As we well know, using these two items together is not supported. The captive portal ALWAYS blocks the website and forces authentication even if the user has already been authenticated through the ADLS.
So, I set out tonight to find out how to bypass that. And I think I have come up with a clever way to do it. I'd like to run it by you guys and see if any people with more knowledge of Untangle can point out where there might be problems with this. So far it appears to work properly.
I created two new .php files in the /usr/shared/untangle/web/cpd folder.
One called opencpd.php :
Code:
<?php
// Whoever requests this page gets added to the captive portal's
// "authenticated" ipset and removed from the "expired" one. Nothing
// here checks who is calling; the address comes from REMOTE_ADDR.
$ip = $_SERVER['REMOTE_ADDR'];
system("/usr/bin/sudo ipset -A cpd-ipv4-authenticated " . escapeshellarg($ip));
system("/usr/bin/sudo ipset -D cpd-ipv4-expired " . escapeshellarg($ip));
?>
A second called closecpd.php :
Code:
<?php
// Removes the requesting client from the "authenticated" set so the
// captive portal applies to it again.
$ip = $_SERVER['REMOTE_ADDR'];
system("/usr/bin/sudo ipset -D cpd-ipv4-authenticated " . escapeshellarg($ip));
?>
I then added the following lines to the /etc/sudoers file with visudo:
Code:
www-data ALL=NOPASSWD: /usr/sbin/ipset
I then added the following lines to the AD login script:
Code:
'Handle or Ignore all errors
On Error Resume Next
'Server name handling mirrors the logoff script below (needed so this runs on its own)
If WScript.Arguments.Count = 1 Then
    ServerName = WScript.Arguments.Item(0)
Else
    ServerName = "10.0.5.250"
End If
Set AJAX = CreateObject("MSXML2.ServerXMLHTTP")
'Ask the Untangle box to add this client's IP to the authenticated set
command2 = "http://" + ServerName + "/cpd/opencpd.php"
AJAX.Open "GET", command2
AJAX.Send ""
And I created an AD logoff script:
Code:
'Handle or Ignore all errors
On Error Resume Next
'The Untangle server can be passed as the first argument; otherwise use the default
If WScript.Arguments.Count = 1 Then
    ServerName = WScript.Arguments.Item(0)
Else
    ServerName = "10.0.5.250"
End If
'WScript.Echo "ServerName is:"
'WScript.Echo ServerName
Set AJAX = CreateObject("MSXML2.ServerXMLHTTP")
'Ask the Untangle box to remove this client's IP from the authenticated set
command2 = "http://" + ServerName + "/cpd/closecpd.php"
'WScript.Echo command
AJAX.Open "GET", command2
AJAX.Send ""
I discovered that the Captive Portal places an entry in iptables using ipset that causes an IP address to bypass the captive portal login. It will remove the entry when the session times out or the user logs out.
So, I granted Apache and my PHP scripts the ability to run the ipset command as root using the sudoers file.
Then, I created those two scripts to add an entry using ipset, and to remove an entry using ipset. When the script is called it identifies the IP address of the client and adds an entry for that client to the ipset table associated with captive portal so that it can bypass the portal login.
I then modified the login script to call the opencpd.php script and bypass the portal, and I created the logoff script to call closecpd.php to activate the portal again.
By using this method I am able to get my users authenticated with the AD login script and they never see a captive portal login. However, users who are not on the domain and do not run the AD login script see the captive portal to authenticate.
An extra rack can then be added in policy manager to route all unauthenticated users through a web filter that blocks all access, forcing everyone to authenticate, either automatically with the login script for computers on the domain, or manually with the captive portal for those that like to come and go with their laptops and other devices.
Reporting is handled normally, and users are correctly identified.
Anybody see any problems with this?
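A stricter opencpd.php, added here as an example and not the poster's own file: it does what the post describes (REMOTE_ADDR into cpd-ipv4-authenticated, out of cpd-ipv4-expired) but refuses callers that do not present a shared token or that come from outside a trusted subnet, quotes the address before it reaches the shell, and logs every decision. The 10.0.5.0/24 subnet, the X-Cpd-Token header and its secret are assumed placeholders, not values from the post.

```php
<?php
// Added example, not the original poster's code: a stricter opencpd.php.
// Assumptions (placeholders, not from the post): the trusted LAN is
// 10.0.5.0/24 and the login script sends a shared secret in an
// X-Cpd-Token request header.
const TRUSTED_NETS = array('10.0.5.0/24');
const SHARED_TOKEN = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

// True if $ip falls inside the IPv4 CIDR block $cidr.
function ip_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr, 2);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Only a syntactically valid IPv4 address from a trusted subnet is accepted.
function client_ip_allowed($ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    foreach (TRUSTED_NETS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Runs one ipset command with a fixed argument list; the only variable part is
// the already validated IP, still quoted for the shell. -exist turns a missing
// entry on delete (or a duplicate on add) into a no-op instead of an error.
function run_ipset($action, $set, $ip) {
    $cmd = sprintf('/usr/bin/sudo /usr/sbin/ipset -exist %s %s %s',
        escapeshellarg($action), escapeshellarg($set), escapeshellarg($ip));
    exec($cmd, $out, $rc);
    return $rc === 0;
}

$ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$token = isset($_SERVER['HTTP_X_CPD_TOKEN']) ? $_SERVER['HTTP_X_CPD_TOKEN'] : '';

// Refuse anything without the token or from an untrusted address, and record
// the attempt so unexpected callers show up in the web server's error log.
if (!hash_equals(SHARED_TOKEN, $token) || !client_ip_allowed($ip)) {
    error_log("cpd bypass refused for " . $ip);
    http_response_code(403);
    exit;
}
$ok = run_ipset('-A', 'cpd-ipv4-authenticated', $ip)
   && run_ipset('-D', 'cpd-ipv4-expired', $ip);
error_log(($ok ? 'granted' : 'FAILED') . " cpd bypass for " . $ip);
http_response_code($ok ? 200 : 500);
```

The login script would add the header with AJAX.setRequestHeader "X-Cpd-Token", "<secret>" between AJAX.Open and AJAX.Send; since every domain machine holds the same token, this only stops devices that never received the script.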