see the captive portal to authenticate.

    An extra rack can then be added in policy manager to route all unauthenticated users through a web filter that blocks all access, forcing everyone to authenticate: either automatically with the login script for computers on the domain, or manually with the captive portal for those that like to come and go with their laptops and other devices.

    Reporting is handled normally, and users are correctly identified.

    Anybody see any problems with this?
    Last edited by appleoddity; 08-25-2010 at 12:48 AM.

  2. #2 Mathiau (Untangle Ninja; Join Date: Feb 2008, Location: Costa Frickn' Rica, Posts: 1,636)

    Good to know, I wasn't aware you couldn't use both.
    kv-2 | UT 11.0.1 | Dell R610 Server | Intel Xeon 2.8Ghz Quad Cores | 24Gb DDR3 ECC | 1 Intel QPort NIC | Integrated Broadcom QP | Dell Perc 4i | 6 x 73G 2.5 15k SAS raid 10 | 100mb/100mb | 30mb/30Mb

  3. #3 Untangler (Join Date: May 2008, Posts: 80)

    How is this solution working for you? I've been looking to do exactly this, but don't have the necessary skill.

    Untangle team, any chance of seeing this (or something similar) folded into the product?

    Thanks,
    Tim

  4. #4 jcoehoorn (Untangle Ninja; Join Date: Mar 2010, Location: York, NE, Posts: 1,876)

    I'm looking into a different strategy: use the login script for my admin and lab subnets, and captive portal for my student and wireless subnets. There will be no capture rule in captive portal for most users that log in to the domain, and those few that do via wireless will just have to deal with the capture page.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  5. #5 BOFH (Master Untangler; Join Date: May 2009, Location: OKC, OK, Posts: 131)

    I am also curious to know if this has been incorporated into the default distribution. Also, does it continue to work well for those that have implemented it?

  6. #6 dmorris (Untangle Junkie; Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,747)

    It has been.
    I don't remember the URL, but you can log out by hitting it.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7 BOFH (Master Untangler; Join Date: May 2009, Location: OKC, OK, Posts: 131)

    So, just to be clear: I can just install the rack item for captive portal on my UT box and, without any further effort on my part, those people that aren't connected through the AD script will be required to log in through the captive portal, and those that ARE connected through the AD script will never see a difference? If so, you guys are awesome! If not, you're still awesome, but I'm wearing a sad face.

    Thanks for your help,

    BOFH

  8. #8 dmorris (Untangle Junkie; Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,747)

    Sorry, I was talking about the logoff script.
    There is still no logon script to my knowledge.

    BTW, just glancing at the code above I can tell you it won't work. It will appear to work, but the ipset data will be inconsistent with the database.
    I guess that isn't the end of the world, but I wouldn't be surprised if you get weird side effects.

  9. #9 hlarsen (some dude; Join Date: Jul 2010, Location: sfba, Posts: 1,385)

    Quote (originally posted by BOFH):
        So, just to be clear: I can just install the rack item for captive portal on my UT box and, without any further effort on my part, those people that aren't connected through the AD script will be required to log in through the captive portal, and those that ARE connected through the AD script will never see a difference?
    You'll need to set Captive Portal to only capture those who you need to (e.g. NOT the people running the ADLS) and set it up to authenticate against AD; that should be it.

  10. #10 Master Untangler (Join Date: Jul 2008, Location: Germany, Posts: 140)

    I don't understand the script; this would allow anybody to call this opencpd.php directly, without logging in, and would then prevent the captive page?
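The hardening a defender would want around the opencpd.php/closecpd.php idea from post #1, and the exposure raised in post #10, as an added example (not the forum poster's code and not part of Untangle): the client address is validated as a plain IPv4 literal before it reaches ipset, it is only accepted from networks where the AD logon script is expected to run, and ipset is invoked with an argument list rather than a shell string, so the address can never be parsed as a command. The set names and the sudo/ipset paths are the ones quoted in the thread; ALLOWED_NETWORKS, the 10.0.5.0/24 network and the logger name are assumptions. Note what it does not do: any host inside the allowed network can still request the URL without a domain logon, and the entries it adds are still invisible to the captive portal's own database (post #8), so the capture-rule configuration in post #9 remains the supported route.

```python
"""Hardened variant (added example, not the thread's code) of the
opencpd.php / closecpd.php idea: validate the client address, restrict it to
the networks where the AD logon script runs, and call ipset without a shell.
"""
import ipaddress
import logging
import subprocess

AUTHENTICATED_SET = "cpd-ipv4-authenticated"   # set name quoted in the thread
EXPIRED_SET = "cpd-ipv4-expired"               # set name quoted in the thread
SUDO = "/usr/bin/sudo"                         # path used by the thread's PHP
IPSET = "/usr/sbin/ipset"                      # path granted in the thread's sudoers line

# Assumption: only the domain-joined network may register itself this way.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

log = logging.getLogger("cpd-bridge")          # logger name is an assumption


def validate_client(remote_addr, allowed=ALLOWED_NETWORKS):
    """Return the client IPv4 address as a string, or raise ValueError.

    Anything that is not a plain IPv4 literal is rejected, so nothing
    shell-like can ever be handed to ipset, and addresses outside the
    allowed networks are refused."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        raise ValueError("not an IP address: %r" % (remote_addr,))
    if ip.version != 4:
        raise ValueError("only the IPv4 sets are managed here")
    if not any(ip in net for net in allowed):
        raise ValueError("client %s is outside the allowed networks" % ip)
    return str(ip)


def ipset_commands(action, client_ip):
    """argv lists mirroring opencpd.php ('open') and closecpd.php ('close')."""
    if action == "open":
        return [
            [SUDO, IPSET, "-A", AUTHENTICATED_SET, client_ip],
            [SUDO, IPSET, "-D", EXPIRED_SET, client_ip],
        ]
    if action == "close":
        return [[SUDO, IPSET, "-D", AUTHENTICATED_SET, client_ip]]
    raise ValueError("unknown action %r" % (action,))


def handle(environ, action, runner=subprocess.run):
    """Process one request.

    environ is a CGI/WSGI-style dict; only REMOTE_ADDR is read, which the
    web server sets from the TCP connection (X-Forwarded-For is deliberately
    ignored because a client can supply it). Returns (status, argv_lists) so
    callers and tests can see exactly what was run."""
    try:
        client_ip = validate_client(environ.get("REMOTE_ADDR", ""))
        cmds = ipset_commands(action, client_ip)
    except ValueError as exc:
        log.warning("refused %s request: %s", action, exc)
        return "403 Forbidden", []
    for argv in cmds:
        # Argument list, no shell: the address is one argument, never parsed.
        runner(argv, check=False)
    log.info("%s: %s", action, client_ip)
    return "200 OK", cmds


if __name__ == "__main__":
    # Constructed sample requests; the recorder stands in for sudo/ipset.
    ran = []
    recorder = lambda argv, check=False: ran.append(argv)
    print(handle({"REMOTE_ADDR": "10.0.5.23"}, "open", runner=recorder))
    print(handle({"REMOTE_ADDR": "10.0.5.23; id"}, "open", runner=recorder))
    print(handle({"REMOTE_ADDR": "192.168.1.9"}, "close", runner=recorder))
```

Deployed behind the real web server, `handle` would be called with the server's environ and the default `subprocess.run`; the `runner` parameter exists so the decision logic can be exercised without touching ipset.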
