Linux Wireless Access Point HOWTO

Chapter 9. Configuring NoCatAuth Gateway


9.1 Overview of NoCatAuth Gateway

NoCatAuth is an access control and resource allocation solution for wireless clients. It is implemented on Access Points and is written in Perl. It is a work in progress maintained by the Sonoma County Wireless Group in California, USA. NoCatAuth has two elements: a Gateway service and an Authentication service. The former is discussed in this chapter.

The NoCatAuth gateway service is concerned with running what is called a Captive Portal. With NoCatAuth installed, wireless clients connecting to the Access Point are blocked from using network resources until such time as they have authenticated themselves. All web traffic from unauthenticated wireless clients is redirected to a login page. NoCatAuth is capable of dynamically relaxing firewall rules for those clients that authenticate successfully.

NoCatAuth is constantly under development and in the future it will be superseded by NoCatSplash. For more information on both, refer to the NoCat homepage, the NoCat development list and the various text documents that come as part of the NoCat packages.


9.2 Required software

In order to install NoCatAuth you must have the Perl programming language, GNU make and gpgv installed on your system. If you didn't choose these during our Redhat install in Chapter 3, or they are otherwise unavailable on your system, download and install them now. Note that iptables is required and we assume it is supported by your kernel.

Once Perl, gpgv and make are available on your system, download the latest version of NoCatAuth. The version I used for constructing this chapter of the HOWTO is 0.82, but it should be worthwhile getting the latest version.


9.3 Installing NoCatAuth Gateway

NoCatAuth is distributed as a tarred and gzipped package. Unlike other software dealt with in this HOWTO, which is distributed in pre-packaged binary format, we need to unpack NoCatAuth, install it and configure it for our purposes. Here is a description of the steps:

9.3.1 Unpacking NoCatAuth

Unpack NoCatAuth with this command (assuming you're using version 0.82):

[root@accesspoint root]# tar -zxvf NoCatAuth-0.82.tar.gz

This will unpack all of the NoCatAuth files into a directory called NoCatAuth-0.82. Change to this directory with the cd command and take the time to read the documentation README, INSTALL and the text files in the doc directory, as they contain valuable insights into NoCatAuth's operation and its configuration.

9.3.2 Making NoCatAuth Gateway

NoCatAuth is installed using the GNU make utility. Make is capable of analysing our system to make sure that the necessary software requirements are met and of installing the necessary NoCatAuth files. It is also possible to use make to modify some install parameters. For more information regarding make, refer to the make man page.

We are going to install NoCatAuth to a non-default directory, using the following command:

[root@accesspoint NoCatAuth-0.82]# make PREFIX=/usr/local/nocat/gateway

This will produce a Congratulations message at the bottom of the resulting output if the installation is successful. If it doesn't appear, read through the output text for clues as to what may have gone wrong.


9.4 Configuring NoCatAuth Gateway

NoCatAuth gateway uses /usr/local/nocat/gateway/nocat.conf as its configuration file, though the path will be different if you used a different PREFIX variable in the make above in section 9.3.2.

As in previous chapters, provided here is an example NoCatAuth gateway configuration file which you can modify for your use using the embedded comments as a guide. In this case, lines beginning with a "#" are comments.

Note that the file presented here should be read in conjunction with the default nocat.conf file included with NoCat, as the default file includes descriptions from the developers. NoCatAuth has a large number of configuration options and three different modes of operation, more than can be adequately covered in this HOWTO. For a more in-depth guide to NoCatAuth, review the documentation that comes as part of the package and peruse the information available at the NoCat homepage.

The following configuration file is suitable for use as a gateway that uses an external authentication service, disallows public access and allows member access to Internet web servers using your upstream Internet connection.

# example /usr/local/nocat/gateway/nocat.conf

#Set logging verbosity. 10 is good for testing, 5 is good for day to day, 0 for off.
Verbosity 10

# Set this to the name of your Access Point
# NZ-Wireless operators should use your fully qualified domain name
GatewayName simon.akld.nzwireless.org

# Mode of operation
GatewayMode Passive

# Log file
GatewayLog /usr/local/nocat/gateway/nocat.log

# Timeout in seconds for clients to begin login sequence
LoginTimeout 600

# Default redirect, to your wireless community group homepage is a good option
HomePage http://www.nzwireless.org

# The following file locations will only need to be changed if
# you used a different PREFIX variable during the make.
DocumentRoot /usr/local/nocat/gateway/htdocs
SplashForm splash.html
StatusForm status.html

# Set this to the name of your wireless community group as
# specified to your authentication service
TrustedGroups NZWireless

# Set this to any users who should have unrestricted access to your
# LAN from the wireless network
Owners oob@wildstar.net

# Set to the IP or DNS address of your authentication service
AuthServiceAddr authservice.nzwireless.org

# The following URLs shouldn't need to be altered
AuthServiceURL https://$AuthServiceAddr/cgi-bin/login
LogoutURL https://$AuthServiceAddr/logout.html

# Uncomment the following line _only_ if NoCat fails to determine
# your LAN interface by itself
# ExternalDevice eth0

# Your wireless interface. NoCat seems to need this one uncommented
InternalDevice wlan0

# Set to the IP and mask of your wireless local network
LocalNetwork 10.1.2.0/24

# Set to your DNS server address as given to wireless clients via
# DHCP. Set to the WLAN0 IP address if you're running DNS on your
# Access Point
DNSAddr 10.1.2.1

# Allow traffic from the wireless network to pass through your LAN
# to the Internet to contact the following sites
AllowedWebHosts nocat.net nzwireless.org

# Comment the following line out if you are running NAT
RouteOnly 1

# Comment out the following line to allow public access
MembersOnly 1

# Use one of the following. Ports that should/shouldn't be available
# to wireless clients.

IncludePorts 80 443
# ExcludePorts 22 25

Note that it is possible to make NoCatAuth more restrictive and tailor it to our own requirements by adding your own firewall rules to the bottom of the file /usr/local/nocat/gateway/bin/initialize.fw.
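Because a mistake in nocat.conf can silently leave the portal more open than intended, here is an added sanity check for the file format used above (this is example code written for this HOWTO, not part of NoCatAuth). It parses the "Key value" lines, expands $Name references the way the AuthServiceURL line relies on, and flags the inconsistencies the comments above warn about; the sample configuration embedded in it is a constructed, trimmed copy of the example.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the example gateway configuration above.
SAMPLE_CONF = """\
# example nocat.conf
Verbosity 10
GatewayMode Passive
AuthServiceAddr authservice.nzwireless.org
AuthServiceURL https://$AuthServiceAddr/cgi-bin/login
InternalDevice wlan0
LocalNetwork 10.1.2.0/24
DNSAddr 10.1.2.1
RouteOnly 1
MembersOnly 1
IncludePorts 80 443
"""

def parse_conf(text):
    """Return {key: value}, expanding $Name references to keys defined earlier."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and "#" comments
        parts = line.split(None, 1)        # key, then the rest of the line
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[parts[0]] = re.sub(r"\$(\w+)",
                                lambda m: conf.get(m.group(1), m.group(0)), value)
    return conf

def check_conf(conf):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if "IncludePorts" in conf and "ExcludePorts" in conf:
        problems.append("use only one of IncludePorts or ExcludePorts")
    url = conf.get("AuthServiceURL", "")
    if "$" in url:
        problems.append("AuthServiceURL references a variable not defined above it")
    if not url.startswith("https://"):
        problems.append("AuthServiceURL is not https: logins would cross the WLAN in clear")
    # LocalNetwork must be a CIDR block and DNSAddr a single address
    for key, parser in (("LocalNetwork", ipaddress.ip_network),
                        ("DNSAddr", ipaddress.ip_address)):
        try:
            parser(conf[key])
        except (KeyError, ValueError):
            problems.append(f"{key} is missing or malformed")
    if conf.get("MembersOnly") != "1":
        problems.append("MembersOnly is not 1: unauthenticated public access is allowed")
    return problems
```

Run check_conf(parse_conf(open("/usr/local/nocat/gateway/nocat.conf").read())) before starting the gateway; any string it returns names a setting to revisit.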


9.5 Bandwidth Throttling (Traffic Shaping)

NoCatAuth has a facility for limiting the use of your upstream Internet connection by wireless clients, using the tc tool which is part of the iproute2 package. iproute2 is included in the default Redhat 9.0 installation; if it is not present on your system, you will need to obtain it before you can use the bandwidth throttling functionality of NoCatAuth.

As mentioned in the NoCatAuth documentation, support for tc in NoCatAuth is experimental, so there are no guarantees. For more information review the documentation that comes with the NoCatAuth package.

9.5.1 Configuring throttling

We can set traffic limits for the various classes of NoCat users (Owner, Member, Public) by editing the values at the top of the file /usr/local/nocat/gateway/bin/throttle.fw, as in the following example. Note that this example is only a snippet from the top of the file and that the rest of the file is not presented here. Note also that comments are lines that begin with a "#".

# Set these to the total capacity of your Internet connection
TOTAL_DOWN=1mbit
TOTAL_UP=1mbit

# Set these limits for your own use
OWNER_DOWN=1mbit          # fw mark 1
OWNER_UP=1mbit
OWNER_OPTIONS=""

# Set these to the amount of your bandwidth you are willing to share
# with authenticated members of your community group
COOP_DOWN=128kbit          # fw mark 2
COOP_UP=128kbit
COOP_OPTIONS=

# Set these to the amount of bandwith you are willing to share
# with unauthenticated public users
PUBLIC_DOWN=0kbit          # fw mark 3
PUBLIC_UP=0kbit
PUBLIC_OPTIONS="bounded"

The values in the above example provide unlimited upstream bandwidth to users in the Owner class, 10% of available bandwidth to users in the Member class and no bandwidth for users in the Public class. Alter these values to reflect your altruism.

9.5.2 Enabling throttling

Bandwidth throttling support in NoCatAuth is enabled with the following command:

[root@accesspoint gateway]# chmod +x /usr/local/nocat/gateway/bin/throttle.fw

This command makes throttle.fw executable so that NoCatAuth can enable traffic shaping when it starts.


9.6 Testing NoCatAuth Gateway

If NoCatAuth is operating normally, local wireless clients should be unable to use network resources, except for the web sites listed in AllowedWebHosts in the configuration file. Local wireless clients that attempt to load any other web site should be presented with a login screen from the NoCatAuth Authentication server that we chose in the configuration file. Wireless clients that successfully authenticate should be able to use those network resources which we have allocated.

The best way to test that NoCat is working is to attempt the end-to-end connection process from a wireless client. If for some reason it fails, look in the log file /usr/local/nocat/gateway/nocat.log for clues as to what may have gone wrong.

It's also worthwhile ensuring that our network resource allocations are being enforced. I recommend using the Nmap port scanner from authenticated and unauthenticated clients, pointing at your Access Point and at machines on your LAN, to ensure that access is only granted according to the parameters you have laid down.


9.7 Enabling NoCatAuth from startup

NoCatAuth includes a suitable startup script in the etc directory of the install directory. In order to enable NoCatAuth from startup, it needs to be copied into /etc/rc.d/init.d and symlinked into runlevel 3 like so:

[root@accesspoint NoCatAuth-0.82]# cp etc/nocat.rc /etc/rc.d/init.d
[root@accesspoint NoCatAuth-0.82]# ln -s /etc/rc.d/init.d/nocat.rc /etc/rc3.d/S99nocat

As we changed the default NoCatAuth directory above in section 9.3.2, we need to edit the file /etc/rc.d/init.d/nocat.rc to tell it where to find the gateway binaries. Find the line which reads NC=/usr/local/nocat at the top of the file and change it to read NC=/usr/local/nocat/gateway.

NoCatAuth should now start when the system boots.

