Auto-authenticate user when one connects with a known MAC address

Registered by gbastien on 2011-01-13

This feature has been widely asked for.

When a new connection originates from a known MAC address, the user should be automatically connected to the auth server, without having to reenter his username/password (so this plugin depends on other authentication plugins).

The problem is that the MAC address is not available when the login page is requested, only when the authentication is verified. If the MAC is not recognised at that point, the gateway redirects to the gw_message page and the authentication fails. We should therefore program a way to redirect to the standard login page with the other authenticators if this authenticator doesn't pass, instead of showing the failed-authentication page.
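
One way the fallback described above could be decided at the verification step, as an added example that is not AuthPuppy code or part of this blueprint: an unknown, malformed or stale MAC yields a redirect to the standard login page rather than a failed authentication. The names KnownMacs, remember, forget and verify and the max_age policy are hypothetical; the opt-in, log-out and periodic re-login behaviours follow suggestions made on the whiteboard of this page.

```python
from dataclasses import dataclass, field

ALLOW = "allow"                    # known MAC: connect as the remembered user
REDIRECT_LOGIN = "redirect_login"  # fall back to the standard login page

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff form, or None if raw is not a 48-bit MAC."""
    digits = "".join(c for c in raw.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class KnownMacs:  # hypothetical store, not an AuthPuppy class
    max_age: int = 86400  # seconds until a full login is required again (assumed policy)
    entries: dict = field(default_factory=dict)  # mac -> (username, last full login time)

    def remember(self, username, raw_mac, now):
        """Call after a successful normal login in which the user opted in."""
        mac = normalize_mac(raw_mac)
        if mac is None:
            raise ValueError("not a MAC address: %r" % raw_mac)
        # One owner per MAC: on a shared computer the latest opt-in wins.
        self.entries[mac] = (username, now)

    def forget(self, username, raw_mac):
        """Log-out option: cancel auto-login, only for the MAC's current owner."""
        mac = normalize_mac(raw_mac)
        if mac in self.entries and self.entries[mac][0] == username:
            del self.entries[mac]

    def verify(self, raw_mac, now):
        """Decision at the verification step, where the MAC first becomes available."""
        mac = normalize_mac(raw_mac)
        entry = self.entries.get(mac) if mac else None
        if entry is None:
            return (REDIRECT_LOGIN, None)   # unknown or malformed MAC
        username, last_login = entry
        if now - last_login > self.max_age:
            del self.entries[mac]           # stale: require a password login again
            return (REDIRECT_LOGIN, None)
        return (ALLOW, username)
```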

Blueprint information

Status: Not started
Approver: None
Priority: Medium
Drafter: None
Direction: Needs approval
Assignee: gbastien
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

What happens if two users share the same computer? Offer the choice to disconnect and reconnect as other? But then a connection has already been initiated between the gateway and the server... Will need to invalidate/destroy the previous connection so that the gateway/server protocol can start over again.

Is only the last MAC address of the user kept or all MACs for a user?

What about public computers? Offer a choice when logging in to remember this MAC for this user and thus keep a list of known MACs for a user? And if a user never wants to register his MAC address, then he needs to log in each time?

Geneviève

======================================================================================

The way I see it is with MAC sign on, the administrator has a wish to track the different computers rather than the different users mainly in a closed environment. Or they wish to make the process easier for devices like smart phones, handheld consoles like the DS etc.

A different situation is where the user signs up and the MAC is recorded and checked against when the user logs in in the future (the database would class this address as a unique value). The sole purpose of this is to stop the user from signing up with multiple accounts to bypass bandwidth limits etc. An option would allow the user to register a different computer and destroy his old one a certain amount of times, say per month.

Robin.

=============

Thanks for adding this whiteboard article, gbastien!

Would a modification to the SplashOnly plugin be an option - although it wouldn't be as good as automatically permitting access, it could be a reasonable workaround. e.g. with SplashOnlyAlternative you would initially be offered a 'click to connect' button - clicking that would then pass your MAC address through. If this was on the valid user list then it would permit internet access, if it was either not on the valid list OR you had exceeded the ConnectionPolicies plugin setting (e.g., too much data transfer, too long a connection, etc.) then it would force login. ConnectionPolicies could also be altered to force a login after a set amount of time (e.g. users must login every day/month).

Re Robin's points (and I'm guessing all the above are his, but correct me if I'm wrong!) - good points re. preventing multiple registrations. In the situation I'm thinking of though, it's purely to make re-connection much easier for those on mobile devices who are regular users. In this situation there's no problem re. multiple users from the one device. Of course it could be a login option 'allow automatic login in the future from this device'. Also the AuthPuppy authserver homepage could always offer a log out option to allow a user to cancel the auto-MAC login. With regards public computers - I don't think you'd use this option at all as you presumably are wanting users to log in individually. If you want to allow permanent untracked access then you could just use the MAC bypass option in the Wifidog gateway settings on the router (indeed this is what we've done in our setup - a public fixed PC on bypass, but individuals can register for their own account for personal devices - it's just quite a hassle having to sign in each time just now).

Happy to try and answer any other qns!

Alan

=============
